Re: [strongSwan] Strongswan caching CRL's when setting is set to "no"

2022-06-03 Thread Tobias Brunner
Hi Eric, Does ".reauth_time” and leaving “break_before_make” alone force a reauth and certificate validity check on IKE/ISAKMP from non-cached crl’s? Could you please clarify your question (e.g. why do you mention break_before_make in this context? make_before_break defaults to no. 1) no

Re: [strongSwan] Strongswan caching CRL's when setting is set to "no"

2022-06-02 Thread Eric Germann
> On Jun 2, 2022, at 3:50 AM, Tobias Brunner wrote:
>
> Hi Eric,
>
>> Does ".reauth_time” and leaving “break_before_make” alone force a
>> reauth and certificate validity check on IKE/ISAKMP from non-cached crl’s?
>
> Could you please clarify your question (e.g. why do you mention
> break_b

Re: [strongSwan] Strongswan caching CRL's when setting is set to "no"

2022-06-02 Thread Tobias Brunner
Hi Eric, Does ".reauth_time” and leaving “break_before_make” alone force a reauth and certificate validity check on IKE/ISAKMP from non-cached crl’s? Could you please clarify your question (e.g. why do you mention break_before_make in this context? what do you mean with "from non-cached CRLs

Re: [strongSwan] Strongswan caching CRL's when setting is set to "no"

2022-06-01 Thread Eric Germann
Does ".reauth_time” and leaving “break_before_make” alone force a reauth and certificate validity check on IKE/ISAKMP from non-cached crl’s?

Apologies for all the questions.

Eric

> On Jun 1, 2022, at 10:43 AM, Tobias Brunner wrote:
>
> Hi Eric,
>
>> 16[IKE] received end entity cert "CN=pfse

Re: [strongSwan] Strongswan caching CRL's when setting is set to "no"

2022-06-01 Thread Tobias Brunner
Hi Eric, 16[IKE] received end entity cert "CN=pfsense.semperen.net, C=US, ST=OH, L=Van Wert, O=The Semperen Group, OU=Network Operations" 16[CFG]   using certificate "CN=pfsense.semperen.net, C=US, ST=OH, L=Van Wert, O=The Semperen G

Re: [strongSwan] Strongswan caching CRL's when setting is set to "no"

2022-06-01 Thread Eric Germann
crluri = "https://ipsec-crl.s3.us-east-2.amazonaws.com/Semperen%2BIPSec%2BSigning%2BAuthority%2BCRL.crl"; 16[IKE] received end entity cert "CN=pfsense.semperen.net, C=US, ST=OH, L=Van Wert, O=The Semperen Group, OU=Network Operations" 16[CFG] using certificate "CN=pfsense.s

Re: [strongSwan] Strongswan caching CRL's when setting is set to "no"

2022-06-01 Thread Tobias Brunner
Hi Eric, What's the point of SS having an option to auto fetch a CRL at startup There is no such option. Regards, Tobias

Re: [strongSwan] Strongswan caching CRL's when setting is set to "no"

2022-05-31 Thread Eric K Germann
I would concur with Harri's point of adding an option to periodically reread the CRL's from whatever source they came from. What's the point of SS having an option to auto fetch a CRL at startup but then either having to create an outside-SS workflow to update it or do it by hand? If you d

Re: [strongSwan] Strongswan caching CRL's when setting is set to "no"

2022-05-30 Thread Tobias Brunner
Hi Eric,  When IKE reauthenticates the log says it is loading crl from the directory (which has nothing in it). What exactly are you referring to here? Logs?  Also forcing “rereadcrls” doesn’t cause a new fetch.  “files” and “curl” plugins are loaded. If there is a cached CRL (note that