Hi Zach,

> Why is the CRL loaded from /etc/ipsec.d/crls/, but not consulted?

It is either not valid or does not apply when verifying the validity of the peer's certificate. The lookup for cached CRLs is based on the subjectKeyIdentifier in the issuer certificate - which must match the authKeyIdentifier of the CRL - and then the cRLIssuer fields of any CDPs in the certificate that's verified.

> Why is the curl plugin unable to fetch the local CRL from the file:/// uri?

You need a fetcher plugin that is capable of fetching such URIs. As Noel mentioned, the file plugin can do so (without external dependencies), and the curl plugin can do so too, depending on whether your build of libcurl supports it or not.

Regards,
Tobias
_______________________________________________
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
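
The first part of the lookup described above (issuer subjectKeyIdentifier against CRL authKeyIdentifier) can be checked by hand with the openssl CLI. This is an added example, not part of the original message or of strongSwan; the function names are hypothetical, PEM input is assumed, and `make_demo_ca` only builds constructed throwaway test data. It does not cover the cRLIssuer/CDP step.

```shell
# Print a certificate's subjectKeyIdentifier as plain uppercase hex.
cert_ski() {
    openssl x509 -in "$1" -noout -text | awk '/X509v3 Subject Key Identifier/ {
        getline; gsub(/[ :]/, ""); print toupper($0); exit }'
}

# Print a CRL's authKeyIdentifier as plain uppercase hex. Some OpenSSL
# versions prefix the value with "keyid:", others print the bare hex.
crl_aki() {
    openssl crl -in "$1" -noout -text | awk '/X509v3 Authority Key Identifier/ {
        getline; sub(/keyid:/, ""); gsub(/[ :]/, ""); print toupper($0); exit }'
}

# Succeed only if the CRL's authKeyIdentifier equals the issuer's SKI.
# usage: crl_matches_issuer issuer.pem crl.pem
crl_matches_issuer() {
    ski=$(cert_ski "$1"); aki=$(crl_aki "$2")
    [ -n "$ski" ] && [ "$ski" = "$aki" ]
}

# Constructed sample input: throwaway CA named $2 in directory $1, plus a CRL it signs.
make_demo_ca() {
    d=$1; n=$2
    : > "$d/$n.index"
    cat > "$d/$n.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Constructed demo CA $n
[v3_ca]
basicConstraints = critical,CA:TRUE
subjectKeyIdentifier = hash
[ca]
default_ca = demo
[demo]
database = $d/$n.index
default_md = sha256
default_crl_days = 1
crl_extensions = crl_ext
[crl_ext]
authorityKeyIdentifier = keyid:always
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$d/$n.cnf" \
        -keyout "$d/$n.key" -out "$d/$n.pem" 2>/dev/null &&
    openssl ca -gencrl -config "$d/$n.cnf" -keyfile "$d/$n.key" \
        -cert "$d/$n.pem" -out "$d/$n.crl" 2>/dev/null
}
```

A non-zero status from `crl_matches_issuer` means the cached CRL cannot be selected for that issuer by key identifier, whatever its contents.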