[Openswan Users] checking CRL

Paul Wouters paul at xelerance.com
Tue May 10 21:36:08 CEST 2005


On Tue, 10 May 2005, david wrote:

> I put the CRL file in openswan/ipsec.d/crls on hostA, the VPN is initiated by hostB and the VPN is not established.
>
> BUT when the CRL file is in openswan/ipsec.d/crls on HostB (and not on hostA) and the VPN is initiated by HostB (again) the VPN is established.
>
> Why ?
> Does a host not check if its own certificate is valid when initiating a connection ?

Only certificates received via out-of-band methods (IKE, LDAP, OCSP, etc.)
are checked for validity. Any certificate loaded with an explicit left or
rightcert= is loaded and used.
So if you put both a leftcert= and a rightcert=, and a CRL revoking one,
on both machines, the connection would still come up.

Paul
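Since Openswan uses an explicitly configured leftcert=/rightcert= without consulting the CRL, the revocation check for those certificates has to happen outside Openswan. The following is an added example (not Openswan code and not from this thread): it pulls the leftcert=/rightcert= values out of an ipsec.conf and runs each through `openssl verify -crl_check`. The sample ipsec.conf, the connection name and the assumption that relative cert names live under /etc/ipsec.d/certs are all constructed for this example.

```python
import re
import subprocess

# Constructed ipsec.conf fragment for this example (hostnames and cert names are made up).
SAMPLE_IPSEC_CONF = """\
conn hostA-hostB
    leftcert=hostAcert.pem
    rightcert=hostBcert.pem
"""

_CERT_KEY = re.compile(r"^\s*(leftcert|rightcert)\s*=\s*(\S+)", re.IGNORECASE)


def explicit_certs(conf_text, certs_dir="/etc/ipsec.d/certs"):
    """Map conn name -> {leftcert/rightcert: path} for every explicit cert line.
    Relative names are assumed to resolve against ipsec.d/certs."""
    conns, current = {}, None
    for line in conf_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("conn "):
            current = stripped.split(None, 1)[1]
            conns.setdefault(current, {})
            continue
        m = _CERT_KEY.match(line)
        if m and current is not None:
            key, value = m.group(1).lower(), m.group(2)
            path = value if value.startswith("/") else f"{certs_dir}/{value}"
            conns[current][key] = path
    return conns


def verify_against_crl(cert_path, ca_path, crl_path):
    """True when the cert chains to the CA and is not listed in the CRL."""
    result = subprocess.run(
        ["openssl", "verify", "-crl_check", "-CAfile", ca_path,
         "-CRLfile", crl_path, cert_path],
        capture_output=True, text=True, check=False)
    return result.returncode == 0


def audit(conf_text, ca_path, crl_path, certs_dir="/etc/ipsec.d/certs"):
    """Return (conn, side, path) for each configured cert that fails CRL verification."""
    failures = []
    for conn, certs in explicit_certs(conf_text, certs_dir).items():
        for side, path in certs.items():
            if not verify_against_crl(path, ca_path, crl_path):
                failures.append((conn, side, path))
    return failures
```

Run `audit(open("/etc/ipsec.conf").read(), "/etc/ipsec.d/cacerts/ca.pem", "/etc/ipsec.d/crls/ca.crl")` before restarting Openswan; a non-empty result means a connection would come up with a revoked certificate.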