The following options apply to every IPSec VPN tunnel. These settings are available on the tab.
: Include log messages of the Internet Key Exchange (IKE) protocol in the logs.
cachecrls: This parameter can be set to cachecrls=yes or cachecrls=no. If Certificate Revocation List (CRL) caching is enabled, local caching of CRLs is activated and no new CRL is picked up until the locally cached CRL has expired. The cached CRL is stored in /etc/ipsec.d/crls under a unique filename. As soon as it has expired, it is replaced with an updated CRL.
strictcrlpolicy: The CRL handling policy is quite tolerant by default, that is, strictcrlpolicy is set to no by default. Consequently, if a CRL has expired, only a warning is issued and the peer CRL is still accepted automatically. If a stricter CRL policy is required, this parameter has to be enabled here, which sets strictcrlpolicy to yes. If strictcrlpolicy is enabled, no certificate will be accepted from a peer until a corresponding CRL is present in /etc/ipsec.conf. If this parameter is enabled, it is therefore crucial to make sure that the CRLs are updated in time.
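As an added example (not part of the BalaSys or strongSwan documentation), a small Python audit that reads the "config setup" section of an ipsec.conf and reports how the two CRL options above combine. It assumes strongSwan's documented defaults of strictcrlpolicy=no and cachecrls=no; the sample configuration is constructed.

```python
"""Audit the CRL-related options in the 'config setup' section of a strongSwan ipsec.conf."""

# Assumed strongSwan defaults for the two options discussed above (ipsec.conf(5)).
DEFAULTS = {"strictcrlpolicy": "no", "cachecrls": "no"}

# Constructed sample configuration, not taken from a real appliance.
SAMPLE_CONF = """\
config setup
    charondebug="ike 2"   # verbose IKE logging
    cachecrls=yes

conn site-to-site
    left=%defaultroute
    right=203.0.113.10
"""


def parse_config_setup(text):
    """Return the key=value pairs of the 'config setup' section, keys lowercased."""
    values, in_setup = {}, False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        if not line[0].isspace():
            # Section headers ("config setup", "conn name") start in column 0.
            in_setup = line.strip().split() == ["config", "setup"]
            continue
        if in_setup and "=" in line:
            key, val = (part.strip() for part in line.split("=", 1))
            values[key.lower()] = val
    return values


def audit_crl_settings(text):
    """Return findings about CRL handling, applying the defaults for absent keys."""
    cfg = {**DEFAULTS, **{k: v.lower() for k, v in parse_config_setup(text).items()}}
    findings = []
    if cfg["strictcrlpolicy"] != "yes":
        findings.append("strictcrlpolicy=no: an expired CRL only logs a warning")
    elif cfg["cachecrls"] == "yes":
        # Strict policy plus caching: a stale cached CRL blocks all peers until replaced.
        findings.append("strict policy with cachecrls=yes: CRLs in /etc/ipsec.d/crls must be "
                        "renewed before they expire or peers will be rejected")
    return findings
```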
For details on the other options, see the strongSwan documentation available at http://wiki.strongswan.org/.
© 2021 BalaSys IT Security.
Send your comments to support@balasys.hu