16.3.3. Global IPSec options

The following options apply to every IPSec VPN tunnel. These settings are available on the Global options tab.

  • Verbose IKE: Include log messages of the Internet Key Exchange (IKE) protocol in the logs.

  • Cache CRLs: This parameter can be set to ON (cachecrls=yes) or OFF (cachecrls=no). If Certificate Revocation List (CRL) caching is enabled, fetched CRLs are cached locally and no new CRL is retrieved until the locally cached copy has expired. The cached CRL is stored in /etc/ipsec.d/crls under a unique file name; as soon as it has expired, it is replaced with an updated CRL.

  • Strict CRL policy: By default the CRL handling policy is tolerant, that is, strictcrlpolicy is set to no. Consequently, if a CRL has expired, only a warning is issued and the peer's certificate is nevertheless accepted. If a stricter CRL policy is required, enable this parameter here; strictcrlpolicy will then be set to yes. With strictcrlpolicy enabled, no certificate is accepted from a peer until a corresponding CRL is present in /etc/ipsec.conf. If this parameter is enabled, it is therefore crucial to make sure that the CRLs are updated in time.
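
Because a strict CRL policy rejects peer certificates as soon as the cached CRL is out of date, it is worth checking the cache directory before the nextUpdate time passes. The following script is an added example (not part of this manual or of strongSwan): it reads the thisUpdate/nextUpdate fields of each DER-encoded CRL with a minimal ASN.1 walk and lists the CRLs that have expired or will expire within a chosen margin. It assumes the cached CRLs are DER-encoded, as CRLs fetched over HTTP or LDAP normally are; the sample_crl helper builds a constructed, unsigned CRL only so that the check can be exercised without a CA.

```python
import os
from datetime import datetime, timedelta, timezone

def _tlv(buf, pos):  # read one DER TLV at pos -> (tag, value_start, value_end)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _time(tag, raw):  # UTCTime (0x17) or GeneralizedTime (0x18) -> aware datetime
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(raw.decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def crl_validity(der):
    """Return (thisUpdate, nextUpdate) of a DER CertificateList; nextUpdate may be None."""
    _, s, e = _tlv(der, 0)                   # CertificateList
    _, s, e = _tlv(der, s)                   # tbsCertList
    fields = []
    while s < e:                             # collect the tbsCertList fields in order
        fields.append(_tlv(der, s))
        s = fields[-1][2]
    if fields[0][0] == 0x02:                 # skip the optional version INTEGER
        fields = fields[1:]
    # after signature and issuer come thisUpdate and the optional nextUpdate
    times = [(t, der[a:b]) for t, a, b in fields[2:4] if t in (0x17, 0x18)]
    return _time(*times[0]), (_time(*times[1]) if len(times) > 1 else None)

def stale_crls(crl_dir, now=None, margin=timedelta(0)):
    """List (file, nextUpdate) for cached CRLs already expired or expiring within margin."""
    now = now or datetime.now(timezone.utc)
    stale = []
    for name in sorted(os.listdir(crl_dir)):
        with open(os.path.join(crl_dir, name), "rb") as f:
            _, next_update = crl_validity(f.read())
        if next_update is None or next_update <= now + margin:
            stale.append((name, next_update))
    return stale

def _der(tag, content):  # minimal DER encoder (short-form lengths suffice for the sample)
    assert len(content) < 128
    return bytes([tag, len(content)]) + content

def sample_crl(this_update, next_update):
    """Constructed test CRL: genuine tbsCertList layout, placeholder unsigned signature."""
    alg = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d01010b")) + _der(0x05, b""))
    issuer = _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0c, b"Example CA"))))
    stamp = lambda d: _der(0x17, d.strftime("%y%m%d%H%M%SZ").encode("ascii"))
    tbs = _der(0x30, _der(0x02, b"\x01") + alg + issuer + stamp(this_update) + stamp(next_update))
    return _der(0x30, tbs + alg + _der(0x03, b"\x00" * 9))
```

Calling stale_crls("/etc/ipsec.d/crls", margin=timedelta(days=1)) from a monitoring job gives an early warning: a non-empty result means peers will be rejected once the listed CRL expires if strictcrlpolicy is set to yes.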

For details on the other options, see the strongSwan documentation available at http://wiki.strongswan.org/.