git.ipfire.org Git - people/ms/strongswan.git/blob - testing/tests/crl-ldap/description.txt
- import of strongswan-2.7.0
By setting <b>strictcrlpolicy=yes</b> a <b>strict CRL policy</b> is enforced on
both roadwarrior <b>carol</b> and gateway <b>moon</b>. Thus when <b>carol</b> initiates
the connection and only an expired CRL cache file in <b>/etc/ipsec.d/crls</b> is
available, the Main Mode negotiation fails. An HTTP fetch for an updated CRL fails
because the web server is currently not reachable. Thus the second Main Mode negotiation
fails, too. Finally an LDAP fetch to get the CRL from the LDAP server <b>winnetou</b>
is triggered. When the third Main Mode attempt comes around, the fetched CRL has become
available and the IKE negotiation completes. The new CRL is again cached locally as a
file in <b>/etc/ipsec.d/crls</b> due to the <b>cachecrls=yes</b> option.
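
The sequence described above, modelled as a small simulation. This is an added example, not code from the strongSwan test suite; the URIs, timestamps, function names and the one-fetch-per-failed-attempt scheduling are assumptions that follow the order the description gives.

```python
from datetime import datetime, timedelta

NOW = datetime(2005, 1, 1, 12, 0)                    # constructed clock value
EXPIRED = {"next_update": NOW - timedelta(days=1)}   # stale file in the CRL cache
FRESH = {"next_update": NOW + timedelta(days=30)}    # CRL the LDAP server returns
# Constructed CRL distribution points, tried in this order.
DIST_POINTS = ["http://crl.example.org/ca.crl",
               "ldap://ldap.example.org/cn=CA?certificateRevocationList"]

def crl_usable(crl, now):
    """A CRL can back a certificate check only until its nextUpdate time."""
    return crl is not None and now < crl["next_update"]

def fetch(uri):
    """Stand-in fetcher: the web server is unreachable, the LDAP server answers."""
    if uri.startswith("http://"):
        raise ConnectionError("web server not reachable")
    return FRESH

def run_scenario(dist_points=DIST_POINTS, strict=True, cachecrls=True, tries=3):
    """Return (result of each Main Mode attempt, CRL left in the file cache)."""
    file_cache = EXPIRED          # models the file in /etc/ipsec.d/crls
    loaded = file_cache           # CRL the daemon currently holds in memory
    pending = list(dist_points)
    results = []
    for _ in range(tries):
        if crl_usable(loaded, NOW):
            results.append("established")
            break
        if not strict:
            # Relaxed policy: a stale CRL does not block authentication.
            results.append("established without current CRL")
            break
        results.append("failed")
        # Assumption: one fetch per failed attempt, usable from the next attempt on.
        if pending:
            try:
                loaded = fetch(pending.pop(0))
                if cachecrls:
                    file_cache = loaded
            except ConnectionError:
                pass              # keep the stale CRL, move on to the next URI
    return results, file_cache

if __name__ == "__main__":
    print(run_scenario())
```

With only the HTTP distribution point configured, all three attempts fail under the strict policy, which is the availability cost of <b>strictcrlpolicy=yes</b> when no fallback fetch path exists.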