<div dir="ltr"><div>Hi Paul,<br></div><div><div> Thanks for the response, yes my CA certificate doesn't have CRL attribute but I check many other CA certificate and out of 10 for example , only one CA certificate had the CRL distribution point.</div><div><br></div><div><br></div><div>Hi Tuomo, </div><div> Thanks for the reply. Here's the compressed version of image of end certificate showing CRL.</div><div><br></div><div><div><img src="cid:ii_k4a8t51h0" alt="Screen Shot 2019-12-17 at 10.23.45 PM.jpg" width="504" height="221"><br></div></div><div><br></div><div><br></div><div>Yes, 1 minute is too frequent interval to check of CRL. It was to 1 minute during debugging of this issue else it was set to 8h default value.</div><div><br></div><div>Also, my ipsec connection is restricted to SNMP ports so curl/wget on this URL is happening fine during the ipsec connection.</div><div><br></div><div>Please do let me know if I can share any other essential information.</div><div><br></div><div>Regards,</div><div>Utkarsh.</div></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, Dec 17, 2019 at 11:13 PM Tuomo Soini <<a href="mailto:tis@foobar.fi">tis@foobar.fi</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">On Tue, 17 Dec 2019 22:29:10 +0530<br>
Utkarsh Kumar <<a href="mailto:utkarshkumar84@gmail.com" target="_blank">utkarshkumar84@gmail.com</a>> wrote:<br>
<br>
> Hi Everyone,<br>
> I have a application where I am establishing IPSEC connection<br>
> between two linux machines using libreswan which is happening<br>
> successfully.<br>
<br>
Please, use swan@ lists in for usage issues like this.<br>
<br>
> I have enabled strict crl check in config with interval of 60 sec.<br>
> <br>
> crl-strict=yes<br>
> crlcheckinterval=1m<br>
<br>
1m is all too often. Use something sensible like hours. CRL lifetimes<br>
are days so you don't need to hammer crl distribution point every<br>
minute.<br>
<br>
> End Certificate:<br>
> [image: Screen Shot 2019-12-17 at 10.23.45 PM.png]<br>
<br>
Unfortunately this image didn't show what crypto library thinks about<br>
crl distribution point. Also note you must be able to fetch that crl<br>
without IPsec when IPsec is enabled - so distribution point must not be<br>
behind your tunnel when you use strict crl checking. Or at least you<br>
must make sure you can get tunnel up without strict checking to get crl<br>
first time into nss database.<br>
<br>
> But the CRL list is not updating automatically. In the logs I am<br>
> seeing following error. Can anyone please help me with the solution<br>
> here.<br>
<br>
> Error:<br>
> <br>
> Dec 17 18:46:05: | *time to check crls<br>
> Dec 17 18:46:05: | attempting to add a new CRL fetch request<br>
> Dec 17 18:46:05: | could not find CRL URI ext -8157<br>
<br>
CRL url must be in end certificate or issuer certificate. In either<br>
case crl fetching happens - your (too big) picture didn't reveal the<br>
true information about the certificate so it's quite hard to help. And<br>
it must be fetchable without IPsec and with IPsec.<br>
<br>
<br>
-- <br>
Tuomo Soini <<a href="mailto:tis@foobar.fi" target="_blank">tis@foobar.fi</a>><br>
Foobar Linux services<br>
+358 40 5240030<br>
Foobar Oy <<a href="https://foobar.fi/" rel="noreferrer" target="_blank">https://foobar.fi/</a>><br>
_______________________________________________<br>
Swan-dev mailing list<br>
<a href="mailto:Swan-dev@lists.libreswan.org" target="_blank">Swan-dev@lists.libreswan.org</a><br>
<a href="https://lists.libreswan.org/mailman/listinfo/swan-dev" rel="noreferrer" target="_blank">https://lists.libreswan.org/mailman/listinfo/swan-dev</a><br>
</blockquote></div>