Regression #11526

Mobile IPsec broken when using strict certificate revocation list checking

Added by Kris Phillips about 2 months ago. Updated about 1 hour ago.

Status: Closed
Priority: Normal
Assignee:
Category: IPsec
Target version:
Start date: 02/24/2021
Due date:
% Done: 100%
Estimated time:
Affected Version:
Affected Architecture: All
Release Notes: Default

Description

Enabling Strict CRL Checking under Advanced Settings in IPSec produces the following error:

"loading connection 'con-mobile' failed: unknown option: strictcrlpolicy, config discarded"

Associated revisions

Revision 9a5bde87 (diff)
Added by Jim Pingle about 2 months ago

Correct location and config for Strict CRLs in IPsec. Fixes #11526

Revision f731957f (diff)
Added by Jim Pingle about 2 months ago

Correct location and config for Strict CRLs in IPsec. Fixes #11526

(cherry picked from commit 9a5bde87ce9fd0fad3a7f41750782b2dccce38d8)

History

#1 Updated by Jim Pingle about 2 months ago

  • Tracker changed from Bug to Regression
  • Project changed from pfSense Plus to pfSense
  • Category changed from IPsec to IPsec
  • Assignee set to Jim Pingle

This isn't specific to plus, and is a regression from 2.4.5.

Looks like the parameter format changed and the config needs to be updated to follow:

| pfSense | Old | New |
|---------|-----|-----|
| Off | strictcrlpolicy=no (default) | connections.<conn>.remote<suffix>.revocation=relaxed (default) |
| On | strictcrlpolicy=yes | connections.<conn>.remote<suffix>.revocation=strict |
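
Added example, not part of the issue or of the pfSense commit: a small Python check that flattens a swanctl-style config and reports any leftover `strictcrlpolicy` key together with the effective revocation policy of each `connections.<conn>.remote<suffix>` section. The two sample configs, the placement of the legacy key inside the connection, and the helper names `flatten` and `audit` are assumptions made for illustration.

```python
import re

# Constructed swanctl.conf samples (placement of the legacy key is assumed).
BROKEN = """
connections {
    con-mobile {
        strictcrlpolicy = yes
        remote {
            auth = pubkey
        }
    }
}
"""
FIXED = """
connections {
    con-mobile {
        remote {
            auth = pubkey
            revocation = strict
        }
    }
}
"""

TOKEN = re.compile(r"([\w.-]+)\s*\{|([\w-]+)\s*=\s*([^\n#]*)|(\})")  # open | key=value | close

def flatten(text):
    """Flatten nested sections into {dotted.path.key: value}."""
    path, out = [], {}
    for m in TOKEN.finditer(text):
        if m.group(1):
            path.append(m.group(1))
        elif m.group(4):
            path.pop()
        else:
            out[".".join(path + [m.group(2)])] = m.group(3).strip()
    return out

def audit(text):
    """Return (legacy keys found, {remote section: revocation}); unset means relaxed."""
    flat = flatten(text)
    legacy = sorted(k for k in flat if k.split(".")[-1] == "strictcrlpolicy")
    remotes = {}
    for key in flat:
        parts = key.split(".")
        if len(parts) == 4 and parts[0] == "connections" and parts[2].startswith("remote"):
            section = ".".join(parts[:3])
            remotes[section] = flat.get(section + ".revocation", "relaxed")
    return legacy, remotes
```

A remote section that reports `relaxed` while Strict CRL Checking is enabled in the GUI means the setting did not reach the generated config.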

#2 Updated by Jim Pingle about 2 months ago

  • Status changed from New to Feedback
  • % Done changed from 0 to 100

#3 Updated by Renato Botelho about 1 month ago

  • Target version set to 2.5.1

#4 Updated by Jim Pingle about 1 month ago

  • Subject changed from Enabling Strict Certificate Revocation List Checking Breaks IPSec Mobile Connectivity to Mobile IPsec broken when using strict certificate revocation list checking

Updating subject for release notes.

#5 Updated by Kris Phillips about 1 month ago

Applied this on a customer firewall and the issue went away for IPSec. Seems to be working, but should be further verified.

#6 Updated by Jim Pingle about 1 hour ago

  • Status changed from Feedback to Closed
