The inband crl command configures the device to validate the remote certificate based on the CRL sent from the remote device when IKEv2 uses RSA signature authentication.
The undo inband crl command restores the default configuration.
By default, the device does not validate the remote certificate based on the CRL sent from the remote device when IKEv2 uses RSA signature authentication.
Usage Scenario
When IKEv2 uses RSA signature authentication and the CRL is used for certificate validation, a CA server located in the private network of the headquarters is not reachable from the branch, so the branch cannot download the CRL directly and cannot validate the headquarters certificate against the latest CRL. To let the branch obtain the headquarters CRL through IKEv2 instead, run the inband crl command on the branch. After receiving the CRL that the headquarters sends in the IKEv2 exchange, the branch uses it to validate the headquarters certificate. If the certificate's serial number is not listed in the CRL, the certificate is considered valid, identity authentication succeeds, and the branch can negotiate with the headquarters to establish an IPSec tunnel. As with any CRL, an in-band CRL arrives from the very peer being authenticated, so it only carries weight once its signature has been verified against the issuing CA certificate and its validity period has been checked; a CRL that fails either check must not be used to clear the peer certificate.
Precautions
When you run both the inband crl and inband ocsp commands, the certificate is considered valid only when it passes the validity check in both OCSP and CRL modes.
The IKEv2 generic payload header carries the payload length in a 2-byte field, so a single payload, header included, can be at most 65535 bytes. A CRL that does not fit cannot be carried in one CERT payload; when the CRL exceeds this size, the device cannot construct the CRL payload, and the certificate validity check fails. The usable CRL size is slightly smaller than 65535 bytes because the 4-byte generic header and the 1-byte certificate encoding field count toward the limit. CAs that have revoked many certificates issue CRLs that can exceed this size, so check the size of the headquarters CRL before relying on in-band delivery.
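The following Python script is an added example, not code from the product or its documentation, that builds and parses the IKEv2 CERT payloads a peer would use to send its certificate together with an in-band CRL, and shows exactly where the 2-byte length field caps the CRL. The header layout and the Cert Encoding values (4 for an X.509 signature certificate, 7 for a CRL) are taken from RFC 7296; the certificate and CRL blobs are constructed placeholders, not real DER, and the parser assumes a chain made only of CERT payloads, which is a simplification of a full IKE_AUTH message.

```python
"""Build and parse IKEv2 CERT payloads that carry a CRL, and check the
2-byte payload length limit that an in-band CRL must respect."""
import struct

# Generic payload header (RFC 7296 section 3.2):
#   Next Payload (1 octet), Critical bit + reserved (1 octet),
#   Payload Length (2 octets, includes this 4-octet header).
GENERIC_HDR = struct.Struct("!BBH")
MAX_PAYLOAD_LEN = 0xFFFF          # largest value the 2-byte length field can hold

# Payload type and Cert Encoding values from RFC 7296 section 3.6.
PAYLOAD_TYPE_NONE = 0
PAYLOAD_TYPE_CERT = 37
CERT_ENCODING_X509_SIG = 4        # X.509 Certificate - Signature
CERT_ENCODING_CRL = 7             # Certificate Revocation List

# CERT payload = generic header + 1-octet Cert Encoding + certificate data,
# so the data itself can be at most 65535 - 4 - 1 = 65530 octets.
MAX_CERT_DATA = MAX_PAYLOAD_LEN - GENERIC_HDR.size - 1


class PayloadTooLarge(ValueError):
    """Raised when certificate data cannot fit in one CERT payload."""


def build_cert_payload(encoding: int, data: bytes,
                       next_payload: int = PAYLOAD_TYPE_NONE) -> bytes:
    """Serialise one CERT payload; fails if the length field would overflow."""
    length = GENERIC_HDR.size + 1 + len(data)
    if length > MAX_PAYLOAD_LEN:
        raise PayloadTooLarge(
            f"{len(data)} octets of cert data need a payload of {length} octets, "
            f"but the 2-byte length field caps a payload at {MAX_PAYLOAD_LEN}")
    return GENERIC_HDR.pack(next_payload, 0, length) + bytes([encoding]) + data


def crl_fits_in_payload(crl_der: bytes) -> bool:
    """True if this DER-encoded CRL can be sent in-band in a single CERT payload."""
    return len(crl_der) <= MAX_CERT_DATA


def parse_cert_payloads(buf: bytes) -> list[tuple[int, bytes]]:
    """Walk a chain of CERT payloads and return (encoding, data) pairs.

    Simplification (assumption of this example): the chain consists only of
    CERT payloads and ends with Next Payload = 0, as a peer that sends its
    certificate followed by an in-band CRL would produce.
    """
    out = []
    offset = 0
    next_type = PAYLOAD_TYPE_CERT
    while next_type == PAYLOAD_TYPE_CERT:
        if len(buf) - offset < GENERIC_HDR.size + 1:
            raise ValueError("truncated CERT payload header")
        next_type, _flags, length = GENERIC_HDR.unpack_from(buf, offset)
        if length < GENERIC_HDR.size + 1 or offset + length > len(buf):
            raise ValueError(f"bad payload length {length} at offset {offset}")
        encoding = buf[offset + GENERIC_HDR.size]
        data = buf[offset + GENERIC_HDR.size + 1: offset + length]
        out.append((encoding, data))
        offset += length
    if offset != len(buf):
        raise ValueError("trailing bytes after the last CERT payload")
    return out


def split_certs_and_crls(buf: bytes) -> tuple[list[bytes], list[bytes]]:
    """Separate the peer's certificates from any in-band CRLs it sent."""
    certs, crls = [], []
    for encoding, data in parse_cert_payloads(buf):
        if encoding == CERT_ENCODING_X509_SIG:
            certs.append(data)
        elif encoding == CERT_ENCODING_CRL:
            crls.append(data)
    return certs, crls


# Constructed placeholder blobs (not real DER) so the module runs offline.
SAMPLE_CERT = b"\x30\x82" + b"\xaa" * 600
SAMPLE_CRL = b"\x30\x82" + b"\xbb" * 2000


def demo_exchange() -> tuple[list[bytes], list[bytes]]:
    """Headquarters side builds CERT(cert) + CERT(crl); branch side parses it."""
    wire = (build_cert_payload(CERT_ENCODING_X509_SIG, SAMPLE_CERT, PAYLOAD_TYPE_CERT)
            + build_cert_payload(CERT_ENCODING_CRL, SAMPLE_CRL))
    return split_certs_and_crls(wire)


if __name__ == "__main__":
    certs, crls = demo_exchange()
    print(f"received {len(certs)} certificate(s) and {len(crls)} CRL(s)")
    print("max in-band CRL size:", MAX_CERT_DATA)
    print("65530-octet CRL fits:", crl_fits_in_payload(b"\x00" * MAX_CERT_DATA))
    print("65531-octet CRL fits:", crl_fits_in_payload(b"\x00" * (MAX_CERT_DATA + 1)))
```

Running `crl_fits_in_payload` against the DER of the real headquarters CRL (for example, the file downloaded from the CA's distribution point) tells you in advance whether in-band delivery can work; a CRL of 65531 bytes or more is rejected before any payload is built, which is the same failure the device reports as a failed certificate validity check.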