
Overriding Certificate Verification if CRL Download Fails

By default, if the router cannot access the LDAP URL or cannot retrieve a valid certificate revocation list (CRL), certificate verification fails and the IPSec tunnel is not established. To override this behavior and permit authentication of the IPSec peer when the CRL is not downloaded, which means the peer's certificate is accepted without a revocation check, include the disable on-download-failure statement at the [edit security pki ca-profile ca-profile-name revocation-check crl] hierarchy level:

[edit security pki ca-profile ca-profile-name revocation-check crl]
disable on-download-failure;
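
An added example, not part of the Juniper documentation: a Python check that scans an exported configuration, in either brace or set display format, and lists the CA profiles where this override is configured so they can be reviewed. The profile names and the CRL URL in the sample input are constructed, and the function names are this example's own.

```python
import re

# Matches the flattened path of the override statement; group 1 is the profile name.
FAIL_OPEN = re.compile(
    r"ca-profile (\S+) revocation-check crl disable on-download-failure$")

# Constructed sample input: profile names and the CRL URL are made up.
SAMPLE_BRACES = """\
security {
    pki {
        ca-profile branch-ca {
            revocation-check {
                crl {
                    url ldap://crl.example.net;
                    disable on-download-failure;
                }
            }
        }
        ca-profile hq-ca {
            revocation-check {
                crl {
                    url ldap://crl.example.net;
                }
            }
        }
    }
}
"""
SAMPLE_SET = ("set security pki ca-profile lab-ca revocation-check crl "
              "disable on-download-failure\n")

def flatten(config_text):
    """Yield each statement as one space-joined path (brace or 'set' format)."""
    stack = []
    for line in (raw.strip() for raw in config_text.splitlines()):
        if line.startswith("set "):
            yield line[4:]
        elif line.endswith("{"):
            stack.append(line[:-1].strip())   # enter a hierarchy level
        elif line == "}" and stack:
            stack.pop()                       # leave it
        elif line.endswith(";"):
            yield " ".join(stack + [line[:-1].strip()])

def fail_open_profiles(config_text):
    """Return CA profile names whose CRL check is overridden on download failure."""
    hits = (FAIL_OPEN.search(path) for path in flatten(config_text))
    return sorted({m.group(1) for m in hits if m})
```

Pass the text of a saved configuration to fail_open_profiles(); an empty list means no CA profile carries the override.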
