[strongSwan] strongswan client configuration

Alexandre Chapellon a.chapellon at horoa.net
Mon Jun 13 13:43:58 CEST 2011


On 13/06/2011 13:16, Andreas Steffen wrote:
> On 06/13/2011 01:07 PM, Alexandre Chapellon wrote:
>> Thanks Andreas,
>>
>> It now works as expected.
>> I added the peer (VPN gateway... let's say Moon) certificate generated
>> with my self-signed CA.
>> I have another question (well a lot in fact):
>>
>> When using gnome-nm here is what I need to configure the ipsec tunnel on
>> the client (carol) side:
>>
>>    - CA Certificate
>>    - Carol's Certificate
>>    - Carol's Private key
>>    - Ask for virtual IP.
>>
> As an alternative you could also import Moon's certificate via the
> strongSwan NM applet. If you are using the CA method make sure
> that the hostname of the moon gateway is contained as a subjectAltName
> in moon's certificate.
>
OK! I didn't understand that those two methods were available.

>> When using CLI:
>>    - Moon's certificate
>>    - Carol's Certificate
>>    - Carol's private key
>>    - Ask for virtual IP
>>
>> How come it is different?
>>
> If moon's certificate is signed by a CA then you don't have to
> import moon's cert via rightcert=. Just copy the CA certificate
> into /etc/ipsec.d/cacerts and trust will be established into
> moon.
>
Indeed, this is what I have been trying to do from the beginning. That's why I 
initially had a "ca" stanza in my ipsec.conf pointing to the CA cert. I 
have finally found that I forgot to specify "auto=add" in my "ca" stanza!
Now it works exactly as expected.

Thanks for those clarifications Andreas.

I'm now gonna open a new thread for my other questions :)!

> Regards
>
> Andreas
>
> ======================================================================
> Andreas Steffen                         andreas.steffen at strongswan.org
> strongSwan - the Linux VPN Solution!                www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==
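The two points the thread settles, as a worked example added here (it is not part of the original mail exchange or of strongSwan's own code): a gateway certificate signed by a self-signed CA is trusted by the client through the CA certificate alone, and, when the CA method is used, the gateway hostname the client connects to has to be present as a DNS subjectAltName in the gateway's certificate. The script builds a throw-away CA with openssl (1.1.1 or later is assumed), issues a certificate for "moon" with the hostname as a SAN, issues a second one from an unrelated CA, and runs the check a client should apply before trusting the gateway: does the certificate chain to my CA, and does it carry the hostname I am connecting to? It then writes the matching carol-side ipsec.conf. The hostname moon.strongswan.org, the file names (ca.crt, moon.crt, carolCert.pem) and the section names are assumptions chosen for the example. Two facts it relies on: CA certificates placed in /etc/ipsec.d/cacerts are loaded by strongSwan without any ipsec.conf section, and a "ca" section only takes effect with auto=add, which is exactly the line that was missing above.

```shell
#!/bin/sh
# Added example, not from the thread: build a throw-away self-signed CA,
# issue a gateway ("moon") certificate carrying the hostname as a DNS
# subjectAltName, and check it the way a strongSwan client relying on the
# CA method should. Assumes openssl 1.1.1+ is installed.
set -eu

# Assumed gateway hostname; replace with the real one.
MOON_HOST="moon.strongswan.org"

# make_ca DIR: create a self-signed CA key and certificate in DIR.
make_ca() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" \
        -subj "/C=CH/O=strongSwan/CN=strongSwan Example CA" >/dev/null 2>&1
}

# issue_gateway_cert DIR CA NAME HOST: issue DIR/NAME.crt for HOST, signed by
# DIR/CA.crt, with HOST as a DNS subjectAltName. The CA method in strongSwan
# matches the gateway identity against the certificate, so the hostname the
# client connects to must be in there, not just in the subject DN.
issue_gateway_cert() {
    dir=$1; ca=$2; name=$3; host=$4
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$dir/$name.key" -out "$dir/$name.csr" \
        -subj "/C=CH/O=strongSwan/CN=$host" >/dev/null 2>&1
    printf 'subjectAltName=DNS:%s\n' "$host" > "$dir/$name.ext"
    openssl x509 -req -days 365 -in "$dir/$name.csr" \
        -CA "$dir/$ca.crt" -CAkey "$dir/$ca.key" -CAcreateserial \
        -extfile "$dir/$name.ext" -out "$dir/$name.crt" >/dev/null 2>&1
}

# check_gateway_cert CA_CERT CERT HOST: return 0 only if CERT chains to
# CA_CERT and lists HOST as a DNS subjectAltName; 1 otherwise.
check_gateway_cert() {
    cacert=$1; cert=$2; host=$3
    openssl verify -CAfile "$cacert" "$cert" >/dev/null 2>&1 || return 1
    host_re=$(printf '%s' "$host" | sed 's/\./\\./g')
    openssl x509 -in "$cert" -noout -text \
        | grep -Eq "DNS:${host_re}([, ]|$)" || return 1
    return 0
}

WORK=$(mktemp -d)

# Our CA and the real gateway certificate.
make_ca "$WORK"
issue_gateway_cert "$WORK" ca moon "$MOON_HOST"

# An unrelated CA issuing a certificate for the same hostname: must be rejected.
mkdir "$WORK/rogue"
make_ca "$WORK/rogue"
issue_gateway_cert "$WORK/rogue" ca moon "$MOON_HOST"

# Carol-side ipsec.conf for the CA method. ca.crt is assumed to have been copied
# to /etc/ipsec.d/cacerts (where strongSwan loads it even without a ca section);
# the ca section is optional, but if present it needs auto=add to be used.
# carolCert.pem goes in /etc/ipsec.d/certs and the key in /etc/ipsec.d/private,
# referenced from ipsec.secrets as ": RSA carolKey.pem".
cat > "$WORK/ipsec.conf" <<EOF
ca strongswan-ca
        cacert=ca.crt
        auto=add

conn moon
        keyexchange=ikev2
        left=%defaultroute
        leftcert=carolCert.pem
        leftsourceip=%config
        right=$MOON_HOST
        rightid=@$MOON_HOST
        auto=add

# Alternative without the CA: pin moon's certificate directly.
#conn moon-pinned
#        keyexchange=ikev2
#        left=%defaultroute
#        leftcert=carolCert.pem
#        leftsourceip=%config
#        right=$MOON_HOST
#        rightcert=moonCert.pem
#        auto=add
EOF

if check_gateway_cert "$WORK/ca.crt" "$WORK/moon.crt" "$MOON_HOST"; then
    echo "moon.crt: chains to our CA and carries $MOON_HOST as SAN"
fi
if ! check_gateway_cert "$WORK/ca.crt" "$WORK/rogue/moon.crt" "$MOON_HOST"; then
    echo "rogue/moon.crt: rejected, does not chain to our CA"
fi
echo "sample client config written to $WORK/ipsec.conf"
```

With rightid set to the FQDN, strongSwan checks that identity against moon's certificate, which is why the SAN matters; leaving rightid unset would make the client fall back to the IP address or DN, and the connection then depends on what is in the certificate rather than on the hostname the user typed. The rightcert= variant pins one certificate and needs no CA at all, which is the difference between the two lists in the thread.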