<div>Hi,</div>
<div> </div>
<div>I need to configure two tunnel endpoints on a strongSwan VPN gateway which bind two different CA root certificates, and I would like to know if somebody has already done that?</div>
<div> </div>
<div>Ex: VPN clients coming through the GW ETH1 will be authenticated by a certificate delivered by the CA Root 1, and VPN clients coming through the GW ETH2 will be authenticated by a certificate delivered by the CA Root 2.</div>
<div> </div>
<div>Can we declare several CAs in ipsec.conf, for example as below?</div>
<div>
<pre># /etc/ipsec.conf - strongSwan IPsec configuration file

config setup
        crlcheckinterval=600s
        cachecrls=yes
        strictcrlpolicy=yes
        plutostart=no

ca rootCA1
        cacert=rootCA1Cert.pem
        crluri=http://crl2.strongswan.org/strongswanrootCA1.crl
        auto=add

ca rootCA2
        cacert=rootCA2Cert.pem
        crluri=http://crl2.strongswan.org/strongswanrootCA2.crl
        auto=add


conn %default
        keyingtries=1
        keyexchange=ikev2

conn roadwarrior1
        left=192.168.0.1
        leftsubnet=10.1.0.0/16
        leftcert=Gw-eth1Cert1.pem
        leftid=@Gw1.test.org
        right=%any
        rightca="C=FR, O=test1, CN= Root CA 1"
        auto=add

conn roadwarrior2
        left=172.16.0.1
        leftsubnet=10.1.0.0/16
        leftcert=Gw-eth2Cert2.pem
        leftid=@Gw2.test.org
        right=%any
        rightca="C=FR, O=test2, CN= Root CA 2"
        auto=add
</pre>
<p class="MsoNormal" style="MARGIN: 0cm 0cm 0pt 35.4pt"><span lang="EN-GB" style="FONT-SIZE: 10pt; FONT-FAMILY: 'Courier New'; mso-ansi-language: EN-GB">Last question: do I have to add a specific parameter in strongswan.conf to manage 2 CAs?</span></p>
<span lang="EN-GB" style="FONT-SIZE: 10pt; FONT-FAMILY: 'Courier New'; mso-ansi-language: EN-GB"></span></div>
<div><span lang="EN-GB" style="FONT-SIZE: 10pt; FONT-FAMILY: 'Courier New'; mso-ansi-language: EN-GB">Thanks in advance,</span></div>
<div><span lang="EN-GB" style="FONT-SIZE: 10pt; FONT-FAMILY: 'Courier New'; mso-ansi-language: EN-GB"></span> </div>
<div><span lang="EN-GB" style="FONT-SIZE: 10pt; FONT-FAMILY: 'Courier New'; mso-ansi-language: EN-GB"></span> </div>
<div><span lang="EN-GB" style="FONT-SIZE: 10pt; FONT-FAMILY: 'Courier New'; mso-ansi-language: EN-GB">Mickael</span></div>
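<div>Added example, not part of the original post and not strongSwan code: with two root CAs loaded, a <code>right=%any</code> conn without <code>rightca</code> accepts a peer certificate from either CA, so this sketch parses an ipsec.conf and lists such conns. The sample file is constructed from the layout in the post with <code>rightca</code> removed from roadwarrior2; <code>parse</code> and <code>unpinned_conns</code> are hypothetical helper names, and <code>also=</code> includes are not followed.</div>

```python
# Added example, not strongSwan code: check that every responder conn in an
# ipsec.conf pins the CA its peers must chain to.
SAMPLE = '''\
ca rootCA1
    cacert=rootCA1Cert.pem
ca rootCA2
    cacert=rootCA2Cert.pem

conn %default
    keyexchange=ikev2
    right=%any

conn roadwarrior1
    left=192.168.0.1
    rightca="C=FR, O=test1, CN= Root CA 1"
conn roadwarrior2
    left=172.16.0.1
    # rightca omitted on purpose in this constructed sample
'''

def parse(text):
    """Return {(type, name): {key: value}} for the file's sections."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        if not raw[0].isspace():                 # header starts in column 0
            kind, name = line.split(None, 1)
            current = sections.setdefault((kind, name), {})
        elif current is not None and '=' in line:
            key, value = line.split('=', 1)
            current[key.strip()] = value.strip().strip('"')
    return sections

def unpinned_conns(text):
    """Names of conns that accept right=%any without a rightca constraint."""
    sections = parse(text)
    defaults = sections.get(('conn', '%default'), {})
    flagged = []
    for (kind, name), params in sections.items():
        if kind != 'conn' or name == '%default':
            continue
        conn = {**defaults, **params}            # %default values are inherited
        if conn.get('right') == '%any' and not conn.get('rightca'):
            flagged.append(name)
    return flagged

if __name__ == '__main__':
    print(unpinned_conns(SAMPLE))
```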