<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; color: rgb(0, 0, 0); font-size: 14px; font-family: Calibri, sans-serif;">
<div>
<div>
<div>Is this the relevant option?</div>
<div><br>
</div>
<div>
<p style="color: rgb(54, 0, 12); font-family: Verdana, sans-serif; font-size: 10.8px; line-height: 16.2px; widows: 1; background-color: rgb(255, 255, 255);">
<em>left|rightca = <issuer dn> | %same</em></p>
<p style="color: rgb(54, 0, 12); font-family: Verdana, sans-serif; font-size: 10.8px; line-height: 16.2px; widows: 1; padding-left: 2em; background-color: rgb(255, 255, 255);">
the distinguished name of a certificate authority which is required to lie in the trust path going from the<br>
<em>left|right</em> participant's certificate up to the root certification authority.<br>
<strong>%same</strong> means that the value configured for the other participant should be reused.</p>
</div>
<div>
<div id="MAC_OUTLOOK_SIGNATURE"></div>
</div>
</div>
</div>
<div><br>
</div>
<span id="OLK_SRC_BODY_SECTION">
<div style="font-family:Calibri; font-size:12pt; text-align:left; color:black; BORDER-BOTTOM: medium none; BORDER-LEFT: medium none; PADDING-BOTTOM: 0in; PADDING-LEFT: 0in; PADDING-RIGHT: 0in; BORDER-TOP: #b5c4df 1pt solid; BORDER-RIGHT: medium none; PADDING-TOP: 3pt">
<span style="font-weight:bold">From: </span>Ryan Ruel<br>
<span style="font-weight:bold">Date: </span>Tuesday, October 13, 2015 at 5:48 AM<br>
<span style="font-weight:bold">To: </span>"<a href="mailto:users@lists.strongswan.org">users@lists.strongswan.org</a>"<br>
<span style="font-weight:bold">Subject: </span>[strongSwan] Limiting a connection to a specific CA?<br>
</div>
<div><br>
</div>
<div>
<div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; color: rgb(0, 0, 0); font-size: 14px; font-family: Calibri, sans-serif;">
<div>Assume that you have configured two separate IPsec connections in ipsec.conf. Each client is authenticating via certificates, one to the first connection and the other to the second.</div>
<div id=""><br>
</div>
<div id="">If the clients are using certificates signed by private (but different) CA’s, is there anyway currently to limit validation for each connection to a specific root CA?</div>
<div id=""><br>
</div>
<div id="">From what I understand, all root CA’s are checked until a match is found?</div>
<div id=""><br>
</div>
<div id="">I’m wondering if there’s a way to limit the trust chain for each connection to just one CA.</div>
</div>
</div>
</span>
</body>
</html>