<div dir="ltr"><p>Hi everyone,</p>
<p>I am trying to implement a client-side framework in which each IPsec connection has its own configuration. For PSK it was quite easy to achieve. Unfortunately the same principle should also apply to the PKI configuration (own identity certificate/private key and trusted certificates). This does not seem to be supported. Am I right?</p>
<p>-- Trusted certificate</p>
<p>By default all trusted certificates are in the same folder. The ca section allows us to pick an individual trusted certificate. However, even if several ca sections are used, there does not seem to be a way to link them to a specific connection. They just seem to be global to all connections.</p>
<p>Another option that I thought of is specifying which trusted certificate is associated with which connection by including several rightca lines. I could not find an example of this on the web. Is that something possible?</p>
<p>-- Identity certificate / private key</p>
<p>Concerning specifying an identity certificate / private key per connection, although it is possible to specify the identity certificate with leftcert, it is not possible to specify the private key to be used except in the ipsec.secrets RSA line. Is it possible to specify several RSA lines and let strongSwan determine which one corresponds with the correct identity certificate? How would that work?</p>
<p>I found two pieces of documentation that seem to be in contradiction.</p>
<p>In <a href="https://wiki.strongswan.org/projects/strongswan/wiki/IpsecSecret">https://wiki.strongswan.org/projects/strongswan/wiki/IpsecSecret</a>:</p>
<blockquote><p><i>Authentication by public key systems such as RSA requires that each host have its own private key. A host could reasonably use different private keys for different interfaces and for different peers. But it would not be normal to share entries between systems. Thus no-selector and one-selector forms of entry often make sense for public key authentication.</i></p></blockquote>
<p>In <a href="https://github.com/strongswan/strongswan">https://github.com/strongswan/strongswan</a>, there is the following section:</p>
<blockquote><p><i>Multiple certificates</i></p>
<p><i>strongSwan supports multiple local host certificates and corresponding RSA private keys:</i></p>
<pre>conn rw1
    right=%any
    rightid=peer1.domain1
    leftcert=myCert1.pem
    # leftid is DN of myCert1

conn rw2
    right=%any
    rightid=peer2.domain2
    leftcert=myCert2.pem
    # leftid is DN of myCert2
</pre>
<p><i>When peer1 initiates a connection then strongSwan will send myCert1 and will sign with myKey1 defined in /etc/ipsec.secrets (see below) whereas myCert2 and myKey2 will be used in a connection setup started from peer2.</i></p></blockquote>
<p>Is it possible to specify one private key per connection?</p>
<p>-- vti</p>
<p>Finally, we are using vti. We create one unique device per connection. Unfortunately the address is assigned automatically to my eth0 device instead of the proper device which is associated with the device for my connection. There is the charon option install_virtual_ip_on which allows me to specify on which device the virtual IP address must be added, but that does not work for multiple connections. Any trick for that?</p>
<p>I am currently on strongSwan version 5.5.1.</p>
<p>Is there a way to achieve all that I want?</p>
<p>Thanks,</p>
<p>Guylain</p></div>