<div dir="ltr">Thank you Tobias. I was not aware of swanctl.conf. It is really much more flexible than ipsec.conf.<div><div><br></div><div>Guylain</div></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Apr 13, 2017 at 12:50 PM, Tobias Brunner <span dir="ltr"><<a href="mailto:tobias@strongswan.org" target="_blank">tobias@strongswan.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi Guylain,<br>
<span class=""><br>
> -- Trusted certificate<br>
><br>
><br>
> By default all trusted certificates are in the same folder. Ca section<br>
> allows us to pick individual trusted certificate. However, even if<br>
> several ca sections are used, there does not seem to be a way to link<br>
> them to a specific connection. They just seem to be global to all<br>
> connections.<br>
<br>
</span>You may list accepted certificates in `rightcert` or the accepted CA DN<br>
in `rightca` for each connection.<br>
<span class=""><br>
> Another option that I thought of is by specifying which trusted<br>
> certificate is associated with which connection by including several<br>
> rightca lines. I could not find an example of this on the web. Is that<br>
> something possible?<br>
<br>
</span>Multiple CA certificates can be associated with a connection via<br>
swanctl.conf where you can list several CA certs in `cacerts`.<br>
<span class=""><br>
> -- Identity certificate / private key<br>
><br>
><br>
><br>
> Concerning specifying an identity certificate / private key per<br>
> connection, although it is possible to specify the identity certificate<br>
> with leftcert, it is not possible to specify the private key to be used<br>
> except in ipsec.secrets RSA line. Is it possible to specific several RSA<br>
> lines and let strongswan determine which one correspond with the correct<br>
> identity certificate? How would that work?<br>
<br>
</span>If you set `leftcert` the corresponding private key is used, no matter<br>
how many other private keys are defined.<br>
<span class=""><br>
> Finally, we are using vti. We create one unique device per connection.<br>
> Unfortunately the address is assigned automatically to my eth0 devices<br>
> instead of the proper device which is associated to the device for my<br>
> connection. There is the Charon option install_virtual_ip_on which<br>
> allows me to specify on which device the virtual ip address must be<br>
> added but that does not work for multiple connections. Any trick for that?<br>
<br>
</span>Use a custom updown script if you need something like that and install<br>
the virtual I yourself (i.e. disable charon.install_virtual_ip). But<br>
you might not need VTI devices or one for each connection.<br>
<br>
Regards,<br>
Tobias<br>
<br>
</blockquote></div><br></div>