[strongSwan-dev] Need solution for strongSwan VPN Tunnel specific CA in the configuration for the Authentication
Kalpesh Panchal
kalpesh.panchal at rockwellcollins.com
Thu Nov 2 19:21:45 CET 2017
Hi All,
We are using multiple VPN tunnels on the same system. All CAs for Tunnel A
& B are in */etc/ipsec.d/cacerts/*.
For that:
*How can we provide the tunnel-specific CA list in the configuration for
authentication?*
That means:
*Tunnel A must be established only if the received client certificate is signed
by any CA of Tunnel A*
and
*Tunnel B must be established only if the received client certificate is signed
by any CA of Tunnel B.*
Here we cannot use the *rightca* option as we may have up to 20 different CAs
for each tunnel.
Currently we are facing the issue below:
*Tunnel A is established even if the received client certificate is signed by
any CA of Tunnel B, and vice versa.*
Let me know if anything is required from my side.
Appreciating the quick response in advance.
Thanks,
Kalpesh Panchal
On Thu, Nov 2, 2017 at 12:09 PM, Kalpesh Panchal <
kalpesh.panchal at rockwellcollins.com> wrote:
> Hi All,
>
> We are using multiple VPN tunnels on the same system. All CAs for Tunnel A
> & B are in */etc/ipsec.d/cacerts/*.
>
> For that:
> *How can we provide the tunnel-specific CA list in the configuration for
> authentication?*
> That means:
> *Tunnel A must be established only if the received client certificate is
> signed by any CA of Tunnel A*
> and
> *Tunnel B must be established only if the received client certificate is
> signed by any CA of Tunnel B.*
>
> Here we cannot use the *rightca* option as we may have up to 20 different
> CAs for each tunnel.
>
> Currently we are facing the issue below:
>
> *Tunnel A is established even if the received client certificate is signed by
> any CA of Tunnel B, and vice versa.*
>
> Let me know if anything is required from my side.
>
> Appreciating the quick response in advance.
>
> Thanks,
> Kalpesh Panchal
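
An added example, not part of the original post and not the strongSwan project's own configuration: the requirement above expressed in swanctl.conf, where the `remote.cacerts` option of a connection takes a comma-separated list of CA certificates accepted for authentication on that connection. It assumes the gateway is configured through swanctl rather than ipsec.conf; the connection names, certificate file names and subnets are hypothetical.

```conf
# /etc/swanctl/swanctl.conf
# Added example: every name, file and subnet here is hypothetical.
# File names without a path are resolved relative to /etc/swanctl/x509
# (certs) and /etc/swanctl/x509ca (cacerts).
connections {
    tunnel-a {
        local {
            auth = pubkey
            certs = gateway-a.pem
        }
        remote {
            auth = pubkey
            # The peer certificate must chain to one of the listed CAs.
            # The list can be extended to cover every CA of Tunnel A.
            cacerts = tunnel-a-ca1.pem, tunnel-a-ca2.pem, tunnel-a-ca3.pem
        }
        children {
            net-a {
                local_ts = 10.1.0.0/16
            }
        }
    }
    tunnel-b {
        local {
            auth = pubkey
            certs = gateway-b.pem
        }
        remote {
            auth = pubkey
            # A certificate issued by a Tunnel A CA does not satisfy
            # this constraint, and the reverse holds for tunnel-a.
            cacerts = tunnel-b-ca1.pem, tunnel-b-ca2.pem
        }
        children {
            net-b {
                local_ts = 10.2.0.0/16
            }
        }
    }
}
```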