[strongSwan] How to use "cacert" directory

ABULIUS, MUGUR (MUGUR) mugur.abulius at alcatel-lucent.com
Thu Jul 15 17:13:35 CEST 2010


Hello,

In my configuration the strongSwan system initiates IKEv2 connections with two different Security Gateways (SEGs) and uses two distinct certificates (leftcert=) for them. In general, the certificates for each SEG are administered by different entities. Certificates in the strongSwan system are commissioned independently by these two entities.

Concerning the strongSwan configuration, I intend to put the whole certificate chain concerning a remote SEG in a separate "cacert" directory (specified with a "ca" section), e.g. /etc/ipsec.d/cacert1 and /etc/ipsec.d/cacert2. I don't intend to use "/etc/ipsec.d/certs".

Can you please confirm the following:
* Is this a correct configuration for strongSwan?
* Does strongSwan accept sub-directories in 'cacert1' and 'cacert2' (empty or not)?
* Does strongSwan (by default) also look for certificates in the sub-directories created in 'cacert1' and 'cacert2'?
* It may be possible that the certificates in 'cacert1' and 'cacert2' are identical (but probably not their file names), except for the local certificates, which are always different. Is this configuration valid for strongSwan?


Thank you
Mugur
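A concrete ipsec.conf for the two-SEG setup described in the post, added here as an example; it is not part of the original message and not taken from strongSwan's own documentation. It assumes the ipsec.conf keyword semantics of strongSwan 4.x: `cacert=` in a `ca` section names one CA certificate file (an absolute path, or a path relative to /etc/ipsec.d/cacerts), `leftcert=` names one end-entity certificate file (absolute, or relative to /etc/ipsec.d/certs), and `rightca=` restricts which CA must appear in the trust path of the peer's certificate. Every file name, host name and distinguished name below is hypothetical.

```ini
# /etc/ipsec.conf (added example, not the original poster's configuration)
config setup

# --- Trust domain of the entity administering SEG 1 -----------------------
# Each CA certificate in the chain is named explicitly, so strongSwan never
# has to scan a directory (or its sub-directories) to find it.
# Assumption: cacert= takes an absolute path to a single PEM/DER file.
ca seg1-root
    cacert=/etc/ipsec.d/cacert1/seg1-root-ca.pem
    auto=add

ca seg1-issuing
    cacert=/etc/ipsec.d/cacert1/seg1-issuing-ca.pem
    auto=add

# --- Trust domain of the entity administering SEG 2 -----------------------
ca seg2-root
    cacert=/etc/ipsec.d/cacert2/seg2-root-ca.pem
    auto=add

# --- IKEv2 connection to SEG 1 --------------------------------------------
conn seg1
    keyexchange=ikev2
    left=%defaultroute
    # Local certificate issued by SEG 1's operator; absolute path, so
    # /etc/ipsec.d/certs is not used (as the post requires).
    leftcert=/etc/ipsec.d/cacert1/local-for-seg1.pem
    leftauth=pubkey
    right=seg1.example.net                      # hypothetical peer address
    rightauth=pubkey
    # Only accept a SEG 1 certificate that chains to SEG 1's root CA.
    # Hypothetical DN; it must match the subject of seg1-root-ca.pem exactly.
    rightca="C=XX, O=SEG1 Operator, CN=SEG1 Root CA"
    auto=add

# --- IKEv2 connection to SEG 2 --------------------------------------------
conn seg2
    keyexchange=ikev2
    left=%defaultroute
    leftcert=/etc/ipsec.d/cacert2/local-for-seg2.pem
    leftauth=pubkey
    right=seg2.example.net                      # hypothetical peer address
    rightauth=pubkey
    rightca="C=YY, O=SEG2 Operator, CN=SEG2 Root CA"
    auto=add
```

The point of naming each file explicitly is that the two trust domains are separated by `rightca=`, not by the directory layout: every CA certificate loaded through a `ca` section (or from /etc/ipsec.d/cacerts) lands in one global credential set and would otherwise be trusted for either connection. If both entities really do hand over identical CA certificates (the fourth question in the post), the file names may differ, but the `rightca=` DNs will then be the same and the two connections collapse into one trust domain; only distinct CAs give a per-SEG restriction. `ipsec listcacerts` after `ipsec reload` shows which CA certificates were actually loaded, which is the quickest way to check that each path resolved.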