[strongSwan] How to use "cacert" directory

Andreas Steffen andreas.steffen at strongswan.org
Thu Jul 15 18:42:10 CEST 2010


Hello Mugur,

strongSwan loads upon startup all CA certificates contained in
/etc/ipsec.d/cacerts/. End entity certificates are always loaded
as single files either with relative pathnames (pointing to
/etc/ipsec.d/certs/) or absolute pathnames e.g.

conn c1
     leftcert=/etc/ipsec.d/cacert1/cert1.pem
     ..
     auto=add

conn c2
     leftcert=/etc/ipsec.d/cacert2/cert2.pem
     ..
     auto=add

CA certificates can be read as single files from locations outside
of /etc/ipsec.d/cacerts using absolute pathnames declared in a
ca section in ipsec.conf, e.g.

ca ca1
     cacert=/etc/ipsec.d/cacert1/cacert1.pem
     auto=add

ca ca2
     cacert=/etc/ipsec.d/cacert2/cacert2.pem
     auto=add

There is no possibility of specifying alternative cacert directories
from which all files would be implicitly loaded, except by hacking
the strongSwan source code.

I hope this helps

Andreas

On 07/15/2010 05:13 PM, ABULIUS, MUGUR (MUGUR) wrote:
> Hello,
> 
> In my configuration the strongSwan system initiates IKEv2 connections
> with two different Security Gateways (SEGs) and uses two distinct
> certificates (leftcert=) for them. In general, the certificates for
> each SEG are administered by different entities. Certificates in the
> strongSwan system are commissioned independently by these two
> entities.
> 
> Concerning strongSwan configuration I intend to put all the chain of
> certificates concerning a remote SEG in a separate "cacert" directory
> (specified with a "ca" section), e.g. /etc/ipsec.d/cacert1 and
> /etc/ipsec.d/cacert2. I don't intend to use "/etc/ipsec.d/certs".
> 
> Can you please confirm that:
> * This is a correct configuration for strongSwan?
> * Does strongSwan accept sub-directories in 'cacert1' and 'cacert2'
>   (empty or not)?
> * Does strongSwan look (by default) for certificates also in the
>   sub-directories created in 'cacert1' and 'cacert2'?
> * It may be possible that the certificates from 'cacert1' and 'cacert2'
>   are identical (but probably not their file names), except for the
>   local certificates, which are always different. Is this configuration
>   valid for strongSwan?
> 
> 
> Thank you
> Mugur

======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
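As an added example (not part of this thread and not strongSwan's own code): a small Python script that applies the loading rules from the reply above to an ipsec.conf text, resolving each leftcert=/rightcert= and cacert= to the single file strongSwan will open, and flagging a cacert= that names a directory instead of a file, since only /etc/ipsec.d/cacerts/ itself is ever scanned as a directory. It assumes the default /etc/ipsec.d layout and that a bare cacert= name is looked up in /etc/ipsec.d/cacerts/ (an assumption; the reply only uses absolute paths); the sample config and the stand-in filesystem are constructed.

```python
import os

IPSEC_D = "/etc/ipsec.d"  # assumed default strongSwan config directory

# Constructed sample modelled on the thread; ca2 wrongly points at a directory.
SAMPLE_CONF = """\
conn c1
     leftcert=/etc/ipsec.d/cacert1/cert1.pem
conn c2
     leftcert=cert2.pem
ca ca1
     cacert=/etc/ipsec.d/cacert1/cacert1.pem
ca ca2
     cacert=/etc/ipsec.d/cacert2
"""
SAMPLE_DIRS = {"/etc/ipsec.d/cacert2"}  # constructed stand-in for the real filesystem


def parse_ipsec_conf(text):
    """Return [(kind, name, params)]: headers start in column 0, params are indented."""
    sections, params = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():
            params = {}
            head = line.split(None, 1)
            sections.append((head[0], head[1] if len(head) > 1 else "", params))
        elif params is not None and "=" in line:
            key, _, value = line.strip().partition("=")
            params[key.strip()] = value.strip()
    return sections


def resolve(value, subdir):
    """Absolute paths are used as-is; bare names live under IPSEC_D/<subdir>/."""
    return value if os.path.isabs(value) else os.path.join(IPSEC_D, subdir, value)


def certificate_files(text, is_dir=os.path.isdir):
    """Map (kind, name, key) -> file strongSwan will load; flag cacert= directories."""
    files, problems = {}, []
    for kind, name, params in parse_ipsec_conf(text):
        if kind == "conn":
            for key in ("leftcert", "rightcert"):
                if key in params:  # relative names are looked up in certs/
                    files[(kind, name, key)] = resolve(params[key], "certs")
        elif kind == "ca" and "cacert" in params:
            path = resolve(params["cacert"], "cacerts")  # relative-to-cacerts/ assumed
            files[(kind, name, "cacert")] = path
            if is_dir(path):  # only cacerts/ itself is scanned as a directory
                problems.append(f"ca {name}: cacert={path} is a directory, not a file")
    return files, problems
```

Run it against a real /etc/ipsec.conf by passing the file contents and leaving is_dir at its default, so the directory check uses the actual filesystem.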
