[strongSwan] Trusting all gateways with certs signed by a given CA

David Hooker david.d.hooker at gmail.com
Wed Jul 21 15:24:26 CEST 2010


Hi list,

I have two StrongSwans running in a testbench scenario using preshared keys
with IKEv2.  I would like to set up PKI instead of preshared keys.  I'm not
interested in using DNs, I just want to trust any certificate signed by my
CA (unless there's a compelling security concern with this).  It would be
preferable if each gateway had its own cert, its own key, and the CA cert
without having to copy every cert onto every gateway.

I'm running openssl to generate the CA:
    openssl req -x509 -days 3650 -newkey rsa:2048 -keyout ca.key -out ca.crt
Here's the cert request:
    openssl req -newkey rsa:2048 -keyout site.key -out site.req
And here's the CA sign:
    openssl ca -in site.req -days 730 -out site.crt -notext

I'm just filling in the country code, the company name, and using the site's
name as the common-name.  There's no subjectAltName.

Is this the way to go about creating the certs required, and what do I need
to have in my ipsec.conf to make this work?  Thank you.

PS: does anyone have recommendations for generating entropy in a VM?  I
would like to use a TRNG but I can't get VMware ESXi to pass
USB/serial/parallel devices through -- timer_entropyd generates plenty of
entropy bits, but is it random enough?

Thank you.
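An added worked example, not part of David's message and not strongSwan's own documentation or tooling: the certificate generation described above done non-interactively with openssl, with explicit CA extensions and a subjectAltName on each gateway cert, followed by the checks that show what "trust any certificate signed by my CA" does and does not verify. The hostnames under example.com, the work directory, the second "rogue" CA and the ipsec.conf fragment are assumptions for illustration; the ipsec.conf keywords (authby, leftcert, leftid, rightid, rightca) are used as I understand them and should be checked against the strongSwan release in use.

```shell
#!/bin/sh
# Added example, not from the original post or from strongSwan: a small
# two-gateway PKI built with openssl, plus the checks that show what
# "trust anything signed by my CA" actually verifies. Hostnames, the work
# directory, the rogue CA and the ipsec.conf fragment are assumptions.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # keys, certs and the config fragment land here

# Self-signed CA, 10 years. Built as CSR + x509 -req so the CA extensions
# are explicit instead of whatever the system openssl.cnf happens to add.
# -nodes leaves the key unencrypted: fine for a testbench, not for a real CA.
make_ca() {
    name="$1"; subj="$2"
    openssl req -new -newkey rsa:2048 -nodes -subj "$subj" \
        -keyout "$WORK/$name.key" -out "$WORK/$name.req" 2>/dev/null
    printf 'basicConstraints = critical, CA:TRUE\nkeyUsage = critical, keyCertSign, cRLSign\n' \
        > "$WORK/$name.ext"
    openssl x509 -req -days 3650 -in "$WORK/$name.req" -signkey "$WORK/$name.key" \
        -extfile "$WORK/$name.ext" -out "$WORK/$name.crt" 2>/dev/null
}

# Gateway key + CSR, then the CA signs it for 2 years. The subjectAltName
# is what leftid/rightid get matched against; with only a CN in the
# subject there is no hostname-shaped identity for strongSwan to match.
make_gw_cert() {
    ca="$1"; gw="$2"; fqdn="$3"
    openssl req -new -newkey rsa:2048 -nodes -subj "/C=US/O=Example/CN=$fqdn" \
        -keyout "$WORK/$gw.key" -out "$WORK/$gw.req" 2>/dev/null
    printf 'subjectAltName = DNS:%s\n' "$fqdn" > "$WORK/$gw.ext"
    openssl x509 -req -days 730 -in "$WORK/$gw.req" \
        -CA "$WORK/$ca.crt" -CAkey "$WORK/$ca.key" -CAcreateserial \
        -extfile "$WORK/$gw.ext" -out "$WORK/$gw.crt" 2>/dev/null
}

# Exit 0 iff cert $2 chains to CA $1. This is all that "any cert signed by
# my CA" checks: a perfectly valid cert from another CA fails here.
chains_to() {
    openssl verify -CAfile "$WORK/$1.crt" "$WORK/$2.crt" >/dev/null 2>&1
}

# The DNS identity carried in a cert, i.e. what a peer's rightid compares.
cert_identity() {
    openssl x509 -in "$WORK/$1.crt" -noout -text |
        sed -n 's/.*DNS:\([^, ]*\).*/\1/p'
}

# Our CA with two gateways, plus an unrelated CA that issues a cert for
# the same hostname, standing in for "someone else's valid certificate".
build_testbench() {
    make_ca ca    "/C=US/O=Example/CN=Example VPN CA"
    make_ca rogue "/C=US/O=Other/CN=Other CA"
    make_gw_cert ca    gw1      gw1.example.com
    make_gw_cert ca    gw2      gw2.example.com
    make_gw_cert rogue rogue-gw gw2.example.com   # same name, wrong issuer
}

# ipsec.conf fragment for gw1 (assumed syntax; check against your release).
# rightid=%any is the "any cert from my CA" policy the post asks for;
# rightca pins which CA that means, so it is not "any CA in cacerts".
# Only ca.crt has to be copied to each gateway, never the peers' certs.
write_ipsec_conf() {
    cat > "$WORK/ipsec.conf" <<'EOF'
conn gw1-gw2
    keyexchange=ikev2
    authby=pubkey
    # gw1.crt lives in /etc/ipsec.d/certs, gw1.key in /etc/ipsec.d/private
    leftcert=gw1.crt
    leftid=@gw1.example.com
    right=%any
    rightid=%any
    rightca="C=US, O=Example, CN=Example VPN CA"
    auto=add
EOF
    printf '%s\n' "$WORK/ipsec.conf"
}

build_testbench
write_ipsec_conf >/dev/null
chains_to ca gw1 && echo "gw1 ($(cert_identity gw1)): chains to our CA"
chains_to ca gw2 && echo "gw2 ($(cert_identity gw2)): chains to our CA"
chains_to rogue rogue-gw && echo "rogue-gw: a valid cert, just from another CA"
chains_to ca rogue-gw || echo "rogue-gw ($(cert_identity rogue-gw)): rejected by our CA"
```

The point the last two lines make is the security caveat behind "trust any certificate signed by my CA": the only thing being checked is the chain to ca.crt, so whoever holds any certificate that CA ever issued (a decommissioned or compromised gateway included) can authenticate as a peer until that certificate is revoked or expires. Keep the CA key off the gateways and plan for CRL distribution before relying on rightid=%any in production.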