[strongSwan] how to create a ACL-like system based on certificates?

Andreas Schuldei schuldei at spotify.com
Thu May 13 01:02:30 CEST 2010


In order to have fine grained control over the IPsec traffic in our
distributed network of host-to-host ipsec connections we would like to
create a ACLs-like system.

For example all servers should be able to talk to infrastructure hosts
(like DNS or backup servers).

Only the other storage servers and the few specialized servers
accessing the storage system should be able to initiate connections to
storage servers.

Only the server distributing the search index and the few servers
quering the search system should be able to initiate connections to
search servers.

The monitoring servers should be able to initiate connections to all servers.

How could i represent such a system with different types of server
certificates (one type per server class) and strongswan configuration?

/andreas




More information about the Users mailing list