[strongSwan] multi ptp setup question.

Martin Willi martin at strongswan.org
Tue Feb 22 09:30:39 CET 2011

Hi Gary,

> So following my understanding, do I need to create a CA on each server
> a, b and c, and issue those keys out to a-e?

I don't see a reason to use multiple CAs in your setup. A single CA on a
completely separate host is sufficient, issuing a certificate for all of
your hosts.
Even if a host trusts the CA and all issued certificates, you can still
limit connections to selected identities.

> I don't know how this works with things like revocation on the remote
> servers that need check client access as well.

Revocation is completely optional. If you need it, your CA can issue
CRLs your hosts can fetch, or an OCSP responder may hand out certificate
status information on demand.

> Once I tackle this part of the problem, Windows clients will be the
> second part. Server d in the scenario above is a home office that
> needs to route in both directions, but e (to the nth) will be random
> Windows 7 workstations.

If you have Windows 7 workstations only, I'd highly recommend using the
newer IKEv2 protocol in your setup. You may use certificate or password
authentication (with EAP); you'll find more information in our wiki.
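An ipsec.conf putting the reply's points together on host a: one CA on a separate host that every peer trusts, per-tunnel restriction to a single allowed peer identity via rightid, optional CRL/OCSP checking in a ca section, and an IKEv2 conn for Windows 7 road warriors authenticating with EAP-MSCHAPv2. This is an added example, not part of Martin's reply or of strongSwan's own documentation; the option names are standard strongSwan ipsec.conf keywords, but every host name, distinguished name, URI, file name and subnet below is assumed.

```ini
# /etc/ipsec.conf on host a (constructed example, assumed names throughout)
# Assumed: CA "Example VPN CA" on a separate host, sites a.example.com
# (10.1.0.0/24) and b.example.com (10.2.0.0/24), client pool 10.9.0.0/24.

config setup
    # Refuse a peer whose revocation status cannot be determined
    # (only sensible once the CA actually publishes CRLs or runs OCSP).
    strictcrlpolicy=yes
    cachecrls=yes

# The single CA all hosts a-e trust. Revocation is optional: drop crluri
# and ocspuri if the CA publishes neither.
ca example-vpn
    cacert=exampleCA.pem
    crluri=http://ca.example.com/example-vpn.crl
    ocspuri=http://ocsp.example.com
    auto=add

conn %default
    keyexchange=ikev2
    leftcert=aCert.pem
    leftid="C=CH, O=Example, CN=a.example.com"
    leftauth=pubkey
    leftsendcert=always
    # Only certificates issued by our CA are acceptable from a peer ...
    rightca="C=CH, O=Example, CN=Example VPN CA"

# ... and for each site-to-site tunnel only one specific subject may bring
# it up, even though the CA has signed certificates for every host.
conn a-to-b
    left=%defaultroute
    leftsubnet=10.1.0.0/24
    right=b.example.com
    rightid="C=CH, O=Example, CN=b.example.com"
    rightsubnet=10.2.0.0/24
    rightauth=pubkey
    auto=start

# Windows 7 road warriors: the server proves itself with its certificate,
# users authenticate with a username/password over EAP-MSCHAPv2.
conn win7
    left=%defaultroute
    leftsubnet=0.0.0.0/0
    # Identity the clients type as the server name; aCert.pem must carry
    # this FQDN as a subjectAltName for Windows to accept it.
    leftid=a.example.com
    right=%any
    rightauth=eap-mschapv2
    eap_identity=%identity
    rightsourceip=10.9.0.0/24
    auto=add

# /etc/ipsec.secrets (assumed content, shown here as a comment):
#   : RSA aKey.pem
#   gary : EAP "change-me"
```

Tunnels to c and d are further conn sections copied from a-to-b with their own rightid and rightsubnet; because rightca and rightid narrow who may connect, a certificate issued by the CA to host e cannot bring up the a-to-b tunnel. Windows 7 additionally expects the server certificate to contain the connected host name in a subjectAltName and a serverAuth extended key usage, which is what the leftid override in the win7 conn relies on.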

