[strongSwan] multi ptp setup question.

Gary Smith gary.smith at holdstead.com
Tue Feb 22 18:00:20 CET 2011


> > So following my understanding, do I need to create a CA on each server
> > a, b and c, and issue those keys out to a-e?
> 
> I don't see a reason to use multiple CAs in your setup. A single CA on a
> completely separate host is sufficient, issuing a certificate for all of
> your hosts.
> Even if a host trusts the CA and all issued certificates, you can still
> limit connections to selected identities.
> 
> > I don't know how this works with things like revocation on the remote
> > servers that need to check client access as well.
> 
> Revocation is completely optional. If you need it, your CA can issue
> CRLs your hosts can fetch, or an OCSP responder may hand out certificate
> status information on demand.
> 
> > Once I tackle this part of the problem, Windows clients will be the
> > second part. Server d in the scenario above is a home office that
> > needs to route in both directions, but e (to the nth) will be random
> > Windows 7 workstations.
> 
> If you have Windows 7 workstations only, I'd highly recommend using the
> newer IKEv2 protocol in your setup. You may use certificate or password
> authentication (with EAP); you'll find more information in our wiki.

Martin, 

Thanks for the follow-up. So, in recap, I'll use my central CA to create SSL PEM certs to issue to each endpoint for the ptp and then set up IKEv2 with EAP for the workstations. It sounds reasonable. I've been looking through some of the additional docs (there's a lot to take in) for each of the configurations, so I'll probably try this weekend to see if I can at least get the ptp networks up and running first.

Again, thanks

Gary Smith
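The three points in the thread above (one CA for every host, restricting a peer to a named identity even though the CA is trusted for all of them, CRL/OCSP status checking, and IKEv2 with EAP for the Windows clients) can all be expressed in a single ipsec.conf. The following is an added illustration, not configuration posted by Gary or Martin and not taken from the strongSwan wiki; the host names, subnets, distinguished names, file names and the CRL/OCSP URLs are hypothetical placeholders to be replaced with your own.

```conf
# /etc/ipsec.conf on site-to-site host "a" (added example, hypothetical names)

config setup
    # Refuse a peer whose certificate status cannot be obtained via CRL/OCSP
    strictcrlpolicy=yes

# The one central CA that issues certificates for hosts a-e.
# centralCA.pem lives in /etc/ipsec.d/cacerts/.
ca central
    cacert=centralCA.pem
    crluri=http://ca.example.test/central.crl      # hypothetical CRL location
    ocspuri=http://ocsp.example.test               # hypothetical OCSP responder
    auto=add

conn %default
    keyexchange=ikev2
    left=%defaultroute
    leftcert=hostA.pem                             # this host's own certificate
    leftid="C=XX, O=Example, CN=a.example.test"
    leftsendcert=always

# Point-to-point tunnel to host "b": trusting the CA is not enough,
# the peer must also present exactly this identity issued by this CA.
conn to-b
    right=b.example.test
    rightid="C=XX, O=Example, CN=b.example.test"
    rightca="C=XX, O=Example, CN=Central CA"
    leftsubnet=10.1.0.0/24
    rightsubnet=10.2.0.0/24
    auto=start

# Roadwarrior Windows 7 clients: gateway authenticates with its certificate,
# users authenticate with EAP-MSCHAPv2 credentials instead of certificates.
conn roadwarrior-eap
    leftauth=pubkey
    rightauth=eap-mschapv2
    eap_identity=%any
    right=%any
    rightsendcert=never
    rightsourceip=10.9.0.0/24                      # pool handed to clients
    leftsubnet=0.0.0.0/0
    auto=add
```

Each ptp peer gets a mirrored `conn` with its own `leftcert`/`leftid` and the other side's `rightid`, so a certificate issued by the same CA for host c cannot be used to bring up the a-b tunnel. The private key and the EAP credentials go in /etc/ipsec.secrets (a `: RSA hostA.key` line for the host key and one `user : EAP "password"` line per Windows user); with `strictcrlpolicy=yes`, make sure the CRL or OCSP responder is reachable from every gateway before relying on it, or tunnels will fail to come up rather than degrade silently.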
