[strongSwan] Multi CA root configuration
Mickael SABELLE
mickael.sabelle at gmail.com
Tue Mar 8 18:34:28 CET 2011
Hi,

I need to configure two end-point tunnels on a strongSwan VPN gateway which
binds two different CA root certificates, and I would like to know if somebody
has already done that.

Ex: VPN clients coming through the GW ETH1 will be authenticated by a
certificate delivered by CA Root 1, and VPN clients coming through the GW
ETH2 will be authenticated by a certificate delivered by CA Root 2.

Can we declare several CAs in the ipsec.conf, for example as below?

# /etc/ipsec.conf - strongSwan IPsec configuration file

config setup
        crlcheckinterval=600s
        cachecrls=yes
        strictcrlpolicy=yes
        plutostart=no

ca rootCA1
        cacert=rootCA1Cert.pem
        crluri=http://crl2.strongswan.org/strongswanrootCA1.crl
        auto=add

ca rootCA2
        cacert=rootCA2Cert.pem
        crluri=http://crl2.strongswan.org/strongswanrootCA2.crl
        auto=add

conn %default
        keyingtries=1
        keyexchange=ikev2

conn roadwarrior1
        left=192.168.0.1
        leftsubnet=10.1.0.0/16
        leftcert=Gw-eth1Cert1.pem
        leftid=@Gw1.test.org
        right=%any
        rightca="C=FR, O=test1, CN= Root CA 1"
        auto=add

conn roadwarrior2
        left=172.16.0.1
        leftsubnet=10.1.0.0/16
        leftcert=Gw-eth2Cert2.pem
        leftid=@Gw2.test.org
        right=%any
        rightca="C=FR, O=test2, CN= Root CA 2"
        auto=add

Last question: do I have to add a specific parameter in the strongswan.conf to
manage 2 CAs?

Thanks in advance,
Mickael
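
An added example, not part of the original post and not strongSwan code: a small audit that parses an ipsec.conf laid out like the one above and reports which `right=%any` conn is tied to which `rightca`, flagging any that carry no CA constraint. The sample text is constructed, `roadwarrior3` is a hypothetical conn added to produce a finding, and `also=` includes are assumed not to be in use.

```python
# SAMPLE is constructed for this example; roadwarrior3 is hypothetical.
SAMPLE = """\
conn %default
    keyexchange=ikev2

conn roadwarrior1
    left=192.168.0.1
    right=%any
    rightca="C=FR, O=test1, CN= Root CA 1"

conn roadwarrior2
    left=172.16.0.1
    right=%any
    rightca="C=FR, O=test2, CN= Root CA 2"

conn roadwarrior3
    left=172.16.0.1
    right=%any
"""

def parse_ipsec_conf(text):
    """Return {(kind, name): {key: value}} for config/ca/conn sections."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments
        if not line.strip():
            continue
        if not line[0].isspace():              # section header starts in column 0
            kind, name = (line.split() + [""])[:2]
            current = sections.setdefault((kind, name), {})
        elif current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            current[key.strip()] = value.strip().strip('"')
    return sections

def audit_ca_pinning(text):
    """Map each right=%any conn to (left, rightca); list conns with no rightca."""
    sections = parse_ipsec_conf(text)
    defaults = sections.get(("conn", "%default"), {})
    pinned, findings = {}, []
    for (kind, name), params in sections.items():
        if kind != "conn" or name == "%default":
            continue
        conn = {**defaults, **params}          # %default applies unless overridden
        if conn.get("right") != "%any":
            continue
        if conn.get("rightca"):
            pinned[name] = (conn.get("left"), conn["rightca"])
        else:
            findings.append(f"{name}: right=%any without rightca")
    return pinned, findings
```

Calling `audit_ca_pinning()` on the text of a real file returns the per-conn mapping and the list of findings, which makes it easy to confirm that each gateway address is paired with the intended root CA.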