[strongSwan] Multi CA root configuration
Andreas Steffen
andreas.steffen at strongswan.org
Tue Mar 8 20:03:38 CET 2011
Hello Mickael,
your configuration looks fine.
On 03/08/2011 06:34 PM, Mickael SABELLE wrote:
> Hi,
> I need to configure two end-point tunnels on a strongSwan VPN
> gateway which binds two different CA root certificates, and I would like
> to know if somebody has already done that?
> Ex: a VPN client coming through the GW ETH1 will be authenticated by a
> certificate delivered by CA Root 1, and a VPN client coming through
> the GW ETH2 will be authenticated by a certificate delivered by CA Root 2.
> Can we declare several CAs in the ipsec.conf? For example as below?
>
> # /etc/ipsec.conf - strongSwan IPsec configuration file
>
> config setup
>     crlcheckinterval=600s
>     cachecrls=yes
>     strictcrlpolicy=yes
>     plutostart=no
>
> ca rootCA1
>     cacert=rootCA1Cert.pem
>     crluri=http://crl2.strongswan.org/strongswanrootCA1.crl
>     auto=add
>
> ca rootCA2
>     cacert=rootCA2Cert.pem
>     crluri=http://crl2.strongswan.org/strongswanrootCA2.crl
>     auto=add
>
> conn %default
>     keyingtries=1
>     keyexchange=ikev2
>
> conn roadwarrior1
>     left=192.168.0.1
>     leftsubnet=10.1.0.0/16
>     leftcert=Gw-eth1Cert1.pem
>     leftid=@Gw1.test.org
>     right=%any
>     rightca="C=FR, O=test1, CN= Root CA 1"
>     auto=add
>
> conn roadwarrior2
>     left=172.16.0.1
>     leftsubnet=10.1.0.0/16
>     leftcert=Gw-eth2Cert2.pem
>     leftid=@Gw2.test.org
>     right=%any
>     rightca="C=FR, O=test2, CN= Root CA 2"
>     auto=add
>
> Last question: do I have to add a specific parameter in the
> strongswan.conf to manage two CAs?
>
No additional parameters are needed.
> Thanks in advance,
> Mickael
Regards
Andreas
======================================================================
Andreas Steffen andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
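The configuration in this thread relies on two things working together: both `ca` sections are trusted, and each `conn` pins its peers to one of them through `rightca`. If a `rightca` line were dropped from one conn, a client holding a certificate from the other CA could authenticate over that tunnel, and with `strictcrlpolicy=yes` a CA whose CRL cannot be fetched would make every client of that CA fail. The script below is an added example (not strongSwan code and not from the thread) that parses the classic `ipsec.conf` layout shown above, applies `conn %default`, and reports exactly those two problems. The sample configuration embedded in it is constructed from the thread, with the `crluri` of `rootCA2` and the `rightca` of `roadwarrior2` deliberately removed so that both checks fire.

```python
"""Audit a multi-CA strongSwan ipsec.conf for missing rightca / crluri.

Added example; it assumes the classic ipsec.conf grammar used in the thread:
`config setup`, `ca <name>` and `conn <name>` headers at column 0, indented
key=value settings below them, and `conn %default` supplying defaults.
"""
import re
from collections import OrderedDict

# Constructed sample (from the thread) with two settings removed on purpose:
# rootCA2 has no crluri and roadwarrior2 has no rightca.
SAMPLE_CONF = """\
# /etc/ipsec.conf - strongSwan IPsec configuration file

config setup
    crlcheckinterval=600s
    cachecrls=yes
    strictcrlpolicy=yes
    plutostart=no

ca rootCA1
    cacert=rootCA1Cert.pem
    crluri=http://crl2.strongswan.org/strongswanrootCA1.crl
    auto=add

ca rootCA2
    cacert=rootCA2Cert.pem
    auto=add

conn %default
    keyingtries=1
    keyexchange=ikev2

conn roadwarrior1
    left=192.168.0.1
    leftsubnet=10.1.0.0/16
    leftcert=Gw-eth1Cert1.pem
    leftid=@Gw1.test.org
    right=%any
    rightca="C=FR, O=test1, CN= Root CA 1"
    auto=add

conn roadwarrior2
    left=172.16.0.1
    leftsubnet=10.1.0.0/16
    leftcert=Gw-eth2Cert2.pem
    leftid=@Gw2.test.org
    right=%any
    auto=add
"""

# A section header is an unindented "config|ca|conn <name>" line.
SECTION_RE = re.compile(r"^(config|ca|conn)\s+(\S+)\s*$")


def parse_ipsec_conf(text):
    """Return {(kind, name): {key: value}} in file order.

    Comment lines and blank lines are skipped; surrounding double quotes on a
    value (as in rightca="...") are removed so DNs compare cleanly.
    """
    sections = OrderedDict()
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = SECTION_RE.match(line)
        if m:
            current = (m.group(1), m.group(2))
            sections[current] = {}
            continue
        if current is None or "=" not in line:
            raise ValueError("setting outside a section: %r" % raw)
        key, value = line.strip().split("=", 1)
        sections[current][key.strip()] = value.strip().strip('"')
    return sections


def effective_conns(sections):
    """Merge conn %default into every other conn, as strongSwan does."""
    defaults = sections.get(("conn", "%default"), {})
    conns = OrderedDict()
    for (kind, name), settings in sections.items():
        if kind == "conn" and name != "%default":
            merged = dict(defaults)
            merged.update(settings)
            conns[name] = merged
    return conns


def audit(sections):
    """Return a list of findings; an empty list means the config passes."""
    findings = []
    setup = sections.get(("config", "setup"), {})
    cas = OrderedDict((n, s) for (k, n), s in sections.items() if k == "ca")
    strict_crl = setup.get("strictcrlpolicy", "no") == "yes"

    for name, ca in cas.items():
        if "cacert" not in ca:
            findings.append("ca %s: no cacert" % name)
        if strict_crl and "crluri" not in ca:
            findings.append("ca %s: strictcrlpolicy=yes but no crluri; the CRL "
                            "must then come from the cert's CDP or the crls "
                            "directory or all its clients are rejected" % name)

    for name, conn in effective_conns(sections).items():
        # With several trusted CAs, a roadwarrior conn without rightca accepts
        # a valid certificate from ANY of them, not just the intended one.
        if conn.get("right") == "%any" and len(cas) > 1 and "rightca" not in conn:
            findings.append("conn %s: right=%%any with %d trusted CAs but no "
                            "rightca; clients of every CA could use this tunnel"
                            % (name, len(cas)))
    return findings


if __name__ == "__main__":
    for finding in audit(parse_ipsec_conf(SAMPLE_CONF)):
        print(finding)
```

Run it against the real file with `audit(parse_ipsec_conf(open("/etc/ipsec.conf").read()))`; on the configuration as posted in the thread, where both `crluri` and both `rightca` lines are present, the finding list is empty.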