[strongSwan] Using existing CA for strongSwan; Way to specify which client certs are valid for VPN?

Andreas Steffen andreas.steffen at strongswan.org
Tue Apr 30 07:49:44 CEST 2013

Hello Igor,

have a look at the whitelist plugin which I think is going to
do what you want:


Here is a sample scenario:


If your clients use the subject Distinguished Name from their
certificates as IKE identity then you have to enter the DNs of
the entitled users into the whitelist.



On 04/29/2013 07:10 PM, Igor Sverkos wrote:
> Hi,
> we want to use our existing CA for strongSwan, too.
> As far as I understand, every certificate signed by our existing CA
> could also be used for VPN, right?
> That's not what we want. We want to control which certificate can be
> used for VPN. The reason we want this is to be able to control who is
> allowed to use the VPN.
> Is there a way to do that without creating our own CA just for
> strongSwan? For example can I tell strongSwan to only allow clients
> whose client certificates are also stored in /etc/ipsec.d/certs?

Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
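The approach above, as an added example that is not part of the thread or of strongSwan itself: a small script that derives the whitelist from the subject DNs of the client certificates kept in /etc/ipsec.d/certs, which is exactly the "only clients whose certificate is stored here" rule Igor asked for. It assumes the whitelist plugin is built in and enabled via `charon.plugins.whitelist.enable = yes` in strongswan.conf, that the `ipsec whitelist add|flush|list` subcommands are available as in the plugin's documentation, and that `openssl x509 -nameopt oneline` prints subjects as `subject=C = CH, O = ..., CN = ...`; verify all three against your installed version.

```shell
#!/bin/sh
# Added example (not from the original thread): populate the whitelist
# plugin with the subject DNs of every client certificate in CERT_DIR, so
# that only peers whose certificate is stored there are let in, even though
# the CA has signed many other certificates.
#
# Assumed strongswan.conf fragment (whitelist plugin built in):
#   charon {
#     plugins {
#       whitelist {
#         enable = yes
#       }
#     }
#   }
set -eu

CERT_DIR=${CERT_DIR:-/etc/ipsec.d/certs}

# Turn openssl's "subject=C = CH, O = strongSwan, CN = alice" into the
# "C=CH, O=strongSwan, CN=alice" notation strongSwan uses for DN identities.
# Attribute order is kept on purpose: a reversed (RFC 2253 style) DN is a
# different DN to strongSwan and would never match the peer's identity.
normalize_dn() {
    printf '%s\n' "$1" | sed -e 's/^subject= *//' -e 's/ = /=/g'
}

# Subject DN of one PEM certificate, in strongSwan notation.
dn_from_cert() {
    normalize_dn "$(openssl x509 -noout -subject -nameopt oneline -in "$1")"
}

# Replace the current whitelist with exactly the subjects found in CERT_DIR.
# Flushing first means a certificate removed from the directory loses access.
sync_whitelist() {
    ipsec whitelist flush
    for cert in "$CERT_DIR"/*.pem "$CERT_DIR"/*.crt; do
        [ -f "$cert" ] || continue
        dn=$(dn_from_cert "$cert")
        echo "whitelisting: $dn"
        ipsec whitelist add "$dn"
    done
    ipsec whitelist list
}

# Only act when invoked as "whitelist-sync.sh sync"; sourcing the file just
# defines the functions.
if [ "${1:-}" = "sync" ]; then
    sync_whitelist
fi
```

Peers whose certificate chains to the CA but whose DN is not in the list are still rejected at the IKE authentication stage by the plugin, so the directory becomes the single place where VPN entitlement is managed.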
