[strongSwan] Using existing CA for strongSwan; Way to specify which client certs are valid for VPN?

Andreas Steffen andreas.steffen at strongswan.org
Tue Apr 30 07:49:44 CEST 2013


Hello Igor,

have a look at the whitelist plugin which I think is going to
do what you want:

http://wiki.strongswan.org/projects/strongswan/wiki/Whitelist

Here is a sample scenario:

http://www.strongswan.org/uml/testresults/ikev2/rw-whitelist/

If your clients use the subject Distinguished Name from their
certificates as IKE identity then you have to enter the DNs of
the entitled users into the whitelist.

Regards

Andreas

On 04/29/2013 07:10 PM, Igor Sverkos wrote:
> Hi,
> 
> we want to use our existing CA for strongSwan, too.
> 
> As far as I understand, every certificate signed by our existing CA
> could also be used for VPN, right?
> 
> That's not what we want. We want to control which certificate can be
> used for VPN. The reason we want this is to be able to control who is
> allowed to use the VPN.
> 
> Is there a way to do that without creating our own CA just for
> strongSwan? For example can I tell strongSwan to only allow clients
> whose client certificates are also stored in /etc/ipsec.d/certs?
> 
======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
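The policy the whitelist plugin implements, written out as an added illustration (this is not strongSwan code and not part of the thread): a certificate chaining to the trusted CA is necessary but not sufficient; on top of that the peer's IKE identity has to appear in an explicit allowlist. The sample identities, the whitelist contents and the DN comparison rules (attribute types case-insensitive, values compared after trimming, non-DN identities such as FQDNs or e-mail addresses compared case-insensitively) are constructed assumptions for this example, not the plugin's actual matching semantics.

```python
import re
from dataclasses import dataclass

# Constructed sample whitelist: the IKE identities (subject DNs) of the
# users entitled to use the VPN, written the way strongSwan prints DNs.
WHITELIST = [
    "C=CH, O=strongSwan, CN=carol@strongswan.org",
    "C=CH, O=strongSwan, CN=dave@strongswan.org",
]

# Split a DN on commas that are not escaped with a backslash.
_RDN_SPLIT = re.compile(r"(?<!\\),")


def normalize_dn(dn: str) -> tuple:
    """Parse 'C=CH, O=Example, CN=user' into a tuple of (TYPE, value) pairs.

    Attribute types are upper-cased, values are trimmed and unescaped.
    Raises ValueError if the string is not a DN (assumed simplified rules).
    """
    rdns = []
    for part in _RDN_SPLIT.split(dn):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"not an attribute=value pair: {part!r}")
        attr, value = part.split("=", 1)
        rdns.append((attr.strip().upper(), value.strip().replace("\\,", ",")))
    if not rdns:
        raise ValueError("empty DN")
    return tuple(rdns)


def normalize_identity(ident: str):
    """Canonical form of an IKE identity for whitelist comparison.

    DNs become tuples; other identity types (FQDN, e-mail) are
    compared case-insensitively. Assumption for this example only.
    """
    if "=" in ident:
        return normalize_dn(ident)
    return ident.strip().lower()


@dataclass
class Decision:
    allowed: bool
    reason: str


def authorize(chain_valid: bool, ike_id: str, whitelist) -> Decision:
    """Decide whether a peer may use the VPN.

    chain_valid: result of the certificate chain check against the CA
    ike_id:      the identity the peer asserted in IKE_AUTH
    whitelist:   identities of entitled users
    """
    # A certificate that does not chain to the trusted CA is rejected first.
    if not chain_valid:
        return Decision(False, "certificate does not chain to a trusted CA")
    # A valid CA signature alone is not enough: the identity must be listed.
    try:
        ident = normalize_identity(ike_id)
    except ValueError as exc:
        return Decision(False, f"unparseable identity: {exc}")
    allowed = set()
    for entry in whitelist:
        try:
            allowed.add(normalize_identity(entry))
        except ValueError:
            continue  # malformed whitelist entries never grant access
    if ident in allowed:
        return Decision(True, "identity is whitelisted")
    return Decision(False, "CA-signed certificate but identity not whitelisted")


if __name__ == "__main__":
    # Constructed peers: one entitled user and one valid-but-unlisted user.
    for peer in ("C=CH, O=strongSwan, CN=carol@strongswan.org",
                 "C=CH, O=strongSwan, CN=mallory@strongswan.org"):
        d = authorize(True, peer, WHITELIST)
        print(f"{peer}: {'ALLOW' if d.allowed else 'DENY'} ({d.reason})")
```

Note the last point in the mail: the whitelist is matched against the IKE identity, so if clients authenticate with an FQDN or e-mail address rather than their subject DN, the whitelist must contain those identities instead; in the example above a whitelist of DNs rejects a peer that presents "carol@strongswan.org" as its identity.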
