[strongSwan] Using existing CA for strongSwan; Way to specify which client certs are valid for VPN?
andreas.steffen at strongswan.org
Tue Apr 30 07:49:44 CEST 2013
Have a look at the whitelist plugin which I think is going to
do what you want:
Here is a sample scenario:
If your clients use the subject Distinguished Name from their
certificates as IKE identity, then you have to enter the DNs of
the entitled users into the whitelist.
On 04/29/2013 07:10 PM, Igor Sverkos wrote:
> we want to use our existing CA for strongSwan, too.
> As far as I understand, every certificate signed by our existing CA
> could also be used for VPN, right?
> That's not what we want. We want to control which certificate can be
> used for VPN. The reason we want this is to be able to control who is
> allowed to use the VPN.
> Is there a way to do that without creating an own CA just for
> strongSwan? For example can I tell strongSwan to only allow clients
> whose client certificates are also stored in /etc/ipsec.d/certs?
Andreas Steffen andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
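
One way to build the whitelist from the entitled users' certificates, added here as an example (not part of the original message and not strongSwan's own tooling): the script reads each subject DN with openssl and prints the `ipsec whitelist` commands for review. It assumes clients send the certificate subject DN as IKE identity, as described above, and that the directory passed in holds only the permitted client certificates; the function names are hypothetical.

```shell
#!/bin/sh
# Build whitelist entries from the certificates of the entitled users.
# Assumption: the directory given as $1 contains only PEM certificates of
# clients that may use the VPN (the question mentions /etc/ipsec.d/certs).

# Print the subject DN of one PEM certificate in certificate order,
# e.g. "C=CH, O=Example, CN=alice" (no RFC 2253 reversal of the RDNs).
cert_subject_dn() {
    openssl x509 -in "$1" -noout -subject \
        -nameopt sep_comma_plus_space 2>/dev/null |
        sed -e 's/^subject= *//'
}

# Print one DN per line for every certificate in the directory.
# Files that do not parse as certificates are skipped, duplicates dropped.
whitelist_dns() {
    for f in "$1"/*.pem "$1"/*.crt; do
        [ -f "$f" ] || continue
        dn=$(cert_subject_dn "$f")
        [ -n "$dn" ] && printf '%s\n' "$dn"
    done | sort -u
}

# Emit the whitelist commands on stdout so they can be reviewed before
# being run on the gateway. Embedded single quotes in a DN are escaped.
whitelist_commands() {
    whitelist_dns "$1" | while IFS= read -r dn; do
        quoted=$(printf '%s' "$dn" | sed "s/'/'\\\\''/g")
        printf "ipsec whitelist add '%s'\n" "$quoted"
    done
    # Entries are only enforced once the whitelist is enabled.
    printf 'ipsec whitelist enable\n'
}

# Usage: sh whitelist-from-certs.sh /etc/ipsec.d/certs
if [ -n "${1:-}" ]; then
    whitelist_commands "$1"
fi
```

The whitelist plugin must be loaded by the IKE daemon for these commands to have any effect, and each DN has to match the identity the client actually sends.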