Hi Claude,

> Is the rightgroups parameter in ipsec.conf applicable to Certificate DNs?

No, none of the DN components is interpreted as a group. To limit a connection to an O=, OU= or other RDN you can use wildcards in rightid, such as "C=CH, O=strongSwan, OU=sales, CN=*".

Regards
Martin
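
The wildcard rightid approach described in the reply above, shown as an added ipsec.conf fragment that is not part of the original message. The connection names, the gateway certificate file name, the subnets and the OU=research value are assumptions made for illustration.

```conf
# Added example (constructed), not from the original post.
# Defaults shared by both connections; gatewayCert.pem is a hypothetical file name.
conn %default
    keyexchange=ikev2
    left=%any
    leftcert=gatewayCert.pem
    right=%any
    auto=add

# Matches only peers whose certificate subject carries OU=sales.
conn sales
    leftsubnet=10.1.0.0/24
    rightid="C=CH, O=strongSwan, OU=sales, CN=*"

# A second OU (constructed value) gets its own connection and subnet.
conn research
    leftsubnet=10.2.0.0/24
    rightid="C=CH, O=strongSwan, OU=research, CN=*"
```

Because the match is made on the subject DN of the peer certificate, this separation is only as strong as the issuing CA's control over who receives a given OU value.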