[strongSwan] routing based on rightid

Martin Willi martin at strongswan.org
Thu Oct 24 10:01:15 CEST 2013

Hi Hans,

> I added multiple certificates OU=<groupname> to the cert store, hoping
> that Windows would ask me which one to use, with no luck.

I assume you are using Machine Certificates to authenticate the clients?
I'm not aware of a way to enforce a specific certificate in IKE

What you might try is to switch from Machine Certificates to EAP-TLS
authentication (in IKEv2). Microsoft uses EAP-TLS to authenticate users
(not the Machine) with certificates or Smartcards. When selecting "Smart
Card or certificate" as EAP method, you can even (un-)set a "Use simple
certificate selection" flag that sounds promising.

Please be aware that certificates and keys have to go in the user
certificate store for EAP-TLS, and that you have to ./configure
strongSwan with --enable-eap-tls and set rightauth=eap-tls, see [1] for


