[strongSwan] how to use 'rightca' connection option?
Andreas Steffen
andreas.steffen at strongswan.org
Wed Nov 23 19:50:49 CET 2016
Hi John,
could you send me a log file showing that a CA different from the CA
requested by rightca is accepted?
Best regards
Andreas
On 23.11.2016 16:41, John Brown wrote:
> Hello all,
>
> I'm using Linux strongSwan U5.2.1/K3.4.112 and I'm trying to implement
> the rightca option in the ipsec.conf file, but without success.
>
> As far as I understand the documentation, if rightca contains the DN of a
> certificate authority which lies in the trust path from the end device
> cert to rootca, the authentication process will pass (assuming that other
> elements are configured fine), otherwise it will fail, and this is the
> functionality I need. But in my scenario, whatever the value of
> rightca is, the authentication process passes with success.
>
> I've put rightca on the initiator of the IKEv2 tunnel, root ca chain path
> length is 2 (root ca->sub1->sub2->end device cert). Currently only root
> ca is installed in /etc/ipsec.d/cacerts.
>
> Part of the connection config:
>
> conn lap1
>     auto=add
>     left=%any
>     right=192.168.1.1
>     rightsubnet=10.0.0.0/24
>     ...
>     leftauth=pubkey
>     rightauth=pubkey
>     leftcert=cert.crt
>     rightid="CN=*, ST=Stttt, C=Cccc, E=E at eeee, O=Oooooo, L=Lllllll, OU=*, OU=Ouuuuuu"
>     rightca="CN=aa, ST=aa, C=aa, E=aa, O=aa, L=aa, OU=aa, OU=aa"
>
> I've changed values of fields in rightid, but rightca is taken from the real
> config without modification.
>
> I'm probably missing something obvious, or do not understand this
> feature, but I have no idea what this can be.
>
> Does anybody know?
>
> Best regards,
> John,
======================================================================
Andreas Steffen andreas.steffen at strongswan.org
strongSwan - the Open Source VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
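
Added example (not part of the original messages and not strongSwan code): a small Python model of the trust-path check that the quoted question expects from rightca, using the chain shape it describes (root ca->sub1->sub2->end device cert). The DNs, the CERTS table and all function names are constructed for illustration; treating RDN order as significant is an assumption of this model.

```python
# Model of a "CA must lie in the peer's trust path" constraint.
# Certificates are reduced to subject/issuer DNs; all data is constructed.

def parse_dn(dn):
    """Split 'CN=a, O=b' into an ordered list of (TYPE, value) pairs.
    Simplified: no escaped commas; RDN order is treated as significant."""
    rdns = []
    for part in dn.split(","):
        attr, _, value = part.strip().partition("=")
        rdns.append((attr.strip().upper(), value.strip()))
    return rdns

def trust_path(end_subject, certs):
    """CA subject DNs from the end certificate's issuer up to the root.
    certs maps subject DN -> issuer DN; a self-signed entry is a root."""
    path, seen = [], set()
    current = certs[end_subject]
    while current not in seen:
        seen.add(current)
        path.append(current)
        if current not in certs or certs[current] == current:
            break  # issuer certificate unavailable, or root reached
        current = certs[current]
    return path

def ca_constraint_ok(rightca, end_subject, certs):
    """True only if the rightca DN names a CA in the end cert's trust path."""
    wanted = parse_dn(rightca)
    return any(parse_dn(ca) == wanted for ca in trust_path(end_subject, certs))

# Constructed chain: root -> sub1 -> sub2 -> end device certificate.
CERTS = {
    "CN=Root CA, O=Example": "CN=Root CA, O=Example",
    "CN=Sub1 CA, O=Example": "CN=Root CA, O=Example",
    "CN=Sub2 CA, O=Example": "CN=Sub1 CA, O=Example",
    "CN=device1, O=Example": "CN=Sub2 CA, O=Example",
}
END = "CN=device1, O=Example"

if __name__ == "__main__":
    for ca in ("CN=Sub1 CA, O=Example", "CN=Other CA, O=Example"):
        verdict = "accept" if ca_constraint_ok(ca, END, CERTS) else "reject"
        print(f"rightca={ca!r}: {verdict}")
```
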