[strongSwan] how to use 'rightca' connection option?

Andreas Steffen andreas.steffen at strongswan.org
Wed Nov 23 19:50:49 CET 2016

Hi John,

could you send me a log file showing that a CA different from the CA
requested by rightca is accepted?

Best regards


On 23.11.2016 16:41, John Brown wrote:
> Hello all,
> I'm using Linux strongSwan U5.2.1/K3.4.112 and I'm trying to implement
> rightca option in ipsec.conf file but without a success.
> As far as I understand the documentation, if rightca contains DN of a
> certificate authority which lies in the trust path from the end device
> cert to rootca, authentication process will pass (assuming that other
> elements are configured fine) otherwise will fail and this is the
> functionality I need. But in my scenario,  whatever is the value of
> rightca, the authentication process pass with success.
> I've put rightca on the initiator of IKEv2 tunnel, root ca chain path
> lenght is 2 (root ca->sub1->sub2->end device cert). Currently only root
> ca is installed in /etc/ipsec.d/cacerts.
> Part of the connection config:
> conn lap1
>          auto=add
>          left=%any
>          right=
>          rightsubnet= <>
>          ...
>          leftauth=pubkey
>          rightauth=pubkey
>          leftcert=cert.crt
>          rightid="CN=*, ST=Stttt, C=Cccc, E=E at eeee, O=Oooooo, L=Lllllll,
> OU=*, OU=Ouuuuuu"
>          rightca="CN=aa, ST=aa, C=aa, E=aa, O=aa, L=aa, OU=aa, OU=aa"
> I've changed values of fields in righid, but rightca is taken from real
> config without modification.
> I'm probably missing something obvious, or does not understand this
> feature, but I have no idea, what this can be.
> Does anybody knows?
> Best regards,
> John,

Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Open Source VPN Solution!          www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3859 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.strongswan.org/pipermail/users/attachments/20161123/d814dce2/attachment.bin>

More information about the Users mailing list