[strongSwan] how to use 'rightca' connection option?
andreas.steffen at strongswan.org
Wed Nov 23 19:50:49 CET 2016
Could you send me a log file showing that a CA different from the CA
requested by rightca is accepted?
On 23.11.2016 16:41, John Brown wrote:
> Hello all,
> I'm using Linux strongSwan U5.2.1/K3.4.112 and I'm trying to implement
> the rightca option in the ipsec.conf file, but without success.
> As far as I understand the documentation, if rightca contains the DN of a
> certificate authority which lies in the trust path from the end-device
> cert to the root CA, the authentication process will pass (assuming that other
> elements are configured fine); otherwise it will fail, and this is the
> functionality I need. But in my scenario, whatever the value of
> rightca, the authentication process passes with success.
> I've put rightca on the initiator of the IKEv2 tunnel; the root CA chain path
> length is 2 (root ca->sub1->sub2->end device cert). Currently only the root
> CA is installed in /etc/ipsec.d/cacerts.
> Part of the connection config:
> conn lap1
> rightsubnet=10.0.0.0/24
> rightid="CN=*, ST=Stttt, C=Cccc, E=E at eeee, O=Oooooo, L=Lllllll, OU=*, OU=Ouuuuuu"
> rightca="CN=aa, ST=aa, C=aa, E=aa, O=aa, L=aa, OU=aa, OU=aa"
> I've changed the values of the fields in rightid, but rightca is taken from the real
> config without modification.
> I'm probably missing something obvious, or I do not understand this
> feature, but I have no idea what this can be.
> Does anybody know?
> Best regards,
Andreas Steffen andreas.steffen at strongswan.org
strongSwan - the Open Source VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
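The behaviour John expects from rightca (accept only when the named CA DN appears among the issuers in the peer's certificate path, reject otherwise) can be modelled outside strongSwan to reason about the check; the snippet below is an added illustration written for this thread, not strongSwan's own code, and it assumes a constructed four-certificate chain (root -> sub1 -> sub2 -> end device) represented only by subject/issuer DN strings, plus a simplified DN comparison and a `*` wildcard for rightid values:

```python
# Added illustration of what a rightca constraint should enforce; a simplified
# model, not strongSwan's implementation. The chain below is constructed.
from typing import List, Tuple

RDN = Tuple[str, str]

def parse_dn(dn: str) -> List[RDN]:
    """Split a comma-separated DN string into (type, value) pairs.
    Attribute types are compared case-insensitively; values exactly."""
    rdns = []
    for part in dn.split(","):
        typ, sep, val = part.partition("=")
        if not sep:
            raise ValueError(f"malformed RDN: {part!r}")
        rdns.append((typ.strip().upper(), val.strip()))
    return rdns

def dn_matches(pattern: str, subject: str) -> bool:
    """True if subject satisfies pattern RDN by RDN; a pattern value of '*'
    matches any value (the wildcard form used in rightid). RDN order and
    count must agree."""
    p, s = parse_dn(pattern), parse_dn(subject)
    if len(p) != len(s):
        return False
    return all(pt == st and (pv == "*" or pv == sv)
               for (pt, pv), (st, sv) in zip(p, s))

# Constructed chain, listed from the end-device certificate up to the root;
# each entry is (subject DN, issuer DN). The root is self-signed.
CHAIN = [
    ("CN=lap1-device, O=Example, C=XX",    "CN=Example Sub2 CA, O=Example, C=XX"),
    ("CN=Example Sub2 CA, O=Example, C=XX", "CN=Example Sub1 CA, O=Example, C=XX"),
    ("CN=Example Sub1 CA, O=Example, C=XX", "CN=Example Root CA, O=Example, C=XX"),
    ("CN=Example Root CA, O=Example, C=XX", "CN=Example Root CA, O=Example, C=XX"),
]

def chain_is_linked(chain) -> bool:
    """Each certificate's issuer must be the subject of the next one up."""
    return all(parse_dn(chain[i][1]) == parse_dn(chain[i + 1][0])
               for i in range(len(chain) - 1))

def rightca_satisfied(chain, rightca: str) -> bool:
    """Accept only if the chain links and some issuer DN equals rightca exactly."""
    if not chain_is_linked(chain):
        return False
    return any(parse_dn(rightca) == parse_dn(issuer) for _, issuer in chain)

def peer_accepted(chain, rightid: str, rightca: str) -> bool:
    """Both constraints must hold: identity pattern on the end-device subject,
    and the rightca DN somewhere in the trust path."""
    return dn_matches(rightid, chain[0][0]) and rightca_satisfied(chain, rightca)
```

With this model a rightca DN that is not in the path (as with the placeholder "CN=aa, ..." value in the quoted config) is rejected even when rightid matches, which is the outcome the log file Andreas asks for would have to confirm or refute.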