[strongSwan] PKI configuration per connection

Guylain Lavoie guylainlavoie at gmail.com
Thu Apr 13 04:17:59 CEST 2017

Hi everyone,

I am trying to implement a client-side framework in which each IPsec
connection has its own configuration. For PSK this was quite easy to achieve.
Unfortunately, the same principle should also apply to the PKI configuration
(own identity certificate/private key and trusted certificates). This does
not seem to be supported. Am I right?

-- Trusted certificate

By default all trusted certificates are in the same folder. The ca section
allows us to pick an individual trusted certificate. However, even if several
ca sections are used, there does not seem to be a way to link them to a
specific connection. They just seem to be global to all connections.

Another option I thought of is specifying which trusted certificate is
associated with which connection by including several rightca lines. I
could not find an example of this on the web. Is that possible?

-- Identity certificate / private key

Concerning specifying an identity certificate / private key per connection:
although it is possible to specify the identity certificate with leftcert,
it is not possible to specify the private key to be used except in an
ipsec.secrets RSA line. Is it possible to specify several RSA lines and
let strongSwan determine which one corresponds to the correct identity
certificate? How would that work?

I found two pieces of documentation that seem to be in contradiction.

In https://wiki.strongswan.org/projects/strongswan/wiki/IpsecSecret

    Authentication by public key systems such as RSA requires that each host
    have its own private key. A host could reasonably use different private
    keys for different interfaces and for different peers. But it would not be
    normal to share entries between systems. Thus no-selector and one-selector
    forms of entry often make sense for public key authentication.

In https://github.com/strongswan/strongswan, there is the following section:

    Multiple certificates

    strongSwan supports multiple local host certificates and corresponding RSA
    private keys:

    conn rw1
         right=%any
         rightid=peer1.domain1
         leftcert=myCert1.pem
         # leftid is DN of myCert1

    conn rw2
         right=%any
         rightid=peer2.domain2
         leftcert=myCert2.pem
         # leftid is DN of myCert2

    When peer1 initiates a connection then strongSwan will send myCert1 and
    will sign with myKey1 defined in /etc/ipsec.secrets (see below) whereas
    myCert2 and myKey2 will be used in a connection setup started from peer2.

Is it possible to specify one private key per connection?

-- vti

Finally, we are using vti. We create one unique device per connection.
Unfortunately, the address is assigned automatically to my eth0 device
instead of the proper device associated with my connection. There is the
charon option install_virtual_ip_on, which allows me to specify on which
device the virtual IP address must be added, but that does not work for
multiple connections. Any trick for that?

I am currently on strongswan version 5.5.1.

Is there a way to achieve all that I want?
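The per-connection certificate/key and rightca setup the post asks about, written out as an added example (not from the post, the strongSwan wiki or the strongSwan repository). File names, distinguished names and addresses are placeholders; the certificates are assumed to live in /etc/ipsec.d/certs, the keys in /etc/ipsec.d/private and the CA certificates in /etc/ipsec.d/cacerts, which is where the ipsec.conf-style stack loads them from.

```ini
# /etc/ipsec.conf  (added example; names and addresses are placeholders)

config setup

conn %default
    keyexchange=ikev2
    authby=pubkey
    left=%defaultroute
    auto=add

# Connection 1: our identity is site1Cert.pem, the peer must chain up to Site1 CA
conn site1
    leftcert=site1Cert.pem                 # /etc/ipsec.d/certs/site1Cert.pem
    leftid="C=CH, O=Example, CN=client.site1"
    right=203.0.113.10
    rightid="C=CH, O=Example, CN=gw.site1"
    rightca="C=CH, O=Example, CN=Site1 CA"  # this CA must lie in the peer's trust path

# Connection 2: a different local certificate and a different required CA
conn site2
    leftcert=site2Cert.pem                 # /etc/ipsec.d/certs/site2Cert.pem
    leftid="C=CH, O=Example, CN=client.site2"
    right=198.51.100.20
    rightid="C=CH, O=Example, CN=gw.site2"
    rightca="C=CH, O=Example, CN=Site2 CA"

# /etc/ipsec.secrets  (added example)
# One RSA line per private key; no selector is needed. charon loads every
# key and uses the one whose public key matches the leftcert of the
# connection being negotiated, so each conn signs with its own key.
: RSA site1Key.pem                         # /etc/ipsec.d/private/site1Key.pem
: RSA site2Key.pem                         # /etc/ipsec.d/private/site2Key.pem
```

Two caveats worth checking on a real deployment: rightca constrains which CA has to appear in the peer's certificate chain, but it does not load that CA; both CA certificates still have to be present in /etc/ipsec.d/cacerts (or a ca section), so they remain trusted globally and rightca is the only thing keeping site2's CA from authenticating a site1 peer. And a key is only matched to a certificate by its public key, so if two conn sections share a leftcert they necessarily share a key; distinct keys per connection require distinct certificates.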

