[strongSwan] PKI configuration per connection

Tobias Brunner tobias at strongswan.org
Thu Apr 13 18:50:14 CEST 2017

Hi Guylain,

> -- Trusted certificate
> By default all trusted certificates are in the same folder. Ca section
> allows us to pick individual trusted certificate. However, even if
> several ca sections are used, there does not seem to be a way to link
> them to a specific connection. They just seem to be global to all
> connections.

You may list accepted certificates in `rightcert` or the accepted CA DN
in `rightca` for each connection.

> Another option that I thought of is by specifying which trusted
> certificate is associated with which connection by including several
> rightca lines. I could not find an example of this on the web. Is that
> something possible?

Multiple CA certificates can be associated with a connection via
swanctl.conf where you can list several CA certs in `cacerts`.

> -- Identity certificate / private key
> Concerning specifying an identity certificate / private key per
> connection, although it is possible to specify the identity certificate
> with leftcert, it is not possible to specify the private key to be used
> except in ipsec.secrets RSA line. Is it possible to specify several RSA
> lines and let strongswan determine which one correspond with the correct
> identity certificate? How would that work?

If you set `leftcert` the corresponding private key is used, no matter
how many other private keys are defined.

> Finally, we are using vti. We create one unique device per connection.
> Unfortunately the address is assigned automatically to my eth0 devices
> instead of the proper device which is associated to the device for my
> connection. There is the Charon option install_virtual_ip_on which
> allows me to specify on which device the virtual ip address must be
> added but that does not work for multiple connections. Any trick for that?

Use a custom updown script if you need something like that and install
the virtual IP yourself (i.e. disable charon.install_virtual_ip). But
you might not need VTI devices or one for each connection.
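The per-connection trust settings discussed above, written out as an added swanctl.conf example (this is not configuration from the original thread or from the strongSwan project; the connection names, file names, addresses and DNs are made up). Each connection names its own identity certificate in `certs`, whose private key charon picks from the `private` directory by itself, and its own accepted CA in `cacerts`; the `updown` and `mark_in`/`mark_out` settings belong to the VTI case, where the virtual IP is requested with `vips` but installed by the script rather than by charon (with `charon.install_virtual_ip = no` in strongswan.conf).

```conf
connections {
    site-a {
        remote_addrs = 203.0.113.10
        vips = 0.0.0.0                  # ask the peer for an IPv4 virtual IP
        local {
            auth = pubkey
            certs = site-a.pem          # identity cert for this connection; key is matched from swanctl/private
        }
        remote {
            auth = pubkey
            cacerts = ca-a.pem          # only this CA is trusted for peers of site-a
            id = "C=CH, O=Example, CN=peer-a"
        }
        children {
            net-a {
                remote_ts = 10.1.0.0/24
                mark_in = 0x0a          # match the fwmark of the vti-site-a device
                mark_out = 0x0a
                updown = /usr/local/libexec/vti-updown.sh   # assumed path to the custom script below
            }
        }
    }
    site-b {
        remote_addrs = 203.0.113.20
        vips = 0.0.0.0
        local {
            auth = pubkey
            certs = site-b.pem          # a different identity cert, hence a different private key
        }
        remote {
            auth = pubkey
            cacerts = ca-b.pem          # a separate CA, trusted for site-b only
            id = "C=CH, O=Example, CN=peer-b"
        }
        children {
            net-b {
                remote_ts = 10.2.0.0/24
                mark_in = 0x0b
                mark_out = 0x0b
                updown = /usr/local/libexec/vti-updown.sh
            }
        }
    }
}
```

The point of keeping the CA per connection rather than in a shared directory is that a certificate issued by ca-b can never authenticate a peer of site-a, even if both CAs are otherwise valid on the host; a wrong or compromised CA then only affects the connection that names it.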
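The custom updown script suggested above, as an added example (not code from the thread or from the strongSwan project). It assumes one VTI device per connection, named after the connection (`vti-<connection>`), that `charon.install_virtual_ip = no` is set so charon leaves the address alone, and that charon exports `PLUTO_VERB`, `PLUTO_CONNECTION` and `PLUTO_MY_SOURCEIP4_1` (the first IPv4 virtual IP) to the script; the device naming and the `UPDOWN_DRY_RUN` switch are this example's own conventions.

```shell
#!/bin/sh
# Added example of a per-connection VTI updown script for strongSwan.
# Assumed environment (set by charon when it runs an updown script):
#   PLUTO_VERB            up-client / down-client / up-host / down-host ...
#   PLUTO_CONNECTION      name of the connection
#   PLUTO_MY_SOURCEIP4_1  first IPv4 virtual IP assigned to this connection
# Assumed convention: the VTI device for connection X is called vti-X.

# Map a connection name to its VTI device name.
vti_device() {
    printf 'vti-%s\n' "$1"
}

# Build the ip(8) commands for one up/down event; prints one command per line.
# Arguments: verb connection virtual_ip
# Returns 1 if an "up" event arrives without a virtual IP (nothing to install).
vti_commands() {
    verb=$1; conn=$2; vip=$3
    dev=$(vti_device "$conn")
    case "$verb" in
        up-client|up-host)
            [ -n "$vip" ] || return 1
            printf 'ip addr add %s/32 dev %s\n' "$vip" "$dev"
            printf 'ip link set %s up\n' "$dev"
            ;;
        down-client|down-host)
            if [ -n "$vip" ]; then
                printf 'ip addr del %s/32 dev %s\n' "$vip" "$dev"
            fi
            ;;
        *)
            ;;   # IPv6 and other verbs are deliberately not handled here
    esac
}

# Entry point: run the commands, or only print them when UPDOWN_DRY_RUN=1.
updown_main() {
    cmds=$(vti_commands "${PLUTO_VERB:-}" "${PLUTO_CONNECTION:-}" \
                        "${PLUTO_MY_SOURCEIP4_1:-}") || return 0
    if [ "${UPDOWN_DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$cmds"
    else
        printf '%s\n' "$cmds" | while IFS= read -r c; do
            [ -n "$c" ] && $c
        done
    fi
}

# Only act when invoked by charon; sourcing the file for tests does nothing.
if [ -n "${PLUTO_VERB:-}" ]; then
    updown_main
fi
```

Because the address lands on the device whose fwmark matches the connection's `mark_in`/`mark_out`, traffic for site-a cannot be routed out through site-b's tunnel by a stale address on eth0; a dry run (`PLUTO_VERB=up-client PLUTO_CONNECTION=site-a PLUTO_MY_SOURCEIP4_1=10.5.0.7 UPDOWN_DRY_RUN=1 sh vti-updown.sh`) shows exactly which commands would be executed before the script is wired into swanctl.conf.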

