[strongSwan] PKI configuration per connection

Guylain Lavoie guylainlavoie at gmail.com
Fri Apr 14 19:52:12 CEST 2017


Thank you Tobias. I was not aware of swanctl.conf. It is really much more
flexible than ipsec.conf.

Guylain

On Thu, Apr 13, 2017 at 12:50 PM, Tobias Brunner <tobias at strongswan.org>
wrote:

> Hi Guylain,
>
> > -- Trusted certificate
> >
> > By default all trusted certificates are in the same folder. The CA section
> > allows us to pick individual trusted certificates. However, even if
> > several ca sections are used, there does not seem to be a way to link
> > them to a specific connection. They just seem to be global to all
> > connections.
>
> You may list accepted certificates in `rightcert` or the accepted CA DN
> in `rightca` for each connection.
>
> > Another option that I thought of is by specifying which trusted
> > certificate is associated with which connection by including several
> > rightca lines. I could not find an example of this on the web. Is that
> > something possible?
>
> Multiple CA certificates can be associated with a connection via
> swanctl.conf where you can list several CA certs in `cacerts`.
>
> > -- Identity certificate / private key
> >
> > Concerning specifying an identity certificate / private key per
> > connection, although it is possible to specify the identity certificate
> > with leftcert, it is not possible to specify the private key to be used
> > except in the ipsec.secrets RSA line. Is it possible to specify several RSA
> > lines and let strongswan determine which one corresponds with the correct
> > identity certificate? How would that work?
>
> If you set `leftcert` the corresponding private key is used, no matter
> how many other private keys are defined.
>
> > Finally, we are using vti. We create one unique device per connection.
> > Unfortunately the address is assigned automatically to my eth0 devices
> > instead of the proper device which is associated to the device for my
> > connection. There is the Charon option install_virtual_ip_on which
> > allows me to specify on which device the virtual ip address must be
> > added but that does not work for multiple connections. Any trick for
> > that?
>
> Use a custom updown script if you need something like that and install
> the virtual IP yourself (i.e. disable charon.install_virtual_ip).  But
> you might not need VTI devices or one for each connection.
>
> Regards,
> Tobias
>
>
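The updown approach Tobias suggests for the VTI question, as an added example that is not part of the original thread or of strongSwan's own scripts. It assumes `charon.install_virtual_ip = no` in strongswan.conf (so charon no longer puts the virtual IP on eth0), that the script is referenced from each child in swanctl.conf (`updown = /usr/local/libexec/vti-updown.sh`) with `vips = 0.0.0.0` requesting a virtual IP, and that the VTI devices are named `vti-<connection name>`; the device naming and the script path are assumptions, while `PLUTO_VERB`, `PLUTO_CONNECTION` and `PLUTO_MY_SOURCEIP` are the environment variables charon's updown plugin sets. Per-connection trust, the other point in the thread, needs no script: in swanctl.conf each connection's `remote.cacerts` and `local.certs` select the CA and identity certificate for that connection alone, and charon picks the matching private key from the swanctl `private` directory.

```shell
#!/bin/sh
# vti-updown.sh (hypothetical): install the virtual IP on the connection's own
# VTI device instead of eth0. Invoked by charon with PLUTO_* in the environment.
# Assumes charon.install_virtual_ip = no, so nothing else installs the address.

# Map a connection name to its VTI device (assumed naming: vti-<connection>).
vti_device_for() {
    printf 'vti-%s\n' "$1"
}

# Build the ip(8) command for the given updown verb, connection and virtual IP.
# The command is returned as text rather than executed, so it can be reviewed
# (and tested) without root and without real devices. Fails on an unknown verb
# or a missing virtual IP, so the caller can simply do nothing in those cases.
vip_command() {
    verb=$1; conn=$2; vip=$3
    case "$verb" in
        up-*)   action=add ;;      # up-client, up-host, up-client-v6, ...
        down-*) action=del ;;
        *)      return 1 ;;
    esac
    [ -n "$vip" ] || return 1
    # Host route for the virtual IP: /32 for IPv4, /128 for IPv6.
    case "$vip" in
        *:*) plen=128 ;;
        *)   plen=32 ;;
    esac
    printf 'ip addr %s %s/%s dev %s\n' "$action" "${vip%%/*}" "$plen" "$(vti_device_for "$conn")"
}

# Only act when charon invoked us; sourcing the file (or running the checks
# below) leaves PLUTO_VERB unset and changes nothing on the host.
if [ -n "${PLUTO_VERB:-}" ]; then
    cmd=$(vip_command "$PLUTO_VERB" "${PLUTO_CONNECTION:-}" "${PLUTO_MY_SOURCEIP:-}") || exit 0
    logger -t vti-updown "${PLUTO_CONNECTION:-?}: $cmd"
    $cmd
fi
```

Because charon runs the script for every child SA, keep the device mapping derived from `PLUTO_CONNECTION` rather than hard-coded, so adding a connection only requires creating its VTI device and a matching swanctl.conf entry.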