[strongSwan] Migrating to a new ca
Dirk Hartmann
dha at heise.de
Wed Feb 21 14:55:04 CET 2018
Hi,
after many years with our old certification authority for strongSwan
I'm planning to migrate to a new one with more modern crypto.
To make it as painless as possible for the end users I plan on adding a
second CA and a matching second server certificate to our installation.
Over time I would update the old clients with the new CA and new
certificates.
For the Linux and Mac clients and some Windows clients we use unique
connection descriptions, so there is no problem providing a leftid and
leftcert for the ones that are updated.
But I'm not sure about the config for our EAP clients.
The configuration part is:
conn win7eapmschap
    left=STRONGSWANSERVERIP
    leftsubnet=0.0.0.0/0
    leftauth=pubkey
    leftsendcert=always
    leftcert=serverCert.pem
    right=%any
    rightauth=eap-mschapv2
    rightsourceip=%eappool,%eappool6
    eap_identity=%any
    leftcert=serverCert.pem
    leftid="C=DE, O=OUR COMPANY, CN=STRONGSWANSERVER"
    auto=add
Is it possible to add a second connection definition that is identical
but has:
conn win2018eapmschap
    leftcert=serverCert2018.pem
    leftid="C=DE, O=OUR COMPANY, CN=STRONGSWANSERVER2018"
so that EAP clients can connect to the server when they are equipped
with either the old or the new CA?
Best regards
Dirk
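One way to lay out the two definitions so the shared EAP settings are written only once, as an added example that is not part of Dirk's post: it uses the ipsec.conf `also=` include mechanism and a common section that is never loaded on its own (no `auto=`, so it keeps the default `ignore`). The certificate and DN values are taken from the post; the key file names and the `eap-common` section name are assumptions.

```ini
# Added example, not from the original post. Both CA certificates are
# expected in /etc/ipsec.d/cacerts and both server certificates in
# /etc/ipsec.d/certs, where strongSwan loads them automatically.
# The private key for each server certificate must also be listed in
# /etc/ipsec.secrets, e.g.
#   : RSA serverKey.pem
#   : RSA serverKey2018.pem
# (key file names are assumed here).

# Shared settings for all EAP-MSCHAPv2 clients. This section has no
# auto= line, so it stays at the default (ignore) and is never loaded
# by itself; it only serves as an include for the sections below.
conn eap-common
    left=STRONGSWANSERVERIP
    leftsubnet=0.0.0.0/0
    leftauth=pubkey
    leftsendcert=always
    right=%any
    rightauth=eap-mschapv2
    rightsourceip=%eappool,%eappool6
    eap_identity=%any

# Clients that still trust the old CA: old server certificate and DN.
conn win7eapmschap
    also=eap-common
    leftcert=serverCert.pem
    leftid="C=DE, O=OUR COMPANY, CN=STRONGSWANSERVER"
    auto=add

# Clients already provisioned with the new CA: new certificate and DN.
conn win2018eapmschap
    also=eap-common
    leftcert=serverCert2018.pem
    leftid="C=DE, O=OUR COMPANY, CN=STRONGSWANSERVER2018"
    auto=add
```

Which of the two sections the responder ends up using for a client that does not send an IDr is exactly the open question of the post; the layout above only keeps the two definitions consistent while both CAs are in service.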