[strongSwan] Migrating to a new ca

Tobias Brunner tobias at strongswan.org
Thu Feb 22 10:54:37 CET 2018

Hi Dirk,

> Is it possible to add a second connection definition that is identical 
> but has
> conn win2018eapmschap
> 	leftcert=serverCert2018.pem
> so that eap clients can connect to the server when they are equipped 
> with either the old or the new ca?

You can do that.  However, the second config will only be used with
clients that explicitly send a remote identity that matches leftid.
With clients that don't send an IDr (e.g. Windows or the strongSwan
Android app with its default settings) the first config that's loaded
and matches the IPs/IDs will be used (since the only difference is
leftid and no identity can be compared to it, both will match equally
well, so the first one will be used).

Unfortunately, certificate requests are currently not considered when
selecting configs.  So even if leftca is set and a client that doesn't
send an IDr sends a certificate request for the second CA the first
config will be used.
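To make the selection behaviour described above concrete, here is an added ipsec.conf illustration (not from the thread or the strongSwan project). The conn name win2018eapmschap and the file name serverCert2018.pem are Dirk's; the other file name, the DNs, the `%default` values and the second conn name are hypothetical:

```ini
# Hypothetical ipsec.conf excerpt (added illustration, not from the thread).
# Conns are loaded in file order, so the first matching one wins for
# clients that send no IDr.
conn %default
        keyexchange=ikev2
        left=%any
        leftauth=pubkey
        leftsubnet=0.0.0.0/0
        right=%any
        rightauth=eap-mschapv2
        rightsendcert=never
        eap_identity=%identity
        auto=add

# Old CA. Listed first: clients that send no IDr (e.g. Windows, the
# Android app with default settings) end up here, whatever CA they trust.
conn winoldeapmschap
        leftcert=serverCert.pem                      # hypothetical file name
        # leftid defaults to the subject DN of leftcert; shown explicitly
        # here (hypothetical DN) because IDr is compared against it.
        leftid="C=XX, O=Example, CN=vpn.example.test"
        # Set, but as the reply notes, not consulted when selecting the
        # config; a certificate request for the other CA will not switch.
        leftca="C=XX, O=Example, CN=Old CA"

# New CA. Only reached by clients that explicitly send an IDr equal to
# this leftid; otherwise both conns match equally and the first is used.
conn win2018eapmschap
        leftcert=serverCert2018.pem
        leftid="C=XX, O=Example, CN=vpn2018.example.test"   # hypothetical DN
        leftca="C=XX, O=Example, CN=New CA 2018"            # hypothetical DN
```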
