[strongSwan] Migrating to a new ca
Dirk Hartmann
dha at heise.de
Thu Feb 22 11:51:40 CET 2018
Hi Tobias,
--On Thursday, February 22, 2018 10:54:37 AM +0100 Tobias Brunner
<tobias at strongswan.org> wrote:
>> Is it possible to add a second connection definition that is
>> identical but has
>> conn win2018eapmschap
>> leftcert=serverCert2018.pem
>> leftid="C=DE, O=OUR COMPANY, CN=STRONGSWANSERVER2018"
>>
>> so that eap clients can connect to the server when they are equipped
>> with either the old or the new ca?
>
> You can do that. However, the second config will only be used with
> clients that explicitly send a remote identity that matches leftid.
> With clients that don't send an IDr (e.g. Windows or the strongSwan
> Android app with its default settings) the first config that's loaded
> and matches the IPs/IDs will be used (since the only difference is
> leftid and no identity can be compared to it, both will match equally
> well, so the first one will be used).
>
> Unfortunately, certificate requests are currently not considered when
> selecting configs. So even if leftca is set and a client that doesn't
> send an IDr sends a certificate request for the second CA the first
> config will be used.
Thank you for the clarification.
As most of the eap-clients are Windows, that wouldn't work for us this
way.
Then I'll probably add an additional IP and hostname to the server and
add a conn only for this IP.
left= in ipsec.conf only accepts one argument (IP, FQDN), while
connections.<conn>.local_addrs in swanctl.conf allows multiple; that is
a good reason to start with VICI :) So I can work with only one new
config for IPv4 and IPv6 instead of two.
Thanks again
Dirk
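The approach outlined in the thread, written out as an added swanctl.conf example (not configuration from the original mail or from the strongSwan project): because Windows EAP clients send no IDr, the two server identities are told apart by the local address they connect to instead, with each connection bound to its own address via `local_addrs`. The addresses, pool range, the old certificate file name and the old DN are placeholders; `serverCert2018.pem` and the 2018 DN are taken from the mail.

```conf
# Added example, not the original poster's configuration.
# Two IKEv2/EAP-MSCHAPv2 server configs that differ only in the server
# certificate. Since Windows clients do not send a remote identity (IDr),
# leftid/local.id alone cannot steer them to the right config, so each
# config is pinned to a distinct local address instead.
connections {
    # Old CA: reachable on the server's existing addresses (placeholders).
    win-eap-old {
        version = 2
        local_addrs = 192.0.2.10, 2001:db8::10
        local {
            auth = pubkey
            certs = serverCertOld.pem            # placeholder file name
            id = "C=DE, O=OUR COMPANY, CN=STRONGSWANSERVER"  # placeholder DN
        }
        remote {
            auth = eap-mschapv2
            eap_id = %any
        }
        children {
            rw {
                local_ts = 0.0.0.0/0, ::/0
                esp_proposals = aes256-sha256
            }
        }
        pools = rw-pool
    }

    # New CA: one extra IPv4 and one extra IPv6 address added to the
    # server (placeholders); a single config covers both families.
    win-eap-2018 {
        version = 2
        local_addrs = 192.0.2.20, 2001:db8::20
        local {
            auth = pubkey
            certs = serverCert2018.pem
            id = "C=DE, O=OUR COMPANY, CN=STRONGSWANSERVER2018"
        }
        remote {
            auth = eap-mschapv2
            eap_id = %any
        }
        children {
            rw {
                local_ts = 0.0.0.0/0, ::/0
                esp_proposals = aes256-sha256
            }
        }
        pools = rw-pool
    }
}

# Virtual IP pool handed to road warriors (placeholder range).
pools {
    rw-pool {
        addrs = 10.0.0.0/24
    }
}
```

Clients pointed at the new hostname (resolving to the placeholder 192.0.2.20 / 2001:db8::20) match only `win-eap-2018`, while clients still using the old hostname keep matching `win-eap-old`; once all clients trust the new CA, the old connection block and its address can be dropped. The EAP user credentials themselves belong in a `secrets` section and are omitted here.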