[strongSwan] Migrating to a new ca

Dirk Hartmann dha at heise.de
Thu Feb 22 11:51:40 CET 2018

Hi Tobias,

--On Thursday, February 22, 2018 10:54:37 AM +0100 Tobias Brunner 
<tobias at strongswan.org> wrote:

>> Is it possible to add a second connection definition that is
>> identical but has
>> conn win2018eapmschap
>> 	leftcert=serverCert2018.pem
>> so that EAP clients can connect to the server when they are equipped
>> with either the old or the new CA?
> You can do that.  However, the second config will only be used with
> clients that explicitly send a remote identity that matches leftid.
> With clients that don't send an IDr (e.g. Windows or the strongSwan
> Android app with its default settings) the first config that's loaded
> and matches the IPs/IDs will be used (since the only difference is
> leftid and no identity can be compared to it, both will match equally
> well, so the first one will be used).
> Unfortunately, certificate requests are currently not considered when
> selecting configs.  So even if leftca is set and a client that doesn't
> send an IDr sends a certificate request for the second CA the first
> config will be used.

Thank you for clarification.
As most of the EAP clients are Windows, that wouldn't work for us this 

Then I'll probably add an additional IP and hostname to the server and 
add a conn only for this IP.

left= in ipsec.conf only accepts one argument (IP or FQDN), while 
connections.<conn>.local_addrs in swanctl.conf allows multiple, which is 
a good reason to start with VICI :) So I can work with only one new 
config for IPv4 and IPv6 instead of two.

Thanks again
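As an added illustration of the plan sketched in this thread (this is not configuration from the thread or from the strongSwan project), the swanctl.conf fragment below binds the old and the new server certificate to two different local address sets, so that config selection depends on the address the client connects to rather than on an IDr the client may never send. The addresses (192.0.2.10/2001:db8::10 for the old name, 192.0.2.11/2001:db8::11 for the new one), the hostnames and the connection names are constructed assumptions; the certificate file names serverCert.pem and serverCert2018.pem are taken from the thread, and the EAP-MSCHAPv2 settings stand in for whatever the existing connection uses.

```conf
# Added example, not from the thread. Both connections are identical apart
# from local_addrs, local.certs and local.id. Because they listen on
# different addresses, strongSwan picks the right one from the destination
# address of the IKE_SA_INIT, even for clients that send no IDr.
connections {

    # Existing clients: old CA, old certificate, old IPv4 + IPv6 address.
    win-eap-old {
        version     = 2
        local_addrs = 192.0.2.10, 2001:db8::10   # assumed old addresses
        proposals   = aes256-sha256-modp2048
        send_cert   = always
        pools       = rw-pool                     # assumed address pool
        local {
            auth  = pubkey
            certs = serverCert.pem
            id    = vpn-old.example.org           # assumed old hostname
        }
        remote {
            auth   = eap-mschapv2
            eap_id = %any
        }
        children {
            rw {
                local_ts      = 0.0.0.0/0, ::/0
                esp_proposals = aes256-sha256
            }
        }
    }

    # Re-enrolled clients: new CA, new certificate, new IPv4 + IPv6 address.
    # One connection covers both address families thanks to local_addrs
    # taking a list, which is the point made in the message above.
    win-eap-2018 {
        version     = 2
        local_addrs = 192.0.2.11, 2001:db8::11   # assumed new addresses
        proposals   = aes256-sha256-modp2048
        send_cert   = always
        pools       = rw-pool
        local {
            auth  = pubkey
            certs = serverCert2018.pem
            id    = vpn.example.org               # assumed new hostname
        }
        remote {
            auth   = eap-mschapv2
            eap_id = %any
        }
        children {
            rw {
                local_ts      = 0.0.0.0/0, ::/0
                esp_proposals = aes256-sha256
            }
        }
    }
}
```

After `swanctl --load-all`, the migration can be checked from the server side with `swanctl --list-conns`, which shows each connection with its own local address list, and `swanctl --list-sas` during a test login from a client pointed at the new hostname, which should show the SA under `win-eap-2018`. If both connections were instead placed on the same address, the caveat from the quoted reply would apply: with no IDr to compare, the first loaded connection would win regardless of which CA the client's certificate request names.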

