Re: [strongSwan] how to use 'rightca' connection option?

2016-11-23 Thread Andreas Steffen

Hi John,

could you send me a log file showing that a CA different from the CA
requested by rightca is accepted?

Best regards

Andreas

On 23.11.2016 16:41, John Brown wrote:

Hello all,

I'm using Linux strongSwan U5.2.1/K3.4.112 and I'm trying to implement
the rightca option in the ipsec.conf file, but without success.

As far as I understand the documentation, if rightca contains the DN of a
certificate authority which lies in the trust path from the end device
cert to rootca, the authentication process will pass (assuming that other
elements are configured fine), otherwise it will fail, and this is the
functionality I need. But in my scenario, whatever the value of
rightca is, the authentication process passes with success.

I've put rightca on the initiator of the IKEv2 tunnel, root ca chain path
length is 2 (root ca->sub1->sub2->end device cert). Currently only root
ca is installed in /etc/ipsec.d/cacerts.

Part of the connection config:

conn lap1
 auto=add
 left=%any
 right=192.168.1.1
 rightsubnet=10.0.0.0/24 
 ...
 leftauth=pubkey
 rightauth=pubkey
 leftcert=cert.crt
 rightid="CN=*, ST=S, C=Cccc, E=E@, O=Oo, L=Lll, OU=*, OU=Ouu"
 rightca="CN=aa, ST=aa, C=aa, E=aa, O=aa, L=aa, OU=aa, OU=aa"

I've changed values of fields in rightid, but rightca is taken from the real
config without modification.

I'm probably missing something obvious, or do not understand this
feature, but I have no idea what this can be.

Does anybody know?

Best regards,
John,


==
Andreas Steffen andreas.stef...@strongswan.org
strongSwan - the Open Source VPN Solution!  www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===[ITA-HSR]==



___
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users

[strongSwan] how to use 'rightca' connection option?

2016-11-23 Thread John Brown
Hello all,

I'm using Linux strongSwan U5.2.1/K3.4.112 and I'm trying to implement
the rightca option in the ipsec.conf file, but without success.

As far as I understand the documentation, if rightca contains the DN of a
certificate authority which lies in the trust path from the end device cert
to rootca, the authentication process will pass (assuming that other elements
are configured fine), otherwise it will fail, and this is the functionality I
need. But in my scenario, whatever the value of rightca is, the
authentication process passes with success.

I've put rightca on the initiator of the IKEv2 tunnel, root ca chain path
length is 2 (root ca->sub1->sub2->end device cert). Currently only root ca
is installed in /etc/ipsec.d/cacerts.

Part of the connection config:

conn lap1
 auto=add
 left=%any
 right=192.168.1.1
 rightsubnet=10.0.0.0/24
 ...
 leftauth=pubkey
 rightauth=pubkey
 leftcert=cert.crt
 rightid="CN=*, ST=S, C=Cccc, E=E@, O=Oo, L=Lll, OU=*, OU=Ouu"
 rightca="CN=aa, ST=aa, C=aa, E=aa, O=aa, L=aa, OU=aa, OU=aa"

I've changed values of fields in rightid, but rightca is taken from the real
config without modification.

I'm probably missing something obvious, or do not understand this
feature, but I have no idea what this can be.

Does anybody know?

Best regards,
John,

Re: [strongSwan] hardware requirement for about 600 users

2016-11-23 Thread Michael Schwartzkopff
On Wednesday, 23 November 2016, 17:48:19, Poh Yong Hwang wrote:
> Hi,
> 
> Can I check what are the hardware requirements to allow 600 users to
> access IPsec VPN through strongswan and access to servers behind the vpn
> through NAT?
> 
> thanks!

How many users in parallel?
What bandwidth (aggregated)?
How many re-authentications per second (or minute)?

Any recent CPU should be able to handle "normal" internet connection speeds up 
to 100 MBit/s and user figures as given above.

Kind regards,

Michael Schwartzkopff

-- 
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64, +49 (162) 165 0044
Schleißheimer Straße 26/MG, 80333 München

Registered office: München, District Court München: HRB 199263
Executive board: Patrick Ben Koetter, Marc Schiffbauer
Chairman of the supervisory board: Florian Kirstein


[strongSwan] hardware requirement for about 600 users

2016-11-23 Thread Poh Yong Hwang
Hi,

Can I check what are the hardware requirements to allow 600 users to
access IPsec VPN through strongswan and access to servers behind the vpn
through NAT?

thanks!