On 2023-08-21 2:13 AM, Tuomo Soini wrote:

If you omit leftca and rightca, any valid CA from your NSS db is OK,
which is normally what you want.

Only if you have extra CA certs you want to trust for a single connection
only are you in trouble, and you need to duplicate all your connections
with a different local certificate and rightca=%same...

Some VPN clients only allow the gateway to have a certificate signed by the same
CA, so you might be forced to duplicate your connections for the transition
anyway because your gw certificate must match the client certificate CA in
this case.

Windows is apparently one of the clients in that category, which makes up the majority of our roadwarrior clients.

Duplicating the connection with additional local + CA certificates worked perfectly.

Thanks very much!

--
Nels Lindquist
[email protected]

_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
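The pattern the thread converges on (one connection per gateway certificate, each with rightca=%same), written out as an added libreswan ipsec.conf example that is not from either participant. The certificate nicknames and the tunnel settings are constructed placeholders; the common settings are factored into a base conn pulled in with also=.

```ini
# Added example (not from the thread). Assumes the NSS db already holds
# both CA certificates and one gateway certificate issued by each CA.
# Nicknames "gw-oldca" and "gw-newca" are placeholders.

config setup
    # nothing special here; defaults are fine for this pattern

# Settings shared by both variants of the roadwarrior connection
conn roadwarrior-base
    left=%defaultroute
    leftsubnet=0.0.0.0/0
    right=%any
    ikev2=insist
    authby=rsasig
    leftid=%fromcert
    rightid=%fromcert
    leftsendcert=always
    auto=add

# Variant 1: gateway presents the certificate issued by the old CA.
# rightca=%same restricts this conn to clients whose certificate chains
# to the same CA as leftcert, which is what Windows clients expect.
conn roadwarrior-oldca
    also=roadwarrior-base
    leftcert=gw-oldca
    rightca=%same

# Variant 2: identical, but with the gateway certificate from the new CA.
conn roadwarrior-newca
    also=roadwarrior-base
    leftcert=gw-newca
    rightca=%same
```

Once every client has been reissued under the new CA, the old-CA conn can be dropped rather than leaving the old CA trusted indefinitely.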