Hi everyone,
I am trying to implement a client-side framework in which each IPsec connection has its own configuration. For PSK it was quite easy to achieve. Unfortunately the same principle should also apply to the PKI configuration (own identity certificate/private key and trusted certificates). This does not seem to be supported. Am I right?

-- Trusted certificate

By default all trusted certificates are in the same folder. A ca section allows us to pick an individual trusted certificate. However, even if several ca sections are used, there does not seem to be a way to link them to a specific connection. They just seem to be global to all connections. Another option that I thought of is specifying which trusted certificate is associated with which connection by including several rightca lines. I could not find an example of this on the web. Is that something possible?

-- Identity certificate / private key

Concerning specifying an identity certificate / private key per connection, although it is possible to specify the identity certificate with leftcert, it is not possible to specify the private key to be used except in the ipsec.secrets RSA line. Is it possible to specify several RSA lines and let strongSwan determine which one corresponds to the correct identity certificate? How would that work? I found two pieces of documentation that seem to be in contradiction.

In https://wiki.strongswan.org/projects/strongswan/wiki/IpsecSecret:

"Authentication by public key systems such as RSA requires that each host have its own private key. A host could reasonably use a different private keys for different interfaces and for different peers. But it would not be normal to share entries between systems. Thus no-selector and one-selector forms of entry often make sense for public key authentication."

In https://github.com/strongswan/strongswan, there is the following section "Multiple certificates":

"strongSwan supports multiple local host certificates and corresponding RSA private keys:

    conn rw1
        right=%any
        rightid=peer1.domain1
        leftcert=myCert1.pem
        # leftid is DN of myCert1

    conn rw2
        right=%any
        rightid=peer2.domain2
        leftcert=myCert2.pem
        # leftid is DN of myCert2

When peer1 initiates a connection then strongSwan will send myCert1 and will sign with myKey1 defined in /etc/ipsec.secrets (see below) whereas myCert2 and myKey2 will be used in a connection setup started from peer2."

Is it possible to specify one private key per connection?

-- vti

Finally, we are using vti. We create one unique device per connection. Unfortunately the address is assigned automatically to my eth0 device instead of the proper device associated with my connection. There is the charon option install_virtual_ip_on which allows me to specify on which device the virtual IP address must be added, but that does not work for multiple connections. Any trick for that?

I am currently on strongSwan version 5.5.1. Is there a way to achieve all that I want?

Thanks,
Guylain
_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
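As an added illustration (not part of Guylain's post and not the strongSwan project's own sample), this is one way the certificate and CA parts of the question could be laid out in ipsec.conf and ipsec.secrets for two connections that each carry their own identity certificate, their own private key and their own trusted CA. All file names, hostnames and DNs are assumed placeholders; the vti/virtual-IP part of the question is not covered here.

```ini
# /etc/ipsec.conf  (added example; names and DNs are placeholders)
config setup

# One ca section per trusted issuer. cacert with a relative path is read from
# /etc/ipsec.d/cacerts/. The ca sections themselves are global; the binding
# to a connection happens through rightca below.
ca corp-a
    cacert=corpA-ca.pem
    auto=add

ca corp-b
    cacert=corpB-ca.pem
    auto=add

conn site-a
    keyexchange=ikev2
    left=%defaultroute
    leftcert=clientA.pem                        # /etc/ipsec.d/certs/clientA.pem
    leftid="C=XX, O=Example, CN=clientA"        # assumed subject DN of clientA.pem
    right=vpn-a.example.net
    rightid="C=XX, O=Example, CN=vpn-a"
    rightca="C=XX, O=Example, CN=Corp A CA"     # peer cert must chain to this CA
    auto=add

conn site-b
    keyexchange=ikev2
    left=%defaultroute
    leftcert=clientB.pem
    leftid="C=XX, O=Example, CN=clientB"
    right=vpn-b.example.net
    rightid="C=XX, O=Example, CN=vpn-b"
    rightca="C=XX, O=Example, CN=Corp B CA"     # a cert from Corp A CA is rejected here
    auto=add

# /etc/ipsec.secrets  (separate file, shown here for completeness)
# No-selector RSA lines: relative paths are read from /etc/ipsec.d/private/.
# charon picks the key whose public part matches the leftcert of the
# connection being negotiated, so one line per key is enough.
: RSA clientA.key
: RSA clientB.key
```

The private key is never named in the conn section: strongSwan matches the loaded keys against the public key in leftcert, which is why several selector-less RSA lines coexist without ambiguity. rightca is what ties a trust anchor to a single connection, so a peer presenting a certificate from the other CA fails authentication on that conn even though both CA certificates are loaded globally. Keep /etc/ipsec.secrets and the key files readable by root only.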
