Hi Guylain,

> -- Trusted certificate
>
> By default all trusted certificates are in the same folder. Ca section
> allows us to pick an individual trusted certificate. However, even if
> several ca sections are used, there does not seem to be a way to link
> them to a specific connection. They just seem to be global to all
> connections.

You may list accepted certificates in `rightcert` or the accepted CA DN in `rightca` for each connection.

> Another option that I thought of is by specifying which trusted
> certificate is associated with which connection by including several
> rightca lines. I could not find an example of this on the web. Is that
> something possible?

Multiple CA certificates can be associated with a connection via swanctl.conf where you can list several CA certs in `cacerts`.

> -- Identity certificate / private key
>
> Concerning specifying an identity certificate / private key per
> connection, although it is possible to specify the identity certificate
> with leftcert, it is not possible to specify the private key to be used
> except in ipsec.secrets RSA line. Is it possible to specify several RSA
> lines and let strongswan determine which one corresponds with the correct
> identity certificate? How would that work?

If you set `leftcert` the corresponding private key is used, no matter how many other private keys are defined.

> Finally, we are using vti. We create one unique device per connection.
> Unfortunately the address is assigned automatically to my eth0 devices
> instead of the proper device which is associated to the device for my
> connection. There is the Charon option install_virtual_ip_on which
> allows me to specify on which device the virtual ip address must be
> added but that does not work for multiple connections. Any trick for that?

Use a custom updown script if you need something like that and install the virtual IP yourself (i.e. disable charon.install_virtual_ip). But you might not need VTI devices or one for each connection.

Regards,
Tobias

_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
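As an added illustration (not part of Tobias's reply or the strongSwan project files), a swanctl.conf sketch showing how the options named above combine per connection: `remote.cacerts` restricts which CAs a given connection accepts, `local.certs` selects that connection's identity certificate (swanctl picks the matching private key from swanctl/private by public key), and a per-child `updown` script handles VTI addressing once `install_virtual_ip` is disabled in strongswan.conf. All file names, identities, addresses, marks and the script path are assumed placeholders.

```conf
# /etc/swanctl/swanctl.conf (assumed; names, IDs and addresses are placeholders)
connections {
    site-b {
        local_addrs  = 192.0.2.1
        remote_addrs = 198.51.100.1
        vips = 0.0.0.0                    # request a virtual IP; updown script installs it
        local {
            auth  = pubkey
            certs = site-a-cert.pem       # identity cert for THIS connection; the key in
            id    = "C=CH, O=Example, CN=site-a"  # swanctl/private matching its public key is used
        }
        remote {
            auth    = pubkey
            cacerts = partner-ca.pem      # only this CA is trusted for this connection
            id      = "C=CH, O=Partner, CN=site-b"
        }
        children {
            vti-b {
                local_ts  = 0.0.0.0/0
                remote_ts = 0.0.0.0/0
                mark_in   = 11            # must match the ikey/okey of the VTI device
                mark_out  = 11
                # custom script (assumed path) puts the virtual IP on the VTI device,
                # not on eth0; it sees PLUTO_VERB, PLUTO_CONNECTION, PLUTO_MY_SOURCEIP
                updown = /usr/local/libexec/ipsec/vti-updown
            }
        }
    }
    site-c {
        local_addrs  = 192.0.2.1
        remote_addrs = 203.0.113.1
        local {
            auth  = pubkey
            certs = site-a-cert2.pem      # a different identity cert for this peer
            id    = "C=CH, O=Example, CN=site-a-alt"
        }
        remote {
            auth    = pubkey
            cacerts = other-ca-1.pem, other-ca-2.pem   # several CAs, still per connection
            id      = "C=DE, O=Other, CN=site-c"
        }
        children {
            vti-c {
                local_ts  = 0.0.0.0/0
                remote_ts = 0.0.0.0/0
                mark_in   = 12
                mark_out  = 12
                updown = /usr/local/libexec/ipsec/vti-updown
            }
        }
    }
}
```

The matching strongswan.conf setting is `charon { install_virtual_ip = no }`, so charon leaves address installation entirely to the script.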
