Thank you, Tobias. I was not aware of swanctl.conf. It is really much more flexible than ipsec.conf.

Guylain

On Thu, Apr 13, 2017 at 12:50 PM, Tobias Brunner <[email protected]> wrote:
> Hi Guylain,
>
> > -- Trusted certificate
> >
> > By default all trusted certificates are in the same folder. Ca section
> > allows us to pick individual trusted certificate. However, even if
> > several ca sections are used, there does not seem to be a way to link
> > them to a specific connection. They just seem to be global to all
> > connections.
>
> You may list accepted certificates in `rightcert` or the accepted CA DN
> in `rightca` for each connection.
>
> > Another option that I thought of is by specifying which trusted
> > certificate is associated with which connection by including several
> > rightca lines. I could not find an example of this on the web. Is that
> > something possible?
>
> Multiple CA certificates can be associated with a connection via
> swanctl.conf where you can list several CA certs in `cacerts`.
>
> > -- Identity certificate / private key
> >
> > Concerning specifying an identity certificate / private key per
> > connection, although it is possible to specify the identity certificate
> > with leftcert, it is not possible to specify the private key to be used
> > except in ipsec.secrets RSA line. Is it possible to specify several RSA
> > lines and let strongSwan determine which one corresponds with the correct
> > identity certificate? How would that work?
>
> If you set `leftcert` the corresponding private key is used, no matter
> how many other private keys are defined.
>
> > Finally, we are using vti. We create one unique device per connection.
> > Unfortunately the address is assigned automatically to my eth0 devices
> > instead of the proper device which is associated to the device for my
> > connection. There is the Charon option install_virtual_ip_on which
> > allows me to specify on which device the virtual ip address must be
> > added but that does not work for multiple connections. Any trick for
> > that?
>
> Use a custom updown script if you need something like that and install
> the virtual IP yourself (i.e. disable charon.install_virtual_ip). But
> you might not need VTI devices or one for each connection.
>
> Regards,
> Tobias
_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
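The per-connection trust and identity setup Tobias describes (several CA certs in `cacerts`, an identity cert in `certs` whose private key is matched automatically), written out as an added swanctl.conf example. This is not configuration from the thread or from the strongSwan project; the connection names, addresses, file names, marks and identities are placeholders. It pairs with `install_virtual_ip = no` in the `charon` section of strongswan.conf so that the virtual IP is left to the updown script named in each child.

```conf
# /etc/swanctl/swanctl.conf (added example; all names and addresses are placeholders)
connections {
    peer-a {
        remote_addrs = 192.0.2.10
        # request a virtual IP; with charon.install_virtual_ip = no in
        # strongswan.conf, charon does not add it to eth0 itself
        vips = 0.0.0.0
        local {
            auth = pubkey
            # certificate file in /etc/swanctl/x509; the matching private key is
            # picked from /etc/swanctl/private (or rsa/, ecdsa/) by public key,
            # however many other keys are loaded
            certs = peer-a.pem
        }
        remote {
            auth = pubkey
            # CA certs (in /etc/swanctl/x509ca) accepted for this connection only
            cacerts = ca-a-root.pem, ca-a-issuing.pem
            id = "CN=gw-a.example.net"
        }
        children {
            net-a {
                remote_ts = 10.1.0.0/16
                # the VTI device for this peer is created with a matching key,
                # so mark both directions
                mark_in = 101
                mark_out = 101
                updown = /usr/local/libexec/updown-vti.sh
            }
        }
    }
    peer-b {
        remote_addrs = 198.51.100.20
        vips = 0.0.0.0
        local {
            auth = pubkey
            certs = peer-b.pem        # a different identity cert and key
        }
        remote {
            auth = pubkey
            cacerts = ca-b.pem        # an unrelated CA, trusted only here
            id = "CN=gw-b.example.net"
        }
        children {
            net-b {
                remote_ts = 10.2.0.0/16
                mark_in = 102
                mark_out = 102
                updown = /usr/local/libexec/updown-vti.sh
            }
        }
    }
}
```

Because trust is scoped per `remote` section, a certificate issued by `ca-b.pem` is rejected on `peer-a` even though it is loaded for `peer-b`; with the global ca sections of ipsec.conf every loaded CA was trusted for every connection.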
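The custom updown script Tobias suggests, as an added example written for this thread rather than strongSwan's own `_updown` script. It assumes `charon.install_virtual_ip = no`, one VTI device per connection named `vti-<connection>` (a naming convention chosen here, not one strongSwan imposes), an IPv4 virtual IP, and the `PLUTO_VERB`, `PLUTO_CONNECTION` and `PLUTO_MY_SOURCEIP` variables that charon's updown plugin exports. The command is built in a function and logged before it runs so the device mapping can be checked without root.

```shell
#!/bin/sh
# updown-vti.sh: added example of a custom updown script that installs the
# virtual IP on the connection's own VTI device instead of eth0.
# Not strongSwan's _updown script. Assumes:
#   - charon.install_virtual_ip = no in strongswan.conf
#   - one VTI device per connection named vti-<connection> (our convention)
#   - charon's updown plugin exports PLUTO_VERB, PLUTO_CONNECTION and
#     PLUTO_MY_SOURCEIP (IPv4 virtual IP only in this example)

# Derive the VTI device name from the connection name.
vti_dev_for_conn() {
    printf 'vti-%s\n' "$1"
}

# Build the ip(8) command for the given verb and print it so it can be logged
# and checked; return 1 for verbs this script does not act on.
vip_cmd() {
    verb=$1; conn=$2; vip=$3
    dev=$(vti_dev_for_conn "$conn")
    case "$verb" in
        up-client|up-host)
            printf 'ip addr add %s/32 dev %s\n' "$vip" "$dev" ;;
        down-client|down-host)
            printf 'ip addr del %s/32 dev %s\n' "$vip" "$dev" ;;
        *)
            return 1 ;;
    esac
}

# Entry point when charon invokes the script (PLUTO_VERB is only set then).
if [ -n "${PLUTO_VERB:-}" ]; then
    # nothing to do if no virtual IP was assigned for this CHILD_SA
    [ -n "${PLUTO_MY_SOURCEIP:-}" ] || exit 0
    if cmd=$(vip_cmd "$PLUTO_VERB" "$PLUTO_CONNECTION" "$PLUTO_MY_SOURCEIP"); then
        logger -t updown-vti "$PLUTO_CONNECTION: $cmd"
        # shellcheck disable=SC2086  # word splitting of the command we built is intended
        $cmd
    fi
fi
```

Each connection passes its own name, so `peer-a` gets `ip addr add <vip>/32 dev vti-peer-a` and `peer-b` gets `vti-peer-b`, which is the per-connection placement that the single global `install_virtual_ip_on` option cannot express. Verbs the script does not handle are ignored rather than treated as errors, so a rekey does not touch the address.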
