--On Thursday, February 22, 2018 10:54:37 AM +0100 Tobias Brunner
Is it possible to add a second connection definition that is
identical but has
leftid="C=DE, O=OUR COMPANY, CN=STRONGSWANSERVER2018"
so that EAP clients can connect to the server when they are equipped
with either the old or the new CA?
You can do that. However, the second config will only be used with
clients that explicitly send a remote identity that matches leftid.
With clients that don't send an IDr (e.g. Windows or the strongSwan
Android app with its default settings) the first config that's loaded
and matches the IPs/IDs will be used (since the only difference is
leftid and no identity can be compared to it, both will match equally
well, so the first one will be used).
Unfortunately, certificate requests are currently not considered when
selecting configs. So even if leftca is set and a client that doesn't
send an IDr sends a certificate request for the second CA the first
config will be used.
Thank you for the clarification.
As most of the EAP clients are Windows, that wouldn't work for us this
Then I'll probably add an additional IP and hostname to the server and
add a conn only for this IP.
left= in ipsec.conf only accepts one argument (IP, FQDN), while
connections.<conn>.local_addrs in swanctl.conf allows multiple; that is
a good reason to start with VICI :) So I can work with only one new
config for IPv4 and IPv6 instead of two.
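Added illustration of the approach settled on above (not from the thread or the strongSwan project): a swanctl.conf with two server connections that differ in certificate/identity and are told apart by local address rather than by IDr, since clients without IDr match the first loaded config. The addresses, pool, certificate file names and the old server identity are placeholders.

```ini
# Added example, not from the thread. Placeholder addresses (RFC 5737/3849),
# placeholder certificate file names and a placeholder pool.
connections {
    # Existing connection, server certificate issued by the old CA.
    # Bound to the old server addresses (v4 and v6 in one local_addrs).
    srv-old-ca {
        version = 2
        local_addrs = 192.0.2.10, 2001:db8::10
        pools = eap-pool
        local {
            auth = pubkey
            certs = server-old-ca.pem
            id = "C=DE, O=OUR COMPANY, CN=STRONGSWANSERVER-OLD"  # placeholder
        }
        remote {
            auth = eap-mschapv2
            eap_id = %any
        }
        children {
            eap-old {
                local_ts = 0.0.0.0/0, ::/0
            }
        }
    }
    # New connection, server certificate issued by the 2018 CA.
    # A distinct local address is what selects it: if it shared
    # local_addrs with srv-old-ca, a client that sends no IDr would
    # always land on whichever config was loaded first.
    srv-new-ca {
        version = 2
        local_addrs = 192.0.2.11, 2001:db8::11
        pools = eap-pool
        local {
            auth = pubkey
            certs = server-2018.pem
            id = "C=DE, O=OUR COMPANY, CN=STRONGSWANSERVER2018"
        }
        remote {
            auth = eap-mschapv2
            eap_id = %any
        }
        children {
            eap-new {
                local_ts = 0.0.0.0/0, ::/0
            }
        }
    }
}
pools {
    eap-pool {
        addrs = 10.10.10.0/24   # placeholder client address pool
    }
}
```

After `swanctl --load-all`, `swanctl --list-conns` should show each connection with its own local address and identity, so a client can be pointed at the hostname resolving to whichever address matches the CA it trusts.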