Hi Tobias,

--On Thursday, February 22, 2018 10:54:37 AM +0100 Tobias Brunner <tob...@strongswan.org> wrote:


Is it possible to add a second connection definition that is
identical but has
conn win2018eapmschap
        leftcert=serverCert2018.pem
        leftid="C=DE, O=OUR COMPANY, CN=STRONGSWANSERVER2018"

so that EAP clients can connect to the server when they are equipped
with either the old or the new CA?

You can do that.  However, the second config will only be used with
clients that explicitly send a remote identity that matches leftid.
With clients that don't send an IDr (e.g. Windows or the strongSwan
Android app with its default settings) the first config that's loaded
and matches the IPs/IDs will be used (since the only difference is
leftid and no identity can be compared to it, both will match equally
well, so the first one will be used).

Unfortunately, certificate requests are currently not considered when
selecting configs.  So even if leftca is set and a client that doesn't
send an IDr sends a certificate request for the second CA the first
config will be used.

Thank you for the clarification.
As most of the EAP clients are Windows, that wouldn't work for us this way.

Then I'll probably add an additional IP and hostname to the server and add a conn only for this IP.

left= in ipsec.conf only accepts one argument (IP or FQDN), while connections.<conn>.local_addrs in swanctl.conf allows multiple; that is a good reason to start with VICI :) So I can work with only one new config for IPv4 and IPv6 instead of two.

Thanks again
Dirk
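What the approach Dirk settles on looks like in swanctl.conf, as an added example that is not part of the thread: two connections that are identical apart from the server certificate and identity, each bound to its own local IPv4 and IPv6 address via local_addrs, so that a Windows client that sends no IDr is still matched deterministically by the address it connects to. The addresses (documentation ranges), the pool, the connection name win-eap-old, the old certificate file name and the old DN are placeholders chosen for illustration; only win2018eapmschap, serverCert2018.pem and its DN come from the thread.

```conf
# Added example, not from the thread. Placeholders: all IP addresses, the
# pool, the old connection name, serverCert.pem and the old DN.
# Certificates are expected under /etc/swanctl/x509/ (swanctl default).
connections {
    # Existing server identity, pinned to the OLD addresses. Do not leave
    # local_addrs at its default (%any) here: as Tobias explains, the first
    # loaded config whose IPs/IDs match is used, so an unpinned old
    # connection would also catch clients arriving on the new address.
    win-eap-old {
        version = 2
        local_addrs = 192.0.2.1, 2001:db8::1
        local {
            auth  = pubkey
            certs = serverCert.pem                               # assumed name
            id    = "C=DE, O=OUR COMPANY, CN=STRONGSWANSERVER"   # assumed old DN
        }
        remote {
            auth   = eap-mschapv2
            eap_id = %any
        }
        pools = win-pool
        children {
            net {
                local_ts = 0.0.0.0/0, ::/0
            }
        }
    }

    # Connection for the new CA: same settings, but bound to the additional
    # IPv4 and IPv6 address. One swanctl connection covers both families,
    # where ipsec.conf would have needed two conns (one left= each).
    win2018eapmschap {
        version = 2
        local_addrs = 192.0.2.2, 2001:db8::2
        local {
            auth  = pubkey
            certs = serverCert2018.pem
            id    = "C=DE, O=OUR COMPANY, CN=STRONGSWANSERVER2018"
        }
        remote {
            auth   = eap-mschapv2
            eap_id = %any
        }
        pools = win-pool
        children {
            net {
                local_ts = 0.0.0.0/0, ::/0
            }
        }
    }
}

pools {
    win-pool {
        addrs = 10.10.10.0/24   # placeholder client pool
    }
}
```

After placing both server certificates in /etc/swanctl/x509/ (and the CA certificates in /etc/swanctl/x509ca/), load the configuration with `swanctl --load-all` and confirm with `swanctl --list-conns` that each connection lists only its own local addresses; if the old connection shows %any, clients on the new address will still land on it.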
