I am trying to create a setup using CA-signed certificates (not a typical VPN
server/client setup where the client only connects to one server). I would like a
setup in which I can replicate a peer VPN server to peer VPN server setup where
they authenticate using CA-signed certificates. Basically a many-to-many setup
where anyone having a valid CA can establish an IPSec transport mode (not tunnel).
I had two main issues:
* Only tunnel mode works in the configs below.
* I could have multiple clients connect to the ExaA server below (using
modecfgclient), but I couldn't replicate the ExaA conn on multiple nodes to create
multiple IPSec-based transport mode connections using the configs below.
* Any sample config files or keywords I can use will be helpful.
conn ExaA
    left=192.168.10.1
    leftsubnet=0.0.0.0/0
    leftcert=vpn.IPSec-demo.com
    leftid=%fromcert
    leftrsasigkey=%cert
    leftsendcert=always
    right=%any
    rightca=%same
    rightrsasigkey=%cert
    modecfgdns="192.168.10.1"
    authby=rsasig
    auto=start
    dpddelay=60
    dpdtimeout=300
    dpdaction=clear
    #mobike=yes
    ikev2=insist
    fragmentation=yes

# certutil -L -d sql:/etc/ipsec.d/
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
vpn.IPSec-demo.com u,u,u
IPSec-demo CA CT,,
conn ExaB
    left=192.168.10.2
    leftsubnet=0.0.0.0/0
    leftcert=DB1.IPSec-demo.com
    leftid=%fromcert
    leftrsasigkey=%cert
    leftsendcert=always
    right=%any
    rightca=%same
    rightrsasigkey=%cert
    modecfgdns="192.168.10.1"
    authby=rsasig
    auto=start
    dpddelay=60
    dpdtimeout=300
    dpdaction=clear
    #mobike=yes
    ikev2=insist
    fragmentation=yes

# certutil -L -d sql:/etc/ipsec.d
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
DB1.IPSec-demo.com u,u,u
IPSec-demo CA CT,,
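The following is an added example of what a host-to-host, CA-authenticated transport-mode setup for the two nodes in the post could look like in libreswan; it is not the poster's configuration and not a file from the libreswan project. It assumes libreswan with the NSS database shown above (the "IPSec-demo CA" trusted with CT,, and each node's own certificate nickname), and the addresses 192.168.10.1 / 192.168.10.2 from the post. The conn names peers-in and to-db1 are invented for the example. Three things differ from the posted conns: transport mode has to be requested explicitly with type=transport and cannot carry a wildcard leftsubnet=0.0.0.0/0 (a wildcard selector is what forces tunnel mode); modecfgdns belongs to the remote-access client/server model and does nothing for peer-to-peer transport SAs; and a template with right=%any can only respond, so it is loaded with auto=add while initiation to a known peer needs a separate conn with a concrete right= address.

```ini
# /etc/ipsec.conf fragment for node A (192.168.10.1).
# Node B uses left=192.168.10.2 and leftcert=DB1.IPSec-demo.com and
# initiates to 192.168.10.1; everything else is identical.
# Added example, not the original poster's config. Assumes libreswan and the
# NSS database from the post: CA "IPSec-demo CA" trusted with CT,,.

conn %default
    # host-to-host transport mode: no leftsubnet/rightsubnet, the traffic
    # selectors are the two host addresses themselves. leftsubnet=0.0.0.0/0
    # selects tunnel mode, which is why only tunnel mode came up before.
    type=transport
    ikev2=insist
    authby=rsasig
    fragmentation=yes
    # both identities come from the certificates, and the peer's certificate
    # must chain to the same CA that issued ours (rightca=%same)
    leftid=%fromcert
    leftsendcert=always
    leftrsasigkey=%cert
    rightid=%fromcert
    rightca=%same
    rightrsasigkey=%cert
    # no modecfgdns here: ModeCfg is a road-warrior client/server feature
    dpddelay=60
    dpdtimeout=300
    dpdaction=clear

# responder template: any host presenting a valid certificate from our CA
# may bring up a transport-mode SA to this node. right=%any cannot be
# initiated to, so the conn is only loaded (auto=add) and waits for peers.
conn peers-in
    left=192.168.10.1
    leftcert=vpn.IPSec-demo.com
    right=%any
    auto=add

# one explicit conn per peer this node should initiate to; the peer is still
# authenticated only by its CA-signed certificate, never by its address.
conn to-db1
    left=192.168.10.1
    leftcert=vpn.IPSec-demo.com
    right=192.168.10.2
    auto=start
```

After editing, `ipsec addconn --checkconfig` catches syntax problems before the daemon loads the file; once both nodes are up, `ipsec status` should list to-db1 as established and `ipsec trafficstatus` should show byte counters for it, and a packet capture between the two hosts should show ESP directly between 192.168.10.1 and 192.168.10.2 with no inner IP header, which is the visible difference between transport and tunnel mode. Adding a third node means adding its certificate to the same CA and one more `to-<node>` conn on each node that should initiate to it; the peers-in template already accepts it as a responder. If no node can know the others' addresses in advance, libreswan's opportunistic IPsec policy groups with certificate authentication are the mechanism designed for that, but that is a separate configuration not shown here.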
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan