Hi John,

Could you send me a log file showing that a CA different from the CA
requested by rightca is accepted?

Best regards

Andreas

On 23.11.2016 16:41, John Brown wrote:
Hello all,

I'm using Linux strongSwan U5.2.1/K3.4.112 and I'm trying to implement
the rightca option in the ipsec.conf file, but without success.

As far as I understand the documentation, if rightca contains the DN of a
certificate authority which lies in the trust path from the end device
cert to the root CA, the authentication process will pass (assuming that
other elements are configured fine); otherwise it will fail, and this is
the functionality I need. But in my scenario, whatever the value of
rightca is, the authentication process passes with success.

I've put rightca on the initiator of the IKEv2 tunnel; the root CA chain
path length is 2 (root ca->sub1->sub2->end device cert). Currently only
the root CA is installed in /etc/ipsec.d/cacerts.

Part of the connection config:

conn lap1
         auto=add
         left=%any
         right=192.168.1.1
         rightsubnet=10.0.0.0/24
         ...
         leftauth=pubkey
         rightauth=pubkey
         leftcert=cert.crt
         rightid="CN=*, ST=Stttt, C=Cccc, E=E@eeee, O=Oooooo, L=Lllllll, OU=*, OU=Ouuuuuu"
         rightca="CN=aa, ST=aa, C=aa, E=aa, O=aa, L=aa, OU=aa, OU=aa"

I've changed the values of the fields in rightid, but rightca is taken
from the real config without modification.

I'm probably missing something obvious, or do not understand this
feature, but I have no idea what this can be.

Does anybody know?

Best regards,
John,

======================================================================
Andreas Steffen                         andreas.stef...@strongswan.org
strongSwan - the Open Source VPN Solution!          www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
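As an added illustration of the trust-path rule John describes above (this is not code from the thread or from strongSwan, and the function names and the certificate DNs are constructed): rightca should only be satisfied when a chain to a trusted root can be built AND the given CA DN lies somewhere on that chain.

```python
# Added example, not code from the thread or from strongSwan: a model of the
# trust-path check behind rightca. Certificates are constructed (subject, issuer)
# DN pairs; all function names here are hypothetical.

def normalize_dn(dn: str) -> str:
    """Canonicalise a DN string: trim whitespace, upper-case attribute types."""
    rdns = []
    for rdn in dn.split(","):
        attr, _, value = rdn.strip().partition("=")
        if attr:
            rdns.append(f"{attr.strip().upper()}={value.strip()}")
    return ",".join(rdns)


def build_trust_path(end_cert, available_cas, trusted_roots):
    """Follow issuer DNs from the end-entity cert up to a trusted root.

    Returns the list of CA subject DNs on the path (closest first, root last),
    or None when the chain cannot be completed with the CAs available.
    """
    by_subject = {normalize_dn(s): normalize_dn(i) for s, i in available_cas}
    roots = {normalize_dn(s) for s in trusted_roots}
    path, seen = [], set()
    current = normalize_dn(end_cert[1])          # issuer of the end cert
    while current not in roots:
        if current in seen or current not in by_subject:
            return None                          # missing CA cert or a loop
        seen.add(current)
        path.append(current)
        current = by_subject[current]            # step up to the next issuer
    path.append(current)
    return path


def rightca_accepts(rightca, end_cert, available_cas, trusted_roots):
    """True only if a path to a trusted root exists AND rightca lies on it."""
    path = build_trust_path(end_cert, available_cas, trusted_roots)
    return path is not None and normalize_dn(rightca) in path


# Constructed chain mirroring the thread: root -> sub1 -> sub2 -> end device cert.
ROOT = "CN=Root CA, O=Example"
SUB1 = "CN=Sub CA 1, O=Example"
SUB2 = "CN=Sub CA 2, O=Example"
END_CERT = ("CN=device1, O=Example", SUB2)
ALL_CAS = [(ROOT, ROOT), (SUB1, ROOT), (SUB2, SUB1)]

if __name__ == "__main__":
    print(rightca_accepts(SUB1, END_CERT, ALL_CAS, [ROOT]))                     # True
    print(rightca_accepts("CN=Other CA, O=Example", END_CERT, ALL_CAS, [ROOT]))  # False
    print(rightca_accepts(SUB1, END_CERT, [(ROOT, ROOT)], [ROOT]))               # False
```

The third call shows the case where only the root is installed and the intermediates are unavailable: no path can be built, so authentication is rejected regardless of rightca.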


_______________________________________________
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
