
I would like to set up Strongswan/Libreswan with PKI authentication. Now I have searched and found only how to configure specific accepted client certificates, like here: http://technikenity.blogspot.com/2013/06/howto-windows-8-ikev2-vpn-with.html

What I would like to do is have something like rightCA=companyCA.pem that would make Strongswan accept any client certificate that can build trust up to the CA.

EDIT: I would also like to have a means of authorizing the authenticated clients (e.g. against LDAP).

MemCtrl

1 Answer


You can do exactly that with the rightca option. Just configure the distinguished name of the CA for which you want to accept client certificates.

You actually don't even have to set that option as strongSwan accepts all client certificates for which it can successfully verify the trust chain to a trusted CA certificate (i.e. the option is mainly to restrict clients to a specific CA if there are multiple trusted CAs).

ecdsa
  • Thank you for the answer. Can you add anything on the edited question? – MemCtrl Apr 02 '14 at 10:03
  • There is no LDAP plugin for strongSwan. But the [eap-radius](http://wiki.strongswan.org/projects/strongswan/wiki/EapRadius) plugin might be an option. Depends on your needs. – ecdsa Apr 02 '14 at 13:42
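The following is an added example of the ipsec.conf-style configuration the answer describes; it is not taken from the question, from ecdsa's answer, or from the strongSwan project documentation. The connection name, hostname, file names, CA distinguished name and address pool are all assumed values. It shows a gateway that authenticates itself with its own certificate and accepts any client certificate that chains to the company CA, restricted to that CA with rightca.

```conf
# /etc/ipsec.conf  (added example; names and DN are assumptions)
config setup
    # Fail closed if a CRL/OCSP check for a client certificate cannot be
    # completed, instead of silently accepting a possibly revoked cert.
    strictcrlpolicy=yes

conn ikev2-pki
    keyexchange=ikev2
    # Gateway side: authenticate with the gateway certificate in
    # /etc/ipsec.d/certs/vpnGatewayCert.pem; its private key is
    # referenced from ipsec.secrets below.
    left=%any
    leftid=@vpn.example.com
    leftcert=vpnGatewayCert.pem
    leftauth=pubkey
    leftsubnet=0.0.0.0/0
    # Client side: any identity is allowed, but the certificate
    # presented must chain to the trusted CA whose DN is given here.
    # The CA certificate itself lives in /etc/ipsec.d/cacerts/.
    right=%any
    rightid=%any
    rightauth=pubkey
    rightca="C=CH, O=Example Company, CN=Example Company CA"
    rightsourceip=10.10.0.0/24
    auto=add

# /etc/ipsec.secrets  (added example)
# Private key for leftcert, read from /etc/ipsec.d/private/
: RSA vpnGatewayKey.pem
```

After placing the CA certificate in /etc/ipsec.d/cacerts and restarting with `ipsec restart`, `ipsec listcacerts` shows whether the CA was loaded and `ipsec statusall` shows the loaded connection. Without the rightca line strongSwan behaves as the answer says: it accepts any client certificate that chains to any CA in cacerts, so rightca is the line that limits acceptance to the company CA when more than one CA is trusted. The same effect in the newer swanctl.conf format is the `cacerts` option in the connection's `remote` section (assumed here, not shown in the original page).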