[Swan] Need help on one to many certificate based authentication setup using libreswan
Mamta Gambhir
mamta.gambhir at oracle.com
Tue Aug 9 01:33:01 EEST 2022
I am trying to create a setup using CA-signed certificates (not a typical VPN server/client setup where the client only connects to one server). I would like a setup in which I can replicate a peer VPN server to peer VPN server setup where they authenticate using CA-signed certificates. Basically a many-to-many setup where anyone having a valid CA-signed certificate can establish an IPsec transport mode (not tunnel) connection.
I had two main issues:
* Only tunnel mode works in the configs below.
* I could have multiple clients connect to the ExaA server below (using modecfgclient), but I couldn't replicate the ExaA conn on multiple nodes to create multiple IPsec-based transport mode connections using the config below.
* Any sample config files or keywords I can use will be helpful.
conn ExaA
    left=192.168.10.1
    leftsubnet=0.0.0.0/0
    leftcert=vpn.IPSec-demo.com
    leftid=%fromcert
    leftrsasigkey=%cert
    leftsendcert=always
    right=%any
    rightca=%same
    rightrsasigkey=%cert
    modecfgdns="192.168.10.1"
    authby=rsasig
    auto=start
    dpddelay=60
    dpdtimeout=300
    dpdaction=clear
    #mobike=yes
    ikev2=insist
    fragmentation=yes

# certutil -L -d sql:/etc/ipsec.d/

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

vpn.IPSec-demo.com                                           u,u,u
IPSec-demo CA                                                CT,,
conn ExaB
    left=192.168.10.2
    leftsubnet=0.0.0.0/0
    leftcert=DB1.IPSec-demo.com
    leftid=%fromcert
    leftrsasigkey=%cert
    leftsendcert=always
    right=%any
    rightca=%same
    rightrsasigkey=%cert
    modecfgdns="192.168.10.1"
    authby=rsasig
    auto=start
    dpddelay=60
    dpdtimeout=300
    dpdaction=clear
    #mobike=yes
    ikev2=insist
    fragmentation=yes

# certutil -L -d sql:/etc/ipsec.d

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

DB1.IPSec-demo.com                                           u,u,u
IPSec-demo CA                                                CT,,
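An added sample config for the many-to-many, CA-authenticated, transport-mode setup the post asks about. This is an editor's example, not text from the poster or from the libreswan project; it uses libreswan's opportunistic-group mechanism, which is the feature that lets one conn both initiate to and respond from any peer in a range (a conn with right=%any can only respond, and a conn with no type= line defaults to type=tunnel, which matches the two symptoms described above). The conn name "private", the peer range 192.168.10.0/24, and the per-node certificate nickname are assumptions; every node installs the same conn and only changes leftcert to its own nickname.

```ini
# /etc/ipsec.conf on every node (added example; not the poster's config).
# Assumes: this node's end-entity cert is in the NSS database under the
# nickname given in leftcert, and the issuing CA is present with trust
# flags "CT,," (as in the certutil listings above).
conn private
    # %defaultroute resolves to this node's own address, so the file is
    # identical on every host apart from leftcert.
    left=%defaultroute
    leftid=%fromcert
    # nickname of THIS node's certificate (assumed value)
    leftcert=DB1.IPSec-demo.com
    leftsendcert=always
    # %opportunisticgroup: the peers are whatever CIDRs are listed in
    # /etc/ipsec.d/policies/private, so any listed peer can initiate or respond.
    right=%opportunisticgroup
    rightid=%fromcert
    # accept any peer whose certificate chains to the same CA as our own
    rightca=%same
    # host-to-host transport mode; libreswan's default is type=tunnel
    type=transport
    authby=rsasig
    ikev2=insist
    # bring the SA up when traffic to a listed peer is seen
    auto=ondemand
    # queue packets while IKE runs; drop them (never send cleartext) on failure
    negotiationshunt=hold
    failureshunt=drop
    dpddelay=60
    dpdtimeout=300
    dpdaction=clear
    fragmentation=yes

# /etc/ipsec.d/policies/private  (file name must match the conn name;
# one CIDR per line; assumed peer range)
#   192.168.10.0/24
```

After creating the policy file, reload with `ipsec restart` (or `ipsec auto --add private` followed by `ipsec whack --listen`) on each node; `ipsec trafficstatus` then shows one transport-mode SA per peer pair once traffic flows. The failureshunt=drop line is the security-relevant choice: without it, a peer that fails certificate authentication would fall back to cleartext rather than being blocked. modecfgdns from the original conns is omitted because mode-config address/DNS assignment belongs to a road-warrior tunnel, not to host-to-host transport mode.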