[Swan] Need help on one to many certificate based authentication setup using libreswan

Mamta Gambhir mamta.gambhir at oracle.com
Tue Aug 9 01:33:01 EEST 2022


I am trying to create a setup using CA-signed certificates (not a typical VPN server/client setup where a client only connects to one server). I would like a setup in which I can replicate a peer VPN server to peer VPN server setup where they authenticate using CA-signed certificates. Basically a many-to-many setup where anyone having a valid CA can establish IPsec transport mode (not tunnel).

I had two main issues –

  *   Only tunnel mode works with the configs below
  *   I could have multiple clients connect to the ExaA server below (using modecfgclient), but I couldn't replicate the ExaA conn on multiple nodes to create multiple IPsec-based transport mode connections using the below
  *   Any sample config files or keywords I can use will be helpful.

conn ExaA
    left=192.168.10.1
    leftsubnet=0.0.0.0/0
    leftcert=vpn.IPSec-demo.com
    leftid=%fromcert
    leftrsasigkey=%cert
    leftsendcert=always
    right=%any
    rightca=%same
    rightrsasigkey=%cert
    modecfgdns="192.168.10.1"
    authby=rsasig
    auto=start
    dpddelay=60
    dpdtimeout=300
    dpdaction=clear
    #mobike=yes
    ikev2=insist
    fragmentation=yes


#certutil -L -d sql:/etc/ipsec.d/

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

vpn.IPSec-demo.com                                           u,u,u
IPSec-demo CA                                                CT,,



conn ExaB
    left=192.168.10.2
    leftsubnet=0.0.0.0/0
    leftcert=DB1.IPSec-demo.com
    leftid=%fromcert
    leftrsasigkey=%cert
    leftsendcert=always
    right=%any
    rightca=%same
    rightrsasigkey=%cert
    modecfgdns="192.168.10.1"
    authby=rsasig
    auto=start
    dpddelay=60
    dpdtimeout=300
    dpdaction=clear
    #mobike=yes
    ikev2=insist
    fragmentation=yes




# certutil -L -d sql:/etc/ipsec.d

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

DB1.IPSec-demo.com                                           u,u,u
IPSec-demo CA                                                CT,,
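The following is an added example, not part of the original post and not libreswan's own sample files. It shows one way to turn the ExaA/ExaB conns above into a single per-node config for a many-to-many, transport-mode mesh in which any host presenting a certificate chained to "IPSec-demo CA" is accepted: the two things the posted conns lack are `type=transport` (they default to tunnel mode, which is why only tunnel mode works) and a way to initiate to an arbitrary peer (`right=%any` can only respond, so it cannot be replicated as an initiator on every node). Libreswan's opportunistic group mechanism covers the second point: `right=%opportunisticgroup` instantiates the conn once per CIDR listed in `/etc/ipsec.d/policies/<conn-name>`, and `auto=ondemand` starts IKE on the first packet to any such address. The conn names `peers-base` and `private`, the `192.168.10.0/24` policy range, and the assumption that the installed libreswan supports `type=transport` together with opportunistic groups are mine; verify with `ipsec auto --status` after `ipsec restart` and adjust if your version rejects the combination.

```ini
# /etc/ipsec.conf on ExaA (192.168.10.1). On ExaB the only difference is
# leftcert=DB1.IPSec-demo.com. Added example; assumes "IPSec-demo CA" is
# imported with trust CT,, in /etc/ipsec.d on every node, as in the
# certutil output above.

conn peers-base
    # Identity comes from the certificate, never from the peer's IP.
    leftcert=vpn.IPSec-demo.com
    leftid=%fromcert
    leftrsasigkey=%cert
    leftsendcert=always
    rightid=%fromcert
    rightrsasigkey=%cert
    # Peer certificate must be issued by the same CA as our own.
    rightca=%same
    authby=rsasig
    ikev2=insist
    # Host-to-host ESP without an inner IP header. Do not set
    # leftsubnet/rightsubnet here: in transport mode the traffic
    # selectors are the two host addresses.
    type=transport
    fragmentation=yes
    dpddelay=60
    dpdtimeout=300
    dpdaction=clear

# Opportunistic group conn. Its name selects the policy file
# /etc/ipsec.d/policies/private; every CIDR listed there becomes a
# peer we will both respond to and initiate to on first packet.
conn private
    also=peers-base
    left=%defaultroute
    right=%opportunisticgroup
    auto=ondemand
    # While IKE is in progress, hold packets rather than leaking cleartext.
    negotiationshunt=hold
    # If the peer cannot authenticate, drop traffic instead of falling
    # back to cleartext.
    failureshunt=drop

# Contents of /etc/ipsec.d/policies/private, identical on every node
# (assumed range; one CIDR per line):
#   192.168.10.0/24
```

With this in place each node carries the same file apart from `leftcert`, so it can be templated across the mesh. Because `rightid=%fromcert` together with `rightca=%same` accepts any certificate the CA has issued, revocation matters more than in a one-to-one setup: publish a CRL or enable OCSP in `config setup` (`crl-strict=yes` or `ocsp-enable=yes`) so a compromised node's certificate can actually be rejected. Check the resulting policies with `ipsec auto --status | grep private` and the installed transport-mode SAs with `ip xfrm state`, which should show `mode transport` rather than `mode tunnel`.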
