[Openswan Users] Remote users (roadwarrior) with multiple CA certs?
Adam Rybak
arybak at ar-it.pl
Tue Mar 27 04:20:06 EDT 2012
Hello All,
I currently have a configuration for remote users with roadwarrior
IPsec/L2TP. All users have certs from my private CA and everything works
OK, but my CA is about to expire in the future. I want to migrate all
users to a new CA and new certs, but I cannot do this all at one time; I want to
migrate continuously, so some will have old certs (old CA) and some will use
new certs (new CA). Currently users cannot connect with the new CA. I added the
new CA to /etc/ipsec.d/cacerts/ and reread it, but in the configuration I
have explicitly set vpnt4.crt for the VPN users, which was created in the old CA
context... Is it possible to add a separate cert for this new CA?
My config:
config setup
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
    oe=off
    protostack=mast

conn ROADW-NAT
    rightsubnet=vhost:%priv
    authby=rsasig
    leftrsasigkey=%cert
    rightrsasigkey=%cert
    leftcert=vpn4.pem
    pfs=no
    rekey=no
    keyingtries=3
    left=193.XXX.XXX.XXX
    leftnexthop=193.XXX.XXX.YYY
    leftprotoport=17/1701
    sareftrack=yes
    overlapip=yes
    right=%any
    rightprotoport=17/%any
    dpddelay=10
    dpdtimeout=30
    dpdaction=clear
    type=transport
    auto=add

conn ROADW
    authby=rsasig
    leftrsasigkey=%cert
    rightrsasigkey=%cert
    leftcert=vpn4.pem
    pfs=no
    rekey=no
    keyingtries=3
    left=193.XXX.XXX.XXX
    leftnexthop=193.XXX.XXX.YYY
    leftprotoport=17/1701
    sareftrack=yes
    overlapip=yes
    right=%any
    rightprotoport=17/%any
    dpddelay=10
    dpdtimeout=30
    dpdaction=clear
    type=transport
    auto=add
Regards,
Adam
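As an added illustration (not from the original post or from the Openswan project), the usual way to serve two CAs during a migration is one conn per CA, each with its own server certificate and a rightca= restricting which issuer the client's certificate must chain to. It assumes Openswan selects, among the %any conns, the one whose rightca= matches the issuer of the presented client certificate; the CA distinguished names and the vpn4-newca.pem file name are placeholders, and only the NAT-traversal variant is shown (the non-NAT conn follows the same pattern).

```ini
# Added example, not the original poster's config.
# Shared settings live in a template conn with no auto= line, so it is
# never loaded on its own; the two leaf conns pull it in with also=.
config setup
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
    oe=off
    protostack=mast

conn roadw-common
    rightsubnet=vhost:%priv
    authby=rsasig
    leftrsasigkey=%cert
    rightrsasigkey=%cert
    left=193.XXX.XXX.XXX
    leftnexthop=193.XXX.XXX.YYY
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
    pfs=no
    rekey=no
    keyingtries=3
    sareftrack=yes
    overlapip=yes
    dpddelay=10
    dpdtimeout=30
    dpdaction=clear
    type=transport

# Clients still holding certificates issued by the old CA.
# leftcert is the existing server certificate signed by the old CA;
# rightca is the old CA's subject DN (placeholder value).
conn ROADW-NAT-OLDCA
    leftcert=vpn4.pem
    rightca="C=PL, O=Example Org, CN=Old Example CA"
    auto=add
    also=roadw-common

# Clients already migrated to the new CA.
# A second server certificate issued by the new CA is needed here,
# because a client only trusts a server cert that chains to its own CA.
conn ROADW-NAT-NEWCA
    leftcert=vpn4-newca.pem
    rightca="C=PL, O=Example Org, CN=New Example CA"
    auto=add
    also=roadw-common
```

Both CA certificates must be present in /etc/ipsec.d/cacerts/ (and the new CA's CRL, if any, in /etc/ipsec.d/crls/); once the last old-CA client is re-issued, the OLDCA conn and the old CA certificate can be dropped.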