Hello All, <br><br> I currently have a configuration for remote users with roadwarrior IPsec/L2TP. All users have certs from my private CA and everything works OK, but my CA is about to expire in the future. I want to migrate all users to a new CA and new certs, but I cannot do this all at once; I want to migrate continuously: some will have old certs (old CA) and some will use new certs (new CA). Currently users cannot connect with the new CA. I added the new CA to /etc/ipsec.d/cacerts/ and reread it, but in the configuration I have explicitly that VPN users use vpnt4.crt, which was created in the old CA context... Is it possible to add a separate cert for this new CA?<br>
<br>my config:<br><br>
config setup<br>
 nat_traversal=yes<br>
 # private ranges a client may sit behind (used by vhost:%priv below)<br>
 virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12<br>
 oe=off<br>
 protostack=mast<br>
<br>
# roadwarriors behind NAT<br>
conn ROADW-NAT<br>
 rightsubnet=vhost:%priv<br>
 authby=rsasig<br>
 leftrsasigkey=%cert<br>
 rightrsasigkey=%cert<br>
 # gateway certificate, issued by the old CA<br>
 leftcert=vpn4.pem<br>
 pfs=no<br>
 rekey=no<br>
 keyingtries=3<br>
 left=193.XXX.XXX.XXX<br>
 leftnexthop=193.XXX.XXX.YYY<br>
 # L2TP over IPsec in transport mode<br>
 leftprotoport=17/1701<br>
 sareftrack=yes<br>
 overlapip=yes<br>
 right=%any<br>
 rightprotoport=17/%any<br>
 dpddelay=10<br>
 dpdtimeout=30<br>
 dpdaction=clear<br>
 type=transport<br>
 auto=add<br>
<br>
# roadwarriors with a public address (no NAT)<br>
conn ROADW<br>
 authby=rsasig<br>
 leftrsasigkey=%cert<br>
 rightrsasigkey=%cert<br>
 # same gateway certificate from the old CA<br>
 leftcert=vpn4.pem<br>
 pfs=no<br>
 rekey=no<br>
 keyingtries=3<br>
 left=193.XXX.XXX.XXX<br>
 leftnexthop=193.XXX.XXX.YYY<br>
 leftprotoport=17/1701<br>
 sareftrack=yes<br>
 overlapip=yes<br>
 right=%any<br>
 rightprotoport=17/%any<br>
 dpddelay=10<br>
 dpdtimeout=30<br>
 dpdaction=clear<br>
 type=transport<br>
 auto=add<br>
<br>Regards,<br>Adam<br>
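The usual way to run two CAs side by side in Openswan is one conn per gateway certificate, each restricted to peers from its own CA. The following ipsec.conf fragment is an added example, not the poster's configuration: it assumes vpn4.pem is the existing gateway cert from the old CA (as in the post), vpn5.pem is a hypothetical gateway cert issued by the new CA, and both CA certificates have been dropped into /etc/ipsec.d/cacerts/. The shared settings are pulled in with `also=` so the four conns differ only in cert, CA and the NAT-specific `rightsubnet`.

```ini
# Added example (not from the original post). Assumed names: vpn5.pem is a
# gateway cert issued by the new CA; vpn4.pem is the existing old-CA cert.

# template only: no auto= line, so it is never loaded on its own
conn ROADW-common
 authby=rsasig
 leftrsasigkey=%cert
 rightrsasigkey=%cert
 pfs=no
 rekey=no
 keyingtries=3
 left=193.XXX.XXX.XXX
 leftnexthop=193.XXX.XXX.YYY
 leftprotoport=17/1701
 sareftrack=yes
 overlapip=yes
 right=%any
 rightprotoport=17/%any
 dpddelay=10
 dpdtimeout=30
 dpdaction=clear
 type=transport

# clients still holding certificates from the old CA
conn ROADW-OLD
 also=ROADW-common
 leftcert=vpn4.pem
 # only accept a peer whose certificate chains to the same CA as vpn4.pem
 rightca=%same
 auto=add

conn ROADW-NAT-OLD
 also=ROADW-OLD
 rightsubnet=vhost:%priv

# clients already migrated to the new CA
conn ROADW-NEW
 also=ROADW-common
 leftcert=vpn5.pem
 rightca=%same
 auto=add

conn ROADW-NAT-NEW
 also=ROADW-NEW
 rightsubnet=vhost:%priv
```

Two caveats from the migration point of view: a client that has been moved to the new CA must also trust the new CA cert on its side, because the gateway now presents vpn5.pem to it, and the old conns can simply be deleted once the last old-CA user is migrated. After `ipsec auto --rereadall`, `ipsec auto --listcacerts` should show both CAs and `ipsec auto --status` all four conns; if a new-CA client still fails, the Pluto log will say which conn it was matched against.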
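Before touching Pluto it is worth checking, with plain OpenSSL, that each user certificate chains to exactly the CA you expect and that a gateway trusting both CAs accepts both generations. The script below is an added example, not part of the original post: it builds two throwaway CAs ("oldca", "newca"), issues one user cert from each ("alice" not yet migrated, "bob" on the new CA), and runs `openssl verify` against each CA file and against a bundle of both, which is what /etc/ipsec.d/cacerts/ amounts to during the overlap. All names and the temporary directory are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): two throwaway CAs, one user
# certificate from each, and a check of which CA file validates which cert.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

make_ca() {        # make_ca <name>: self-signed CA key and certificate
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" \
        -subj "/O=Example/CN=$1" >/dev/null 2>&1
}

issue_user() {     # issue_user <ca> <user>: user certificate signed by <ca>
    openssl req -newkey rsa:2048 -nodes \
        -keyout "$WORK/$2.key" -out "$WORK/$2.csr" \
        -subj "/O=Example/CN=$2" >/dev/null 2>&1
    openssl x509 -req -days 30 -in "$WORK/$2.csr" \
        -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" -CAcreateserial \
        -out "$WORK/$2.crt" >/dev/null 2>&1
}

chains_to() {      # chains_to <cafile> <cert>: exit 0 if <cert> validates against <cafile>
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

make_ca oldca
make_ca newca
issue_user oldca alice     # constructed: user not yet migrated
issue_user newca bob       # constructed: user already on the new CA

# what the gateway trusts during the overlap: both CA certificates
cat "$WORK/oldca.crt" "$WORK/newca.crt" > "$WORK/bundle.crt"

for user in alice bob; do
    for ca in oldca newca bundle; do
        if chains_to "$WORK/$ca.crt" "$WORK/$user.crt"; then r=OK; else r=FAIL; fi
        echo "$user.crt against $ca.crt: $r"
    done
done
```

Expect alice to verify only against oldca and the bundle, bob only against newca and the bundle. If a real user cert fails against the bundle, the problem is the certificate or the CA file, not the conn configuration; if it passes here but the client still cannot connect, the conn selection in Pluto is the place to look.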