I would like to set up Strongswan/Libreswan with PKI authentication. Now I have searched and found only how to configure specific accepted client certificates, like here: http://technikenity.blogspot.com/2013/06/howto-windows-8-ikev2-vpn-with.html
What I would like to do is have something like rightCA=companyCA.pem
That would make Strongswan accept any client certificate that can build trust up to the CA.
EDIT: I would also like to have a means of authorizing the authenticated clients (e.g. against LDAP).
Best Answer
You can do exactly that with the rightca option. Just configure the distinguished name of the CA for which you want to accept client certificates. You actually don't even have to set that option, as strongSwan accepts all client certificates for which it can successfully verify the trust chain to a trusted CA certificate (i.e. the option is mainly to restrict clients to a specific CA if there are multiple trusted CAs).
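A worked ipsec.conf fragment for the gateway side, added here as an illustration and not taken from the answer above or from the strongSwan documentation. The certificate file names, the DN and the address ranges are placeholders. It assumes two CA certificates are installed in /etc/ipsec.d/cacerts (the company client CA and some other CA, e.g. the one that issued the gateway's own certificate), and uses rightca to accept only clients whose chain ends at the company client CA. It also turns on strictcrlpolicy, because "any certificate that chains to the CA" includes revoked ones unless a current CRL (or OCSP response) is available and enforced.

```ini
# /etc/ipsec.conf (example, not part of the original thread)

config setup
    # Refuse a peer certificate when no fresh CRL/OCSP status can be
    # obtained for it. Without this, a revoked client certificate that
    # still chains to the trusted CA would be accepted.
    strictcrlpolicy=yes

conn ikev2-company-clients
    keyexchange=ikev2
    auto=add

    # Gateway side: its certificate lives in /etc/ipsec.d/certs,
    # the matching private key is listed in /etc/ipsec.secrets.
    left=%any
    leftid=@vpn.example.com            # placeholder hostname
    leftcert=vpnGatewayCert.pem        # placeholder file name
    leftauth=pubkey
    leftsubnet=0.0.0.0/0

    # Client side: any peer may connect, but it must authenticate with a
    # certificate that chains to the CA whose subject DN is given below.
    # Both CA certificates in /etc/ipsec.d/cacerts are trusted for chain
    # building; rightca restricts which of them may issue client certs.
    right=%any
    rightauth=pubkey
    rightca="C=CH, O=Example Corp, CN=Example Corp Client CA"   # placeholder DN
    rightsourceip=10.10.10.0/24
```

The DN in rightca has to match the subject of the CA certificate exactly (compare against `openssl x509 -in companyCA.pem -noout -subject`). The fragment covers authentication only; the authorization step asked for in the EDIT (checking the authenticated identity against a directory) is not expressed by rightca, which decides solely on the issuing CA.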