Strongswan with X.509 authentication and LDAP authorization

Tags: ipsec, openswan, strongswan, vpn, x509

I would like to set up Strongswan/Libreswan with PKI authentication. Now I have searched and found only how to configure specific accepted client certificates, like here: http://technikenity.blogspot.com/2013/06/howto-windows-8-ikev2-vpn-with.html

What I would like to do is have something like rightCA=companyCA.pem
That would make Strongswan accept any client certificate that can build trust up to the CA.

EDIT: I would also like to have a means of authorizing the authenticated clients (e.g. against LDAP).

Best Answer

You can do exactly that with the rightca option. Just configure the distinguished name of the CA for which you want to accept client certificates.

You actually don't even have to set that option as strongSwan accepts all client certificates for which it can successfully verify the trust chain to a trusted CA certificate (i.e. the option is mainly to restrict clients to a specific CA if there are multiple trusted CAs).
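As an added illustration of the answer (example configuration, not taken from the original post), a strongSwan `ipsec.conf` connection that accepts any client certificate chaining to one particular CA. The CA distinguished name, file names, hostname and address pool are assumed placeholders.

```ini
# /etc/ipsec.conf (strongSwan, ipsec.conf syntax) - added example, not from the original answer.
# Assumed: the CA certificate is installed as /etc/ipsec.d/cacerts/companyCA.pem and the
# gateway's own certificate as /etc/ipsec.d/certs/vpn-gateway.pem (placeholder names).
config setup

conn ikev2-pki
    keyexchange=ikev2
    # Gateway side: its own certificate and the identity that certificate carries.
    left=%any
    leftcert=vpn-gateway.pem
    leftid=@vpn.example.com
    leftsubnet=0.0.0.0/0
    # Client side: authenticate with a certificate whose chain verifies up to a trusted CA ...
    right=%any
    rightauth=pubkey
    # ... and, because rightca is set, only certificates issued by this CA (its subject DN).
    # Leaving rightca out would accept certificates from every CA in /etc/ipsec.d/cacerts.
    rightca="C=US, O=Example Company, CN=Example Company CA"
    rightsourceip=10.10.0.0/24
    auto=add
```

Only CAs whose certificates are present in `/etc/ipsec.d/cacerts` are trusted for chain building, so the `rightca` DN must belong to one of them.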