When using a CA, you can match many clients, usually roadwarriors, with a single connection definition. Trust now rests on the CA: we trust that it has only signed (and not revoked) valid client certificates. If an incoming connection presents a certificate signed by a CA that we trust, we allow the connection. We can further limit the allowed connections based on the DN.
conn west-roadwarriors
    left=193.110.157.81
    leftcert=/etc/ipsec.d/certs/west.pem
    rightrsasigkey=%cert
    right=%any
    rightid="C=CA, O=Xelerance, OU=bofh, CN=*"
    auto=add
Using pattern matching on the DN in the rightid= parameter, you can implement access restrictions. You could use different conn definitions with different leftsubnet= or even leftprotoport= settings to give very specific access to groups or individuals. You can also make special connections using a leftsubnet= that points to a network printer. This might require careful planning of the RDNs in your certificates. You...
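As an added example (not from the book), one way to lay out the DN-based restrictions described above in ipsec.conf: administrators get the whole LAN, everyone else in the organisation only reaches the printer. The internal subnet (10.0.0.0/24), the printer address (10.0.0.50) and the use of OU=bofh for administrators are assumptions.

```ini
# Settings shared by every certificate-authenticated roadwarrior conn
conn %default
    left=193.110.157.81
    leftcert=/etc/ipsec.d/certs/west.pem
    right=%any
    rightrsasigkey=%cert

# Administrators (assumed OU=bofh) may reach the whole internal LAN (assumed 10.0.0.0/24)
conn rw-admins
    leftsubnet=10.0.0.0/24
    rightid="C=CA, O=Xelerance, OU=bofh, CN=*"
    auto=add

# Any other certificate from the organisation only reaches the network printer
# (assumed 10.0.0.50) on its raw-print port; the protocol is set on both sides
conn rw-printer
    leftsubnet=10.0.0.50/32
    leftprotoport=tcp/9100
    rightprotoport=tcp/%any
    rightid="C=CA, O=Xelerance, OU=*, CN=*"
    auto=add
```

Openswan prefers the conn whose rightid matches the peer's DN with the fewest wildcards, so a certificate with OU=bofh is placed in rw-admins rather than rw-printer.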