[Openswan Users] X509 DN filtering

John A. Sullivan III jsullivan at opensourcedevelopmentcorp.com
Tue Aug 24 19:29:58 CEST 2004


On Tue, 2004-08-24 at 18:11, Marc Spiegelman wrote:
> I am trying to figure out a solution so roadwarriors can only connect
> to their designated VPN concentrator but VPN concentrators can all
> connect to each other.  I was wondering if there is a configuration in
> openswan so I can limit which certificates are allowed to connect.  I
> was thinking the distinguished name could be used but I don't know if
> openswan is capable of this kind of filtering.  If so, does anyone
> have any examples?  Does anyone have any other ideas to meet my
> objective? 
<snip>
I believe the information on how to do this is in the X.509 patch
documentation.  You can certainly specify the ID in the connection
configuration although that seems like a lot of administrative
overhead.  I also believe that recent enhancements to the X.509 patch
allow the use of wildcards.  That would make life easier.

The DN is exposed for use in the updown scripts.  In fact, we use this
all the time in the ISCS project (http://iscs.sourceforge.net).  There,
we allow a user to connect to their default gateway and then can allow
or restrict their access to the rest of the WAN using their X.509 DN all
through their default gateway -- no need to connect directly to each
resource protecting gateway or to use a virtual IP to handle security
beyond the default gateway.  I don't know if that's helpful toward your
goal.
-- 
John A. Sullivan III
Open Source Development Corporation
Financially sustainable open source development
http://www.opensourcedevel.com
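As an added example (not from this thread or from the Openswan project), the DN check the reply describes can be done in a custom updown script: pluto passes the peer's authenticated identity, the X.509 DN when certificates are used, in PLUTO_PEER_ID, and the script compares it against a per-concentrator allowlist before the client route goes in. The allowlist path and the DNs are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread or from Openswan itself: fragment of a
# custom updown script.  Pluto exports the peer's authenticated ID (the X.509
# DN when certificates are used) as PLUTO_PEER_ID and the event as PLUTO_VERB.
# Path and DN values below are constructed for illustration.

# Assumed allowlist location; one DN per line, "*" allowed as a wildcard in an
# RDN value, blank lines and "#" comments ignored.
ALLOWLIST="${ALLOWLIST:-/etc/ipsec.d/roadwarrior-dns.allow}"

# dn_allowed DN FILE -> exit 0 if DN matches an entry exactly or via wildcard.
dn_allowed() {
    dn=$1
    file=$2
    [ -r "$file" ] || return 1
    while IFS= read -r entry || [ -n "$entry" ]; do
        case "$entry" in
            ''|'#'*) continue ;;
        esac
        # Exact match first, so entries containing glob characters still work.
        [ "$entry" = "$dn" ] && return 0
        # Unquoted pattern: the shell treats "*" as a glob, so an entry such as
        # "C=US, O=Example, OU=Concentrators, CN=*" covers every concentrator.
        # case patterns are not field-split, so the spaces in a DN are safe.
        case "$dn" in
            $entry) return 0 ;;
        esac
    done < "$file"
    return 1
}

# Enforce the allowlist when a client SA comes up.  A non-zero exit is how an
# updown script signals failure to pluto; the route is not installed.
case "${PLUTO_VERB:-}" in
    up-client|up-host)
        if ! dn_allowed "${PLUTO_PEER_ID:-}" "$ALLOWLIST"; then
            logger -t updown "peer DN not allowed on ${PLUTO_CONNECTION:-?}: ${PLUTO_PEER_ID:-}"
            exit 1
        fi
        ;;
esac

# The static alternative the reply mentions is the per-connection ID in
# ipsec.conf, e.g.  rightid="C=US, O=Example, OU=VPN, CN=*"  (wildcard form).
```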