<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=iso-8859-1">
<META content="MSHTML 6.00.2800.1400" name=GENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=#ffffff>
<DIV><FONT face=Arial size=2>Hi,</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV>
<DIV><FONT face=Arial size=2>Thanks, it works fine with
openssl-0.9.7h,</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>But I had a lot of trouble with openssl-0.9.8a:
</FONT></DIV>
<DIV><FONT face=Arial size=2>* The generation of the root CA is different: you
need to change openssl.cnf to get the x509 v3 field: CA:True.</FONT></DIV>
<DIV><FONT face=Arial size=2>* My "ipsec barf" is good, all
certificates were valid, but I get: "invalid id information". And I noticed
the x509 v3 fields DirName and serial were missing.</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>Do you know what's happening?</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>Laurent.</FONT></DIV></DIV>
<BLOCKQUOTE
style="PADDING-RIGHT: 0px; PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #000000 2px solid; MARGIN-RIGHT: 0px">
<DIV style="FONT: 10pt arial">----- Original Message ----- </DIV>
<DIV
style="BACKGROUND: #e4e4e4; FONT: 10pt arial; font-color: black"><B>From:</B>
<A title=paul@xelerance.com href="mailto:paul@xelerance.com">Paul Wouters</A>
</DIV>
<DIV style="FONT: 10pt arial"><B>To:</B> <A title=martin@andorinha.ist.utl.pt
href="mailto:martin@andorinha.ist.utl.pt">Jorge Daniel Sequeira Matias</A>
</DIV>
<DIV style="FONT: 10pt arial"><B>Cc:</B> <A title=users@openswan.org
href="mailto:users@openswan.org">users@openswan.org</A> </DIV>
<DIV style="FONT: 10pt arial"><B>Sent:</B> Tuesday, October 04, 2005 8:23
PM</DIV>
<DIV style="FONT: 10pt arial"><B>Subject:</B> Re: [Openswan Users] multiple
root CA</DIV>
<DIV><BR></DIV>On Tue, 4 Oct 2005, Jorge Daniel Sequeira Matias
wrote:<BR><BR>> certifies your users certificates, it doesn't work. I have
tested this setup<BR>> too because my VPN Server certificate is signed by a
SubCA. This SubCA is<BR>> going to expire. I had to create a new SubCA of
the same RootCA.<BR>> In this case, as the users and VPN Server
certificates are all "sons" of the<BR>> RootCA, Openswan doesn't know how
to select the right VPN Server certificate to<BR>> send to the
user.<BR><BR>You can explicitly set a CA with
rightca=/leftca=<BR><BR>> Does anyone know if it is possible to install 2
openswans in the same machine each<BR>> one listening on a different IP
address? This could solve my problem.<BR><BR>No you cannot, since the kernel
wouldn't know to which IKE daemon it should
talk.<BR><BR>Paul<BR>_______________________________________________<BR>Users
mailing list<BR><A
href="mailto:Users@openswan.org">Users@openswan.org</A><BR><A
href="http://lists.openswan.org/mailman/listinfo/users">http://lists.openswan.org/mailman/listinfo/users</A><BR></BLOCKQUOTE></BODY></HTML>