<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=gb2312">
<META content="MSHTML 6.00.2900.2180" name=GENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=#ffffff>
<DIV><FONT size=2>Hi,All:<BR> I have two
hosts--192.168.10.9 and 192.168.10.10 which are connected to a hub. They have
openswan2.3.1 installed. I </FONT><FONT size=2>have already setup a tunnel using
main mode and aggressive mode with x.509 certificate authentication. Detailed
configurations are as </FONT><FONT size=2>follows.</FONT></DIV>
<DIV> </DIV>
<DIV><FONT size=2>On
192.168.10.9:<BR>/etc/ipsec.d/certs/9.pem --localhost's
certificate<BR>/etc/ipsec.d/certs/10.pem --counterpart's
certificate<BR>/etc/ipsec.d/cacerts/cacert.pem<BR>/etc/ipsec.d/private/9.key</FONT></DIV>
<DIV> </DIV>
<DIV><FONT size=2>ipsec.conf:<BR>config
setup<BR> interfaces="ipsec0=eth1"<BR>conn
test<BR> left=192.168.10.9<BR> leftcert=9.pem<BR> right=192.168.10.10<BR> rightcert=10.pem<BR> pfs=no<BR> ike=3des-md5-modp1536<BR> aggrmode=yes<BR> auto=add</FONT></DIV>
<DIV> </DIV><FONT size=2>
<DIV><BR>On 192.168.10.10:<BR>/etc/ipsec.d/certs/10.pem
--localhost's certificate<BR>/etc/ipsec.d/certs/9.pem
--counterpart's
certificate<BR>/etc/ipsec.d/cacerts/cacert.pem<BR>/etc/ipsec.d/private/10.key</DIV>
<DIV> </DIV>
<DIV>ipsec.conf:<BR>config setup<BR> interfaces="ipsec0=eth1"<BR>conn
test<BR> left=192.168.10.10<BR> leftcert=10.pem<BR> right=192.168.10.9<BR> rightcert=9.pem<BR> pfs=no<BR> ike=3des-md5-modp1536<BR> aggrmode=yes<BR> auto=add</DIV>
<DIV> </DIV>
<DIV><BR> I use tcpdump to capture the data packet of
IKE phase 1. I find that the two hosts don't exchange each other's certificate
whether using main mode or aggressive mode. I mean they just exchange each
other's the RDN sequence which is part of the x.509 certificate. They must store
their counterpart's certificates in /etc/ipsec.d/certs dir. I GUESS that the
hosts will lookup its counterpart's certificate in /etc/ipsec.d/certs/ dir using
the RDN sequence. Then, they can get counterpart's public key. That's why they
don't exchange public key during IKE phase 1 negotiation.</DIV>
<DIV> </DIV>
<DIV>The question is:<BR>1. Is what I guess right?<BR>2. I use openswan in a
embeded system. There are many clients with x.509 certificates. So, openswan
must store lots of cetificates. But, there is not enough space in this embeded
environment. Is there any good suggestion? <BR>3. For question 2, I want
the openswan to store its own certificate only and get its counterparts' publick
keys through IKE phase 1 negotiation. Therefore, it will save a lot storage
space. Does this method work?</DIV>
<DIV> I will really appreciate your reply and
help~~~~~~~~</DIV>
<DIV> </DIV>
<DIV> Jacky</FONT></DIV></BODY></HTML>