Hello All,

I'm setting up an openswan install on an ubuntu server.

I prefer to use x.509 on both sides to certify the validity of both ends of the connection. I already have scripts to auto-create openssl certs/pem/pkcs12 for each client.

I need to be able to "disable" clients and then re-enable them later. I was thinking about using the CRL, but it doesn't appear openswan detects when the CRL is updated, so anytime you have to revoke a cert you also have to restart openswan - does that also kill all the current connections?

Another avenue I've thought about is to not use the CRL (but still use certs), but add XAUTH for the users and just remove/comment users who are "disabled". Would that also require a restart to re-read the XAUTH config file?

One last question. I've been looking for a really good config example that uses x.509, but the documentation seems a little sparse. Maybe I'm just not looking in the right places? Can you recommend a good "howto" type resource on configuring openswan w/ x.509?

Thanks!
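For reference, an added example (not the poster's configuration, and not from the openswan project) of an ipsec.conf fragment that combines the pieces discussed above: x.509 on both sides, CRL checking against a CRL stored on the gateway, and XAUTH as a second factor. It assumes the openswan 2.6 series, a single CA issuing both gateway and client certificates, and the file names and DN shown, which are placeholders.

```ini
# /etc/ipsec.conf -- illustrative openswan 2.6 fragment (added example, not the poster's config).
# Assumed layout: the CA certificate is in /etc/ipsec.d/cacerts/, the gateway certificate is
# /etc/ipsec.d/certs/gateway.pem (its key is referenced from ipsec.secrets), and the CA's CRL is
# copied into /etc/ipsec.d/crls/ whenever a client certificate is revoked.
version 2.0

config setup
    protostack=netkey
    # Re-verify the loaded CRLs every 10 minutes (seconds); 0 disables CRL checking entirely.
    crlcheckinterval=600
    # Fail closed: reject a peer whose issuing CA has no CRL loaded instead of skipping the check.
    strictcrlpolicy=yes
    # One tunnel per identity, so a re-enabled client does not leave a stale SA behind.
    uniqueids=yes

conn roadwarriors
    # Gateway side: authenticate with our own certificate.
    left=%defaultroute
    leftcert=gateway.pem
    leftrsasigkey=%cert
    leftid="C=XX, O=Example Org, CN=vpn.example.invalid"   # placeholder DN of gateway.pem
    leftsubnet=10.0.0.0/24

    # Client side: accept any peer presenting a cert from the same CA that is not on the CRL.
    right=%any
    rightrsasigkey=%cert
    rightca=%same
    authby=rsasig

    # Second factor: XAUTH users are checked against /etc/ipsec.d/passwd
    # (lines of the form user:hash:connname), so a "disabled" user can be removed there
    # independently of certificate revocation.
    leftxauthserver=yes
    rightxauthclient=yes
    xauthby=file

    auto=add
```

With this layout a newly copied CRL is picked up on the next crlcheckinterval tick, or immediately with `ipsec auto --rereadcrls`; `ipsec auto --listcrls` shows which CRLs pluto currently holds and when they expire.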