[Openswan dev] [PATCH] Updates to the ipsec.conf man page for leftsendcert

Nate Carlson natecars at natecarlson.com
Fri May 14 10:58:05 CEST 2004

I've updated the man page to include the leftsendcert directives. If I've
got some details wrong, sorry - I just gleaned what I could from archive
posts.  :)

I've also documented leftcert, as that wasn't in the man page before.

If someone can explain what leftsourceip is supposed to do exactly, I can
also add docs for that.

Also, my apologies if this is formatted incorrectly - I've never written
man before, so just based it on the other entries. If there is something 
wrong with the way I'm doing it, just let me know.


| nate carlson | natecars at natecarlson.com | http://www.natecarlson.com |
|       depriving some poor village of its idiot since 1981            |
diff -Naur openswan-2/programs/_confread/ipsec.conf.5 openswan-2.docs/programs/_confread/ipsec.conf.5
--- openswan-2/programs/_confread/ipsec.conf.5	2003-12-22 13:41:07.000000000 -0600
+++ openswan-2.docs/programs/_confread/ipsec.conf.5	2004-05-14 09:51:57.000000000 -0500
@@ -550,6 +550,11 @@
 must be a specific host, not
 .B %any
 or another magic value.
+The value 
+.B %cert
+will load the information required from a certificate defined in
+.B %leftcert
+and automatically define leftid for you.
 .B Caution:
 if two connection descriptions
 specify different public keys for the same
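Review bot: the cross-reference `.B %leftcert` in this hunk names the option incorrectly; the option is `leftcert` (as the second hunk's own `.BR leftcert` entry spells it), and the `%` prefix is reserved for magic values such as `%cert` and the `%any` shown in the context lines, so a reader would look for a `%leftcert` keyword that does not exist. Suggest `.B leftcert` there, and drop the trailing space after `+The value `.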
@@ -560,6 +565,29 @@
 if present, a second public key.
 Either key can authenticate the signature, allowing for key rollover.
+.BR leftcert
+If you are using 
+.B leftrsasigkey=%cert
+this defines the certificate you would like to use. It should point to a X.509
+encoded certificate file. If you do not specify a full pathname, by default it
+will look in /etc/ipsec.d/certs.
+.BR leftsendcert
+This option configures when Openswan will send X.509 certificates to the remote
+host. Acceptable values are 
+.B yes|always
+(signifying that we should always send a certificate),
+.B ifasked
+(signifying that we should send a certificate if the remote end asks for it), and
+.B no|never
+(signifying that we will never send a X.509 certificate).
+The default for this option is 
+.B ifasked
+which may break compatibility with other vendor's IPSec implementations, such as
+Cisco and SafeNet. If you find that you are getting errors about no ID/Key found,
+you likely need to set this to
+.B always.
 .B xauth
 Use XAUTH / Mode Config for this connection.  This uses PAM for authentication
 currently, and it not well documented.  Use the source :)  Acceptable values are
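Review bot: `.B always.` at the end of the leftsendcert entry puts the full stop inside the bold span; write it as `.B always` with the period on the following text line, or `.BR always .` so only the word is emphasised. Two smaller points in the same hunk: the new entries are introduced with `.BR leftcert` / `.BR leftsendcert` while the neighbouring entry uses `.B xauth`, so `.B` would be consistent (`.BR` with a single argument renders the same but reads as an accident), and the wording should be "an X.509 certificate" (twice) and "other vendors' IPsec implementations" rather than "a X.509" and "other vendor's IPSec".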
