[Openswan Users] X509 DN filtering

Paul Wouters paul at xelerance.com
Wed Aug 25 01:27:20 CEST 2004

On Tue, 24 Aug 2004, Marc Spiegelman wrote:

> I am trying to figure out a solution so roadwarriors can only connect to their designated VPN concentrator but VPN concentrators can all connect to each other.  I was wondering if there is a configuration in openswan so I can limit which certificates are allowed to connect.  I was thinking the distinguished name could be used but I don't know if openswan is capable of this kind of filtering.  If so, does anyone have any examples?  Does anyone have any other ideas to meet my objective?

From Andreas's X509 documentation:

The IPsec policy defined above can now be enforced with the following three
IPsec security associations:

    conn sales
         rightid="C=CH, O=ACME, OU=Sales, CN=*"
         rightsubnetwithin=   # Sales DHCP range
         leftsubnet=          # Sales subnet

    conn research
         rightid="C=CH, O=ACME, OU=Research, CN=*"
         rightsubnetwithin=   # Research DHCP range
         leftsubnet=          # Research subnet

    conn web
         rightid="C=CH, O=ACME, OU=*, CN=*"
         rightsubnetwithin=   # Remote access DHCP range
         leftsubnet=          # Web server
         rightprotoport=tcp              # TCP protocol only
         leftprotoport=tcp/http          # TCP port 80 only

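The following is an added illustration, not part of the original message or of the X509 documentation it quotes: a small Python model of the rightid wildcard matching the excerpt relies on. A peer certificate's subject DN is compared against each conn's rightid component by component; every attribute type must appear in the same order, and a value must be identical unless the pattern gives `*`, which stands for any whole value. The conn table mirrors the three conns above. The `most_specific_conn` selection rule (fewest wildcards wins) is a hypothetical rule chosen for the demonstration and is not a claim about how Openswan itself ranks overlapping conns; the parser also assumes the plain comma-separated DN form seen in ipsec.conf and does not handle escaped commas inside values.

```python
from typing import List, Optional, Tuple

RDN = Tuple[str, str]


def parse_dn(dn: str) -> List[RDN]:
    """Split 'C=CH, O=ACME, OU=Sales, CN=*' into [('C', 'CH'), ...].

    Assumption: the simple comma-separated form used in ipsec.conf.
    Escaped commas inside attribute values are not handled here.
    """
    rdns: List[RDN] = []
    for part in dn.split(","):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed RDN: {part!r}")
        attr, value = part.split("=", 1)
        rdns.append((attr.strip().upper(), value.strip()))
    return rdns


def dn_matches(pattern: str, subject: str) -> bool:
    """True when the subject DN satisfies a rightid pattern.

    Same number of RDNs, same attribute types in the same order, and each
    value equal to the pattern value unless the pattern value is '*'.
    A subject with extra or missing components never matches, so a
    certificate issued outside the expected DN shape gets no conn at all.
    """
    p = parse_dn(pattern)
    s = parse_dn(subject)
    if len(p) != len(s):
        return False
    for (pa, pv), (sa, sv) in zip(p, s):
        if pa != sa:
            return False
        if pv != "*" and pv != sv:
            return False
    return True


# Constructed conn table mirroring the three conns in the quoted excerpt.
CONNS = [
    ("sales", "C=CH, O=ACME, OU=Sales, CN=*"),
    ("research", "C=CH, O=ACME, OU=Research, CN=*"),
    ("web", "C=CH, O=ACME, OU=*, CN=*"),
]


def matching_conns(subject: str, conns=CONNS) -> List[str]:
    """Names of every conn whose rightid accepts this subject DN."""
    return [name for name, rid in conns if dn_matches(rid, subject)]


def most_specific_conn(subject: str, conns=CONNS) -> Optional[str]:
    """Pick the matching conn with the fewest '*' components.

    Hypothetical selection rule for illustration only; ties are broken by
    table order. Returns None when no rightid accepts the subject, which is
    the outcome a defender wants for a certificate from the wrong OU.
    """
    best: Optional[str] = None
    best_wild: Optional[int] = None
    for name, rid in conns:
        if not dn_matches(rid, subject):
            continue
        wild = sum(1 for _, v in parse_dn(rid) if v == "*")
        if best_wild is None or wild < best_wild:
            best, best_wild = name, wild
    return best


if __name__ == "__main__":
    # Constructed sample subjects: one per department plus one from a
    # different country, to show which conns each would be allowed into.
    for subj in (
        "C=CH, O=ACME, OU=Sales, CN=alice",
        "C=CH, O=ACME, OU=Marketing, CN=carol",
        "C=DE, O=ACME, OU=Sales, CN=dave",
    ):
        print(f"{subj:45} -> {matching_conns(subj)} best={most_specific_conn(subj)}")
```

Applied to the original question, the same idea restricts which certificates may reach a given concentrator: a conn whose rightid fixes the OU (or another RDN) accepts only certificates carrying that value, while a rightid with `*` in that position accepts any value and so suits the concentrator-to-concentrator conns.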
