[Openswan Users] no connection authorized...

Paul Wouters paul at xelerance.com
Wed Dec 8 23:02:58 CET 2004


On Wed, 8 Dec 2004, Eric S. Johansson wrote:

> conn ronlaptop
>        left=harvee.org
>        leftnexthop=%defaultroute
>        leftsubnet=192.168.0.0/255.255.255.0
>        leftcert=/var/ipcop/certs/hostcert.pem
>        right=%any
>        rightsubnet=vhost:%no,%priv
>        rightcert=/var/ipcop/certs/ronlaptopcert.pem
>        dpddelay=30
>        dpdtimeout=120
>        dpdaction=clear
>        authby=rsasig
>        auto=add

Note that since you are explicitly loading both certificates, the
role of the CA is undermined, since openswan 'trusts' all
explicitly loaded certificates.

The proper way to use CAs is to not specify any rightcert=. Then the
properly trusted CA that is loaded will be looked up by the server side.
I am not sure if this will fix your problem. It would be good if IPcop
switched to openswan-2 instead of still using openswan-1, which is in
maintenance mode only.

Paul
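An added audit check, not part of the thread or of openswan itself: it parses ipsec.conf conn sections and flags every conn that pins the peer with rightcert=, which is the situation Paul describes where the loaded certificate, not the CA, decides trust. The sample config is constructed from the conn quoted above plus a hypothetical 'roadwarriors' conn that leaves rightcert= unset.

```python
import re
from typing import Dict, List

# Constructed sample: the quoted conn, plus a hypothetical CA-based conn.
SAMPLE_IPSEC_CONF = """\
conn ronlaptop
        left=harvee.org
        leftnexthop=%defaultroute
        leftsubnet=192.168.0.0/255.255.255.0
        leftcert=/var/ipcop/certs/hostcert.pem
        right=%any
        rightsubnet=vhost:%no,%priv
        rightcert=/var/ipcop/certs/ronlaptopcert.pem
        dpddelay=30
        dpdtimeout=120
        dpdaction=clear
        authby=rsasig
        auto=add

conn roadwarriors
        left=harvee.org
        leftcert=/var/ipcop/certs/hostcert.pem
        right=%any
        authby=rsasig
        auto=add
"""

def parse_conns(text: str) -> Dict[str, Dict[str, str]]:
    """Map each 'conn <name>' section to its key=value options (comments stripped)."""
    conns: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        m = re.match(r"^conn\s+(\S+)\s*$", line)
        if m:                       # start of a new conn section
            current = m.group(1)
            conns[current] = {}
        elif current is None or not line[0].isspace():
            current = None          # 'config setup' or another top-level section
        else:
            key, _, value = line.strip().partition("=")
            conns[current][key.strip()] = value.strip()
    return conns

def pinned_cert_conns(conns: Dict[str, Dict[str, str]]) -> List[str]:
    """Conns that pin the peer via rightcert=, so the CA no longer decides trust."""
    return sorted(n for n, o in conns.items() if "rightcert" in o)
```

Running `pinned_cert_conns(parse_conns(SAMPLE_IPSEC_CONF))` returns only `['ronlaptop']`; the CA-based conn passes.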

