[Openswan Users] Re: Openswan with X.509 signed by different CAs

Jacco de Leeuw jacco2 at dds.nl
Thu Dec 9 13:16:02 CET 2004


WADA Masahiro wrote:

>>If I remember correctly, the Microsoft documentation says that
>>both sides MUST be using certificates from the same CA.
>
> I have never heard such information.
> If someone knows its document, please tell me.

http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/sag_ipsecbpspecial.mspx

That webpage, for instance, mentions the following:

  "When you are using the certificate authentication method for L2TP
  connections, the list of certification authorities (CAs) is not configurable.
  Instead, ensure one of the following before attempting an L2TP connection:

  - Both the VPN client and VPN server were issued computer certificates from
    the same CA.
  - Both the VPN client and VPN server were issued computer certificates from
    CAs that follow a certificate chain up to the same root CA".

Andreas Steffen wrote:

> The problem is that your Windows client sends a Certificate
> Request message to *swan requesting a certificate issued by
> CA A whereas *swan has a certificate issued by CA B. Therefore
> the negotiation fails. If you can reconfigure your Windows client
> to request either a certificate from CA B or send an empty
> Certificate Request then *swan will respond and send its own
> certificate.

According to the page mentioned above:

  "When you are using the certificate authentication method for L2TP
  connections, the list of certification authorities (CAs) is not
  configurable. Instead, each computer in the L2TP connection sends a
  list of root CAs to its IPSec peer from which it accepts a certificate for
  authentication. The root CAs in this list correspond to the root CAs that
  issued computer certificates to the computer. For example, if Computer A was
  issued computer certificates by root CAs CertAuth1 and CertAuth2, it notifies
  its IPSec peer during main mode negotiation that it will accept certificates
  for authentication from only CertAuth1 and CertAuth2. If the IPSec peer,
  Computer B, does not have a valid computer certificate issued from either
  CertAuth1 or CertAuth2, IPSec main mode negotiation fails".

Jacco
-- 
Jacco de Leeuw                         mailto:jacco2 at dds.nl
Zaandam, The Netherlands           http://www.jacco2.dds.nl
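The main-mode Certificate Request behaviour the two quotes describe, as an added example that is not part of this post or of Openswan: each peer advertises the root CAs of its own computer certificates, and the other side can only answer if its own chain ends in one of them (or if the request is empty). The certificate store and all names are constructed; certificates are modelled as subject/issuer pairs rather than real X.509 objects.

```python
from typing import Dict, List, Optional, Tuple

# Constructed certificate store (hypothetical names): subject -> issuer.
# A root CA is self-issued; every other cert points at its signer.
CERTS: Dict[str, str] = {
    "CN=CertAuth1": "CN=CertAuth1",          # root CA "A" (self-signed)
    "CN=CertAuth2": "CN=CertAuth2",          # root CA "B" (self-signed)
    "CN=CertAuth1-Sub": "CN=CertAuth1",      # intermediate under CertAuth1
    "CN=vpn-client": "CN=CertAuth1-Sub",     # Windows client computer cert
    "CN=swan-gw-B": "CN=CertAuth2",          # *swan gateway cert from CA B
    "CN=swan-gw-A": "CN=CertAuth1",          # *swan gateway cert from CA A
}

def chain_to_root(subject: str, store: Dict[str, str],
                  max_depth: int = 8) -> Optional[List[str]]:
    """Follow issuer links from a leaf to a self-issued root (leaf first).
    None if an issuer cert is missing, the chain loops, or it is too deep."""
    chain, cur = [subject], subject
    for _ in range(max_depth):
        issuer = store.get(cur)
        if issuer is None:
            return None                 # issuer not in store: broken chain
        if issuer == cur:
            return chain                # self-issued: reached a root CA
        chain.append(issuer)
        cur = issuer
    return None                         # too deep, or an issuer cycle

def certificate_request(own_leafs: List[str], store: Dict[str, str]) -> List[str]:
    """Root CAs a peer lists in its main-mode Certificate Request payload:
    per the Microsoft text, the roots that issued its own computer certs."""
    roots: List[str] = []
    for leaf in own_leafs:
        chain = chain_to_root(leaf, store)
        if chain and chain[-1] not in roots:
            roots.append(chain[-1])
    return roots

def responder_accepts(requested_roots: List[str], own_leaf: str,
                      store: Dict[str, str]) -> Tuple[bool, Optional[str]]:
    """Can the responder satisfy the peer's request? Returns (ok, own root).
    An empty request means "any CA": the thread says *swan then answers."""
    chain = chain_to_root(own_leaf, store)
    if chain is None:
        return False, None
    root = chain[-1]
    return (not requested_roots or root in requested_roots), root
```

With the constructed store, a client holding only a CertAuth1 certificate advertises `["CN=CertAuth1"]`, so a gateway certificate chaining to CertAuth2 is rejected while one chaining to CertAuth1 (directly or via the intermediate) is accepted.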