[Openswan Users] DSL modems in bridge mode and UDP fragmentat ion

Tim Bouwer TBouwer at pfn.com
Mon Jan 5 16:01:04 CET 2004

Hi Michael

>>    >>> It is only going to occur if you transmit the certificates.  There
is very
>>    >>> little reason to do that.

>>    >>> Unless you have 1000 road warriors, I don't see a reason to do
>>    >>> that. It just causes problems, like the one that you have.

>>    Tim> We use x509 across the board for authentication of the Freeswan
>>    Tim> gateways and for our roadwarriors and also as the basis for the
>>    Tim> encryption in preference to preshared keys - it would be

>  I never said use pre-shared keys.

>  I said, don't transmit the certificates. There is simply no point in
>  that, except for road-warriors where you have a policy of accepting any
>  certificate from a particular CA, *AND* you have no way to retrieve them
>  from, say an LDAP server.

How do you stop openswan from sending the cert or requesting the cert?

For example, I set up a test with two machines and had the one with both its
own (left) and the remote (right) cert on the local disk.  

I can see openswan loading the rightcert in /var/log/secure but a tcpdump
shows the cert being sent from the remote machine during the IKE phase even
though left already has it.  

Is there some magic that I am missing in ipsec.conf?  We do not use ldap or
dns provided certs.


More information about the Users mailing list