[Openswan Users] DSL modems in bridge mode and UDP fragmentat
ion
Tim Bouwer
TBouwer at pfn.com
Mon Jan 5 16:01:04 CET 2004
Hi Michael
>> >>> It is only going to occur if you transmit the certificates. There
is very
>> >>> little reason to do that.
>> >>> Unless you have 1000 road warriors, I don't see a reason to do
>> >>> that. It just causes problems, like the one that you have.
>> Tim> We use x509 across the board for authentication of the Freeswan
>> Tim> gateways and for our roadwarriors and also as the basis for the
>> Tim> encryption in preference to preshared keys - it would be
difficult
> I never said use pre-shared keys.
> I said, don't transmit the certificates. There is simply no point in
doing
> that, except for road-warriors where you have a policy of accepting any
> certificate from a particular CA, *AND* you have no way to retrieve them
> from, say an LDAP server.
How do you stop openswan from sending the cert or requesting the cert?
For example, I set up a test with two machines and had the one with both its
own (left) and the remote (right) cert on the local disk.
I can see openswan loading the rightcert in /var/log/secure but a tcpdump
shows the cert being sent from the remote machine during the IKE phase even
though left already has it.
Is there some magic that I am missing in ipsec.conf? We do not use ldap or
dns provided certs.
Tim
More information about the Users
mailing list