[Openswan Users] Re: NAT Traversal support with openswan (which draft version initiator/responder?)
Paul Wouters
paul at xelerance.com
Fri Jun 18 01:20:42 CEST 2004
On Thu, 17 Jun 2004, Xiaoming Yu wrote:
> One more comment on this subject. Even when we decide to use certificate
> with leftid, rightid, if this is still a client server scenario, and I have
> multiple clients. On the server side, do I have to set up multiple
> connections in the config file, one for each client with unique
> certificate? Is that just easier to use one preshared key, at least for
> testing? I know in real life, probably worth it because of the security
> benefit.
When using raw RSA keys you will need to make a conn for each client-server.
There are ways to minimize the writing/changing you need to do by including
one conn into another conn definition with the also= construct. See the
ipsec.conf man page.
With X.509 certificates, you should only need one conn accepting all
certificates signed by a certain CA.
Paul
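
The two server-side layouts described in the reply above, as an added ipsec.conf fragment that is not part of the original message. The conn names, host names, addresses, certificate file name, CA distinguished name and key values are constructed placeholders; the two layouts are alternatives, not one combined configuration.

```conf
# Fragment of /etc/ipsec.conf on the server ("left" side).
# Every name, address and key value here is a constructed placeholder.

# --- Alternative 1: raw RSA keys, one conn per client -------------------
# Settings common to all clients are written once and pulled into each
# per-client conn with also=, so a new client costs four lines.
conn server-common
    left=192.0.2.1
    leftid=@server.example.com
    leftrsasigkey=0sPLACEHOLDER_SERVER_PUBLIC_KEY
    right=%any
    authby=rsasig

conn client-alice
    also=server-common
    rightid=@alice.example.com
    rightrsasigkey=0sPLACEHOLDER_ALICE_PUBLIC_KEY
    auto=add

conn client-bob
    also=server-common
    rightid=@bob.example.com
    rightrsasigkey=0sPLACEHOLDER_BOB_PUBLIC_KEY
    auto=add

# --- Alternative 2: X.509, one conn for all clients ---------------------
# The peer's public key is taken from the certificate it presents
# (rightrsasigkey=%cert), and rightca= limits acceptance to certificates
# issued by the named CA. Revoking a client is done through the CA's CRL,
# not by editing this file.
conn x509-clients
    left=192.0.2.1
    leftcert=server.example.com.pem
    right=%any
    rightrsasigkey=%cert
    rightca="C=XX, O=Example Org, CN=Example CA"
    authby=rsasig
    auto=add
```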