[Openswan Users] Openswan 1.0.3 and Win2k or WinXP with X.509

Nate Carlson natecars at natecarlson.com
Thu May 13 11:22:34 CEST 2004


On Thu, 13 May 2004, Trevor Benson wrote:
> Does anyone have multiple Openswan vpn systems with x.509 being used
> from Microsoft roadwarriors?  I assume that the cert for each tunnel is
> negotiated from the list of personal certs based on the CA and host you
> connect to?  Or does anyone know of any issues with using multiple certs
> on 2k or XP.

Are you using ipsec.exe, or l2tp over ipsec?

If ipsec.exe, the certificate to use is determined by the ca= entry -- 
it'll grab a cert from your store that was signed by that CA, and present 
it to the remote side. Not sure what happens if you have multiple certs 
from that CA - never tried it.

If l2tp over ipsec, Windows just seems to grab the first cert in your 
personal store, in my experience. It doesn't seem to work properly if 
you've got multiple certs, and the first one isn't the one you want to 
use.  :(  (If anyone's been able to get it to work with multiple certs, 
let me know!)

------------------------------------------------------------------------
| nate carlson | natecars at natecarlson.com | http://www.natecarlson.com |
|       depriving some poor village of its idiot since 1981            |
------------------------------------------------------------------------
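A practical check for the situation described in this reply, added here as an example and not part of the original post or of Openswan: enumerate the certificates in the Windows machine store, show the order the store enumerates them in, and flag how many were issued by the CA the tunnel expects. It assumes the client consults the machine store (Cert:\LocalMachine\My) and uses a placeholder CA common name that must be replaced; both are assumptions, not facts from the thread.

```powershell
# Added example, not from the original message. Lists the certificates a
# Windows IKE client could choose from and highlights ambiguity (several
# certificates from the same CA) or unusable entries (no private key,
# expired). Assumptions: the machine store Cert:\LocalMachine\My is the one
# consulted, and 'Example VPN CA' is a placeholder common name to replace.
param(
    [string]$StorePath    = 'Cert:\LocalMachine\My',
    [string]$CaCommonName = 'Example VPN CA'   # placeholder, replace with your CA's CN
)

function Get-CertsFromCa {
    # Returns the certificates in $Path whose issuer DN carries CN=$CaName,
    # in the order the store enumerates them (what a "first cert" pick sees).
    param([string]$Path, [string]$CaName)
    $pattern = 'CN=' + [regex]::Escape($CaName)
    Get-ChildItem -Path $Path | Where-Object { $_.Issuer -match $pattern }
}

$all = @(Get-ChildItem -Path $StorePath)
Write-Host ("{0} certificate(s) in {1}, in store enumeration order:" -f $all.Count, $StorePath)
$all | Format-Table Subject, Issuer, Thumbprint, NotAfter -AutoSize

$fromCa = @(Get-CertsFromCa -Path $StorePath -CaName $CaCommonName)
if ($fromCa.Count -eq 0) {
    Write-Warning "No certificate in $StorePath was issued by CN=$CaCommonName."
    return
}
if ($fromCa.Count -gt 1) {
    Write-Warning ("{0} certificates from CN={1}; a client that takes the first match may not use the one you intend." -f $fromCa.Count, $CaCommonName)
}

# Per-certificate sanity checks a roadwarrior setup depends on.
$now = Get-Date
foreach ($cert in $fromCa) {
    $problems = @()
    if (-not $cert.HasPrivateKey) { $problems += 'no private key' }
    if ($cert.NotAfter -lt $now)  { $problems += 'expired' }
    if ($cert.NotBefore -gt $now) { $problems += 'not yet valid' }
    $status = if ($problems) { $problems -join ', ' } else { 'ok' }
    Write-Host ("{0}  {1}  [{2}]" -f $cert.Thumbprint, $cert.Subject, $status)
}
```

If more than one certificate from the CA is listed, move the unwanted ones to another store (or export and delete them) so the one you want is the only match; the warning about "first match" is exactly the failure mode the reply describes for L2TP over IPsec.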

