[Openswan Users] Openswan 1.0.3 and Win2k or WinXP with X.509
Trevor Benson
tbenson at a-1networks.com
Thu May 13 09:37:14 CEST 2004
> -----Original Message-----
> From: users-bounces at lists.openswan.org [mailto:users-bounces at lists.openswan.org] On Behalf Of Nate Carlson
> Sent: Thursday, May 13, 2004 8:23 AM
> To: users at lists.openswan.org
> Subject: Re: [Openswan Users] Openswan 1.0.3 and Win2k or WinXP with X.509
>
> On Thu, 13 May 2004, Trevor Benson wrote:
> > Does anyone have multiple Openswan vpn systems with x.509 being used
> > from Microsoft roadwarriors? I assume that the cert for each tunnel is
> > negotiated from the list of personal certs based on the CA and host you
> > connect to? Or does anyone know of any issues with using multiple certs
> > on 2k or XP.
>
> Are you using ipsec.exe, or l2tp over ipsec?
>
> If ipsec.exe, the certificate to use is determined by the ca= entry --
> it'll grab a cert from your store that was signed by that CA, and present
> it to the remote side. Not sure what happens if you have multiple certs
> from that CA - never tried it.
>
> If l2tp over ipsec, Windows just seems to grab the first cert in your
> personal store, in my experience. It doesn't seem to work properly if
> you've got multiple certs, and the first one isn't the one you want to
> use. :( (If anyone's been able to get it to work with multiple certs,
> let me know!)

Well that's good and bad news. I will be using both soon. Since I will
need only one cert that is using MS vpn client, then that sounds not too
bad, as long as it stays the first cert, probably just installation
order? As long as that does then I should be able to use ipsec.exe and
the ca= entry.

Hmm, I have noticed quite a few extra spots where I had selection options
for things. I will do some testing and let you know, as preferably I
would like more than 1 MS VPN client to work at separate openswan sites.
I will keep you updated once I give it some more testing.

Trevor