[Openswan Users] Virtual interfaces and digital certificates

Paul Wouters paul at xtdnet.nl
Mon Apr 4 15:50:11 CEST 2005


On Mon, 4 Apr 2005, Hugo Mora wrote:

> - I am creating a web interface to manage ipsec connections. Virtual
> interfaces limit is set on IPSEC_NUM_IF (now is set to 4), defined on
> ipsec_param.h. If my "real" interfaces have some ip addresses,
> theoretically, users could create a lot of ipsec tunnels, but I don't
> know how to reuse
> ipsec0=eth0
> ipsec1=eth1
> ipsec2=eth0:0
> ipsec3=eth0:1
> ipsec4=eth0:2
> ipsec5=eth0:3 ..... And how much??

You could increase the number. Perhaps we should change the default to
16? Michael?

> Setting only "ipsec0=eth0 ipsec1=eth1" doesn't work? Where is my mistake?

Using this works:

interfaces="ipsec0=eth0 ipsec1=eth0:1 ipsec2=eth0:2 ipsec3=eth1"

> - Another question: Do I need the CA certificate on the "cacerts/" folder?
> I thought that *yes*, but if I delete it, the tunnel still connects...
> How are the certificates verified?

If you use an X.509 based CA setup, then yes you need it. If you delete the
cacerts/* file(s) and do not restart openswan, you might get lucky but at
some point things will start to fail. Unless you only use self-signed
certificates for both ends, explicitly loaded, without using a CA to sign
certificates.

Paul
