[Openswan Users] Many networks

Paul Wouters paul at xelerance.com
Wed Feb 9 21:45:47 CET 2005


On Wed, 9 Feb 2005, Thiago Lima  wrote:

> 	In my setup right now I have one certificate for each
> connection/firewall and all my users here (I have 4 technicians) use the
> same certificate. I believe that is wrong and I want to change this behavior.
> I want every technician to have his own certificate and I would like to
> revoke them if needed..

Just generate three more then.

> 	I could just put every certificate in openswan configuration but
> that seems difficult to maintain.

You do not need to. If you are using a rightid= for the current certificate,
just change it to use CN=*. But you can also leave out the rightid's if
you are just using one CA cert to sign all 5 of them (4 techs plus vpn server)

> 	Looking in the openswan site I've seen something about OCSP. Maybe
> that's what I'm looking for.

That is meant for much larger scale things.

> 	I'm using kerberos to authenticate those users in ssh. I'm looking
> for something like that for the ipsec connection.

You really mean kerberos tickets? Or do you mean user/password? If you really
want user/passwd, you need to use XAUTH/ModeConfig, but there is no need
for this.

Paul
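The per-technician setup discussed in this thread, as an added example that is neither part of the thread nor Openswan's own code: one CA signs a certificate per technician, the server's conn accepts any certificate from that CA with a wildcard rightid as the reply suggests, and a CRL is what lets one technician be revoked without touching the others. The working directory, DN values and user names (alice, bob) are constructed for the demo; the ipsec.conf keywords (crlcheckinterval, strictcrlpolicy, leftcert, rightca, rightid, %cert) are standard Openswan directives, and the /etc/ipsec.d/ paths are Openswan's usual layout.

```shell
#!/bin/sh
# Added example for the thread above (not Openswan code, not the poster's setup):
# one CA, one certificate per technician, revocation through a CRL.
# DN values, user names and the WORK directory are constructed for the demo.
set -e

WORK="${WORK:-$(mktemp -d)}"
ORG_DN="/C=BR/O=Example VPN"                 # constructed issuer prefix
CA_SUBJ="$ORG_DN/CN=Example VPN CA"

# Create a throwaway CA plus the index/serial files `openssl ca` needs, and an
# initial (empty) CRL so clients can be checked against a CRL from day one.
make_ca() {
  mkdir -p "$WORK/ca" "$WORK/certs" "$WORK/crls"
  (
    cd "$WORK/ca"
    touch index.txt; echo 1000 > serial; echo 1000 > crlnumber
    cat > openssl.cnf <<'EOF'
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = .
database = $dir/index.txt
new_certs_dir = $dir
serial = $dir/serial
crlnumber = $dir/crlnumber
default_md = sha256
default_days = 365
default_crl_days = 7
policy = demo_policy
[ demo_policy ]
countryName = optional
organizationName = optional
commonName = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
commonName = Common Name
EOF
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 365 \
      -config openssl.cnf -subj "$CA_SUBJ" -keyout ca.key -out ca.crt >/dev/null 2>&1
    openssl ca -batch -config openssl.cnf -cert ca.crt -keyfile ca.key \
      -gencrl -out "$WORK/crls/ca.crl" >/dev/null 2>&1
  )
}

# Issue a certificate whose CN is the technician's login. The private key stays
# with that one person, which is what makes per-user revocation meaningful.
issue_cert() {
  (
    cd "$WORK/ca"
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config openssl.cnf \
      -subj "$ORG_DN/CN=$1" -keyout "$WORK/certs/$1.key" \
      -out "$WORK/certs/$1.csr" >/dev/null 2>&1
    openssl ca -batch -config openssl.cnf -cert ca.crt -keyfile ca.key \
      -in "$WORK/certs/$1.csr" -out "$WORK/certs/$1.crt" >/dev/null 2>&1
  )
}

# Revoke one technician and publish a fresh CRL; the VPN server reads it from
# /etc/ipsec.d/crls/ (copy it there; crlcheckinterval controls the re-read).
revoke_cert() {
  (
    cd "$WORK/ca"
    openssl ca -batch -config openssl.cnf -cert ca.crt -keyfile ca.key \
      -revoke "$WORK/certs/$1.crt" >/dev/null 2>&1
    openssl ca -batch -config openssl.cnf -cert ca.crt -keyfile ca.key \
      -gencrl -out "$WORK/crls/ca.crl" >/dev/null 2>&1
  )
}

# Exit 0 if the certificate still chains to the CA and is absent from the CRL,
# non-zero otherwise: the same decision pluto makes with strictcrlpolicy=yes.
check_cert() {
  cat "$WORK/ca/ca.crt" "$WORK/crls/ca.crl" > "$WORK/ca-and-crl.pem"
  openssl verify -crl_check -CAfile "$WORK/ca-and-crl.pem" \
    "$WORK/certs/$1.crt" >/dev/null 2>&1
}

# Server-side conn: one conn for all technicians, matched by CA and wildcard
# CN as the reply suggests. Written to $WORK for inspection, not to /etc.
write_ipsec_conf() {
  cat > "$WORK/ipsec.conf" <<'EOF'
config setup
    # re-read /etc/ipsec.d/crls/ every 10 minutes, and reject a client
    # certificate when no CRL from its issuer is loaded
    crlcheckinterval=600
    strictcrlpolicy=yes

conn technicians
    left=%defaultroute
    # server certificate in /etc/ipsec.d/certs/, key in /etc/ipsec.d/private/
    leftcert=vpnserver.crt
    leftrsasigkey=%cert
    right=%any
    rightrsasigkey=%cert
    # CA certificate in /etc/ipsec.d/cacerts/; any technician it signed matches
    rightca="C=BR, O=Example VPN, CN=Example VPN CA"
    rightid="C=BR, O=Example VPN, CN=*"
    auto=add
EOF
}
```

Run make_ca once, issue_cert for each technician, and revoke_cert when someone leaves; check_cert shows what the server will decide after the new CRL is in place. With strictcrlpolicy=yes a missing or stale CRL blocks all technicians rather than letting a revoked one back in, so the CRL must be refreshed before default_crl_days runs out.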
