[Openswan Users] A working example of use of X.509 certificates, Linux -- Windows XP

Miguel Dilaj mdilaj at nccglobal.com
Thu Jun 16 10:44:55 CEST 2005

Paul Wouters wrote:

>> NOTE: certificates/CA created TODAY are rejected by Windows. If you 
>> create your certificate/CA today, use it tomorrow, otherwise change 
>> the time of the machine in which you're using openssl to generate the 
>> certificates/CA with yesterday's date. Annoying, isn't it?
> That is usually either the result of not using NTP on windows, or because
of dual boot windows/linux messing with the clock, or having the two
computers in a different timezone.

Mmmm... I'm not sure if it's my case, when I was testing earlier, some of
the certs were created using openssl on Cygwin in the same box where I
intend to import them, and I noticed that "problem" of certs valid from the
same day being rejected. I mentioned it just in case someone runs into a
similar problem.
The "final" certs were created in the same box, but as you suggested, on
Linux using dual booting (the time and timezone should be the same anyway).

>> I'm not sure if the line
>> 	interfaces="ipsec0=eth0"
>> is required, but it works...
> No. in fact when using netkey on linux 2.6, it is best left at

OK, but I've 2 interfaces on the VPN box.
I _guess_ that I should use:


where a.a.a.a is the IP address of the "external" interface where OpenSWAN
must listen. Please correct me if I'm wrong (because the system is up &
running now, and I don't want to disrupt anything! ;-)

> Thanks for your report, we seldon hear from people who manage to get
things working :)

It was my pleasure. I noticed what you mentioned, and this often causes a
lack of documentation on such setups. It'll be good if people with different
scenarios and a working configuration can do the same.



This e-mail contains proprietary information, some or all of which may be legally privileged.              
It is for the intended recipient only. If an addressing or transmission error has misdirected this e-mail, 
please notify the author by replying to this e-mail. If you are not the intended recipient you may not use,
disclose, distribute, copy, print or rely on this e-mail.                                                  

More information about the Users mailing list