[Openswan Users] how to check all CA certificates in /cacerts?

Andreas Steffen andreas.steffen at strongsec.net
Mon May 9 12:49:56 CEST 2005


Add  rightrsasigkey=%cert

Regards

Andreas

david wrote:
> Hi all,
> 
> I have 2 hosts:
> 
> ---------------hostA ipsec.conf--------------
> config setup
>          klipsdebug=none
>          plutodebug=all
> 
> conn %default
>          keyingtries=0
>          authby=rsasig
> 
> 
> conn testvpnda
>         left=195.212.109.202
>         leftcert=user01des.crt
>        right=%any
>         rightid="C=fr,ST=ile-de-france,L=paris,O=toto,
>                  CN=user02des,E=user02des at caramail.com"
>         auto=add
>  ----------------end--------------------
> 
> 
> ---------------hostB--------------------
> config setup
>          klipsdebug=none
>          plutodebug=all
> 
> conn %default
>          keyingtries=0
>          authby=rsasig
> 
> conn testvpnda
> 
>         left=195.212.109.203
>         leftcert=user02des.crt
>         right=195.212.109.202
>         rightid="C=fr,ST=ile-de-france,L=paris,O=toto,
>                  CN=user01des,E=user01des at caramail.com"
>         auto=add
> -------------------------end--------------
> 
> THIS CONFIGURATION WORKS.
> 
> Now, I want hostA to accept all certificates signed by the CA certificates
> present in openswan/cacerts without using the certificate's
> Distinguished Name or subjectAltNames.
> 
> I tried this:
> ---------------hostA ipsec.conf--------------
> config setup
>          klipsdebug=none
>          plutodebug=all
> 
> 
> conn %default
>          keyingtries=0
>          authby=rsasig
> 
> 
> conn testvpnda
>         left=195.212.109.202
>         leftcert=user01des.crt
>         right=%any
>         auto=add
>  ----------------end--------------------
> 
> But it does not work! When I run ipsec auto --status, I see
> that hostA is unaware of my testvpnda connection...
> 
> What is wrong in my hostA ipsec.conf? What do I have to do?
> 
> thanks !
> 
> david
> 

=======================================================================
Andreas Steffen                   e-mail: andreas.steffen at strongsec.com
strongSec GmbH                    home:   http://www.strongsec.com
Alter Zürichweg 20                phone:  +41 1 730 80 64
CH-8952 Schlieren (Switzerland)   fax:    +41 1 730 80 65
==========================================[strong internet security]===
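
Added example (not part of the original thread): hostA's failing connection from the question with the suggested `rightrsasigkey=%cert` line in place, next to a narrower variant. With `right=%any` and no `rightid`, any peer holding a certificate that chains to a CA in cacerts is accepted. The `rightca` issuer DN and the wildcard `rightid` in the second conn are assumptions for illustration, not values from the thread.

```conf
# hostA ipsec.conf: the conn from the question plus the suggested line.
# Use one of the two conns below, not both.
conn testvpnda
        left=195.212.109.202
        leftcert=user01des.crt
        right=%any
        # take the peer's RSA public key from the certificate it sends during IKE
        rightrsasigkey=%cert
        auto=add

# Narrower variant: still no per-user entry, but limited to one issuing CA
# and one subject DN pattern.
conn testvpnda-scoped
        left=195.212.109.202
        leftcert=user01des.crt
        right=%any
        rightrsasigkey=%cert
        # hypothetical issuer DN; replace with the subject of your CA certificate
        rightca="C=fr, O=toto, CN=EXAMPLE-CA"
        # '*' matches any value in that relative distinguished name
        rightid="C=fr, ST=ile-de-france, L=paris, O=toto, CN=*, E=*"
        auto=add
```

After reloading, `ipsec auto --status` on hostA should list the connection.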

