[Openswan Users] how to check all CA certificates in /cacerts ?

david ngc1976.m42 at caramail.com
Mon May 9 13:57:05 CEST 2005

> Add rightrsasigkey=%cert

Thanks for your help, Andreas,

I put rightrsasigkey=%cert in my ipsec.conf but it did not work,
so I tried rightcert=%cert and ... it works.
It has the same meaning, hasn't it?
> 
> Regards
> 
> Andreas
> 
> david wrote:
> > Hi all,
> > 
> > I have 2 hosts:
> > 
> > ---------------hostA ipsec.conf--------------
> > config setup
> >          klipsdebug=none
> >          plutodebug=all
> > 
> > conn %default
> >          keyingtries=0
> >          authby=rsasig
> > 
> > 
> > conn testvpnda
> >         left=195.212.109.202
> >         leftcert=user01des.crt
> >         right=%any
> >         rightid="C=fr,ST=ile-de-france,L=paris,O=toto,
> >                  CN=user02des,E=user02des at caramail.com"
> >         auto=add
> >  ----------------end--------------------
> > 
> > 
> > ---------------hostB--------------------
> > config setup
> >          klipsdebug=none
> >          plutodebug=all
> > 
> > conn %default
> >          keyingtries=0
> >          authby=rsasig
> > 
> > conn testvpnda
> >         left=195.212.109.203
> >         leftcert=user02des.crt
> >         right=195.212.109.202
> >         rightid="C=fr,ST=ile-de-france,L=paris,O=toto,
> >                  CN=user01des,E=user01des at caramail.com"
> >         auto=add
> > -------------------------end--------------
> > 
> > THIS CONFIGURATION WORKS.
> > 
> > Now, I want hostA to accept all certificates signed by the CA certificates
> > present in openswan/cacerts without using the certificate's
> > Distinguished Name or subjectAltNames.
> > 
> > I try this:
> > ---------------hostA ipsec.conf--------------
> > config setup
> >          klipsdebug=none
> >          plutodebug=all
> > 
> > 
> > conn %default
> >          keyingtries=0
> >          authby=rsasig
> > 
> > 
> > conn testvpnda
> >         left=195.212.109.202
> >         leftcert=user01des.crt
> >         right=%any
> >         auto=add
> >  ----------------end--------------------
> > 
> > But it does not work! When I run ipsec auto --status, I see
> > that hostA is unaware of my testvpnda connection...
> > 
> > What is wrong in my hostA ipsec.conf? What do I have to do?
> > 
> > thanks !
> > 
> > david
> > 
> =======================================================================
> Andreas Steffen                   e-mail: andreas.steffen at strongsec.com
> strongSec GmbH                    home:   http://www.strongsec.com
> Alter Zürichweg 20                phone:  +41 1 730 80 64
> CH-8952 Schlieren (Switzerland)   fax:    +41 1 730 80 65
> ==========================================[strong internet security]===
