[Openswan Users] multiple root CA
Andreas Steffen
andreas.steffen at strongsec.net
Tue Oct 4 20:51:19 CEST 2005
Jorge Daniel Sequeira Matias wrote:
> On Monday 03 October 2005 17:56, Laurent Jouannic wrote:
>
>>Hi to the forum,
>>
>>Well, I'm still using freeswan with the x509 patch and I send my question to
>>this forum, because the freeswan one is obsolete.
>>
>>My problem is the following:
>>
>>My root CA will soon be obsolete and I want to know if it's possible to use
>>multiple (in fact 2) root CAs in /etc/ipsec.d/cacerts/ during a certain
>>time (needed for the transition).
>>
>>Is it possible?
>
> I have tested that setup with openswan a few days ago and it works!
>
> But, for example, if you want to renew a SubCA, from the same root CA, that
> certifies your users' certificates, it doesn't work. I have tested this setup
> too because my VPN Server certificate is signed by a SubCA. This SubCA is
> going to expire. I had to create a new SubCA of the same RootCA.
> In this case, as the users' and VPN Server certificates are all "sons" of the
> RootCA, Openswan doesn't know how to select the right VPN Server certificate to
> send to the user.
On the VPN server side define two roadwarrior connections: one with

    leftcert=<old server certificate>

and one with

    leftcert=<new server certificate>

On the user side just set the parameter

    rightca=%same

which will generate a certificate request for the same CA.
The VPN server will then select the matching connection definition
and send the correct server certificate.
> I see only one solution for the second scenario problem: Install a second
> VPN Server with a new IP address.
>
> Does anyone know if it is possible to install 2 openswans on the same machine, each
> one listening on a different IP address? This could solve my problem.
> My setup is kernel v2.6.11 with a CVS version obtained one or two weeks
> after openswan 2.3.1 was released (with some bug fixes).
>
> Best Regards,
> Jorge Matias
>
> System Administrator at
> Technical University of Lisbon
> Instituto Superior Técnico
> Centro de Informática
Regards
Andreas
=======================================================================
Andreas Steffen e-mail: andreas.steffen at strongsec.com
strongSec GmbH home: http://www.strongsec.com
Alter Zürichweg 20 phone: +41 1 730 80 64
CH-8952 Schlieren (Switzerland) fax: +41 1 730 80 65
==========================================[strong internet security]===
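The two-connection layout described in the reply above, written out as ipsec.conf fragments for the server and for one roadwarrior. This is an added example, not configuration posted in the thread; the certificate file names, the server address 192.0.2.1 and the subnet 10.0.0.0/24 are assumptions.

```ini
# /etc/ipsec.conf on the VPN server (added example; certificate file
# names, 192.0.2.1 and 10.0.0.0/24 are assumptions). Both server
# certificates are issued by sub-CAs of one root CA. The root CA and
# both sub-CA certificates sit in /etc/ipsec.d/cacerts/, the server
# certificates in /etc/ipsec.d/certs/.
config setup
        interfaces=%defaultroute

# Settings shared by every conn, so the two roadwarrior definitions
# differ only in the server certificate they present.
conn %default
        authby=rsasig
        leftrsasigkey=%cert
        rightrsasigkey=%cert
        left=192.0.2.1
        leftsubnet=10.0.0.0/24
        right=%any
        auto=add

# Server certificate issued by the expiring sub-CA
conn rw-oldca
        leftcert=vpnserver-oldsubca.pem

# Server certificate issued by the replacement sub-CA
conn rw-newca
        leftcert=vpnserver-newsubca.pem

# --- /etc/ipsec.conf on a roadwarrior (separate host) -----------------
# rightca=%same makes the client request a server certificate from the
# CA that issued its own certificate (user.pem). The server then picks
# the conn whose leftcert was issued by that sub-CA, so clients holding
# old-sub-CA and new-sub-CA certificates can coexist during the switch.
conn vpn
        authby=rsasig
        leftrsasigkey=%cert
        rightrsasigkey=%cert
        left=%defaultroute
        leftcert=user.pem
        right=192.0.2.1
        rightsubnet=10.0.0.0/24
        rightca=%same
        auto=add
```

Once every client certificate has been reissued under the new sub-CA, the rw-oldca conn and the old sub-CA certificate can be removed from the server.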