[Openswan Users] x509 question...

Andreas Steffen andreas.steffen at strongsec.net
Sat Oct 8 14:11:17 CEST 2005


Hi,

The private keys in ipsec.secrets are primarily selected
on the basis of the public key or certificate defined for the
connection in ipsec.secrets.

Thus, if you define three connections in ipsec.conf

conn vpn1
      ..
      leftcert=myCert1.pem

conn vpn2
      ..
      leftcert=myCert2.pem

conn vpn3
      ...
      leftrsasigkey=0sRz8e...

then ipsec.secrets has the following entries:

: RSA {
     ...
     }

: RSA myKey1.pem

: RSA myKey2.pem

With certificates and the leftcert statement you can have
multiple anonymous entries (i.e. : RSA ... without any IDs)
in ipsec.secrets, whereas with raw RSA keys you can have only
one. If you mix raw RSA keys and certificates then the raw key
entry in ipsec.secrets should precede the PKCS#1 file entries.

Regards

Andreas

Drees Stefan wrote:
> Hello,
> Is it possible to set a connection ID in ipsec.secrets with certificates?
>  
> I mean
> <id local> <id remote> : RSA zert.pem <passphrase>
> I already tried with an IP address, but it seems to be ignored.
>  
> I need this because i have other connections, which are using:
> : RSA {
>     <KEY>
> }
> and I can't switch them to use certificates.
>  
> Thanks in advance.
>  
> Computer & Communication GmbH
> Gewerbepark 16
> 59069 Hamm
>  
> Tel.: +49 2385 922040
> Fax.: +49 2385 9220400
>  
> _______________________________________________
> Users mailing list
> Users at openswan.org
> http://lists.openswan.org/mailman/listinfo/users


-- 
=======================================================================
Andreas Steffen                   e-mail: andreas.steffen at strongsec.com
strongSec GmbH                    home:   http://www.strongsec.com
Alter Zürichweg 20                phone:  +41 1 730 80 64
CH-8952 Schlieren (Switzerland)   fax:    +41 1 730 80 65
==========================================[strong internet security]===
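The two rules in Andreas's reply (only one anonymous raw `: RSA { ... }` key is usable, and it must come before the anonymous `: RSA file.pem` entries) are easy to get wrong by hand, so here is a small lint that checks an ipsec.secrets file for them. This is an added example, not Openswan's own parser: it handles a simplified subset of the ipsec.secrets grammar (one entry per line, except that a raw key's `{ ... }` block may span lines; selector IDs are assumed not to contain a colon, and a `#` inside a quoted passphrase is treated as a comment). The two sample files below are constructed for the example.

```python
"""Lint an ipsec.secrets file for the ordering rules discussed above.

Added example, not Openswan code. Simplified grammar (assumption):
  [id ...] : KIND { ... }        raw key, brace block may span lines
  [id ...] : KIND file.pem [pw]  PKCS#1 file entry (or PSK secret)
"""
import re
from dataclasses import dataclass, field


@dataclass
class Secret:
    line: int                       # 1-based line where the entry starts
    ids: list = field(default_factory=list)  # selector IDs, [] = anonymous
    kind: str = ""                  # "RSA", "PSK", ...
    raw: bool = False               # True for an inline `{ ... }` key block
    arg: str = ""                   # file name for PKCS#1 entries, "" for raw keys


# "<optional ids> : <KIND> <rest>"; IDs are assumed to contain no ':'
ENTRY_RE = re.compile(r'^\s*(?P<ids>[^:]*?)\s*:\s*(?P<kind>[A-Za-z0-9]+)\s*(?P<rest>.*)$')


def parse_secrets(text):
    """Return a list of Secret entries in file order."""
    entries = []
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        stripped = lines[i].split('#', 1)[0].strip()  # drop comments (simplification)
        if not stripped:
            i += 1
            continue
        m = ENTRY_RE.match(stripped)
        if not m:
            raise ValueError(f"line {i + 1}: cannot parse {lines[i]!r}")
        start = i + 1
        ids = m.group('ids').split()
        kind = m.group('kind').upper()
        rest = m.group('rest').strip()
        if rest.startswith('{'):
            # raw key: consume lines until the braces balance
            depth = rest.count('{') - rest.count('}')
            while depth > 0:
                i += 1
                if i >= len(lines):
                    raise ValueError(f"line {start}: unterminated '{{' block")
                depth += lines[i].count('{') - lines[i].count('}')
            entries.append(Secret(start, ids, kind, True, ""))
        else:
            # file entry (or PSK): first token is the file name / secret
            arg = rest.split()[0].strip('"') if rest else ""
            entries.append(Secret(start, ids, kind, False, arg))
        i += 1
    return entries


def lint_secrets(entries):
    """Return a list of problem strings; empty means the file follows the rules."""
    problems = []
    anon_raw = [e for e in entries if e.kind == 'RSA' and e.raw and not e.ids]
    anon_file = [e for e in entries if e.kind == 'RSA' and not e.raw and not e.ids]
    if len(anon_raw) > 1:
        where = ', '.join(str(e.line) for e in anon_raw)
        problems.append(f"{len(anon_raw)} anonymous raw RSA keys (lines {where}); only one is usable")
    if anon_file:
        first_file = anon_file[0]
        for e in anon_raw:
            if e.line > first_file.line:
                problems.append(f"raw RSA key at line {e.line} comes after PKCS#1 entry "
                                f"at line {first_file.line}; move the raw key first")
    return problems


# Constructed sample: the layout from the reply above (raw key first, then files).
GOOD = """\
# constructed ipsec.secrets sample
: RSA {
    # constructed placeholder values, not a real key
    Modulus: 0xc0ffee
    PublicExponent: 0x03
    }
: RSA myKey1.pem
: RSA myKey2.pem "passphrase"
"""

# Constructed sample violating both rules: two raw keys, both after a file entry.
BAD = """\
: RSA myKey1.pem
: RSA {
    Modulus: 0xc0ffee
    }
: RSA {
    Modulus: 0xdeadbeef
    }
10.0.0.1 10.0.0.2 : PSK "constructed-psk"
"""

if __name__ == "__main__":
    for name, text in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, lint_secrets(parse_secrets(text)) or "ok")
```

Run it against your own ipsec.secrets by passing the file contents to `parse_secrets`; a non-empty result from `lint_secrets` points at the raw-key entry that needs to move above the PKCS#1 file entries.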