Re: [Openswan Users] x509 question...

Drees Stefan s_drees at c-c.de
Mon Oct 10 09:48:28 CEST 2005


Hi,
and thanks for your answer.
I tried the opposite, first certificates and then raw RSA,
and got many errors (many log messages about connection rebuild).
I will try it in the next few days.

Thanks for your help.

Stefan Drees

-----Original Message-----
From: Andreas Steffen [mailto:andreas.steffen at strongsec.net]
Sent: Saturday, 8 October 2005 13:11
To: Drees Stefan
Cc: users at openswan.org
Subject: Re: [Openswan Users] x509 question...

Hi,

The private keys in ipsec.secrets are primarily selected on the basis of the public key or certificate defined for the connection in ipsec.secrets.

Thus, if you define three connections in ipsec.conf

conn vpn1
      ..
      leftcert=myCert1.pem

conn vpn2
      ..
      leftcert=myCert2.pem

conn vpn3
      ...
      leftrsasigkey=0sRz8e...

then ipsec.secrets has the following entries:

: RSA {
     ...
     }

: RSA myKey1.pem

: RSA myKey2.pem

With certificates and the leftcert statement you can have multiple anonymous entries (i.e. : RSA ... without any IDs) in ipsec.secrets, whereas with raw RSA keys you can have only one. If you mix raw RSA keys and certificates, then the raw key entry in ipsec.secrets should precede the PKCS#1 file entries.

Regards

Andreas

Drees Stefan wrote:
> Hello,
> is it possible to set a connection ID in ipsec.secrets with certificates?
>  
> I mean
> <id local> <id remote> : RSA zert.pem <passphrase>
> I already tried with an IP address, but it seems to be ignored.
>  
> I need this because I have other connections, which are using:
> : RSA {
>     <KEY>
> }
> and I can't switch them to use certificates.
>  
> Thanks in advance.
>  
> Computer & Communication GmbH
> Gewerbepark 16
> 59069 Hamm
>  
> Tel.: +49 2385 922040
> Fax.: +49 2385 9220400
>  


--
=======================================================================
Andreas Steffen                   e-mail: andreas.steffen at strongsec.com
strongSec GmbH                    home:   http://www.strongsec.com
Alter Zürichweg 20                phone:  +41 1 730 80 64
CH-8952 Schlieren (Switzerland)   fax:    +41 1 730 80 65
==========================================[strong internet security]===
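
The two ipsec.secrets rules given in the reply above (at most one anonymous raw RSA entry, and raw key entries placed before PKCS#1 file entries) can be checked mechanically. The following is an added example, not part of the original thread and not Openswan code; the function names and sample file contents are hypothetical, and it parses only the entry forms shown in this thread.

```python
# Added example (not from the thread): lint RSA entries of an ipsec.secrets
# text against the rules in the reply. Names and samples are constructed.
GOOD = """\
: RSA {
    Modulus: 0x00
    }
: RSA myKey1.pem
: RSA myKey2.pem
"""
BAD = """\
: RSA myKey1.pem
: RSA {
    Modulus: 0x00
    }
: RSA myKey2.pem
"""

def parse_rsa_entries(text):
    """Return (line_no, ids, kind) per RSA entry; kind is 'raw' or 'file'."""
    entries, in_block = [], False
    for no, line in enumerate(text.splitlines(), 1):
        code = line.split("#", 1)[0]          # drop comments
        if in_block:                          # inside a raw key { ... } body
            in_block = "}" not in code
            continue
        tokens = code.split()
        if ":" not in tokens:
            continue
        sep = tokens.index(":")
        ids, rest = tuple(tokens[:sep]), tokens[sep + 1:]
        if len(rest) < 2 or rest[0].upper() != "RSA":
            continue                          # PSK etc. are out of scope
        kind = "raw" if rest[1].startswith("{") else "file"
        in_block = kind == "raw" and "}" not in code
        entries.append((no, ids, kind))
    return entries

def check_order(entries):
    """Apply the two rules from the reply; return a list of findings."""
    findings = []
    anon_raw = [no for no, ids, kind in entries if kind == "raw" and not ids]
    if len(anon_raw) > 1:
        findings.append(f"lines {anon_raw}: more than one anonymous raw RSA entry")
    first_file = next((no for no, _, k in entries if k == "file"), None)
    for no, _, kind in entries:
        if kind == "raw" and first_file is not None and no > first_file:
            findings.append(f"line {no}: raw RSA entry after file entry on line {first_file}")
    return findings

print(check_order(parse_rsa_entries(BAD)))
```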


