[Openswan Users] Accepting any certificate signed by same authority
Christian Brechbühler
brechbuehler at gmail.com
Fri Feb 24 13:48:03 CET 2006
Openswan client "lithium" initiates road warrior style connection with
Openswan VPN gateway "vpn". Is there a configuration that doesn't
need the gateway's certificate on every client?
I have the following, which works:
version 2.0 # conforms to second version of ipsec.conf specification

config setup
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!10.0.0.0/24
        interfaces=%defaultroute

conn %default
        keyingtries=1
        compress=yes
        authby=rsasig
        leftrsasigkey=%cert
        rightrsasigkey=%cert
        rightca=%same

conn home
        rightcert=vpn.pem
        right=6.6.6.6
        rightsubnet=10.0.0.0/24
        left=%defaultroute
        leftcert=lithium.pem
        auto=add

include /etc/ipsec.d/examples/no_oe.conf
It doesn't seem right that every client would need the gateway's
certificate, vpn.pem. After all, the gateway doesn't have anyone's
cert; it just specifies left=%any and leftca=%same (I know right is
more customary). When I omit rightcert, running 'ipsec auto --verbose
--up home' gives this error:
003 "home" #158: we require peer to have ID '6.6.6.6', but peer
declares 'C=US, ST=Massachusetts, L=Boston, O=E, CN=vpn,
E=brechbuehler at gmail.com'
Is there a way not to require peer to have a specific ID? I tried
many things, but cannot get the symmetry I'd expect.
Thanks in advance for any help, or pointer to relevant man page.
Christian