[Openswan Users] Accepting any certificate signed by same authority

Christian Brechbühler brechbuehler at gmail.com
Fri Feb 24 13:48:03 CET 2006


Openswan client "lithium" initiates road warrior style connection with
Openswan VPN gateway "vpn".  Is there a configuration that doesn't
need the gateway's certificate on every client?
I have the following, which works:

    version     2.0     # conforms to second version of ipsec.conf specification

    config setup
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!10.0.0.0/24
        interfaces=%defaultroute

    conn %default
        keyingtries=1
        compress=yes
        authby=rsasig
        leftrsasigkey=%cert
        rightrsasigkey=%cert
        rightca=%same

    conn home
        rightcert=vpn.pem
        right=6.6.6.6
        rightsubnet=10.0.0.0/24
        left=%defaultroute
        leftcert=lithium.pem
        auto=add

    include /etc/ipsec.d/examples/no_oe.conf

It doesn't seem right that every client would need the gateway's
certificate, vpn.pem.  After all, the gateway doesn't have anyone's
cert; it just specifies left=%any and leftca=%same (I know right is
more customary).  When I omit rightcert, running 'ipsec auto --verbose
--up home' gives this error:

    003 "home" #158: we require peer to have ID '6.6.6.6', but peer
declares 'C=US, ST=Massachusetts, L=Boston, O=E, CN=vpn,
E=brechbuehler at gmail.com'

Is there a way not to require peer to have a specific ID?  I tried
many things, but cannot get the symmetry I'd expect.

Thanks in advance for any help, or pointer to relevant man page.

Christian
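An added example, not part of the original post and not Openswan project code: the client-side ipsec.conf rewritten so that the gateway's certificate is no longer installed on the client. rightcert=vpn.pem is dropped and the gateway is instead authenticated by its issuing CA (rightca=%same, already in the posted config) plus its subject DN given as rightid. Assumptions, also marked in the comments: the CA certificate is installed under /etc/ipsec.d/cacerts/ on the client, and the DN string is copied from pluto's own "peer declares" log line in the post (the mail archive rendered the e-mail address with " at ", so the literal line from the local log is what should be pasted).

```ini
# Added example (not from the original post): ipsec.conf on the road
# warrior "lithium", without a copy of the gateway certificate.
#
# Why the posted config fails without rightcert: with authby=rsasig and
# %cert, Openswan derives the expected peer ID from right=6.6.6.6 unless
# rightid is set.  The gateway's certificate carries a DN, not that IP,
# so pluto refuses with "we require peer to have ID '6.6.6.6'".  Setting
# rightid to the DN makes the ID check agree with what the cert asserts.
#
# Assumption: the CA that issued both lithium.pem and the gateway cert is
# present as a file in /etc/ipsec.d/cacerts/ on this host.  Openswan loads
# every CA certificate from that directory; that is what lets rightca=%same
# be checked without holding the gateway's own certificate.

version 2.0

config setup
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!10.0.0.0/24
    interfaces=%defaultroute

conn %default
    keyingtries=1
    compress=yes
    authby=rsasig
    leftrsasigkey=%cert
    rightrsasigkey=%cert
    # The peer's certificate must chain to the same CA as our own.
    rightca=%same

conn home
    right=6.6.6.6
    # Identity the gateway must prove; matched against the subject DN of
    # the certificate it presents.  Copy the string from pluto's "peer
    # declares" log line so the field order and the "E=" spelling match
    # Openswan's DN formatting (openssl prints DNs in a different style).
    # The " at " below is the mail archive's rewriting of "@"; use the
    # exact line from your own /var/log output.
    rightid="C=US, ST=Massachusetts, L=Boston, O=E, CN=vpn, E=brechbuehler at gmail.com"
    rightsubnet=10.0.0.0/24
    left=%defaultroute
    leftcert=lithium.pem
    auto=add

include /etc/ipsec.d/examples/no_oe.conf
```

What this trades away: with rightcert pinned, the client accepts exactly one key. With rightca=%same plus a DN, it accepts any certificate the CA ever issues with that subject, so the CA's issuance discipline becomes part of the gateway's authentication. Keep rightid as specific as the log line shows; Openswan's X.509 matching also accepts wildcard DN components (for example CN=*), which widens trust to every certificate from the CA and should not be used for a gateway identity. Bring the tunnel up with the command already in the post, 'ipsec auto --verbose --up home', and confirm that the "we require peer to have ID" line is gone.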

