[Openswan Users] Accepting any certificate signed by same authority
Paul Wouters
paul at xelerance.com
Fri Feb 24 20:45:54 CET 2006
On Fri, 24 Feb 2006, Christian Brechbühler wrote:
> Openswan client "lithium" initiates road warrior style connection with
> Openswan VPN gateway "vpn". Is there a configuration that doesn't
> need the gateway's certificate on every client?
You never need the gateway's certificate on other client machines when using
a setup with a Certificate Authority (CA).
You only need the CA certificate on all client machines.
> conn home
>     rightcert=vpn.pem
>     right=6.6.6.6
>     rightsubnet=10.0.0.0/24
>     left=%defaultroute
>     leftcert=lithium.pem
>     auto=add
This connection is now bypassing the CA cert chain of trust completely.
Openswan implicitly trusts all certificates you load through a cert=
command. You should be able to leave out the rightcert= line and depend
on the CA cert (and similarly on the other end).
Paul
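As an added example (not part of Paul's message), the client-side conn from the question rewritten the way his reply suggests: rightcert= is dropped and the gateway's certificate, sent during IKE, is verified against the CA certificate placed in /etc/ipsec.d/cacerts/. It goes one step beyond the reply by pinning the gateway identity with rightid= and rightca=, so that a different certificate issued by the same CA is not accepted as the gateway; the DN values are assumed placeholders.

```ini
# /etc/ipsec.conf on the road-warrior client "lithium" (added example).
# Only the CA certificate is needed here, in /etc/ipsec.d/cacerts/;
# the gateway's own certificate is no longer copied to the client.
conn home
    # our side: present the client's own certificate and use its key
    left=%defaultroute
    leftcert=lithium.pem
    leftrsasigkey=%cert
    # peer side: no rightcert= line; the gateway sends its certificate
    # in IKE and it must chain to a CA found in /etc/ipsec.d/cacerts/
    right=6.6.6.6
    rightsubnet=10.0.0.0/24
    rightrsasigkey=%cert
    # pin the expected gateway identity to the subject DN of its
    # certificate (placeholder DN), so another certificate from the
    # same CA cannot pose as the gateway
    rightid="C=XX, O=Example Org, CN=vpn"
    # additionally require that the gateway certificate is issued by
    # the same CA that issued our own client certificate
    rightca=%same
    auto=add
```

The same idea applies on the gateway: replace leftcert=lithium.pem for each client with a CA-based match (rightca= and an appropriate rightid=) rather than loading every client certificate by hand.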