[Openswan Users] Accepting any certificate signed by same authority

Paul Wouters paul at xelerance.com
Fri Feb 24 20:45:54 CET 2006


On Fri, 24 Feb 2006, Christian Brechbühler wrote:

> Openswan client "lithium" initiates road warrior style connection with
> Openswan VPN gateway "vpn".  Is there a configuration that doesn't
> need the gateway's certificate on every client?

You never need the gateway's certificate on other client machines when using
a setup with a Certificate Authority (CA).
You only need the CA certificate on all client machines.

>     conn home
>         rightcert=vpn.pem
>         right=6.6.6.6
>         rightsubnet=10.0.0.0/24
>         left=%defaultroute
>         leftcert=lithium.pem
>         auto=add

This connection is now bypassing the CA cert chain of trust completely.
Openswan implicitly trusts all certificates you load through a cert=
command. You should be able to leave out the rightcert= line and depend
on the CA cert (and similarly on the other end).

Paul
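As an added illustration of the point above (not configuration from the thread or from the Openswan project), here is the posted road-warrior conn beside a CA-based variant. The CA cert location, the gateway's subject DN, the rightca=%same idiom and the conn names are assumptions about a typical Openswan 2.x setup and must be adjusted to the real certificates:

```ini
# Added example, not from the mailing-list post. Assumes Openswan 2.x with the
# CA certificate in /etc/ipsec.d/cacerts/, the client cert/key in
# /etc/ipsec.d/certs/ and /etc/ipsec.d/private/, and a gateway certificate
# whose subject DN is "C=CH, O=Example, CN=vpn" (all assumed values).

# --- As posted: rightcert= makes lithium trust vpn.pem outright, with no
# --- CA chain check, and vpn.pem must be copied to every client.
conn home-pinned
    left=%defaultroute
    leftcert=lithium.pem
    right=6.6.6.6
    rightcert=vpn.pem
    rightsubnet=10.0.0.0/24
    auto=add

# --- CA-based: only the CA certificate lives on the client. The gateway
# --- sends its own certificate during IKE and it is validated against that
# --- CA, so nothing gateway-specific has to be distributed. rightid= pins the
# --- accepted subject DN, so that not every certificate issued by the same
# --- CA can pose as the gateway; rightca=%same (assumed) requires the peer
# --- certificate to chain to the same CA that issued the local certificate.
conn home
    authby=rsasig
    left=%defaultroute
    leftcert=lithium.pem
    leftrsasigkey=%cert
    right=6.6.6.6
    rightid="C=CH, O=Example, CN=vpn"
    rightrsasigkey=%cert
    rightca=%same
    rightsubnet=10.0.0.0/24
    auto=add
```

The gateway side mirrors this: its own conn carries leftcert=vpn.pem, drops any leftcert/rightcert reference to the client certificates, and relies on the CA certificate (plus a rightid= or rightca= restriction if only some of the CA's holders should be allowed in).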

