[Openswan Users] Accepting any certificate signed by same authority
Christian Brechbühler
brechbuehler at gmail.com
Fri Feb 24 15:01:45 CET 2006
On 2/24/06, Paul Wouters <paul at xelerance.com> wrote:
> On Fri, 24 Feb 2006, Christian Brechbühler wrote:
>
> > Openswan client "lithium" initiates road warrior style connection with
> > Openswan VPN gateway "vpn". Is there a configuration that doesn't
> > need the gateway's certificate on every client?
>
> You never need the gateway's certificate on other client machines when using
> a setup with a Certificate Authority (CA).
> You only need the CA certificate on all client machines.
>
> > conn home
> > rightcert=vpn.pem
> > right=6.6.6.6
> > rightsubnet=10.0.0.0/24
> > left=%defaultroute
> > leftcert=lithium.pem
> > auto=add
>
> This connection is now bypassing the CA cert chain of trust completely.
> Openswan implicitly trusts all certificates you load through a cert=
> command. You should be able to leave out the rightcert= line and depend
> on the CA cert (and similarly on the other end)
>
> Paul
Hi Paul,
thanks for the help! I agree with everything you say *should* work.
And on the other end (right=vpn) it does indeed work.
However when I leave out "rightcert=vpn.pem" the client (left=lithium)
will no longer connect to the gateway (right=vpn). It says that "we
require peer to have ID '6.6.6.6'". How can I NOT require that?
Do I have a configuration mistake?
Or do I need to upgrade? I'm running openswan 2.4.4 on kernel 2.6.9-1.11_FC2.
Thanks again
Christian
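Added example, not part of the thread and not Openswan project documentation: a client-side ipsec.conf that keeps the CA-only trust model Paul describes while still satisfying the ID check Christian hits. With rightcert= removed and no rightid=, Openswan falls back to the right= address as the identity it expects the peer to present, which is what "we require peer to have ID '6.6.6.6'" reports. Setting rightid= to the subject DN of the gateway's certificate (or having the gateway cert carry a subjectAltName of IP:6.6.6.6) lets the ID match while trust still comes from the CA. The file paths, DN strings and CA name below are assumptions for illustration.

```ini
# /etc/ipsec.conf on the road-warrior client "lithium" (added example, not from the thread)
# Assumptions: the CA certificate sits in /etc/ipsec.d/cacerts/, the gateway cert's
# subject DN is "C=CH, O=Example, CN=vpn.example.com", lithium.pem is the client cert.
config setup
        nat_traversal=yes

conn home
        # Peer side: identify the gateway by its certificate subject, not its address.
        # Without rightid=, the expected peer ID defaults to right= (6.6.6.6).
        right=6.6.6.6
        rightid="C=CH, O=Example, CN=vpn.example.com"
        rightsubnet=10.0.0.0/24
        # Accept any peer certificate that chains to this CA (DN of the CA cert).
        rightca="C=CH, O=Example, CN=Example CA"
        rightrsasigkey=%cert
        # Local side
        left=%defaultroute
        leftcert=lithium.pem
        leftrsasigkey=%cert
        leftsendcert=always
        authby=rsasig
        auto=add
```

Check the exact DN to put in rightid= with `openssl x509 -in vpn.pem -noout -subject` on the gateway; the string must match the certificate subject field for field. The same pattern on the gateway side (leftid= with the gateway DN, rightca= for the clients, no rightcert=) is what lets one gateway accept every client certificate signed by the same CA without listing each client cert.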