[Openswan Users] Accepting any certificate signed by same authority

Christian Brechbühler brechbuehler at gmail.com
Fri Feb 24 15:01:45 CET 2006


On 2/24/06, Paul Wouters <paul at xelerance.com> wrote:
> On Fri, 24 Feb 2006, Christian Brechbühler wrote:
>
> > Openswan client "lithium" initiates road warrior style connection with
> > Openswan VPN gateway "vpn".  Is there a configuration that doesn't
> > need the gateway's certificate on every client?
>
> You never need the gateway's certificate on other client machines when using
> a setup with a Certificate Authority (CA).
> You only need the CA certificate on all client machines.
>
> >     conn home
> >         rightcert=vpn.pem
> >         right=6.6.6.6
> >         rightsubnet=10.0.0.0/24
> >         left=%defaultroute
> >         leftcert=lithium.pem
> >         auto=add
>
> This connection is now bypassing the CA cert chain of trust completely.
> Openswan implicitly trusts all certificates you load through a cert=
> command. You should be able to leave out the rightcert= line and depend
> on the CA cert (and similarly on the other end).
>
> Paul

Hi Paul,

thanks for the help!  I agree with everything you say *should* work.
And on the other end (right=vpn) it does indeed work.

However when I leave out "rightcert=vpn.pem" the client (left=lithium)
will no longer connect to the gateway (right=vpn).  It says that "we
require peer to have ID '6.6.6.6'".  How can I NOT require that?

Do I have a configuration mistake?
Or do I need to upgrade?  I'm running openswan 2.4.4 on kernel 2.6.9-1.11_FC2.

Thanks again
Christian