[Openswan Users] Accepting any certificate signed by same
authority
Christian Brechbühler
brechbuehler at gmail.com
Tue Feb 28 21:09:30 CET 2006
On 2/24/06, Andy <fs at globalnetit.com> wrote:
>
> On Fri, 2006-02-24 at 15:01 -0500, Christian Brechbühler wrote:
>
> > However when I leave out "rightcert=vpn.pem" the client (left=lithium)
> > will no longer connect to the gateway (right=vpn). It says that "we
> > require peer to have ID '6.6.6.6'". How can I NOT require that?
> >
> Use "rightid", not rightcert. Set the ID to match what the other end
> sends - looking back at your earlier message that will be
>
> rightid="C=US, ST=Massachusetts, L=Boston, O=E, CN=vpn, E=
> brechbuehler at gmail.com"
Andy's mail sent me off in the right direction. I had tried that, but "O=E"
is actually "O=EventMonitor, Inc.". And having that comma there caused an
error (invalid OID), even with slash separators. I created a new server
certificate, got various errors (pluto Abort / Assertion failed / no
suitable connection), updated ipsec.secrets and the iptables rules. Now it
works!
If I read http://www.strongsec.com/freeswan/install.txt right, the initiator
MUST specify the id of the peer, only the responder can use a wildcard like
%any.
Thanks to Andy and Paul for their help!
Christian
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.openswan.org/pipermail/users/attachments/20060228/35a3c3aa/attachment.htm
More information about the Users
mailing list