[Openswan Users] Accepting any certificate signed by same authority

Christian Brechbühler brechbuehler at gmail.com
Tue Feb 28 21:09:30 CET 2006


On 2/24/06, Andy <fs at globalnetit.com> wrote:
>
> On Fri, 2006-02-24 at 15:01 -0500, Christian Brechbühler wrote:
>
> > However when I leave out "rightcert=vpn.pem" the client (left=lithium)
> > will no longer connect to the gateway (right=vpn).  It says that "we
> > require peer to have ID '6.6.6.6'".  How can I NOT require that?
> >
> Use "rightid", not rightcert. Set the ID to match what the other end
> sends - looking back at your earlier message that will be
>
>   rightid="C=US, ST=Massachusetts, L=Boston, O=E, CN=vpn, E=
> brechbuehler at gmail.com"


Andy's mail sent me off in the right direction.  I had tried that, but "O=E"
is actually "O=EventMonitor, Inc.".  And having that comma there caused an
error (invalid OID), even with slash separators.  I created a new server
certificate, got various errors (pluto Abort / Assertion failed / no
suitable connection), updated ipsec.secrets and the iptables rules.  Now it
works!

If I read http://www.strongsec.com/freeswan/install.txt right, the initiator
MUST specify the id of the peer, only the responder can use a wildcard like
%any.

Thanks to Andy and Paul for their help!

Christian
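Added example, not from the mail thread and not Openswan's code: a small RFC 4514-style distinguished-name parser in Python that shows why an unescaped comma inside an RDN value such as "O=EventMonitor, Inc." breaks separator-based parsing (the fragment "Inc." has no attribute=value form, so it is rejected), and how escaping the comma, or using a separator the value does not contain, keeps the DN intact. Openswan's own ID parser is not reproduced here, so its exact accept/reject behaviour may differ; the DN strings are constructed from the one quoted in the thread. The RDN-by-RDN comparison at the end is the kind of check a peer-ID match like rightid= performs, rather than a plain string compare.

```python
# Added example (not from the original mail or from Openswan): RFC 4514-style
# DN parsing that copes with commas inside RDN values, plus a component-wise
# DN comparison.  DNs below are constructed from the thread's example.

def parse_dn(dn):
    """Parse a DN string into a list of (ATTRIBUTE, value) pairs.

    RDNs are separated by ',' or, when the string starts with '/', by '/'.
    A backslash escapes the following character, so 'O=EventMonitor\\, Inc.'
    is one RDN.  A component without '=' raises ValueError, which is the
    failure an unescaped 'O=EventMonitor, Inc.' runs into.
    """
    dn = dn.strip()
    sep = ","
    if dn.startswith("/"):
        sep = "/"
        dn = dn[1:]

    parts, cur, i = [], [], 0
    while i < len(dn):
        c = dn[i]
        if c == "\\" and i + 1 < len(dn):
            cur.append(dn[i + 1])          # escaped char is taken literally
            i += 2
            continue
        if c == sep:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(c)
        i += 1
    parts.append("".join(cur))

    rdns = []
    for part in parts:
        part = part.strip()
        if "=" not in part:
            raise ValueError("invalid RDN (no attribute=value): %r" % part)
        attr, value = part.split("=", 1)
        # attribute types are case-insensitive; values are kept as written
        rdns.append((attr.strip().upper(), value.strip()))
    return rdns


def is_valid_dn(dn):
    """True if every component of the DN parses as attribute=value."""
    try:
        parse_dn(dn)
        return True
    except ValueError:
        return False


def escape_rdn_value(value):
    """Escape characters in a value that would otherwise act as separators."""
    return "".join("\\" + c if c in ",/\\" else c for c in value)


def dn_matches(expected, presented):
    """True if two DN strings name the same subject, compared RDN by RDN."""
    return parse_dn(expected) == parse_dn(presented)


if __name__ == "__main__":
    broken = "C=US, ST=Massachusetts, L=Boston, O=EventMonitor, Inc., CN=vpn"
    print("unescaped comma parses:", is_valid_dn(broken))
    fixed = "C=US, ST=Massachusetts, L=Boston, O=%s, CN=vpn" % escape_rdn_value("EventMonitor, Inc.")
    print(fixed)
    print(parse_dn(fixed))
    print(parse_dn("/C=US/ST=Massachusetts/L=Boston/O=EventMonitor, Inc./CN=vpn"))
```

Running the block prints the escaped form of the DN and the parsed RDN list; the slash-separated variant works in this parser because the comma is then just part of the value, which is one way to express such a DN without escaping.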