[Openswan Users] Testing of openswan-Do we need a certificate

[Paul Wouters]

On Mon, 15 May 2006, karthik.ramanathan at wipro.com wrote:

> I have configured IPsec using openswan in my linux PC . On my windows
> 2000 i have configured IPsec .For implementation and connection to be
> established between two PCs do i require a certificate on both sides ???

I do not know how you "configured ipsec on windows 2000". Do you mean l2tp?
do you mean some static conn via mmc? do you mean with lsipsectool.exe?

In general you have a choice of PSK or X.509 certificates, and certificates
are definately the preferred way.

> If it is so then please tell me how to get a certificate for both the
> machines .

See one of the many manuals and/or openssl or software packages out there.
Eg Nate Carlson's page or Jakko's pages or the X.509 README in docs/ or
the Openswan book.

> Also on ipsec.conf there is a parameter called pfs can anyone
> tell me what is the use of that and what value should i put for that
> ????

It is Perfect Forward Secrecy, and is an option that Windows unfortunately
still does not support properply. Use pfs=no for connections with Windows.

> Is it required compulsory in the conf file or can i remove that ???
> i jus know the full form of pfs and want to know what it is actually
> used for ??

It means it i using a session key that changes every hour, so that even
if one of the hosts is compromised, any past intercepted IPsec traffic
can still not be decrypted (before the session keys used were destroyed)

Paul
-- 
Building and integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155