[Openswan Users] Some questions about x.509 certificate au thenticate
ctosgh at 126.com
Mon Apr 9 02:57:58 EDT 2007
I have two hosts--192.168.10.9 and 192.168.10.10 which are connected to a hub. They have openswan2.3.1 installed. I have already setup a tunnel using main mode and aggressive mode with x.509 certificate authentication. Detailed configurations are as follows.
/etc/ipsec.d/certs/9.pem --localhost's certificate
/etc/ipsec.d/certs/10.pem --counterpart's certificate
/etc/ipsec.d/certs/10.pem --localhost's certificate
/etc/ipsec.d/certs/9.pem --counterpart's certificate
I use tcpdump to capture the data packet of IKE phase 1. I find that the two hosts don't exchange each other's certificate whether using main mode or aggressive mode. I mean they just exchange each other's the RDN sequence which is part of the x.509 certificate. They must store their counterpart's certificates in /etc/ipsec.d/certs dir. I GUESS that the hosts will lookup its counterpart's certificate in /etc/ipsec.d/certs/ dir using the RDN sequence. Then, they can get counterpart's public key. That's why they don't exchange public key during IKE phase 1 negotiation.
The question is:
1. Is what I guess right?
2. I use openswan in a embeded system. There are many clients with x.509 certificates. So, openswan must store lots of cetificates. But, there is not enough space in this embeded environment. Is there any good suggestion?
3. For question 2, I want the openswan to store its own certificate only and get its counterparts' publick keys through IKE phase 1 negotiation. Therefore, it will save a lot storage space. Does this method work?
I will really appreciate your reply and help~~~~~~~~
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Users