[Openswan Users] Some questions about x.509 certificate authenticate

孙国辉(VPN技术部) sun_guohui at topsec.com.cn
Mon Apr 9 02:17:37 EDT 2007 

Hi,All:
      I have two hosts--192.168.10.9 and 192.168.10.10 which are connected to a hub. They have openswan2.3.1 installed. I have already setup a tunnel using main mode and aggressive mode with x.509 certificate authentication. Detailed configurations are as follows.

On 192.168.10.9:
/etc/ipsec.d/certs/9.pem     --localhost's certificate
/etc/ipsec.d/certs/10.pem    --counterpart's certificate
/etc/ipsec.d/cacerts/cacert.pem
/etc/ipsec.d/private/9.key

ipsec.conf:
config setup
 interfaces="ipsec0=eth1"
conn test
 left=192.168.10.9
 leftcert=9.pem
 right=192.168.10.10
 rightcert=10.pem
 pfs=no
 ike=3des-md5-modp1536
 aggrmode=yes
 auto=add


On 192.168.10.10:
/etc/ipsec.d/certs/10.pem    --localhost's certificate
/etc/ipsec.d/certs/9.pem     --counterpart's certificate
/etc/ipsec.d/cacerts/cacert.pem
/etc/ipsec.d/private/10.key

ipsec.conf:
config setup
 interfaces="ipsec0=eth1"
conn test
 left=192.168.10.10
 leftcert=10.pem
 right=192.168.10.9
 rightcert=9.pem
 pfs=no
 ike=3des-md5-modp1536
 aggrmode=yes
 auto=add


     I use tcpdump to capture the data packet of IKE phase 1. I find that the two hosts don't exchange each other's certificate whether using main mode or aggressive mode. I mean they just exchange each other's the RDN sequence which is part of the x.509 certificate. They must store their counterpart's certificates in /etc/ipsec.d/certs dir. I GUESS that the hosts will lookup its counterpart's certificate in /etc/ipsec.d/certs/ dir using the RDN sequence. Then, they can get counterpart's public key. That's why they don't exchange public key during IKE phase 1 negotiation.

The question is:
1. Is what I guess right?
2. I use openswan in a embeded system. There are many clients with x.509 certificates. So, openswan must store lots of cetificates. But, there is not enough space in this embeded environment. Is there any good suggestion?  
3. For question 2, I want the openswan to store its own certificate only and get its counterparts' publick keys through IKE phase 1 negotiation. Therefore, it will save a lot storage space. Does this method work?
     I will really appreciate your reply and help~~~~~~~~

     Jacky
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.openswan.org/pipermail/users/attachments/20070409/acc40e16/attachment.html

More information about the Users mailing list