[Openswan Users] Some questions about x.509 certificate authenticate

Paul Wouters paul at xelerance.com
Wed Apr 11 10:26:24 EDT 2007


On Mon, 9 Apr 2007, 孙国辉 (VPN Technical Department) wrote:

>       I have two hosts--192.168.10.9 and 192.168.10.10--which are connected to a hub. They have openswan 2.3.1 installed. I have already set up a tunnel using main mode and aggressive mode with x.509 certificate authentication. Detailed configurations are as follows.

> conn test
>  left=192.168.10.9
>  leftcert=9.pem
>  right=192.168.10.10
>  rightcert=10.pem

>      I use tcpdump to capture the data packets of IKE phase 1. I find that the two hosts don't exchange each other's certificate, whether using main mode or aggressive mode. I mean they just exchange each other's RDN sequence, which is part of the x.509 certificate.

That's because you loaded the certificates explicitly. You should only
specify the local cert in leftcert= (or rightcert=) and not the remote cert.

> 3. For question 2, I want openswan to store its own certificate only and get its counterparts' public keys through IKE phase 1 negotiation. Therefore, it will save a lot of storage space. Does this method work?

Yes.

Paul
-- 
Building and integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
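A small lint for the misconfiguration Paul points out, added here as an example and not code from the thread or from Openswan: it parses a constructed ipsec.conf (the conn names, file names and the `ok` conn are assumed sample values) and reports every conn that names both the local and the remote certificate file, since a peer certificate that is already on disk is never requested over IKE.

```python
"""Flag ipsec.conf conns that preload the peer's certificate (constructed example)."""
from typing import Dict, List

# Constructed sample: 'test' mirrors the conn from the thread, 'ok' keeps only
# the local certificate so the peer's cert is received in IKE phase 1 instead.
SAMPLE_CONF = """\
config setup
    interfaces=%defaultroute

conn test
    left=192.168.10.9
    leftcert=9.pem
    right=192.168.10.10
    rightcert=10.pem

conn ok
    left=192.168.10.9
    leftcert=9.pem
    right=192.168.10.10
"""


def parse_conns(text: str) -> Dict[str, Dict[str, str]]:
    """Return {conn_name: {key: value}} for every 'conn' section."""
    conns: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments and blanks
        if not line:
            continue
        if not line[0].isspace():                 # section header at column 0
            kind, _, name = line.partition(" ")
            current = conns.setdefault(name.strip(), {}) if kind == "conn" else None
            continue
        if current is not None and "=" in line:   # indented key=value line
            key, _, value = line.strip().partition("=")
            current[key.strip()] = value.strip()
    return conns


def preloaded_peer_certs(text: str) -> List[str]:
    """Conns that set both leftcert= and rightcert=, i.e. the remote cert is
    loaded from disk and will not be exchanged during IKE phase 1."""
    return sorted(name for name, kv in parse_conns(text).items()
                  if "leftcert" in kv and "rightcert" in kv)


if __name__ == "__main__":
    for name in preloaded_peer_certs(SAMPLE_CONF):
        print(f"conn {name}: remove the remote *cert= so only the local cert is listed")
```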

