[Openswan Users] Some questions about x.509 certificate authenticate

Paul Wouters paul at xelerance.com
Thu Apr 12 01:06:52 EDT 2007


On Thu, 12 Apr 2007, 孙国辉 (VPN Technical Department) wrote:

> >>       I have two hosts--192.168.10.9 and 192.168.10.10--which are connected to a hub. They have openswan 2.3.1 installed. I have already set up a tunnel using main mode and aggressive mode with x.509 certificate authentication. Detailed configurations are as follows.

>                 It works as you said under main mode. But I still have a question. We know there are six packets during IKE phase 1 negotiation if using main mode. I have all six packets captured. I find that the right (responder) will send a cert request payload in the fourth packet to the left (initiator). Because the following two packets are encrypted, I guess the initiator will send its cert in the fifth packet and the responder will send its cert in the sixth packet, which is the last packet in phase 1. Therefore, neither side needs to store its counterpart's cert. Is what I think right?

Don't use sniffing. Set plutodebug=control in ipsec.conf to log what is happening at the IKE level.

>                 But, it doesn't work under aggressive mode

That is correct. Various fixes went into openswan since version 2.3.1 that
fix Aggressive Mode cases. Please upgrade and try again. Use the latest
rc version 2.4.8rc1 because it specifically fixes Aggressive Mode with NAT-T,
which was broken up to and including openswan 2.4.7.

ftp://ftp.openswan.org/openswan/testing/

Paul
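As an added illustration of the phase 1 exchange discussed in this thread (not code from the thread or from openswan): a small ISAKMP header and payload-chain decoder run over constructed main mode packets. It shows why a CERTREQ is visible in the fourth packet while whatever the fifth and sixth carry is not (the encryption flag is set), which is also why the plutodebug log is the better source. Payload and exchange numbers follow RFC 2408; the sample packets and cookies are constructed.

```python
import struct

# ISAKMP payload types (RFC 2408, section 3.1) and exchange types (section 3.1, table)
PAYLOAD_NAMES = {0: "NONE", 1: "SA", 2: "P", 3: "T", 4: "KE", 5: "ID", 6: "CERT",
                 7: "CERTREQ", 8: "HASH", 9: "SIG", 10: "NONCE", 11: "N", 12: "D", 13: "VID"}
EXCHANGE_NAMES = {2: "main mode (identity protection)", 4: "aggressive mode"}
FLAG_ENCRYPTION = 0x01          # E bit in the ISAKMP header flags
HDR = "!8s8sBBBBII"             # icookie, rcookie, next payload, version, exchange, flags, msgid, length

def build_isakmp(payloads, exchange=2, flags=0, msgid=0):
    """Construct an ISAKMP message from (payload_type, body) pairs (sample data only)."""
    body = b""
    for i, (ptype, data) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        body += struct.pack("!BBH", nxt, 0, 4 + len(data)) + data   # generic payload header
    first = payloads[0][0] if payloads else 0
    return struct.pack(HDR, b"I" * 8, b"R" * 8, first, 0x10, exchange, flags, msgid, 28 + len(body)) + body

def parse_isakmp(pkt):
    """Return (exchange name, encrypted?, [payload names]) for one ISAKMP message."""
    if len(pkt) < 28:
        raise ValueError("short ISAKMP header")
    _, _, nxt, _, exch, flags, _, length = struct.unpack(HDR, pkt[:28])
    if length != len(pkt):
        raise ValueError("header length does not match packet")
    exch_name = EXCHANGE_NAMES.get(exch, str(exch))
    if flags & FLAG_ENCRYPTION:
        return exch_name, True, []   # payload chain is ciphertext; nothing to walk
    names, off = [], 28
    while nxt != 0:                  # follow the next-payload chain to the end
        if off + 4 > len(pkt):
            raise ValueError("truncated payload header")
        nxt2, _, plen = struct.unpack("!BBH", pkt[off:off + 4])
        if plen < 4 or off + plen > len(pkt):
            raise ValueError("bad payload length")
        names.append(PAYLOAD_NAMES.get(nxt, str(nxt)))
        nxt, off = nxt2, off + plen
    return exch_name, False, names

def main_mode_phase1_summary():
    """Constructed packets 4 and 5 of a main mode exchange: CERTREQ is readable in packet 4,
    packet 5 has the E bit set so any CERT it carries is invisible to a sniffer."""
    pkt4 = build_isakmp([(4, b"\x00" * 16), (10, b"\x11" * 8), (7, b"\x04")], exchange=2)
    pkt5 = build_isakmp([(5, b"\x00" * 8), (6, b"\x04\x00"), (9, b"\x22" * 8)],
                        exchange=2, flags=FLAG_ENCRYPTION)
    return [parse_isakmp(pkt4), parse_isakmp(pkt5)]
```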

