[Openswan Users] x509 Certs
Paul Wouters
paul at xelerance.com
Thu Aug 14 23:36:45 EDT 2008
On Thu, 14 Aug 2008, Chris Zimmerman wrote:
> If I have machine A and machine B and Machine A initiates an IPSec tunnel to Machine B using x509 certs, is
> there an exchange of certs in the beginning much like SSH does when you're connecting for the first time? In
> other words, does machine A say, "Here's my certificate" and B likewise? How is the cert verified with the
> CA?
There is no "leap of faith". Either you need to load the remote cert
using rightcert= from file, or the certs need to be signed by a CA
whose public cert is in /etc/ipsec.d/cacerts/, in which case the
remote should send the cert inline, but it will be verified with the
loaded CA.
> I've been reading the Openswan book solid for the last 2 days and working with a Watchguard device to set this
> up and I think I've garbled some of my information.
>
> Thanks.
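The two trust models in the reply, written out as ipsec.conf connection definitions (an added example, not part of the list post or the Openswan project's own documentation; certificate file names, the peer address and the DN are placeholders):

```ini
# Added example, not from the list post or from Openswan itself.
# Both conns authenticate with x509 certs (authby=rsasig) and read our own
# cert from /etc/ipsec.d/certs/ (leftcert) with its key listed in ipsec.secrets.
# File names, the peer address (RFC 5737 test range) and the DN are placeholders.

conn a-to-b-pinned
    # Option 1: the peer's certificate is loaded from disk with rightcert=.
    # No CA is consulted; the tunnel only comes up for exactly that cert.
    authby=rsasig
    left=%defaultroute
    leftcert=hostA.pem
    leftrsasigkey=%cert
    leftsendcert=always
    right=192.0.2.10
    rightcert=hostB.pem
    rightrsasigkey=%cert
    auto=add

conn a-to-b-ca
    # Option 2: no peer certificate on disk. The peer sends its cert inline
    # during IKE and pluto verifies it against the CA certificate placed in
    # /etc/ipsec.d/cacerts/. rightid pins which subject DN is acceptable, and
    # rightca=%same requires the peer cert to be signed by the same CA as ours.
    authby=rsasig
    left=%defaultroute
    leftcert=hostA.pem
    leftrsasigkey=%cert
    leftsendcert=always
    right=192.0.2.10
    rightid="C=US, O=Example Org, CN=hostB.example"
    rightrsasigkey=%cert
    rightca=%same
    auto=add
```

With the second form, an inline cert from the peer is only accepted if the chain ends at a CA file that pluto actually loaded from /etc/ipsec.d/cacerts/; `ipsec auto --listcacerts` shows which CA certs were loaded, which is the first thing to check when a cert-based conn fails to authenticate.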