[Openswan Users] x509 Certs

Paul Wouters paul at xelerance.com
Thu Aug 14 23:36:45 EDT 2008

On Thu, 14 Aug 2008, Chris Zimmerman wrote:

> If I have machine A and machine B and Machine A initiates an IPSec tunnel to Machine B using x509 certs, is
> there an exchange of certs in the beginning much like SSH does when you're connecting for the first time?  In
> other words, does machine A say, "Here's my certificate" and B likewise?  How is the cert verified with the
> CA? 

There is no "leap of faith". Either you need to load the remote cert
using rightcert= from file, or the certs need to be signed by a CA
which's public cert is in /etc/ipsec.d/cacerts/, in which case the
remote should send the cert inline, but it will be verified with the
loaded CA.

> I've been reading the Openswan book solid for the last 2 days and working with a Watchguard device to set this
> up and I think I've garbled some of my information.
> Thanks.

More information about the Users mailing list