[Openswan Users] Can openswan one-way certification !

Paul Wouters paul at xelerance.com
Wed Apr 1 23:53:51 EDT 2009


On Thu, 2 Apr 2009, chenyq wrote:

> I come from China, my English is very poor, and I need someone who can help me! I just
> want one-way certification, thank you!
> Now let's begin.

"one-way certification" is not possible. Both ends have to authenticate
each other. This might change when the IETF BTNS working group items get
implemented, but currently each end must authenticate to the other end.

> gw-right:
> conn x509
>         left=192.168.1.2
>         leftsubnet=10.0.0.0/8
>         leftcert=left.pem
>         leftnexthop=%defaultroute
>         right=192.168.2.2
>         rightsubnet=172.16.1.0/24
>         rightid=192.168.2.2
>         #rightcert=right.pem
>         rightnexthop=%defaultroute
>         pfs=no
>         auto=add
> gw-left:
> conn x509
>         left=192.168.1.2
>         leftsubnet=10.0.0.0/8
>         leftcert=left.pem
>         leftnexthop=%defaultroute
>         right=192.168.2.2
>         rightid=192.168.2.2
>         rightsubnet=172.16.1.0/24
>         #rightcert=right.pem
>         rightnexthop=%defaultroute
>         pfs=no
>         auto=add

It's strongly recommended to use the DN= for IDs when using X.509. This is
the default on openswan 2.4.x. For Openswan-2.6.x you should specify leftid=%fromcert
for the local end (e.g. if you have leftcert=) and leave out the rightid=.

> 003 "x509" #2: received Vendor ID payload [Openswan (this version) 2.4.6  X.509-1.5.4

openswan 2.4.6 is EXTREMELY old. Upgrade to at least 2.4.14 if you cannot run openswan
2.6.x.

Paul
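The poster's conn rewritten along the lines Paul describes for Openswan 2.6.x, added here as an example and not taken from the thread or from the Openswan project. It assumes each gateway holds its own certificate and private key under /etc/ipsec.d, that both certificates were issued by the same CA whose certificate sits in /etc/ipsec.d/cacerts, and that rightcert=/rightid= behave as Paul states (the remote end's ID is matched from its verified certificate when no id is configured).

```conf
# Added example (not from the thread): one conn per gateway. Openswan
# decides which side is local by matching the gateway's own address, so
# "left" and "right" describe the topology, not local and remote.

# /etc/ipsec.conf on gw-left (192.168.1.2): the local end is "left"
conn x509
        left=192.168.1.2
        leftsubnet=10.0.0.0/8
        leftcert=left.pem          # this gateway's own certificate in /etc/ipsec.d/certs
        leftid=%fromcert           # use the certificate DN as the local ID, not the IP
        leftnexthop=%defaultroute
        right=192.168.2.2
        rightsubnet=172.16.1.0/24
        # no rightid= here: the peer's ID is taken from the certificate it presents
        rightnexthop=%defaultroute
        auto=add

# /etc/ipsec.conf on gw-right (192.168.2.2): the local end is "right",
# so the certificate and %fromcert move to the right* keys. Both ends
# still authenticate each other; there is no one-way mode.
conn x509
        left=192.168.1.2
        leftsubnet=10.0.0.0/8
        # no leftid= here: the peer (gw-left) is identified by its certificate DN
        leftnexthop=%defaultroute
        right=192.168.2.2
        rightsubnet=172.16.1.0/24
        rightcert=right.pem        # this gateway's own certificate, uncommented
        rightid=%fromcert          # local ID from the certificate DN
        rightnexthop=%defaultroute
        auto=add
```

The poster's pfs=no line is dropped so PFS stays at Openswan's default of yes; the rightid=192.168.2.2 line is what made the IP-based ID collide with the DN-based identity Paul recommends.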

