[Openswan Users] Checking for RSA private key (/etc/ipsec.secrets) [DISABLED]

Paul Wouters paul at xelerance.com
Thu Apr 2 00:00:06 EDT 2009


On Thu, 2 Apr 2009, shawnlau wrote:

> The error information could be ignored, and it would not affect the normal use of openswan! Right, Paul?

Yes, you can ignore the "DISABLED" for RSA keys in ipsec verify if you are using
X.509 certificates.

> And I have a request: could you give me a configuration example for a net-to-net connection with X.509, where the left gateway is still the CA server? I had checked the configuration in /openswan/test/Pluto/x509 and the openswan handbook, but it made me feel more confused.
>
> Until today, the error message still persecutes me, no matter how I change the ipsec.conf configuration file. Really a little frustrating.

You need to put the cacert PEM in /etc/ipsec.d/cacerts. Then, assuming your local end
is left, you add leftcert=left.pem and leftid=%fromcert (on openswan 2.6.x only).
You should probably also set leftsendcert=always. You do not need to use rightcert=
and you do not need leftca=/rightca=. Then do the same on the other endpoint, where
you also just load its own cert via its own leftcert= (or rightcert= if you picked that).

Paul
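
The settings named in the reply above, laid out as a net-to-net connection for the left gateway. This is an added example, not part of the original message or of the Openswan distribution; the addresses, subnets, file names, passphrase and peer DN are constructed placeholders, and rightid= with rightrsasigkey=%cert is an assumed way of identifying the peer without rightcert=.

```conf
# /etc/ipsec.conf on the LEFT gateway (constructed example).
# Addresses, subnets, file names and the DN below are placeholders.
# Files assumed in place:
#   CA certificate (PEM)  -> /etc/ipsec.d/cacerts/
#   left.pem              -> /etc/ipsec.d/certs/
#   left.key              -> /etc/ipsec.d/private/
# leftid=%fromcert takes the ID from left.pem (openswan 2.6.x only).
# leftsendcert=always sends left.pem to the peer during IKE.
# No rightcert=, leftca= or rightca= is set; the peer's certificate
# arrives over IKE and is checked against the CA in cacerts/.
# rightid/rightrsasigkey are assumptions of this example: the peer is
# identified by its certificate DN and its key is taken from that cert.
version 2.0

config setup
    protostack=netkey

conn net-to-net
    authby=rsasig
    left=192.0.2.1
    leftsubnet=10.0.1.0/24
    leftcert=left.pem
    leftid=%fromcert
    leftsendcert=always
    right=198.51.100.1
    rightsubnet=10.0.2.0/24
    rightid="C=XX, O=Example, CN=right.example.com"
    rightrsasigkey=%cert
    auto=start

# /etc/ipsec.secrets on the LEFT gateway: the private key matching left.pem.
# : RSA left.key "passphrase-placeholder"
```

On the other gateway the same conn applies with the certificate settings moved to its own side (its own leftcert=, or rightcert= with rightid=%fromcert and rightsendcert=always if it keeps the same left/right orientation). After loading, `ipsec auto --listall` shows whether the CA certificate, the end certificate and its private key were all picked up.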

