[Openswan Users] Certificates and roadwarriors

Paul Wouters paul at xelerance.com
Mon Jul 6 01:29:57 EDT 2009


On Sun, 5 Jul 2009, Martin Spinassi wrote:

> I'd like to give to each roadwarrior user a unique certificate, but
> ipsec.conf needs a leftcert or some static cert file, but it just works
> with one roadwarrior user, right?

On the client side, you only need your own cert and the CA cert. On the
server side, you only need the server cert and the CA cert. You only
use both leftcert= and rightcert= when you are not using a CA.

> If I try to authenticate with a user with a different certificate than
> configured in ipsec.conf, I get this error:

You should not configure a client certificate on the gateway. Instead
you should only have:

right=%any
rightsubnet=vhost:%priv,%no
rightca=%same

> Probably I must understand something with certificates, or it just works
> with one certificate for every "conn" config...I know I'm missing
> something, but just don't know what it is exactly.

Yes, you use one cert for every conn, which is to identify the LOCAL
cert to use. Remote certs are transmitted via the IKE protocol by
openswan automatically.

> I've read some documents of how to make different certificates (with
> CA.sh or openssl), but every "newreq" gets a "newcert" when it gets
> signed, but moving it to the cert directory of ipsec doesn't do the
> trick.

Look in openswan-2.x.y/testing/x509/dist_certs for an example on how to
create the certificates and in openswan-2.x.y/testing/pluto/*x509* for
other examples (note some will use leftcert+rightcert and not a CA).

Paul
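
As an added illustration of the CA-based setup Paul describes (this is not from his message or from the Openswan tree), here is a gateway conn that carries only the gateway's own cert plus rightca=%same, and the matching client conn; the hostnames, DN, subnet and certificate file names are placeholders.

```ini
# Added example, not from the original post. Placeholders: gw.example.com,
# the DN, 10.0.0.0/24, gw.example.com.pem and alice.pem.
#
# --- Gateway /etc/ipsec.conf ---
# The CA cert lives in /etc/ipsec.d/cacerts/; no per-client rightcert= here.
conn roadwarrior-x509
        left=%defaultroute
        leftcert=gw.example.com.pem        # gateway's own cert in /etc/ipsec.d/certs/
        leftid="C=XX, O=Example, CN=gw.example.com"   # placeholder subject DN
        leftsubnet=10.0.0.0/24             # placeholder network behind the gateway
        leftrsasigkey=%cert
        right=%any                         # accept any client address
        rightsubnet=vhost:%priv,%no        # client may or may not be behind NAT
        rightca=%same                      # client cert must chain to the same CA as ours
        rightrsasigkey=%cert               # take the client's key from the cert it sends in IKE
        authby=rsasig
        auto=add                           # gateway waits for clients to initiate

# --- Client (roadwarrior) /etc/ipsec.conf ---
# Each client gets its own cert; leftid is omitted, so openswan uses
# the subject DN of leftcert as the local ID.
conn roadwarrior-x509
        left=%defaultroute
        leftcert=alice.pem                 # this client's unique cert
        leftrsasigkey=%cert
        right=gw.example.com               # placeholder gateway address
        rightsubnet=10.0.0.0/24
        rightid="C=XX, O=Example, CN=gw.example.com"  # must match the gateway cert's DN
        rightrsasigkey=%cert
        authby=rsasig
        auto=start
```

Revoking one roadwarrior then means revoking that user's certificate (CRL in /etc/ipsec.d/crls/) rather than touching the gateway conn.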

