[Openswan Users] Certificates and roadwarriors
Martin Spinassi
martins.listz at gmail.com
Tue Jul 7 08:58:46 EDT 2009
On Mon, 2009-07-06 at 01:29 -0400, Paul Wouters wrote:
> On Sun, 5 Jul 2009, Martin Spinassi wrote:
>
> > I'd like to give to each roadwarrior user a unique certificate, but
> > ipsec.conf needs a leftcert or some static cert file, but it just works
> > with one roadwarrior user, right?
>
> On the client side, you only need your own cert and the CA cert. On the
> server side, you only need the server cert and the CA cert. You only
> use both leftcert= and rightcert= when you are not using a CA.
>
> > If I try to authenticate with a user with a different certificate than
> > configured in ipsec.conf, I get this error:
>
> You should not configure a client certificate on the gateway. Instead
> you should only have:
>
> right=%any
> rightsubnet=vhost:%priv,%no
> rightca=%same
>
> > Probably I must understand something about certificates, or it just works
> > with one certificate for every "conn" config... I know I'm missing
> > something, but just don't know what it is exactly.
>
> Yes, you use one cert for every conn, which is to identify the LOCAL
> cert to use. Remote certs are transmitted via the IKE protocol by
> openswan automatically.
>
> > I've read some documents on how to make different certificates (with
> > CA.sh or openssl), but every "newreq" gets a "newcert" when it gets
> > signed, but moving it to the cert directory of ipsec doesn't do the
> > trick.
>
> Look in openswan-2.x.y/testing/x509/dist_certs for an example on how to
> create the certificates and in openswan-2.x.y/testing/pluto/*x509* for
> other examples (note some will use leftcert+rightcert and not a CA)
>
> Paul
Thanks Paul!
You really clarified all this.
I've also added the leftid="CA=dsa O=dsa....", and now it works fine.
Cheers
Martín
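As an added illustration of the gateway/client split described in the reply above (an example configuration written for this page, not taken from the thread or from Openswan's own test tree; the hostnames, distinguished names, subnets and file names are assumptions), here is a minimal Openswan 2.x setup in which the gateway carries only its own certificate plus the CA certificate, and every road warrior carries its own certificate signed by that CA:

```conf
# /etc/ipsec.conf on the gateway (example; all names are assumptions)
config setup
    nat_traversal=yes
    # Address ranges a NATed road warrior may claim as its virtual IP
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
    # Fetch CRLs regularly and refuse peers while no valid CRL is available,
    # so that a revoked client certificate actually stops working
    crlcheckinterval=600
    strictcrlpolicy=yes

# One conn serves every road warrior: it names only the LOCAL cert.
conn roadwarriors
    authby=rsasig
    keyexchange=ike
    type=tunnel
    left=%defaultroute
    # internal network behind the gateway
    leftsubnet=10.1.0.0/16
    # /etc/ipsec.d/certs/gateway.pem, issued by the CA in /etc/ipsec.d/cacerts/
    leftcert=gateway.pem
    # must equal the subject DN inside gateway.pem
    leftid="C=US, O=Example Corp, CN=vpn.example.com"
    leftrsasigkey=%cert
    leftsendcert=always
    # any client address, with a virtual IP from virtual_private or none
    right=%any
    rightsubnet=vhost:%priv,%no
    # the peer's cert must chain to the same CA that signed gateway.pem
    rightca=%same
    # take the peer's identity from the subject DN of the cert it sends
    rightid=%fromcert
    rightrsasigkey=%cert
    auto=add

# /etc/ipsec.secrets on the gateway (key file lives in /etc/ipsec.d/private/)
: RSA gateway.key

# /etc/ipsec.conf on one road warrior ("alice"); every other client is the
# same apart from leftcert= and leftid=
conn vpn
    authby=rsasig
    keyexchange=ike
    type=tunnel
    left=%defaultroute
    # this client's own certificate, in /etc/ipsec.d/certs/
    leftcert=alice.pem
    leftid="C=US, O=Example Corp, CN=alice@example.com"
    leftrsasigkey=%cert
    leftsendcert=always
    right=vpn.example.com
    rightsubnet=10.1.0.0/16
    rightid="C=US, O=Example Corp, CN=vpn.example.com"
    rightrsasigkey=%cert
    rightca=%same
    auto=start

# /etc/ipsec.secrets on alice
: RSA alice.key
```

Two things worth checking when this does not come up: the leftid= on each side has to match the subject DN of that side's certificate exactly (the same fix reported in the reply above), and the gateway must never hold any client certificate in /etc/ipsec.d/certs/; it receives each client's certificate during IKE and only needs the CA certificate in /etc/ipsec.d/cacerts/ to validate it. Note also that rightca=%same admits every certificate the CA ever issued, so revoking a lost client's certificate and publishing the CRL (with strictcrlpolicy=yes so the gateway fails closed when the CRL cannot be fetched) is what actually removes a road warrior's access.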