[Openswan Users] Certificates and roadwarriors

Martin Spinassi martins.listz at gmail.com
Tue Jul 7 08:58:46 EDT 2009

On Mon, 2009-07-06 at 01:29 -0400, Paul Wouters wrote:
> On Sun, 5 Jul 2009, Martin Spinassi wrote:
> > I'd like to give to each roadwarrior user a unique certificate, but
> > ipsec.conf needs a leftcert or some statical cert file, but it just works
> > with one roadwarrior user, right?
> On the client side, you only need your own cert and the CA cert. On the
> server side, you only need the server cert and the CA cert. You only
> use both leftcert= and rightcert= when you are not using a CA.
> > If I try to authenticate with a user with a different certificate than
> > configured in ipsec.conf, I get this error:
> You should not configure a client certificate on the gateway. Instead
> you should only have:
> right=%any
> rightsubnet=vhost:%priv,%no
> rightca=%same
> > Probably I must understand something with certificates, or it just work
> > with one certificate for every "conn" config...I know I'm missing
> > something , but just doesn't know what is it exactly.
> Yes, you use one cert for every conn, which is to identify the LOCAL
> cert to use. Remote certs are transmitted via the IKe protocol by
> openswan automatically.
> > I've read some documents of how to make differents certificates (with
> > CA.sh or openssl), but every "newreq" gets a "newcert" when it gets
> > signed, but moving it to the cert directory of ipsec doesn't do the
> > trick.
> Look in openswan-2.x.y/testing/x509/dist_certs for an example on how to
> create the certifiates and in openswan-2.x.y/testing/pluto/*x509* for
> other examples (note some will use leftcert+rightcert and not a CA)
> Paul

Thanks Paul!

You really clarify all this.
I've also added the leftid="CA=dsa O=dsa....", and now it works fine.



More information about the Users mailing list