[Openswan Users] Establishing a VPN connection using certificates, --id <IP Address> vs --id <DN>

Paul Wouters paul at xelerance.com
Tue Jun 2 01:00:05 EDT 2009


On Mon, 1 Jun 2009, Marcos Hacker wrote:

> > That will cause havoc if you also have a PSK defined for that IP address. It will mix up RSA vs PSK modes.
> >
> > I'd have to think about what we can do to allow this case to work, without breaking anything
> > else. But you'll run into other issues too. If they propose based on ID_IPV4_ADDR instead of
> > ID_DER_ASN1_DN, then for instance we will also not send out any CERT payloads.

> It sounds like the correct way to proceed is to set the Netgear to ID_DER_ASN1_DN when using certificates, and error out
> if the Netgear is misconfigured. I appreciate the insight.

I think so too.

> Is it still true that %fromcert can only load the id from a locally stored certificate? Or can it be used to retrieve the
> DN from the certificate the Netgear sends over?

%fromcert is meant to "preload" the ID field based on the locally loaded
certificate. It should never be used without a left/rightcert= command for
that same endpoint.
If you want to limit the other end to one DN, set it explicitly using
rightid=

Paul
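An added example of what the thread is converging on, not a configuration from the original post: a certificate-authenticated conn where the local ID comes from the local certificate (so leftcert= is present alongside %fromcert) and the peer is pinned to one DN with rightid=, so the connection never keys off the peer's IP and cannot be confused with a PSK entry for that address. The conn name, file name, DN values and addresses are placeholders.

```conf
# Added example (not from the thread). All names and DN values are placeholders.
conn netgear-certs
    authby=rsasig
    keyexchange=ike
    left=%defaultroute
    leftcert=openswan.pem          # local certificate; %fromcert below needs this
    leftid=%fromcert               # our ID is the DN in that certificate (ID_DER_ASN1_DN)
    leftrsasigkey=%cert
    right=192.0.2.10               # peer address (RFC 5737 documentation range)
    # Pin the peer to one DN instead of matching on its IP address.
    # A rightid of an IP (ID_IPV4_ADDR) would collide with any PSK for 192.0.2.10.
    rightid="C=US, O=Example Corp, CN=netgear.example.com"
    rightrsasigkey=%cert
    auto=add
```

Check it with `ipsec auto --add netgear-certs` and `ipsec auto --status`; if the peer still proposes its IP as ID, the conn will not match and the peer-side ID type is what needs correcting.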

