[Openswan Users] automatic X509 certificate xchange

farajian amin amin_o_city at yahoo.com
Tue Mar 9 06:27:22 EST 2010


Dear Tuomo
If Openswan does request the other side's certificate, why do we need to copy the other side's certificate to /etc/ipsec.d/certs too?
I have the following configuration on a client as a road-warrior:

conn road-x509
        left=192.168.1.210
        right=%any
        type=tunnel
        leftcert=VPN2Cert.pem
        rightcert=VPN1Cert.pem
        auto=add

and for the gateway:

conn road-x509
        left=192.168.1.210
        right=%any
        type=tunnel
        leftcert=VPN2Cert.pem
        rightcert=VPN1Cert.pem
        auto=add


I have to copy VPN1Cert.pem and VPN2Cert.pem onto both machines. I need a way (maybe by changing the configuration in /etc/ipsec.conf) in which each side only has its own certificate, and at connection startup requests the other side's certificate, does the validity check and runs the other stuff. (The storage place, "memory or directory", is not important.)

Thanks in advance.

 
Amin Farajian



----- Original Message ----
From: Tuomo Soini <tis at foobar.fi>
To: farajian amin <amin_o_city at yahoo.com>
Cc: users at openswan.org
Sent: Tue, March 9, 2010 2:28:49 PM
Subject: Re: [Openswan Users] automatic X509 certificate xchange

farajian amin wrote:

> I don't want to copy each side's cert to the other side manually. Can
> Openswan request the other side's certificate and download it to the proper
> directory and then establish the connection? Is there any
> configuration script?

Openswan does do certificate request but it won't store remote
certificate locally, it's only stored in memory.

-- 
Tuomo Soini <tis at foobar.fi>
Foobar Linux services
+358 40 5240030
Foobar Oy <http://foobar.fi/>
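One way to get what the question asks for, as an added example that is not part of the thread and not Openswan's own documentation: instead of pointing rightcert at a file, each side keeps only its own certificate and private key, plus the shared CA certificate, and the peer is identified by the distinguished name in its certificate and validated against that CA. Openswan then takes the peer's certificate from the CERT payload in IKE (held in memory, as Tuomo says) and checks it against /etc/ipsec.d/cacerts and /etc/ipsec.d/crls. The DNs, file names and the 192.168.1.210 address are assumptions for illustration; leftsendcert, rightca and rightrsasigkey=%cert are Openswan 2.6 ipsec.conf options as I know them, so check `man ipsec.conf` on your release before relying on them.

```conf
# /etc/ipsec.conf on the gateway (192.168.1.210)
# Files present on the gateway only:
#   /etc/ipsec.d/cacerts/ca.pem       CA that issued both VPN certificates (assumed name)
#   /etc/ipsec.d/certs/VPN2Cert.pem   gateway's own certificate
#   /etc/ipsec.d/private/VPN2Key.pem  gateway's own private key (assumed name)
#   /etc/ipsec.d/crls/ca.crl          CRL for that CA (optional but recommended)
conn road-x509
        left=192.168.1.210
        leftcert=VPN2Cert.pem
        leftsendcert=always                     # send our cert in IKE so the peer need not store it
        right=%any                              # road warrior, any source address
        rightid="C=IR, O=Example, CN=VPN1"      # assumed DN; must equal the subject of VPN1Cert.pem
        rightca=%same                           # peer cert must chain to the same CA as leftcert
        rightrsasigkey=%cert                    # take the peer's public key from the cert it presents
        type=tunnel
        auto=add

# /etc/ipsec.secrets on the gateway
# : RSA VPN2Key.pem

# /etc/ipsec.conf on the road-warrior client
# Files present on the client only: ca.pem, VPN1Cert.pem, VPN1Key.pem, ca.crl
conn road-x509
        left=%defaultroute
        leftcert=VPN1Cert.pem
        leftsendcert=always
        right=192.168.1.210
        rightid="C=IR, O=Example, CN=VPN2"      # assumed DN; must equal the subject of VPN2Cert.pem
        rightca=%same
        rightrsasigkey=%cert
        type=tunnel
        auto=add

# /etc/ipsec.secrets on the client
# : RSA VPN1Key.pem
```

Two caveats a practitioner should check. First, rightid has to match the peer certificate's subject DN byte for byte (same attribute order, same spelling), otherwise the identity check fails even though the chain validates; `openssl x509 -in VPN1Cert.pem -noout -subject` shows the exact string. Second, because the peer's certificate is never written to disk, revocation is your only lever after a key compromise: keep a current CRL in /etc/ipsec.d/crls (or a reachable CRL distribution point) and confirm the chain with `openssl verify -CAfile /etc/ipsec.d/cacerts/ca.pem /etc/ipsec.d/certs/VPN1Cert.pem` before blaming the IKE negotiation.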
