[Openswan Users] automatic X509 certificate xchange
Paul Wouters
paul at xelerance.com
Tue Mar 9 13:53:18 EST 2010
On Tue, 9 Mar 2010, farajian amin wrote:
> If openswan does request other side certificate, why we need to copy other side certificate to the /etc/ipsec.d/certs too?
You do not need to do that.
> I have the following configuration on a client as a road-warrior:
> conn road-x509
>     left=192.168.1.210
>     right=%any
>     type=tunnel
>     leftcert=VPN2Cert.pem
>     rightcert=VPN1Cert.pem
Assuming 192.168.1.210 is the gateway, you need right=%defaultroute, not right=%any
You do not need the leftcert= line. I would add rightsendcert=always.
> and for the gateway:
>
> conn road-x509
>     left=192.168.1.210
>     right=%any
>     type=tunnel
>     leftcert=VPN2Cert.pem
>     rightcert=VPN1Cert.pem
You do not need rightcert=
Paul
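
The two conn sections from this thread with the reply's changes applied, as an added example that is not part of the original message. It assumes VPN2Cert.pem is the gateway's certificate and VPN1Cert.pem the client's, as the left/right assignment in the quoted configuration implies; every line marked "added" is an assumption and does not come from the thread.

```conf
# --- Road-warrior client: /etc/ipsec.conf (added example) ---
conn road-x509
    left=192.168.1.210          # the gateway
    right=%defaultroute         # the client itself, per the reply (was %any)
    type=tunnel
    rightcert=VPN1Cert.pem      # the client's own certificate
    rightsendcert=always        # always send it to the gateway
    # leftcert= dropped: the gateway's certificate arrives during IKE
    # and is checked against the CAs in /etc/ipsec.d/cacerts
    leftrsasigkey=%cert         # added: take the gateway's key from the certificate it sends

# --- Gateway: /etc/ipsec.conf (added example) ---
conn road-x509
    left=192.168.1.210          # the gateway itself
    right=%any                  # clients connect from any address
    type=tunnel
    leftcert=VPN2Cert.pem       # the gateway's own certificate
    # rightcert= dropped: no client certificate is copied to this host
    rightrsasigkey=%cert        # added: take the client's key from the certificate it sends
    rightca=%same               # added: client certificate must come from the CA that issued leftcert
```

With no peer certificate pinned, the gateway accepts any client certificate that validates against its trusted CAs, so the CA and ID restrictions on the connection decide who can connect.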