[Openswan Users] automatic X509 certificate xchange
Antony Richards
arichards at cybertec.com.au
Tue Mar 9 18:03:17 EST 2010
Hi,
On 03/10/2010 05:53 AM, Paul Wouters wrote:
> On Tue, 9 Mar 2010, farajian amin wrote:
>
>
>> If openswan does request the other side's certificate, why do we need to copy the other side's certificate to /etc/ipsec.d/certs too?
>>
> You do not need to do that.
>
>
>> I have the following configuration on a client as a road-warrior:
>>
>
>> conn road-x509
>> left=192.168.1.210
>> right=%any
>> type=tunnel
>> leftcert=VPN2Cert.pem
>> rightcert=VPN1Cert.pem
>>
> Assuming 192.168.1.210 is the gateway, you need right=%defaultroute, not right=%any
> You do not need the leftcert= line. I would add rightsendcert=always.
>
>
(Assuming left is the gateway.) If both certificates are signed by the
same Certificate Authority, I would remove leftcert, and add
leftca=%same (the documentation says it's on by default, but when
testing I found I needed it).
That way you only need to put VPN1Cert.pem on the host.
Likewise, for the gateway (below), remove rightcert and add
rightca=%same.

Regards,
Antony.
>> and for the gateway:
>>
>> conn road-x509
>> left=192.168.1.210
>> right=%any
>> type=tunnel
>> leftcert=VPN2Cert.pem
>> rightcert=VPN1Cert.pem
>>
> You do not need rightcert=
>
> Paul
> _______________________________________________
> Users at openswan.org
> http://lists.openswan.org/mailman/listinfo/users
> Building and Integrating Virtual Private Networks with Openswan:
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
>
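For reference, here is what the two conn sections look like once the suggestions in this thread are applied. This is an added illustration, not config posted by Antony or Paul and not Openswan's own sample config; the addresses and certificate file names come from the thread, while the sendcert lines, the rsasigkey lines and the ipsec.secrets entries are assumptions added so the fragment is complete. The point it shows is that each side only needs its own certificate plus the shared CA certificate; the peer's certificate arrives in the IKE CERT payload and is validated against the CA, so nothing needs to be copied into /etc/ipsec.d/certs on the other machine.

```ini
# ---- Gateway (192.168.1.210): /etc/ipsec.conf ----
# Its own cert lives in /etc/ipsec.d/certs/VPN2Cert.pem, the CA cert in
# /etc/ipsec.d/cacerts/, and its private key in /etc/ipsec.d/private/.
conn road-x509
    type=tunnel
    authby=rsasig
    left=192.168.1.210
    leftcert=VPN2Cert.pem
    leftrsasigkey=%cert            # assumption: key taken from the cert
    leftsendcert=always            # assumption: always send our cert
    right=%any                     # any road warrior address
    rightca=%same                  # peer cert must chain to the same CA as ours
    rightrsasigkey=%cert           # peer key comes from the cert it sends
    auto=add

# Gateway's /etc/ipsec.secrets (assumed file name for the key):
#   : RSA VPN2Key.pem

# ---- Road warrior: /etc/ipsec.conf ----
# Only VPN1Cert.pem and the CA cert are installed here; VPN2Cert.pem is NOT copied.
conn road-x509
    type=tunnel
    authby=rsasig
    left=192.168.1.210             # the gateway
    leftca=%same                   # gateway cert must chain to our CA
    leftrsasigkey=%cert
    right=%defaultroute            # this host, whatever address it has
    rightcert=VPN1Cert.pem
    rightrsasigkey=%cert
    rightsendcert=always           # assumption: always send our cert
    auto=add

# Road warrior's /etc/ipsec.secrets (assumed file name for the key):
#   : RSA VPN1Key.pem
```

Two checks worth doing after loading this: `ipsec auto --listcacerts` should show the CA on both machines, and `ipsec auto --listcerts` on each side should show only that side's own certificate. If the CA is missing on either end, the peer's certificate cannot be validated no matter what the leftca/rightca settings say.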