[Openswan Users] Fw: automatic X509 certificate xchange

farajian amin amin_o_city at yahoo.com
Wed Mar 10 07:36:45 EST 2010


Dear Paul and Antony
Thanks for your help. I finally ran the scenario with the following configs:

On Gateway:
conn road-x509
        type=tunnel
        authby=rsasig
        leftrsasigkey=%cert
        rightrsasigkey=%cert
        left=192.168.1.210
        leftid="C=X, ST=X, O=X, OU=X, CN=X, E=X"
        right=%any  # any VPN client who wants to connect, so we don't need to specify rightid=
        leftcert=VPN2Cert.pem
        #rightca=%same  "it is not required when you have only one CA cert, as I checked"
        auto=add

And for the road-warrior

conn road-x509
        type=tunnel
        authby=rsasig
        leftrsasigkey=%cert
        rightrsasigkey=%cert
        left=192.168.1.210
        leftid="C=X, ST=X, O=X, OU=X, CN=X, E=X"
        right=%defaultroute
        rightsendcert=always
        rightcert=VPN1Cert.pem
        #leftca=%same  "it is not required when you have only one CA cert, as I checked"
        auto=add
#**END**#


Thanks again. 

Amin Farajian



----- Forwarded Message ----
From: Antony Richards <arichards at cybertec.com.au>
To: Paul Wouters <paul at xelerance.com>
Cc: farajian amin <amin_o_city at yahoo.com>; users at openswan.org
Sent: Wed, March 10, 2010 2:33:17 AM
Subject: Re: [Openswan Users] automatic X509 certificate xchange

Hi,

On 03/10/2010 05:53 AM, Paul Wouters wrote:
>On Tue, 9 Mar 2010, farajian amin wrote:
>
>>If openswan does request the other side's certificate, why do we need to copy the other side's certificate to /etc/ipsec.d/certs too?
>
>You do not need to do that.
>
>>I have the following configuration on a client as a road-warrior:
>>
>>conn road-x509
>>       left=192.168.1.210
>>       right=%any
>>       type=tunnel
>>       leftcert=VPN2Cert.pem
>>       rightcert=VPN1Cert.pem
>>
>Assuming 192.168.1.210 is the gateway, you need right=%defaultroute, not right=%any
>You do not need the leftcert= line. I would add rightsendcert=always.
>
(Assuming left is the gateway.) If both certificates are signed by the
same Certificate Authority, I would remove leftcert and add leftca=%same (the
documentation says it is on by default, but when testing I found I needed it).

That way you only need to put VPN1Cert.pem on the host.

Likewise, for the gateway (below), remove rightcert and add rightca=%same

Regards,
Antony.


>>and for the gateway:
>>
>>conn road-x509
>>       left=192.168.1.210
>>       right=%any
>>       type=tunnel
>>       leftcert=VPN2Cert.pem
>>       rightcert=VPN1Cert.pem
>>
>You do not need rightcert=
>
>Paul

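The corrections given in this thread (right=%defaultroute rather than right=%any on the road-warrior, rightsendcert=always, and no copy of the gateway's certificate on the client) can be checked mechanically. The following is an added example, not code from the thread or from the Openswan project: a hypothetical linter that parses ipsec.conf conn blocks and reports those mistakes. The two config strings are constructed copies of the conns posted above.

```python
# Hypothetical checker (not part of Openswan) that lints an ipsec.conf road-
# warrior conn for the mistakes the thread points out; configs are constructed.

# Road-warrior conn as first posted (right=%any, no rightsendcert, leftcert set)
POSTED_ROADWARRIOR = """\
conn road-x509
        left=192.168.1.210
        right=%any
        type=tunnel
        leftcert=VPN2Cert.pem
        rightcert=VPN1Cert.pem
"""
# Corrected road-warrior conn from the final reply (trimmed to the relevant keys)
FIXED_ROADWARRIOR = """\
conn road-x509
        type=tunnel
        authby=rsasig
        left=192.168.1.210
        leftid="C=X, ST=X, O=X, OU=X, CN=X, E=X"
        right=%defaultroute
        rightsendcert=always
        rightcert=VPN1Cert.pem
        #leftca=%same  not required with a single CA cert
        auto=add
"""

def parse_conns(text):
    """Return {conn_name: {key: value}}; '#' comments are dropped."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace() and line.startswith("conn "):
            current = conns.setdefault(line.split()[1], {})
        elif current is not None and "=" in line:
            key, val = line.strip().split("=", 1)
            current[key.strip()] = val.strip().strip('"')
    return conns

def lint_roadwarrior(conn, gw="left"):
    """Findings for a road-warrior conn; `gw` names the gateway side."""
    me = "right" if gw == "left" else "left"
    findings = []
    if conn.get(me) == "%any":          # %any belongs on the gateway end only
        findings.append(f"{me}=%any: use {me}=%defaultroute on the road-warrior")
    if conn.get(f"{me}sendcert") != "always":
        findings.append(f"add {me}sendcert=always so the client offers its cert")
    if f"{me}cert" not in conn:
        findings.append(f"{me}cert= (the client's own certificate) is missing")
    if f"{gw}cert" in conn:             # gateway cert need not be on the client
        findings.append(f"drop {gw}cert=; the gateway is verified via the CA")
    return findings
```

Running lint_roadwarrior on the first posted conn yields three findings; on the corrected conn it yields none.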