[Openswan Users] Fw: automatic X509 certificate xchange
amin_o_city at yahoo.com
Wed Mar 10 07:36:45 EST 2010
Dear Paul and Antony
Thanks for your help. I finally ran the scenario with the following configs:
leftid="C=X, ST=X, O=X, OU=X, CN=X , E=X"
right=%any # any VPN client who wants to connect, so we don't need to specify rightid=
#rightca=%same "it is not required when you have only one CA cert, as I checked"
And for the road-warrior
leftid="C=X, ST=X, O=X, OU=X, CN=X, E=X"
#leftca=%same "it is not required when you have only one CA cert, as I checked"
----- Forwarded Message ----
From: Antony Richards <arichards at cybertec.com.au>
To: Paul Wouters <paul at xelerance.com>
Cc: farajian amin <amin_o_city at yahoo.com>; users at openswan.org
Sent: Wed, March 10, 2010 2:33:17 AM
Subject: Re: [Openswan Users] automatic X509 certificate xchange
On 03/10/2010 05:53 AM, Paul Wouters wrote:
On Tue, 9 Mar 2010, farajian amin wrote:
>If openswan does request the other side's certificate, why do we need to copy the other side's certificate to /etc/ipsec.d/certs too?
>You do not need to do that.
>I have the following configuration on a client as a road-warrior:
>Assuming 192.168.1.210 is the gateway, you need right=%defaultroute, not right=%any
>You do not need the leftcert= line. I would add rightsendcert=always.
(Assuming left is the gateway). If both certificates are signed by the
same Certificate Authority, I would remove leftcert, and add leftca=%same
(the documentation says it's on by default, but when testing I found I
needed it).
That way you only need to put VPN1Cert.pem on the host.
Likewise, for the gateway (below), remove rightcert and add rightca=%same
and for the gateway:
>You do not need rightcert=
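
The two ipsec.conf connection sections that the advice in this thread leads to, written out as an added example; this is not any poster's actual configuration. It assumes left is the gateway at 192.168.1.210 on both hosts, both certificates are signed by the same CA, and VPN1Cert.pem is the road-warrior's own certificate; the conn names and GatewayCert.pem are hypothetical.

```conf
# Added example. Conn names and GatewayCert.pem are hypothetical.
# Assumption: the shared CA certificate is installed in
# /etc/ipsec.d/cacerts/ on both hosts.

# --- Gateway side (left = gateway) ---
conn roadwarriors
    left=192.168.1.210
    # Subject DN of the gateway's own certificate.
    leftid="C=X, ST=X, O=X, OU=X, CN=X, E=X"
    # The gateway's own certificate (hypothetical file name).
    leftcert=GatewayCert.pem
    leftrsasigkey=%cert
    leftsendcert=always
    # Any client may connect, so no rightid= and no rightcert=.
    right=%any
    # Take the client's public key from the certificate it sends in IKE.
    rightrsasigkey=%cert
    # Accept only client certificates issued by the same CA as leftcert.
    rightca=%same
    authby=rsasig
    auto=add

# --- Road-warrior side (left is still the gateway) ---
conn to-gateway
    left=192.168.1.210
    # Must match the subject DN of the certificate the gateway sends.
    leftid="C=X, ST=X, O=X, OU=X, CN=X, E=X"
    # No leftcert=: the gateway's certificate arrives during IKE and is
    # validated against the CA, so no copy is needed in /etc/ipsec.d/certs.
    leftrsasigkey=%cert
    leftca=%same
    right=%defaultroute
    # The only certificate file this host needs besides the CA certificate.
    rightcert=VPN1Cert.pem
    rightrsasigkey=%cert
    rightsendcert=always
    authby=rsasig
    auto=start
```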