[Openswan Users] IPsec authorized computers
Willie Gillespie
wgillespie+openswan at es2eng.com
Fri Jun 3 18:11:33 EDT 2011
Hello all,
This may go to show my lack of understanding, but I'm curious how people
set things up.
So I am thinking about setting up a roadwarrior configuration. I will
have people all over that will need to connect in and have some access
to a server/network. Most of them will be using the default Windows
client (IPsec+L2TP).
Obviously I could use a PSK, but that has the problem where if employee
#1 is fired, he can still connect in via IPsec at least.
So say I go with a certificate option instead. However, let's say that
I do not have an internal CA since all of my computers actually have
their own certificate from a well-known CA. I got to thinking that in
this case, I don't even want to have something like right=%any and
rightca=%same since anybody can potentially go and get a certificate
from the same CA. Do I set up a different conn for each of my users?
Instead of right=%any, I have right=employee1.pem and another one for
employee 2, etc.?
What is the best practice? Are people expected to have their own CA
just for the purpose of using rightca=%same? Still, in the example
above where the employee gets fired, I could revoke the certificate, but
does Openswan check the CA for revocation?
Willie
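An added illustration (not part of Willie's post or of any reply in this thread) of the two setups being contrasted, written as Openswan ipsec.conf fragments: the first conn accepts any certificate that chains to the same public CA, while the second pins each user to one certificate subject with rightid, names the CA explicitly in rightca, and turns on strict CRL checking in the setup section. The DNs, address and file names are placeholders, not values from the post.

```ini
config setup
    # Assumed CRL handling: refuse a peer whose issuer has no usable CRL
    # (placed in /etc/ipsec.d/crls or fetched from the certificate's
    # distribution point) and re-check CRLs every 10 minutes.
    strictcrlpolicy=yes
    crlcheckinterval=600

# Settings shared by the L2TP/IPsec conns below (Windows built-in client).
conn l2tp-common
    type=transport
    authby=rsasig
    left=203.0.113.10          # placeholder server address
    leftcert=server.pem        # placeholder, server certificate in /etc/ipsec.d/certs
    leftrsasigkey=%cert
    rightrsasigkey=%cert       # take the peer's key from the certificate it sends
    leftprotoport=17/1701
    rightprotoport=17/%any
    rightsubnet=vhost:%priv    # roadwarriors behind NAT
    pfs=no
    rekey=no

# Weak: right=%any plus rightca=%same admits ANY certificate issued by the
# same public CA that issued the server's cert, i.e. anyone who buys one there.
conn l2tp-anyone-from-public-ca
    also=l2tp-common
    right=%any
    rightca=%same
    auto=ignore                # kept only to show the pattern being avoided

# Restricted: one conn per user, each pinned to the exact certificate subject.
# Removing a departed user's conn (or revoking the cert) ends that user's access.
conn l2tp-employee1
    also=l2tp-common
    right=%any
    rightid="C=US, O=Example Corp, CN=employee1.example.com"        # placeholder DN
    rightca="C=US, O=Well-Known CA Inc, CN=Well-Known Issuing CA"   # placeholder DN
    auto=add
```

With several such conns loaded, Openswan selects the one whose rightid matches the subject in the presented certificate, so a valid certificate from the same CA but with an unlisted subject matches no conn.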