[Openswan Users] IPsec authorized computers

Willie Gillespie wgillespie+openswan at es2eng.com
Fri Jun 3 18:11:33 EDT 2011

Hello all,

This may go to show my lack of understanding, but I'm curious how people 
set things up.

So I am thinking about setting up a roadwarrior configuration.  I will 
have people all over that will need to connect in and have some access 
to a server/network.  Most of them will be using the default Windows 
client (IPsec+L2TP).

Obviously I could use a PSK, but that has the problem where if employee 
#1 is fired, he can still connect in via IPsec at least.

So say I go with a certificate option instead.  However, let's say that 
I do not have an internal CA since all of my computers actually have 
their own certificate from a well-known CA.  I got to thinking that in 
this case, I don't even want to have something like right=%any and 
rightca=%same since anybody can potentially go and get a certificate 
from the same CA.  Do I set up a different conn for each of my users? 
Instead of right=%any, I have right=employee1.pem and another one for 
employee 2, etc.?

What is the best practice?  Are people expected to have their own CA 
just for the purpose of using rightca=%same?  Still, if in the example 
above where the employee gets fired, I could revoke the certificate, but 
does Openswan check the CA for revocation?


More information about the Users mailing list