[Openswan Users] General direction for x.509

Richard Pickett richard.pickett at csrtechnologies.com
Fri Jun 10 21:34:55 EDT 2011

Hello All,

I'm setting up an openswan install on an ubuntu server.

I prefer to use x.509 on both sides to certify the validity of both ends of
the connection. I already have scripts to auto-create openssl
certs/pem/pkcs12 for each client.

I need to be able to "disable" clients and then re-enable them later. I was
thinking about using the CRL, but it doesn't appear openswan detects when
the CRL is updated, so anytime you have to revoke a cert you also have to
restart openswan - does that also kill all the current connections?

Another avenue I've thought about is to not use the CRL (but still use
certs), but add XAUTH for the users and just remove/comment users who are
"disabled". Would that also require a restart to re-read the XAUTH config?

One last question. I've been looking for a really good config example that
uses x.509, but the documentation seems a little sparse. Maybe I'm just not
looking in the right places? Can you recommend a good "howto" type resource
on configuring openswan w/ x.509?
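As an added illustration (not part of the original post, and not an Openswan project example), the following ipsec.conf fragment shows the X.509-on-both-sides setup the question describes, with the CRL re-read interval set so a newly published CRL is picked up without restarting pluto. The hostname, conn name and certificate filename are assumed; file locations follow Openswan's standard /etc/ipsec.d layout.

```ini
# Added example, not from the original post. Assumed names: gateway.example.com,
# the "roadwarriors" conn and the certificate filename.
config setup
    # Re-read CRLs from /etc/ipsec.d/crls/ every 10 minutes instead of only
    # at startup, so a revoked client is refused on its next negotiation.
    crlcheckinterval=600
    # Reject a peer certificate when no usable CRL is available, rather than
    # silently accepting it; set to "no" only while the CRL pipeline is untested.
    strictcrlpolicy=yes

conn roadwarriors
    authby=rsasig
    left=%defaultroute
    leftcert=gateway.example.com.pem      # in /etc/ipsec.d/certs/, key in ipsec.secrets
    leftrsasigkey=%cert
    leftsendcert=always
    right=%any
    rightrsasigkey=%cert
    rightid=%fromcert                     # take the peer ID from its certificate
    rightca=%same                         # peer cert must chain to the CA that issued ours
    auto=add
```

Revocation stops new negotiations; an already-established tunnel lasts until its SA expires or is torn down, so short IKE/IPsec lifetimes bound how long a disabled client stays connected.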

