[strongSwan] Trusting all gateways with certs signed by a given CA
Martin Willi
martin at strongswan.org
Wed Jul 21 18:48:21 CEST 2010
Hi David,
> I'm not interested in using DNs
It is not really possible to not use DNs, as each certificate must have
one. The peers need a way to build trust chains for the given IKE
identity.
> I'm running openssl to generate the CA
I'm not an OpenSSL expert, but it looks fine so far. As an alternative, you
might have a look at our PKI utility [1]; it is often simpler to use for
small PKIs.
> Is this the way to go about creating the certs required, and what do I
> need to have in my ipsec.conf to make this work? Thank you.
Add your CA certificate to /etc/ipsec.d/cacerts on each box, and the
local peer certificate to /etc/ipsec.d/certs. In ipsec.conf, add
leftcert=xy.pem to your configuration. leftid should be set to the DN in
your certificate. rightid=%any is fine, as long as you have strict control
over the issued certificates.
> PS: does anyone have recommendations for generating entropy in a VM?
Don't have any experience with it, sorry.
Best regards
Martin
[1]http://wiki.strongswan.org/projects/strongswan/wiki/IpsecPKI
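A minimal ipsec.conf along the lines Martin describes, added here as an illustration (it is not from the original mail or from the strongSwan project); the DNs, file names and subnets are assumptions, and the rightca line is an extra constraint beyond what the mail mentions:

```conf
# /etc/ipsec.conf on the gateway "gw1" (constructed example; DNs, file
# names and subnets are assumptions)
config setup

conn roadwarriors
    keyexchange=ikev2
    # Both sides authenticate with certificates; trust anchors are the CA
    # certificates placed in /etc/ipsec.d/cacerts
    leftauth=pubkey
    rightauth=pubkey
    # Local certificate, looked up relative to /etc/ipsec.d/certs;
    # leftid must match the subject DN of that certificate
    leftcert=gw1Cert.pem
    leftid="C=CH, O=Example, CN=gw1.example.org"
    leftsubnet=10.1.0.0/16
    # Accept any peer identity, as in the mail ...
    rightid=%any
    right=%any
    # ... but only if the peer's trust chain leads to this specific CA, so
    # a certificate from any other CA that later ends up in cacerts is not
    # sufficient on its own
    rightca="C=CH, O=Example, CN=Example CA"
    auto=add
```

The gateway's private key belongs in /etc/ipsec.d/private and is referenced from ipsec.secrets with a line such as `: RSA gw1Key.pem`.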