From: George B. <ge...@dx...> - 2005-12-19 14:50:43
VANHULLEBUS Yvan wrote:
>
> Linux IPSec stack is NOT KAME's stack !

Oops, my mistake, KAME's the BSD stuff, right? Too much reading, all messed up in my brain. (I think this is where I got it from http://www.ipsec-howto.org/x299.html - the big title.) :-S

> With certificates, one simple way of doing things is to NOT specify
> peer_identifier, then allow any certificate from the specified CA (if
> possible, of course).
>
> If you need more precise selection of allowed certificates, please
> have a look at racoon.conf's man page, which will explain you how to
> use wildcards in peer_identifier and/or specify multiple
> peer_identifier values.

I saw that in the man page, but I was unclear as to how it got the certificates to check against. What's confusing me is the certificate_type line which I understood was supposed to point to the matching certificate for the connection (i.e. the same as the certificate the peer is using.) Am I misunderstanding the use of certificate_type?

Thanks for your help,

George.

P.S. Am I supposed to CC people when replying or just reply to the list address? Never really used mailing lists before (just the Debian BTS,) so not sure how it works.
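
An added example, not part of this message or of the ipsec-tools documentation, sketching in racoon.conf syntax the two setups described in the quoted advice (the directive is spelled `peers_identifier` in racoon.conf). File names, the peer address, the DNs and the algorithm choices are constructed placeholders.

```conf
# Added illustration; every path, address and DN here is a placeholder.
# Directory holding the local certificate/key and the CA certificate
# (the CA file is looked up by its OpenSSL hash name).
path certificate "/etc/racoon/certs";

# Setup 1: no peers_identifier. Any peer whose certificate validates
# against the CA in the certificate path is accepted.
remote anonymous {
        exchange_mode main;
        # certificate_type names the LOCAL certificate and private key;
        # the peer's certificate arrives during the IKE exchange.
        certificate_type x509 "local-gw.pem" "local-gw.key";
        my_identifier asn1dn;       # send our certificate's subject DN
        verify_cert on;             # check the peer's certificate against the CA
        proposal {
                encryption_algorithm aes;
                hash_algorithm sha1;
                authentication_method rsasig;
                dh_group 5;
        }
}

# Setup 2: same CA, but only peers presenting one of the listed DNs.
remote 192.0.2.10 {
        exchange_mode main;
        certificate_type x509 "local-gw.pem" "local-gw.key";
        my_identifier asn1dn;
        verify_cert on;
        # Repeat peers_identifier to allow several identities; a field
        # value of "*" matches anything in that field.
        peers_identifier asn1dn "C=XX, O=Example Org, OU=*, CN=gw1.example.net";
        peers_identifier asn1dn "C=XX, O=Example Org, OU=*, CN=gw2.example.net";
        verify_identifier on;       # enforce the peers_identifier match
        proposal {
                encryption_algorithm aes;
                hash_algorithm sha1;
                authentication_method rsasig;
                dh_group 5;
        }
}
```

Without `verify_identifier on`, a `peers_identifier` line is not enforced against the ID the peer sends.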