Re: [Ipsec-tools-devel] Is it possible to have multiple roadwarriors using individual x509 certificates?

[George B. <ge...@dx...>]

VANHULLEBUS Yvan wrote:
>=20
> Linux IPSec stack is NOT KAME's stack !

Oops, my mistake, KAME's the BSD stuff, right? Too much reading, all
messed up in my brain. (I think this is where I got it from
http://www.ipsec-howto.org/x299.html - the big title.) :-S

> With certificates, one simple way of doing things is to NOT specify
> peer_identifier, then allow any certificate from the specified CA (if
> possible, of course).
>
> If you need more precise selection of allowed certificates, please
> have a look at racoon.conf's man page, which will explain you how to
> use wildcards in peer_identifier and/or specify multiple
> peer_identifier values.

I saw that in the man page, but I was unclear as to how it got the
certificates to check against. What's confusing me is the
certificate_type line which I understood was supposed to point to the
matching certificate for the connection (i.e. the same as the
certificate the peer is using.) Am I misunderstanding the use of
certificate_type?


Thanks for your help,

George.


P.S. Am I supposed to CC people when replying or just reply to the list
address? Never really used mailing lists before (just the Debian BTS,)
so not sure how it works.