From: Dan S. <dan...@uc...> - 2009-02-11 14:16:35
Hello,

I am not 100% sure I'm asking this question in the right place, but I'll take a stab at sending to this list again. The support I got here last time was great, so I'm hoping that somebody could either answer my question or point me in the right direction.

Basically, a while back I had some questions about setkey/racoon.conf and building Phase 2 SA using a PSK. I got that up working fine, but now I want to take it a step further. I'm trying to get this set up using certificates. It looks to me like the racoon configuration to do this is straightforward; essentially do the following:

1) cp /path/to/cacert.pem /etc/racoon/certs
2) cd /etc/racoon/certs
3) ln -s cacert.pem `openssl x509 -hash -noout -in cacert.pem`.0
4) change racoon.conf to change authentication type, set certificate type, set identifier, and turn verify_cert on

So, I understand that part and I am pretty confident that it will work. What I am really confused about and can't find any documentation for is how the ipsec0 interface should be configured. Currently, my ifcfg-ipsec0 configuration file looks like this: