Some questions about x.509 certificate authenticate

> 2. I use openswan in a embeded system. There are many
clients with x.509 
> certificates. So, openswan must store lots of
cetificates. But, there is 
> not enough space in this embeded environment. Is there
any good 
> suggestion? 
> 3. For question 2, I want the openswan to store its own
certificate only 
> and get its counterparts' publick keys through IKE
phase 1 negotiation. 
> Therefore, it will save a lot storage space. Does this
method work?

You are not required to use locally stored certificates. You
can also
use CA certificates to authenticate peers. This would save
storage
space but then you may have to take revoked certificates
into
account, e.g. by using a CRL or an OCSP server. See also:

http://www.strongswan.org/docs/readme2.htm#section_4.3


Jacco
-- 
Jacco de Leeuw                         mailto:jacco2dds.nl
Zaandam, The Netherlands           http://www.jacco2.dds.nl


_______________________________________________
Usersopenswan.org
http
://lists.openswan.org/mailman/listinfo/users
Building and Integrating Virtual Private Networks with
Openswan: 
http://www.amazon.com/gp/product/1904811
256/104-3099591-2946327?n=283155

On Mon, 9 Apr 2007, Ëï¹ú»Ô(VPN¼¼Êõ²¿) wrote:

>       I have two hosts--192.168.10.9 and 192.168.10.10
which are connected to a hub. They have openswan2.3.1
installed. I have already setup a tunnel using main mode and
aggressive mode with x.509 certificate authentication.
Detailed configurations are as follows.

> conn test
>  left=192.168.10.9
>  leftcert=9.pem
>  right=192.168.10.10
>  rightcert=10.pem

>      I use tcpdump to capture the data packet of IKE
phase 1. I find that the two hosts don't exchange each
other's certificate whether using main mode or aggressive
mode. I mean they just exchange each other's the RDN
sequence which is part of the x.509 certificate.

That's because you loaded the certificates explicitely. You
should only
specify the local cert in leftcert= (or rightcert=) and not
the remote cert.

> 3. For question 2, I want the openswan to store its own
certificate only and get its counterparts' publick keys
through IKE phase 1 negotiation. Therefore, it will save a
lot storage space. Does this method work?

Yes.

Paul
-- 
Building and integrating Virtual Private Networks with
Openswan:
http://www.amazon.com/gp/product/1904811
256/104-3099591-2946327?n=283155
_______________________________________________
Usersopenswan.org
http
://lists.openswan.org/mailman/listinfo/users
Building and Integrating Virtual Private Networks with
Openswan: 
http://www.amazon.com/gp/product/1904811
256/104-3099591-2946327?n=283155

On Thu, 12 Apr 2007, Ëï¹ú»Ô(VPN¼¼Êõ²¿) wrote:

> >>       I have two hosts--192.168.10.9 and
192.168.10.10 which are connected to a hub. They have
openswan2.3.1 installed. I have already setup a tunnel using
main mode and aggressive mode with x.509 certificate
authentication. Detailed configurations are as follows.

>                 It works as what you said under main
mode. But, I still have a question. We know there are six
packets during IKE phase 1 negotiation if using main mode.I
have all these six packets captured. I find that the
right(responder) will send an cert request payload in the
fourth packet to the left(initiator). Because the following
two packets are encrypted, so I guess the initiator will
send its cert in the fifth packet and the responder will
send its cert in the six packet which is the last packet in
phase 1. Therefore, both two sides do not need to store its
counterpart's cert. Does what I think right???

Dont use sniffing. Set plutodebug=control in ipsec.conf to
log what is happening at the IKE level.

>                 But, it doesn't work under aggressive
mode

That is correct. Various fixes went into openswan since
version 2.3.1 that
fix Aggressive Mode cases. Please upgrade and try again. Use
the latest
rc version 2.4.8rc1 because it specifically fixes Aggressive
Mode with NAT-T,
which was broken up to and including openswan 2.4.7.

ftp://ftp.openswan.org/openswan/testing/

Paul

_______________________________________________
Usersopenswan.org
http
://lists.openswan.org/mailman/listinfo/users
Building and Integrating Virtual Private Networks with
Openswan: 
http://www.amazon.com/gp/product/1904811
256/104-3099591-2946327?n=283155

----- Original Message ----- 
From: "Paul Wouters" <paulxelerance.com>
To: "孙国辉(VPN技术部)" <sun_guohuitopsec.com.cn>
Cc: <usersopenswan.org>
Sent: Wednesday, April 11, 2007 10:26 PM
Subject: Re: [Openswan Users] Some questions about x.509
certificate authenticate


> On Mon, 9 Apr 2007, Ëï¹ú»Ô(VPN¼¼Êõ²¿)
wrote:
> 
>>       I have two hosts--192.168.10.9 and
192.168.10.10 which are connected to a hub. They have
openswan2.3.1 installed. I have already setup a tunnel using
main mode and aggressive mode with x.509 certificate
authentication. Detailed configurations are as follows.
> 
>> conn test
>>  left=192.168.10.9
>>  leftcert=9.pem
>>  right=192.168.10.10
>>  rightcert=10.pem
> 
>>      I use tcpdump to capture the data packet of
IKE phase 1. I find that the two hosts don't exchange each
other's certificate whether using main mode or aggressive
mode. I mean they just exchange each other's the RDN
sequence which is part of the x.509 certificate.
> 
> That's because you loaded the certificates explicitely.
You should only
> specify the local cert in leftcert= (or rightcert=) and
not the remote cert.
> 
Thanks Paul.
                It works as what you said under main mode.
But, I still have a question. We know there are six packets
during IKE phase 1 negotiation if using main mode.I have all
these six packets captured. I find that the right(responder)
will send an cert request payload in the fourth packet to
the left(initiator). Because the following two packets are
encrypted, so I guess the initiator will send its cert in
the fifth packet and the responder will send its cert in the
six packet which is the last packet in phase 1. Therefore,
both two sides do not need to store its counterpart's cert.
Does what I think right???
                But, it doesn't work under aggressive mode
if I do not specify the cert file of the right(the
responder). It works if I specify the cert file of the
right(the responder). I think this is reasonable.I capture
all the three packets during IKE pahse 1 negoitiation if
using aggressive mode and specifying the right's cert file.
I find that the left(initiator) will send a ID payload to in
the first packet to the right(responder). Then, in the
second packet the right(responder) send its ID payload to
the left(initiator). There is no cert request payload.The
third packet is encrypted,so........... Now, I can make sure
that cert will not be sent in the first two packets
 and the two sides can not exchang each other's cert in ONE
packet--the last encrypted packet. I doubt that the two
sides do not really exchang their cert during phase 1. They
only exchange each other's RDN sequence. So the left must
store the right's cert in local if using aggressive mode.
Does what I think right? And do you know how openswan's
aggressive mode really works when using cert?
            Sorry for my poor English  (*_*) and waiting for
your reply! 
>> 3. For question 2, I want the openswan to store its
own certificate only and get its counterparts' publick keys
through IKE phase 1 negotiation. Therefore, it will save a
lot storage space. Does this method work?
> 
> Yes.
> 
> Paul
> -- 
> Building and integrating Virtual Private Networks with
Openswan:
> http://www.amazon.com/gp/product/1904811
256/104-3099591-2946327?n=283155


_______________________________________________
Usersopenswan.org
http
://lists.openswan.org/mailman/listinfo/users
Building and Integrating Virtual Private Networks with
Openswan: 
http://www.amazon.com/gp/product/1904811
256/104-3099591-2946327?n=283155