[VPN] certificates without CA

Siddhartha Jain losttoy2000 at yahoo.co.uk
Thu Jul 17 14:20:11 EDT 2003


Certificates are issued by CAs. I don't think it's
possible to use certificates for authentication
without CAs.

--- Andreas Ott <aot at te.dk> wrote:
> Hi
> 
> I was wondering whether it is possible to authenticate a
> vpn-connection by exchanging certificates only, instead of
> setting up a CA.
> 
> On one machine, I have Freeswan 1.99 with X.509 patch and the
> following configuration:
> 
> conn test
>          leftcert=thismachine.pem
>          leftsubnet=10.10.0.0/16
>          left=%defaultroute
>          rightcert=othermachine.pem
>          rightsubnet=x.x.x.x/32
>          right=%any
>          pfs=yes
>          auto=add
> 
> On the other machine (Windows 2000) I tried to use VPNDialer and the
> vpn-tool from ebootis.de, which basically are tools to deal with
> Windows' built-in IPSec-policy. But I'm unsure where to place the
> certificates and how to configure the tools.
> 
> No matter what I try, pluto complains about OAKLEY_RSA_SIG not allowed
> and OAKLEY_DES_CBC not supported. As for the latter message, I verified
> that 3DES is supported in my Windows setup.
> 
> Any hints and directions would be greatly appreciated. Also, if my
> ipsec.conf might be wrong, please correct.
> 
> TIA
> Andreas