Paul, you are right. With the introduction of multiple certificates
and private keys in version 0.9.10 of the patch, the X.509 enabled
FreeS/WAN gateway does not know in advance any more if it has a
certificate to send for this specific connection, nor has it ever
had a way of knowing beforehand if it has a preloaded peer RSA
public key when acting as a responder to an incoming road warrior.
This is why I introduced the nocrsend parameter in version 0.9.12.
Thus, in order to be on the safe side when answering standard
FreeS/WAN roadwarriors, set
    config setup
        nocrsend=yes
in ipsec.conf and no certificate request will ever be sent.
The default value is nocrsend=no.
Regards
Andreas
P.S. Life would become much easier if standard FreeS/WAN would at
last just ignore CR messages instead of dropping the
connection.
Paul Wouters wrote:
> On Thu, 4 Jul 2002, Andreas Steffen wrote:
>
>
>>Without a certificate in /etc/x509cert.der there is nothing to fear from
>>X.509 enabled FreeS/WAN. It will not send any certificate request payloads.
>
>
> I have seen it however sent some _CSR error causing a non-x509 freeswan
> server to stop negotiating with it.
>
> Paul
======================================================================
Andreas Steffen e-mail: andreas.steffen_at_strongsec.com
strongSec GmbH phone: +41 76 340 25 56
Alter Zürichweg 20 home: http://www.strongsec.com
CH-8952 Schlieren (Switzerland)
==========================================[strong internet security]==
_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
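One way to audit an existing ipsec.conf for the setting Andreas describes, as an added example that is not part of his post or of the FreeS/WAN X.509 patch: the script parses the file into its sections (column-0 headers such as `config setup` and `conn NAME`, followed by indented key=value parameters, with `#` comments) and reports whether nocrsend=yes is present in `config setup`, treating an absent parameter as the default nocrsend=no. The two sample configurations and the function names are constructed for this example.

```python
"""Check an ipsec.conf for nocrsend=yes in its 'config setup' section."""
import re

# Constructed sample ipsec.conf with the setting from the post (not a real file).
SAMPLE_CONF_SAFE = """\
# /etc/ipsec.conf - constructed example
config setup
        interfaces=%defaultroute
        klipsdebug=none
        plutodebug=none
        nocrsend=yes        # never send certificate request payloads

conn roadwarrior
        left=%defaultroute
        right=%any
        auto=add
"""

# Constructed sample without the parameter: the default nocrsend=no applies.
SAMPLE_CONF_DEFAULT = """\
config setup
        interfaces=%defaultroute

conn roadwarrior
        left=%defaultroute
        right=%any
"""

# Section headers start at column 0: 'config setup' or 'conn NAME'.
SECTION_RE = re.compile(r"^(config|conn)\s+(\S+)\s*$")


def parse_ipsec_conf(text):
    """Return {("config", "setup"): {key: value, ...}, ("conn", name): {...}}.

    Parameter lines are indented key=value lines belonging to the most
    recent section header; '#' starts a comment; blank lines are ignored.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue                      # blank or comment-only line
        if not raw[0].isspace():          # column 0: a section header
            match = SECTION_RE.match(line)
            if not match:
                raise ValueError(f"unrecognised section header: {line!r}")
            current = (match.group(1), match.group(2))
            sections[current] = {}
            continue
        if current is None:
            raise ValueError(f"parameter outside any section: {line!r}")
        key, sep, value = line.strip().partition("=")
        if not sep:
            raise ValueError(f"malformed parameter line: {line!r}")
        sections[current][key.strip()] = value.strip()
    return sections


def cr_payloads_suppressed(sections):
    """True if the gateway will never send a certificate request payload.

    That is the case only with nocrsend=yes in 'config setup'; a missing
    parameter means the default nocrsend=no.
    """
    setup = sections.get(("config", "setup"), {})
    return setup.get("nocrsend", "no").lower() == "yes"


if __name__ == "__main__":
    for label, conf in (("safe", SAMPLE_CONF_SAFE), ("default", SAMPLE_CONF_DEFAULT)):
        ok = cr_payloads_suppressed(parse_ipsec_conf(conf))
        print(f"{label}: nocrsend=yes present -> {ok}")
```

Run it against a real file by reading `/etc/ipsec.conf` and passing its contents to `parse_ipsec_conf`; a `False` result means the gateway will still send certificate requests to standard FreeS/WAN roadwarriors.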
This archive was generated by hypermail 2.1.3 : Mon Jul 29 2002 - 05:20:18 CEST