I finally got this working with Openswan and X.509 certificates.
On the OpenBSD side:
ipsec.conf:
ike passive esp from 86.134.74.32 to any
Linux/Openswan side:
ipsec.conf:
version 2
include /etc/ipsec.d/examples/no_oe.conf
# an Openswan connection section is "conn <name>", not "config <name>"
conn work
    auto=add
    # this host (the roadwarrior): own cert, RSA key taken from the cert
    left=%defaultroute
    leftcert=roadwarrior.crt
    leftrsasigkey=%cert
    [EMAIL PROTECTED]
    # the OpenBSD peer: its cert, RSA key taken from the cert
    right=SERVER_IP
    rightcert=server.crt
    rightrsasigkey=%cert
    [EMAIL PROTECTED]
    # always UDP-encapsulate ESP (NAT traversal)
    forceencaps=yes
    # IKE (phase 1) and ESP (phase 2) proposals
    ike=aes128-sha1-modp1024
    esp=aes128-sha1
This works fine between two peers; I haven't tried multiple peers yet.
As for certificates, both hosts need the public keys and the CA cert as
well as their own private key.
I am tempted to get this working with CAcert.org eventually.
Tom
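As an added example (not part of Tom's post, and not OpenBSD or Openswan code), the script below builds the certificate material his last paragraph describes: a private CA, one key pair and CA-signed certificate for each peer, and copies laid out the way the two IKE daemons look for them. The output directory, the CA and peer names, and the file names (server, roadwarrior) are assumptions; the directory layouts follow the usual Openswan (/etc/ipsec.d/{cacerts,certs,private}) and isakmpd (/etc/isakmpd/{ca,certs,private/local.key}) conventions, so you would copy the generated subtrees to /etc on the respective hosts.

```shell
#!/bin/sh
# Added example: generate a CA plus server/roadwarrior X.509 certs with
# openssl and stage them for Openswan (Linux) and isakmpd (OpenBSD).
# Output dir, CA name and peer CNs are assumptions passed by the caller.
set -eu

# make_vpn_pki <outdir> <ca_cn> <server_cn> <roadwarrior_cn>
make_vpn_pki() {
    out=$1; ca_cn=$2; srv_cn=$3; rw_cn=$4
    mkdir -p "$out/ca" \
        "$out/linux/ipsec.d/cacerts" "$out/linux/ipsec.d/certs" \
        "$out/linux/ipsec.d/private" \
        "$out/openbsd/isakmpd/ca" "$out/openbsd/isakmpd/certs" \
        "$out/openbsd/isakmpd/private"

    # 1. CA key and self-signed CA certificate (10 years)
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -keyout "$out/ca/ca.key" -out "$out/ca/ca.crt" \
        -subj "/CN=$ca_cn" 2>/dev/null

    # 2. per peer: private key + CSR, then a CA-signed certificate (2 years)
    for peer in "server:$srv_cn" "roadwarrior:$rw_cn"; do
        name=${peer%%:*}; cn=${peer#*:}
        openssl req -new -newkey rsa:2048 -nodes \
            -keyout "$out/ca/$name.key" -out "$out/ca/$name.csr" \
            -subj "/CN=$cn" 2>/dev/null
        openssl x509 -req -days 730 -in "$out/ca/$name.csr" \
            -CA "$out/ca/ca.crt" -CAkey "$out/ca/ca.key" -CAcreateserial \
            -out "$out/ca/$name.crt" 2>/dev/null
    done

    # 3a. Openswan layout for the roadwarrior host: CA cert in cacerts/,
    #     both peer certs in certs/, own key in private/ and named
    #     from ipsec.secrets (matches leftcert/rightcert in the conn).
    cp "$out/ca/ca.crt" "$out/linux/ipsec.d/cacerts/"
    cp "$out/ca/server.crt" "$out/ca/roadwarrior.crt" "$out/linux/ipsec.d/certs/"
    cp "$out/ca/roadwarrior.key" "$out/linux/ipsec.d/private/"
    printf ': RSA roadwarrior.key\n' > "$out/linux/ipsec.secrets"

    # 3b. isakmpd layout for the OpenBSD host: CA cert in ca/, peer certs
    #     in certs/, own private key is always private/local.key.
    cp "$out/ca/ca.crt" "$out/openbsd/isakmpd/ca/"
    cp "$out/ca/server.crt" "$out/ca/roadwarrior.crt" "$out/openbsd/isakmpd/certs/"
    cp "$out/ca/server.key" "$out/openbsd/isakmpd/private/local.key"
}

# verify_vpn_pki <outdir>: both peer certs must chain to the CA and each
# private key must match the public key in its certificate. Returns 0/1.
verify_vpn_pki() {
    out=$1
    for name in server roadwarrior; do
        openssl verify -CAfile "$out/ca/ca.crt" "$out/ca/$name.crt" \
            >/dev/null 2>&1 || return 1
        cert_pub=$(openssl x509 -in "$out/ca/$name.crt" -noout -pubkey)
        key_pub=$(openssl pkey -in "$out/ca/$name.key" -pubout)
        [ "$cert_pub" = "$key_pub" ] || return 1
    done
    return 0
}

# Usage: sh make_vpn_pki.sh /tmp/vpnpki
if [ $# -eq 1 ]; then
    make_vpn_pki "$1" "Example VPN CA" "server.example" "roadwarrior.example"
    verify_vpn_pki "$1" && echo "PKI in $1 verified"
fi
```

Run `verify_vpn_pki` before copying anything: a certificate that does not chain to the CA file you install, or a key that does not match its certificate, is exactly the kind of mismatch that shows up later only as a terse "no RSA public key known" or signature failure in the IKE logs.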