Lumir Unzeitig wrote:
Hi, I have got about 20 virtual interfaces bound to the internal interface.
Each of them represents a gateway for a VLAN segment.
I must ensure a remote user (= member of a specific VLAN) can access strictly the
specific VLAN when connected remotely.
If I used client authentication via shared secret I could pair by this key a
running daemon on the server site with the client and set up proper routing.
But I'd like to use TLS. But I need a strict client with its certificate
connected to only a strict running daemon.
As I understood it, all clients with valid certificates can connect to
any daemon on the gateway (if they know port, address, ... and have proper CA
certificates, keys, ...) if they are not on the CRL.
Does anybody know how to solve the strict daemon to strict client
(certificate) relationship by using TLS?
(I found 2 options:
1. to create for each daemon a CRL file filled with all other certificates
or
2. to create a separate CA for each of the VLANs
but both are quite complicated :) .)
I do not understand CRL, so I have combined TLS with preshared secrets,
where the generated secret is used by --tls-auth, and every client has
its own generated secret.
--
mvh
Morten Christensen
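The per-daemon --tls-auth approach from the reply above, written out as an added example (not configuration from the original thread): one daemon per VLAN, each with its own static HMAC key, so a client that holds only vlan10.key cannot complete a TLS handshake with the vlan20 daemon even though its certificate is signed by the same CA. Ports, subnets, file paths and the function names are assumptions chosen for the illustration.

```shell
#!/bin/sh
# Constructed example: one OpenVPN daemon per VLAN, each with its own
# --tls-auth HMAC key, so a client holding only vlan10.key cannot even
# start a TLS handshake with the vlan20 daemon. Paths and subnets are
# assumed placeholder values, not taken from the original thread.
set -eu

# Emit a server config for one VLAN daemon. Args: vlan_id port tunnel_subnet
server_conf() {
    vlan="$1"; port="$2"; subnet="$3"
    cat <<EOF
# daemon for VLAN $vlan
port $port
proto udp
dev tun
server $subnet 255.255.255.0
ca /etc/openvpn/ca.crt
cert /etc/openvpn/gw.crt
key /etc/openvpn/gw.key
dh /etc/openvpn/dh.pem
# per-VLAN static HMAC key; direction 0 on the server, 1 on its clients
tls-auth /etc/openvpn/vlan$vlan.key 0
keepalive 10 60
EOF
}

# Emit the matching client config. Args: vlan_id gateway_host port
client_conf() {
    vlan="$1"; host="$2"; port="$3"
    cat <<EOF
client
proto udp
dev tun
remote $host $port
ca ca.crt
cert client.crt
key client.key
# only members of VLAN $vlan ever receive this key file
tls-auth vlan$vlan.key 1
EOF
}

# Generate one static key per VLAN (requires the openvpn binary on PATH).
gen_vlan_keys() {
    for vlan in "$@"; do
        openvpn --genkey --secret "/etc/openvpn/vlan$vlan.key"
    done
}
```

Every client in a VLAN shares that VLAN's HMAC key, so a compromised client exposes the key for its own VLAN daemon only; rotating it means reissuing the file to that VLAN's members.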
_______________________________________________
Openvpn-users mailing list
Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/openvpn-users