sendcert-forced.txt

This a good VPN source

{left}sendcert=forced is a new certificate sending policy.

When sending the certificate is forced, then the certificate file is sent
without any interpretation. Normally one would send a certificate (X.509 or
PGP) based upon:
     1) if they asked for it, which CA did they request?
     2) what we found on the disk, and interpreted
     3) it would include whatever chains, etc. that might have been
	configured.

sendcert=forced causes pluto to send the entire contents of the file given
as {left}cert=. The certificate payload type is forced to be of the type
given by {left}certtype=<INTEGER>.

This feature is mostly used in testing, but it may be useful for doing 
interop with very weird kinds of peers. It will also get use in prototyping
of Me-Tarzan-You-Jane.

{left}certtype= numbers are taken from the IKEv1 IANA registry. A copy of
them can be found in linux/include/openswan/ipsec_policy.h as the
"ipsec_cert_type" enum. It is reproduced below:

/* Certificate type values
 * RFC 2408 ISAKMP, chapter 3.9
 */
enum ipsec_cert_type {
  CERT_NONE=			0,  /* none, or guess from file contents */
  CERT_PKCS7_WRAPPED_X509=	1,  /* self-signed certificate from disk */
  CERT_PGP=			2,
  CERT_DNS_SIGNED_KEY=		3,  /* KEY RR from DNS */
  CERT_X509_SIGNATURE=		4,
  CERT_X509_KEY_EXCHANGE=	5,
  CERT_KERBEROS_TOKENS=		6,
  CERT_CRL=			7,
  CERT_ARL=			8,
  CERT_SPKI=			9,
  CERT_X509_ATTRIBUTE=		10,
  CERT_RAW_RSA=                 11, /* raw RSA from config file */ 
};