{left}sendcert=forced is a new certificate sending policy. When sending the certificate is forced, then the certificate file is sent without any interpretation. Normally one would send a certificate (X.509 or PGP) based upon: 1) if they asked for it, which CA did they request? 2) what we found on the disk, and interpreted 3) it would include whatever chains, etc. that might have been configured. sendcert=forced causes pluto to send the entire contents of the file given as {left}cert=. The certificate payload type is forced to be of the type given by {left}certtype=. This feature is mostly used in testing, but it may be useful for doing interop with very weird kinds of peers. It will also get use in prototyping of Me-Tarzan-You-Jane. {left}certtype= numbers are taken from the IKEv1 IANA registry. A copy of them can be found in linux/include/openswan/ipsec_policy.h as the "ipsec_cert_type" enum. It is reproduced below: /* Certificate type values * RFC 2408 ISAKMP, chapter 3.9 */ enum ipsec_cert_type { CERT_NONE= 0, /* none, or guess from file contents */ CERT_PKCS7_WRAPPED_X509= 1, /* self-signed certificate from disk */ CERT_PGP= 2, CERT_DNS_SIGNED_KEY= 3, /* KEY RR from DNS */ CERT_X509_SIGNATURE= 4, CERT_X509_KEY_EXCHANGE= 5, CERT_KERBEROS_TOKENS= 6, CERT_CRL= 7, CERT_ARL= 8, CERT_SPKI= 9, CERT_X509_ATTRIBUTE= 10, CERT_RAW_RSA= 11, /* raw RSA from config file */ };
