{left}sendcert=forced is a new certificate sending policy.
When certificate sending is forced, the certificate file is sent without any interpretation. Normally one would send a certificate (X.509 or PGP) based upon:
sendcert=forced causes pluto to send the entire contents of the file given as {left}cert= as the Certificate Data of the CERT payload. The Certificate Encoding field of that payload is forced to the value given by {left}certtype=<INTEGER>, regardless of what the file actually contains.
This feature is mostly used in testing, but it may be useful for interop with very unusual peers. It will also be used in prototyping Me-Tarzan-You-Jane. Because the file is not parsed, nothing checks that its contents match the chosen certtype; a peer that does parse the payload may reject the exchange.
{left}certtype= numbers are taken from the IKEv1 (ISAKMP) IANA registry of Certificate Encoding values. A copy of them can be found in linux/include/openswan/ipsec_policy.h as the "ipsec_cert_type" enum. It is reproduced below:
/* Certificate type values
 * RFC 2408 ISAKMP, chapter 3.9
 */
enum ipsec_cert_type {
    CERT_NONE=                0,  /* none, or guess from file contents */
    CERT_PKCS7_WRAPPED_X509=  1,  /* self-signed certificate from disk */
    CERT_PGP=                 2,
    CERT_DNS_SIGNED_KEY=      3,  /* KEY RR from DNS */
    CERT_X509_SIGNATURE=      4,
    CERT_X509_KEY_EXCHANGE=   5,
    CERT_KERBEROS_TOKENS=     6,
    CERT_CRL=                 7,
    CERT_ARL=                 8,
    CERT_SPKI=                9,
    CERT_X509_ATTRIBUTE=      10,
    CERT_RAW_RSA=             11, /* raw RSA from config file */
};
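The following is an added example, not code from Openswan or pluto. It shows what sendcert=forced puts on the wire: an ISAKMP Certificate payload (RFC 2408 section 3.9) whose Certificate Encoding byte is taken verbatim from certtype= and whose Certificate Data is the raw file contents. The enum mirrors the ipsec_cert_type values above; the "certificate" bytes and the function names are constructed for the example. The builder, like the forced policy, does no validation of the data against the encoding; the parser shows what a receiving peer sees, including an encoding it does not recognise.

```python
"""Build and parse an ISAKMP (IKEv1) CERT payload, RFC 2408 section 3.9.

Added example, not Openswan/pluto code. Models sendcert=forced: the file
bytes are copied into Certificate Data untouched and the Certificate
Encoding byte is whatever certtype= says, matching the data or not.
"""
import struct
from enum import IntEnum


class CertType(IntEnum):
    """Mirror of the ipsec_cert_type enum reproduced on this page."""
    NONE = 0
    PKCS7_WRAPPED_X509 = 1
    PGP = 2
    DNS_SIGNED_KEY = 3
    X509_SIGNATURE = 4
    X509_KEY_EXCHANGE = 5
    KERBEROS_TOKENS = 6
    CRL = 7
    ARL = 8
    SPKI = 9
    X509_ATTRIBUTE = 10
    RAW_RSA = 11


ISAKMP_NEXT_NONE = 0
# Generic payload header: Next Payload (1), RESERVED (1), Payload Length (2).
GENERIC_HEADER = struct.Struct("!BBH")


def build_cert_payload(cert_data: bytes, cert_type: int,
                       next_payload: int = ISAKMP_NEXT_NONE) -> bytes:
    """Encode a CERT payload the way sendcert=forced does: the data is
    not inspected, only the encoding byte and the length field are
    range-checked."""
    if not 0 <= cert_type <= 0xFF:
        raise ValueError("certtype must fit in one byte")
    length = GENERIC_HEADER.size + 1 + len(cert_data)
    if length > 0xFFFF:
        raise ValueError("certificate too large for one CERT payload")
    return (GENERIC_HEADER.pack(next_payload, 0, length)
            + bytes([cert_type]) + cert_data)


def parse_cert_payload(buf: bytes) -> dict:
    """Decode a CERT payload as a peer would, rejecting truncated or
    inconsistent lengths. An unknown encoding is reported, not accepted
    silently, since the peer cannot know how to interpret the data."""
    if len(buf) < GENERIC_HEADER.size + 1:
        raise ValueError("short CERT payload")
    nxt, reserved, length = GENERIC_HEADER.unpack_from(buf)
    if length < GENERIC_HEADER.size + 1 or length > len(buf):
        raise ValueError("bad payload length")
    encoding = buf[GENERIC_HEADER.size]
    try:
        name = CertType(encoding).name
    except ValueError:
        name = None  # not in the registry copy; expect the peer to balk
    return {
        "next_payload": nxt,
        "reserved": reserved,          # RFC 2408: unused, set to 0
        "length": length,
        "encoding": encoding,
        "encoding_name": name,
        "data": buf[GENERIC_HEADER.size + 1:length],
    }


# Constructed stand-in for the contents of {left}cert=; not a real cert.
SAMPLE_CERT_FILE = b"\x30\x03\x02\x01\x01"


def forced_roundtrip(cert_type: int) -> dict:
    """Send SAMPLE_CERT_FILE with a forced certtype and parse it back."""
    return parse_cert_payload(build_cert_payload(SAMPLE_CERT_FILE, cert_type))


if __name__ == "__main__":
    payload = build_cert_payload(SAMPLE_CERT_FILE, CertType.X509_SIGNATURE)
    print(payload.hex())
    print(forced_roundtrip(CertType.X509_SIGNATURE))
    print(forced_roundtrip(200))  # encoding unknown to the receiver
```

The length field counts the four-byte generic header plus the encoding byte plus the data, so a five-byte blob with certtype=4 yields a ten-byte payload. Forcing certtype=200 builds and parses cleanly at the byte level, which is exactly the point: nothing on the sending side catches a mismatch between the encoding and the file.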