[Openswan Users] Fwd: Re: VPN with FVL328
david at hrcsb.org
Fri Aug 20 12:32:46 CEST 2004
Speaking of documentation, I had a devil of a time setting up a vpn with
openswan & a Netgear FVL328 using x509 certificates. I'm sure other
folks have done it, but though I searched the web till I sweat blood, I
could find nary a mention of such a set up. Being new to VPNs and x509
certs both, this made things difficult. So, for the archives, and anyone
else who may be interested, below is a rather terse step by step howto
based on my experience.
Note: Although it claims to do so, the FVL328 does not do 2048
certificate requests, at least as of firmware 2.0.
----- Forwarded message from David Clymer <david at hrcsb.org> -----
> To: xxxxxxx
> From: David Clymer <david at hrcsb.org>
> Subject: Re: VPN with FVL328
> Thus quoth xxxxxxx:
> > To: dclyme at hrcsb.org
> > From: xxxxxxx
> > Subject: VPN with FVL328
> > David,
> > I hope you don't mind me e-mailing you directly.
> not a problem.
> > I am setting up a Netgear FVL328 VPN system and I have had no luck
> > getting the CA stuff to work. I did manage to get the PSK to work using
> > superswan in aggressive mode. The FVL328 seems to be very picky about
> > the settings. I even had trouble using the windows client purchased from
> > Netgear when I tried md5 encoding.
> > If it is not too much trouble could you write out how you have the
> > router set up, which version of openswan you are using and which version
> > of Linux and kernel you are using? It helps to know that this is
> > actually working somewhere.
> jekyl:/etc# uname -r
> jekyl:/etc# ipsec version
> Linux Openswan U2.1.3/K2.4.26-router (native) (native)
> See `ipsec --copyright' for copyright information.
> Netgear model/firmware: System Name FVL328
> Firmware Version V2.0_02
> Kernel setup:
> I'm using the native IPsec rather than using the KLIPS patch.
> Openswan setup:
> version 2.0 # conforms to second version of ipsec.conf specification
> # basic configuration
> config setup
> # Debug-logging controls: "none" for (almost) none, "all" for lots.
> # klipsdebug=all
> # plutodebug=dns
> #Disable Opportunistic Encryption
> include /etc/ipsec.d/examples/no_oe.conf
> conn block
> conn private
> conn private-or-clear
> conn clear-or-private
> conn clear
> conn packetdefault
> # netgear VPN connection
> conn netgear1
> # general options
> # Left security gateway, subnet behind it
> leftid=router at mydomain.org
> # Right security gateway, subnet behind it
> rightid=steveB at microsoft.com
> # use this as the key for any connection
> : RSA /etc/ipsec.d/private/jekylKey.pem
> To generate these certificates, I did the following:
> I used /usr/lib/ssl/misc/CA.sh to create my Certificate Authority.
> jekyl:~/certificates# /usr/lib/ssl/misc/CA.sh -newca
> CA certificate filename (or enter to create)
> Making CA certificate ...
> Generating a 1024 bit RSA private key
> writing new private key to './demoCA/private/./cakey.pem'
> Enter PEM pass phrase:
> Verifying - Enter PEM pass phrase:
> You are about to be asked to enter information that will be incorporated
> into your certificate request.
> What you are about to enter is what is called a Distinguished Name or a
> There are quite a few fields but you can leave some blank
> For some fields there will be a default value,
> If you enter '.', the field will be left blank.
> Country Name (2 letter code) [AU]:US
> State or Province Name (full name) [Some-State]:Virginia
> Locality Name (eg, city) :City
> Organization Name (eg, company) [Internet Widgits Pty Ltd]:Blah corp.
> Organizational Unit Name (eg, section) :MIS
> Common Name (eg, YOUR name) :Bob Dole
> Email Address :bdole at yahoo.com
> jekyl:~/certificates# ls
> All the CA stuff is in the demoCA folder.
> I took the certificate request from the netgear, pasted it into a text
> file (removing any leading or trailing empty lines) I called netgcr.pem
> I added some subjectAltName extensions to a file a called netg.cnf (see
> /usr/share/doc/openssl/doc/openssl.txt.gz for more details)
> subjectAltName=email:steveB at microsoft.com,IP:192.168.10.192
> subjectAltName=email:billG at microsoft.com,IP:192.168.10.1
> I then generated a cert for the netgear and the router:
> openssl x509 -req -CA demoCA/cacert.pem -CAkey demoCA/private/cakey.pem -CAcreateserial -extfile netg.cnf -in netgcr.pem -out netgcert.pem # -CAcreateserial lets the first signing create demoCA/cacert.srl; the request file is the netgcr.pem named above
> openssl req -new -newkey rsa:2048 -out rtrcr.pem # this also creates a file called privkey.pem
> openssl x509 -req -CA demoCA/cacert.pem -CAkey demoCA/private/cakey.pem -CAcreateserial -extfile netg.cnf -in rtrcr.pem -out rtrcert.pem
> copied the certs and keys to the appropriate locations:
> cp *cert.pem /etc/ipsec.d/certs/
> cp privkey.pem /etc/ipsec.d/certs/routerkey.pem
> cp demoCA/cacert.pem /etc/ipsec.d/cacerts/demoCA.pem
> uploaded demoCA/cacert.pem to the netgear (in the "CA" section)
> followed by netgcert.pem to the ("certificates" section)
> I then used the VPN wizard (new in the 2.0 firmware) to set up the vpn.
> I went back in to the IKE policy created by the wizard and changed a few
> direction/type: both
> exchange mode: main mode
> local and remote identity types: FQ user name.
> local id: steveB at microsoft.com
> remote id: billG at microsoft.com
> authentication method: RSA signature
> DH group: group 2 (1024)
> And changed VPN policy settings:
> pfs: yes
> DH group: 2 (1024)
> ESP encryption: yes, 3DES
> ESP authentication: yes, SHA-1
> I think that should do it. Good luck!
----- End forwarded message -----
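A runnable version of the certificate steps in the forwarded message, added here as an example (it is not the poster's script and not Netgear's or Openswan's code): it creates the CA non-interactively, issues one certificate per endpoint with an email+IP subjectAltName, and then performs the two checks that a failing RSA-signature IKE negotiation usually traces back to, namely that the certificate chains to the CA uploaded to the device and that the string configured as leftid/rightid actually appears in the certificate's SAN. The names, e-mail addresses and IP addresses are constructed sample values, and WORK defaults to a fresh temporary directory.

```shell
#!/bin/sh
# Added example, not from the original post. Reproduces the CA and signing
# steps without prompts, then checks what the IKE peers will care about:
# chain to the CA, and the configured ID present in subjectAltName.
# All names, addresses and IPs are constructed sample values.
set -eu

WORK="${WORK:-$(mktemp -d)}"
DN_BASE="/C=US/ST=Virginia/O=Blah corp"

# make_ca: same result as "CA.sh -newca", but non-interactive.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "$DN_BASE/CN=Example VPN CA" \
        -keyout "$WORK/cakey.pem" -out "$WORK/cacert.pem" 2>/dev/null
}

# issue_cert NAME EMAIL IP
# One extfile per endpoint, so each cert gets exactly the SAN meant for it.
# For the real device, replace the "openssl req -new" step with the CSR
# pasted from the FVL328; the signing and the checks stay the same.
issue_cert() {
    name=$1
    email=$2
    ip=$3
    printf 'subjectAltName=email:%s,IP:%s\n' "$email" "$ip" > "$WORK/$name.cnf"
    openssl req -new -newkey rsa:2048 -nodes -subj "$DN_BASE/CN=$name" \
        -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
    # -CAcreateserial lets the first signing create cacert.srl next to the CA cert
    openssl x509 -req -sha256 -days 365 \
        -CA "$WORK/cacert.pem" -CAkey "$WORK/cakey.pem" -CAcreateserial \
        -extfile "$WORK/$name.cnf" -in "$WORK/$name.csr" \
        -out "$WORK/$name.pem" 2>/dev/null
}

# chain_ok NAME: does the issued certificate verify against the CA?
chain_ok() {
    openssl verify -CAfile "$WORK/cacert.pem" "$WORK/$1.pem" >/dev/null 2>&1
}

# id_in_san NAME ID: is the ID you intend to put in leftid/rightid present
# as an email SAN in the certificate? A mismatch here is what later shows
# up as a rejected peer ID during IKE authentication.
id_in_san() {
    openssl x509 -in "$WORK/$1.pem" -noout -text 2>/dev/null \
        | grep -qF "email:$2"
}

# Stand-alone run: CA, one certificate per endpoint, then both checks.
make_ca
issue_cert router  "router@vpn.example.org"  192.168.10.1
issue_cert netgear "netgear@vpn.example.org" 192.168.10.192
for n in router netgear; do
    if chain_ok "$n"; then echo "$n: chains to CA"; else echo "$n: chain FAILED"; fi
    if id_in_san "$n" "$n@vpn.example.org"; then
        echo "$n: SAN carries $n@vpn.example.org"
    else
        echo "$n: ID missing from SAN"
    fi
done
```

The certificates and keys land in $WORK; the router's go under /etc/ipsec.d/certs and the CA certificate under /etc/ipsec.d/cacerts exactly as in the message above. The post's caveat still applies: the FVL328 will not produce a 2048-bit request, which only affects the key size in the device's own CSR, not the signing or the checks shown here.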