[Openswan Users] Fwd: Re: VPN with FVL328

David Clymer david at hrcsb.org
Fri Aug 20 12:32:46 CEST 2004


Speaking of documentation, I had a devil of a time setting up a vpn with
openswan & a Netgear FVL328 using x509 certificates. I'm sure other
folks have done it, but though I searched the web till I sweat blood, I
could find nary a mention of such a set up. Being new to VPNs and x509
certs both, this made things difficult. So, for the archives, and anyone
else who may be interested, below is a rather terse step by step howto
based on my experience.

Note: Although it claims to do so, the FVL328 does not do 2048
certificate requests, at least as of firmware 2.0

-davidc

----- Forwarded message from David Clymer <david at hrcsb.org> -----

> To: xxxxxxx 
> From: David Clymer <david at hrcsb.org>
> Subject: Re: VPN with FVL328
> 
> Thus quoth xxxxxxx:
> > To: dclyme at hrcsb.org
> > From: xxxxxxx 
> > Subject: VPN with FVL328
> > 
> > David,
> >   I hope you don't mind me e-mailing you directly.
> 
> not a problem.
> 
> >   I am setting up a Netgear FVL328 VPN system and I have had no luck 
> > getting the CA stuff to work. I did manage to get the PSK to work using 
> > superswan in aggressive mode. The FVL328 seems to be very picky about 
> > the settings. I even had trouble using the windows client purchased from 
> > Netgear when I tried md5 encoding.
> >   If it is not too much trouble could you write out how you have the 
> > router set up, which version of openswan you are using and which version 
> > of Linux and kernel you are using? It helps to know that this is 
> > actually working somewhere.
> 
> 
> 
> jekyl:/etc# uname -r
> 2.4.26-router
> 
> jekyl:/etc# ipsec version
> Linux Openswan U2.1.3/K2.4.26-router (native) (native)
> See `ipsec --copyright' for copyright information.
> 
> Netgear model/firmware: System Name   FVL328
>                         Firmware Version  V2.0_02
> 
> 
> Kernel setup:
> 
> I'm using the native IPsec rather than using the KLIPS patch.
> 
> Openswan setup:
> 
> /etc/ipsec.conf:
> 
> ----------8<----------
> 
> version 2.0     # conforms to second version of ipsec.conf specification
> 
> # basic configuration
> config setup
>         # Debug-logging controls:  "none" for (almost) none, "all" for lots.
>         # klipsdebug=all
>         # plutodebug=dns
> 
> #Disable Opportunistic Encryption
> include /etc/ipsec.d/examples/no_oe.conf
> 
> conn block
>     auto=ignore
> 
> conn private
>     auto=ignore
> 
> conn private-or-clear
>     auto=ignore
> 
> conn clear-or-private
>     auto=ignore
> 
> conn clear
>     auto=ignore
> 
> conn packetdefault
>     auto=ignore
> 
> # netgear VPN connection
> conn netgear1
>         # general options
>         type=tunnel
>         keyexchange=ike
>         pfs=yes
>         authby=rsasig
>         # Left security gateway, subnet behind it
>         left=192.168.10.1
>         leftsubnet=192.168.2.0/24
>         leftid=router at mydomain.org
>         leftcert=jekylCert.pem
>         # Right security gateway, subnet behind it
>         right=192.168.10.192
>         rightsubnet=192.168.9.0/24
>         rightid=steveB at microsoft.com
>         rightcert=netgear1.pem
>         auto=start
> 
> ---------->8----------
> 
> 
> /etc/ipsec.secrets:
> 
> ----------8<----------
> 
> # use this as the key for any connection
> : RSA /etc/ipsec.d/private/jekylKey.pem
> 
> ---------->8----------
> 
> 
> To generate these certificates, I did the following:
> 
> I used /usr/lib/ssl/misc/CA.sh to create my Certificate Authority.
> 
> jekyl:~/certificates# /usr/lib/ssl/misc/CA.sh -newca
> CA certificate filename (or enter to create)
> 
> Making CA certificate ...
> Generating a 1024 bit RSA private key
> ...++++++
> ...........................................++++++
> writing new private key to './demoCA/private/./cakey.pem'
> Enter PEM pass phrase:
> Verifying - Enter PEM pass phrase:
> -----
> You are about to be asked to enter information that will be incorporated
> into your certificate request.
> What you are about to enter is what is called a Distinguished Name or a
> DN.
> There are quite a few fields but you can leave some blank
> For some fields there will be a default value,
> If you enter '.', the field will be left blank.
> -----
> Country Name (2 letter code) [AU]:US
> State or Province Name (full name) [Some-State]:Virginia
> Locality Name (eg, city) []:City
> Organization Name (eg, company) [Internet Widgits Pty Ltd]:Blah corp.
> Organizational Unit Name (eg, section) []:MIS
> Common Name (eg, YOUR name) []:Bob Dole
> Email Address []:bdole at yahoo.com
> 
> jekyl:~/certificates# ls
> demoCA
> 
> All the CA stuff is in the demoCA folder.
> 
> I took the certificate request from the netgear, pasted it into a text
> file (removing any leading or trailing empty lines) that I called netgcr.pem
> 
> I added some subjectAltName extensions to a file I called netg.cnf (see
> /usr/share/doc/openssl/doc/openssl.txt.gz for more details)
> 
> netg.cnf
> ----------8<----------
> subjectAltName=email:steveB at microsoft.com,IP:192.168.10.192
> ---------->8----------
> 
> rtr.cnf
> ----------8<----------
> subjectAltName=email:billG at microsoft.com,IP:192.168.10.1
> ---------->8----------
> 
> I then generated a cert for the netgear and the router:
> 
> # sign the netgear's request (the file saved as netgcr.pem above) with its own
> # extension file; -CAcreateserial creates demoCA/cacert.srl, which x509 -req
> # needs on the first run. Add -days N if you want more than the 30-day default.
> openssl x509 -req -CA demoCA/cacert.pem -CAkey demoCA/private/cakey.pem -CAcreateserial -extfile netg.cnf -in netgcr.pem -out netgcert.pem
> 
> openssl req -new -newkey rsa:2048 -out rtrcr.pem # this also creates a file called privkey.pem
> # the router's cert takes the router's extension file (rtr.cnf), not netg.cnf
> openssl x509 -req -CA demoCA/cacert.pem -CAkey demoCA/private/cakey.pem -CAcreateserial -extfile rtr.cnf -in rtrcr.pem -out rtrcert.pem
> 
> copied the certs and keys to the appropriate locations:
> 
> # ipsec.conf and ipsec.secrets above refer to these as jekylCert.pem,
> # netgear1.pem and /etc/ipsec.d/private/jekylKey.pem, so either rename the
> # files to those names or point the config at the names used here.
> # privkey.pem is passphrase-protected unless the req was run with -nodes;
> # ipsec.secrets then needs the passphrase quoted after the path.
> cp *cert.pem /etc/ipsec.d/certs/
> cp privkey.pem /etc/ipsec.d/certs/routerkey.pem
> cp demoCA/cacert.pem /etc/ipsec.d/cacerts/demoCA.pem
> 
> uploaded demoCA/cacert.pem to the netgear (in the "CA" section), followed
> by netgcert.pem (in the "certificates" section)
> 
> I then used the VPN wizard (new in the 2.0 firmware) to set up the vpn.
> I went back in to the IKE policy created by the wizard and changed a few
> settings:
> 
> direction/type: both
> exchange mode: main mode
> local and remote identity types: FQ user name. 
> local id: steveB at microsoft.com
> remote id: billG at microsoft.com
> authentication method: RSA signature
> DH group: group 2 (1024)
> 
> And changed VPN policy settings:
> 
> pfs: yes
> DH group: 2 (1024)
> ESP encryption: yes, 3DES
> ESP authentication: yes, SHA-1
> 
> 
> I think that should do it. Good luck!
> 
> -davidc

----- End forwarded message -----
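As an added example (not commands from the post): the CA and subjectAltName signing steps of the forwarded howto, done non-interactively with openssl in a scratch directory, followed by the check worth doing before touching ipsec.conf, namely that the identity each end sends in IKE is actually present in that end's certificate. Assumptions: the FVL328's request is a constructed stand-in (the real one is pasted from its web UI), the router's identity is billG at microsoft.com as in rtr.cnf and the netgear's "remote id" (the ipsec.conf in the post uses a different leftid; whichever ID is configured must be in the cert), and -nodes skips the passphrase prompts.

```shell
#!/bin/sh
# Added example, not from the original post: the CA and subjectAltName signing
# steps from the message, done non-interactively in a scratch directory, plus a
# check that each peer's IKE identity is present in that peer's certificate.
# The FVL328's CSR is constructed here; the real one is pasted from its web UI.
set -eu

# build_certs DIR: make a CA, then sign a stand-in netgear CSR and a router CSR
build_certs() (
    mkdir -p "$1" && cd "$1"
    # the CA that CA.sh -newca creates, without the prompts (-nodes: no passphrase)
    openssl req -x509 -newkey rsa:2048 -nodes -keyout cakey.pem -out cacert.pem \
        -days 365 -subj "/C=US/ST=Virginia/O=Blah corp./CN=Bob Dole" 2>/dev/null
    # one extension file per peer, as netg.cnf and rtr.cnf in the post
    echo "subjectAltName=email:steveB@microsoft.com,IP:192.168.10.192" > netg.cnf
    echo "subjectAltName=email:billG@microsoft.com,IP:192.168.10.1"    > rtr.cnf
    # CSRs; the netgear one stands in for the request pasted from the FVL328
    openssl req -new -newkey rsa:2048 -nodes -keyout netgkey.pem -out netgcr.pem \
        -subj "/CN=FVL328" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -keyout rtrkey.pem -out rtrcr.pem \
        -subj "/CN=jekyl" 2>/dev/null
    # sign each CSR with its own extfile; -CAcreateserial creates cacert.srl on
    # the first run and -days replaces x509 -req's 30-day default validity
    for peer in netg rtr; do
        openssl x509 -req -CA cacert.pem -CAkey cakey.pem -CAcreateserial \
            -days 365 -extfile "$peer.cnf" -in "${peer}cr.pem" \
            -out "${peer}cert.pem" 2>/dev/null
    done
)

# san_has CERT VALUE: true if VALUE is one subjectAltName entry of CERT, written
# the way openssl -text prints it ("email:user@host" or "IP Address:a.b.c.d")
san_has() {
    openssl x509 -in "$1" -noout -text \
        | sed -n '/Subject Alternative Name/{n;p;}' \
        | tr ',' '\n' | sed 's/^ *//' | grep -qx -- "$2"
}

# peer_ids_ok DIR: the identity each end sends in IKE (leftid/rightid in
# ipsec.conf, local/remote id on the FVL328) must be in that end's own
# certificate, or Pluto rejects the peer's ID and phase 1 never completes
peer_ids_ok() {
    san_has "$1/rtrcert.pem"  "email:billG@microsoft.com" &&
    san_has "$1/netgcert.pem" "email:steveB@microsoft.com" &&
    san_has "$1/netgcert.pem" "IP Address:192.168.10.192"
}

# usage: build_certs /tmp/vpnca && peer_ids_ok /tmp/vpnca && echo "IDs match certs"
```

The same san_has check run against the cert you actually install tells you immediately whether an "ID mismatch" during phase 1 is a certificate problem or a config typo.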

