[Openswan Users] Fwd: Re: VPN with FVL328 [CORRECTION]

David Clymer dclyme at hrcsb.org
Wed Aug 25 14:38:38 CEST 2004


Correction inline.


Thus quoth David Clymer:
> To: users at lists.openswan.org
> From: David Clymer <david at hrcsb.org>
> Subject: [Openswan Users] Fwd: Re: VPN with FVL328
> 
> 
> Speaking of documentation, I had a devil of a time setting up a vpn with
> openswan & a Netgear FVL328 using x509 certificates. I'm sure other
> folks have done it, but though I searched the web till I sweat blood, I
> could find nary a mention of such a set up. Being new to VPNs and x509
> certs both, this made things difficult. So, for the archives, and anyone
> else who may be interested, below is a rather terse step by step howto
> based on my experience.
> 
> Note: Although it claims to do so, the FVL328 does not do 2048-bit
> certificate requests, at least as of firmware 2.0
> 
> -davidc
> 
> ----- Forwarded message from David Clymer <david at hrcsb.org> -----
> 
> > To: xxxxxxx 
> > From: David Clymer <david at hrcsb.org>
> > Subject: Re: VPN with FVL328
> > 
> > Thus quoth xxxxxxx:
> > > To: dclyme at hrcsb.org
> > > From: xxxxxxx 
> > > Subject: VPN with FVL328
> > > 
> > > David,
> > >   I hope you don't mind me e-mailing you directly.
> > 
> > not a problem.
> > 
> > >   I am setting up a Netgear FVL328 VPN system and I have had no luck 
> > > getting the CA stuff to work. I did manage to get the PSK to work using 
> > > superswan in aggressive mode. The FVL328 seems to be very picky about 
> > > the settings. I even had trouble using the windows client purchased from 
> > > Netgear when I tried md5 encoding.
> > >   If it is not too much trouble could you write out how you have the 
> > > router set up, which version of openswan you are using and which version 
> > > of Linux and kernel you are using? It helps to know that this is 
> > > actually working somewhere.
> > 
> > 
> > 
> > jekyl:/etc# uname -r
> > 2.4.26-router
> > 
> > jekyl:/etc# ipsec version
> > Linux Openswan U2.1.3/K2.4.26-router (native) (native)
> > See `ipsec --copyright' for copyright information.
> > 
> > Netgear model/firmware: System Name   FVL328
> >                         Firmware Version  V2.0_02
> > 
> > 
> > Kernel setup:
> > 
> > I'm using the native IPsec rather than using the KLIPS patch.
> > 
> > Openswan setup:
> > 
> > /etc/ipsec.conf:
> > 
> > ----------8<----------
> > 
> > version 2.0     # conforms to second version of ipsec.conf specification
> > 
> > # basic configuration
> > config setup
> >         # Debug-logging controls:  "none" for (almost) none, "all" for lots.
> >         # klipsdebug=all
> >         # plutodebug=dns
> > 
> > #Disable Opportunistic Encryption
> > include /etc/ipsec.d/examples/no_oe.conf
> > 
> > conn block
> >     auto=ignore
> > 
> > conn private
> >     auto=ignore
> > 
> > conn private-or-clear
> >     auto=ignore
> > 
> > conn clear-or-private
> >     auto=ignore
> > 
> > conn clear
> >     auto=ignore
> > 
> > conn packetdefault
> >     auto=ignore
> > 
> > # netgear VPN connection
> > conn netgear1
> >         # general options
> >         type=tunnel
> >         keyexchange=ike
> >         pfs=yes
> >         authby=rsasig
> >         # Left security gateway, subnet behind it
> >         left=192.168.10.1
> >         leftsubnet=192.168.2.0/24
            # CORRECTION: left id should match the subjectAltName I
            # added to the certificate below (missed this discrepancy in my
            # previous example)
> >         # leftid=router at mydomain.org
            leftid=billG at microsoft.com
> >         leftcert=jekylCert.pem
> >         # Right security gateway, subnet behind it
> >         right=192.168.10.192
> >         rightsubnet=192.168.9.0/24
> >         rightid=steveB at microsoft.com
> >         rightcert=netgear1.pem
> >         auto=start
> > 
> > ---------->8----------
> > 
> > 
> > /etc/ipsec.secrets:
> > 
> > ----------8<----------
> > 
> > # use this as the key for any connection
> > : RSA /etc/ipsec.d/private/jekylKey.pem
> > 
> > ---------->8----------
> > 
> > 
> > To generate these certificates, I did the following:
> > 
> > I used /usr/lib/ssl/misc/CA.sh to create my Certificate Authority.
> > 
> > jekyl:~/certificates# /usr/lib/ssl/misc/CA.sh -newca
> > CA certificate filename (or enter to create)
> > 
> > Making CA certificate ...
> > Generating a 1024 bit RSA private key
> > ...++++++
> > ...........................................++++++
> > writing new private key to './demoCA/private/./cakey.pem'
> > Enter PEM pass phrase:
> > Verifying - Enter PEM pass phrase:
> > -----
> > You are about to be asked to enter information that will be incorporated
> > into your certificate request.
> > What you are about to enter is what is called a Distinguished Name or a
> > DN.
> > There are quite a few fields but you can leave some blank
> > For some fields there will be a default value,
> > If you enter '.', the field will be left blank.
> > -----
> > Country Name (2 letter code) [AU]:US
> > State or Province Name (full name) [Some-State]:Virginia
> > Locality Name (eg, city) []:City
> > Organization Name (eg, company) [Internet Widgits Pty Ltd]:Blah corp.
> > Organizational Unit Name (eg, section) []:MIS
> > Common Name (eg, YOUR name) []:Bob Dole
> > Email Address []:bdole at yahoo.com
> > 
> > jekyl:~/certificates# ls
> > demoCA
> > 
> > All the CA stuff is in the demoCA folder.
> > 
> > I took the certificate request from the netgear, pasted it into a text
> > file (removing any leading or trailing empty lines) I called netgcr.pem
> > 
> > I added some subjectAltName extensions to a file I called netg.cnf (see
> > /usr/share/doc/openssl/doc/openssl.txt.gz for more details)
> > 
> > netg.cnf
> > ----------8<----------
> > subjectAltName=email:steveB at microsoft.com,IP:192.168.10.192
> > ---------->8----------
> > 
> > rtr.cnf
> > ----------8<----------
> > subjectAltName=email:billG at microsoft.com,IP:192.168.10.1
> > ---------->8----------
> > 
> > I then generated a cert for the netgear and the router:
> > 
> > # sign the netgear's request (netgcr.pem, saved above) with the SANs from netg.cnf
> > # -CAcreateserial creates demoCA/cacert.srl on first use; without it
> > # "openssl x509 -req -CA" stops with "unable to load CA serial number"
> > # -days 365: the default is only 30 days, after which the tunnel stops coming up
> > openssl x509 -req -days 365 -CA demoCA/cacert.pem -CAkey demoCA/private/cakey.pem -CAcreateserial -extfile netg.cnf -in netgcr.pem -out netgcert.pem
> > 
> > # request + key for the router; this also creates a file called privkey.pem
> > # -nodes leaves the key unencrypted, which a bare ": RSA file" line in ipsec.secrets needs
> > openssl req -new -newkey rsa:2048 -nodes -out rtrcr.pem
> > # sign it with the router's own SANs (rtr.cnf, not netg.cnf)
> > openssl x509 -req -days 365 -CA demoCA/cacert.pem -CAkey demoCA/private/cakey.pem -CAcreateserial -extfile rtr.cnf -in rtrcr.pem -out rtrcert.pem
> > 
> > copied the certs and keys to the appropriate locations:
> > 
> > # file names must match leftcert=, rightcert= and the RSA line in ipsec.secrets above
> > cp netgcert.pem /etc/ipsec.d/certs/netgear1.pem
> > cp rtrcert.pem /etc/ipsec.d/certs/jekylCert.pem
> > cp privkey.pem /etc/ipsec.d/private/jekylKey.pem
> > chmod 600 /etc/ipsec.d/private/jekylKey.pem
> > cp demoCA/cacert.pem /etc/ipsec.d/cacerts/demoCA.pem
> > 
> > uploaded  demoCA/cacert.pem to the netgear (in the "CA" section)
> > followed by netgcert.pem to the ("certificates" section) 
> > 
> > I then used the VPN wizard (new in the 2.0 firmware) to set up the vpn.
> > I went back in to the IKE policy created by the wizard and changed a few
> > settings:
> > 
> > direction/type: both
> > exchange mode: main mode
> > local and remote identity types: FQ user name. 
> > local id: steveB at microsoft.com
> > remote id: billG at microsoft.com
> > authentication method: RSA signature
> > DH group: group 2 (1024)
> > 
> > And changed VPN policy settings:
> > 
> > pfs: yes
> > DH group: 2 (1024)
> > ESP encryption: yes, 3DES
> > ESP authentication: yes, SHA-1
> > 
> > 
> > I think that should do it. Good luck!
> > 
> > -davidc
> 
> ----- End forwarded message -----
> _______________________________________________
> Users mailing list
> Users at openswan.org
> http://lists.openswan.org/mailman/listinfo/users
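The certificate steps in the howto above, worked through as an added example (this is not code from the original post, from the Netgear, or from Openswan): the script builds a throwaway CA, signs a request with subjectAltName values supplied through an extfile the way netg.cnf and rtr.cnf are used above, and then performs the check the correction is about before Pluto is pointed at the files: that the value to be used as leftid= really appears as a SAN in the certificate, and that the certificate verifies against the CA the other side has been given. It assumes the openssl command line is installed; the CA name, file names, IDs, addresses and the 30-day validity are made up for the example.

```shell
#!/bin/sh
# Added example, not code from the original post or from Openswan: build a
# throwaway CA, sign a request with the subjectAltName values an IKE peer
# uses as its ID, then check the certificate before pointing Pluto at it.
# CA name, file names, IDs, addresses and the 30-day validity are made up.
set -eu

WORK=$(mktemp -d)
cd "$WORK"

# 1. Throwaway CA. The post does this with CA.sh -newca; here the CA's own
#    extensions are written explicitly so the chain verifies on any OpenSSL.
#    -nodes writes an unencrypted key: fine for a demo, not for a real CA.
make_ca() {
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/C=US/O=Blah corp./CN=Demo CA" \
        -keyout cakey.pem -out cacsr.pem 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.cnf
    openssl x509 -req -days 30 -signkey cakey.pem -extfile ca.cnf \
        -in cacsr.pem -out cacert.pem 2>/dev/null
}

# 2. Request and key for the Linux gateway, plus an extfile carrying the
#    identities ($1 = e-mail ID, $2 = IP) the peers will match on. An
#    unencrypted key is what a bare ": RSA file" line in ipsec.secrets needs.
make_gateway_req() {
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/C=US/O=Blah corp./CN=jekyl" \
        -keyout jekylKey.pem -out rtrcr.pem 2>/dev/null
    printf 'subjectAltName=email:%s,IP:%s\n' "$1" "$2" > rtr.cnf
}

# 3. Sign a request ($2) into a certificate ($3), taking extensions from $1.
#    -CAcreateserial creates cacert.srl on first use; without it
#    "openssl x509 -req -CA" stops with "unable to load CA serial number".
sign_req() {
    openssl x509 -req -days 30 -CA cacert.pem -CAkey cakey.pem \
        -CAcreateserial -extfile "$1" -in "$2" -out "$3" 2>/dev/null
}

# 4. The check the correction in the post is about: the leftid=/rightid=
#    value must be one of the certificate's SANs, and the certificate must
#    chain to the CA the other side has been given. Exit status:
#    0 = ok, 1 = ID not in the certificate, 2 = does not verify against CA.
check_cert_id() {
    cert=$1; ca=$2; want_id=$3
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 || return 2
    # Take the SAN value line from -text output and strip the "email:" /
    # "IP Address:" type prefixes, leaving one bare ID per line.
    openssl x509 -in "$cert" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n 1 \
        | tr ',' '\n' | sed 's/^ *[A-Za-z ]*://' \
        | grep -qxF -- "$want_id"
}

demo() {
    make_ca
    make_gateway_req billG@microsoft.com 192.168.10.1
    sign_req rtr.cnf rtrcr.pem jekylCert.pem
    # The two IDs the cert carries pass; the one from the commented-out
    # leftid line in the post does not, which is what the peer would reject.
    for id in billG@microsoft.com 192.168.10.1 router@mydomain.org; do
        rc=0
        check_cert_id jekylCert.pem cacert.pem "$id" || rc=$?
        case $rc in
            0) echo "leftid=$id matches a SAN in jekylCert.pem" ;;
            1) echo "leftid=$id is NOT in jekylCert.pem" ;;
            *) echo "jekylCert.pem does not verify against cacert.pem" ;;
        esac
    done
}

demo
```

Run it on a box with openssl and it prints one line per candidate ID; the same check_cert_id function, pointed at /etc/ipsec.d/certs and /etc/ipsec.d/cacerts, is a useful thing to run after a firmware upgrade or certificate renewal on either end, since an ID/SAN mismatch shows up in Pluto's log only as an opaque authentication failure.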

