[Openswan Users] X.509 + Policy Groups

Ralf Gerlich ralf.gerlich at bsse.biz
Wed Aug 10 14:43:19 CEST 2005 

Hello,

I'm planning on setting up a WLAN segment and I don't quite trust WPA, 
WEP,  MAC-"Authentication" and what-not so I'd like to add IPSEC with 
authentication based on X.509-certificates as another layer of security 
above all that.

For two hosts A and B to communicate on the WLAN they would have to 
establish an IPSEC-transport-channel directly between A and B, involving 
authentication of A and B towards each other. This way non-legitimate 
hosts - i.e., crackers - are barred from directly accessing other 
legitimate hosts on the WLAN.

For flexibility and ease of configuration I'd like to set this up as a 
policy group with the CIDR for the group being the whole IP-block 
allocated to the WLAN. The entry in ipsec.conf for each of the WLAN 
hosts might look s.th. like this:

conn wlan-groups
        type=transport
        authby=rsasig
        left=192.168.2.102
        leftid=%myid
        leftcert=mycert.pem
        right=%group
        rightnexthop=%direct
        rightrsasigkey=%cert
        rightca="C=DE, ... , CN=Virtual Private Network CA"
        auto=route

I have tried this with either listing "192.168.2.100" or 
"192.168.2.0/24" in policies/wlan-groups. However when I run

	ipsec auto --route wlan-groups

or

	ipsec auto --route "wlan-groups#192.168.2.100/32"

resp.

	ipsec auto --route "wlan-groups#192.168.2.0/24"

I get the error message
	025 "wlan-groups#192.168.2.100/32": cannot route template policy of 
RSASIG+ENCRYPT+TUNNEL+PFS
	025 "wlan-groups#192.168.2.100/32": could not route

resp.

	025 "wlan-groups#192.168.2.0/24": cannot route template policy of 
RSASIG+ENCRYPT+TUNNEL+PFS
	025 "wlan-groups#192.168.2.0/24": could not route

I know that there's also OE but as the same host certificates will be 
used for road-warrior access from the same hosts (which are laptops) and 
I'd like to use X.509 certs - which does not seem possible with OE - I 
think I have to do it this way.

Is what I'm thinking of possible at all or am I misunderstanding 
something? Maybe there's documentation I've been missing and somebody 
could point me to. Any help is appreciated.

Thank you in advance,
Ralf

More information about the Users mailing list