[Openswan Users] X.509 + Policy Groups
Ralf Gerlich
ralf.gerlich at bsse.biz
Wed Aug 10 14:43:19 CEST 2005
Hello,
I'm planning on setting up a WLAN segment and I don't quite trust WPA,
WEP, MAC-"Authentication" and what-not so I'd like to add IPSEC with
authentication based on X.509-certificates as another layer of security
above all that.
For two hosts A and B to communicate on the WLAN they would have to
establish an IPSEC-transport-channel directly between A and B, involving
authentication of A and B towards each other. This way non-legitimate
hosts - i.e., crackers - are barred from directly accessing other
legitimate hosts on the WLAN.
For flexibility and ease of configuration I'd like to set this up as a
policy group with the CIDR for the group being the whole IP-block
allocated to the WLAN. The entry in ipsec.conf for each of the WLAN
hosts might look something like this:
conn wlan-groups
        type=transport
        authby=rsasig
        left=192.168.2.102
        leftid=%myid
        leftcert=mycert.pem
        right=%group
        rightnexthop=%direct
        rightrsasigkey=%cert
        rightca="C=DE, ... , CN=Virtual Private Network CA"
        auto=route
I have tried this with either listing "192.168.2.100" or
"192.168.2.0/24" in policies/wlan-groups. However when I run
ipsec auto --route wlan-groups
or
ipsec auto --route "wlan-groups#192.168.2.100/32"
resp.
ipsec auto --route "wlan-groups#192.168.2.0/24"
I get the error message
025 "wlan-groups#192.168.2.100/32": cannot route template policy of RSASIG+ENCRYPT+TUNNEL+PFS
025 "wlan-groups#192.168.2.100/32": could not route
resp.
025 "wlan-groups#192.168.2.0/24": cannot route template policy of RSASIG+ENCRYPT+TUNNEL+PFS
025 "wlan-groups#192.168.2.0/24": could not route
I know that there's also OE but as the same host certificates will be
used for road-warrior access from the same hosts (which are laptops) and
I'd like to use X.509 certs - which does not seem possible with OE - I
think I have to do it this way.
Is what I'm thinking of possible at all or am I misunderstanding
something? Maybe there's documentation I've been missing and somebody
could point me to. Any help is appreciated.
Thank you in advance,
Ralf
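Added example (not part of the original post or of Openswan): a small checker for a policy-group setup like the one described above. It parses the conn stanza in ipsec.conf syntax and the contents of a policies/<group-name> file (one address or CIDR per line) and reports entries that are not valid networks, entries outside the block the group is meant to cover, and entries that cover the host's own left= address, which a host-to-host transport policy has no use for (the /24 in the post contains 192.168.2.102 itself). The sample stanza copies the post; the group file contents and the WLAN block (192.168.2.0/24) are constructed for the example.

```python
"""Sanity checks for an Openswan-style policy group (added example)."""
import ipaddress
from typing import Dict, List


def parse_conn(text: str) -> Dict[str, str]:
    """Parse the key=value lines of one conn stanza into a dict.

    '#' comments and blank lines are skipped; the 'conn NAME' header is
    stored under the key '_name'. Quotes around values are removed.
    """
    conn: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("conn "):
            conn["_name"] = line.split(None, 1)[1].strip()
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"not a key=value line: {raw!r}")
        conn[key.strip()] = value.strip().strip('"')
    return conn


def check_group(conn: Dict[str, str], group_text: str, wlan_block: str) -> List[str]:
    """Return a list of human-readable findings for the group file.

    group_text is the body of policies/<group-name>; a bare address is
    treated as a /32, which is how Openswan names the instance
    ("wlan-groups#192.168.2.100/32").
    """
    findings: List[str] = []
    wlan = ipaddress.ip_network(wlan_block)
    own = ipaddress.ip_address(conn["left"])
    if conn.get("right") != "%group":
        findings.append("conn does not use right=%group; the policy file is ignored")
    for raw in group_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            net = ipaddress.ip_network(line, strict=False)
        except ValueError:
            findings.append(f"invalid entry: {line!r}")
            continue
        if net.version != wlan.version or not net.subnet_of(wlan):
            findings.append(f"{net} is outside WLAN block {wlan}")
        elif own in net:
            findings.append(f"{net} covers this host's own address {own}")
    return findings


# Constructed sample input: the stanza from the post and a group file
# with one good entry, the whole /24, an out-of-range block and a typo.
SAMPLE_CONN = """conn wlan-groups
        type=transport
        authby=rsasig
        left=192.168.2.102
        leftid=%myid
        leftcert=mycert.pem
        right=%group
        rightnexthop=%direct
        rightrsasigkey=%cert
        rightca="C=DE, ... , CN=Virtual Private Network CA"
        auto=route
"""
SAMPLE_GROUP = """# policies/wlan-groups (constructed)
192.168.2.100
192.168.2.0/24
10.0.0.0/8
not-an-address
"""
WLAN_BLOCK = "192.168.2.0/24"  # assumed WLAN allocation


def run_sample() -> List[str]:
    """Run the checker over the constructed sample; returns the findings."""
    return check_group(parse_conn(SAMPLE_CONN), SAMPLE_GROUP, WLAN_BLOCK)


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

Running it on the sample prints three findings: the /24 covers the host's own address, 10.0.0.0/8 is outside the WLAN block, and "not-an-address" is rejected; the /32 for 192.168.2.100 passes. The check is purely static and says nothing about why Pluto refuses to route the template; it only catches group-file contents that would not make sense for the intended host-to-host policy.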