[Openswan Users] Some information please

Terry Mason terrymason at hotmail.com
Wed Dec 21 09:37:08 CET 2005


Hello everyone - hopefully I'm posting in the correct place - this is my 
first attempt at support.

I have inherited an openswan installation on my company's firewall.  This 
allows us to VPN into the company network (openswan is on Fedora 3, and the 
clients are all Windows XP).  I personally have no experience with VPNs, and 
am trying to make some new certs.  The existing certs/connections seem fine, 
but any new certificates I create never work.

I have detailed instructions left from the previous admin - here is a rough 
sketch of what I'm trying:
1.  CA -newca
2.  CA -sign
3.  move the two files to /etc/ipsec.d/certs or private/username.device.xxx
4.  openssl pkcs12 -export -in /etc/ipsec.d/certs/username.device.pem -inkey 
/etc/ipsec.d/private/username.device.key -certfile 
/usr/share/ssl/misc/demoCA/cacert.pem -out 
/etc/ipsec.d/certs/username.device.p12


So everything appears to work, and I get a fancy p12 file, and my 
instructions tell me to install it on my Windows clients.  I've taken the 
p12 file, and tried double-clicking and installing it that way (appears to 
work) but my Windows client takes forever trying to make a connection, then 
finally gives an error (error 729 I believe, but I'm at work now and can't 
check).

My instructions tell me not to auto-install, but instead to go to the 
Personal folder (in my Certificates MMC) and import directly to my Personal 
folder.  When I do this, I get two certs in that folder - one with my 
company name on it, and another with my name (this looks different from the 
existing VPN laptops, which only have one cert - with the user's name on 
it).

Hopefully this is enough information to give you guys.  I am still reading 
and trying to understand what exactly is going on.  I believe that I am 
using openssl to generate some certificates, then private keys combined with 
that certificate to access the network.

Another question - when creating a VPN connection, and dialing from the 
Windows client, am I supposed to enter my NT domain username / password into 
the VPN box, or some other information (like the cert password)?

Thank you very much for your time!
Terry Mason

__________________________________
          Terry Mason Jr.
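The four steps from the post, as an added example that is not part of the original message or of Openswan: it replaces the CA.pl wrapper (`CA -newca` / `CA -sign`) with direct openssl calls, works in a scratch directory instead of /etc/ipsec.d, and adds the checks a practitioner would want before handing a .p12 to a client (the user cert chains to the CA, the private key matches the cert, and the bundle really carries both certs). Subject names, file names and the bundle password are constructed placeholders.

```shell
#!/bin/sh
# Added example, not the poster's or Openswan's own script.  Builds a throwaway
# CA, signs a client cert, verifies it, then exports the PKCS#12 bundle the
# way step 4 of the post does (-certfile adds the CA cert to the bundle).
set -eu
WORK=${WORK:-$(mktemp -d)}
CA_SUBJ="/CN=Example Corp CA"      # constructed value
USER_SUBJ="/CN=tmason.laptop"      # constructed; stands in for username.device
P12_PASS="changeit"                # constructed, demo only

# Steps 1 and 2 of the post (CA -newca, CA -sign) done with plain openssl.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "$CA_SUBJ" \
    -keyout "$WORK/cakey.pem" -out "$WORK/cacert.pem" 2>/dev/null
}

sign_user_cert() {
  openssl req -newkey rsa:2048 -nodes -subj "$USER_SUBJ" \
    -keyout "$WORK/user.key" -out "$WORK/user.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/user.csr" -CA "$WORK/cacert.pem" \
    -CAkey "$WORK/cakey.pem" -CAcreateserial -days 365 \
    -out "$WORK/user.pem" 2>/dev/null
}

# Check before exporting: cert chains to the CA, and the key belongs to it.
verify_user_cert() {
  openssl verify -CAfile "$WORK/cacert.pem" "$WORK/user.pem" >/dev/null 2>&1 || return 1
  cert_mod=$(openssl x509 -noout -modulus -in "$WORK/user.pem")
  key_mod=$(openssl rsa -noout -modulus -in "$WORK/user.key" 2>/dev/null)
  [ "$cert_mod" = "$key_mod" ]
}

# Step 4 of the post: cert + key + CA cert in one .p12 for the Windows client.
export_p12() {
  openssl pkcs12 -export -in "$WORK/user.pem" -inkey "$WORK/user.key" \
    -certfile "$WORK/cacert.pem" -out "$WORK/user.p12" -passout "pass:$P12_PASS"
}

# Count the certificates in the bundle.  Two is expected: the user cert and the
# CA cert from -certfile, which is the second entry that appears on import.
p12_cert_count() {
  openssl pkcs12 -in "$WORK/user.p12" -nokeys -passin "pass:$P12_PASS" 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE'
}

make_ca && sign_user_cert && verify_user_cert && export_p12
echo "bundle written to $WORK/user.p12; certs in bundle: $(p12_cert_count)"
```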



