[Openswan Users] Some information please
trevor-os at thennion.demon.co.uk
Wed Dec 21 20:03:56 CET 2005
Terry Mason wrote:
> Hello everyone - hopefully I'm posting in the correct place - this is
my first attempt at support.
> I have inherited an openswan installation on my companies firewall.
This allows us to VPN into the company network (openswan is on Fedora 3,
and the clients are all windows xp). I personally have no experience
with vpns, and am trying to make some new certs. The existing
certs/connections seem fine, but any new certificates I create never work.
> I have detailed instructions left from the previous admin - here is a
rough sketch of what I'm trying:
> 1. CA -newca
> 2. CA -sign
> 3. move the two files to /etc/ipsec.d/certs or
> 4. openssl pkcs12 -export -in /etc/ipsec.d/certs/username.device.pem
-inkey /etc/ipsec.d/private/username.device.key -certfile
> So everything appears to work, and I get a fancy p12 file, and my
instructions tell me to install it on my windows clients. I've taken
the p12 file, and tried double clicking and installing it that way
(appers to work) but my windows client takes forever trying to make a
connection, then finally gives an error (error 729 I belive, but i'm at
work now and can't check).
> My instructions tell me not to auto install, but instead to go to the
personal folder (in my certificates mmc) and import directly to my
personal folder. When I do this, I get two certs in that folder - one
with my company name on it, and another with my name (this looks
different from the existing vpn laptops, which only have one cert - with
the user's name on it).
> Hopefully this is enough information to give you guys. I am still
reading and trying to understand what exactly is going on. I believe
that I am using openssl to generate some certificates, then private keys
combined with that certificate to access the network.
> Another question - when creating a vpn connection, and dialing from
the windows client, am I supposed to enter my NT domain username /
password into the vpn box, or some other information (like the cert
> Thank you very much for your time!
> Terry Mason
These are the instructions I have written for our setup.
It uses OpenSSL compiled from sources, so you may find the directories
VPN - Certificates.
All the certificate creation and management is done using 'openssl'.
Requires a Certificate Authority (CA) to have been set up in advance.
This exists in /usr/local/ssl/misc/demoCA. The CA root certificate lasts
for 10 years. The pass phrase for the CA root certificate MUST be
carefully protected - lock it in the firesafe.
Each user will be issued their own Certificate that has been signed by
the CA's Root certificate.
The CRL (Certificate Revocation List) can be used to revoke an
Create a Client Certificate.
Be root and 'cd' to /usr/local/ssl/misc.
Use a Certificate name that includes the users name for ease of
recognition, ie 'wxptfhCert.pem'. This includes the client type as well
as the users name.
Run the command:
'openssl req -newkey rsa:1024 -keyout 'x'Key.pem -out 'x'Req.pem'
where 'x' is the client type and user name - 'x' would be wxptfh in
the example above..
Replace 'x' below in the same way.
Use the pass phrase xxxx - twice, when requested:
"Enter PEM passphrase:"
"Verifying password - Enter PEM passphrase:" Do NOT use the CA passphrase.
Do not enter a challenge password
Optional company name - not needed.
Now sign the new Request with the CA certificate:
'openssl ca -in 'x'Req.pem -days 365 -out 'x'Cert.pem -notext'
Enter the CA passphrase when requested: "Enter pass phrase for
"Sign the certificate? [y/n]:" y
"1 out of 1 certificate requests certified, commit? [y/n]:" y
For a Windows client create a PKCS#12 file
'openssl pkcs12 -export -inkey 'x'Key.pem -in 'x'Cert.pem -certfile
demoCA/cacert.pem -out 'x'Cert.p12'
"Enter PEM pass phrase:" xxxx
"Enter ExportPasword: " return
"Verifying password" return
The command "openssl x509 -in <name>Cert.pem -noout -subject" will
provide the subject line to use in the Gateway's ipsec.conf file.
Use the RootCA's subject line in the Windows client's ipsec.conf file.
The command "ipsec auto --listcacerts" run on the gateway system shows
the subject line.
For a Linux client - omit creating the *.p12 file. Send both the
'x'Cert.pem and 'x'Key.pem files to the Linux user.
If you had to change the CN details in the users certificate - ie to
issue another certificate before the previous certificate expires, make
/etc/ipsec.conf file on the gateway is updated.
Certificate Revocation List.
This file lists certificates that should no longer be allowed to connect
to the VPN gateway.
The CRL file, crl.pem, is stored in /usr/local/ssl/misc/demoCA/crl.
After updating the CRL file copy it to the VPN Gateway box, and store it in
Re-issuing an expired certificate.
You cannot issue a new certificate with identical subject data to an
existing certificate. Therefore when a certificate expires you may have
to update the local database so that the certificate is marked expired,
Use 'openssl ca -in 'x'Req.pem -days 365 -out 'x'Cert.pem -notext
-updatedb' to update the database and you should get the response
"'Y'=Expired", where 'Y' is the certificate number from demoCA/index.txt
of the certificate referred to.
Then use 'openssl ca -in 'x'Req.pem -days 365 -out 'x'Cert.pem -notext'
to sign the original Certificate Signing Request and create a
Certificate valid for another year.
The XP/Win2k systems use the free open source IPSec utility software
that comes from http://vpn.ebootis.de.
Copy the 4 files IPSEC.exe, IPSec.msc, ipsec.conf, e.bootis VPN.lnk, to
To install the Digital Certificate on the client system use the
pre-configured 'Microsoft Management Console' - IPSec.msc - present in
Run the IPSec.msc. Some labels are in German.
Select the 'Zertificate (Lokaler Computer)' option.
Right mouse button click on 'Personal' and select 'All Tasks -> Import'.
Click on the + alongside the 'Zertificate' item to expand the options if
'Personal' is not shown.
Click 'Next' then 'Browse'. Pull down the 'Files of type'and select
Personal Information Exchange (*.pfx,*.p12) file type - if not already
Pull down the 'Look in' box and select the place where you stored the
certificate. The file xxxxxCert should be visible. Select this file and
The File name should be present in the 'File to Import' panel. Click 'Next'.
Click 'Next' as there is no password.
This is important - click 'Automatically select the certificate store
based on the type of certificate',
Then click 'Next', and 'Finish'.
You should get a message 'The import was successful'.
If you select Action->Refresh from the toolbar you should see a new tab
'Certificates'. If you want to see the detail of the certificate -
select 'Certificates' and double click on the certificate shown in the
Close the IPSec.msc file and save the changes. A message may pop up
asking if you want to save it in the MMC version 2.0 format. Say 'Yes'.
I also have a python based GUI that invokes/stops the VPN that will run
on an XP/W2K machine somewhere. Let me know if you are interested.
Hope this helps.
More information about the Users