[Openswan Users] Some information please

Trevor Hennion trevor-os at thennion.demon.co.uk
Wed Dec 21 20:03:56 CET 2005


Terry Mason wrote:

 > Hello everyone - hopefully I'm posting in the correct place - this is 
my first attempt at support.
 >
 > I have inherited an openswan installation on my company's firewall. 
This allows us to VPN into the company network (openswan is on Fedora 3, 
and the clients are all windows xp).  I personally have no experience 
with vpns, and am trying to make some new certs.  The existing 
certs/connections seem fine, but any new certificates I create never work.
 >
 > I have detailed instructions left from the previous admin - here is a 
rough sketch of what I'm trying:
 > 1.  CA -newca
 > 2.  CA -sign
 > 3.  move the two files to /etc/ipsec.d/certs or 
private/username.device.xxx
 > 4.  openssl pkcs12 -export -in /etc/ipsec.d/certs/username.device.pem 
-inkey /etc/ipsec.d/private/username.device.key -certfile 
/usr/share/ssl/misc/demoCA/cacert.pem -out 
/etc/ipsec.d/certs/username.device.p12
 >
 >
 > So everything appears to work, and I get a fancy p12 file, and my 
instructions tell me to install it on my windows clients.  I've taken 
the p12 file, and tried double clicking and installing it that way 
(appears to work) but my windows client takes forever trying to make a 
connection, then finally gives an error (error 729 I believe, but I'm at 
work now and can't check).
 >
 > My instructions tell me not to auto install, but instead to go to the 
personal folder (in my certificates mmc) and import directly to my 
personal folder.  When I do this, I get two certs in that folder - one 
with my company name on it, and another with my name (this looks 
different from the existing vpn laptops, which only have one cert - with 
the user's name on it).
 >
 > Hopefully this is enough information to give you guys.  I am still 
reading and trying to understand what exactly is going on.  I believe 
that I am using openssl to generate some certificates, then private keys 
combined with that certificate to access the network.
 >
 > Another question - when creating a vpn connection, and dialing from 
the windows client, am I supposed to enter my NT domain username / 
password into the vpn box, or some other information (like the cert 
password)?
 >
 > Thank you very much for your time!
 > Terry Mason
 >

These are the instructions I have written for our setup.
It uses OpenSSL compiled from sources, so you may find the directories 
are different.


VPN - Certificates.

All the certificate creation and management is done using 'openssl'.
Requires a Certificate Authority (CA) to have been set up in advance. 
This exists in /usr/local/ssl/misc/demoCA. The CA root certificate lasts 
for 10 years. The pass phrase for the CA root certificate MUST be 
carefully protected - lock it in the firesafe.
Each user will be issued their own Certificate that has been signed by 
the CA's Root certificate.
The CRL (Certificate Revocation List) can be used to revoke an 
individual certificate.

Create a Client Certificate.

Be root and 'cd' to /usr/local/ssl/misc.

Use a Certificate name that includes the user's name for ease of 
recognition, i.e. 'wxptfhCert.pem'.  This includes the client type as well 
as the user's name.

Run the command:
'openssl req -newkey rsa:1024 -keyout 'x'Key.pem -out 'x'Req.pem'

     where 'x' is the client type and user name - 'x' would be wxptfh in 
the example above.

Replace 'x' below in the same way.

Use the pass phrase xxxx - twice, when requested:
"Enter PEM passphrase:"
"Verifying password - Enter PEM passphrase:" Do NOT use the CA passphrase.

Enter data:
C=UK
S=Berkshire
L=Reading
O=Your Company
OU=Your Department
CN=<username>
E=<username>@yourcompany

Do not enter a challenge password
Optional company name - not needed.

Now sign the new Request with the CA certificate:
'openssl ca -in 'x'Req.pem -days 365 -out 'x'Cert.pem -notext'

Enter the CA passphrase when requested: "Enter pass phrase for 
demoCA/private/cakey:"

"Sign the certificate? [y/n]:"  y
"1 out of 1 certificate requests certified, commit? [y/n]:"  y

For a Windows client create a PKCS#12 file
Run:
  'openssl pkcs12 -export -inkey 'x'Key.pem -in 'x'Cert.pem  -certfile 
demoCA/cacert.pem  -out 'x'Cert.p12'

"Enter PEM pass phrase:"  xxxx
"Enter Export Password: "  return
"Verifying password"  return

The command "openssl x509 -in <name>Cert.pem -noout -subject" will 
provide the subject line to use in the Gateway's ipsec.conf file.

Use the RootCA's subject line in the Windows client's ipsec.conf file. 
The command "ipsec auto --listcacerts" run on the gateway system shows 
the subject line.

For a Linux client - omit creating the *.p12 file. Send both the 
'x'Cert.pem and 'x'Key.pem files to the Linux user.

If you had to change the CN details in the user's certificate - i.e. to 
issue another certificate before the previous certificate expires, make 
sure the
/etc/ipsec.conf file on the gateway is updated.

Certificate Revocation List.

This file lists certificates that should no longer be allowed to connect 
to the VPN gateway.
The CRL file, crl.pem, is stored in /usr/local/ssl/misc/demoCA/crl. 
After updating the CRL file copy it to the VPN Gateway box, and store it in
/etc/ipsec.d/crls.


Re-issuing an expired certificate.

You cannot issue a new certificate with identical subject data to an 
existing certificate. Therefore when a certificate expires you may have 
to update the local database so that the certificate is marked expired, 
or revoked.

Use 'openssl ca -in 'x'Req.pem -days 365 -out 'x'Cert.pem -notext 
-updatedb' to update the database and you should get the response 
"'Y'=Expired", where 'Y' is the certificate number from demoCA/index.txt 
of the certificate referred to.

Then use 'openssl ca -in 'x'Req.pem -days 365 -out 'x'Cert.pem -notext' 
to sign the original Certificate Signing Request and create a 
Certificate valid for another year.


Client tasks.

The XP/Win2k systems use the free open source IPSec utility software 
that comes from http://vpn.ebootis.de.
Copy the 4 files IPSEC.exe, IPSec.msc, ipsec.conf, e.bootis VPN.lnk, to 
C:\Program Files\VPN.

To install the Digital Certificate on the client system use the 
pre-configured 'Microsoft Management Console' - IPSec.msc - present in 
C:\Program Files\VPN.

Run the IPSec.msc. Some labels are in German.

Select the 'Zertificate (Lokaler Computer)' option.

Right mouse button click on 'Personal' and select 'All Tasks -> Import'. 
Click on the + alongside the 'Zertificate' item to expand the options if 
'Personal' is not shown.

Click 'Next' then 'Browse'. Pull down the 'Files of type' and select 
Personal Information Exchange (*.pfx,*.p12) file type - if not already 
showing.

Pull down the 'Look in' box and select the place where you stored the 
certificate.  The file xxxxxCert should be visible. Select this file and 
click 'Open'.

The File name should be present in the 'File to Import' panel. Click 'Next'.
Click 'Next' as there is no password.

This is important - click  'Automatically select the certificate store 
based on the type of certificate',

Then click 'Next', and 'Finish'.

You should get a message 'The import was successful'.

If you select Action->Refresh from the toolbar you should see a new tab 
'Certificates'. If you want to see the detail of the certificate - 
select 'Certificates' and double click on the certificate shown in the 
right pane.

Close the IPSec.msc file and save the changes. A message may pop up 
asking if you want to save it in the MMC version 2.0 format. Say 'Yes'.


I also have a python based GUI that invokes/stops the VPN that will run 
on an XP/W2K machine somewhere. Let me know if you are interested.

Hope this helps.

Regards

Trevor Hennion
http://www.infocentrality.co.uk
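The following script is an added example, not Trevor's own instructions or anything shipped with Openswan. It builds a throwaway CA in a temporary directory and runs the procedure described above (request, 'openssl ca' signing, PKCS#12 export for a Windows client, CRL generation, re-issue for a subject that already has a certificate) with non-interactive flags, so the behaviour can be checked before touching a real demoCA. It assumes a reasonably current 'openssl' command line (1.1.1 or newer). Every name in it is invented: the CA is "Example Co Root CA", the user is "tfh" on a Windows XP client (file stem "wxptfh"), the key pass phrase is "xxxx" as in the post, and the CA and export pass phrases are "ca-secret" and "p12-export". Two deliberate differences from the post: the .p12 gets a non-empty export password, because that file contains the user's private key, and revocation stands in for expiry to show the "identical subject" rule, since '-updatedb' only marks certificates whose notAfter has actually passed.

```shell
#!/bin/sh
# Added example, not the post's own scripts: a throwaway CA that runs the post's
# certificate procedure end to end with non-interactive flags. All names are
# invented: CA "Example Co Root CA", user "tfh" on a Windows XP box (stem
# "wxptfh"), key pass phrase "xxxx" as in the post, CA pass phrase "ca-secret".
CA_PASS=ca-secret
KEY_PASS=xxxx
P12_PASS=p12-export   # the post leaves this empty; the .p12 carries the private key

make_ca() {  # $1 = absolute work dir; builds $1/demoCA the way CA.pl -newca does
    mkdir -p "$1/demoCA/private" "$1/demoCA/newcerts" "$1/demoCA/crl" || return 1
    : > "$1/demoCA/index.txt"; echo 01 > "$1/demoCA/serial"; echo 01 > "$1/demoCA/crlnumber"
    cat > "$1/ca.cnf" <<EOF
[ ca ]
default_ca = demoCA
[ demoCA ]
dir              = $1/demoCA
database         = \$dir/index.txt
new_certs_dir    = \$dir/newcerts
certificate      = \$dir/cacert.pem
private_key      = \$dir/private/cakey.pem
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
default_md       = sha256
default_crl_days = 30
policy           = policy_any
unique_subject   = yes
x509_extensions  = client_cert
[ policy_any ]
commonName = supplied
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
emailAddress = optional
[ client_cert ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ req ]
distinguished_name = req_dn
[ req_dn ]
commonName = Common Name
EOF
    openssl req -config "$1/ca.cnf" -x509 -newkey rsa:2048 -days 3650 -extensions v3_ca \
        -subj "/C=UK/O=Example Co/CN=Example Co Root CA" -passout "pass:$CA_PASS" \
        -keyout "$1/demoCA/private/cakey.pem" -out "$1/demoCA/cacert.pem" 2>/dev/null
}

new_request() {  # $1 = dir, $2 = stem (client type + user), $3 = CN, $4 = e-mail
    # the post's "S=Berkshire" is stateOrProvinceName, written ST in -subj syntax
    openssl req -config "$1/ca.cnf" -newkey rsa:2048 -passout "pass:$KEY_PASS" \
        -subj "/C=UK/ST=Berkshire/L=Reading/O=Your Company/OU=Your Department/CN=$3/emailAddress=$4" \
        -keyout "$1/$2Key.pem" -out "$1/$2Req.pem" 2>/dev/null
}

sign_request() {  # $1 = dir, $2 = request, $3 = cert to write; -batch answers the y/n prompts
    openssl ca -batch -config "$1/ca.cnf" -passin "pass:$CA_PASS" -days 365 -notext \
        -in "$1/$2" -out "$1/$3" 2>/dev/null
}

export_p12() {  # $1 = dir, $2 = stem; key + user cert + CA cert, as the post's pkcs12 line
    openssl pkcs12 -export -inkey "$1/$2Key.pem" -in "$1/$2Cert.pem" \
        -certfile "$1/demoCA/cacert.pem" -passin "pass:$KEY_PASS" \
        -passout "pass:$P12_PASS" -out "$1/$2Cert.p12"
}

revoke_and_gencrl() {  # $1 = dir, $2 = cert; writes demoCA/crl/crl.pem for /etc/ipsec.d/crls
    openssl ca -config "$1/ca.cnf" -passin "pass:$CA_PASS" -revoke "$1/$2" 2>/dev/null &&
    openssl ca -config "$1/ca.cnf" -passin "pass:$CA_PASS" -gencrl \
        -out "$1/demoCA/crl/crl.pem" 2>/dev/null
}

verify_with_crl() {  # $1 = dir, $2 = cert; 0 if the gateway would accept it against CA + CRL
    openssl verify -crl_check -CAfile "$1/demoCA/cacert.pem" \
        -CRLfile "$1/demoCA/crl/crl.pem" "$1/$2" >/dev/null 2>&1
}

run_demo() {  # whole walk-through in $1; returns 0 only if each step behaves as the post says
    d=$1
    make_ca "$d" && new_request "$d" wxptfh tfh tfh@yourcompany &&
    sign_request "$d" wxptfhReq.pem wxptfhCert.pem || return 1
    echo "ipsec.conf id: $(openssl x509 -in "$d/wxptfhCert.pem" -noout -subject)"
    export_p12 "$d" wxptfh || return 1
    # unique_subject = yes: a subject cannot be certified again while a 'V' entry exists
    if sign_request "$d" wxptfhReq.pem dup.pem; then echo "duplicate accepted"; return 1; fi
    # revoking (like -updatedb marking an expired cert 'E') frees the subject for re-issue
    revoke_and_gencrl "$d" wxptfhCert.pem || return 1
    verify_with_crl "$d" wxptfhCert.pem && { echo "revoked cert still verifies"; return 1; }
    sign_request "$d" wxptfhReq.pem wxptfhCert2.pem && verify_with_crl "$d" wxptfhCert2.pem
}

run_demo "$(mktemp -d)" && echo "all steps OK"
```

Two points worth knowing when adapting this. The '-certfile' argument is what puts the CA certificate into the .p12 alongside the user's key and certificate; with "Automatically select the certificate store" the Windows importer files the CA certificate under Trusted Root Certification Authorities and the user certificate under Personal, whereas importing straight into Personal leaves both in that folder. With OpenSSL 3.x the default PKCS#12 encryption (AES and PBKDF2) is not understood by old Windows releases such as XP; 'openssl pkcs12 -export -legacy' produces the older 3DES/RC2 form those clients expect.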


