[Openswan Users] Some information please

Jacco de Leeuw jacco2 at dds.nl
Fri Dec 23 15:05:36 CET 2005


Terry Mason wrote:

> I have detailed instructions left from the previous admin - here is a 
> rough sketch of what I'm trying:
> 1.  CA -newca

I assume you only need to do this when you want to create a new CA
and invalidate all previously generated certificates?

> 2.  CA -sign
> 3.  move the two files to /etc/ipsec.d/certs or private/username.device.xxx
> 4.  openssl pkcs12 -export -in /etc/ipsec.d/certs/username.device.pem 
> -inkey /etc/ipsec.d/private/username.device.key -certfile 
> /usr/share/ssl/misc/demoCA/cacert.pem -out 
> /etc/ipsec.d/certs/username.device.p12

There is also a pretty good howto by Nate Carlson at:
http://www.natecarlson.com/linux/ipsec-l2tp.php#casetup
(It is also recommended to add a "Client" or "Server" EKU).

> My instructions tell me not to auto install

That's right, you should not double click on the PKCS#12 file.

> but instead to go to the 
> personal folder (in my certificates mmc) and import directly to my 
> personal folder.

Remember to use "Automatically select the certificate store" instead
of "Place all certificates in the following store: Personal".

> When I do this, I get two certs in that folder - one 
> with my company name on it, and another with my name

That can't be right.

> (this looks different from the existing vpn laptops, which only have
> one cert - with the user's name on it).

Exactly. The user's certificate should be in the Personal cert store
and the root certificate in the Trusted Root store. Otherwise the
personal certificate is unusable.

> Another question - when creating a vpn connection, and dialing from the 
> windows client, am I supposed to enter my NT domain username / password 
> into the vpn box, or some other information (like the cert password)?

The cert password is used only once and that is when you import the
certificate.

It depends on how your VPN server does PPP authentication for the
L2TP/IPsec VPN connections. If it uses a static list of CHAP passwords
(/etc/ppp/chap-secrets) then you simply need to enter a username and
password contained in that file.

A more advanced configuration relays the PPP authentication to a
separate RADIUS server. You then enter a username and password
that was configured on the RADIUS server.

If you are using a Samba server or a Windows server on your network
then you can even relay the VPN's PPP authentication to that server
using pppd's Winbind plugin. In that case you enter your NT domain
username and password.

In other words: check the VPN server (it's probably in the file
/etc/ppp/options.l2tpd).

Jacco
-- 
Jacco de Leeuw                         mailto:jacco2 at dds.nl
Zaandam, The Netherlands           http://www.jacco2.dds.nl
                     Mosquitos suck
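The certificate workflow from the quoted instructions (CA, signed user cert, PKCS#12 export with the CA cert bundled in) as an added example that is not part of this thread or of Openswan; it assumes only the OpenSSL command-line tool on PATH, and every subject name, file name and password in it is constructed.

```shell
# Added example (not from the thread): build a throwaway CA, sign a client
# cert with a "Client" EKU, export the PKCS#12 bundle as step 4 does, then
# inspect it. Assumes the OpenSSL CLI on PATH; all names are constructed.
set -e
WORK="${WORK:-$(mktemp -d)}"
CA_SUBJ="/CN=Example VPN CA"        # constructed
USER_SUBJ="/CN=username.device"     # mirrors the naming in the thread
P12_PASS="${P12_PASS:-import-once}" # export password, needed only at import

make_ca() {
  openssl req -new -newkey rsa:2048 -nodes -subj "$CA_SUBJ" \
    -keyout "$WORK/cakey.pem" -out "$WORK/ca.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\n' > "$WORK/ca.ext"
  openssl x509 -req -in "$WORK/ca.csr" -signkey "$WORK/cakey.pem" -days 365 \
    -extfile "$WORK/ca.ext" -out "$WORK/cacert.pem" 2>/dev/null
}

# Client cert with extendedKeyUsage=clientAuth, the "Client" EKU the reply
# recommends adding.
make_client() {
  openssl req -new -newkey rsa:2048 -nodes -subj "$USER_SUBJ" \
    -keyout "$WORK/user.key" -out "$WORK/user.csr" 2>/dev/null
  printf 'extendedKeyUsage=clientAuth\n' > "$WORK/client.ext"
  openssl x509 -req -in "$WORK/user.csr" -CA "$WORK/cacert.pem" \
    -CAkey "$WORK/cakey.pem" -CAcreateserial -days 365 \
    -extfile "$WORK/client.ext" -out "$WORK/user.pem" 2>/dev/null
}

# Step 4 of the quoted instructions: user cert, its key and the CA cert
# (-certfile) all go into one .p12.
export_p12() {
  openssl pkcs12 -export -in "$WORK/user.pem" -inkey "$WORK/user.key" \
    -certfile "$WORK/cacert.pem" -passout "pass:$P12_PASS" -out "$WORK/user.p12"
}

# Certificates in the bundle: 2 (user + CA). Importing everything into
# Personal therefore shows two entries there; "Automatically select the
# certificate store" routes the CA cert to Trusted Root instead.
p12_cert_count() {
  openssl pkcs12 -in "$WORK/user.p12" -passin "pass:$P12_PASS" -nokeys 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE'
}
# Does the user cert chain to the CA and carry the clientAuth EKU?
client_cert_ok() {
  openssl verify -CAfile "$WORK/cacert.pem" "$WORK/user.pem" >/dev/null 2>&1 &&
  openssl x509 -in "$WORK/user.pem" -noout -text | grep -q 'TLS Web Client Authentication'
}

make_ca && make_client && export_p12
```

Running `p12_cert_count` afterwards shows why a "Personal store only" import produces two entries, and `client_cert_ok` is the check worth running on the .p12 contents before handing the file to a laptop.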

