[Openswan Users] Some information please
Jacco de Leeuw
jacco2 at dds.nl
Fri Dec 23 15:05:36 CET 2005
Terry Mason wrote:
> I have detailed instructions left from the previous admin - here is a
> rough sketch of what I'm trying:
> 1. CA -newca
I assume you only need to do this when you want to create a new CA
and invalidate all previously generated certificates?
> 2. CA -sign
> 3. move the two files to /etc/ipsec.d/certs or private/username.device.xxx
> 4. openssl pkcs12 -export -in /etc/ipsec.d/certs/username.device.pem
> -inkey /etc/ipsec.d/private/username.device.key -certfile
> /usr/share/ssl/misc/demoCA/cacert.pem -out
There is also a pretty good howto by Nate Carlson at:
(It is also recommended to add a "Client" or "Server" EKU).
> My instructions tell me not to auto install
That's right, you should not double click on the PKCS#12 file.
> but instead to go to the
> personal folder (in my certificates mmc) and import directly to my
> personal folder.
Remember to use "Automatically select the certificate store" instead
of "Place all certificates in the following store: Personal".
> When I do this, I get two certs in that folder - one
> with my company name on it, and another with my name
That can't be right.
> (this looks different from the existing vpn laptops, which only have
> one cert - with the user's name on it).
Exactly. The user's certificate should be in the Personal cert store
and the root certificate in the Trusted Root store. Otherwise the
personal certificate is unusable.
> Another question - when creating a vpn connection, and dialing from the
> windows client, am I supposed to enter my NT domain username / password
> into the vpn box, or some other information (like the cert password)?
The cert password is used only once and that is when you import the
It depends on how your VPN server does PPP authentication for the
L2TP/IPsec VPN connections. If it uses a static list of CHAP passwords
(/etc/ppp/chap-secrets) then you simply need to enter a username and
password contained in that file.
A more advanced configuration relays the PPP authentication to a
separate RADIUS server. You then enter a username and password
that was configured on the RADIUS server.
If you are using a Samba server or a Windows server on your network
then you can even relay the VPN's PPP authentication to that server
using pppd's Winbind plugin. In that case you enter your NT domain
username and password.
In other words: check the VPN server (it's probably in the file
Jacco de Leeuw mailto:jacco2 at dds.nl
Zaandam, The Netherlands http://www.jacco2.dds.nl
More information about the Users