[Openswan Users] OpenS/WAN and Win2K/XP

David Spear dspear at telus.net
Wed Jan 26 07:58:17 CET 2005


> Yes. You need to create 1 CA and one Cert for each box that is a tunnel
> endpoint, which includes the openswan machine.
> 
AHA!  Now we are making progress.  First, in response to your last
message asking if I had copied demoCA/cacert.pem to
/etc/ipsec.d/cacerts, the answer is "yes".  My logs indicate that it is
found and loaded.  Also that my host cert "downstairs.pem" has been
loaded.  This is the same "downstairs.pem" which has been converted to
p12 and copied to the Windows boxes.

So I'm still looking for a relationship here.  I know that when I use
"CA -newreq" and "CA -sign" I am generating a key/cert pair which are
output as "newreq.pem" and "newcert.pem".  When I import "newcert.pem" to
a Windows box I then have TWO certificates installed (a "personal" one
and a "Trusted CA Root" one).  These are the "two" that you refer to
above.  By placing the key which corresponds to these certs (newreq.pem)
into my /etc/ipsec.d/private I am allowing users which present the
corresponding cert (newcert.pem) to connect to my freeswan gateway.  Am
I mistaken here?  I'm pretty sure now that I'm missing a key step.  Pun
intended.

Regarding the two certs required on my gateway box (end user and CA),
let's say I do the following:

# CA -newreq
# CA -sign
# mv newreq.pem gateway.key
# mv newcert.pem gateway.pem

Where do I put gateway.key and gateway.pem?  Do I have to reference them
in /etc/ipsec.conf?  Do the Windows boxes have to know about them (i.e.
do they go in the Win ipsec.conf)?  As the win boxes are able to extract
two certs from the single import file downstairs.pem (above, actually
downstairs.pem converted to pkcs12 format using openssl) is there
something I have to do to make the openswan box do the same?  Is
"cacert.pem" generated at the same time as keys or when the CA was set
up using "CA -newca"?  

Relating to my situation "no suitable connection for
/C=CA/ST=BC/L=Penticton/O=HMEXC,CN=downstairs" which I am seeing in my
freeswan log, what does it mean?  It appears to me that I am making it
through the opening rounds of ipsec negotiation (to STATE_MAIN_R2) and
that there is some sort of authorizing file/cert/key missing on the
openswan end which would be telling openswan "let this guy in, he has a
cert which we recognize".  I figured that having
/etc/ipsec.d/private/downstairs.key coupled with having
/etc/ipsec.d/cacerts/cacert.pem (CA Cert of CA which issued
downstairs.pem) would do the trick...

AAAAHHHHHHHHHHGGGGGGGGG!!!!!!!!!

PS are demoCA/cacert.pem and the "Trusted CA Root Certificate" on my win
box the same thing?



