[Openswan Users] OpenS/WAN and Win2K/XP

Paul Wouters paul at xelerance.com
Wed Jan 26 18:19:15 CET 2005

On Wed, 26 Jan 2005, David Spear wrote:

> AHA!  Now we are making progress.  First, in response to your last
> message asking if I had copied demoCA/cacert.pem to
> /etc/ipsec.d/cacerts, the answer is "yes".  My logs indicate that it is
> found and loaded.  Also that my host cert "downstairs.pem" has been
> loaded.  This is the same "downstairs.pem" which has been converted to
> p12 and copied to the Windows boxes.

I have no idea what happens when two identical certificates interconnect.
You are not supposed to di it that way :)
Because now even the CN= are equal, while normally the CN='s are unique.
Generate a seperate certificate for the gateway and laptop.

> above.  By placing the key which corresponds to these certs (newreq.pem)
> into my /etc/ipsec.d/private I am allowing users which present the
> corresponding cert (newcert.pem) to connect to my freeswan gateway.  Am

No. By placing the cacert in your cacert directory, and by using a certificate for
the gateway with that CA, you allow all certificates signed by that CA to connect.
This can be further tuned down by various other options I won't go into now.

> Regarding the two certs required on my gateway box (end user and CA),
> let's say I do the following:
> # CA -newreq
> # CA -sign
> # mv newreq.pem gateway.key
> # mv newcert.pem gateway.pem
> Where do I put gateway.key and gateway.pem?  Do I have to reference them

key in /etc/ipsec.d/private
cert in /etc/ipsec.d/certs
CAcert in /etc/ipsec.d/cacerts/

> in /etc/ipsec.conf?

You use leftcert=/etc/ipsec.d/certs/gateway.pem
Do not specifiy a rightcert= (since that would override the CAcert)

> do they go in the Win ipsec.conf)

In the windows ipsec.conf you just put:

rightca=" [insert the subject og your CA here]"

Note this is rightCA, not rightCERT.

> two certs from the single import file downstairs.pem (above, actually
> downstairs.pem converted to pkcs12 format using openssl) is there
> something I have to do to make the openswan box do the same?  Is

No, openswan doesnt need the p12 fileformat.

> "cacert.pem" generated at the same time as keys or when the CA was set
> up using "CA -newca"?
> Relating to my situation "no suitable connection for
> /C=CA/ST=BC/L=Penticton/O=HMEXC,CN=downstairs" which I am seeing in my
> freeswan log, what does it mean?

your CA wasn't properly recognised because you didnt  put it in cacerts/ and so
the incoming certificate had an unknown CA and was deemed not allowed to connect.

> PS are demoCA/cacert.pem and the "Trusted CA Root Certificate" on my win
> box the same thing?



"At best it is a theory, at worst a fantasy" -- Michael Crichton

More information about the Users mailing list