[Openswan Users] testing very simple openswan architecture

david ngc1976.m42 at caramail.com
Tue May 3 18:37:04 CEST 2005


> On Tue, 3 May 2005, david wrote:
> 
> > I read the documentation strongsec/freeswan and the how-to from Nate Carlson but I think I do not understand how to configure the ipsec.conf files for the two hosts.
> >
> > HostA and hostB are directly linked.
> >
> > --------------------HostA certificate files----------------------
> > /etc/openswan/ipsec.d/private/user01des.key
> > /etc/openswan/ipsec.d/certs/user01des.crt
> > /etc/openswan/ipsec.d/cacerts/ca.crt
> >
> > -----------------------------end-----------------------------------
> >
> > --------------------HostB certificate files----------------------
> > /etc/openswan/ipsec.d/private/user02des.key
> > /etc/openswan/ipsec.d/certs/user02des.crt
> > /etc/openswan/ipsec.d/cacerts/ca.crt
> >
> > -----------------------------end-----------------------------------
> >
> > user01des.crt and user02.crt are signed by the ca.crt
> > For all the keys, the length is 1024 with DES3.
> >
> >
> >
> >
> >
> > -------------------host A ipsec.conf file------------------------
> > config setup
> >         klipsdebug=none
> >         plutodebug=all
> >
> > # Add connections here
> > conn %default
> >         keyingtries=0
> >         authby=rsasig
> >
> > # sample VPN connection
> > conn testvpnda
> >         left=195.212.109.202
> >         leftcert=user01des.crt
> >         right=195.212.109.203
> >         rightrsasigkey=%cert
> >         auto=add
> >
> > ------------------------------end-------------------------------------
> >
> > I put the same configuration for hostA and hostB.
> 
> That won't work, unless you changed leftcert/rightcert. Both ends need to
> load only their own certificate.

Yes, I had already put this for hostB:
-------------------host B ipsec.conf file------------------------
config setup
        klipsdebug=none
        plutodebug=all

# Add connections here
conn %default
        keyingtries=0
        authby=rsasig

# sample VPN connection
conn testvpnda
        left=195.212.109.202
        leftrsasigkey=%cert
        right=195.212.109.203
        rightcert=user02des.crt
        auto=add

------------------------------end-------------------------------------


> 
> Helpful command: ipsec auto --listall
------------------------------------------------------------------------

OK, this command gives me the following on hostB (it is quite the same on hostA, but of course the certificate and the key are not the same; everything is ok):

[root at dhcp203 openswan]# ipsec auto --listall
000
000 List of Public Keys:
000
000 May 03 19:19:52 2005, 1024 RSA Key AwEAAeCQ9, until May 03 13:26:29 2006 ok
000        ID_USER_FQDN 'user01des at caramail.com'
000        Issuer 'C=fr, ST=ile-de-france, L=paris, O=toto, CN=rootca1024'
000 May 03 19:19:52 2005, 1024 RSA Key AwEAAeCQ9, until May 03 13:26:29 2006 ok
000        ID_DER_ASN1_DN 'C=fr, ST=ile-de-france, L=paris, O=toto, CN=user01des, E=user01des at caramail.com'
000        Issuer 'C=fr, ST=ile-de-france, L=paris, O=toto, CN=rootca1024'
000 May 03 19:17:47 2005, 1024 RSA Key AwEAAeqR4, until May 03 13:29:40 2006 ok
000        ID_USER_FQDN 'user02des at caramail.com'
000        Issuer 'C=fr, ST=ile-de-france, L=paris, O=toto, CN=rootca1024'
000 May 03 19:17:47 2005, 1024 RSA Key AwEAAeqR4, until May 03 13:29:40 2006 ok
000        ID_DER_ASN1_DN 'C=fr, ST=ile-de-france, L=paris, O=toto, CN=user02des, E=user02des at caramail.com'
000        Issuer 'C=fr, ST=ile-de-france, L=paris, O=toto, CN=rootca1024'
000 May 03 19:17:42 2005, 2192 RSA Key AQNeVYs83, until --- -- --:--:-- ---- ok (expires never)
000        ID_IPV4_ADDR '195.212.109.204'
000 May 03 19:17:42 2005, 2192 RSA Key AQOvVgRGm, until --- -- --:--:-- ---- ok (expires never)
000        ID_IPV4_ADDR '195.212.109.203'
000
000 List of X.509 End Certificates:
000
000 May 03 19:17:47 2005, count: 1
000        subject: 'C=fr, ST=ile-de-france, L=paris, O=toto, CN=user02des, E=user02des at caramail.com'
000        issuer:  'C=fr, ST=ile-de-france, L=paris, O=toto, CN=rootca1024'
000        serial:   03
000        pubkey:   1024 RSA Key AwEAAeqR4, has private key
000        validity: not before May 03 13:29:40 2005 ok
000                  not after  May 03 13:29:40 2006 ok
000        subjkey:  a6:0a:2c:41:7b:8b:4d:6d:75:6b:b5:a2:ec:25:95:81:e7:12:d1:bc
000        authkey:  28:99:32:6e:71:23:3d:5d:d8:9a:c2:2a:be:18:bf:98:94:76:29:76
000
000 List of X.509 CA Certificates:
000
000 May 03 19:17:40 2005, count: 1
000        subject: 'C=fr, ST=ile-de-france, L=paris, O=toto, CN=rootca1024'
000        issuer:  'C=fr, ST=ile-de-france, L=paris, O=toto, CN=rootca1024'
000        serial:   00
000        pubkey:   1024 RSA Key AwEAAcKtB
000        validity: not before May 03 13:11:24 2005 ok
000                  not after  May 03 13:11:24 2025 ok
000        subjkey:  28:99:32:6e:71:23:3d:5d:d8:9a:c2:2a:be:18:bf:98:94:76:29:76
----------------------------------end---------------------------------

Is there anything wrong? (It seems to me not...)


> Check to see if your certificate loaded it has a private key loaded, and 
> the root CA loaded on both ends.

It seems that my certificate is loaded and it has a private key, and the root CA is loaded too?


> 
> Paul
