[Openswan Users] Linux to Linux ipsec/l2tp server
Paul Wouters
paul at xelerance.com
Mon Feb 13 20:20:08 CET 2006
On Mon, 13 Feb 2006, Brett Curtis wrote:
> Ok I have decided to run rsasig for auth. I went through this guide
> http://www.natecarlson.com/linux/ipsec-l2tp.php to help me configure my own
> Certificate Authority and created all the needed keys and pems and crls but
> When I change my ipsec.secrets to this:
A few remarks:
1) You can use RSA keys without X.509 (for linux-linux connections)
2) You can use RSA keys without L2TP
> : RSA host.domain.net.key "passwdusedtocreatekey"
>
> I get this error in the logs.
>
> Feb 13 13:29:19 defender pluto[4028]: error in PKCS#1 private key
> Feb 13 13:29:19 defender pluto[4028]: | loaded private key for keyid: PPK_RSA:
> Feb 13 13:29:19 defender pluto[4028]: "/etc/ipsec/ipsec.secrets" line 1: error
> loading RSA private key file
> Feb 13 13:29:19 defender pluto[4028]: | next event EVENT_PENDING_PHASE2 in 120
> seconds
>
> I went through the certificate creation a few times to make sure I did not
> screw anything up.. however I must have.
I am not sure what you did to your key.
A simple linux-linux connection using RSA keys without certificates or l2tp:
conn simple
	left=leftip
	leftrsasigkey=0sA............
	leftid=@servername
	right=rightip
	rightrsasigkey=0sA............
	rightid=@clientname
	authby=rsasig
	auto=start
On left type: ipsec showhostkey --left to obtain the exact leftrsasigkey= line
On right type: ipsec showhostkey --right to obtain the exact rightrsasigkey= line
If right is behind NAT, add to config setup:
	nat_traversal=yes
	virtual_private=%v4:10.0.0.0/24 (or whatever internal IP range right has)
and add to conn simple (assuming right is behind NAT):
	rightsubnet=vhost:%no,%priv
If right is also on a dynamic IP, change right=rightip to right=%any on left, and to
right=%defaultroute on right.
Paul