[Openswan Users] Linux to Linux ipsec/l2tp server

Paul Wouters paul at xelerance.com
Mon Feb 13 20:20:08 CET 2006


On Mon, 13 Feb 2006, Brett Curtis wrote:

> Ok I have decided to run rsasig for auth. I went through this guide
> http://www.natecarlson.com/linux/ipsec-l2tp.php to help me configure my own
> Certificate Authority and created all the needed keys and pems and crls but
> When I change my ipsec.secrets to this:

A few remarks:
1) you can use RSA keys without X.509 (for linux-linux connections)
2) You can use RSA keys without L2TP

> : RSA host.domain.net.key "passwdusedtocreatekey"
>
> I get this error in the logs.
>
> Feb 13 13:29:19 defender pluto[4028]:   error in PKCS#1 private key
> Feb 13 13:29:19 defender pluto[4028]: | loaded private key for keyid: PPK_RSA:
> Feb 13 13:29:19 defender pluto[4028]: "/etc/ipsec/ipsec.secrets" line 1: error
> loading RSA private key file
> Feb 13 13:29:19 defender pluto[4028]: | next event EVENT_PENDING_PHASE2 in 120
> seconds
>
> I went through the certificate creation a few times to make sure i did not
> screw anything up.. however I must have.

I am not sure what you did to your key.

A simple linux-linux connection using RSA keys without certificates or l2tp:

conn simple
	left=leftip
	leftrsasigkey=0sA............
	leftid=@servername
	right=rightip
	rightrsasigkey=0sA............
	rightid=@clientname
	authby=rsasig
	auto=start

On left type: ipsec showhostkey --left to obtain the exact leftrsasigkey= line
On right type: ipsec showhostkey --right to obtain the exact rightrsasigkey= line

If right is behind NAT add to config setup:
	nat_traversal=yes
	virtual_private=%v4:10.0.0.0/24   (or whatever internal IP range right has)

and add to conn simple (assuming right is behind nat)
	rightsubnet=vhost:%no,%priv

If right is also on a dynamic IP, change right=rightip to right=%any on left, and to
right=%defaultroute on right.

Paul
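As an added example (not from Paul's reply or from Openswan's own code): a small Python script that decodes and re-encodes the leftrsasigkey=/rightrsasigkey= value printed by ipsec showhostkey. That value is "0s" (Openswan's base64 marker) followed by the RFC 3110 RSA public key encoding (exponent length, exponent, modulus), so a decoder is a quick sanity check that a pasted key is complete before the conn is started. The key values in the demo are constructed, not real host keys.

```python
import base64


def decode_rsasigkey(value: str):
    """Decode a leftrsasigkey=/rightrsasigkey= value into (exponent, modulus).

    Layout (RFC 3110): exponent length as 1 byte, or 0x00 followed by a
    2-byte length; then the exponent; everything left is the modulus.
    """
    if not value.startswith("0s"):
        raise ValueError("expected the '0s' base64 prefix printed by ipsec showhostkey")
    blob = base64.b64decode(value[2:], validate=True)
    if not blob:
        raise ValueError("empty key blob")
    if blob[0] != 0:
        elen, pos = blob[0], 1
    else:
        if len(blob) < 3:
            raise ValueError("truncated exponent length")
        elen, pos = int.from_bytes(blob[1:3], "big"), 3
    # A pasted key cut short shows up here as a missing modulus.
    if elen == 0 or len(blob) < pos + elen + 1:
        raise ValueError("truncated exponent or missing modulus")
    e = int.from_bytes(blob[pos:pos + elen], "big")
    n = int.from_bytes(blob[pos + elen:], "big")
    if e % 2 == 0 or n % 2 == 0:
        raise ValueError("RSA exponent and modulus must be odd")
    return e, n


def encode_rsasigkey(e: int, n: int) -> str:
    """Inverse of decode_rsasigkey: build the '0s...' string from (e, n)."""
    eb = e.to_bytes((e.bit_length() + 7) // 8, "big")
    hdr = bytes([len(eb)]) if len(eb) < 256 else b"\x00" + len(eb).to_bytes(2, "big")
    nb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return "0s" + base64.b64encode(hdr + eb + nb).decode("ascii")


def key_bits(value: str) -> int:
    """Modulus size in bits, e.g. to confirm both sides pasted a full key."""
    return decode_rsasigkey(value)[1].bit_length()


if __name__ == "__main__":
    # Constructed demo values (not a real RSA modulus): 1024-bit odd number.
    demo_n = (1 << 1023) + 12345
    line = "leftrsasigkey=" + encode_rsasigkey(65537, demo_n)
    print(line[:40] + "...", "bits:", key_bits(line.split("=", 1)[1]))
```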

