[Openswan Users] Linux to Linux ipsec/l2tp server
Brett Curtis
dashnu at gmail.com
Mon Feb 13 15:25:04 CET 2006
Ok I think that howto is incorrect. It explains how to create host certs by using CA.sh -newreq and then signing it using CA.sh -sign, which leaves you with two files, newcert.pem & newreq.pem, and the newreq.pem is the one used in ipsec.secrets. However ipsec fails to read that file..
I think it needs to be converted... I am all confused now but anyways..
On Feb 13, 2006, at 2:20 PM, Paul Wouters wrote:
> On Mon, 13 Feb 2006, Brett Curtis wrote:
>
>> Ok I have decided to run rsasig for auth. I went through this guide
>> http://www.natecarlson.com/linux/ipsec-l2tp.php to help me configure my own
>> Certificate Authority and created all the needed keys and pems and crls, but
>> when I change my ipsec.secrets to this:
>
> A few remarks:
> 1) you can use RSA keys without X.509 (for linux-linux connections)
Ok linux to linux
> 2) You can use RSA keys without L2TP
Roger, however I need x509 for the windows l2tp clients? So this really does not help me.
>
>> : RSA host.domain.net.key "passwdusedtocreatekey"
>>
>> I get this error in the logs.
>>
>> Feb 13 13:29:19 defender pluto[4028]: error in PKCS#1 private key
>> Feb 13 13:29:19 defender pluto[4028]: | loaded private key for keyid: PPK_RSA:
>> Feb 13 13:29:19 defender pluto[4028]: "/etc/ipsec/ipsec.secrets" line 1: error loading RSA private key file
>> Feb 13 13:29:19 defender pluto[4028]: | next event EVENT_PENDING_PHASE2 in 120 seconds
>>
>> I went through the certificate creation a few times to make sure I did not
>> screw anything up.. however I must have.
>
> I am not sure what you did to your key.
The keys are not in the correct format. I guess..
>
> A simple linux-linux connection using RSA keys without certificates
> or l2tp:
>
> conn simple
>     left=leftip
>     leftrsasigkey=0sA............
>     leftid=@servername
>     right=rightip
>     rightrsasigkey=0sA............
>     rightid=@clientname
>     authby=rsasig
>     auto=start
>
> On left type: ipsec showhostkey --left to obtain the exact leftrsasigkey= line
> On right type: ipsec showhostkey --right to obtain the exact rightrsasigkey= line
>
> If right is behind NAT add to config setup:
>     nat_traversal=yes
>     virtual_private=%v4:10.0.0.0/24 [or whatever internal IP range right has]
>
> and add to conn simple (assuming right is behind nat)
>     rightsubnet=vhost:%no,%priv
>
> If right is also on a dynamic IP, change right=rightip to right=%any on left,
> and to right=%defaultroute on right.
>
> Paul
Ok this worked out for me. (I think.. testing through ssh, and once the connection was made I lost access to my home box.. the server side logs looked good.) This only helps on the linux side though, using RSA keys, and the native windows client will not work..?
I used ipsec newhostkey --output /etc/ipsec/ipsec.secrets --bits 2048 to get all of the above to work.
So with this setup each linux client I have would need to run this command and I would have to create a new conn for each of them?
I am going to keep on the x509 path and see if I can debug my
install. As far as I can tell this will be the best way to use linux
clients and windows clients.
Thanks for the help.
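An added check, not part of this thread and not Openswan's own tooling: the "error in PKCS#1 private key" above comes from pluto being pointed at a file that is not a plain PKCS#1 "RSA PRIVATE KEY" block (a certificate request, a PKCS#8 key, or a passphrase-encrypted key will all fail that way). The script below inspects a PEM file by its block labels and headers and says what it actually holds, so the problem is caught before editing ipsec.secrets. The sample files it writes are constructed placeholders with no real key material; the function names and the classification words are this example's own.

```shell
#!/bin/sh
# Added example (not from the mailing list or the Openswan project): classify a
# PEM file so an ": RSA file" line in ipsec.secrets is only pointed at a plain,
# unencrypted PKCS#1 RSA private key.

# pem_blocks FILE: print the PEM block labels found in FILE, one per line
pem_blocks() {
    sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1"
}

# pem_is_encrypted FILE: succeed if the file carries an encryption marker
# (either the old "Proc-Type: 4,ENCRYPTED" header or a PKCS#8 encrypted block)
pem_is_encrypted() {
    grep -q -e '^Proc-Type: 4,ENCRYPTED' -e '^-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1"
}

# classify_key FILE: print one word describing what the file can be used as
#   pkcs1-key      plain "RSA PRIVATE KEY" block, what the ": RSA file" line expects
#   encrypted-key  needs a passphrase; pluto cannot read it as-is
#   pkcs8-key      "PRIVATE KEY" block, not the PKCS#1 format
#   csr-only       a certificate request, contains no private key at all
#   unknown/unreadable
classify_key() {
    f=$1
    [ -r "$f" ] || { echo "unreadable"; return 1; }
    blocks=$(pem_blocks "$f")
    if pem_is_encrypted "$f"; then
        echo "encrypted-key"
    elif printf '%s\n' "$blocks" | grep -qx 'RSA PRIVATE KEY'; then
        echo "pkcs1-key"
    elif printf '%s\n' "$blocks" | grep -qx 'PRIVATE KEY'; then
        echo "pkcs8-key"
    elif printf '%s\n' "$blocks" | grep -qx 'CERTIFICATE REQUEST'; then
        echo "csr-only"
    else
        echo "unknown"
    fi
}

# make_samples DIR: write constructed sample files. The base64 bodies are
# placeholders, not real keys or requests; only the PEM framing matters here.
make_samples() {
    d=$1
    # plain PKCS#1 key, the shape ipsec newhostkey / showhostkey work with
    cat > "$d/host.key" <<'EOF'
-----BEGIN RSA PRIVATE KEY-----
MIIBOgIBAAJBAPLACEHOLDERNOTAREALKEY
-----END RSA PRIVATE KEY-----
EOF
    # passphrase-encrypted key bundled with a CSR, the kind of file a CA helper
    # may hand back and that pluto rejects
    cat > "$d/newreq.pem" <<'EOF'
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,0123456789ABCDEF

PLACEHOLDERCIPHERTEXTNOTAREALKEY
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE REQUEST-----
PLACEHOLDERREQUESTNOTAREALCSR
-----END CERTIFICATE REQUEST-----
EOF
    # PKCS#8 key: valid for OpenSSL, but not the PKCS#1 framing
    cat > "$d/pkcs8.key" <<'EOF'
-----BEGIN PRIVATE KEY-----
MIIBVQIBADANPLACEHOLDERNOTAREALKEY
-----END PRIVATE KEY-----
EOF
    # request only, no key at all
    cat > "$d/csr.pem" <<'EOF'
-----BEGIN CERTIFICATE REQUEST-----
PLACEHOLDERREQUESTNOTAREALCSR
-----END CERTIFICATE REQUEST-----
EOF
}

# Usage: write the samples to a scratch directory and classify each one.
tmp=$(mktemp -d) || exit 1
make_samples "$tmp"
for name in host.key newreq.pem pkcs8.key csr.pem; do
    printf '%s: %s\n' "$name" "$(classify_key "$tmp/$name")"
done
rm -rf "$tmp"
```

Run it against the real file named in ipsec.secrets (`classify_key /etc/ipsec/host.domain.net.key`); anything other than pkcs1-key explains the PKCS#1 error before pluto ever starts, and the check needs only sed and grep, so it works on a minimal gateway without depending on a particular OpenSSL version.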