[Openswan Users] Linux to Linux ipsec/l2tp server

Brett Curtis dashnu at gmail.com
Mon Feb 13 15:25:04 CET 2006


OK, I think that howto is incorrect. It explains how to create host certs by using CA.sh -newreq and then signing them using CA.sh -sign, which leaves you with two files, newcert.pem & newreq.pem, and newreq.pem is the one used in ipsec.secrets. However, ipsec fails to read that file.

I think it needs to be converted... I am all confused now, but anyway.
On Feb 13, 2006, at 2:20 PM, Paul Wouters wrote:

> On Mon, 13 Feb 2006, Brett Curtis wrote:
>
>> OK, I have decided to run rsasig for auth. I went through this guide
>> http://www.natecarlson.com/linux/ipsec-l2tp.php to help me configure my own
>> Certificate Authority and created all the needed keys and pems and crls, but
>> when I change my ipsec.secrets to this:
>
> A few remarks:
> 1) you can use RSA keys without X.509 (for linux-linux connections)
OK, linux to linux.
> 2) You can use RSA keys without L2TP
Roger, however I need X.509 for Windows L2TP clients? So this really does not help me.
>
>> : RSA host.domain.net.key "passwdusedtocreatekey"
>>
>> I get this error in the logs.
>>
>> Feb 13 13:29:19 defender pluto[4028]:   error in PKCS#1 private key
>> Feb 13 13:29:19 defender pluto[4028]: | loaded private key for keyid: PPK_RSA:
>> Feb 13 13:29:19 defender pluto[4028]: "/etc/ipsec/ipsec.secrets" line 1: error loading RSA private key file
>> Feb 13 13:29:19 defender pluto[4028]: | next event EVENT_PENDING_PHASE2 in 120 seconds
>>
>> I went through the certificate creation a few times to make sure I did not
>> screw anything up... however I must have.
>
> I am not sure what you did to your key.

The keys are not in the correct format, I guess.
>
> A simple linux-linux connection using RSA keys without certificates or l2tp:
>
> conn simple
> 	left=leftip
> 	leftrsasigkey=0sA............
> 	leftid=@servername
> 	right=rightip
> 	rightrsasigkey=0sA............
> 	rightid=@clientname
> 	authby=rsasig
> 	auto=start
>
> On left type: ipsec showhostkey --left to obtain the exact leftrsasigkey= line
> On right type: ipsec showhostkey --right to obtain the exact rightrsasigkey= line
>
> If right is behind NAT add to config setup:
> 	nat_traversal=yes
> 	virtual_private=%v4:10.0.0.0/24   (or whatever internal IP range right has)
>
> and add to conn simple (assuming right is behind nat)
> 	rightsubnet=vhost:%no,%priv
>
> If right is also on dynamic ip, change right=rightip to right=%any on left, and to
> right=%defaultroute on right.
>
> Paul

OK, this worked out for me. (I think... testing through ssh, and once the connection was made I lost access to my home box... the server-side logs looked good.) This only helps on the Linux side though, using RSA keys, and the native Windows client will not work..?

I used ipsec newhostkey --output /etc/ipsec/ipsec.secrets --bits 2048 to get all of the above to work.

So with this setup, each Linux client I have would need to run this command, and I would have to create a new conn for each of them?

I am going to keep on the X.509 path and see if I can debug my install. As far as I can tell this will be the best way to use Linux clients and Windows clients.

Thanks for the help.
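The pluto messages Brett quotes, "error in PKCS#1 private key" followed by "error loading RSA private key file", say that the file named on the : RSA file "passphrase" line did not parse as a PKCS#1 RSAPrivateKey, the structure behind a "-----BEGIN RSA PRIVATE KEY-----" block. The quickest way to find out what such a file really contains is to look at its PEM blocks one by one. What follows is an added example, not code from this thread or from Openswan: a standard-library Python script that lists every PEM block in a file, tells apart a certificate request, a certificate, a PKCS#8 key and a PKCS#1 key, notes when a PKCS#1 key is passphrase-encrypted (the Proc-Type/DEK-Info headers), and, for an unencrypted PKCS#1 key, decodes the DER and checks that n = p*q and the CRT exponents agree. All inputs are constructed: a file mixing a CSR block with an encrypted-key block whose base64 bodies are filler, and a toy key built from the textbook 3233 = 61 * 53 parameters, which is useless as a real key. Function names are mine.

```python
"""Classify the PEM blocks in the file an ipsec.secrets ': RSA <file> "<pass>"'
line points at: is any of them a PKCS#1 RSAPrivateKey?  Stdlib only; added example."""
import base64
import math
import re

PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)

def pem_blocks(text):
    """Yield (label, headers, der) per block; RFC 1421 headers come off first."""
    for m in PEM_RE.finditer(text):
        label, lines, headers = m.group(1), m.group(2).splitlines(), {}
        while lines and ":" in lines[0]:            # e.g. Proc-Type / DEK-Info
            key, value = lines[0].split(":", 1)
            headers[key.strip()] = value.strip()
            lines.pop(0)
        yield label, headers, base64.b64decode("".join(l.strip() for l in lines))

def der_tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, first = buf[pos], buf[pos + 1]
    pos, length = pos + 2, first
    if first & 0x80:                                # long-form length
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("DER length runs past end of data")
    return tag, buf[pos:pos + length], pos + length

def der_sequence(der):
    """Return the (tag, value) elements of a top-level DER SEQUENCE."""
    tag, body, end = der_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single DER SEQUENCE")
    items, pos = [], 0
    while pos < len(body):
        t, v, pos = der_tlv(body, pos)
        items.append((t, v))
    return items

def parse_pkcs1_private_key(der):
    """Fields of an RFC 3447 RSAPrivateKey (version 0 + 8 INTEGERs), or None."""
    try:
        items = der_sequence(der)
    except (ValueError, IndexError):
        return None
    if len(items) < 9 or any(t != 0x02 for t, _ in items[:9]):
        return None
    ints = [int.from_bytes(v, "big", signed=True) for _, v in items[:9]]
    if ints[0] != 0:
        return None
    return dict(zip(["version", "n", "e", "d", "p", "q", "dP", "dQ", "qInv"], ints))

def rsa_key_consistent(k):
    """Arithmetic check of the CRT fields; catches a corrupted or edited key."""
    lam = (k["p"] - 1) * (k["q"] - 1) // math.gcd(k["p"] - 1, k["q"] - 1)
    return (k["p"] * k["q"] == k["n"] and k["e"] * k["d"] % lam == 1
            and k["dP"] == k["d"] % (k["p"] - 1) and k["dQ"] == k["d"] % (k["q"] - 1)
            and k["q"] * k["qInv"] % k["p"] == 1)

def classify(label, headers, der):
    """Name a block's type from the ipsec.secrets loader's point of view."""
    if label == "RSA PRIVATE KEY":
        if "ENCRYPTED" in headers.get("Proc-Type", ""):
            return "pkcs1-encrypted"        # what the passphrase in ipsec.secrets unlocks
        key = parse_pkcs1_private_key(der)
        if key is None:
            return "pkcs1-malformed"
        return "pkcs1" if rsa_key_consistent(key) else "pkcs1-inconsistent"
    return {"PRIVATE KEY": "pkcs8", "ENCRYPTED PRIVATE KEY": "pkcs8-encrypted",
            "CERTIFICATE REQUEST": "csr", "NEW CERTIFICATE REQUEST": "csr",
            "CERTIFICATE": "certificate"}.get(label, "unknown")

def inspect_pem(text):
    """Return [(label, kind), ...] for every PEM block in text."""
    return [(label, classify(label, h, der)) for label, h, der in pem_blocks(text)]

def der_int(n):
    body = n.to_bytes((n.bit_length() + 8) // 8, "big")   # spare byte keeps it positive
    return b"\x02" + bytes([len(body)]) + body             # short-form length suffices here

def toy_pkcs1_pem(e=17):
    """Constructed RSAPrivateKey with the textbook n = 3233 = 61 * 53, d = 2753;
    a parser exercise, useless as a key.  A wrong e fails the arithmetic check."""
    body = b"".join(der_int(x) for x in [0, 3233, e, 2753, 61, 53, 53, 49, 38])
    b64 = base64.b64encode(b"\x30" + bytes([len(body)]) + body).decode()
    return "-----BEGIN RSA PRIVATE KEY-----\n%s\n-----END RSA PRIVATE KEY-----\n" % b64

# Constructed file bundling a CSR with a passphrase-encrypted key; bodies are filler.
SAMPLE_MIXED = """-----BEGIN CERTIFICATE REQUEST-----
MIIBAAIBAA==
-----END CERTIFICATE REQUEST-----
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,0123456789ABCDEF

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
-----END RSA PRIVATE KEY-----
"""
```

Feed inspect_pem() the contents of the file named in ipsec.secrets and you get a list such as [("CERTIFICATE REQUEST", "csr"), ("RSA PRIVATE KEY", "pkcs1-encrypted")]. If no block at all comes back as pkcs1 or pkcs1-encrypted, the private key is simply not in that file, and converting what is there will not help. The check is structural and arithmetic only: it does not decrypt an encrypted block, and it cannot tell you which DEK-Info ciphers a particular Openswan build is able to decrypt, so an encrypted key that still fails to load is worth checking against that version's documentation.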

