[Openswan Users] [Openswan dev] X.509 in openswan

Christian Brechbühler brechbuehler at gmail.com
Thu Nov 16 13:56:00 EST 2006


On 11/14/06, AntZ <antzcn at gmail.com> wrote:
>
> $ ipsec auto --listall
> 000
> 000 List of Public Keys:
> 000
> 000 Nov 15 03:40:28 2006, 1024 RSA Key AwEAAb9RN, until Dec 15 02:15:46 2006 ok
> 000        ID_DER_ASN1_DN 'C=cn, ST=hb, L=wh, O=tc, OU=ip, CN=ll, E=antzcn at gmail.com'
> 000        Issuer 'C=cn, ST=hb, L=wh, O=tc, OU=ip, CN=ll, E=antzcn at gmail.com'
> 000
> 000 List of X.509 End Certificates:
> 000
> 000 Nov 15 03:40:28 2006, count: 1
> 000        subject: 'C=cn, ST=hb, L=wh, O=tc, OU=ip, CN=ll, E=antzcn at gmail.com'
> 000        issuer:  'C=cn, ST=hb, L=wh, O=tc, OU=ip, CN=ll, E=antzcn at gmail.com'
> 000        serial:   00:80:03:c8:30:c2:21:b0:d2
> 000        pubkey:   1024 RSA Key AwEAAb9RN, has private key
> 000        validity: not before Nov 15 02:15:46 2006 ok
> 000                  not after  Dec 15 02:15:46 2006 warning (expires in 29 days)
> 000        subjkey:  46:5d:13:73:60:a7:52:b0:f3:72:00:f2:83:7a:d8:ed:a8:1d:71:ef
> 000        authkey:  46:5d:13:73:60:a7:52:b0:f3:72:00:f2:83:7a:d8:ed:a8:1d:71:ef
> 000        aserial:  00:80:03:c8:30:c2:21:b0:d2
> 000 Nov 15 03:40:28 2006, count: 1
> 000        subject: 'C=cn, ST=hb, L=wh, O=tc, OU=ip, CN=ll, E=antzcn at gmail.com'
> 000        issuer:  'C=cn, ST=hb, L=wh, O=tc, OU=ip, CN=ll, E=antzcn at gmail.com'
> 000        serial:   00:c3:10:5e:23:76:d2:fa:72
> 000        pubkey:   1024 RSA Key AwEAAdqR/
> 000        validity: not before Nov 15 02:16:32 2006 ok
> 000                  not after  Dec 15 02:16:32 2006 warning (expires in 29 days)
> 000        subjkey:  f1:94:40:14:48:4f:de:c0:1b:8c:11:0e:85:a9:45:4d:b9:fa:a9:d4
> 000        authkey:  f1:94:40:14:48:4f:de:c0:1b:8c:11:0e:85:a9:45:4d:b9:fa:a9:d4
> 000        aserial:  00:c3:10:5e:23:76:d2:fa:72


Several things seem unusual to me:

   - You have more than one end certificate.  That's probably OK, and may
   be desirable in some situations.  But it is not necessary.
   - Both end certificates specify exactly the same subject (you).  I
   think that will cause trouble.  At a minimum, openswan might pick the wrong
   one (AwEAAdqR/, for which you don't have the private key).  I suspect a
   mistake.  Entities should always differ in at least one attribute (C, ST, L,
   O, OU, CN, or E).  I use ONE end certificate (different on each peer).
   - You have no CA certificates.  Put the certificate of your CA onto
   each peer.  This is the same across all machines.  None of them must have
   its key -- keep the certificate on a separate host, if you can.
   - (Consequence:)  The end certificates are both self-signed --
   specifically, aserial == serial.  You should sign all end certificates by
   your CA.

For a successful VPN connection, authentication is granted based on the fact
that the peer presents a host certificate that is signed by a CA that we
know.  To keep your life simple, just use one CA.

Good luck!

/Christian
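The setup the reply recommends (one CA, one end certificate per peer with a distinct DN, each signed by the CA, the CA's private key kept off the peers), as an added example that is not part of the original thread or of openswan itself: a POSIX shell script that builds such a PKI with openssl in a scratch directory and then checks each peer certificate for the properties the --listall output above makes visible, namely that issuer differs from subject (so aserial differs from serial), that the certificate chains to the CA, and that the peer holds the matching private key. The scratch directory, file names, CA name and peer CNs are assumptions for the example; the conn snippet uses openswan's leftcert/rightca options and assumes the files were copied into the usual /etc/ipsec.d/cacerts, certs and private directories.

```shell
#!/bin/sh
# Added example (not from the original thread): build the PKI the reply
# recommends with openssl, then check each peer certificate the way the
# "ipsec auto --listall" output above can be read.  Directory and file
# names below are assumptions for the example.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # scratch directory (assumed)

# make_ca DIR: one self-signed CA.  Its private key (cakey.pem) is the
# only thing that must stay off the VPN peers; cacert.pem goes to all.
make_ca() {
  mkdir -p "$1"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/C=cn/ST=hb/L=wh/O=tc/OU=ip/CN=tc VPN CA" \
    -keyout "$1/cakey.pem" -out "$1/cacert.pem" 2>/dev/null
}

# make_peer DIR NAME: key and CSR for one peer with its own CN, then a
# certificate signed by the CA (so issuer != subject, aserial != serial).
make_peer() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/C=cn/ST=hb/L=wh/O=tc/OU=ip/CN=$2" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
  openssl x509 -req -in "$1/$2.csr" -sha256 -days 365 \
    -CA "$1/cacert.pem" -CAkey "$1/cakey.pem" -CAcreateserial \
    -out "$1/$2.pem" 2>/dev/null
}

# subject_of CERT / issuer_of CERT: the DN with openssl's prefix stripped
subject_of() { s=$(openssl x509 -in "$1" -noout -subject); echo "${s#subject=}"; }
issuer_of()  { i=$(openssl x509 -in "$1" -noout -issuer);  echo "${i#issuer=}"; }

# is_self_signed CERT: true when issuer DN equals subject DN, which is
# the situation the reply flags for both end certificates
is_self_signed() { [ "$(subject_of "$1")" = "$(issuer_of "$1")" ]; }

# chains_to CA CERT: true when CERT verifies against CA alone
chains_to() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# key_matches CERT KEY: true when KEY's public half is the one in CERT
# (the "has private key" condition openswan needs for its own cert)
key_matches() {
  c=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
  k=$(openssl pkey -in "$2" -pubout | openssl sha256)
  [ "$c" = "$k" ]
}

# check_peer CA CERT KEY: all three properties at once
check_peer() {
  ! is_self_signed "$2" && chains_to "$1" "$2" && key_matches "$2" "$3"
}

# conn_snippet NAME PEER: openswan conn lines for this peer, assuming the
# files were copied into /etc/ipsec.d/cacerts, certs and private
conn_snippet() {
  cat <<EOF
conn $1-$2
    authby=rsasig
    leftcert=$1.pem
    leftrsasigkey=%cert
    rightrsasigkey=%cert
    rightca=%same
EOF
}

main() {
  make_ca "$WORK"
  make_peer "$WORK" left
  make_peer "$WORK" right
  for p in left right; do
    if check_peer "$WORK/cacert.pem" "$WORK/$p.pem" "$WORK/$p.key"; then
      echo "$p: signed by CA, not self-signed, private key matches"
    else
      echo "$p: FAILED one of the checks"; exit 1
    fi
  done
  # the two peers must not share a subject DN
  [ "$(subject_of "$WORK/left.pem")" != "$(subject_of "$WORK/right.pem")" ]
  conn_snippet left right
}
main
```

Run it with openssl installed; each peer then gets its own .pem and .key, and every peer plus the separate CA host gets cacert.pem only. In the --listall output this shows up as a populated "List of X.509 CA Certificates" section and end certificates whose issuer and aserial are the CA's, not their own.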