[Openswan Users] PSK works, certificates not
Arno Lehmann
al at its-lehmann.de
Tue Jul 17 05:55:00 EDT 2007
Hi,
and thanks for your hints. But...
17.07.2007 09:55, D h @ v @ l wrote:
>
> Arno Lehmann <al at its-lehmann.de> wrote:
...
>
> >I created a connection in ipsec.conf like this:
>
> >config setup
> >interfaces="ipsec0=eth2 ipsec1=eth1 ipsec2=eth0"
> >klipsdebug=
> >plutodebug=
> >manualstart=
> >syslog=
> >plutowait=yes
> >nhelpers=0
> >#
>
> Just disable klipsdebug, plutodebug, manualstart and syslog, or give
> them the options yes or no, but do not leave them blank.
Ok, I did that, though the above didn't produce any unexpected behaviour.
...
> Here you have to specify
> leftrsasigkey=%cert
> leftsubnet=192.168.0.0/24
The setup now looks like this:

version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
    interfaces="ipsec0=eth2 ipsec1=eth1 ipsec2=eth0"
    # klipsdebug=
    # plutodebug=
    # manualstart=
    # syslog=
    plutowait=yes
    nhelpers=0
    #
    virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.0.0/24,%v4:!192.168.37.0/24
    # nat_traversal=yes

conn intern-cert
    # was %default
    pfs=no
    authby=rsasig
    rightrsasigkey=%cert
    leftcert=ITS-VPN.pem
    left=192.168.0.22
    leftrsasigkey=%cert
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/1701
    rightsubnet=vhost:%no,%priv
    rightca=%same
    auto=add
...
> >I copied the server-related files to the vpn gateway
> >(/etc/ipsec.d/certs, .../cacerts, .../private - certificate, CA
> >certificate, private key for certificate, respectively) and restarted
> >the ipsec subsystem.
>
> >When I keep the gateway certificate protected by a password, and have
> >a line like ": RSA "password" in ipsec.secrets, I get these
> >messages:
>
> You have to specify this thing in the ipsec.secrets file:
> : RSA ITS-VPN.key "password"
> This ITS-VPN.key is the key file which is copied to the private folder.
> This solves that key-not-found problem.
True... that at least worked. (Quite stupid of me... I actually left
out the file name :-)
...
> Just to make the certificate, refer to the
> http://www.natecarlson.com/linux/ipsec-x509.php guide. Also make a crl.pem
> file. Then follow
> http://www.jacco2.dds.nl/networking/vista-openswan.html to go ahead.
Hmm... I'd really prefer doing that through tinyCA, and I'm not sure
that tinyCA does anything different. Except I get a more friendly user
interface :-)
Anyway, I'm still stuck with the same messages with the modified setup.
But I set plutodebug=all and found something interesting...
A few steps into the conversation, I get the following messages:
(shortened for better readability)
> Jul 17 11:25:42 balrog pluto[20631]: | started looking for secret for C=DE, L=...->192.168.0.88 of kind PPK_PSK
> Jul 17 11:25:42 balrog pluto[20631]: | instantiating him to 0.0.0.0
> Jul 17 11:25:42 balrog pluto[20631]: | actually looking for secret for C=DE, L=...->0.0.0.0 of kind PPK_PSK
> Jul 17 11:25:42 balrog pluto[20631]: | 1: compared PSK 0.0.0.0 to C=DE, L=... / 192.168.0.88 -> 2
> Jul 17 11:25:42 balrog pluto[20631]: | 2: compared PSK 192.168.37.1 to C=DE, L=... / 192.168.0.88 -> 2
> Jul 17 11:25:42 balrog pluto[20631]: | 1: compared PSK 0.0.0.0 to C=DE, L=... / 192.168.0.88 -> 2
> Jul 17 11:25:42 balrog pluto[20631]: | 2: compared PSK 192.168.0.22 to C=DE, L=... / 192.168.0.88 -> 2
> Jul 17 11:25:42 balrog pluto[20631]: | concluding with best_match=0 best=(nil) (lineno=-1)
Do I read this correctly, that pluto does *NOT* find a secret for its own
certificate?
From the README.x509 file, I concluded that I would not need a
leftid= line in ipsec.conf because the DNs would be used for matching.
And these are identical, I double-checked that the lines quoted above
have the same DN text in them.
Regards,
Arno
--
Arno Lehmann
IT-Service Lehmann
www.its-lehmann.de
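Added example, not part of the original mail and not Openswan's own code: a small offline checker for the three things this thread turns on, namely the settings an authby=rsasig conn needs in ipsec.conf, the shape of the RSA entry in ipsec.secrets (the key file must be named, not only the passphrase), and what pluto's "looking for secret ... of kind ..." / "concluding with best_match=..." debug lines say about the secret lookup. The conn and the pluto lines are taken from the text of the mail; the ipsec.secrets lines, the key file name ITS-VPN.key and the passphrase are constructed to match it. The cross-check in run_checks (that a PPK_PSK lookup means pluto is authenticating that exchange with a pre-shared key rather than the RSA key behind the certificate) is my reading of the log, flagged in the code as an assumption to verify against the pluto source.

```python
"""Added example (mine, not the mail's or Openswan's): offline checks for the cert-auth
pieces in this thread: the rsasig conn in ipsec.conf, the RSA entry in ipsec.secrets and
pluto's secret lookup in its debug output. Constructed inputs: the ipsec.secrets lines,
the key file name ITS-VPN.key and the passphrase; the rest is taken from the mail text."""
import re

# conn as posted in the mail; ipsec.secrets as first written (no key file) and as corrected;
# pluto debug lines as quoted in the mail, with the syslog prefix shortened
IPSEC_CONF = """\
conn intern-cert
    pfs=no
    authby=rsasig
    leftcert=ITS-VPN.pem
    left=192.168.0.22
    leftrsasigkey=%cert
    leftprotoport=17/1701
    right=%any
    rightrsasigkey=%cert
    rightprotoport=17/1701
    rightsubnet=vhost:%no,%priv
    rightca=%same
    auto=add
"""
SECRETS_BROKEN = ': RSA "password"\n'
SECRETS_FIXED = ': RSA ITS-VPN.key "password"\n'
PLUTO_LOG = """\
pluto[20631]: | started looking for secret for C=DE, L=...->192.168.0.88 of kind PPK_PSK
pluto[20631]: | 1: compared PSK 0.0.0.0 to C=DE, L=... / 192.168.0.88 -> 2
pluto[20631]: | concluding with best_match=0 best=(nil) (lineno=-1)
"""

SECTION_RE = re.compile(r"^(conn|config)\s+(\S+)$")
def parse_ipsec_conf(text):
    """Map 'conn NAME' / 'config setup' to their key=value pairs; '#' comments dropped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = SECTION_RE.match(line)
        if m:
            current = "%s %s" % m.groups()
            sections[current] = {}
        elif "=" in line and current is not None:
            key, val = line.split("=", 1)
            sections[current][key.strip()] = val.strip().strip('"')
    return sections

RSASIG_KEYS = ("leftcert", "leftrsasigkey", "rightrsasigkey")  # what the thread settled on
def check_conn(name, conn, defaults):
    """Findings for one conn after merging 'conn %default' under it; other authby values skipped."""
    merged = {**defaults, **conn}
    if merged.get("authby") != "rsasig":
        return []
    return ["%s: authby=rsasig but %s is not set" % (name, k) for k in RSASIG_KEYS if k not in merged]

# '<selectors> : RSA <keyfile> "passphrase"'  or  '<selectors> : PSK "secret"'
SECRET_RE = re.compile(r'^[^:]*:\s*(?P<kind>RSA|PSK)\s*(?P<rest>.*)$')
def check_secrets(text):
    """Return (entry kinds, findings). Naive about '#' inside quoted strings."""
    kinds, findings = [], []
    for n, raw in enumerate(text.splitlines(), 1):
        m = SECRET_RE.match(raw.split("#", 1)[0].strip())
        if not m:
            continue  # blank, comment-only or not an RSA/PSK entry
        kinds.append(m.group("kind"))
        rest = m.group("rest")
        # an RSA entry starts with the key file (or an inline '{' key block);
        # a leading quote means only the passphrase was given, as in the mail
        if m.group("kind") == "RSA" and (not rest or rest.startswith('"')):
            findings.append('line %d: RSA entry names no key file; expected : RSA <keyfile> "passphrase"' % n)
    return kinds, findings

LOOKUP_RE = re.compile(r"looking for secret for .+? of kind (PPK_\w+)")
RESULT_RE = re.compile(r"concluding with best_match=\d+ best=(\S+)")
def summarise_secret_lookup(log):
    """(secret kind, found?) for the last secret lookup in pluto debug output, or None."""
    kind, found = None, None
    for line in log.splitlines():
        m = LOOKUP_RE.search(line)
        if m:
            kind, found = m.group(1), None
        m = RESULT_RE.search(line)
        if m and kind is not None:
            found = m.group(1) != "(nil)"  # best=(nil): no secret matched
    return None if kind is None else (kind, found)

def run_checks(conf_text, secrets_text, log_text):
    """All three checks in one dict; 'notes' cross-checks the conf against the log."""
    sections = parse_ipsec_conf(conf_text)
    defaults = sections.get("conn %default", {})
    conf = [f for n, c in sections.items() if n.startswith("conn ") and n != "conn %default"
            for f in check_conn(n[5:], c, defaults)]
    kinds, secrets = check_secrets(secrets_text)
    lookup = summarise_secret_lookup(log_text)
    # assumption to verify against the pluto source: a PPK_PSK lookup means the exchange
    # being authenticated uses a pre-shared key, not the RSA key behind the certificate
    psk_lookup = lookup is not None and lookup[0] == "PPK_PSK"
    rsasig_conn = any(c.get("authby") == "rsasig" for c in sections.values())
    notes = ["pluto looked for a PSK although an rsasig conn is defined; check which "
             "auth method the peer actually negotiated"] if psk_lookup and rsasig_conn else []
    return {"conf": conf, "secrets": secrets, "kinds": kinds, "lookup": lookup, "notes": notes}
```

Running run_checks(IPSEC_CONF, SECRETS_BROKEN, PLUTO_LOG) reports the missing key file in ipsec.secrets and the PSK-versus-rsasig mismatch; with SECRETS_FIXED only the mismatch note remains, which is the question the log lines leave open. The parser merges "conn %default" into every conn before checking, since settings moved out of %default (as the "# was %default" comment in the mail suggests) are an easy place to lose leftcert or a rsasigkey line.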