[Openswan Users] Openswan and V-IPSecure

JT Edwards tstrike34 at gmail.com
Fri Sep 11 17:06:42 EDT 2009


Hey Paul,

Let me just understand so I can make absolutely sure I am following the 
precise process for certificates:

1. Create private key
2. Create Certificate Authority for self signing.
3. Take the CSR from V-IPSecure and make a Self Signed Cert out of it.
4. Load Self Signed cert to both V-IPSecure and Openswan (call this 
ait2tordem.pem)
5. Load the private key in /etc/ipsec.d/private (V-IPSecure doesn't require 
a private key upload per se, it just asks for the Trusted and Self Signed 
Certificate to be uploaded).
6. Update ipsec.conf and ipsec.secrets as appropriate.

I just want to make sure I am not doing something boneheaded on my end. I 
would think by now I would have this up and running ..... I have read tons 
of READMEs and a lot of the postings on the list.

Best Regards,
JT

JT Edwards
Senior Solutions Architect (Automation and Service Management)
IBM Tivoli Certified
Direct: 281-226-0284
Direct: 512-772-3266
Follow Me: 1866-866-4391 ext 1
AIM tstrike34
GoogleTalk tstrike34 at gmail.com

--------------------------------------------------
From: "JT Edwards" <tstrike34 at gmail.com>
Sent: Friday, September 11, 2009 3:51 PM
To: "Paul Wouters" <paul at xelerance.com>
Cc: <users at openswan.org>
Subject: Re: [Openswan Users] Openswan and V-IPSecure

> Paul,
>
> No success.... Here is the latest:
>
> ipsec.secrets (no password)
>
> : RSA /etc/ipsec.d/private/ca_key.pem
>
>
> -bash-3.2# ipsec auto --listall
> 000
> 000 List of Public Keys:
> 000
> 000 Sep 11 14:49:00 2009, 2048 RSA Key AwEAAdRjy (no private key), until 
> Nov 20 11:00:01 2011 ok
> 000        ID_DER_ASN1_DN 'C=US, ST=TX, L=Austin, O=AutomaticIT, 
> OU=Executive'
> 000        Issuer 'C=US, ST=TX, L=Austin, O=AutomaticIT, OU=Executive, 
> CN=AIT, E=jt.edwards at automaticit.com'
> 000 List of Pre-shared secrets (from /etc/ipsec.secrets)
> 000     1: RSA (none) (none)
> 000
> 000 List of X.509 End Certificates:
> 000
> 000 Sep 11 14:49:00 2009, count: 1
> 000        subject: 'C=US, ST=TX, L=Austin, O=AutomaticIT, OU=Executive'
> 000        issuer:  'C=US, ST=TX, L=Austin, O=AutomaticIT, OU=Executive, 
> CN=AIT, E=jt.edwards at automaticit.com'
> 000        serial:   00:e9:97:94:7d:7f:75:2f:5a
> 000        pubkey:   2048 RSA Key AwEAAdRjy
> 000        validity: not before Sep 11 12:00:01 2009 ok
> 000                  not after  Nov 20 11:00:01 2011 ok
> 000
> 000 List of X.509 CA Certificates:
> 000
> 000 Sep 11 14:49:00 2009, count: 1
> 000        subject: 'C=US, ST=TX, L=Austin, O=AutomaticIT, OU=Executive, 
> CN=AIT, E=jt.edwards at automaticit.com'
> 000        issuer:  'C=US, ST=TX, L=Austin, O=AutomaticIT, OU=Executive, 
> CN=AIT, E=jt.edwards at automaticit.com'
> 000        serial:   00:8a:66:2f:7d:43:a3:a1:cc
> 000        pubkey:   2048 RSA Key AwEAAc3GG, has private key
> 000        validity: not before Sep 11 11:47:44 2009 ok
> 000                  not after  Nov 20 10:47:44 2011 ok
> 000        subjkey: 
> ee:4d:cc:22:d7:5a:ff:61:f7:94:aa:1d:bb:2c:5c:76:db:fb:a9:21
> 000        authkey: 
> ee:4d:cc:22:d7:5a:ff:61:f7:94:aa:1d:bb:2c:5c:76:db:fb:a9:21
> 000        aserial:  00:8a:66:2f:7d:43:a3:a1:cc
> 000
> 000 List of X.509 CRLs:
> 000
> 000 Sep 11 14:49:00 2009, revoked certs: 0
> 000        issuer:  'C=US, ST=TX, L=Austin, O=AutomaticIT, OU=Executive, 
> CN=AIT, E=jt.edwards at automaticit.com'
> 000        updates:  this Sep 11 13:57:38 2009
> 000                  next Oct 11 13:57:38 2009 ok
>
> JT Edwards
> Senior Solutions Architect (Automation and Service Management)
> IBM Tivoli Certified
> Direct: 281-226-0284
> Direct: 512-772-3266
> Follow Me: 1866-866-4391 ext 1
> AIM tstrike34
> GoogleTalk tstrike34 at gmail.com
>
> --------------------------------------------------
> From: "Paul Wouters" <paul at xelerance.com>
> Sent: Friday, September 11, 2009 3:38 PM
> To: "JT Edwards" <tstrike34 at gmail.com>
> Cc: <users at openswan.org>
> Subject: Re: [Openswan Users] Openswan and V-IPSecure
>
>> On Fri, 11 Sep 2009, JT Edwards wrote:
>>
>>> Sep 11 14:20:04 whiskers pluto[31676]: "ait-torden" #2: Main mode peer 
>>> ID is ID_DER_ASN1_DN: 'C=US, ST=TX, L=Austin, O=AutomaticIT, 
>>> OU=Executive'
>>> Sep 11 14:20:04 whiskers pluto[31676]: "ait-torden" #2: no suitable 
>>> connection for peer 'C=US, ST=TX, L=Austin, O=AutomaticIT, OU=Executive'
>>
>>> conn ait-torden
>>>       auto=start
>>>       authby=rsasig
>>>       rekey=no
>>>       type=tunnel
>>>       left=22.123.34.56
>>>       leftcert=/etc/ipsec.d//certs/ait2torden.pem
>>>       leftrsasigkey=/etc/ipsec.d/private/ca_key.pem
>>
>> Either use leftcert= or leftrsasigkey=, not both. In this case you want 
>> leftcert.
>>
>>>       leftsendcert=always
>>>       leftid="C=US/ST=TX/L=Austin/O=AutomaticIT/OU=Executive"
>>>       right=12.234.22.224
>>>       # rightid="C=US/ST=TX/L=Austin/O=AutomaticIT/OU=Executive"
>>>       rightrsasigkey=/etc/ipsec.d/private/ca_key.pem
>>
>> leave out rightrsasigkey=
>> add:
>>  rightca=%same
>>
>> left/rightrsasigkey is for raw RSA keys. left/rightcert= is for RSA in 
>> X.509 certs.
>>
>> Paul
> 
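The status listing quoted above is the most useful artifact in this thread: the end certificate's key (AwEAAdRjy) is shown with "(no private key)" while the CA's key (AwEAAc3GG) "has private key", and the "no suitable connection for peer" error is about the peer's DN matching a conn's id. The following is an added example, not code from the Openswan project or from anyone in the thread. It parses the "List of X.509 End Certificates" and "List of X.509 CA Certificates" sections of `ipsec auto --listall` output (the sample below is the thread's listing with wrapped lines rejoined) and reports two things to confirm before touching ipsec.conf: that every end certificate has a loaded private key, and that its issuer is one of the loaded CA certificates. It also includes a small DN comparison that treats the `/`-separated form used in `leftid=` and the comma-separated form printed by pluto as equivalent; all function names are my own.

```python
"""Sanity checks over `ipsec auto --listall` output for an Openswan X.509 setup.

Added example (not Openswan code). Assumes the listing format shown in the
thread: sections start with "000 List of ...:", each certificate entry starts
with a "..., count: N" line and is followed by subject/issuer/serial/pubkey.
"""
import re

# Constructed sample: the listing posted in the thread, wrapped lines rejoined.
SAMPLE_LISTALL = """\
000
000 List of Public Keys:
000
000 Sep 11 14:49:00 2009, 2048 RSA Key AwEAAdRjy (no private key), until Nov 20 11:00:01 2011 ok
000        ID_DER_ASN1_DN 'C=US, ST=TX, L=Austin, O=AutomaticIT, OU=Executive'
000        Issuer 'C=US, ST=TX, L=Austin, O=AutomaticIT, OU=Executive, CN=AIT, E=jt.edwards at automaticit.com'
000 List of Pre-shared secrets (from /etc/ipsec.secrets)
000     1: RSA (none) (none)
000
000 List of X.509 End Certificates:
000
000 Sep 11 14:49:00 2009, count: 1
000        subject: 'C=US, ST=TX, L=Austin, O=AutomaticIT, OU=Executive'
000        issuer:  'C=US, ST=TX, L=Austin, O=AutomaticIT, OU=Executive, CN=AIT, E=jt.edwards at automaticit.com'
000        serial:   00:e9:97:94:7d:7f:75:2f:5a
000        pubkey:   2048 RSA Key AwEAAdRjy
000        validity: not before Sep 11 12:00:01 2009 ok
000                  not after  Nov 20 11:00:01 2011 ok
000
000 List of X.509 CA Certificates:
000
000 Sep 11 14:49:00 2009, count: 1
000        subject: 'C=US, ST=TX, L=Austin, O=AutomaticIT, OU=Executive, CN=AIT, E=jt.edwards at automaticit.com'
000        issuer:  'C=US, ST=TX, L=Austin, O=AutomaticIT, OU=Executive, CN=AIT, E=jt.edwards at automaticit.com'
000        serial:   00:8a:66:2f:7d:43:a3:a1:cc
000        pubkey:   2048 RSA Key AwEAAc3GG, has private key
000        validity: not before Sep 11 11:47:44 2009 ok
000                  not after  Nov 20 10:47:44 2011 ok
000
000 List of X.509 CRLs:
000
000 Sep 11 14:49:00 2009, revoked certs: 0
000        issuer:  'C=US, ST=TX, L=Austin, O=AutomaticIT, OU=Executive, CN=AIT, E=jt.edwards at automaticit.com'
"""

SECTION_RE = re.compile(r"^000 List of (.+):$")
FIELD_RE = re.compile(r"^000\s+(subject|issuer|serial|pubkey):\s+(.*)$")


def parse_listall(text):
    """Return {section_name: [ {field: value, ...}, ... ]} for the listing."""
    sections = {}
    current = None
    entry = None
    for raw in text.splitlines():
        line = raw.rstrip()
        m = SECTION_RE.match(line)
        if m:                       # "000 List of X.509 End Certificates:"
            current = m.group(1)
            sections[current] = []
            entry = None
            continue
        if current is None:
            continue
        if ", count:" in line:      # load-time line that opens a certificate entry
            entry = {}
            sections[current].append(entry)
            continue
        m = FIELD_RE.match(line)
        if m and entry is not None:
            entry[m.group(1)] = m.group(2).strip().strip("'")
    return sections


def split_dn(dn):
    """Normalise 'C=US, ST=TX, ...' (pluto) and 'C=US/ST=TX/...' (ipsec.conf)."""
    parts = re.split(r"\s*[,/]\s*", dn.strip().strip("'\""))
    return tuple(p for p in parts if p)


def dn_equal(a, b):
    """True when two DNs carry the same attribute=value sequence."""
    return split_dn(a) == split_dn(b)


def check_end_certs(sections):
    """Return (subject, problem) pairs for each end cert; empty means all good."""
    problems = []
    cas = sections.get("X.509 CA Certificates", [])
    for cert in sections.get("X.509 End Certificates", []):
        subj = cert.get("subject", "?")
        # "has private key" only appears when a key from ipsec.secrets matched.
        if "has private key" not in cert.get("pubkey", ""):
            problems.append((subj, "no private key loaded for this end certificate; "
                                   "ipsec.secrets must reference the key matching it"))
        if not any(dn_equal(cert.get("issuer", ""), ca.get("subject", "")) for ca in cas):
            problems.append((subj, "issuer is not among the loaded CA certificates"))
    return problems


if __name__ == "__main__":
    found = check_end_certs(parse_listall(SAMPLE_LISTALL))
    for subject, problem in found:
        print(f"{subject}: {problem}")
    print("leftid matches cert subject:",
          dn_equal("C=US/ST=TX/L=Austin/O=AutomaticIT/OU=Executive",
                   "C=US, ST=TX, L=Austin, O=AutomaticIT, OU=Executive"))
```

Run against the sample, it reports exactly one problem: the end certificate has no private key loaded, while its issuer does chain to the loaded CA. That is consistent with an ipsec.secrets line pointing at the CA's key file rather than the key belonging to the end certificate named in `leftcert=`. To use it on a live host, feed it the output of `ipsec auto --listall` instead of the constructed sample.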

