[Openswan Users] Fwd: IPsec configuration
Ana
kentdavies at gmail.com
Sun Nov 17 11:00:52 UTC 2013
Hi everybody. Hello again.
Following my last cry for help, here I am again with some IPsec problems.
After managing to get IPsec running using secrets, I'm now trying (without
success) to accomplish the same but now using X.509 certificates.
Just as a reminder, I'm running two virtual machines with CentOS that
simulate the network depicted in the picture below.
[image: Inline image 1]
I want to create an IPsec tunnel between machine A and machine B. The keys
should be negotiated using IKE and the tunnel should enable total
connectivity between the two machines. My goal is to achieve this using
x.509 certificates.
My machine A will act as a gateway and as a Certificate Authority.
The first step was to create my CA and two certificates, one for machine A
and one for machine B. So, on machine A I've run these commands:
1) Create the CA:
openssl genrsa -des3 -out cakey.key 1024
openssl req -new -key cakey.key -out cacsr.csr
openssl x509 -req -days 365 -in cacsr.csr -out cacert.crt -signkey cakey.key
2) For each machine, create a certificate signed using the CA created above:
openssl genrsa -des3 -out gwonekey.key 1024
openssl req -new -key gwonekey.key -out gwonecsr.csr
openssl ca -in gwonecsr.csr -cert cacert.crt -keyfile cakey.key -out gwonecert.crt
openssl genrsa -des3 -out gwtwokey.key 1024
openssl req -new -key gwtwokey.key -out gwtwocsr.csr
openssl ca -in gwtwocsr.csr -cert cacert.crt -keyfile cakey.key -out gwtwocert.crt
3) I've also created a Certificate Revocation List:
echo 01 > /etc/pki/CA/crlnumber
openssl ca -gencrl -keyfile cakey.key -cert cacert.crt -out crl.pem
On machine A I've done this:
mkdir /etc/ipsec.d/private
mkdir /etc/ipsec.d/certs
mkdir /etc/ipsec.d/cacerts
mkdir /etc/ipsec.d/crls
cp gwonekey.key /etc/ipsec.d/private
cp gwonecert.crt /etc/ipsec.d/certs
cp cacert.crt /etc/ipsec.d/cacerts
cp crl.pem /etc/ipsec.d/crls
And on Machine B after copying the files:
mkdir /etc/ipsec.d/private
mkdir /etc/ipsec.d/certs
mkdir /etc/ipsec.d/cacerts
mkdir /etc/ipsec.d/crls
cp gwtwokey.key /etc/ipsec.d/private
cp gwonecert.crt /etc/ipsec.d/certs
cp gwtwocert.crt /etc/ipsec.d/certs
cp cacert.crt /etc/ipsec.d/cacerts
I've then edited the *ipsec.secrets* file on both machines:
Machine A:
%any %any : PSK "test"
: RSA gwonecert.crt "test"
Machine B:
%any %any : PSK "test"
: RSA gwonecert.crt "test"
: RSA gwtwocert.crt "test"
The last step was to edit the *ipsec.conf* on those machines:
Machine A:
config setup
protostack=netkey
dumpdir=/var/run/pluto/
nat_traversal=yes
virtual_private=%v4:0.0.0.0/0,%v6:fd00::/8,%v6:fe80::/10,%v4:!10.1.1.0/24
#conn gw-to-gw
# authby=secret
# left=192.168.1.1
# leftsubnet=10.1.1.0/24
# right=192.168.1.2
# rightsubnet=10.1.2.0/24
# auto=start
# type=tunnel
conn cert
authby=rsasig
leftrsasigkey=%cert
leftcert=gwonecert.crt
left=192.168.1.1
leftsubnet=10.1.1.0/24
right=192.168.1.2
rightsubnet=10.1.2.0/24
auto=start
type=tunnel
Machine B:
config setup
protostack=netkey
dumpdir=/var/run/pluto/
nat_traversal=yes
virtual_private=%v4:0.0.0.0/0,%v6:fd00::/8,%v6:fe80::/10,%v4:!10.1.1.0/24
#conn gw-to-gw
# authby=secret
# left=192.168.1.1
# leftsubnet=10.1.1.0/24
# right=192.168.1.2
# rightsubnet=10.1.2.0/24
# auto=start
# type=tunnel
conn cert
authby=rsasig
leftrsasigkey=%cert
rightrsasigkey=%cert
leftcert=gwtwocert.crt
rightcert=gwonecert.crt
left=192.168.1.2
leftsubnet=10.1.2.0/24
right=192.168.1.1
rightsubnet=10.1.1.0/24
auto=start
type=tunnel
I've restarted ipsec on both machines using *service ipsec restart* but
now, after doing *ipsec auto --up cert*, nothing happens. In the terminal I
have to hit Ctrl-C.
Once again, can someone tell me what I am doing wrong?
Many thanks,
Kent Davies
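An added diagnostic script (not part of the post above, and not Openswan's own tooling) that checks the three things an X.509 IPsec setup depends on before the daemon ever negotiates: that the file named as the private key really is a private key (a PEM certificate in that slot fails the first check), that the key matches the certificate's public key, and that the certificate verifies against the CA, optionally with CRL checking. It builds its own throwaway CA and a passphrase-protected leaf key ("test") in a temporary directory; file names and subjects are constructed and not the poster's material.

```shell
#!/bin/sh
# Added example: pre-flight checks for the certificate material an
# Openswan/IPsec X.509 setup loads. Nothing here is the poster's data.

# make_fixture DIR : constructed throwaway CA plus a leaf key/cert signed by it
make_fixture() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Test CA" \
        -keyout "$d/cakey.key" -out "$d/cacert.crt" >/dev/null 2>&1
    # leaf key encrypted with passphrase "test", like a -des3 key would be
    openssl genrsa -aes256 -passout pass:test -out "$d/gwkey.key" 2048 >/dev/null 2>&1
    openssl req -new -key "$d/gwkey.key" -passin pass:test -subj "/CN=gwone.example" \
        -out "$d/gw.csr" >/dev/null 2>&1
    openssl x509 -req -in "$d/gw.csr" -CA "$d/cacert.crt" -CAkey "$d/cakey.key" \
        -CAcreateserial -days 1 -out "$d/gwcert.crt" >/dev/null 2>&1
}

# check_x509 KEY PASS CERT CAFILE [CRLFILE]
# Returns 0 only if KEY is a loadable private key, its public half equals the
# one inside CERT, and CERT chains to CAFILE (revocation-checked when a CRL is given).
check_x509() {
    key=$1 pass=$2 cert=$3 ca=$4
    crlopts=""
    [ $# -ge 5 ] && crlopts="-crl_check -CRLfile $5"
    # 1. the key slot must hold a private key, not a certificate
    openssl pkey -in "$key" -passin "pass:$pass" -noout >/dev/null 2>&1 \
        || { echo "FAIL: $key is not a readable private key"; return 1; }
    # 2. compare SubjectPublicKeyInfo derived from the key with the one in the cert
    kpub=$(openssl pkey -in "$key" -passin "pass:$pass" -pubout 2>/dev/null)
    cpub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    [ -n "$kpub" ] && [ "$kpub" = "$cpub" ] \
        || { echo "FAIL: $key does not match $cert"; return 1; }
    # 3. the leaf must verify against the CA (and not be revoked, if a CRL is supplied)
    # shellcheck disable=SC2086  # word-splitting of $crlopts is intended
    openssl verify $crlopts -CAfile "$ca" "$cert" >/dev/null 2>&1 \
        || { echo "FAIL: $cert does not verify against $ca"; return 1; }
    echo "OK: $key matches $cert and $cert verifies against $ca"
}

# Demo on constructed material: a correct pairing, then a certificate file
# placed in the key slot, which the first check rejects.
demo_dir=$(mktemp -d)
make_fixture "$demo_dir"
check_x509 "$demo_dir/gwkey.key" test "$demo_dir/gwcert.crt" "$demo_dir/cacert.crt"
check_x509 "$demo_dir/gwcert.crt" test "$demo_dir/gwcert.crt" "$demo_dir/cacert.crt" || true
rm -rf "$demo_dir"
```

Run it against the real files under /etc/ipsec.d (key from private/, cert from certs/, CA from cacerts/, CRL from crls/) to confirm the material is consistent before restarting the daemon.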