[Openswan Users] Fwd: IPsec configuration

Ana kentdavies at gmail.com
Mon Nov 18 10:34:59 UTC 2013


Hello.

Thanks for your answer.

All you said is new to me.

I've started by converting all my certs to the pkcs#12 format like this:

openssl pkcs12 -export -clcerts -in cacert.crt -inkey cakey.key -out ca.p12


And then, I've imported them to ipsec.d like this:

[root@mainmachine ipsec.d]# pk12util -i /etc/pki/tls/ca.p12 -d /etc/ipsec.d/
Enter Password or Pin for "NSS Certificate DB":
Enter password for PKCS12 file:
pk12util: no nickname for cert in PKCS12 file.
pk12util: using nickname: www.mysite.com - XPTO
pk12util: PKCS12 IMPORT SUCCESSFUL


And now I'm completely lost :(

Sorry, but what should I do next? I can't seem to find a proper tutorial
explaining these steps.

Thanks,

Kent Davies




On Mon, Nov 18, 2013 at 4:47 AM, Leto <letoams at gmail.com> wrote:

> if using the centos builds, those use nss, so you cannot put private key
> and certs in /etc/ipsec.d/
>
> you need to use ipsec initnss and then ipsec import on the certs in
> pkcs#12 format. see README.NSS
>
> sent from a tiny device
>
> On 2013-11-17, at 6:00, Ana <kentdavies at gmail.com> wrote:
>
> Hi everybody. Hello again.
>
>
> Following my last cry for help, here I am again with some IPsec problems.
>
>
> After managing to get IPsec running using secrets, I'm now trying (without
> success) to accomplish the same but now using X.509 certificates.
>
>
> Just as a reminder, I’m running two virtual machines with CentOS that
> simulate the network depicted in the picture below.
>
> <image.png>
>
>
> I want to create an IPsec tunnel between machine A and machine B. The keys
> should be negotiated using IKE and the tunnel should enable total
> connectivity between the two machines. My goal is to achieve this using
> x.509 certificates.
>
>
> My machine A will act as a gateway and as a Certificate Authority.
>
>
> The first step was to create my CA and two certificates. One for machine
> A and one for machine B. So, on machine A I've run these commands:
>
>  1) Create the CA:
>
> openssl genrsa -des3 -out cakey.key 1024
>
> openssl req -new -key cakey.key -out cacsr.csr
>
> openssl x509 -req -days 365 -in cacsr.csr -out cacert.crt -signkey cakey.key
>
>
> 2) For each machine, create a certificate signed using the CA created
> above:
>
>
> openssl genrsa -des3 -out gwonekey.key 1024
>
> openssl req -new -key gwonekey.key -out gwonecsr.csr
>
> openssl ca -in gwonecsr.csr -cert cacert.crt -keyfile cakey.key -out gwonecert.crt
>
>
> openssl genrsa -des3 -out gwtwokey.key 1024
>
> openssl req -new -key gwtwokey.key -out gwtwocsr.csr
>
> openssl ca -in gwtwocsr.csr -cert cacert.crt -keyfile cakey.key -out gwtwocert.crt
>
>
> 3) I've also created a Certification Revocation list:
>
> echo 01 > /etc/pki/CA/crlnumber
>
> openssl ca -gencrl -keyfile cakey.key -cert cacert.crt -out crl.pem
>
>
> On machine A I've done this:
>
> mkdir /etc/ipsec.d/private
>
> mkdir /etc/ipsec.d/certs
>
> mkdir /etc/ipsec.d/cacerts
>
> mkdir /etc/ipsec.d/crls
>
> cp gwonekey.key /etc/ipsec.d/private
>
> cp gwonecert.crt /etc/ipsec.d/certs
>
> cp cacert.crt /etc/ipsec.d/cacerts
>
> cp crl.pem /etc/ipsec.d/crls
>
>
> And on Machine B after copying the files:
>
> mkdir /etc/ipsec.d/private
>
> mkdir /etc/ipsec.d/certs
>
> mkdir /etc/ipsec.d/cacerts
>
> mkdir /etc/ipsec.d/crls
>
> cp gwtwokey.key /etc/ipsec.d/private
>
> cp gwonecert.crt /etc/ipsec.d/certs
>
> cp gwtwocert.crt /etc/ipsec.d/certs
>
> cp cacert.crt /etc/ipsec.d/cacerts
>
>
> I've then edited the *ipsec.secrets* file on both machines:
>
> Machine A:
>
> %any %any : PSK "test"
>
> : RSA gwonecert.crt "test"
>
>
> Machine B:
>
> %any %any : PSK "test"
>
> : RSA gwonecert.crt "test"
>
> : RSA gwtwocert.crt "test"
>
>
> The last step was to edit the *ipsec.conf* on those machines:
>
> Machine A:
>
> config setup
>
>             protostack=netkey
>
>             dumpdir=/var/run/pluto/
>
>             nat_traversal=yes
>
>             virtual_private=%v4:0.0.0.0/0,%v6:fd00::/8,%v6:fe80::/10,%v4:!10.1.1.0/24
>
>
>
> #conn gw-to-gw
>
> #           authby=secret
>
> #           left=192.168.1.1
>
> #           leftsubnet=10.1.1.0/24
>
> #           right=192.168.1.2
>
> #           rightsubnet=10.1.2.0/24
>
> #           auto=start
>
> #           type=tunnel
>
>
>
> conn cert
>
>             authby=rsasig
>
>             leftrsasigkey=%cert
>
>             leftcert=gwonecert.crt
>
>             left=192.168.1.1
>
>             leftsubnet=10.1.1.0/24
>
>             right=192.168.1.2
>
>             rightsubnet=10.1.2.0/24
>
>             auto=start
>
>             type=tunnel
>
>
> Machine B:
>
> config setup
>
>             protostack=netkey
>
>             dumpdir=/var/run/pluto/
>
>             nat_traversal=yes
>
>             virtual_private=%v4:0.0.0.0/0,%v6:fd00::/8,%v6:fe80::/10,%v4:!10.1.1.0/24
>
>
>
> #conn gw-to-gw
>
> #           authby=secret
>
> #           left=192.168.1.1
>
> #           leftsubnet=10.1.1.0/24
>
> #           right=192.168.1.2
>
> #           rightsubnet=10.1.2.0/24
>
> #           auto=start
>
> #           type=tunnel
>
>
>
> conn cert
>
>             authby=rsasig
>
>             leftrsasigkey=%cert
>
>             rightrsasigkey=%cert
>
>             leftcert=gwtwocert.crt
>
>             rightcert=gwonecert.crt
>
>             left=192.168.1.2
>
>             leftsubnet=10.1.2.0/24
>
>             right=192.168.1.1
>
>             rightsubnet=10.1.1.0/24
>
>             auto=start
>
>             type=tunnel
>
>
> I've restarted ipsec on both machines using *service ipsec restart* but
> now, after doing *ipsec auto --up cert*, nothing happens. In the terminal I
> have to hit Ctrl-C.
>
>
> Once again, can someone tell me what I am doing wrong?
>
>
> Many thanks,
>
>
> Kent Davies
>
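
An added example, not part of the original thread: one way to build a per-gateway PKCS#12 bundle for the NSS import discussed above, holding that gateway's own certificate and key plus the CA certificate, with an explicit nickname so that pk12util does not have to derive one. File names follow the thread; the nickname, the function names and the KEY_PASS/P12_PASS variables are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). The function names, the nickname
# argument and the KEY_PASS / P12_PASS variables are assumptions.

# Bundle ONE gateway's certificate, its private key and the CA certificate
# (certificate only; cakey.key stays on the CA) into a PKCS#12 file.
# -name sets the friendlyName, which NSS uses as the certificate nickname.
# usage: make_host_p12 <cert> <key> <cacert> <nickname> <out.p12>
# KEY_PASS = pass phrase of the gateway key, P12_PASS = pass phrase of the bundle.
make_host_p12() {
    openssl pkcs12 -export \
        -in "$1" -inkey "$2" -certfile "$3" \
        -name "$4" -out "$5" \
        -passin env:KEY_PASS -passout env:P12_PASS
}

# Count the certificates in a bundle; a gateway bundle built as above
# should hold 2 (gateway certificate + CA certificate).
p12_cert_count() {
    openssl pkcs12 -in "$1" -nokeys -passin env:P12_PASS 2>/dev/null |
        grep -c 'BEGIN CERTIFICATE'
}

# Import the bundle into the NSS database, then list the certificates (-L)
# and private keys (-K) it now holds. Needs the NSS tools and an already
# initialised database in the directory (default: /etc/ipsec.d).
# usage: import_into_nss <bundle.p12> [nss-db-dir]
import_into_nss() {
    db=${2:-/etc/ipsec.d}
    pk12util -i "$1" -d "$db" &&
        certutil -L -d "$db" &&
        certutil -K -d "$db"
}

# On machine A, for instance (nickname "gwone" is an assumption):
#   export KEY_PASS=... P12_PASS=...
#   make_host_p12 gwonecert.crt gwonekey.key cacert.crt gwone gwone.p12
#   import_into_nss gwone.p12
```

The nickname printed by `certutil -L` is the name the NSS database knows the certificate by.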