[Openswan Users] Fwd: IPsec configuration

Bart Smink bartsmink at gmail.com
Mon Nov 18 10:43:55 UTC 2013


You could check the logs; as you're on CentOS, they're in
/var/log/secure. There you will find the error that Openswan gives when you try
to start the connection.


2013/11/18 Ana <kentdavies at gmail.com>

> Hello.
>
> Thanks for your answer.
>
> All you said is new to me.
>
> I've started by converting all my certs to the PKCS#12 format like this:
>
> openssl pkcs12 -export -clcerts -in cacert.crt -inkey cakey.key -out ca.p12
>
>
> And then, I've imported them to ipsec.d like this:
>
> [root at mainmachine ipsec.d]# pk12util -i /etc/pki/tls/ca.p12 -d /etc/ipsec.d/
> Enter Password or Pin for "NSS Certificate DB":
> Enter password for PKCS12 file:
> pk12util: no nickname for cert in PKCS12 file.
> pk12util: using nickname: www.mysite.com - XPTO
> pk12util: PKCS12 IMPORT SUCCESSFUL
>
>
> And now I'm completely lost :(
>
> Sorry, but what should I do next? I can't seem to find a proper tutorial
> explaining these steps.
>
> Thanks,
>
> Kent Davies
>
> On Mon, Nov 18, 2013 at 4:47 AM, Leto <letoams at gmail.com> wrote:
>
>> If using the CentOS builds, those use NSS, so you cannot put private keys
>> and certs in /etc/ipsec.d/
>>
>> You need to use ipsec initnss and then ipsec import on the certs in
>> PKCS#12 format. See README.NSS
>>
>> sent from a tiny device
>>
>> On 2013-11-17, at 6:00, Ana <kentdavies at gmail.com> wrote:
>>
>> Hi everybody. Hello again.
>>
>>
>> Following my last cry for help, here I am again with some IPsec problems.
>>
>>
>> After managing to get IPsec running using secrets, I'm now trying
>> (without success) to accomplish the same but now using X.509 certificates.
>>
>>
>> As a reminder, I'm running two virtual machines with CentOS that
>> simulate the network depicted in the picture below.
>>
>> <image.png>
>>
>>
>> I want to create an IPsec tunnel between machine A and machine B. The
>> keys should be negotiated using IKE and the tunnel should enable total
>> connectivity between the two machines. My goal is to achieve this using
>> x.509 certificates.
>>
>>
>> My machine A will act as a gateway and as a Certificate Authority.
>>
>>
>> The first step was to create my CA and two certificates, one for machine
>> A and one for machine B. So, on machine A I've run these commands:
>>
>> 1) Create the CA:
>>
>> openssl genrsa -des3 -out cakey.key 1024
>> openssl req -new -key cakey.key -out cacsr.csr
>> openssl x509 -req -days 365 -in cacsr.csr -out cacert.crt -signkey cakey.key
>>
>> 2) For each machine, create a certificate signed using the CA created
>> above:
>>
>> openssl genrsa -des3 -out gwonekey.key 1024
>> openssl req -new -key gwonekey.key -out gwonecsr.csr
>> openssl ca -in gwonecsr.csr -cert cacert.crt -keyfile cakey.key -out gwonecert.crt
>>
>> openssl genrsa -des3 -out gwtwokey.key 1024
>> openssl req -new -key gwtwokey.key -out gwtwocsr.csr
>> openssl ca -in gwtwocsr.csr -cert cacert.crt -keyfile cakey.key -out gwtwocert.crt
>>
>> 3) I've also created a Certificate Revocation List:
>>
>> echo 01 > /etc/pki/CA/crlnumber
>> openssl ca -gencrl -keyfile cakey.key -cert cacert.crt -out crl.pem
>>
>>
>> On machine A I've done this:
>>
>> mkdir /etc/ipsec.d/private
>> mkdir /etc/ipsec.d/certs
>> mkdir /etc/ipsec.d/cacerts
>> mkdir /etc/ipsec.d/crls
>> cp gwonekey.key /etc/ipsec.d/private
>> cp gwonecert.crt /etc/ipsec.d/certs
>> cp cacert.crt /etc/ipsec.d/cacerts
>> cp crl.pem /etc/ipsec.d/crls
>>
>> And on machine B, after copying the files:
>>
>> mkdir /etc/ipsec.d/private
>> mkdir /etc/ipsec.d/certs
>> mkdir /etc/ipsec.d/cacerts
>> mkdir /etc/ipsec.d/crls
>> cp gwtwokey.key /etc/ipsec.d/private
>> cp gwonecert.crt /etc/ipsec.d/certs
>> cp gwtwocert.crt /etc/ipsec.d/certs
>> cp cacert.crt /etc/ipsec.d/cacerts
>>
>>
>> I've then edited the *ipsec.secrets* file on both machines:
>>
>> Machine A:
>>
>> %any %any : PSK "test"
>> : RSA gwonecert.crt "test"
>>
>> Machine B:
>>
>> %any %any : PSK "test"
>> : RSA gwonecert.crt "test"
>> : RSA gwtwocert.crt "test"
>>
>>
>> The last step was to edit the *ipsec.conf* on those machines:
>>
>> Machine A:
>>
>> config setup
>>             protostack=netkey
>>             dumpdir=/var/run/pluto/
>>             nat_traversal=yes
>>             virtual_private=%v4:0.0.0.0/0,%v6:fd00::/8,%v6:fe80::/10,%v4:!10.1.1.0/24
>>
>> #conn gw-to-gw
>> #           authby=secret
>> #           left=192.168.1.1
>> #           leftsubnet=10.1.1.0/24
>> #           right=192.168.1.2
>> #           rightsubnet=10.1.2.0/24
>> #           auto=start
>> #           type=tunnel
>>
>> conn cert
>>             authby=rsasig
>>             leftrsasigkey=%cert
>>             leftcert=gwonecert.crt
>>             left=192.168.1.1
>>             leftsubnet=10.1.1.0/24
>>             right=192.168.1.2
>>             rightsubnet=10.1.2.0/24
>>             auto=start
>>             type=tunnel
>>
>>
>> Machine B:
>>
>> config setup
>>             protostack=netkey
>>             dumpdir=/var/run/pluto/
>>             nat_traversal=yes
>>             virtual_private=%v4:0.0.0.0/0,%v6:fd00::/8,%v6:fe80::/10,%v4:!10.1.1.0/24
>>
>> #conn gw-to-gw
>> #           authby=secret
>> #           left=192.168.1.1
>> #           leftsubnet=10.1.1.0/24
>> #           right=192.168.1.2
>> #           rightsubnet=10.1.2.0/24
>> #           auto=start
>> #           type=tunnel
>>
>> conn cert
>>             authby=rsasig
>>             leftrsasigkey=%cert
>>             rightrsasigkey=%cert
>>             leftcert=gwtwocert.crt
>>             rightcert=gwonecert.crt
>>             left=192.168.1.2
>>             leftsubnet=10.1.2.0/24
>>             right=192.168.1.1
>>             rightsubnet=10.1.1.0/24
>>             auto=start
>>             type=tunnel
>>
>>
>> I've restarted ipsec on both machines using *service ipsec restart*, but
>> now, after doing *ipsec auto --up cert*, nothing happens. In the terminal I
>> have to hit Ctrl-C.
>>
>>
>> Once again, can someone tell me what I am doing wrong?
>>
>>
>> Many thanks,
>>
>>
>> Kent Davies
>>
>> _______________________________________________
>> Users at lists.openswan.org
>> https://lists.openswan.org/mailman/listinfo/users
>> Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
>> Building and Integrating Virtual Private Networks with Openswan:
>> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
>>
>>
>
>


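Editor's added example, not code from the thread or from the Openswan project: the procedure the replies describe (certificates generated with OpenSSL, then loaded into the NSS database that the CentOS Openswan builds use), done end to end. It departs from the quoted steps in four places a practitioner would want changed: the PKCS#12 file is given a nickname with `-name`, so pk12util does not have to invent one; each gateway's PKCS#12 contains only that gateway's key and cert (the quoted `openssl pkcs12 -export -in cacert.crt -inkey cakey.key` packs the CA private key into a file that then gets imported on the gateway, which is exactly the key that should never leave the CA host); the CA certificate is added to NSS separately with trust flags; and keys are 2048-bit RSA with v3 extensions rather than 1024-bit v1 certificates. The names `gwone`/`gwtwo`, the DNS names, the working directory, `/etc/ipsec.d` as the NSS directory, the export password and the `leftid`/`rightid` DN strings in the printed ipsec.conf fragment are all assumptions; the addresses and subnets are the ones from the thread.

```shell
#!/bin/sh
# Added example (not from the thread or Openswan): build a two-gateway PKI
# with OpenSSL, pack each gateway's OWN key+cert as a PKCS#12 that carries a
# nickname, and, where nss-tools exist, load it into Openswan's NSS database.
# Hypothetical: names gwone/gwtwo, DNS names, WORKDIR, NSSDIR, P12PASS.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl(1) required" >&2; exit 0; }

WORKDIR="${WORKDIR:-$(mktemp -d)}"   # CA host working dir; never a gateway
NSSDIR="${NSSDIR:-/etc/ipsec.d}"     # Openswan's NSS db on the CentOS builds
P12PASS="${P12PASS:-changeit}"       # hypothetical export password

# v3 extensions: "openssl x509 -req" without -extfile emits v1 certs with no
# CA flag, key usage or SAN, so the "CA" would not be a CA to a strict verifier.
write_ext_files() {
    printf '%s\n' 'basicConstraints=critical,CA:TRUE' \
        'keyUsage=critical,keyCertSign,cRLSign' 'subjectKeyIdentifier=hash' \
        > "$WORKDIR/ca.ext"
    printf '%s\n' 'basicConstraints=critical,CA:FALSE' \
        'keyUsage=critical,digitalSignature' 'extendedKeyUsage=serverAuth,clientAuth' \
        'subjectKeyIdentifier=hash' 'authorityKeyIdentifier=keyid,issuer' \
        > "$WORKDIR/gw.ext"
}

# Self-signed CA, 2048-bit RSA (1024 is too small). Only ca.crt leaves this host.
make_ca() {
    openssl genrsa -out "$WORKDIR/ca.key" 2048 2>/dev/null
    openssl req -new -key "$WORKDIR/ca.key" -subj "/CN=vpn-ca.example" -out "$WORKDIR/ca.csr"
    openssl x509 -req -days 3650 -in "$WORKDIR/ca.csr" -signkey "$WORKDIR/ca.key" \
        -extfile "$WORKDIR/ca.ext" -out "$WORKDIR/ca.crt" 2>/dev/null
}

# $1 = NSS nickname (what leftcert= will name), $2 = DNS name (put in the SAN).
issue_gw_cert() {
    name="$1"; fqdn="$2"
    openssl genrsa -out "$WORKDIR/$name.key" 2048 2>/dev/null
    openssl req -new -key "$WORKDIR/$name.key" -subj "/CN=$fqdn" -out "$WORKDIR/$name.csr"
    { cat "$WORKDIR/gw.ext"; echo "subjectAltName=DNS:$fqdn"; } > "$WORKDIR/$name.ext"
    openssl x509 -req -days 365 -in "$WORKDIR/$name.csr" -CA "$WORKDIR/ca.crt" \
        -CAkey "$WORKDIR/ca.key" -CAcreateserial -extfile "$WORKDIR/$name.ext" \
        -out "$WORKDIR/$name.crt" 2>/dev/null
    # -name is the friendlyName pk12util turns into the nickname; the thread's
    # export had none ("no nickname for cert"). The CA key is never exported.
    openssl pkcs12 -export -in "$WORKDIR/$name.crt" -inkey "$WORKDIR/$name.key" \
        -name "$name" -passout "pass:$P12PASS" -out "$WORKDIR/$name.p12"
}

# Gateway cert must chain to ca.crt (exit 0) and to nothing else.
verify_chain() { openssl verify -CAfile "$WORKDIR/ca.crt" "$WORKDIR/$1.crt" >/dev/null; }

# Round-trip check: read the subject back out of the PKCS#12.
p12_subject() {
    openssl pkcs12 -in "$WORKDIR/$1.p12" -passin "pass:$P12PASS" -nokeys -clcerts 2>/dev/null |
        openssl x509 -noout -subject
}

# Run ON the gateway that owns $1.p12 (needs nss-tools; skipped elsewhere).
import_into_nss() {
    command -v pk12util >/dev/null 2>&1 || { echo "nss-tools missing; skipping" >&2; return 0; }
    [ -f "$NSSDIR/cert8.db" ] || [ -f "$NSSDIR/cert9.db" ] || ipsec initnss
    certutil -A -d "$NSSDIR" -n vpn-ca -t "CT,," -i "$WORKDIR/ca.crt"   # CA cert only
    pk12util -d "$NSSDIR" -i "$WORKDIR/$1.p12" -W "$P12PASS"
    certutil -L -d "$NSSDIR"   # expect vpn-ca with CT,, and $1 with u,u,u
    certutil -K -d "$NSSDIR"   # $1's private key must be listed
}

# ipsec.conf for gateway A: leftcert= is the nickname, not a file; %cert on
# both sides; IDs (hypothetical) match the subjects above.
print_conn_fragment() {
    cat <<'EOF'
conn gw-to-gw-cert
        authby=rsasig
        leftrsasigkey=%cert
        rightrsasigkey=%cert
        left=192.168.1.1
        leftsubnet=10.1.1.0/24
        leftcert=gwone
        leftid="CN=gwone.example"
        right=192.168.1.2
        rightsubnet=10.1.2.0/24
        rightid="CN=gwtwo.example"
        rightca=%same
        auto=start
        type=tunnel
EOF
}

main() {
    write_ext_files; make_ca
    issue_gw_cert gwone gwone.example
    issue_gw_cert gwtwo gwtwo.example
    verify_chain gwone; verify_chain gwtwo
    echo "PKI in $WORKDIR: ship ca.crt + gwone.p12 to A, ca.crt + gwtwo.p12 to B"
    print_conn_fragment
}
main
```

Run the script on the CA host, copy `ca.crt` and the matching `.p12` to each gateway, and call `import_into_nss gwone` (or `gwtwo`) there. With NSS in use, the private key is referenced in ipsec.secrets by its nickname rather than by a file name and passphrase; README.NSS, which the reply above points to, gives the exact line. Two caveats: if the CA host runs OpenSSL 3, the older NSS on CentOS may refuse the default PBES2/AES PKCS#12 encoding, in which case add `-legacy` to the `openssl pkcs12 -export` call; and once the certificate conn negotiates, delete the `%any %any : PSK "test"` line from ipsec.secrets, since a wildcard PSK with a guessable value is an authentication path you no longer want. If `ipsec auto --up` still hangs, `certutil -L -d /etc/ipsec.d` (nickname and trust flags present?) and `certutil -K -d /etc/ipsec.d` (private key present?) on each gateway, read alongside /var/log/secure as suggested above, separate an NSS import problem from an IKE one.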