Our university college (HiST) is trying to establish an IPSec tunnel between a FreeRADIUS server using Openswan 2.4.12 and a Cisco WLC running 4.2.173.00.
To start the IPSec negotiation we need RSA keys at both ends of the tunnel (FreeRADIUS, Cisco WLC), or pre-shared keys (PSK).

Case 1: On the FreeRADIUS server we generated two pairs of keys on the command line as follows:

- Key pair for the FreeRADIUS server:
  Freradiushost# ipsec newhostkey --hostname "FreeRadius" --output /etc/ipsec.secrets --bits 1024
- Key pair for the WLC:
  Freradiushost# ipsec newhostkey --hostname "wlcname" --output "RSAKeyFileName" --bits 1024

However, the WLC doesn't accept the RSA keys generated. The file produced looks like this:

  : RSA {
      # RSA 1024 bits   "wlcname"   etc.
      # for signatures only etc.
      #pubkey=xxxxxxx
      Modulus: xxxx
      PublicExponent: xxx
      # everything after this point is secret
      PrivateExponent: xxx
      Prime1: xxxx
      Prime2: xxxx
      Exponent1: xxxx
      Exponent2: xxxx
      Coefficient: xxxx
      }

We try to paste the WLC's keys into the web interface under the menu Security > Advanced > CA Certificate > IPSec Certs. But, to no avail, the page at "<ip-number of wlc>" says: "Error in setting Certificate". How should we generate the RSA keys in Openswan in order to get them into the Cisco WLC?

Case 2: We have also tried to use pre-shared keys. But alas, the Cisco WLC doesn't respond to the request from the FreeRADIUS server. How should these PSKs be formed and what settings should be used? Any configuration examples of IPSec on Openswan, or generic explanations, would be welcome as well.

Settings on the WLC:

  Shared Secret Format: ASCII
  Shared Secret: <same as on OpenSwan>
  Key Wrap: <not used>
  Port Number: 1812
  Server Status: Enabled
  Support for RFC 3576: Enabled
  Server Timeout: 2 seconds
  Network User: Enable
  Management: Enable
  IPSec: Enable
  IPSec Parameters:
    IPSec: HMAC SHA1
    IPSEC Encryption: AES CBS (Shared Secret will be used as the Preshared Key)
    IKE Phase 1: Aggressive (tried Main as well, with corresponding settings in OpenSwan)
    Lifetime (seconds): 28800
    IKE Diffie Hellman Group: Group 2 (1024 bits)

Remarks: I would like to mention two things:

- The path is open between the FreeRADIUS server and the Cisco WLC.
- The FreeRADIUS server was tested with other Linux IPSec tunnels, and this worked flawlessly.

The setup of the FreeRADIUS is changed in each case to correspond with the settings on the WLC.

Looking forward to getting help from you!

P.S.: It seems that IPSec tunnels vs. WLCs is not what's easy to get help with; we've contacted several major Norwegian consulting firms with little or no response.

Regards
Saleh Abuzid
Department engineer, Dept. of servers and networks, HiST - Sor-Trondelag University College (www.hist.no)
Phone: +47 73559672
E-mail: saleh.abu...@hist.no

Saleh Abuzid
Gunnerus gate 1
Høgskolen i Sør-Trøndlag (HiST)
SPO-IKT
Department engineer
Phone: 73559672
E-mail: saleh.abu...@hist.no
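As an added illustration, not taken from the post above or from any reply in the thread, here is one way the WLC settings listed above can be written on the Openswan side for the PSK case (Case 2). The two addresses, the placeholder secret, the 128-bit AES key size and the phase 2 values are assumptions; aggressive mode, HMAC-SHA1, DH group 2 and the 28800 s IKE lifetime are taken from the WLC fields.

```ini
# --- /etc/ipsec.conf (added example; addresses are constructed placeholders) ---
config setup
    interfaces=%defaultroute

conn radius-to-wlc
    # Host-to-host policy: FreeRADIUS server on the left, WLC on the right.
    # Narrowing it to RADIUS traffic with leftprotoport=17/1812 is possible,
    # but only if the WLC's own policy uses the same selector.
    left=192.0.2.10
    right=192.0.2.20
    # WLC: "Shared Secret will be used as the Preshared Key" -> PSK authentication
    authby=secret
    # WLC: IKE Phase 1 = Aggressive. Aggressive mode sends the peer identity and
    # the PSK-derived hash before encryption starts, so prefer Main mode (and
    # aggrmode=no) whenever the WLC accepts it, and use a long random secret.
    aggrmode=yes
    # WLC: AES encryption, HMAC-SHA1 integrity, DH group 2 (1024-bit MODP).
    # AES-128 is an assumption; the WLC field does not state the key size.
    ike=aes128-sha1-modp1024
    esp=aes128-sha1
    # WLC: IKE lifetime 28800 seconds (8h). keylife (phase 2) and pfs are
    # assumptions; adjust them to what the WLC actually negotiates.
    ikelifetime=8h
    keylife=1h
    pfs=no
    auto=start

# --- /etc/ipsec.secrets ---
# Same ASCII string as the RADIUS shared secret configured on the WLC, because
# the WLC reuses that secret as the IKE PSK (keep this file mode 0600).
192.0.2.10 192.0.2.20 : PSK "replace-with-the-radius-shared-secret"
```

After `ipsec auto --up radius-to-wlc`, a matching phase 1 proposal shows up as an "ISAKMP SA established" line in pluto's log; if that line never appears, the proposal or the PSK (not the RADIUS configuration) is what still differs from the WLC.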
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html