I am close to getting Bering and Dachstein working together to provide an IPSec
gateway using x.509 certificates. I am getting errors in the auth.log file (attached
inline) that say "no RSA public key known for <DN of my win2k client>". What do I do
to solve this? I have attached both the log and the instructions I used to get to
this point.
Thanks. I am really close, I can feel it.
---------------------------------------------------------------------------
Chad Carr [EMAIL PROTECTED]
---------------------------------------------------------------------------
==========Contents of auth.log==========
Feb 3 09:14:12 wlanfw Pluto[1901]: Starting Pluto (FreeS/WAN Version 1.91)
Feb 3 09:14:12 wlanfw Pluto[1901]: including X.509 patch (Version 0.9.3)
Feb 3 09:14:12 wlanfw Pluto[1901]: Changing to directory '/etc/ipsec.d/cacerts'
Feb 3 09:14:12 wlanfw Pluto[1901]: loaded cacert file 'RootCA.der' (1182 bytes)
Feb 3 09:14:12 wlanfw Pluto[1901]: Changing to directory '/etc/ipsec.d/crls'
Feb 3 09:14:12 wlanfw Pluto[1901]: loaded crl file 'crl.pem' (698 bytes)
Feb 3 09:14:12 wlanfw Pluto[1901]: loaded my X.509 cert file '/etc/x509cert.der' (1220 bytes)
Feb 3 09:14:15 wlanfw Pluto[1901]: added connection description "w2k-road-warriors"
Feb 3 09:14:15 wlanfw Pluto[1901]: listening for IKE messages
Feb 3 09:14:15 wlanfw Pluto[1901]: adding interface ipsec0/eth0 192.168.3.1
Feb 3 09:14:15 wlanfw Pluto[1901]: loading secrets from "/etc/ipsec.secrets"
Feb 3 09:15:58 wlanfw Pluto[1901]: packet from 192.168.3.10:500: ignoring Vendor ID payload
Feb 3 09:15:58 wlanfw Pluto[1901]: "w2k-road-warriors" #1: responding to Main Mode from unknown peer 192.168.3.10
Feb 3 09:15:59 wlanfw Pluto[1901]: "w2k-road-warriors" #1: Peer ID is ID_DER_ASN1_DN: 'C=US, ST=California, L=Orange, O=Win2000 Client, CN=Chad Carr, [EMAIL PROTECTED]'
Feb 3 09:15:59 wlanfw Pluto[1901]: "w2k-road-warriors" #1: Certificate is invalid
Feb 3 09:15:59 wlanfw Pluto[1901]: "w2k-road-warriors" #1: Invalid X.509 certificate
Feb 3 09:15:59 wlanfw Pluto[1901]: "w2k-road-warriors" #1: deleting connection "w2k-road-warriors" instance with peer 192.168.3.10
Feb 3 09:15:59 wlanfw Pluto[1901]: "w2k-road-warriors" #1: no RSA public key known for 'C=US, ST=California, L=Orange, O=Win2000 Client, CN=Chad Carr, [EMAIL PROTECTED]'
Feb 3 09:17:21 wlanfw Pluto[1901]: "w2k-road-warriors" #2: Peer ID is ID_DER_ASN1_DN: 'C=US, ST=California, L=Orange, O=Win2000 Client, CN=Chad Carr, [EMAIL PROTECTED]'
Feb 3 09:17:21 wlanfw Pluto[1901]: "w2k-road-warriors" #2: Certificate is invalid
Feb 3 09:17:21 wlanfw Pluto[1901]: "w2k-road-warriors" #2: Invalid X.509 certificate
Feb 3 09:17:21 wlanfw Pluto[1901]: "w2k-road-warriors" #2: no RSA public key known for 'C=US, ST=California, L=Orange, O=Win2000 Client, CN=Chad Carr, [EMAIL PROTECTED]'
==========Instructions==========
SECTION 4 - TURNING BERING INTO A CERTIFICATE AUTHORITY (BROKEN)
Using x.509 certificates - this doesn't quite work yet. I will get this
document up to date when it works.
The outcome of this whole process:
root certificate authority certificate in /etc/ipsec.d/cacerts/RootCA.der
root CA certificate revocation list in /etc/ipsec.d/crls/crl.pem
binary gateway certificate in /etc/x509cert.der ?
ascii private key for gateway in /etc/ipsec.secrets ?
ascii gateway certificate in /etc/ipsec.d ?
ascii private key for gateway in /etc/ipsec.d/private ?
But we must start at the beginning, which is getting openssl onto your system.
I did this by doing "apt-get install openssl" on Debian Woody and then waiting
for it to install properly, but if you use Red Hat or one of the other
distributions out there, use your way instead. I recommend going with the
package way whenever possible. You will have to adjust the paths below to
correspond to where your distribution puts things.
If you have to install from source, so be it, but there are other better
documents for you to learn that from. Try
http://www.bayour.com/LDAPv3-HOWTO.html#3.1.OpenSSL|outline. If that doesn't
work, search for "openssl howto" on www.yahoo.com and see where life takes you.
We want our certificates to be longer than the default 1024 bits, and we want
them to last longer than the default 365 days, so we go into the
/etc/ssl/openssl.conf file and change default_bits to 2048 and default_days to
3650. Do all of the rest of the operations in your ~/scratch directory.
1) Create a new Trusted Root CA on your compact flash
   a) generate root certificate
      i)  /usr/lib/ssl/misc/CA.sh -newca   (choose a good passphrase)
      ii) openssl x509 -in demoCA/cacert.pem -outform der -out \
            /mnt/cf/etc/ipsec.d/cacerts/RootCA.der
   b) generate a certificate revocation list
      openssl ca -gencrl -out /mnt/cf/etc/ipsec.d/crls/crl.pem
2) Create and sign a new certificate for your router on your compact flash
   a) generate certificate request
      /usr/lib/ssl/misc/CA.sh -newreq
   b) sign it with the root certificate
      /usr/lib/ssl/misc/CA.sh -sign
      (when prompted, enter the password of the root certificate)
   c) extract the private part of the signed certificate
      fswcert -k newreq.pem >> /mnt/cf/etc/ipsec.secrets
   d) install the binary form of the certificate
      openssl x509 -in newcert.pem -outform der -out /mnt/cf/etc/x509cert.der
   e) move newcert.pem and newreq.pem out of the way
      i)  mkdir gateway
      ii) mv newcert.pem newreq.pem gateway/
3) Configure FreeS/WAN to respond to client properly
   a) /etc/ipsec.secrets
      remove old PSK line ???
   b) /etc/ipsec.conf
      config setup
          interfaces="ipsec0=eth0"
          klipsdebug=none
          plutodebug=none
          plutoload=%search
          plutostart=%search
          uniqueids=yes
      conn %default
          keyingtries=0
          authby=rsasig
          leftrsasigkey=%cert
          rightrsasigkey=%cert
          left=192.168.3.1
          leftsubnet=0.0.0.0/0
          leftid="/C=US/ST=California/L=Orange/O=Chad's IPSec \
            Firewall/CN=Chad [EMAIL PROTECTED]"
          pfs=yes
          auto=add
      conn w2k-road-warriors
          right=%any
   c) restart ipsec
      /etc/init.d/ipsec restart
4) Create and sign a new certificate for the Windows 2000 client
   a) generate certificate request
      /usr/lib/ssl/misc/CA.sh -newreq
   b) sign it with the root certificate
      /usr/lib/ssl/misc/CA.sh -sign
      (when prompted, enter the password of the root certificate)
   c) create pkcs#12 certificate for export to Windows 2000 client (including RootCA certificate)
      openssl pkcs12 -export -in newcert.pem -inkey newreq.pem -certfile demoCA/cacert.pem -out w2kclient.p12
   d) use MMC to import this certificate in the Windows 2000 client
   e) apply certificate to IPSec Security Policy on both IP Security Rules (in place of preshared key)
   f) restart IPSec Policy Agent service.
5) Pingy, pingy.
_______________________________________________
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
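The "Certificate is invalid" followed by "no RSA public key known for <DN>" in the log above is what Pluto reports when the peer's certificate does not chain to the root it loaded from /etc/ipsec.d/cacerts, so it never attaches a public key to that DN. The POSIX shell script below is an added diagnostic, not code from the original post or from the LEAF/FreeS/WAN project: it re-creates that chain check offline with the same openssl CLI the instructions use. The CA names (demo-root, stray-ca) and client names are constructed for the demonstration, and the CRL check from step 1b is not reproduced here.

```shell
#!/bin/sh
# Added diagnostic, not part of the original post. Re-creates offline the check Pluto
# performs when a peer presents its certificate: does it chain to the root loaded from
# /etc/ipsec.d/cacerts? If not, Pluto logs "Certificate is invalid" and, since the
# peer's public key is then unknown, "no RSA public key known for <DN>".
# All CAs, keys and certs below are constructed in a temp dir; names are assumptions.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Self-signed root CA (stands in for demoCA/cacert.pem / RootCA.der). $1 = CA name
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -keyout "$1.key" \
    -subj "/C=US/O=$1/CN=$1" -out "$1.crt" 2>/dev/null
}

# Client certificate signed by CA $1 with subject CN=$2 (stands in for newcert.pem)
issue_cert() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$2.key" \
    -subj "/C=US/O=Win2000 Client/CN=$2" -out "$2.csr" 2>/dev/null
  openssl x509 -req -in "$2.csr" -CA "$1.crt" -CAkey "$1.key" -CAcreateserial \
    -days 3650 -out "$2.crt" 2>/dev/null
}

# Exit 0 when certificate $2 chains to CA certificate $1, non-zero otherwise
chains_to_ca() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# Subject DN of $1 as a single line (the value Pluto shows as the Peer ID)
subject_dn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# One-line verdict for certificate $2 against the CA $1 that the gateway has loaded
diagnose() {
  if chains_to_ca "$1" "$2"; then
    echo "OK: $(subject_dn "$2") is signed by the loaded CA"
  else
    echo "REJECT: $(subject_dn "$2") does not chain to the loaded CA (Pluto: Certificate is invalid)"
  fi
}

# Constructed scenario: the gateway trusts demo-root; one client cert was issued by
# demo-root, the other by an unrelated CA (e.g. a second 'CA.sh -newca' run).
make_ca demo-root
make_ca stray-ca
issue_cert demo-root good-client
issue_cert stray-ca stray-client
diagnose demo-root.crt good-client.crt
diagnose demo-root.crt stray-client.crt
```

Run `diagnose RootCA.pem client.pem` against the real files (convert RootCA.der with `openssl x509 -inform der`) to see whether the Windows client's certificate chains to the root the gateway actually loaded.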