Hi Tim, I'm not a CA or a VPN expert, but I did wrestle with this way-way back using a patched Dachstein 1.02. And I didn't even use SSH Sentinel or any non-free third-party tool to build the connection. I attribute most of the helpful info to the Bering documentation.
> Message: 10
> To: [EMAIL PROTECTED]
> From: [EMAIL PROTECTED]
> Date: Fri, 25 Jul 2003 17:14:49 -0400
> Subject: [leaf-user] VPN: How to establish connection with .p12?
>
> Hello!
>
> Short version:
>
> How do I turn a single .P12 file that works fine with SSH Sentinel into the
> files that Bering/SuperFreeS/Wan 1.99 expect to work with? I believe that
> these would be cacert.pem, crl.pem and x509cert.der, though maybe another
> collection of files will work as well.
>
> Long version:
>
> I am trying to establish a VPN between my Bering box and a remote firewall.
> This is to replace and expand on the functionality I have with a Windows
> 2000 computer running SSH Sentinel.
>
> My biggest problem right now is how to set up Bering to accept the
> certificates. With SSH Sentinel, I have been given a single .p12 file.
> With that, SSH Sentinel has everything that it needs to make the VPN work.
>
> This is not true, it seems, of Bering. According to the Bering User's
> Guide (Chapter 15: http://leaf.sourceforge.net/doc/guide/buipsec.html),
> there are three files I need:
>
> cacert.pem (in /etc/ipsec.d/cacerts)
> crl.pem (in /etc/ipsec.d/crls)
> x509cert.der (in /etc)
>
> The Bering install guide assumes you are in full control of the connection,
> are generating your own keys, etc. It doesn't explain at all what it's
> doing. Most importantly, it does not define which of these pieces each of
> these files are. I have tried to find out what each of these are supposed
> to be (public key? Private key? Both? My key-pair? The remote end's?
> The CA's?) but I have met with very limited success.

The Bering script actually creates this:

1. cacert.pem - this is the main CA (Certificate Authority) that acts like an encrypted database for holding all of the certificates' info (that the script creates).
2. crl.pem - along with a CA you also get a certificate revocation list (self-explanatory).
3. serverCert.pem - this should be your Bering (local host) certificate. An x509cert.der is also created, and this is just the .der equivalent of the serverCert.pem. This is also used for interoperability purposes. (Gurus, please step in if I'm mistaken.)
4. clientCert.pem - this is no different from the serverCert.pem, only this one is targeted to be used by your remote partner: the Windows 2000 server (in your case). Unfortunately, win2k cannot read this cert in itself, which is why a .p12 equivalent is also created. Hence you have a clientCert.p12.

> Could someone assist me in breaking down this .P12 file into the pieces I
> need to feed into Bering to make this VPN work?

Like I've said above, Bering doesn't need this .p12 file, but your win2k does.

> Thank you very much for reading my lengthy e-mail. I would be very
> grateful for any help you could give me.

Make sure you patch up your win2k server with the latest service pack, and I strongly suggest that you wrestle with this some more; you'll get this eventually. Also, if you already have SSH Sentinel installed, you will have to push through using it, or you must REMOVE (uninstall) it if you wish to try setting it up without using SSH Sentinel. The docs say that this is a common pitfall for others trying out VPN interop with fswan and win2k. Another good suggestion would be to try out the interop connection using PSK only; then, once it's working, you can proceed to a much more complex setup using certificates (a suggestion from the gurus that actually helps out).

HTH - Vic
------------------------------------------------------------------------
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
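Tim's actual question (turning the one .p12 he was given into the separate files Bering wants) goes unanswered above, so here is an added example, not code from the thread or from the LEAF project. A PKCS#12 bundle normally carries three things: your own certificate, the matching private key, and the issuing CA's certificate. The script below pulls each of those out with openssl into the file names the Bering guide uses (cacert.pem, x509cert.der) plus cert.pem/key.pem, and checks that the pieces belong together. A CRL is not part of a .p12; crl.pem has to come from whoever runs the CA. The test CA and client names, the output file names and the password are assumptions, and the throwaway PKI is constructed inline so the example runs offline.

```shell
#!/bin/sh
# Added example (not from the original thread or the LEAF project): unpack a
# PKCS#12 bundle into the PEM/DER pieces a FreeS/WAN X.509 setup such as Bering
# expects. File names below follow the Bering guide where it names them; the
# rest (cert.pem, key.pem, the test CA/client subjects) are assumptions.
set -eu

# split_p12 P12FILE PASSWORD OUTDIR
# Writes OUTDIR/cacert.pem, OUTDIR/cert.pem, OUTDIR/key.pem, OUTDIR/x509cert.der.
# Each piece is re-encoded through "openssl x509" / "openssl rsa" so the
# "Bag Attributes" header lines that pkcs12 emits do not land in the files.
split_p12() {
    p12=$1; pass=$2; out=$3
    mkdir -p "$out"
    # Issuing CA certificate only: -cacerts drops our own cert, -nokeys the key.
    # (A bundle with several CA certs would need each split out; one CA is assumed.)
    openssl pkcs12 -in "$p12" -passin "pass:$pass" -cacerts -nokeys 2>/dev/null \
        | openssl x509 -out "$out/cacert.pem"
    # Our own certificate, the one SSH Sentinel has been using.
    openssl pkcs12 -in "$p12" -passin "pass:$pass" -clcerts -nokeys 2>/dev/null \
        | openssl x509 -out "$out/cert.pem"
    # Matching private key, unencrypted and readable only by the owner.
    # OpenSSL 3 writes PKCS#8 ("BEGIN PRIVATE KEY"); add -traditional to the
    # "openssl rsa" call there if a tool insists on "BEGIN RSA PRIVATE KEY".
    ( umask 077; openssl pkcs12 -in "$p12" -passin "pass:$pass" -nocerts -nodes 2>/dev/null \
        | openssl rsa -out "$out/key.pem" 2>/dev/null )
    # DER copy of our certificate (Bering's x509cert.der).
    openssl x509 -in "$out/cert.pem" -outform DER -out "$out/x509cert.der"
}

# verify_split OUTDIR
# Checks worth running before copying anything onto the firewall: cert.pem chains
# to cacert.pem, the DER copy parses, and key.pem really is the key for cert.pem.
verify_split() {
    out=$1
    openssl verify -CAfile "$out/cacert.pem" "$out/cert.pem" >/dev/null 2>&1 || return 1
    openssl x509 -in "$out/x509cert.der" -inform DER -noout >/dev/null 2>&1 || return 1
    cert_mod=$(openssl x509 -in "$out/cert.pem" -noout -modulus)
    key_mod=$(openssl rsa -in "$out/key.pem" -noout -modulus 2>/dev/null)
    [ -n "$cert_mod" ] && [ "$cert_mod" = "$key_mod" ]
}

# make_test_p12 DIR PASSWORD
# Constructed stand-in for the .p12 a VPN operator hands out: a throwaway CA
# signs a client certificate, and cert + key + CA cert go into DIR/client.p12.
make_test_p12() {
    dir=$1; pass=$2
    mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Example Test CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=bering-client" \
        -keyout "$dir/client.key" -out "$dir/client.csr" 2>/dev/null
    openssl x509 -req -days 30 -in "$dir/client.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -out "$dir/client.pem" 2>/dev/null
    openssl pkcs12 -export -in "$dir/client.pem" -inkey "$dir/client.key" \
        -certfile "$dir/ca.pem" -passout "pass:$pass" -out "$dir/client.p12"
}

# Usage: sh split_p12.sh client.p12 'password' /tmp/out   (hypothetical file names)
if [ $# -eq 3 ]; then
    split_p12 "$1" "$2" "$3" && verify_split "$3" && echo "split OK:" "$3"/*
fi
```

Two caveats for a real bundle rather than the constructed one: a .p12 from the SSH Sentinel era was typically protected with RC2-40/3DES, which OpenSSL 3 only reads when you add `-legacy` to each `openssl pkcs12` call; and the private key is not one of the three files Tim listed because FreeS/WAN's X.509 patch points at it from ipsec.secrets (a `: RSA <path>` line; check the Bering guide for the exact form) rather than from /etc/ipsec.d. Keep key.pem off the Windows side and off any shared media; it is the one piece SSH Sentinel's .p12 password was protecting.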
