Hello Tim,

----- Original Message -----
From: <[EMAIL PROTECTED]>
To: "Victor Berdin" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Tuesday, July 29, 2003 8:39 AM
Subject: Re: [leaf-user] Re: VPN: How to establish connection with .p12?
[snipped]

> I've been poring over all of the docs that have been suggested (most of
> which I had already read over). From what I can determine, the .p12 file I
> have been given contains three things:
>
> 1) A client key (The actual key the VPN will use to encrypt the symmetric
> keys, saved as a PEM)
> 2) A client cert (certifying that my key is valid according to the CA,
> saved as a PEM)
> 3) A CA cert (allowing me to verify the key, and verify other people's
> keys, saved as a DER)
>
> So far, so good. However, now that I've identified them (and separated
> them out into their own files), what do I do with them?

For your Bering <====> Win2K setup (btw, what VPN interop setup are you trying to implement?)

If you're still using the Bering script to generate the certificates, the names used are very specific. 'serverKey.pem' pertains to the Bering (localhost) auth key, and should be referred to by the /etc/ipsec.secrets file in this manner:

: RSA /etc/ipsec.d/serverKey.pem "passphrase"

Take note where your serverKey.pem is really located. Otherwise this entry will fail (the Bering docs discussed this).

The clientCert.p12 file on the other hand should be sent to your Windowzzz machine and installed as a certificate (of type p12). The Bering docs also provide a quick run on this. But there are other docs, however, that you can refer to (with screen captures) when doing this, as you will have to configure a series of settings via numerous pop-up windows. And BTW, I'm talking about not using SSH Sentinel, OK? As you don't really need any third party tool to make this work.

> Basically, every set of instructions requires at least three things (and
> some want more). The simplest is probably the Bering docs (
> http://leaf.sourceforge.net/doc/guide/buipsec.html#id2894942):
>
> cacert.pem
> x509cert.der
> crl.pem
>
> For cacert.pem, I believe that my #3 should work, though mine is a DER and
> it wants a PEM. Will this work?
>
> For x509cert.der, I believe that my #1 should work, though this time mine
> is a PEM and theirs is a DER.
>
> However, I have no equivalent (that I can tell) for the crl.pem. All I
> have left is a client cert. A crl file is a CA Revocation List. I don't
> have one of those!
>
> Am I correct so far? And what should I do for a CRL?

You should do nothing with it actually, unless you wish to revoke a valid certificate. To get a more human-readable status on requests done to the CA, you can view the 'index.txt' file. This should show the 'V/R' flags that indicate whether the certs are still Valid or Revoked. You should really dig deeper into the howtos of OpenSSL to understand these files and their usage.

> Sigh. I really wish I could generate a couple of RSA keys, share them
> between the firewalls and call it a day... :(
>
> Tim Massey

Unfortunately, you can't with Windows interop. But what you can do to make things much-much, very much simpler, is to use PSK instead (or for starters). Then once your setup is already working, go try using the certs once more.

This subject is indeed very frustrating at first. If not for other members on this list, I would've taken my life by now heheh... ;o)

HTH
- Vic
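The splitting of a .p12 into key, client cert and CA cert, plus the DER/PEM conversions Tim asks about, as an added example that is not part of this thread or of the Bering docs. It assumes a POSIX shell with the openssl command on PATH; the bundle path, import password and output file names are placeholders.

```shell
#!/bin/sh
# Split a PKCS#12 bundle into the separate files an IPsec setup expects.
# Usage: split_p12 bundle.p12 import-password outdir
# Writes outdir/clientKey.pem, outdir/clientCert.pem, outdir/cacert.pem
# and outdir/x509cert.der (DER copy of the client cert).
split_p12() {
    p12=$1; pass=$2; out=$3
    mkdir -p "$out" || return 1
    # 1) the private key only, written without a passphrase (-nodes) so
    #    it can be loaded by ipsec.secrets; restrict its permissions
    openssl pkcs12 -in "$p12" -passin "pass:$pass" -nocerts -nodes \
        -out "$out/clientKey.pem" || return 1
    chmod 600 "$out/clientKey.pem"
    # 2) only the end-entity (client) certificate, as PEM
    openssl pkcs12 -in "$p12" -passin "pass:$pass" -nokeys -clcerts \
        -out "$out/clientCert.pem" || return 1
    # 3) only the CA certificate(s), as PEM (this is the cacert.pem)
    openssl pkcs12 -in "$p12" -passin "pass:$pass" -nokeys -cacerts \
        -out "$out/cacert.pem" || return 1
    # DER copy of the client cert for configs that want x509cert.der
    pem_to_der "$out/clientCert.pem" "$out/x509cert.der"
}

# Certificate format conversion in both directions (DER <-> PEM).
der_to_pem() { openssl x509 -inform DER -in "$1" -outform PEM -out "$2"; }
pem_to_der() { openssl x509 -inform PEM -in "$1" -outform DER -out "$2"; }

# Check that a private key really belongs to a certificate by comparing
# the RSA modulus of each; a mismatch is the usual reason an RSA
# authentication fails even though every file loads without error.
key_matches_cert() {
    k=$(openssl rsa -in "$1" -noout -modulus 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -modulus 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Check that the extracted CA certificate actually signed the client cert.
cert_chains_to_ca() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }
```

Run key_matches_cert and cert_chains_to_ca on the extracted files before touching ipsec.conf; if either fails, the bundle does not contain what the list above assumes.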