Re: fswcert

2002-04-09 Thread Andrew Pimlott

On Tue, Apr 09, 2002 at 08:01:14AM +0200, Lupe Christoph wrote:
 Here is an example:
 
 conn %default
     authby=rsasig
     leftrsasigkey=%cert
     rightrsasigkey=%cert
     left=%defaultroute
     leftsubnet=192.168.2.0/24
     leftid=C=DE, ST=Bavaria, O=Octogon Gesellschaft fuer Computer-Dienstleistungen mbH, OU=Lupe's Home Office, [EMAIL PROTECTED]
 
 The ID is in the certificate. Extract it like:
 openssl x509 -in certificate.pem -noout -text | sed -n -e 's/.*Subject: //p' 

You can save yourself this step: use a leftcert pointing to your
certificate, and you don't need the leftid.  Reduces redundancy, and
avoids having that huge long line in your config file!

Andrew


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]




Re: fswcert

2002-04-09 Thread Lupe Christoph

On Tuesday, 2002-04-09 at 08:50:18 -0400, Andrew Pimlott wrote:
 On Tue, Apr 09, 2002 at 08:01:14AM +0200, Lupe Christoph wrote:
  Here is an example:
  
  conn %default
      authby=rsasig
      leftrsasigkey=%cert
      rightrsasigkey=%cert
      left=%defaultroute
      leftsubnet=192.168.2.0/24
      leftid=C=DE, ST=Bavaria, O=Octogon Gesellschaft fuer Computer-Dienstleistungen mbH, OU=Lupe's Home Office, [EMAIL PROTECTED]
  
  The ID is in the certificate. Extract it like:
  openssl x509 -in certificate.pem -noout -text | sed -n -e 's/.*Subject: //p' 
 
 You can save yourself this step: use a leftcert pointing to your
 certificate, and you don't need the leftid.  Reduces redundancy, and
 avoids having that huge long line in your config file!

Hmm. It would be nice if the manpage for ipsec.conf had been
patched to mention this...

Thanks!
Lupe
-- 
| [EMAIL PROTECTED]   |http://free.prohosting.com/~lupe |
| I have challenged the entire ISO-9000 quality assurance team to a  |
| Bat-Leth contest on the holodeck. They will not concern us again.  |
| http://public.logica.com/~stepneys/joke/klingon.htm|






Re: fswcert

2002-04-09 Thread Andrew Pimlott

On Tue, Apr 09, 2002 at 06:57:18PM +0200, Lupe Christoph wrote:
 On Tuesday, 2002-04-09 at 08:50:18 -0400, Andrew Pimlott wrote:
  You can save yourself this step: use a leftcert pointing to your
  certificate, and you don't need the leftid.  Reduces redundancy, and
  avoids having that huge long line in your config file!
 
 Hmm. It would be nice if the manpage for ipsec.conf had been
 patched to mention this...

ipsec.conf(5) doesn't mention certificates at all, since they're not
a part of standard freeswan, and the x509 project doesn't supply a
patched man page.  I gather that integrating x509 into standard
freeswan is not on anyone's short-term agenda, alas.

But if you read /usr/share/doc/freeswan/README.x509.gz , in section
4.6 it says

If no rightid or leftid entry is present then the subject
distinguished name contained in the certificate is taken as the
ID.

I missed this the first time through, but someone on the mailing
list mentioned it.

Andrew
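
A consistency check for the redundancy discussed in this thread, as an added example that is not part of any poster's message: it compares an explicit leftid against the certificate's Subject DN and reports when the copied value has drifted from the certificate. The function names, sample certificate text and sample configs are constructed for illustration, and it assumes one leftid per file.

```shell
# Real use (paths are assumptions):
#   check_leftid "$(cat /etc/ipsec.conf)" \
#       "$(openssl x509 -in certificate.pem -noout -text)"

# Subject DN from `openssl x509 -noout -text` output on stdin (first hit).
subject_dn() {
    sed -n -e 's/^[[:space:]]*Subject:[[:space:]]*//p' | sed -n -e '1p'
}

# First leftid= value from ipsec.conf text on stdin, surrounding quotes removed.
conf_leftid() {
    sed -n -e 's/^[[:space:]]*leftid=//p' | sed -n -e '1p' |
        sed -e 's/^"//' -e 's/"[[:space:]]*$//'
}

# Normalise spacing: newer OpenSSL prints "C = DE", older releases "C=DE".
norm_dn() {
    sed -e 's/[[:space:]]*=[[:space:]]*/=/g' \
        -e 's/[[:space:]]*,[[:space:]]*/, /g' -e 's/[[:space:]]*$//'
}

# check_leftid CONF_TEXT CERT_TEXT -> prints implicit | match | mismatch
check_leftid() {
    id=$(printf '%s\n' "$1" | conf_leftid | norm_dn)
    dn=$(printf '%s\n' "$2" | subject_dn | norm_dn)
    if [ -z "$id" ]; then echo implicit   # no leftid: cert subject is the ID
    elif [ "$id" = "$dn" ]; then echo match
    else echo mismatch                    # leftid has drifted from the cert
    fi
}

# Constructed sample inputs (not taken from the thread).
SAMPLE_CERT_TEXT='Certificate:
    Data:
        Issuer: C = DE, O = Example CA
        Subject: C = DE, ST = Bavaria, O = Example GmbH, CN = gw.example.org
        Subject Public Key Info:'
CONF_STALE='conn %default
    leftcert=gw.pem
    leftid="C=DE, ST=Bavaria, O=Example GmbH, CN=old-gw.example.org"'
CONF_OK='conn %default
    leftid=C=DE, ST=Bavaria, O=Example GmbH, CN=gw.example.org'
CONF_CERT_ONLY='conn %default
    leftcert=gw.pem'

check_leftid "$CONF_STALE" "$SAMPLE_CERT_TEXT"
check_leftid "$CONF_OK" "$SAMPLE_CERT_TEXT"
check_leftid "$CONF_CERT_ONLY" "$SAMPLE_CERT_TEXT"
```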






Re: fswcert

2002-04-09 Thread Noah L. Meyerhans

On Fri, Apr 05, 2002 at 12:13:41PM +0200, Victor Vuillard wrote:
 the fswcert tool, which is used to extract private key from
 certificate was before in freeswan package. I was not able to find it in
 1.95 version of freeswan. Anyone knows why it has been removed ???

Because it's no longer needed.  The Debian freeswan packages can use
certs directly.  Some stuff in /usr/share/doc/freeswan will help you
figure out how to use them.

noah

-- 
 ___
| Web: http://web.morgul.net/~frodo/
| PGP Public Key: http://web.morgul.net/~frodo/mail.html 




Re: fswcert

2002-04-09 Thread Lupe Christoph

On Tuesday, 2002-04-09 at 00:03:20 -0400, Noah L. Meyerhans wrote:
 On Fri, Apr 05, 2002 at 12:13:41PM +0200, Victor Vuillard wrote:
  the fswcert tool, which is used to extract private key from
  certificate was before in freeswan package. I was not able to find it in
  1.95 version of freeswan. Anyone knows why it has been removed ???
 
 Because it's no longer needed.  The Debian freeswan packages can use
 certs directly.  Some stuff in /usr/share/doc/freeswan will help you
 figure out how to use them.
 

Here is an example:

conn %default
    authby=rsasig
    leftrsasigkey=%cert
    rightrsasigkey=%cert
    left=%defaultroute
    leftsubnet=192.168.2.0/24
    leftid=C=DE, ST=Bavaria, O=Octogon Gesellschaft fuer Computer-Dienstleistungen mbH, OU=Lupe's Home Office, CN=antalya.lupe-christoph.de/[EMAIL PROTECTED]

The ID is in the certificate. Extract it like:
openssl x509 -in certificate.pem -noout -text | sed -n -e 's/.*Subject: //p' 

Mail me directly if you need help setting this up.

HTH,
Lupe Christoph
-- 
| [EMAIL PROTECTED]   |http://free.prohosting.com/~lupe |
| I have challenged the entire ISO-9000 quality assurance team to a  |
| Bat-Leth contest on the holodeck. They will not concern us again.  |
| http://public.logica.com/~stepneys/joke/klingon.htm|




