Re: Moving IKED certificates between routers
So.. finally I made it working.

Files to copy:
/etc/iked/ca/ca.crt
/etc/iked/certs/1.2.3.4.crt
/etc/iked/crls/ca.crl
/etc/ssl/vpn/*
/etc/iked/local.pub
/etc/iked/private/local.key

> > If you change the hostname then yes you'll need to a certificate with the
> > new hostname, but then of course you will need to change clients to connect
> > to the new name.

Just for test I changed the hostname to some_new_hostname in /etc/myname and rebooted the box. I can still connect to *new* box with my *old* rdk.6501.rac certificate. Tested on Win7 and Win10. New box is 6.6/i386.

On Sun, 10 Nov 2019 15:00:58 +0100
Radek wrote:

> My new box has the same /etc/myname.
>
> I copied:
> /etc/iked/ca/ca.crt
> /etc/iked/certs/1.2.3.4.crt
> /etc/iked/crls/ca.crl
> /etc/ssl/vpn/*
>
> What did I do wrong/miss?
>
> Windows shows error 13826: Failed to verify signature.
>
> On Sun, 10 Nov 2019 13:30:24 - (UTC)
> Stuart Henderson wrote:
>
> > On 2019-11-10, Radek wrote:
> > > Hi Stuart,
> > > I have played around with copying them across but no luck (I get error
> > > 13801 in win7). I don't know what I'm doing wrong.
> > >
> > > Do I need to set the same hostname (/etc/myname) in new box to make old
> > > certs working?
> > >
> > > In my *old* box certs were created as below:
> > > [1]ikectl ca vpn create #(CN = hostname)
> > > [2]ikectl ca vpn install
> > > [3]ikectl ca vpn certificate 1.2.3.4 create
> > > [4]ikectl ca vpn certificate 1.2.3.4 install
> > > [5]ikectl ca vpn certificate rdk.6501.rac create #(CN = rdk.6501.rac)
> > > [6]ikectl ca vpn certificate rdk.6501.rac export
> > >
> > > What steps do I need to re-run and what exactly files should be
> > > copied/edited (/etc/ssl/vpn/ /etc/iked/) to make rdk.6501.rac working in
> > > new box?
> >
> > Oh, I understood from your email that you were just replacing it
> > like-for-like.
> >
> > If you change the hostname then yes you'll need to a certificate with the
> > new hostname, but then of course you will need to change clients to connect
> > to the new name.
> >
> > > On Fri, 8 Nov 2019 11:59:56 - (UTC)
> > > Stuart Henderson wrote:
> > >
> > >> On 2019-11-08, radek wrote:
> > >> > Hello,
> > >> >
> > >> > I'm going to replace 6.5 router with new 6.6 box. Is it necessary to
> > >> > generate new iked certificates in every new installation or there is a
> > >> > way to move and use "old" certificates in new install? Road warriors
> > >> > would be happy with that.
> > >> >
> > >> > Thank you for guiding me on this journey.
> > >> >
> > >>
> > >> Just copy them across.
>
> --
> Radek

--
Radek
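A way to check a copied /etc/iked tree before pointing clients at the new box: the server certificate should verify against ca.crt, and the certificate, private/local.key and local.pub should all carry the same public key. This is an added example, not part of the thread; it assumes the openssl command is available and that local.key is the key belonging to certs/1.2.3.4.crt, as left by `ikectl ca vpn certificate 1.2.3.4 install`.

```shell
#!/bin/sh
# Added example: consistency check for a copied /etc/iked tree.
# Usage: sh check_iked.sh /etc/iked 1.2.3.4

# SHA-256 of a public key in DER form, so PEM layout differences don't matter.
pub_fp() { openssl pkey -pubin -pubout -outform DER | openssl dgst -sha256; }

check_iked_keys() {
    dir=$1
    crt=$dir/certs/$2.crt
    key=$dir/private/local.key
    rc=0
    for f in "$dir/ca/ca.crt" "$crt" "$key" "$dir/local.pub"; do
        [ -r "$f" ] || { echo "MISSING  $f"; rc=1; }
    done
    [ "$rc" -eq 0 ] || return 1

    # 1. The server certificate must verify against the copied CA.
    if openssl verify -CAfile "$dir/ca/ca.crt" "$crt" >/dev/null 2>&1; then
        echo "OK       $crt chains to ca.crt"
    else
        echo "FAIL     $crt does not verify against ca.crt"; rc=1
    fi

    # 2. Certificate, private key and local.pub must hold the same public key.
    cert_fp=$(openssl x509 -in "$crt" -noout -pubkey | pub_fp)
    key_fp=$(openssl pkey -in "$key" -pubout | pub_fp)
    file_fp=$(pub_fp < "$dir/local.pub")
    if [ "$cert_fp" = "$key_fp" ]; then
        echo "OK       local.key matches $crt"
    else
        echo "FAIL     local.key is not the key for $crt"; rc=1
    fi
    if [ "$file_fp" = "$key_fp" ]; then
        echo "OK       local.pub matches local.key"
    else
        echo "FAIL     local.pub does not match local.key"; rc=1
    fi
    return "$rc"
}

if [ $# -eq 2 ]; then check_iked_keys "$1" "$2"; fi
```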
Re: Moving IKED certificates between routers
My new box has the same /etc/myname.

I copied:
/etc/iked/ca/ca.crt
/etc/iked/certs/1.2.3.4.crt
/etc/iked/crls/ca.crl
/etc/ssl/vpn/*

What did I do wrong/miss?

Windows shows error 13826: Failed to verify signature.

On Sun, 10 Nov 2019 13:30:24 - (UTC)
Stuart Henderson wrote:

> On 2019-11-10, Radek wrote:
> > Hi Stuart,
> > I have played around with copying them across but no luck (I get error
> > 13801 in win7). I don't know what I'm doing wrong.
> >
> > Do I need to set the same hostname (/etc/myname) in new box to make old
> > certs working?
> >
> > In my *old* box certs were created as below:
> > [1]ikectl ca vpn create #(CN = hostname)
> > [2]ikectl ca vpn install
> > [3]ikectl ca vpn certificate 1.2.3.4 create
> > [4]ikectl ca vpn certificate 1.2.3.4 install
> > [5]ikectl ca vpn certificate rdk.6501.rac create #(CN = rdk.6501.rac)
> > [6]ikectl ca vpn certificate rdk.6501.rac export
> >
> > What steps do I need to re-run and what exactly files should be
> > copied/edited (/etc/ssl/vpn/ /etc/iked/) to make rdk.6501.rac working in
> > new box?
>
> Oh, I understood from your email that you were just replacing it
> like-for-like.
>
> If you change the hostname then yes you'll need to a certificate with the
> new hostname, but then of course you will need to change clients to connect
> to the new name.
>
> > On Fri, 8 Nov 2019 11:59:56 - (UTC)
> > Stuart Henderson wrote:
> >
> >> On 2019-11-08, radek wrote:
> >> > Hello,
> >> >
> >> > I'm going to replace 6.5 router with new 6.6 box. Is it necessary to
> >> > generate new iked certificates in every new installation or there is a
> >> > way to move and use "old" certificates in new install? Road warriors
> >> > would be happy with that.
> >> >
> >> > Thank you for guiding me on this journey.
> >> >
> >>
> >> Just copy them across.

--
Radek
Re: Moving IKED certificates between routers
On 2019-11-10, Radek wrote:
> Hi Stuart,
> I have played around with copying them across but no luck (I get error 13801
> in win7). I don't know what I'm doing wrong.
>
> Do I need to set the same hostname (/etc/myname) in new box to make old certs
> working?
>
> In my *old* box certs were created as below:
> [1]ikectl ca vpn create #(CN = hostname)
> [2]ikectl ca vpn install
> [3]ikectl ca vpn certificate 1.2.3.4 create
> [4]ikectl ca vpn certificate 1.2.3.4 install
> [5]ikectl ca vpn certificate rdk.6501.rac create #(CN = rdk.6501.rac)
> [6]ikectl ca vpn certificate rdk.6501.rac export
>
> What steps do I need to re-run and what exactly files should be copied/edited
> (/etc/ssl/vpn/ /etc/iked/) to make rdk.6501.rac working in new box?

Oh, I understood from your email that you were just replacing it like-for-like.

If you change the hostname then yes you'll need to a certificate with the new hostname, but then of course you will need to change clients to connect to the new name.

> On Fri, 8 Nov 2019 11:59:56 - (UTC)
> Stuart Henderson wrote:
>
>> On 2019-11-08, radek wrote:
>> > Hello,
>> >
>> > I'm going to replace 6.5 router with new 6.6 box. Is it necessary to
>> > generate new iked certificates in every new installation or there is a way
>> > to move and use "old" certificates in new install? Road warriors would be
>> > happy with that.
>> >
>> > Thank you for guiding me on this journey.
>> >
>>
>> Just copy them across.
Re: Moving IKED certificates between routers
Hi Stuart,
I have played around with copying them across but no luck (I get error 13801 in win7). I don't know what I'm doing wrong.

Do I need to set the same hostname (/etc/myname) in new box to make old certs working?

In my *old* box certs were created as below:
[1]ikectl ca vpn create #(CN = hostname)
[2]ikectl ca vpn install
[3]ikectl ca vpn certificate 1.2.3.4 create
[4]ikectl ca vpn certificate 1.2.3.4 install
[5]ikectl ca vpn certificate rdk.6501.rac create #(CN = rdk.6501.rac)
[6]ikectl ca vpn certificate rdk.6501.rac export

What steps do I need to re-run and what exactly files should be copied/edited (/etc/ssl/vpn/ /etc/iked/) to make rdk.6501.rac working in new box?

On Fri, 8 Nov 2019 11:59:56 - (UTC)
Stuart Henderson wrote:

> On 2019-11-08, radek wrote:
> > Hello,
> >
> > I'm going to replace 6.5 router with new 6.6 box. Is it necessary to
> > generate new iked certificates in every new installation or there is a way
> > to move and use "old" certificates in new install? Road warriors would be
> > happy with that.
> >
> > Thank you for guiding me on this journey.
> >
>
> Just copy them across.

--
Radek
Re: Moving IKED certificates between routers
On 2019-11-08, radek wrote:
> Hello,
>
> I'm going to replace 6.5 router with new 6.6 box. Is it necessary to generate
> new iked certificates in every new installation or there is a way to move and
> use "old" certificates in new install? Road warriors would be happy with that.
>
> Thank you for guiding me on this journey.
>

Just copy them across.
Moving IKED certificates between routers
Hello,

I'm going to replace 6.5 router with new 6.6 box. Is it necessary to generate new iked certificates in every new installation or there is a way to move and use "old" certificates in new install? Road warriors would be happy with that.

Thank you for guiding me on this journey.

--
Radek