I am close to getting Bering and Dachstein working together to provide an IPSec gateway using x.509 certificates. I am getting errors in the auth.log file (attached inline) that say "no RSA public key known for <DN of my win2k client>" What do I do to solve this? I have attached both the log and the instructions I used to get to this point.
Thanks. I am really close, I can feel it.

---------------------------------------------------------------------------
Chad Carr
[EMAIL PROTECTED]
---------------------------------------------------------------------------

==========Contents of auth.log==========

Feb 3 09:14:12 wlanfw Pluto[1901]: Starting Pluto (FreeS/WAN Version 1.91)
Feb 3 09:14:12 wlanfw Pluto[1901]: including X.509 patch (Version 0.9.3)
Feb 3 09:14:12 wlanfw Pluto[1901]: Changing to directory '/etc/ipsec.d/cacerts'
Feb 3 09:14:12 wlanfw Pluto[1901]: loaded cacert file 'RootCA.der' (1182 bytes)
Feb 3 09:14:12 wlanfw Pluto[1901]: Changing to directory '/etc/ipsec.d/crls'
Feb 3 09:14:12 wlanfw Pluto[1901]: loaded crl file 'crl.pem' (698 bytes)
Feb 3 09:14:12 wlanfw Pluto[1901]: loaded my X.509 cert file '/etc/x509cert.der' (1220 bytes)
Feb 3 09:14:15 wlanfw Pluto[1901]: added connection description "w2k-road-warriors"
Feb 3 09:14:15 wlanfw Pluto[1901]: listening for IKE messages
Feb 3 09:14:15 wlanfw Pluto[1901]: adding interface ipsec0/eth0 192.168.3.1
Feb 3 09:14:15 wlanfw Pluto[1901]: loading secrets from "/etc/ipsec.secrets"
Feb 3 09:15:58 wlanfw Pluto[1901]: packet from 192.168.3.10:500: ignoring Vendor ID payload
Feb 3 09:15:58 wlanfw Pluto[1901]: "w2k-road-warriors" #1: responding to Main Mode from unknown peer 192.168.3.10
Feb 3 09:15:59 wlanfw Pluto[1901]: "w2k-road-warriors" #1: Peer ID is ID_DER_ASN1_DN: 'C=US, ST=California, L=Orange, O=Win2000 Client, CN=Chad Carr, [EMAIL PROTECTED]'
Feb 3 09:15:59 wlanfw Pluto[1901]: "w2k-road-warriors" #1: Certificate is invalid
Feb 3 09:15:59 wlanfw Pluto[1901]: "w2k-road-warriors" #1: Invalid X.509 certificate
Feb 3 09:15:59 wlanfw Pluto[1901]: "w2k-road-warriors" #1: deleting connection "w2k-road-warriors" instance with peer 192.168.3.10
Feb 3 09:15:59 wlanfw Pluto[1901]: "w2k-road-warriors" #1: no RSA public key known for 'C=US, ST=California, L=Orange, O=Win2000 Client, CN=Chad Carr, [EMAIL PROTECTED]'
Feb 3 09:17:21 wlanfw Pluto[1901]: "w2k-road-warriors" #2: Peer ID is ID_DER_ASN1_DN: 'C=US, ST=California, L=Orange, O=Win2000 Client, CN=Chad Carr, [EMAIL PROTECTED]'
Feb 3 09:17:21 wlanfw Pluto[1901]: "w2k-road-warriors" #2: Certificate is invalid
Feb 3 09:17:21 wlanfw Pluto[1901]: "w2k-road-warriors" #2: Invalid X.509 certificate
Feb 3 09:17:21 wlanfw Pluto[1901]: "w2k-road-warriors" #2: no RSA public key known for 'C=US, ST=California, L=Orange, O=Win2000 Client, CN=Chad Carr, [EMAIL PROTECTED]'

==========Instructions==========

SECTION 4 - TURNING BERING INTO A CERTIFICATE AUTHORITY (BROKEN)

Using x.509 certificates - this doesn't quite work yet. I will get this document up to date when it works.

The outcome of this whole process:

    root certificate authority certificate in /etc/ipsec.d/cacerts/RootCA.der
    root CA certificate revocation list in /etc/ipsec.d/crls/crl.pem
    binary gateway certificate in /etc/x509cert.der ?
    ascii private key for gateway in /etc/ipsec.secrets ?
    ascii gateway certificate in /etc/ipsec.d ?
    ascii private key for gateway in /etc/ipsec.d/private ?

But we must start at the beginning, which is getting openssl onto your system. I did this by doing "apt-get install openssl" on Debian Woody and then waiting for it to install properly, but if you use Red Hat or one of the other distributions out there, use your way instead. I recommend going with the package way whenever possible. You will have to adjust the paths below to correspond to where your distribution puts things. If you have to install from source, so be it, but there are other better documents for you to learn that from. Try http://www.bayour.com/LDAPv3-HOWTO.html#3.1.OpenSSL|outline. If that doesn't work, search for "openssl howto" on www.yahoo.com and see where life takes you.

We want our certificates to be longer than the default 1024 bits, and we want them to last longer than the default 365 days, so we go into the /etc/ssl/openssl.conf file and change default_bits to 2048 and default_days to 3650.

Do all of the rest of the operations in your ~scratch directory.

1) Create a new Trusted Root CA on your compact flash
   a) generate root certificate
      i)  /usr/lib/ssl/misc/CA.sh -newca   (choose a good passphrase)
      ii) openssl x509 -in demoCA/cacert.pem -outform der -out \
              /mnt/cf/etc/ipsec.d/cacerts/RootCA.der
   b) generate a certificate revocation list
      openssl ca -gencrl -out /mnt/cf/etc/ipsec.d/crls/crl.pem

2) Create and sign a new certificate for your router on your compact flash
   a) generate certificate request
      /usr/lib/ssl/misc/CA.sh -newreq
   b) sign it with the root certificate
      /usr/lib/ssl/misc/CA.sh -sign   (when prompted, enter the password of the root certificate)
   c) extract the private part of the signed certificate
      fswcert -k newreq.pem >> /mnt/cf/etc/ipsec.secrets
   d) install the binary form of the certificate
      openssl x509 -in newcert.pem -outform der -out /mnt/cf/etc/x509cert.der
   e) move newcert.pem and newreq.pem out of the way
      i)  mkdir gateway
      ii) mv newcert.pem newreq.pem gateway/

3) Configure FreeS/WAN to respond to client properly
   a) /etc/ipsec.secrets
      remove old PSK line ???
   b) /etc/ipsec.conf

      config setup
          interfaces="ipsec0=eth0"
          klipsdebug=none
          plutodebug=none
          plutoload=%search
          plutostart=%search
          uniqueids=yes

      conn %default
          keyingtries=0
          authby=rsasig
          leftrsasigkey=%cert
          rightrsasigkey=%cert
          left=192.168.3.1
          leftsubnet=0.0.0.0/0
          leftid="/C=US/ST=California/L=Orange/O=Chad's IPSec \
                  Firewall/CN=Chad [EMAIL PROTECTED]"
          pfs=yes
          auto=add

      conn w2k-road-warriors
          right=%any

   c) restart ipsec
      /etc/init.d/ipsec restart

4) Create and sign a new certificate for the Windows 2000 client
   a) generate certificate request
      /usr/lib/ssl/misc/CA.sh -newreq
   b) sign it with the root certificate
      /usr/lib/ssl/misc/CA.sh -sign   (when prompted, enter the password of the root certificate)
   c) create pkcs#12 certificate for export to Windows 2000 client (including RootCA certificate)
      openssl pkcs12 -export -in newcert.pem -inkey newreq.pem -certfile demoCA/cacert.pem -out w2kclient.p12
   d) use MMC to import this certificate in the Windows 2000 client
   e) apply certificate to IPSec Security Policy on both IP Security Rules (in place of preshared key)
   f) restart IPSec Policy Agent service.

5) Pingy, pingy.

_______________________________________________
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
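The log above shows Pluto rejecting the peer certificate ("Certificate is invalid") before it gives up on the DN ("no RSA public key known for ..."): the peer's identity is the certificate's subject DN, but the key behind that DN is only accepted if the certificate chains to a CA under /etc/ipsec.d/cacerts. The first thing to confirm offline is therefore whether the client certificate actually validates against the root that the gateway loaded. The script below is an added example, not part of the original post or of the LEAF/FreeS/WAN distribution: it builds a throwaway CA and a second, unrelated CA with plain openssl commands (not CA.sh/demoCA), issues a client certificate from each with the same subject DN, and shows that only the one signed by the trusted root passes the chain check. All DNs, file names and the working directory are constructed for the example; it assumes only that the openssl command-line tool is installed.

```shell
#!/bin/sh
# Added example (not from the original post): build a throwaway CA,
# issue client certificates, and run the trust checks a gateway applies
# to a peer certificate. DNs, file names and WORK are constructed for
# the example; the real CA.sh/demoCA flow from the instructions is not used.
set -e

WORK="${WORK:-$(mktemp -d)}"

# Self-signed root CA. Mirrors the 2048-bit / 3650-day choices from the
# instructions, but with no passphrase so the script can run unattended.
make_ca() {            # $1 = output basename, $2 = CA subject DN
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -keyout "$1.key" -out "$1.crt" -subj "$2" 2>/dev/null
}

# Key + CSR for a peer, signed by the given CA (the -newreq / -sign steps).
issue_cert() {         # $1 = CA basename, $2 = output basename, $3 = subject DN
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$2.key" -out "$2.csr" -subj "$3" 2>/dev/null
    openssl x509 -req -in "$2.csr" -CA "$1.crt" -CAkey "$1.key" \
        -CAcreateserial -days 365 -sha256 -out "$2.crt" 2>/dev/null
}

# Chain check: does the peer certificate validate against the trusted CA file?
# Returns 0 only when openssl prints "<file>: OK" (signature, chain and
# validity period all pass).
verify_chain() {       # $1 = CA cert (PEM), $2 = peer cert (PEM)
    openssl verify -CAfile "$1" "$2" 2>&1 | grep -q ': OK$'
}

# Subject DN in the slash-separated form used for leftid/rightid in ipsec.conf.
peer_dn() {            # $1 = cert (PEM)
    openssl x509 -noout -subject -nameopt compat -in "$1" | sed 's/^subject= *//'
}

# PEM -> DER, as the instructions do for RootCA.der and x509cert.der.
to_der() {             # $1 = PEM in, $2 = DER out
    openssl x509 -in "$1" -outform der -out "$2"
}

# Scenario: one trusted root, one unrelated root, and a client cert from
# each carrying the identical subject DN.
cd "$WORK"
make_ca ca       "/C=US/ST=California/L=Orange/O=Example-CA/CN=RootCA"
make_ca rogue-ca "/C=US/ST=California/L=Orange/O=Rogue-CA/CN=OtherCA"
CLIENT_DN="/C=US/ST=California/L=Orange/O=Example-Client/CN=road-warrior"
issue_cert ca       client       "$CLIENT_DN"
issue_cert rogue-ca rogue-client "$CLIENT_DN"
to_der ca.crt RootCA.der

if verify_chain ca.crt client.crt; then
    echo "client.crt: chain OK against RootCA"
fi
if ! verify_chain ca.crt rogue-client.crt; then
    echo "rogue-client.crt: chain FAILS (same DN, signed by a CA the gateway does not trust)"
fi
echo "peer ID the gateway would see: $(peer_dn client.crt)"
```

Run the same verify_chain step against the real files (the CA converted back from RootCA.der with openssl x509 -inform der, and the client certificate extracted from w2kclient.p12 with openssl pkcs12) to see whether the rejection is reproducible outside Pluto before changing any FreeS/WAN configuration. The rogue-client case is the point of the example: the subject DN alone never earns trust, only the chain to a loaded cacert does.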