LinuxQuestions.org
Welcome to the most active Linux Forum on the web.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices



Reply
 
Search this Thread
Old 08-16-2003, 06:01 PM   #1
cmisip
Member
 
Registered: Aug 2002
Posts: 189

Rep: Reputation: 30
Help with x509 certificate and freeswan


I am trying to setup a vpn tunnel between a linux shorewall router and windows xp on a laptop. I read that I need x509 certificates to replace the rsakey authentication. While I was able to put together a working router to laptop tunnel with the use of rsa keys, I cant seem to be able to get the tunnel to work with x509 certificates. I guess I still dont understand the basics of setting a tunnel up.

Please correct me if I am wrong, but to setup a tunnel, I need public keys from both tunnel termination points. This key is shown by "ipsec showhostkey -left" (if you are on that particular machine) or ipsec showhostkey -right" (if you are connected to that machine via ssh).

When you go to x509 certificates. One of the tunnel endpoint lets say the shorewall router, needs to generate a Certificate o Authority.

#openssl req -x509 -newkey rsa:2048 -keyout cakey.pem -out cacert.pem

The cakey.pem file must be stored in the /etc/ipsec.d/private directory, and the cacert.pem file in the /etc/ipsec.d/cacerts directory.

Now use these to create the x509 certificates for the tunnel endpoints.

Create one for the linux shorewall router:
# openssl req -newkey rsa:1024 -keyout linuxrouterkey.pem -out linuxrouterreq.pem

Create one for the laptop
# openssl req -newkey rsa:1024 -keyout laptopkey.pem -out laptopreq.pem

Now sign the certificates:

# openssl ca -in linuxrouterreq.pem -out linuxroutercert.pem -notext -config ./openssl.cnf

# openssl ca -in laptopreq.pem -out laptopcert.pem -notext -config ./openssl.cnf

In the laptop, put laptopreq.pem in /etc/ipsec.d/private
and laptopcert.pem in /etc/ipsec.d

In the linux router put linuxrouterreq.pem in /etc/ipsec.d/private and
linuxroutercert.pem in /etc/ipsec.d

Additionally, put the linuxroutercert.pem in the laptop's /etc/ipsec.d
and put the laptopcert.pem in the linuxrouter's /etc/ipsec.d

Also put the CA file cacerts.pem from the linuxrouter in the laptop's /etc/ipsec.d/cacerts

In the laptop's /etc/ipsec.secrets
: RSA laptopkey.pem "password"

In the linuxrouter's /etc/ipsec.secrets
: RSA linuxrouterkey.pem "password"

Now configure /etc/ipsec.conf in the linuxrouter and laptop.

DId I miss any important step? I used the linuxjournal article

http://www.linuxjournal.com/article.php?sid=7003

Thanks
 
Old 08-17-2003, 02:27 PM   #2
cmisip
Member
 
Registered: Aug 2002
Posts: 189

Original Poster
Rep: Reputation: 30
Ok, I figured it out. The signed certificates need to be put in each of the host's /etc/ipsec.d/certs.

I managed to bring up tunnels between my laptop and the rest of the network and between the laptop and "the internet subnet" so all my wireless communication is now encrypted in either Redhat Linux 9 or Windows XP (my laptop dual boots).

Now my problem is that If i switch from Windows XP to Redhat 9 on the laptop, I dont have a connection from Redhat 9 to the rest of the lan and the internet, unless I stop and start the ipsec service in each of the other machines in the lan. It seems as if the tunnels that Windows xp brought up are still in effect and preventing Redhat 9 from connecting.

Is there a way that I might be able to shutdown the ipsec tunnels from Windows XP on exit so that the rest of the lan will allow Redhat 9 to connect?

My conns are dual purpose in each of the lan machines, allowing both redhat 9 and windows xp to connect (if you restart the ipsec service on the other vpn termination point).

The only other solution that might work is If I use the same certificate for both the REdhat 9 and Windows XP partitions in the laptop. So when I reboot to a different os in the laptop, the other lan machines may think that the laptop disappeared and magically reappeared again. Dont know if that will work though. Any ideas? Thanks
 
Old 08-17-2003, 04:00 PM   #3
cmisip
Member
 
Registered: Aug 2002
Posts: 189

Original Poster
Rep: Reputation: 30
It is as I suspected, the tunnel created by windows xp is not being brought down on shutdown of windows xp. Because of this, when redhat 9 boots, it cannot bring up the tunnels (the eroute is in use by windows xp tunnels ). If I start with redhat 9, and then shutdown to boot windows xp, freeswan correctly brings down the tunnels created by redhat 9. Then when windows xp loads, new tunnels can be created. The end result is that :
1. ipsec on lan machine restart
2. Boot windows --> ipsec tunnel created
3. shut windows --> ipsec tunnel remains
4. Boot redhat ---> cannot create ipsec tunnel
5. shut redhat --> ipsec tunnel destroyed
6. Boot windows --> ipsec tunnel created

or
1. ipsec on lan machine restart
2. Boot redhat 9 --> ipsec tunnel created
3. shut redhat 9 --> ipsec tunnel destroyed
4. Boot windows --> ipsec tunnel created
5. shut windows --> ipsec tunnel remains
6. boot redhat 9 --> cannot create tunnel.

The end result being only the windows xp machine can have consistent connections.

How can freeswan be told to shutdown the tunnels when windows xp shuts down?
 
Old 08-19-2003, 12:18 AM   #4
cmisip
Member
 
Registered: Aug 2002
Posts: 189

Original Poster
Rep: Reputation: 30
I think the problem is resolved. I changed the IP of winxp os to one that is different from the linux os in the laptop. I then setup different conns for each of them using different certificates and tied to those specific IPs. To the router they look like different computers trying to connect ( just that they cant connect at the same time of course because the laptop is a dualboot system). So far I have no problems.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
OpenSSL x509: Expecting: CERTIFICATE REQUEST chakkerz Linux - Networking 5 06-10-2010 12:28 PM
FreeSwan on slackware 9.1 kkiedrowski Linux - Networking 2 02-05-2005 02:09 AM
freeswan Ammad Linux - Networking 0 10-08-2004 03:36 AM
Freeswan config hlozo Linux - Security 0 06-30-2004 07:25 PM
FreeSwan on 9.1 kkiedrowski Slackware 2 04-01-2004 08:30 AM


All times are GMT -5. The time now is 07:37 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration