I am trying to set up a VPN tunnel between a Linux Shorewall router and Windows XP on a laptop. I read that I need X.509 certificates to replace the RSA key authentication. While I was able to put together a working router-to-laptop tunnel with the use of RSA keys, I can't seem to be able to get the tunnel to work with X.509 certificates. I guess I still don't understand the basics of setting a tunnel up.
Please correct me if I am wrong, but to set up a tunnel, I need public keys from both tunnel termination points. This key is shown by "ipsec showhostkey -left" (if you are on that particular machine) or "ipsec showhostkey -right" (if you are connected to that machine via ssh).
When you go to X.509 certificates, one of the tunnel endpoints, let's say the Shorewall router, needs to generate a Certificate Authority.
#openssl req -x509 -newkey rsa:2048 -keyout cakey.pem -out cacert.pem
The cakey.pem file must be stored in the /etc/ipsec.d/private directory, and the cacert.pem file in the /etc/ipsec.d/cacerts directory.
Now use these to create the X.509 certificates for the tunnel endpoints.
Create one for the Linux Shorewall router:
# openssl req -newkey rsa:1024 -keyout linuxrouterkey.pem -out linuxrouterreq.pem
Create one for the laptop:
# openssl req -newkey rsa:1024 -keyout laptopkey.pem -out laptopreq.pem
Now sign the certificates:
# openssl ca -in linuxrouterreq.pem -out linuxroutercert.pem -notext -config ./openssl.cnf
# openssl ca -in laptopreq.pem -out laptopcert.pem -notext -config ./openssl.cnf
On the laptop, put laptopreq.pem in /etc/ipsec.d/private and laptopcert.pem in /etc/ipsec.d.
On the Linux router, put linuxrouterreq.pem in /etc/ipsec.d/private and linuxroutercert.pem in /etc/ipsec.d.
Additionally, put linuxroutercert.pem in the laptop's /etc/ipsec.d and put laptopcert.pem in the Linux router's /etc/ipsec.d.
Also put the CA file cacerts.pem from the Linux router in the laptop's /etc/ipsec.d/cacerts.
In the laptop's /etc/ipsec.secrets:
: RSA laptopkey.pem "password"
In the Linux router's /etc/ipsec.secrets:
: RSA linuxrouterkey.pem "password"
Now configure /etc/ipsec.conf on the Linux router and the laptop.
Did I miss any important step? I used the Linux Journal article
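The certificate steps above, as an added example that is not part of the original post: a shell script that builds a throw-away CA and the two endpoint certificates with the same file names, then runs the two checks worth doing before copying anything into /etc/ipsec.d, namely that each certificate verifies against cacert.pem and that the private key destined for /etc/ipsec.d/private actually matches it. Assumed for this example: the subjects, the passphrase "password" and the directory are placeholders, and "openssl x509 -req -CA ..." stands in for the post's "openssl ca" so that no openssl.cnf CA database is needed.

```shell
# Added example, not the poster's commands. Builds CA + endpoint certs in $1
# and checks them the way a tunnel admin should before touching /etc/ipsec.d.
set -e

# Generate cakey.pem/cacert.pem plus <host>key.pem, <host>req.pem and
# <host>cert.pem for both endpoints, non-interactively (placeholder subjects,
# placeholder passphrase "password" like the ipsec.secrets lines in the post).
build_pki() {
    dir="$1"; mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -days 365 -subj "/CN=shorewall-ca" \
        -passout pass:password -keyout "$dir/cakey.pem" -out "$dir/cacert.pem" 2>/dev/null
    for host in linuxrouter laptop; do
        openssl req -newkey rsa:2048 -subj "/CN=$host" -passout pass:password \
            -keyout "$dir/${host}key.pem" -out "$dir/${host}req.pem" 2>/dev/null
        # Sign the request with the CA key (assumed substitute for "openssl ca").
        openssl x509 -req -in "$dir/${host}req.pem" -CA "$dir/cacert.pem" \
            -CAkey "$dir/cakey.pem" -passin pass:password -CAcreateserial \
            -days 365 -out "$dir/${host}cert.pem" 2>/dev/null
    done
}

# Return 0 only if $2cert.pem in $1 chains to cacert.pem AND its public key is
# the one belonging to $2key.pem; a mismatch here means the files that would go
# to /etc/ipsec.d and /etc/ipsec.d/private do not form a usable pair.
verify_endpoint() {
    dir="$1"; host="$2"
    openssl verify -CAfile "$dir/cacert.pem" "$dir/${host}cert.pem" >/dev/null 2>&1 || return 1
    certpub=$(openssl x509 -in "$dir/${host}cert.pem" -noout -pubkey)
    keypub=$(openssl pkey -in "$dir/${host}key.pem" -passin pass:password -pubout 2>/dev/null)
    [ "$certpub" = "$keypub" ]
}
```

Run build_pki on a scratch directory, then verify_endpoint for linuxrouter and laptop; only the key and cert files that pass should be copied to the respective endpoints.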