
cmisip 08-16-2003 06:01 PM

Help with x509 certificate and freeswan
I am trying to setup a vpn tunnel between a linux shorewall router and windows xp on a laptop. I read that I need x509 certificates to replace the rsakey authentication. While I was able to put together a working router to laptop tunnel with the use of rsa keys, I can't seem to be able to get the tunnel to work with x509 certificates. I guess I still don't understand the basics of setting a tunnel up.

Please correct me if I am wrong, but to setup a tunnel, I need public keys from both tunnel termination points. This key is shown by "ipsec showhostkey -left" (if you are on that particular machine) or "ipsec showhostkey -right" (if you are connected to that machine via ssh).

When you go to x509 certificates, one of the tunnel endpoints, let's say the shorewall router, needs to generate a Certificate Authority.

# openssl req -x509 -newkey rsa:2048 -keyout cakey.pem -out cacert.pem

The cakey.pem file must be stored in the /etc/ipsec.d/private directory, and the cacert.pem file in the /etc/ipsec.d/cacerts directory.

Now use these to create the x509 certificates for the tunnel endpoints.

Create one for the linux shorewall router:
# openssl req -newkey rsa:1024 -keyout linuxrouterkey.pem -out linuxrouterreq.pem

Create one for the laptop
# openssl req -newkey rsa:1024 -keyout laptopkey.pem -out laptopreq.pem

Now sign the certificates:

# openssl ca -in linuxrouterreq.pem -out linuxroutercert.pem -notext -config ./openssl.cnf

# openssl ca -in laptopreq.pem -out laptopcert.pem -notext -config ./openssl.cnf

In the laptop, put laptopreq.pem in /etc/ipsec.d/private
and laptopcert.pem in /etc/ipsec.d

In the linux router put linuxrouterreq.pem in /etc/ipsec.d/private and
linuxroutercert.pem in /etc/ipsec.d

Additionally, put the linuxroutercert.pem in the laptop's /etc/ipsec.d
and put the laptopcert.pem in the linuxrouter's /etc/ipsec.d

Also put the CA file cacert.pem from the linuxrouter in the laptop's /etc/ipsec.d/cacerts

In the laptop's /etc/ipsec.secrets
: RSA laptopkey.pem "password"

In the linuxrouter's /etc/ipsec.secrets
: RSA linuxrouterkey.pem "password"

Now configure /etc/ipsec.conf in the linuxrouter and laptop.

Did I miss any important step? I used the linuxjournal article

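The certificate steps above, reworked as an added, non-interactive example (not from the original post or the linuxjournal article): it builds the CA and one signed certificate per host identity in the /etc/ipsec.d layout, and adds the check the post skips, verifying each certificate against the CA before it is installed. It assumes only the openssl CLI; the organisation name, host names and working directory are made up, and the dual-boot laptop deliberately gets two separate identities.

```shell
#!/bin/sh
# Added example, not the poster's commands. Assumes the openssl CLI.
# build_pki mirrors the post: a CA, then a key+request per host, then signing.
set -eu

build_pki() {
    # $1 = a scratch directory standing in for /etc/ipsec.d
    dir="$1"
    mkdir -p "$dir/private" "$dir/cacerts" "$dir/certs"
    # CA key and self-signed CA cert (the post's "openssl req -x509" step);
    # -nodes and -subj make it non-interactive for demonstration purposes
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/O=Example Home LAN/CN=Example VPN CA" \
        -keyout "$dir/private/cakey.pem" -out "$dir/cacerts/cacert.pem" 2>/dev/null
    # One identity per host; the dual-boot laptop gets two distinct ones
    for host in linuxrouter laptop-winxp laptop-redhat9; do
        openssl req -newkey rsa:2048 -nodes \
            -subj "/O=Example Home LAN/CN=$host" \
            -keyout "$dir/private/$host-key.pem" -out "$dir/$host-req.pem" 2>/dev/null
        # Sign with the CA. "openssl x509 -req" needs no ca(1) database or
        # openssl.cnf; signed certs land in certs/ as the follow-up post found.
        openssl x509 -req -days 365 -in "$dir/$host-req.pem" \
            -CA "$dir/cacerts/cacert.pem" -CAkey "$dir/private/cakey.pem" \
            -CAcreateserial -out "$dir/certs/$host-cert.pem" 2>/dev/null
        rm -f "$dir/$host-req.pem"   # the request is not needed once signed
    done
}

# Does certs/<host>-cert.pem chain to cacerts/cacert.pem? Returns 0 if so.
# A cert issued by any other CA (a stray one from another LAN, say) fails here.
verify_cert() {
    dir="$1"; host="$2"
    if openssl verify -CAfile "$dir/cacerts/cacert.pem" \
            "$dir/certs/$host-cert.pem" >/dev/null 2>&1; then
        echo "OK   $host"; return 0
    fi
    echo "FAIL $host"; return 1
}

# Stand-alone run: build the PKI in a temp dir and verify every cert.
if [ "${1:-}" = "run" ]; then
    d=$(mktemp -d)
    build_pki "$d"
    for h in linuxrouter laptop-winxp laptop-redhat9; do verify_cert "$d" "$h"; done
fi
```

Run it as `sh pki.sh run`; the private keys under private/ are unencrypted here, so in a real deployment add a passphrase and reference it in ipsec.secrets as the post does.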

cmisip 08-17-2003 02:27 PM

Ok, I figured it out. The signed certificates need to be put in each of the host's /etc/ipsec.d/certs.

I managed to bring up tunnels between my laptop and the rest of the network and between the laptop and "the internet subnet" so all my wireless communication is now encrypted in either Redhat Linux 9 or Windows XP (my laptop dual boots).

Now my problem is that if I switch from Windows XP to Redhat 9 on the laptop, I don't have a connection from Redhat 9 to the rest of the lan and the internet, unless I stop and start the ipsec service in each of the other machines in the lan. It seems as if the tunnels that Windows xp brought up are still in effect and preventing Redhat 9 from connecting.

Is there a way that I might be able to shutdown the ipsec tunnels from Windows XP on exit so that the rest of the lan will allow Redhat 9 to connect?

My conns are dual purpose in each of the lan machines, allowing both redhat 9 and windows xp to connect (if you restart the ipsec service on the other vpn termination point).

The only other solution that might work is if I use the same certificate for both the Redhat 9 and Windows XP partitions in the laptop. So when I reboot to a different os in the laptop, the other lan machines may think that the laptop disappeared and magically reappeared again. Don't know if that will work though. Any ideas? Thanks

cmisip 08-17-2003 04:00 PM

It is as I suspected, the tunnel created by windows xp is not being brought down on shutdown of windows xp. Because of this, when redhat 9 boots, it cannot bring up the tunnels (the eroute is in use by windows xp tunnels). If I start with redhat 9, and then shutdown to boot windows xp, freeswan correctly brings down the tunnels created by redhat 9. Then when windows xp loads, new tunnels can be created. The end result is that:
1. ipsec on lan machine restart
2. Boot windows --> ipsec tunnel created
3. shut windows --> ipsec tunnel remains
4. Boot redhat ---> cannot create ipsec tunnel
5. shut redhat --> ipsec tunnel destroyed
6. Boot windows --> ipsec tunnel created

1. ipsec on lan machine restart
2. Boot redhat 9 --> ipsec tunnel created
3. shut redhat 9 --> ipsec tunnel destroyed
4. Boot windows --> ipsec tunnel created
5. shut windows --> ipsec tunnel remains
6. boot redhat 9 --> cannot create tunnel.

The end result being only the windows xp machine can have consistent connections.

How can freeswan be told to shutdown the tunnels when windows xp shuts down?

cmisip 08-19-2003 12:18 AM

I think the problem is resolved. I changed the IP of winxp os to one that is different from the linux os in the laptop. I then setup different conns for each of them using different certificates and tied to those specific IPs. To the router they look like different computers trying to connect ( just that they cant connect at the same time of course because the laptop is a dualboot system). So far I have no problems.
