Sophie

Sophie

distrib > Mageia > 4 > x86_64 > by-pkgid > a7fdabb8fb4582be84d8f3c8327ce368 > files > 137

openswan-doc-2.6.39-3.2.mga4.x86_64.rpm

Scenario: To setup ipsec with certs in tunnel mode using NSS
------------------------------------------------------------

GW Mahine 1: w1.x1.y1.z1 
GW Mahine 2: w2.x2.y2.z2 

w1.x1.y1.z1 <---> w2.x2.y2.z2

Note: In this example setup, both machines are using NSS. If you want to use NSS only at one machine, say machine 1, you can use the following procedure only at machine 1, and you can use traditional ipsec setup at machine 2.

1. Create a new (if not already) nss db on both machines as follows:

certutil -N -d sql:<path-to-ipsec.d dir>/ipsec.d  (please note "sql:" in the begining of all the path).

2. Creating CA certs at both machines:

On machine 1:
certutil -S -k rsa -n cacert1 -s "CN=cacert1" -v 12 -d . -t "C,C,C" -x -d 
sql:<path-to-ipsec.d dir>/ipsec.d

As we want to use the same certificate  "cacert1" at machine 2, it needs to be
exported first. To export the cacert1, do the following at machine 1: 

pk12util -o cacert1.p12 -n cacert1 -d sql:/etc/ipsec.d

Copy the file "cacert1.p12" to the machine2 in "/etc/ipsec.d" directory.

On machine 2:
Import the "cacert1" as follows:

cd /etc/ipsec.d
pk12util -i cacert1.p12 -d sql:/etc/ipsec.d
certutil -M -n cacert1 -t "C, C, C" -d sql:/etc/ipsec.d 

Now machine 2 also has the CA certificates "cacert1" in its NSS database.

3. Creating user certs at both machines:

On machine 1:
certutil -S -k rsa -c cacert1 -n usercert1 -s "CN=usercert1" -v 12 -t "u,u,u" 
-d sql:/etc/ipsec.d
(Note this cert is signed by "cacert1")

On machine 2:
certutil -S -k rsa -c cacert1 -n usercert2 -s "CN=usercert2" -v 12 -t "u,u,u" 
-d sql:/etc/ipsec.d
(Note this cert is signed by "cacert1" too)


4. Preparing ipsec.conf at both machines 

ipsec.conf at machine 1:


conn    pluto-1-2
        left=w1.x1.y1.z1
        leftid="CN=usercert1"
        leftsourceip=w1.x1.y1.z1
        leftrsasigkey=%cert
        leftcert=usercert1
        leftnexthop=w2.x2.y2.z2
        right=w2.x2.y2.z2
        rightid="CN=usercert2"
        rightsourceip=w2.x2.y2.z2
        rightrsasigkey=%cert
        rightnexthop=w1.x1.y1.z1
        rekey=no
        esp="aes-sha1"
        ike="aes-sha1"
        auto=add


ipsec.conf at machine 2:


conn    pluto-1-2
        left=w2.x2.y2.z2
        leftid="CN=usercert2"
        leftsourceip=w2.x2.y2.z2
        leftrsasigkey=%cert
        leftcert=usercert2
        leftnexthop=w1.x1.y1.z1
        right=w1.x1.y1.z1
        rightid="CN=usercert1"
        rightsourceip=w1.x1.y1.z1
        rightrsasigkey=%cert
        rightnexthop=w2.x2.y2.z2
        rekey=no
        esp="aes-sha1"
        ike="aes-sha1"
        auto=add

5. Preparing ipsec.secrets at both machines 

ipsec.secrets at machine 1:

 : RSA usercert1


ipsec.secrets at machine 1:

 : RSA usercert2

Perl :: Catalyst :: PostgreSQL :: RPM Valid HTML 4.01 Transitional