 From:  "Marek Läll" <marek dot lall at neti dot ee>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: certificate based IPSEC VPN
 Date:  Wed, 23 Jan 2008 22:18:05 +0200

Surely you are not the second person ever to try to use the certificate
based VPN feature, but you are probably the first one who gets an answer
here. I have asked ~5 questions but have got zero responses.

Hope this helps you:
I used the "Debian Etch" distribution of Linux to generate certificates:

In configuration file:

uncomment the following line:

And then start generating certificates/keys

This call generates the CA certificate:
    /usr/lib/ssl/misc/CA.sh -newca

This call generates a certificate and key for each node and also signs it by 
    /usr/lib/ssl/misc/CA.sh -newreq
    /usr/lib/ssl/misc/CA.sh -sign

This call stores the private key without password protection:
    openssl rsa -inform PEM -in newkey.pem -out newkey2.pem -passin stdin

And then in the m0n0wall IPsec config I choose "User FQDN" as "My Identifier",
and the value is the email address that you entered while generating the node
certificate/key.


"JR" <tiresias at gmail dot com> wrote in message 
news:deee1e610801221211ld0b06c1s6a632b40f56111d3 at mail dot gmail dot com...
> Hello,
> I have some new ALIX routers running 1.3b9 and I'm trying to set up
> site to site certificate based VPNs (using a CA cert). I was not able
> to get this working at first because I kept having Vendor ID problems
> that kept the tunnel from coming up no matter which identifiers I
> chose. Searching the archives turned up questions from one other
> person. Surely I'm not the second person ever to try to use the
> certificate based VPN feature, am I?
> http://m0n0.ch/wall/list/showmsg.php?id=206/25
> http://m0n0.ch/wall/list/showmsg.php?id=207/05
> It does seem that racoon's asn1dn identifier option is necessary when
> using certificate based VPN. I hacked this change into my m0n0walls'
> /var/etc/racoon.conf and the VPN came up right away. So is this the
> only way to make it work?
> These are the only options I changed in racoon.conf:
> my_identifier asn1dn;
> peers_identifier asn1dn;
> If the asn1dn identifier is indeed required to make cert based IPSEC
> VPN work, I will be happy to implement the changes required to make
> this configurable in the webgui, but first I want to make sure I'm not
> completely wrong about this.
> Thanks,
> JR
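The CA, node-certificate and passphrase-stripping procedure from the reply above, as an added example that is not part of the thread: the same steps done with plain openssl calls instead of the CA.sh wrapper, followed by the checks worth running before the files go onto the m0n0wall. The directory ./ipsec-pki, the address vpn-a@example.org and the passphrase "changeit" are constructed for the example.

```shell
# Added example, not from the mail thread. Assumptions (constructed):
# working directory ./ipsec-pki, node e-mail vpn-a@example.org, passphrase "changeit".
set -eu

WORK=${WORK:-./ipsec-pki}
NODE_EMAIL=${NODE_EMAIL:-vpn-a@example.org}   # typed into m0n0wall as the "User FQDN"
PASS=changeit                                 # example passphrase only
mkdir -p "$WORK" && cd "$WORK"

# 1. Self-signed CA, the equivalent of "CA.sh -newca". -nodes leaves the CA key
#    unencrypted only to keep the example non-interactive.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -days 3650 -nodes -subj "/CN=Example IPsec CA" \
        -keyout cakey.pem -out cacert.pem 2>/dev/null
}

# 2. Node key + request ("CA.sh -newreq") with the e-mail address in the subject,
#    then the CA signature ("CA.sh -sign"). The node key is still passphrase
#    protected at this point, just as CA.sh leaves it.
make_node() {
    openssl req -new -newkey rsa:2048 -passout "pass:$PASS" \
        -subj "/CN=vpn-a/emailAddress=$NODE_EMAIL" -keyout newkey.pem -out newreq.pem 2>/dev/null
    openssl x509 -req -in newreq.pem -CA cacert.pem -CAkey cakey.pem -CAcreateserial \
        -days 365 -out newcert.pem 2>/dev/null
}

# 3. The "openssl rsa ... -passin stdin" step from the mail: racoon must load the
#    key unattended at boot, so the passphrase is removed. newkey2.pem is now only
#    as safe as the filesystem it sits on; copy it over a protected channel only.
strip_passphrase() {
    printf '%s\n' "$PASS" | openssl rsa -inform PEM -in newkey.pem -out newkey2.pem -passin stdin 2>/dev/null
}

# Checks before loading the files into m0n0wall: the node certificate must verify
# against the CA, the stripped key must really be unencrypted, and the e-mail in
# the certificate must be the one configured as "My Identifier".
check_node() {
    openssl verify -CAfile cacert.pem newcert.pem >/dev/null 2>&1 || return 1
    if grep -q ENCRYPTED newkey2.pem; then return 1; fi
    openssl x509 -in newcert.pem -noout -subject | grep -q "emailAddress *= *$NODE_EMAIL"
}

make_ca && make_node && strip_passphrase && check_node && echo "node files ready in $PWD"
```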