Surely you are not the second person ever to try to use the certificate
based VPN feature,
but you are probably the first one who gets an answer here. I have asked ~5
questions but have
got zero responses.
Hope this helps you:
I used the "Debian Etch" distribution of Linux to generate certificates:
In the configuration file:
uncomment the following line:
And then start generating certificates/keys.
This call generates the CA certificate:
This call generates a certificate and key for each node and also signs it by
This call stores the private key without password protection:
openssl rsa -inform PEM -in newkey.pem -out newkey2.pem -passin stdin
And then in the m0n0wall IPsec config I choose "User FQDN" as "My Identifier";
is the email address that you entered while you generated the node certificate/key.
"JR" <tiresias at gmail dot com> wrote in message
news:deee1e610801221211ld0b06c1s6a632b40f56111d3 at mail dot gmail dot com...
> I have some new ALIX routers running 1.3b9 and I'm trying to set up
> site-to-site certificate based VPNs (using a CA cert). I was not able
> to get this working at first because I kept having Vendor ID problems
> that kept the tunnel from coming up no matter which identifiers I
> chose. Searching the archives turned up questions from one other
> person. Surely I'm not the second person ever to try to use the
> certificate based VPN feature, am I?
> It does seem that racoon's asn1dn identifier option is necessary when
> using certificate based VPN. I hacked this change into my m0n0walls'
> /var/etc/racoon.conf and the VPN came up right away. So is this the
> only way to make it work?
> These are the only options I changed in racoon.conf:
> my_identifier asn1dn;
> peers_identifier asn1dn;
> If the asn1dn identifier is indeed required to make cert based IPsec
> VPNs work, I will be happy to implement the changes required to make
> this configurable in the webgui, but first I want to make sure I'm not
> completely wrong about this.
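The reply above lists the steps but the actual commands other than the passphrase-stripping one did not make it into the post. The script below is an added example, not code from the original poster or from m0n0wall, that carries the whole procedure through with OpenSSL: a self-signed CA, a passphrase-protected node key plus a CSR signed by that CA, a passphrase-free copy of the node key, and then a check that the node certificate chains to the CA. It also prints the e-mail address from the certificate subject (the value the reply uses as the "User FQDN" identifier) and the full subject DN (what racoon's asn1dn identifier from the quoted message matches against). The CA name, host name, e-mail addresses, passphrase and working directory are all made up for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): generate a CA, a node
# certificate signed by it, and a passphrase-free node key for an IPsec
# peer. All subject names, addresses and the passphrase below are assumed.
set -eu

WORK="${WORK:-$(mktemp -d)}"
CA_SUBJ="/CN=Example IPsec CA/emailAddress=ca@example.com"
NODE_SUBJ="/CN=m0n0wall-1.example.com/emailAddress=m0n0wall-1@example.com"
KEY_PASS="node-key-passphrase"   # assumed; only here to show the strip step

make_ca() {
    # Self-signed CA certificate; the CA key is written unencrypted here so
    # the example runs unattended (protect it properly in real use).
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" -subj "$CA_SUBJ" 2>/dev/null
}

make_node() {
    # Passphrase-protected node key plus a CSR whose subject carries the
    # e-mail address that will later serve as the User FQDN identifier.
    openssl req -newkey rsa:2048 \
        -keyout "$WORK/node.key" -out "$WORK/node.csr" \
        -subj "$NODE_SUBJ" -passout "pass:$KEY_PASS" 2>/dev/null
    # Sign the CSR with the CA (this is the "signs it by the CA" step).
    openssl x509 -req -in "$WORK/node.csr" \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -days 3650 -out "$WORK/node.crt" 2>/dev/null
}

strip_passphrase() {
    # Same operation as the 'openssl rsa ... -passin stdin' line in the
    # reply, with the passphrase passed on the command line instead.
    openssl rsa -in "$WORK/node.key" -out "$WORK/node-nopass.key" \
        -passin "pass:$KEY_PASS" 2>/dev/null
}

verify_chain() {
    # Exit status 0 only if node.crt chains to ca.crt.
    openssl verify -CAfile "$WORK/ca.crt" "$WORK/node.crt" >/dev/null 2>&1
}

node_dn() {
    # Full subject DN in RFC 2253 form: the asn1dn-style identity.
    openssl x509 -in "$WORK/node.crt" -noout -subject -nameopt RFC2253 \
        | sed 's/^subject=//'
}

node_email() {
    # Just the emailAddress attribute: the User FQDN identifier value.
    node_dn | sed -n 's/.*emailAddress *= *\([^,]*\).*/\1/p'
}

key_is_unencrypted() {
    # The stripped key must carry no ENCRYPTED marker and load with no
    # passphrase at all.
    ! grep -q ENCRYPTED "$WORK/node-nopass.key" && \
        openssl rsa -in "$WORK/node-nopass.key" -noout -check >/dev/null 2>&1
}

main() {
    make_ca
    make_node
    strip_passphrase
    verify_chain && echo "node.crt verifies against ca.crt"
    echo "asn1dn identity:      $(node_dn)"
    echo "User FQDN identifier: $(node_email)"
    key_is_unencrypted && echo "node-nopass.key has no passphrase"
    echo "files in $WORK"
}

main
```

Run it as-is and it leaves ca.crt, node.crt and node-nopass.key in a temporary directory; node.crt and node-nopass.key are what get loaded into the m0n0wall IPsec tunnel, ca.crt is the peer's trust anchor. Note the original node.key keeps its passphrase, so you can check that only the copy you intend to deploy is unprotected.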