 
 From:  Lynn Grant <lgrant at adamscon dot com>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Quick Start for RSA Signature Authentication
 Date:  Sat, 27 Dec 2008 14:07:24 -0600
Folks...

I have been running a four-M0n0wall VPN network for a while, using Pre-Shared 


managed to get all my M0n0s working with RSA Signature authentication, so I 

certificate documentation, but it might help other folks get started. 

-------------------------------------------------------------------------------------------------------------------------

Quick Start for RSA Signature Authentication



You can do this with OpenSSL, and there are several tutorials on the web 


(http://sourceforge.net/projects/xca) as a *nix tarball or a Windows exe file, 
and is licensed under a BSD-like license. 

First you need to create a Certification Authority (CA) key to use in signing 



probably about right. 


On the "Create x509 Certificate" page, select "Create a self signed 

name" and "Common name", use something like "My Company Certificate 

State or Province -- spelled out, by the way -- Locality, Organisation, 



Click the "OK" button.

Now that you have a certificate signing certificate, you can make certificates 
for all of your routers. 







the "Source" page, select "Use this Certificate for signing", and select your 



Set the type to "End Entity" and under "Key Identifier", select "Subject Key 
Identifier".


put "IP:" followed by the IP address of the interface, for 

the VPN goes over; if you have VPNs on the WAN interface, and VPNs to 
internal routers on the LAN interface, you will need two separate 

router. 

Now select each router certificate under the "Certificates" tab and click on 

and click "OK".




the router's identity, so be sure to delete them as soon as you are done 
setting up the routers. 
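The post mentions that the same certificates can be produced with OpenSSL instead of XCA. The script below is an added example, not part of the original post, that mirrors the XCA steps on the command line: a self-signed CA, one End Entity certificate per router with a Subject Key Identifier and the tunnel interface address as an "IP:" subject alternative name, plus a check you can run before pasting anything into a M0n0wall. The router names, addresses, subject fields and work directory are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): OpenSSL equivalent of the XCA
# steps. Router names, addresses and the work directory are constructed.
set -e
WORK="${WORK:-$(mktemp -d)}"
# Minimal req config so the script does not depend on a system openssl.cnf.
printf '[req]\ndistinguished_name=dn\n[dn]\n' > "$WORK/req.cnf"

# Step 1: the certificate-signing (CA) certificate, long-lived, CA:TRUE.
make_ca() {
  printf '%s\n' "basicConstraints=critical,CA:TRUE" \
    "keyUsage=critical,keyCertSign,cRLSign" \
    "subjectKeyIdentifier=hash" > "$WORK/ca.ext"
  openssl req -new -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -sha256 \
    -subj "/C=US/ST=Illinois/L=Chicago/O=Example Co/CN=My Company Certificate Authority" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.csr"
  openssl x509 -req -in "$WORK/ca.csr" -signkey "$WORK/ca.key" -days 3650 \
    -sha256 -extfile "$WORK/ca.ext" -out "$WORK/ca.crt"
}

# Step 2: one End Entity certificate per router, signed by the CA, with a
# Subject Key Identifier and the tunnel interface address as an IP: SAN.
make_router_cert() {
  name="$1"; ip="$2"
  printf '%s\n' "basicConstraints=critical,CA:FALSE" \
    "keyUsage=critical,digitalSignature,keyEncipherment" \
    "subjectKeyIdentifier=hash" "subjectAltName=IP:$ip" > "$WORK/$name.ext"
  openssl req -new -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -sha256 \
    -subj "/O=Example Co/CN=$name" -keyout "$WORK/$name.key" -out "$WORK/$name.csr"
  openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1825 -sha256 -extfile "$WORK/$name.ext" \
    -out "$WORK/$name.crt"
}

# Pre-paste check: the certificate must chain to the CA and its SAN must hold
# the address the peer presents; a wrong address here is the mistake that
# forces the fallback to Pre-Shared Key mode described in the post.
verify_router_cert() {
  name="$1"; ip="$2"
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/$name.crt" >/dev/null 2>&1 || return 1
  openssl x509 -in "$WORK/$name.crt" -noout -text | grep -q "IP Address:$ip"
}

make_ca
make_router_cert routera 192.0.2.10
make_router_cert routerb 198.51.100.20
verify_router_cert routera 192.0.2.10 && echo "routera: paste $WORK/routera.crt"
verify_router_cert routerb 198.51.100.20 && echo "routerb: paste $WORK/routerb.crt"
```

The .crt files are the PEM text to paste into the "Certificate" and "Peer Certificate" boxes; the .key files are the private keys and should be deleted once the routers are configured.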

It is probably best to get your VPN tunnel working in Pre-Shared Key mode 
first, so you can get any kinks out of the other parameters, before you add 


Pre-Shared Key mode, you can bring them up side-by-side in two browser 

all the directions before you do anything, so you don't lose contact with the 
remote M0n0wall before you get it set up. 




this: 

-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

Copy it however your editor does that, and paste it into the "Certificate" box 




box on RouterB's page and the "Peer Certificate" box on RouterA's page. 


something like this: 

-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----




Click the "Save" button on each page. 

You will now have an "Apply Changes" button at the top of each page. Here is 

buttons, you will lose contact with the remote router until the tunnel is 


- Click "Apply Changes" on the remote router's page. 
- Click "Apply Changes" on the local router's page. 


will take a little longer, since the tunnel has to be re-established, but if 


got messed up, like you pasted the wrong certificate in the wrong box, or you 
got the IP address wrong in the subject alternative name, you will have to 
change both M0n0walls back to Pre-Shared Key authentication (which will 
involve physically going to where the remote router is, since you can't talk 
to it any more) and start over. 

Don't forget to delete the files you exported the private keys to when you are 
done setting up!

--------------------------------------------------------------------------------------------------------------------------------

-- 
Lynn Grant
Cross Design Group LLC