 
 From:  Angus MacGyver <macgyver at calibre dash solutions dot co dot uk>
 To:  m0n0wall <m0n0wall at lists dot m0n0 dot ch>
 Subject:  IPSec + strongswan road warrior.....
 Date:  Sat, 07 Nov 2009 21:12:43 +0000
Hi all, 

I think I need some pointers with regards to my setup..
I've googled, but nothing I've found is *quite* like the setup I would
want/need.

What I need is a road warrior or two using Ubuntu 9.10 and strongswan to
use X509 certs to VPN in to the m0n0wall.

I currently have a static VPN set up from the m0n0 to another site, and
have done for years, and this works perfectly (until the remote site's
ISP drops).

What I've done is create a CA of my own on an internal server, so that I
can sign a bunch of certs, not just for m0n0..

I've created a new entry under IPsec -> CAs and then copied the contents
of this cacert.pem into the box.

I've then created a private key, and a CSR with said key, and signed it
with the CA for m0n0wall.

The signed part has gone into IPsec -> Mobile Clients -> Certificate.

The key part has gone into IPsec -> Mobile Clients -> Key.


I then did the same for a key and CSR for one of the road warriors.

Using Network Manager, setup new VPN...

Gateway:
	Address: <External IP of m0n0>
	Certificate: points to the file of the CSR-signed cert for the m0n0
	(IPsec -> Mobile Clients -> Certificate)

Client:
	Authentication: Certificate/Private key
	Certificate: points to the file of the CSR-signed cert for the RW
	Private Key: the private key file used to create the CSR for the RW


Put a tick in "Request an inner IP address" and "Enforce UDP
encapsulation".

It doesn't work, and I'm not sure why.
I am certain I have done something stupid, but what? That is the
question I'm hoping someone can prod me in the correct direction with.

The only two things I've got are:

Nov  7 18:59:25 laptop-testing NetworkManager: <WARN>
connection_state_changed(): Did not receive a reply. Possible causes
include: the remote application did not send a reply, the message bus
security policy blocked the reply, the reply timeout expired, or the
network connection was broken.

And Network Manager message of "The VPN connection failed because there
were no valid VPN secrets"


Any pointers will be appreciated..

Cheers 


AM
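
Added example, not part of the original post or of m0n0wall/strongSwan: the CA, gateway and road-warrior certificates described above, built with openssl from CSRs the way the post does it, followed by the two checks worth running before pasting anything into the m0n0wall GUI or NetworkManager: that each certificate verifies against cacert.pem, and that each private key really belongs to the certificate it is paired with. The names (m0n0wall.example, rw1, the example.invalid mail domain) and the directory layout are assumptions; the only tool required is openssl.

```shell
#!/bin/sh
# Added example (not from the original post): a minimal private CA, one
# certificate for the m0n0wall gateway and one for a road warrior, issued
# from CSRs, plus checks that each cert chains to the CA and matches its key.
# All names (m0n0wall.example, rw1, example.invalid) are assumptions.
set -eu

build_pki() {
    dir="$1"
    mkdir -p "$dir"
    # Minimal req config so the result does not depend on the system
    # openssl.cnf; the CA cert gets explicit basicConstraints/keyUsage.
    cat > "$dir/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
    # 1. CA key and self-signed CA certificate. cacert.pem is what goes into
    #    IPsec -> CAs on the m0n0wall; cakey.pem never leaves the CA host.
    openssl req -x509 -config "$dir/ca.cnf" -newkey rsa:2048 -nodes -sha256 \
        -days 3650 -subj "/CN=Example Private CA" \
        -keyout "$dir/cakey.pem" -out "$dir/cacert.pem" 2>/dev/null
    # 2. Gateway: key + CSR signed by the CA (Mobile Clients -> Certificate/Key).
    issue_cert "$dir" gateway "/CN=m0n0wall.example" "DNS:m0n0wall.example"
    # 3. Road warrior: same procedure, its own key and subject.
    issue_cert "$dir" rw1 "/CN=rw1" "email:rw1@example.invalid"
}

# issue_cert DIR NAME SUBJECT SAN: generate a key and CSR, sign with the CA.
issue_cert() {
    dir="$1"; name="$2"; subj="$3"; san="$4"
    openssl req -new -config "$dir/ca.cnf" -newkey rsa:2048 -nodes -sha256 \
        -subj "$subj" -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null
    # Leaf extensions: not a CA, and a SAN the IPsec peer identity can match.
    printf 'basicConstraints = CA:FALSE\nkeyUsage = critical,digitalSignature,keyEncipherment\nextendedKeyUsage = serverAuth,clientAuth\nsubjectAltName = %s\n' \
        "$san" > "$dir/$name.ext"
    openssl x509 -req -sha256 -days 365 -in "$dir/$name.csr" \
        -CA "$dir/cacert.pem" -CAkey "$dir/cakey.pem" -CAcreateserial \
        -extfile "$dir/$name.ext" -out "$dir/$name.crt" 2>/dev/null
}

# check_pair DIR NAME: returns 0 only if NAME.crt verifies against cacert.pem
# AND NAME.key is the private key for NAME.crt (compared via the SPKI, so it
# works for any key type, not just RSA moduli).
check_pair() {
    dir="$1"; name="$2"
    openssl verify -CAfile "$dir/cacert.pem" "$dir/$name.crt" >/dev/null 2>&1 || return 1
    cert_pub=$(openssl x509 -in "$dir/$name.crt" -noout -pubkey)
    key_pub=$(openssl pkey -in "$dir/$name.key" -pubout)
    [ "$cert_pub" = "$key_pub" ]
}

# Stand-alone demo: RUN_PKI_DEMO=1 sh this_script.sh
if [ "${RUN_PKI_DEMO:-0}" = 1 ]; then
    d=$(mktemp -d)
    build_pki "$d"
    for n in gateway rw1; do
        check_pair "$d" "$n" && echo "$n: cert chains to CA and matches key"
    done
    echo "files are in $d"
fi
```

Run `check_pair` on the gateway pair and on every road-warrior pair after exporting them: if it fails for a pair, the certificate you pasted into Mobile Clients -> Certificate and the key under Mobile Clients -> Key (or the files NetworkManager points at) do not belong together, or the cert was not issued by the CA in IPsec -> CAs, and no amount of IKE debugging will help until that is fixed.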