
List:       strongswan-users
Subject:    [strongSwan] Sentinel strongswan howto
From:       sjllera () ya ! com (Javier Sanchez)
Date:       2004-05-24 15:13:02
Message-ID: 1085404401.8981.69.camel () cluster


Hello Patrick,


thanks for pointing that out, I'm changing the web page right now. I have some doubts
too about the use of the CA cert: I thought that FreeS/WAN opened the
cert using the passphrase to make some kind of checks against the roadwarrior
cert, but it looks like I'm completely wrong XD

I think that I must look for some good documents about PKI and X.509
certs .-)

Best regards

On Mon, 24-05-2004 at 14:37, Patrick Schoenfeld wrote:
> Hi,
> 
> first of all, I would like to thank Javier for this Howto.
> I haven't read it to the end yet, but it seems to be *really*
> useful for what I'm working on for my company.
> 
>  > In section 2.1 Certificates Installation
>  > you should delete the entry
>  >
>  > : RSA cakey.pem "PASSPHRASE"
>  >
>  > for the private key of the CA because this key is not required
>  > by the IKE protocol. Putting the private CA key onto a VPN
>  > security gateway poses a considerable security risk. If the
>  > gateway gets compromised somehow, the attacker will be in possession
>  > of the private key CA and will get full control of your PKI.
> 
> But as Andreas stated the thing about the CA private key,
> I'm asking myself whether it isn't also a considerable security
> risk to have the cakey.pem under /etc/ipsec.d/private - also
> I don't see a reason for me to put it there, because as far
> as I understand the X.509 authentication, the client and gateway
> certs are checked for their ISSUER field, which should be somewhat
> identical to the SUBJECT field of the CA.
> 
> To see what i mean see section 2.1, block 2, sentence 1 in your howto.
> "On /etc/ipsec.d/private the file /opt/certs/demoCA/private/cakey.pem 
> must be copied, this is the private key of our ca, then we must copy the 
> ca itself from /opt/certs/demoCA/cacert.pem to /etc/ipsec.d/cacerts. To 
> let strongswan open its ca cert, we must tell it which the passphrase is 
> for cakey.pem, for this we must declare the cert key in the file 
> /etc/ipsec.secrets."
> 
> Also sentence 2 should be adapted to what Andreas said for making
> the correction complete :-)
> 
> Greets
> 
> Patrick Schoenfeld
> IN MEDIAS RES
> -=Operations=-
> 
> tel. +49 (0) 2166 - 99 99 - 685
> fax. +49 (0) 2166 - 99 99 - 850
> 
> email: schoenfeld@in-medias-res.com
> web: www.in-medias-res.com
> 
> > 
> > Its also strange that the GWcert appears to be loaded as a
> > CA cert in section 2.2. ipsec.conf configuration:
> > 
> >  loaded CA cert file 'GWCert.pem'
> > 
> > The GWcert must be present in /etc/ipsec.d/certs but not in
> > /etc/ipsec.d/cacerts. You also seem to mix up private key files
> > which belong into /etc/ipsec.d/private and which can be
> > protected by a passphrase and certificates which are *not*
> > encrypted.
> > 
> > Regards
> > 
> > Andreas
> > 
> > Javier Sanchez wrote:
> > 
> >>
> >> Hi all,
> >>
> >> I have just finished a little document regarding the configuration of
> >> strongSwan and Sentinel, to let Sentinel roadwarriors connect through a
> >> VPN using X.509 certs. I have seen so many people having problems with
> >> this issue, so that's why I decided to create the howto.
> >>
> >> I already know that it's far from being a perfect and complete guide, but
> >> maybe it helps out someone beating his head against the wall XD
> >>
> >> You can read it on:
> >>
> >> http://www.torrejonwireless.net/mywiki/StrongSwanHowto
> >>
> >> The page is located on a wiki, so feel free to add or modify it if you
> >> want .-)
> >>
> >>
> >> Best regards
> >>
> >> _______________________________________________
> >> Users mailing list
> >> Users@lists.strongswan.org
> >> http://lists.strongswan.org/mailman/listinfo/users
> > 
> > 
> > 


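The file-placement rules Andreas and Patrick spell out above (CA cert in /etc/ipsec.d/cacerts, gateway cert in /etc/ipsec.d/certs, only the gateway's own, optionally passphrase-protected, key in /etc/ipsec.d/private, and the CA's private key nowhere on the gateway) can be checked mechanically. The script below is an added example, not part of the howto, the thread, or strongSwan itself. It needs the openssl command line tool; it builds a throwaway demo PKI (constructed data, not anyone's real certificates), lays it out once the way the howto described and once corrected, and audits both trees. The key file name GWKey.pem, the "Demo CA" name, and the IPSEC_KEY_PASS variable are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the howto or from strongSwan): audit an ipsec.d
# tree for the two mistakes raised in this thread:
#   1. the CA's private key stored in private/ next to the gateway key;
#   2. an end-entity cert such as GWCert.pem placed in cacerts/, not certs/.
# Requires the openssl CLI. The demo PKI, the name GWKey.pem and the
# IPSEC_KEY_PASS variable are assumptions for illustration only.
set -u

# Fingerprint (SHA-256 of the PEM public key) of a certificate or private
# key, so a key can be matched to the cert it belongs to regardless of name.
pubkey_fp() {
    if grep -q 'BEGIN CERTIFICATE' "$1"; then
        pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    else
        pub=$(openssl pkey -in "$1" -pubout \
              -passin "pass:${IPSEC_KEY_PASS:-}" 2>/dev/null) || return 1
    fi
    printf '%s\n' "$pub" | openssl dgst -sha256 | awk '{print $NF}'
}

# True when the certificate carries basicConstraints CA:TRUE.
is_ca_cert() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CA:TRUE'
}

# audit_ipsec_dir DIR: print one line per finding; exit status = number found.
audit_ipsec_dir() {
    dir=$1; findings=0
    for cert in "$dir"/cacerts/*.pem; do
        [ -e "$cert" ] || continue
        if ! is_ca_cert "$cert"; then
            echo "NOT A CA CERT in cacerts/: $cert (belongs in certs/)"
            findings=$((findings + 1))
        fi
    done
    for key in "$dir"/private/*.pem; do
        [ -e "$key" ] || continue
        kfp=$(pubkey_fp "$key") || { echo "SKIPPED (cannot read key, set IPSEC_KEY_PASS): $key"; continue; }
        for cert in "$dir"/cacerts/*.pem; do
            [ -e "$cert" ] && is_ca_cert "$cert" || continue
            if [ "$kfp" = "$(pubkey_fp "$cert")" ]; then
                echo "CA PRIVATE KEY on the gateway: $key is the key of $cert"
                findings=$((findings + 1))
            fi
        done
    done
    return "$findings"
}

# make_demo_pki OUT: throwaway CA plus a gateway cert it signs (constructed
# test data, 1-day validity). A private config keeps the result independent
# of the system openssl.cnf.
make_demo_pki() {
    out=$1; mkdir -p "$out"
    cat > "$out/demo.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[dn]
CN = Demo CA
[v3_ca]
basicConstraints = critical, CA:TRUE
EOF
    openssl req -x509 -config "$out/demo.cnf" -newkey rsa:2048 -nodes -days 1 \
        -keyout "$out/cakey.pem" -out "$out/cacert.pem" 2>/dev/null
    openssl req -new -config "$out/demo.cnf" -subj '/CN=gateway' -newkey rsa:2048 \
        -nodes -keyout "$out/GWKey.pem" -out "$out/gw.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$out/gw.csr" -CA "$out/cacert.pem" \
        -CAkey "$out/cakey.pem" -CAcreateserial -out "$out/GWCert.pem" 2>/dev/null
}

# lay_out_tree PKI DIR MODE: "howto" reproduces the layout criticised in the
# thread, "fixed" the corrected one.
lay_out_tree() {
    pki=$1; dir=$2; mode=$3
    mkdir -p "$dir/cacerts" "$dir/certs" "$dir/private"
    cp "$pki/cacert.pem" "$dir/cacerts/"
    cp "$pki/GWCert.pem" "$dir/certs/"
    cp "$pki/GWKey.pem"  "$dir/private/"
    if [ "$mode" = howto ]; then
        cp "$pki/cakey.pem"  "$dir/private/"   # CA private key on the gateway
        cp "$pki/GWCert.pem" "$dir/cacerts/"   # gateway cert loaded as a CA cert
    fi
}

case "${1:-}" in
    "") ;;                                 # no argument: only define functions
    demo)
        tmp=$(mktemp -d)
        make_demo_pki "$tmp/pki"
        for mode in howto fixed; do
            lay_out_tree "$tmp/pki" "$tmp/$mode" "$mode"
            echo "== $mode layout"
            audit_ipsec_dir "$tmp/$mode"; echo "$? finding(s)"
        done
        rm -rf "$tmp" ;;
    *)  audit_ipsec_dir "$1" ;;            # e.g. /etc/ipsec.d
esac
```

Run it as `sh audit-ipsec-d.sh demo` to see the howto layout flagged twice (GWCert.pem in cacerts/ is not a CA cert; cakey.pem in private/ is the key of cacerts/cacert.pem) and the corrected layout pass, or point it at a real tree with `sh audit-ipsec-d.sh /etc/ipsec.d`, exporting IPSEC_KEY_PASS first if the gateway key is passphrase-protected. Matching keys to certificates by public-key fingerprint rather than by file name is what makes the check robust: renaming cakey.pem does not hide it.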