List: strongswan-users
Subject: [strongSwan] Sentinel strongswan howto
From: sjllera () ya ! com (Javier Sanchez)
Date: 2004-05-24 15:13:02
Message-ID: 1085404401.8981.69.camel () cluster
Hello Patrick,
thanks for the point, I'm changing the web right now. I have some doubts
too about the use of the CA cert, I thought that freeswan opened the
cert using the passphrase to make some kind of checks on the roadwarrior
cert but it looks like I'm completely wrong XD
I think that I must look for some good documents about PKI and X.509
certs .-)
Best regards
On Mon, 24-05-2004 at 14:37, Patrick Schoenfeld wrote:
> Hi,
>
> first of all, I would like to thank Javier for this Howto.
> I haven't read it until the end yet, but it seems to be *really*
> useful for what I'm working on for my company.
>
> > In section 2.1 Certificates Installation
> > you should delete the entry
> >
> > : RSA cakey.pem "PASSPHRASE"
> >
> > for the private key of the CA because this key is not required
> > by the IKE protocol. Putting the private CA key onto a VPN
> > security gateway poses a considerable security risk. If the
> > gateway gets compromised somehow, the attacker will be in possession
> > of the private key CA and will get full control of your PKI.
>
> But as Andreas stated the thing about the CA Private Key thing,
> I'm asking myself the question if it's not also a considerable security
> risk to have the cakey.pem under /etc/ipsec.d/private - also
> I don't see a reason for me laying it down there, because as far
> as I understand the X.509 authentication, the client and gateway
> certs are checked for their ISSUER field, which should be somewhat
> identical to the SUBJECT field of the CA.
>
> To see what i mean see section 2.1, block 2, sentence 1 in your howto.
> "On /etc/ipsec.d/private the file /opt/certs/demoCA/private/cakey.pem
> must be copied, this is the private key of our ca, then we must copy the
> ca itself from /opt/certs/demoCA/cacert.pem to /etc/ipsec.d/cacerts. To
> let strongswan open its ca cert, we must tell it which the passphrase is
> for cakey.pem, for this we must declare the cert key in the file
> /etc/ipsec.secrets."
>
> Also sentence 2 should be adapted to what Andreas said for making
> the correction complete :-)
>
> Greets
>
> Patrick Schoenfeld
> IN MEDIAS RES
> -=Operations=-
>
> tel. +49 (0) 2166 - 99 99 - 685
> fax. +49 (0) 2166 - 99 99 - 850
>
> email: schoenfeld@in-medias-res.com
> web: www.in-medias-res.com
>
> >
> > It's also strange that the GWcert appears to be loaded as a
> > CA cert in section 2.2. ipsec.conf configuration:
> >
> > loaded CA cert file 'GWCert.pem'
> >
> > The GWcert must be present in /etc/ipsec.d/certs but not in
> > /etc/ipsec.d/cacerts. You also seem to mix up private key files
> > which belong into /etc/ipsec.d/private and which can be
> > protected by a passphrase and certificates which are *not*
> > encrypted.
> >
> > Regards
> >
> > Andreas
> >
> > Javier Sanchez wrote:
> >
> >>
> >> Hi all,
> >>
> >> I have just finished a little document regarding the configuration of
> >> strongswan and sentinel, to let sentinel roadwarriors connect through a
> >> vpn using x509 certs. I have seen so many people having problems with
> >> this issue so that's why I decided to create the howto.
> >>
> >> I already know that it's far from being a perfect and complete guide but
> >> it may help out someone beating his head against the wall XD
> >>
> >> You can read it on:
> >>
> >> http://www.torrejonwireless.net/mywiki/StrongSwanHowto
> >>
> >> The page is located on a wiki so feel free to add or modify it if you
> >> want .-)
> >>
> >>
> >> Best regards
> >>
> >> _______________________________________________
> >> Users mailing list
> >> Users@lists.strongswan.org
> >> http://lists.strongswan.org/mailman/listinfo/users