Mon, 22 Jan 2007

Adding X.509 certificates to your IPsec setup

After setting up IPsec with pre-shared keys (in the previous post), I upgraded my setup to use X.509 certificates. This makes it possible to revoke keys (so a revoked key can no longer be used to connect, which is always nice if a machine gets compromised), and you get a key generated by something that knows how to generate secure keys (openssl), which is always better than a short 'human-generated' pre-shared key.

It's probably easiest to set up your own CA for this. You can do this by hand using the CA.pl script included with the openssl package, but it's easier to install the tinyca package and create the certificates from there.

When you've generated a key and certificate for every host you want to set up IPsec on, and exported the public CA certificate and a CRL, you should put the following things in /etc/racoon/certs:

  1. The CA certificate (the same on all machines)
  2. The CRL (the same on all machines)
  3. The certificate (different on all hosts)
  4. The private key (different on all hosts)

You should make sure the private key isn't encrypted; racoon can't handle that yet. The easiest way to do this is to export the certificate/key pair from tinyca using the 'tar' option, extract the files from the .tar file into the /etc/racoon/certs directory, and then remove the password from the key with:

# openssl rsa -in my_key.pem -out my_key.pem

After this, you need to let racoon find your CRL. It looks the CRL up by a filename that is the hash of the CA certificate's subject name (what openssl x509 -hash prints) followed by .r0. You can create that name as a symlink by running the following command in /etc/racoon/certs:

# ln -s yourca.crl `openssl x509 -noout -hash -in yourca-cacert.pem`.r0

Now all that's left is configuring racoon itself. You need to point it at the certificates you just installed, and have it verify the certificate the other side sends. All the linked config does is check that the peer's certificate is signed by the same CA and hasn't been revoked. Check the racoon.conf manual page for more on the config file format and the possibility of stricter checks.
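Pre-flight checks for the four files above and the hash-named CRL link, as an added example that is not part of the original post or of racoon: it refuses a passphrase-protected key, creates the <hash>.r0 symlink, and runs the same CA-signature and revocation check against a certificate that racoon will apply to a peer. The file names under /etc/racoon/certs, the CERTDIR variable and the script name racoon-certs-check.sh are assumptions.

```sh
#!/bin/sh
# Added example, not from the original post: pre-flight checks for the files
# racoon expects in /etc/racoon/certs. File names and CERTDIR are assumptions.
CERTDIR="${CERTDIR:-/etc/racoon/certs}"
CA="$CERTDIR/cacert.pem"       # CA certificate (same on all hosts)
CRL="$CERTDIR/cacrl.pem"       # CRL exported from the CA (same on all hosts)
CERT="$CERTDIR/host-cert.pem"  # this host's certificate
KEY="$CERTDIR/host-key.pem"    # this host's private key, must be unencrypted

# Succeeds when the PEM key is still passphrase-protected, which racoon cannot
# load; strip it with: openssl rsa -in host-key.pem -out host-key.pem
key_is_encrypted() {
    grep -q -E '^Proc-Type: 4,ENCRYPTED|^-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1"
}

# File name OpenSSL's lookup (and so racoon) expects for the CRL: <subject-hash>.r0
# With OpenSSL >= 1.0.0, -hash prints the SHA-1 based subject hash; a racoon
# linked against an older OpenSSL needs "openssl x509 -subject_hash_old" instead.
crl_link_name() {
    printf '%s.r0\n' "$(openssl x509 -noout -hash -in "$1")"
}

# Create (or refresh) the hash-named symlink to the CRL, next to the CRL itself
link_crl() {
    dir=$(dirname "$2")
    ln -sf "$(basename "$2")" "$dir/$(crl_link_name "$1")"
}

# The check racoon performs on a peer certificate: issued by our CA and not on
# the CRL. Matches on the textual "OK" because old openssl versions always exit 0.
verify_cert() {
    openssl verify -CAfile "$1" -CRLfile "$2" -crl_check "$3" 2>&1 | grep -q ': OK$'
}
main() {
    if key_is_encrypted "$KEY"; then
        echo "ERROR: $KEY is passphrase-protected; racoon cannot load it" >&2
        exit 1
    fi
    link_crl "$CA" "$CRL"
    if verify_cert "$CA" "$CRL" "$CERT"; then
        echo "OK: $CERT is issued by the CA in $CA and is not revoked"
    else
        echo "ERROR: $CERT fails CA or revocation check; racoon peers will reject it" >&2
        exit 1
    fi
}
# Run the checks only when invoked as a script, not when sourced for its functions
case "${0##*/}" in racoon-certs-check.sh) main ;; esac
```

Run it on each host after extracting the tinyca export; a non-zero exit tells you which of the four files racoon will choke on before you restart the daemon.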



Creative Commons License: this work is licensed under a Creative Commons License.