After setting up IPsec with pre-shared keys (in the previous post), I upgraded my setup to use X.509 certificates. This makes it possible to revoke keys (which makes it impossible to connect using those keys.. always nice if a machine gets compromised), and you'll get a key that's generated by something that knows how to generate secure keys (openssl), which is always better than a short 'human-generated' pre-shared key.
It's probably easiest to set up your own
CA for this. You can do this
by hand using the CA.pl file included with the openssl package,
but it's easier to install the tinyca package, and create the
certificates from there.
When you've generated a server key for every host you want to set up IPsec
on, and exported the public CA certificate and a
CRL, you should put the
following things in /etc/racoon/certs:
You should make sure the private key isn't encrypted. Racoon can't handle
that yet. The easiest way to do this is to export the certificate/key pair
from tinyca using the 'tar' option, then extract the files from the .tar
file into the /etc/racoon/certs directory, and run
openssl rsa -in my_key.pem -out my_key.pem on it, to remove
the password from the key.
After this, you need to let racoon be able to find your CRL. This is done by giving it a filename that's identical to the CA certificate hash. You can do this by running the following command:
# ln -s yourca.crl `openssl x509 -noout -hash -in yourca-cacert.pem`.r0
Now all that's left is actually confi