Mon, 22 Jan 2007

Adding X.509 certificates to your IPsec setup

After setting up IPsec with pre-shared keys (in the previous post), I upgraded my setup to use X.509 certificates. This makes it possible to revoke keys (so nobody can connect with them any more, which is always nice if a machine gets compromised), and you get a key generated by something that knows how to generate secure keys (openssl), which is always better than a short, human-generated pre-shared key.

It's probably easiest to set up your own CA for this. You can do this by hand using the CA.pl file included with the openssl package, but it's easier to install the tinyca package, and create the certificates from there.

When you've generated a server key for every host you want to set up IPsec on, and exported the public CA certificate and a CRL, you should put the following things in /etc/racoon/certs:

  1. The CA certificate (the same on all machines)
  2. The CRL (the same on all machines)
  3. The certificate (different on all hosts)
  4. The private key (different on all hosts)

You should make sure the private key isn't encrypted. Racoon can't handle that yet. The easiest way to do this is to export the certificate/key pair from tinyca using the 'tar' option, then extract the files
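As an added example (not part of the original post, and not tinyca's or racoon's own code): the same steps done with plain openssl instead of tinyca, plus a small check that the four files racoon expects are in place and that the private key is not passphrase-protected. The CA name, host name, config file, scratch directory and the `RUN_DEMO`/`DEMO_DIR`/`RACOON_CERTS` variables are assumptions made for this example; only the `/etc/racoon/certs` layout comes from the post.

```shell
#!/bin/sh
# Added example: build a throwaway CA, one host certificate and a CRL with
# openssl only, then verify a racoon certificate directory. Names and paths
# below (other than /etc/racoon/certs) are assumptions for this example.
set -eu

RACOON_CERTS="${RACOON_CERTS:-/etc/racoon/certs}"

# Build a demo PKI in the scratch directory $1 (leaves the shell cd'd there).
make_demo_pki() {
    dir="$1"
    mkdir -p "$dir" && cd "$dir"

    # 1. CA key and self-signed CA certificate (the same on all machines).
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -keyout ca.key -out ca.crt -subj "/CN=Demo IPsec CA"

    # Minimal config so 'openssl ca' can issue, revoke and publish a CRL.
    # The $dir inside the heredoc is openssl's own variable, not the shell's.
    cat > ca.cnf <<'EOF'
[ ca ]
default_ca       = demo_ca
[ demo_ca ]
dir              = .
database         = $dir/index.txt
new_certs_dir    = $dir
serial           = $dir/serial
crlnumber        = $dir/crlnumber
certificate      = $dir/ca.crt
private_key      = $dir/ca.key
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = demo_policy
[ demo_policy ]
commonName       = supplied
EOF
    touch index.txt; echo 01 > serial; echo 01 > crlnumber

    # 2. Host key and CSR. -nodes keeps the key unencrypted, which racoon needs.
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout host1.key -out host1.csr -subj "/CN=host1.example.invalid"

    # 3. Sign the CSR with the CA, then publish an (initially empty) CRL.
    openssl ca -config ca.cnf -batch -in host1.csr -out host1.crt
    openssl ca -config ca.cnf -gencrl -out ca.crl

    # If host1 is compromised: revoke its cert, re-issue the CRL and ship the
    # new ca.crl to every peer. Peers without the new CRL still accept host1.
    #   openssl ca -config ca.cnf -revoke host1.crt
    #   openssl ca -config ca.cnf -gencrl -out ca.crl
}

# Verify a racoon certificate directory for host $2: the CA cert, the CRL,
# the host cert and the host key must exist, and the key must be unencrypted.
# Returns 0 when racoon could use the directory, 1 otherwise.
check_racoon_certs() {
    certdir="$1"; host="$2"
    ok=0
    for f in ca.crt ca.crl "$host.crt" "$host.key"; do
        if [ ! -s "$certdir/$f" ]; then
            echo "missing: $certdir/$f" >&2; ok=1
        fi
    done
    # Encrypted PEM keys carry a 'Proc-Type: 4,ENCRYPTED' header (traditional
    # format) or an 'ENCRYPTED PRIVATE KEY' block (PKCS#8).
    if [ -s "$certdir/$host.key" ] && \
       grep -Eq '^Proc-Type: 4,ENCRYPTED|BEGIN ENCRYPTED PRIVATE KEY' "$certdir/$host.key"; then
        echo "$host.key is passphrase-protected; racoon cannot load it." >&2
        echo "Strip the passphrase with: openssl rsa -in $host.key -out $host.key.plain" >&2
        ok=1
    fi
    return $ok
}

# Run the demo only when asked for, so the file can also be sourced for the
# check function alone.
if [ "${RUN_DEMO:-0}" = 1 ]; then
    make_demo_pki "${DEMO_DIR:-/tmp/ipsec-demo-ca}"
    check_racoon_certs "$PWD" host1 && echo "demo directory OK"
    # On host1 itself (as root) the files then go to racoon's directory:
    #   install -m 644 ca.crt ca.crl host1.crt "$RACOON_CERTS"/
    #   install -m 600 host1.key "$RACOON_CERTS"/
    #   check_racoon_certs "$RACOON_CERTS" host1
fi
```

Run it with `RUN_DEMO=1 sh demo-pki.sh` to build the scratch CA; `check_racoon_certs /etc/racoon/certs host1` can be reused on each machine after copying the files into place. The CRL is only as good as its distribution: a peer that still holds the old `ca.crl` keeps accepting a revoked certificate, so regenerating the CRL after a revocation has to be followed by copying it to every host.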