Hi Charles,

Are you saying that Windows 2000 is quite happy with RSA keys, and will
still offer a secure path connecting two networks? I am a little confused
about the whole concept of which method to use, and the relevance of X509. I
had assumed that since it gets mentioned everywhere that it was necessary.

Regards,

Simon.

-----Original Message-----
From: Charles Steinkuehler [mailto:[EMAIL PROTECTED]
Sent: 27 March 2003 13:01
To: Simon Chalk
Cc: [EMAIL PROTECTED]
Subject: Re: [leaf-user] Ipsec Setup with Bering LEAF


Simon Chalk wrote:
> Hi
>
> We are considering using a Bering firewall to connect two networks via the
> internet. Both these networks will have a Windows 2000 server which will
> need to communicate with each other.
>
> I have got to grips with installing Bering and Shorewall, but I am
> struggling with ipsec.
>
> I have several questions associated with the setup: -
>
> 1) Do I need ipsec or ipsec509 for use with Windows 2000 servers located on
> each network?

The fact that you're using Windows 2000 servers doesn't matter if the
two Bering boxes are the VPN gateways.  I'd suggest using plain RSA keys
(i.e. ipsec.lrp) unless you need to interoperate with something that
requires the use of certificates.

> 2) If I do need ipsec509, then I note that the current release of Bering
> seems to have broken links to the ipsec509.lrp file.

Can't help with this one.

> 3) Is there any further documentation on the setup of ipsec for a network to
> network setup, particularly with setup of certificates? I started to go
> through the Bering documentation (LEAF "Bering" user's guide), and attempted
> to use the openssl, which is installed on my spare Mandrake 9.0 box, but
> errors are generated when I try to run the following to set up a certificate
> authority.
>
>       # mkdir -p demoCA/private; mkdir -p demoCA/newcerts;
>       # touch demoCA/index.txt; echo 01 >> demoCA/serial; chmod -R 700 demoCA
>       # openssl req -x509 -days 3650 -newkey rsa:2048 -keyout demoCA/private/cakey.pem -out demoCA/cacert.pem
>
> The above runs OK, but when I run the following
>
>       # openssl ca -gencrl -out crl.pem
>
> I get "no such file or directory" trying to load CA private key.

The main documentation for ipsec is the FreeS/WAN site, which includes
*LOTS* of information:
http://www.freeswan.org/freeswan_trees/freeswan-1.99/doc/index.html
http://www.freeswan.org/freeswan_trees/freeswan-1.99/doc/config.html

Note that X.509 support is in the form of a patch, with documentation
available at a different location:
http://www.strongsec.com/freeswan/
http://www.strongsec.com/freeswan/install.htm

--
Charles Steinkuehler
[EMAIL PROTECTED]
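
Added example, not part of the original messages or of the LEAF or FreeS/WAN documentation: a sketch of the network-to-network connection with plain RSA keys that the reply above recommends, in FreeS/WAN 1.x ipsec.conf syntax. All addresses, IDs and key strings are constructed placeholders, and the connection name is an assumption.

```conf
# /etc/ipsec.conf, identical on both Bering gateways.
# Constructed example: every address, ID and key string is a placeholder.

config setup
        interfaces=%defaultroute      # use the interface holding the default route
        klipsdebug=none
        plutodebug=none
        plutoload=%search
        plutostart=%search
        uniqueids=yes

conn net-to-net                       # connection name is an assumption
        authby=rsasig                 # RSA signature keys, no X.509 certificates
        # Gateway A ("left")
        left=192.0.2.1                # public address of gateway A (placeholder)
        leftsubnet=10.1.0.0/24        # LAN behind A, first Windows 2000 server
        leftid=@gw-a.example.com
        leftnexthop=%defaultroute     # relies on interfaces=%defaultroute above
        # Public key of A, as printed by "ipsec showhostkey --left" on A
        leftrsasigkey=0sPLACEHOLDER_PUBLIC_KEY_OF_GATEWAY_A
        # Gateway B ("right")
        right=198.51.100.1            # public address of gateway B (placeholder)
        rightsubnet=10.2.0.0/24       # LAN behind B, second Windows 2000 server
        rightid=@gw-b.example.com
        rightnexthop=%defaultroute
        # Public key of B, as printed by "ipsec showhostkey --right" on B
        rightrsasigkey=0sPLACEHOLDER_PUBLIC_KEY_OF_GATEWAY_B
        auto=start                    # bring the tunnel up when ipsec starts
```

Only the public halves of the keys appear here; each gateway's private key stays in its own /etc/ipsec.secrets and is never copied to the other side. The Windows 2000 servers need no IPsec configuration of their own, only a route to the remote subnet through their local gateway.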




