Tibbs, Richard wrote:
Dear list. I have X.509 certificates and private keys generated by openssl. I am currently using these to support an openvpn tunnel between two Bering 1.2 firewalls "home" and "office". viz:
    tls-server
    dh dh1024.pem
    ca itec-ca.crt
    cert office.crt
    key office.key
I would like to transition to certificates with ipsec, which I also have running on both Bering fws. It successfully supports a road warrior mode for a laptop anywhere outside office-fw, but it is currently Preshared Key.
I see no reason why I could not use the same certificates and keys on my ipsec connections.
I have office.cert and office.key, which could be used on the office fw. Then, for road warrior mode, I may as well use home.cert and home.key on the laptop.
A handful of questions: first, how do I use the dh1024.pem file with ipsec?
No need; AFAIK ipsec uses well-known Diffie-Hellman groups.
Second --
I am getting confused by some of the file formats, and I have this from
the www.strongsec.com/freeswan/install.htm page:
that freeswan can automatically detect base64 pem format versus binary
DER format. Is binary DER what openssl generates as a .crt file? And
what are PKCS#12 and PKCS#7?
openssl can generate different file formats. PEM is quite popular.
Finally, there does not seem to be any config in ipsec.conf to identify
the CA certificate file. Is this done automatically from some directory?
Yes
/etc/ipsec.d/cacerts
cheers
Erich
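
The file-format question above, as an added example that is not part of the original thread and is not FreeS/WAN's own code: a loader can tell PEM from DER, and guess PKCS#7 or PKCS#12, from the bytes rather than from the file extension. The sample inputs are constructed skeletons, and the .p12 and .p7b file names are hypothetical.

```python
import base64
import re
# PEM is base64-encoded DER wrapped in BEGIN/END armor lines.
PEM_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)

def der_header(buf, pos):
    """Return (tag, content_offset, content_length) for the DER TLV at pos."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:                       # short-form length
        return tag, pos + 2, first
    n = first & 0x7F                       # long form: next n bytes are the length
    return tag, pos + 2 + n, int.from_bytes(buf[pos + 2:pos + 2 + n], "big")

def classify_der(der):
    """Heuristic: look at the first element inside the outer SEQUENCE."""
    try:
        if der[0] != 0x30:
            return "not DER"
        _, body, _ = der_header(der, 0)
        tag, off, length = der_header(der, body)
    except IndexError:
        return "truncated"
    if tag == 0x30:                        # tbsCertificate; CSRs and CRLs look alike
        return "x509-like"
    if tag == 0x06:                        # ContentInfo starts with an OID
        return "PKCS#7"
    if tag == 0x02:                        # version INTEGER: 3 = PFX, else a private key
        version = int.from_bytes(der[off:off + length], "big")
        return "PKCS#12" if version == 3 else "private key"
    return "unknown"

def identify(data):
    """Return (encoding, PEM label or None, structure guess) for file contents."""
    m = PEM_RE.search(data)
    if m:
        return "PEM", m.group(1).decode(), classify_der(base64.b64decode(m.group(2)))
    return "DER", None, classify_der(data)

def to_pem(label, der):
    return b"-----BEGIN " + label + b"-----\n" + base64.encodebytes(der) + b"-----END " + label + b"-----\n"

# Constructed skeletons (not real certificates or keys); .p12/.p7b names are hypothetical.
CERT = bytes.fromhex("300430020500")
PFX = bytes.fromhex("3003020103")
P7 = bytes.fromhex("300b06092a864886f70d010702")

if __name__ == "__main__":
    samples = {"office.crt": to_pem(b"CERTIFICATE", CERT), "office.p12": PFX, "chain.p7b": P7}
    for name, blob in samples.items():
        print(name, identify(blob))
```

The structure guess is only a first-element heuristic; the PEM label, when present, is the more reliable indicator of what the file holds.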
leaf-user mailing list: https://lists.sourceforge.net/lists/listinfo/leaf-user
