Re: [Swan] Adding host to subnet VPN

2016-02-23 Thread Paul Wouters

On Tue, 23 Feb 2016, Alex wrote:

>> How did you create your original certificates? You should repeat
>> the same process for a new certificate. It doesn't much matter
>> how you do it, as long as you use the same CA for it.
>
> That's kind of the problem - the original certs were created many,
> many years ago. I believe it was 2010 when you helped me import them
> into NSS, so they were created before even NSS was a thing.

I would not have told you to put the CAcerts into the VPN NSS db, so
you should still have those files somewhere?

> I'm familiar with using openssl to create certificates, but it
> involves private keys and a CSR.

You can use that too, and then create a PKCS#12 .p12 export file using
openssl.

Paul
___
Swan mailing list
Swan@lists.libreswan.org
https://lists.libreswan.org/mailman/listinfo/swan
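As an added example (not code from the thread or from the libreswan project), this is the openssl route Paul describes: issue the new host's certificate under the same CA that signed orion and cyclops, then pack key, certificate and CA chain into a .p12 for "ipsec import". The host name arcade, its DN, the PEM file layout and the export password are assumptions; the throwaway CA is generated only so the script runs stand-alone.

```shell
#!/bin/sh
# Added example, not code from the thread: issue a certificate for the new
# road-warrior host with an existing openssl CA and bundle it as PKCS#12
# for "ipsec import". Assumed: CA key/cert are PEM files, the subject DN
# follows the orion/cyclops pattern, the export password is a placeholder.
set -e

# Constructed stand-in for the CA the thread calls "DGHQ Authority - MyCompany Inc".
# With a real CA, skip this and pass the original key/cert files instead.
make_demo_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/C=US/ST=New Jersey/L=Newark/O=My Company Inc/CN=DGHQ Authority - MyCompany Inc" \
        -keyout "$1/ca.key" -out "$1/ca.crt" >/dev/null 2>&1
}

# issue_host_p12 DIR HOST FQDN CA_KEY CA_CRT PASS -> prints the .p12 path
issue_host_p12() {
    dir=$1 host=$2 fqdn=$3 ca_key=$4 ca_crt=$5 pass=$6
    # 1. private key and CSR for the new host, same DN style as the other hosts
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/C=US/ST=New Jersey/L=Newark/O=My Company Inc/CN=$fqdn" \
        -keyout "$dir/$host.key" -out "$dir/$host.csr" >/dev/null 2>&1
    # 2. sign with the SAME CA that issued orion and cyclops (12 months here)
    openssl x509 -req -days 365 -in "$dir/$host.csr" \
        -CA "$ca_crt" -CAkey "$ca_key" -CAcreateserial \
        -out "$dir/$host.crt" >/dev/null 2>&1
    # 3. key + cert + CA chain in one file; the friendly name becomes the NSS
    #    nickname, i.e. what leftcert=/rightcert= refer to in ipsec.conf
    openssl pkcs12 -export -name "$host" \
        -inkey "$dir/$host.key" -in "$dir/$host.crt" -certfile "$ca_crt" \
        -passout "pass:$pass" -out "$dir/$host.p12"
    # 4. on the VPN host: ipsec import "$host.p12" (asks for the password;
    #    ipsec import locates the NSS db itself, so no certutil -d form is needed)
    echo "$dir/$host.p12"
}

# verify_host_cert CA_CRT HOST_CRT: exit 0 only if the new cert chains to the CA
verify_host_cert() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

demo_dir=$(mktemp -d)
make_demo_ca "$demo_dir"
p12=$(issue_host_p12 "$demo_dir" arcade arcade.example.com \
      "$demo_dir/ca.key" "$demo_dir/ca.crt" changeit)
verify_host_cert "$demo_dir/ca.crt" "$demo_dir/arcade.crt" && echo "issued $p12"
```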


Re: [Swan] Adding host to subnet VPN

2016-02-22 Thread Paul Wouters

On Mon, 22 Feb 2016, Alex wrote:

> I'm confused about the newhostkey part. Can someone help me with the
> steps needed to create the host key and certificate?

newhostkey is only used for raw RSA keys, not certificates.

> I've read through the NSS HOWTO, and I don't understand :-(

How did you create your original certificates? You should repeat
the same process for a new certificate. It doesn't much matter
how you do it, as long as you use the same CA for it.

Paul


Re: [Swan] Adding host to subnet VPN

2016-02-22 Thread Alex
Hi,

>> Can I just leave out the subnet declarations where they're not
>> necessary? Assuming 'arcade' (23.227.181.206) was the name of the
>> roadwarrior host and its default route is 23.227.181.193:
>>
>> conn VPN-DGHQ-DGXO-2
>> auto=start
>> left=68.111.193.42
>> leftnexthop=68.111.193.41
>> leftsubnet=192.168.1.0/24
>> leftid="@C=US, ST=New Jersey, L=Newark, O=My Company Inc,
>> CN=orion.example.com"
>
> Here you have a problem. When ID start with @, it's ID type FQDN.
> But your id is really ID_DER_ASN1_DN type, certificate subject.
> Remove character "@".

This is actually the configuration I have from a working system. I'll
remove the @, but the problem I'm having now is with creating a new
certificate for another host.

I'm confused about the newhostkey part. Can someone help me with the
steps needed to create the host key and certificate?

I've read through the NSS HOWTO, and I don't understand :-(

Thanks,
Alex


Re: [Swan] Adding host to subnet VPN

2016-02-22 Thread Tuomo Soini
On Sun, 21 Feb 2016 20:13:38 -0500
Alex wrote:

> Can I just leave out the subnet declarations where they're not
> necessary? Assuming 'arcade' (23.227.181.206) was the name of the
> roadwarrior host and its default route is 23.227.181.193:
> 
> conn VPN-DGHQ-DGXO-2
> auto=start
> left=68.111.193.42
> leftnexthop=68.111.193.41
> leftsubnet=192.168.1.0/24
> leftid="@C=US, ST=New Jersey, L=Newark, O=My Company Inc,
> CN=orion.example.com"

Here you have a problem. When an ID starts with "@", it is of ID type FQDN.
But your id is really of type ID_DER_ASN1_DN, the certificate subject.
Remove the "@" character.

> leftcert=orion
> right=23.227.181.206
> rightnexthop=23.227.181.193
> rightid="@C=US, ST=New Jersey, L=Newark, O=My Company Inc,
> CN=cyclops.example.com"

Same here.

> rightcert=arcade

-- 
Tuomo Soini 
Foobar Linux services
+358 40 5240030
Foobar Oy 
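Added example, not from the thread or from libreswan: a small lint for the "@" mistake Tuomo points out, with the conn from the thread as its constructed input. An ID beginning with "@" is read as an FQDN ID, so a certificate subject DN must be written without it; the script assumes one key=value per line, as libreswan reads ipsec.conf (the DNs wrapped in the mail are rejoined).

```shell
#!/bin/sh
# Added example, not from the thread: a lint for the "@" mistake Tuomo points
# out. In ipsec.conf an ID beginning with "@" is parsed as an FQDN ID, so a
# certificate subject DN must be written without it. Assumed: one key=value
# per line, as libreswan reads it (the wrapped DNs in the mail are rejoined).
set -e

# flag_dn_ids FILE: prints offending leftid=/rightid= lines, returns 1 if any
flag_dn_ids() {
    # a DN component (C=, O=, CN=, ...) directly after "@" marks a mis-typed ID
    ! grep -nE '^[[:space:]]*(left|right)id="?@[[:space:]]*[A-Za-z]+=' "$1"
}

# fix_dn_ids IN OUT: copy the conn with the stray "@" stripped from DN-style IDs;
# plain FQDN IDs such as @vpn.example.com are left untouched
fix_dn_ids() {
    sed -E 's/^([[:space:]]*(left|right)id="?)@([[:space:]]*[A-Za-z]+=)/\1\3/' "$1" > "$2"
}

# Constructed sample: the conn from the thread with each DN on one line
sample=$(mktemp)
cat > "$sample" <<'EOF'
conn VPN-DGHQ-DGXO-2
    auto=start
    left=68.111.193.42
    leftnexthop=68.111.193.41
    leftsubnet=192.168.1.0/24
    leftid="@C=US, ST=New Jersey, L=Newark, O=My Company Inc, CN=orion.example.com"
    leftcert=orion
    right=23.227.181.206
    rightnexthop=23.227.181.193
    rightid="@C=US, ST=New Jersey, L=Newark, O=My Company Inc, CN=cyclops.example.com"
    rightcert=arcade
EOF
fixed=$(mktemp)
flag_dn_ids "$sample" || echo "-> rewriting IDs without the @ prefix"
fix_dn_ids "$sample" "$fixed"
```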


Re: [Swan] Adding host to subnet VPN

2016-02-22 Thread Nick Howitt

Sorry, forgot to reply to all.

Don't you now need a different form of the certutil command for the nss
database? (sql:/etc/ipsec.d instead of /etc/ipsec.d)


Nick



On 2016-02-22 02:05, Paul Wouters wrote:

> On Sun, 21 Feb 2016, Alex wrote:
>
>> Can I just leave out the subnet declarations where they're not
>> necessary?
>
> Yes.
>
>> Also, when I try to use my existing CA to create another cert for the
>> new host, it's unable to find it:
>>
>> # certutil -L -d /etc/ipsec.d
>>
>> Certificate Nickname                Trust Attributes
>>                                     SSL,S/MIME,JAR/XPI
>>
>> cyclops                             u,u,u
>> DGHQ Authority - MyCompany Inc      ,,
>> orion                               u,u,u
>>
>> # certutil -S -k rsa -c "DGHQ Authority - MyCompany Inc" -n "arcade"
>> -s "CN=MyCompany Inc" -v 12 -t "u,u,u" -d /etc/ipsec.d
>> ...
>> certutil: unable to retrieve key DGHQ Authority - MyCompany Inc:
>> SEC_ERROR_NO_KEY: The private key for this certificate cannot be found
>> in key database
>> certutil: unable to create cert (The private key for this certificate
>> cannot be found in key database)
>>
>> Did I somehow screw up the process of creating the CA in the first
>> place?
>
> possibly. The easiest is to create a PKCS#12 file and run "ipsec import
> file.p12"
>
> Paul
>
>> Thanks,
>> Alex



Re: [Swan] Adding host to subnet VPN

2016-02-22 Thread Nick Howitt
Don't you now need a different form of the certutil command for the nss
database? (sql:/etc/ipsec.d instead of /etc/ipsec.d)


Nick

On 2016-02-22 02:05, Paul Wouters wrote:

> On Sun, 21 Feb 2016, Alex wrote:
>
>> Can I just leave out the subnet declarations where they're not
>> necessary?
>
> Yes.
>
>> Also, when I try to use my existing CA to create another cert for the
>> new host, it's unable to find it:
>>
>> # certutil -L -d /etc/ipsec.d
>>
>> Certificate Nickname                Trust Attributes
>>                                     SSL,S/MIME,JAR/XPI
>>
>> cyclops                             u,u,u
>> DGHQ Authority - MyCompany Inc      ,,
>> orion                               u,u,u
>>
>> # certutil -S -k rsa -c "DGHQ Authority - MyCompany Inc" -n "arcade"
>> -s "CN=MyCompany Inc" -v 12 -t "u,u,u" -d /etc/ipsec.d
>> ...
>> certutil: unable to retrieve key DGHQ Authority - MyCompany Inc:
>> SEC_ERROR_NO_KEY: The private key for this certificate cannot be found
>> in key database
>> certutil: unable to create cert (The private key for this certificate
>> cannot be found in key database)
>>
>> Did I somehow screw up the process of creating the CA in the first
>> place?
>
> possibly. The easiest is to create a PKCS#12 file and run "ipsec import
> file.p12"
>
> Paul
>
>> Thanks,
>> Alex



Re: [Swan] Adding host to subnet VPN

2016-02-21 Thread Alex
Hi Paul,

>> certutil: unable to retrieve key DGHQ Authority - MyCompany Inc:
>> SEC_ERROR_NO_KEY: The private key for this certificate cannot be found
>> in key database
>> certutil: unable to create cert (The private key for this certificate
>> cannot be found in key database)
>>
>> Did I somehow screw up the process of creating the CA in the first place?
>
> possibly. The easiest is to create a PKCS#12 file and run "ipsec import
> file.p12"

I thought I realized how to do this, but apparently I don't.

To create the pkcs12 file using certutil, it requires the working CA,
but that appears to be the problem I'm having, right?

Thanks,
Alex


Re: [Swan] Adding host to subnet VPN

2016-02-21 Thread Paul Wouters

On Sun, 21 Feb 2016, Alex wrote:

> Can I just leave out the subnet declarations where they're not
> necessary?

Yes.

> Also, when I try to use my existing CA to create another cert for the
> new host, it's unable to find it:
>
> # certutil -L -d /etc/ipsec.d
>
> Certificate Nickname                Trust Attributes
>                                     SSL,S/MIME,JAR/XPI
>
> cyclops                             u,u,u
> DGHQ Authority - MyCompany Inc      ,,
> orion                               u,u,u
>
> # certutil -S -k rsa -c "DGHQ Authority - MyCompany Inc" -n "arcade"
> -s "CN=MyCompany Inc" -v 12 -t "u,u,u" -d /etc/ipsec.d
> ...
> certutil: unable to retrieve key DGHQ Authority - MyCompany Inc:
> SEC_ERROR_NO_KEY: The private key for this certificate cannot be found
> in key database
> certutil: unable to create cert (The private key for this certificate
> cannot be found in key database)
>
> Did I somehow screw up the process of creating the CA in the first place?

possibly. The easiest is to create a PKCS#12 file and run "ipsec import file.p12"

Paul

> Thanks,
> Alex




Re: [Swan] Adding host to subnet VPN

2016-02-21 Thread Alex
Hi,

>> I'd now like to add another fedora23 system by itself to the
>> configuration. I suppose this is just a "road warrior" type of
>> configuration.
>>
>> I've experimented quite a bit with adapting my configuration to also
>> create a subnet-to-host setup, and haven't gotten it to work. I don't
>> see any similar examples on the website that describe using certs.
>
>
> I'm not quite sure what you mean.
>
> It seems like you want a roadwarrior, so right=%any and rightid= your cert>
> and then just have the rest similar to your other two conns?

Can I just leave out the subnet declarations where they're not
necessary? Assuming 'arcade' (23.227.181.206) was the name of the
roadwarrior host and its default route is 23.227.181.193:

conn VPN-DGHQ-DGXO-2
auto=start
left=68.111.193.42
leftnexthop=68.111.193.41
leftsubnet=192.168.1.0/24
leftid="@C=US, ST=New Jersey, L=Newark, O=My Company Inc,
CN=orion.example.com"
leftcert=orion
right=23.227.181.206
rightnexthop=23.227.181.193
rightid="@C=US, ST=New Jersey, L=Newark, O=My Company Inc,
CN=cyclops.example.com"
rightcert=arcade

So, in other words, there's a subnet behind the rightnexthop, but only
a host (roadwarrior?) on the left side.

Also, when I try to use my existing CA to create another cert for the
new host, it's unable to find it:

# certutil -L -d /etc/ipsec.d

Certificate Nickname                Trust Attributes
                                    SSL,S/MIME,JAR/XPI

cyclops                             u,u,u
DGHQ Authority - MyCompany Inc      ,,
orion                               u,u,u

# certutil -S -k rsa -c "DGHQ Authority - MyCompany Inc" -n "arcade"
-s "CN=MyCompany Inc" -v 12 -t "u,u,u" -d /etc/ipsec.d
...
certutil: unable to retrieve key DGHQ Authority - MyCompany Inc:
SEC_ERROR_NO_KEY: The private key for this certificate cannot be found
in key database
certutil: unable to create cert (The private key for this certificate
cannot be found in key database)

Did I somehow screw up the process of creating the CA in the first place?

Thanks,
Alex