[EMAIL PROTECTED] wrote on 10.01.2005 17:38:08:

> Once again, I'm looking at setting up a VPN server for mobile remote
> users to connect into the company servers.
>
> Now, I think I'm going about it in the right order so far.
>
> 1. In VPN - CA, created a CA key using the server hostname.domain.com
>    name as the Common Name
> 2. In VPN - Other Keys, created 2 keys, first for server, using a
>    different made-up name for the Common Name, and a second key for the
>    test remote client I'll be using to connect in from.
> 3. I copied the files /etc/freeswan/ipsec.d/private/myclient.key and
>    /etc/freeswan/ipsec.d/certs/myclient.crt to my remote test client
>    using scp.

You will also need to copy ca.crt and dh2048.pem.

> Should I now delete them from the firewall for security reasons?
>
> 4. Next in VPN -> OpenVPN I created an entry for the server (the
>    firewall) as follows:
>
>    Type:                  tls-server
>    Device Type:           tun
>    Local Name:            dubvpn
>    Certificate Name:      dubvpn
>    Local VPN Point:       10.149.32.215
>    Port:                  1194
>    Ping Restart:          30
>    Remote IP:             (blank)
>    CA Name:               ca
>    Remote VPN Point:      10.149.49.1
>    Remote Subnet/Netmask: 255.255.255.0
>    Optional Parameters:   (blank)
>
> I used the hostname for the Local and Certificate names. This is the
> same name I used for the CA common name. Does that matter?
>
> This created the files /etc/openvpn/dubvpn.up and
> /etc/openvpn/tls-dubvpn.conf
>
> Now, the question!
> When I look at /etc/openvpn/tls-dubvpn.conf, it says:
>
> dev tun
> ifconfig 10.149.32.215 10.149.49.1
> up /etc/openvpn/dubvpn.up
> tls-server
> dh /etc/openvpn/dh2048.pem
> ca /etc/openvpn/ca.crt
> cert /etc/openvpn/dubvpn.crt
> key /etc/openvpn/dubvpn.key
> port 1194
> verb 3
>
> The files for the ca, cert and key files are not in this directory
> (/etc/openvpn) being shown here. Therefore, do I need to move:
>
> a. the ca.crt file from /etc/freeswan/ipsec.d/cacerts/ to /etc/openvpn

I would rather copy it.

> b. the dubvpn.crt file from /etc/freeswan/ipsec.d/certs/ to /etc/openvpn
> c. the dubvpn.key file from /etc/freeswan/ipsec.d/private/ to /etc/openvpn
> d. run "openssl dhparam -out /etc/openvpn/dh2048.pem 2048" to create a
>    file called dh2048.pem in /etc/openvpn

Do not forget to chown all files to openvpn:openvpn.

> Am I on the right track so far??
> Should the tls file paths not be correct for the crt and key files?
>
> Do I now need to create an openvpn entry for the client also, and then
> copy the relevant tls and up files from /etc/openvpn on the firewall to
> the client machine, or is this only meant to be done on the client
> itself. In other words, do I need client entries in VPN -> OpenVPN for
> all the remote clients who will be connecting in?

If you use MNF as the VPN server, you only need to set up the server side on
MNF. You should keep in mind that MNF uses OpenVPN version 1.6, which allows
only one simultaneous connection to one server port (1194 in your case). I
have four remote clients (Windows XP), so I set four entries for ports
5000-5003 (with a different local name and local IP for each, but the same
server-side certificate). If you have many clients, OpenVPN version 2.0 will
offer you a better solution to manage multiple simultaneous connections.

> Now I'm going to do the Firewall -> tunnels section next. Wish me luck!!

Look at http://shorewall.net/OPENVPN.html

> Dj.

Good luck!

Jaro Lomencik
____________________________________________________ Want to buy your Pack or Services from MandrakeSoft? Go to http://www.mandrakestore.com Join the Club : http://www.mandrakeclub.com ____________________________________________________
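The staging and one-port-per-client layout discussed in the reply above, as an added example; this is not code from the thread, from MNF or from OpenVPN. It copies (not moves) the CA, server cert and key out of the freeswan tree into /etc/openvpn, keeps an existing dh2048.pem rather than regenerating it, applies the chown the reply asks for, writes one point-to-point tls-server config per remote client on consecutive ports starting at 5000 together with the mirrored tls-client config, and then checks that every file a config references exists and that the private key is not group- or world-readable (the exact thing the original question tripped over). ROOT, the client table (names, local and remote VPN IPs) and the hostname vpn.example.com are constructed for the example; the path layout, file names, port range and config directives are the ones the thread shows.

```shell
#!/bin/sh
# Added example (not from the thread, MNF or OpenVPN): stage OpenVPN 1.6
# tls-server material and write one server config per client on its own port.
# ROOT defaults to a scratch directory for a dry run; use ROOT=/ on the firewall.
set -eu

ROOT="${ROOT:-$(mktemp -d)}"; ROOT="${ROOT%/}"
SRC="$ROOT/etc/freeswan/ipsec.d"               # where the MNF VPN - CA screens write keys
DST="$ROOT/etc/openvpn"
SERVER_NAME="${SERVER_NAME:-dubvpn}"           # server cert/key name from the thread
SERVER_HOST="${SERVER_HOST:-vpn.example.com}"  # hypothetical public name of the firewall
BASE_PORT="${BASE_PORT:-5000}"                 # first of the per-client ports
DH_BITS="${DH_BITS:-2048}"
# Constructed table, one client per line: "<client cert name> <local VPN IP> <remote VPN IP>".
# Each entry needs its own local IP as well as its own port.
CLIENT_TABLE="${CLIENT_TABLE:-alice 10.149.32.215 10.149.49.1
bob 10.149.32.216 10.149.49.2}"

stage_server_files() {
  mkdir -p "$DST"
  cp "$SRC/cacerts/ca.crt"           "$DST/ca.crt"            # copy, leave the freeswan tree intact
  cp "$SRC/certs/$SERVER_NAME.crt"   "$DST/$SERVER_NAME.crt"
  cp "$SRC/private/$SERVER_NAME.key" "$DST/$SERVER_NAME.key"
  # dhparam generation is slow, so keep an existing file rather than regenerate it
  [ -s "$DST/dh2048.pem" ] || openssl dhparam -out "$DST/dh2048.pem" "$DH_BITS"
  chmod 600 "$DST/$SERVER_NAME.key"
  # chown needs root and an openvpn user; both exist on the firewall, not in a dry run
  if [ "$(id -u)" = 0 ] && id openvpn >/dev/null 2>&1; then
    chown openvpn:openvpn "$DST"/*
  fi
}

# args: index name local_ip remote_ip -- server listens on BASE_PORT + index
write_server_conf() {
  port=$((BASE_PORT + $1))
  cat > "$DST/tls-$SERVER_NAME-$2.conf" <<EOF
dev tun
ifconfig $3 $4
tls-server
dh $DST/dh2048.pem
ca $DST/ca.crt
cert $DST/$SERVER_NAME.crt
key $DST/$SERVER_NAME.key
port $port
verb 3
EOF
}

# args: index name local_ip remote_ip -- client side mirrors ifconfig and uses its own cert/key
write_client_conf() {
  port=$((BASE_PORT + $1))
  mkdir -p "$DST/clients"
  cat > "$DST/clients/$2.conf" <<EOF
dev tun
remote $SERVER_HOST
port $port
ifconfig $4 $3
tls-client
ca ca.crt
cert $2.crt
key $2.key
verb 3
EOF
}

write_all_confs() {
  i=0
  printf '%s\n' "$CLIENT_TABLE" | while read -r name lip rip; do
    [ -n "$name" ] || continue
    write_server_conf "$i" "$name" "$lip" "$rip"
    write_client_conf "$i" "$name" "$lip" "$rip"
    i=$((i + 1))
  done
}

# Verify every ca/cert/key/dh path in a config exists and the key is private; non-zero on any problem.
check_conf() {
  conf="$1"; rc=0; dir=$(dirname "$conf")
  for item in ca cert key dh; do
    path=$(awk -v k="$item" '$1 == k { print $2 }' "$conf")
    [ -n "$path" ] || continue                      # client configs carry no dh line
    case "$path" in /*) ;; *) path="$dir/$path" ;; esac
    if [ ! -s "$path" ]; then
      echo "$conf: '$item' points at missing file $path" >&2; rc=1
    elif [ "$item" = key ] && [ -n "$(find "$path" \( -perm -040 -o -perm -004 \) -print)" ]; then
      echo "$conf: private key $path is group/world readable" >&2; rc=1
    fi
  done
  return $rc
}

main() {
  stage_server_files
  write_all_confs
  for conf in "$DST"/tls-*.conf; do check_conf "$conf"; done
  echo "staged under $DST; server configs listen from port $BASE_PORT upwards"
}
case "${1:-}" in run) main ;; esac   # e.g.  ROOT=/ sh stage-openvpn.sh run
```

The generated server configs omit the `up` script line MNF adds, since that script is MNF's own; add it back if the MNF-generated one is wanted. The client-side files reference ca.crt and the client's own cert and key relative to the config, which is how they should be laid out on the remote machine after the scp step; the server's key never leaves the firewall.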
