On Sun, 31 May 2015, John Crisp wrote:
> Thank you for your kind responses. Paul, if I can sort this out I will take you up on wiki access to do a page for numpties like me :-)
Good :)
> I think the first thing I need to get straight in my head, and where I am probably tripping up, is the use of certificates themselves. I can see that they can be generated on LibreSwan, and that Endian can create them too. It seems that both ends can be a CA, and therefore issue certificates.
You need to have 1 CA, who is the Certificate Authority. That is the only entity both servers should trust. This entity can live anywhere - usually not on either VPN endpoint but a more secure (or even offline) machine. Open-source tools for this are "xca" or "tinyca2" if you run a Linux GUI desktop.
> I can see that both can generate a PKCS12 .p12 which I believe contains both the public and private key.
A PKCS#12 usually includes:

- The end entity public certificate (eg vpn.example.com)
- The private key belonging to vpn.example.com's certificate
- The public certificate of the CA (eg "Example CA") that signed the client
- Optionally, any intermediate CAs needed for the full path from the CA that signed the client to a known root CA (mostly used for TLS, less so for IPsec)

So you should give each end its own PKCS#12 file. So each end has their set. Since it contains the CA cert, each end can validate the remote peer, and each end can authenticate itself with their own private key. Neither end can pretend to be the other, since they don't have each other's private key.
> Now, I had wanted LibreSwan to be just in 'receive' mode - e.g. auto=add with the Endian box making the connection.
For the certificates that does not really matter.
> Can someone please explain to me which bit of which cert should go where please ?
For libreswan, use "ipsec import /path/to/file.p12". Test your results with:

  certutil -L -d /etc/ipsec.d

(or with git code or 3.14+ version: certutil -L -d sql:/etc/ipsec.d)

For Endian, which I think is strongswan based? You will probably need to extract the p12 file into the cacert.pem, client.pem and client.key and place these in /etc/ipsec.d/cacerts, /etc/ipsec.d/certs and /etc/ipsec.d/private. You will need several commands to extract this content from the p12 file.
> Do both ends need both public and private parts of the same key, or do they both generate their own private key and then exchange just the public pem with each other ?
Each has its own set.
> If so then how do I import the pem part only into Libreswan (I could add the whole .p12 cert from Endian but I believe that really the private key should not leave that box ?)
Make sure you have left/rightsendcert=always on libreswan. That will send the certificate over IKE, which is all you need. No special importing is needed beyond the initial import/configuration of the endpoints with their own pkcs#12 set.
> I tried to export the pem part from Endian and import to Libreswan as follows but it errored
>
> [root@test certs]# ipsec import Endian.pem
You cannot import a non-pkcs#12 that way. But you do not need to do that.

Paul

_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
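As an added example (not from this thread or either project), the "several commands" Paul refers to for splitting a PKCS#12 into cacert.pem, client.pem and client.key with openssl, using the cacerts/certs/private layout named in the reply, plus a helper that builds throwaway test material. "Test CA", vpn.example.com and the password "changeit" are constructed placeholders.

```shell
#!/bin/sh
# Added example: split a PKCS#12 bundle into the three PEM files a
# strongSwan-style /etc/ipsec.d layout expects, then sanity-check them.
set -eu

split_p12() {
  # $1 = path to .p12, $2 = its password, $3 = output directory (e.g. /etc/ipsec.d)
  p12=$1; pw=$2; out=$3
  mkdir -p "$out/cacerts" "$out/certs" "$out/private" || return 1
  # CA certificate(s) only (bags without a localKeyID) -> cacerts/cacert.pem
  openssl pkcs12 -in "$p12" -passin "pass:$pw" -cacerts -nokeys \
    -out "$out/cacerts/cacert.pem" || return 1
  # End-entity certificate only (the bag tied to the key) -> certs/client.pem
  openssl pkcs12 -in "$p12" -passin "pass:$pw" -clcerts -nokeys \
    -out "$out/certs/client.pem" || return 1
  # Private key, written unencrypted so the daemon can read it; restrict mode.
  openssl pkcs12 -in "$p12" -passin "pass:$pw" -nocerts -nodes \
    -out "$out/private/client.key" || return 1
  chmod 600 "$out/private/client.key" || return 1
  # Check 1: the end-entity cert chains to the CA cert we just wrote out.
  openssl verify -CAfile "$out/cacerts/cacert.pem" "$out/certs/client.pem" \
    >/dev/null || return 1
  # Check 2: the extracted key really belongs to the extracted certificate.
  [ "$(openssl x509 -in "$out/certs/client.pem" -noout -pubkey)" = \
    "$(openssl pkey -in "$out/private/client.key" -pubout)" ]
}

make_demo_p12() {
  # Constructed test material: one CA and one end-entity cert signed by it,
  # bundled the way a VPN endpoint would receive them. $1 = scratch directory.
  dir=$1
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$dir/ca.key" \
    -out "$dir/ca.pem" -subj "/CN=Test CA" -days 2
  openssl req -newkey rsa:2048 -nodes -keyout "$dir/vpn.key" \
    -out "$dir/vpn.csr" -subj "/CN=vpn.example.com"
  openssl x509 -req -in "$dir/vpn.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
    -CAcreateserial -out "$dir/vpn.pem" -days 2
  openssl pkcs12 -export -inkey "$dir/vpn.key" -in "$dir/vpn.pem" \
    -certfile "$dir/ca.pem" -name vpn.example.com \
    -passout pass:changeit -out "$dir/vpn.p12"
}

# Demo run on the constructed material, in a scratch directory:
#   tmp=$(mktemp -d); make_demo_p12 "$tmp"
#   split_p12 "$tmp/vpn.p12" changeit "$tmp/ipsec.d"
```

On a real endpoint the .p12 you split is the one issued to that box, never the peer's; the peer's certificate arrives over IKE when sendcert is set, as the reply explains.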
