Hi Simo,

[email protected] wrote:
> I have been using strongSwan and Nokia VPN Client with certs for years
> now. Sometimes the configuration has been a bit tricky, but so far I have
> always been able to get it to work in the end.

Okay, that's reassuring.

> My default check list with certs is:
> 1. In the phone VPN settings find the poliview and check the  
> certificate status from the policy details. It should show something  
> like "ok".

Checked.

> 2. Check that the certificates use SHA-1 as the signature algorithm.
> (I guess MD5 would also work, but I have not tested. I have had
> problems with SHA-256 and SHA-512.)

Checked.

"openssl x509 -in certs/nokia_cert.pem -noout -text" shows:

<snip>
Signature Algorithm: sha1WithRSAEncryption
[...]
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
</snip>

> 3. The key size used should be 1024 or 2048.

Checked.

"openssl rsa -in private/vpn_key.pem -noout -text" shows:

<snip>
Private-Key: (1024 bit)
</snip>

> 4. Subject name and issuer name should contain only the most common
> components, like:
> CN, OU, O, L and C.

Issuer: C=DE, ST=BW, L=Stuttgart, O=LeRo, OU=IT Department, CN=ca.home.ro

Subject: C=DE, ST=BW, L=Stuttgart, O=LeRo, OU=IT Department,
[email protected]

The certificates were created with the following commands:

<snip>
# Note: "openssl req" only honours -days together with -x509 (self-signed
# output); for a CSR the validity is set when the CA signs it below.
openssl req -new -newkey rsa:1024 -out certs/nokia_csr.pem -keyout private/nokia_key.pem -days 3650
</snip>

Then the key is signed using:

<snip>
# The signature digest is OpenSSL's build default here; add -sha1 to pin
# it explicitly so the SHA-1 requirement does not depend on the version.
openssl x509 -req -in certs/nokia_csr.pem -out certs/nokia_cert.pem -CA cacerts/cacert.pem -CAkey private/cakey.pem -CAserial serial -days 3650
</snip>

The PKCS#12 file is created with this command:

<snip>
openssl pkcs12 -export -in certs/nokia_cert.pem -inkey private/nokia_key.pem -out nokia.p12
</snip>

What I'm not sure about is what to select/enter in Nokia's Mobile VPN
Client Policy Tool in the fields "Remote ID type" and "Remote ID".
I've got the Remote ID type set to "1 - IPv4" and as Remote ID the local
IP of the strongswan server (192.168.x.x) - that works using PSK at
least. Is that correct?

Cheers,
Robert
_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
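
Items 2 to 4 of Simo's checklist (signature algorithm, key size, name components) can be run mechanically over the output of "openssl x509 -noout -text". The script below is an added example, not code from this thread, from strongSwan or from Nokia. It treats Simo's list of name components (CN, OU, O, L, C) as a strict allowlist, so the ST and emailAddress components in the names Robert posted are reported as a warning, and it accepts only sha1WithRSAEncryption because that is the only algorithm the thread reports working. It assumes OpenSSL's one-line Subject/Issuer output (either the "C=DE, ST=BW" or the "C = DE, ST = BW" form), name values without embedded commas, and either the "RSA Public Key: (N bit)" wording shown above or the newer "Public-Key: (N bit)". The two certificate dumps embedded in it are constructed; the host names and the e-mail address in them are placeholders.

```shell
#!/bin/sh
# Added example, not part of the thread: run Simo's checklist (items 2-4)
# against the text output of "openssl x509 -noout -text".
# Assumptions (mine, not the thread's): one-line Subject/Issuer output in
# either "C=DE, ST=BW" or "C = DE, ST = BW" form, DN values without commas,
# and "Public-Key: (N bit)" or the older "RSA Public Key: (N bit)" wording.

# Item 2: signature algorithm. Only SHA-1 is accepted, since that is the
# only digest the thread reports as working (MD5 is untested there).
check_sig_alg() {
    case "$1" in
        sha1WithRSAEncryption) return 0 ;;
        *)                     return 1 ;;
    esac
}

# Item 3: RSA key size must be 1024 or 2048 bits.
check_key_bits() {
    case "$1" in
        1024|2048) return 0 ;;
        *)         return 1 ;;
    esac
}

# Item 4: every RDN attribute type must be one of C, L, O, OU, CN.
# Arguments: the attribute types of one name, e.g. "C L O OU CN".
check_dn_types() {
    [ $# -gt 0 ] || return 1
    for t in "$@"; do
        case "$t" in
            C|L|O|OU|CN) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Field extractors over the -text dump ($1). Each prints one value.
sig_alg_of()  { printf '%s\n' "$1" | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1; }
key_bits_of() { printf '%s\n' "$1" | sed -n 's/.*Public[- ]Key: *(\([0-9]*\) bit).*/\1/p' | head -n 1; }
# dn_types_of TEXT Subject|Issuer -> attribute types, one per line
dn_types_of() {
    printf '%s\n' "$1" | sed -n "s/^ *$2: *//p" | head -n 1 \
        | tr ',' '\n' | sed 's/^ *//; s/ *=.*//'
}

# Run all checks, print one line per check, return 0 only if all pass.
check_cert_text() {
    text="$1"; rc=0
    alg=$(sig_alg_of "$text")
    if check_sig_alg "$alg"; then echo "ok   signature algorithm: $alg"
    else echo "FAIL signature algorithm: ${alg:-not found} (want sha1WithRSAEncryption)"; rc=1; fi
    bits=$(key_bits_of "$text")
    if check_key_bits "$bits"; then echo "ok   RSA key size: $bits bit"
    else echo "FAIL RSA key size: ${bits:-not found} (want 1024 or 2048)"; rc=1; fi
    for field in Subject Issuer; do
        types=$(dn_types_of "$text" "$field")
        if check_dn_types $types; then echo "ok   $field components: $(echo $types)"
        else echo "WARN $field has components outside C/L/O/OU/CN: $(echo $types)"; rc=1; fi
    done
    return $rc
}

# Constructed sample dumps (not real certificates). The first mirrors the
# shape of the names in Robert's mail (ST and emailAddress present); the
# second is a name that passes item 4. Host names and address are invented.
SAMPLE_ROBERT_STYLE='Certificate:
    Data:
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=DE, ST=BW, L=Stuttgart, O=LeRo, OU=IT Department, CN=ca.home.ro
        Subject: C=DE, ST=BW, L=Stuttgart, O=LeRo, OU=IT Department, CN=phone.example.invalid, emailAddress=user@example.invalid
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)'
SAMPLE_CLEAN='Certificate:
    Data:
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C = DE, L = Stuttgart, O = LeRo, OU = IT Department, CN = ca.example.invalid
        Subject: C = DE, L = Stuttgart, O = LeRo, OU = IT Department, CN = phone.example.invalid
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)'

# Real use: pass a PEM certificate on the command line. Without an argument
# the constructed Robert-style sample is checked instead.
if [ $# -gt 0 ]; then
    check_cert_text "$(openssl x509 -in "$1" -noout -text)"
else
    check_cert_text "$SAMPLE_ROBERT_STYLE" || true
fi
```

Run it as "sh check_nokia_cert.sh certs/nokia_cert.pem"; with no argument it checks the embedded Robert-style sample, which passes items 2 and 3 and warns on item 4 for both names. A non-zero exit status means at least one check failed or warned, which makes it usable from a script that rebuilds the PKCS#12 file only when the certificate fits the client's constraints.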