Hi,
Playing further with Glendale and Remote Access.
I've set up L2TP/IPsec with certificates (IKE authentication).
Built a quick CA with OpenSSL and issued some certificates (public key
1024 bits). One to Glendale and two to clients (Windows clients).
VPN_Clients---NAT_Device---Glendale---Internal Network
I can successfully connect with one VPN client behind the same NAT device at
a time.
When I try to connect with the second VPN client, IKE MM negotiations
appear to be OK, then the client sends the first IKE QM packet, which
generates an INVALID-ID-INFORMATION from Glendale. The client retransmits
the first IKE QM packet and Glendale says INVALID-MESSAGE-ID.
This happens both with pre-shared keys and certificates.
VPN clients have different certificates installed.
With PPTP, on the other hand, I can successfully connect with two VPN
clients behind the same NAT device at a time.
Leaving all these behind, I felt caught in a loop with certificates on
Glendale.
I've put the required certificates on a CD (cacert.pem, crl.pem,
host.vyatta.carbonwind.net.pem, host.vyatta.carbonwind.net.key) and then
copied them myself into the required directories (/etc/ipsec.d/cacerts,
/etc/ipsec.d/crls, /etc/ipsec.d/certs, /etc/ipsec.d/private).
With "set vpn l2tp remote-access ipsec-settings authentication x509
ca-cert-file" Glendale prompts me to specify the location of the CA
certificate. If I indicate /etc/ipsec.d/cacerts/cacert.pem, Glendale says
that it cannot copy cacert.pem because the file already exists, and the
"commit" fails.
Same thing with the rest of the "set vpn l2tp remote-access ipsec-settings
authentication x509" commands (server-cert-file...).
I've started all over again with a fresh install and this time I
indicate the cdrom as the location of the cert files.
All went fine and Glendale copies itself the certificates to the
required locations.
Very nice!
However, if I unmount the cd, after some modifications to the
configuration, I hit "commit" and Glendale complains that cert files
cannot be found(on the location of the cdrom).
As said before, I cannot specify /etc/ipsec.d/*, so I thought to enter
just the name of the certs, since they are in place now (cacert.pem...).
No luck either. The specified file does not exist.
Mount again the cdrom and things are back to "normal".
Obviously I cannot preserve my configuration through a reboot with the
location of cert files on the cd.
I've only managed to preserve the configuration through a reboot
when I've created a directory and manually copied the cert files there.
But that's not very smart.
Also, I think I've spotted an issue with "bigger certificates" (public
key 2048 bits) where IKE fragmentation occurs. But I need to further
test that (it might be just my mistake).
Thanks,
Adrian
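A pre-commit sanity check for the x509 files referenced by the "set vpn l2tp remote-access ipsec-settings authentication x509 ..." commands, added here as an example; it is not part of the post or of Vyatta. It assumes a Linux /proc/mounts, openssl in PATH, and hypothetical file paths, and flags the two failure modes described above: files that sit on the (unmountable) CD, and cert/key pairs that do not belong together.

```shell
#!/bin/sh
# Sanity-check the CA cert, server cert and server key before "commit".
# Added example (not Vyatta code); assumes /proc/mounts and openssl in PATH.

# 0 if PATH (arg 1) lives on an optical/removable mount, 1 otherwise.
# Arg 2 overrides the mount table (defaults to /proc/mounts) for testing.
on_removable_media() {
    _p=$1; _tab=${2:-/proc/mounts}; _best=""; _dev=""; _fs=""
    [ -r "$_tab" ] || return 1
    while read -r dev mnt fstype rest; do
        [ -n "$mnt" ] || continue
        hit=0
        case "$mnt" in
            /) hit=1 ;;
            *) case "$_p" in "$mnt"|"$mnt"/*) hit=1 ;; esac ;;
        esac
        # keep the longest (most specific) matching mount point
        if [ "$hit" -eq 1 ] && [ ${#mnt} -ge ${#_best} ]; then
            _best=$mnt; _dev=$dev; _fs=$fstype
        fi
    done < "$_tab"
    case "$_fs" in iso9660|udf) return 0 ;; esac
    case "$_dev" in /dev/sr*|/dev/cdrom*|/dev/scd*) return 0 ;; esac
    return 1
}

# 0 if the public key inside CERT (arg 1) equals the one derived from KEY (arg 2).
cert_key_match() {
    _a=$(openssl x509 -noout -pubkey -in "$1" 2>/dev/null) || return 2
    _b=$(openssl pkey -pubout -in "$2" 2>/dev/null) || return 2
    [ -n "$_a" ] && [ "$_a" = "$_b" ]
}

# Print the public key size of CERT in bits (e.g. 1024 or 2048).
cert_key_bits() {
    openssl x509 -noout -text -in "$1" 2>/dev/null |
        sed -n 's/.*Public[- ]Key: (\([0-9]*\) bit).*/\1/p' | head -n 1
}

# check_ipsec_certs CA-CERT SERVER-CERT SERVER-KEY: 0 only if all files are
# readable and persistent, the cert chains to the CA, and the key matches.
check_ipsec_certs() {
    _rc=0
    for _f in "$1" "$2" "$3"; do
        [ -r "$_f" ] || { echo "missing or unreadable: $_f" >&2; _rc=1; continue; }
        on_removable_media "$_f" && { echo "WARNING: $_f is on removable media; commit breaks after unmount" >&2; _rc=1; }
    done
    [ "$_rc" -eq 0 ] || return 1
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 || { echo "$2 does not chain to $1" >&2; return 1; }
    cert_key_match "$2" "$3" || { echo "$2 and $3 do not match" >&2; return 1; }
    echo "ok: chain verified, key matches, public key $(cert_key_bits "$2") bits"
}
```

Run it as check_ipsec_certs /path/to/cacert.pem /path/to/host.pem /path/to/host.key from the directory you intend to keep the files in; a non-zero exit means the commit would fail or the pair is wrong.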
_______________________________________________
Vyatta-users mailing list
Vyatta-users@mailman.vyatta.com
http://mailman.vyatta.com/mailman/listinfo/vyatta-users