Chapter 5
Creating X.509-based Connections
In this first example, we will use X.509 Certificates instead of raw RSA keys with leftrsasigkey= and rightrisasigkey= options. We are not using a CA yet, so we will sign the certificates with themselves, so-called self-signed certificates. In this case the trust comes from both ends having the public key of the other end preloaded. Only the real West and East have the private key corresponding to the public key obtained from the preloaded certificate.
When explicitly loading a certificate, Openswan implicitly trusts it, even if it has expired!
For each host, generate a host keyfile containing the private key, and a host certificate file containing the public key and the DN. You should end up with four files: west.key, west.cert,
east.key, and east.cert:
#openssl genrsa -out west.key 1024
#openssl req -new -key west.key -x509 -out west.cert
#openssl genrsa -out east.key 1024
#openssl req -new -key east.key -x509 -out east.cert
The second command will prompt you to fill in the RDNs to build a DN. It does not matter what you use for those DNs (such as country, name, or organization), since the DNs will be loaded from the two certificates, and will therefore always match. Each end will need its own private and public key, as well as the public key of the other end.
If you wish to use a passphrase to protect the key, you can add the option -des3 to the OpenSSL command, or at any later time run the following:
#mv west.key west.key.old
#openssl rsa -des3 -in west.key.old -out west.key
#rm west.key.old
Next, define the proper connection definition on East and West. On West, this would look like:
conn west-east left=193.110.157.81 leftcert=west.cert right=205.150.200.209 rightcert=east.cert #sendcr=always #nocrsend=yes auto=add
The file west.key is placed in /etc/ipsec.d/private/. The file east.key should not be present on West, as this is East's private key. The certificate files east.cert and west.cert should be placed in /etc/ipsec.d/certs/. The private keys will be loaded when Openswan starts, or when you run ipsec secrets. If they are passphrase protected, you will either need to type in the passphrase when you bring the connection up, or you can put the passphrase in the file
/etc/ipsec.secrets:
: RSA /etc/ipsec.d/private/west.key %prompt
or:
: RSA /etc/ipsec.d/private/west.key "YourPassphrase"
117
X.509 Certificates
It is best to avoid placing whitespace before the :, since older versions of Openswan are not able to parse such lines properly.
If you use prompt mode, then the private key will fail to load if Openswan is started from the system startup script, or if the service is restarted. To force Openswan to prompt for the passphrases, use the following command:
# ipsec secrets
If the passphrase is incorrect, Openswan will complain about this:
003 "/etc/ipsec.secrets" line 25: error loading RSA private key file
The logs would also show:
Feb 28 23:11:20 |
west pluto[24030]: forgetting secrets |
|
||
Feb 28 |
23:11:20 |
west pluto[24030]: loading secrets from |
"/etc/ipsec.secrets" |
|
Feb 28 |
23:11:20 |
west pluto[24030]: |
loaded private key |
file |
'/etc/ipsec.d/private/west.key' (1751 bytes) |
|
|||
Feb 28 |
23:11:20 |
west pluto[24030]: |
invalid passphrase |
|
Feb 28 |
23:11:20 |
west pluto[24030]: "/etc/ipsec.secrets" |
line 25: error loading |
|
RSA private key |
file |
|
|
|
If the certificates loaded correctly and the private key was successfully unlocked and loaded, you should see something like:
Feb 25 01:48:12 west pluto[9656]: Changing |
to directory '/etc/ipsec.d/cacerts' |
||
Feb 25 01:48:12 west pluto[9656]: Changing |
to directory '/etc/ipsec.d/aacerts' |
||
Feb 25 01:48:12 west pluto[9656]: Changing |
to directory |
||
'/etc/ipsec.d/ocspcerts' |
|
|
|
Feb 25 01:48:12 west pluto[9656]: Changing |
to directory '/etc/ipsec.d/crls' |
||
Feb 25 01:48:12 west pluto[9656]: |
loaded |
host cert file |
|
'/etc/ipsec.d/certs/east.cert' (1610 bytes) |
|
||
Feb 25 |
01:48:12 west pluto[9656]: |
loaded |
host cert file |
'/etc/ipsec.d/certs/west.cert' (1545 bytes) |
|
||
Feb 25 |
01:48:12 west pluto[9656]: added connection description "west-east" |
||
Feb 25 |
01:48:12 west pluto[9656]: loading secrets from "/etc/ipsec.secrets" |
||
Feb 25 |
01:48:12 west pluto[9656]: |
loaded |
private key file |
'/etc/ipsec.d/private/west.key' (1751 bytes)
You can also use the listall command to show the status of the X.509 Certificates and keys:
# ipsec auto --listall 000
000 List of Public Keys:
000
000 Feb 28 22:20:44 2005, 1024 RSA Key AwEAAdJlV, until Mar 30 21:13:24 2005 ok 000 ID_DER_ASN1_DN 'C=CA, ST=Ontario, L=Toronto, O=Xelerance, OU=Writers, CN=west.xelerance.com, E=west@xelerance.com'
000 Issuer 'C=CA, ST=Ontario, L=Toronto, O=Xelerance, OU=Writers, CN=west.xelerance.com, E=west@xelerance.com'
000 Feb 28 22:20:44 2005, 1024 RSA Key AwEAAdSGS, until Mar 30 21:13:59 2005 ok 000 ID_DER_ASN1_DN 'C=CA, ST=Ontario, L=Toronto, O=Xelerance, OU=Writers, CN=east.xelerance.com, E=east@xelerance.com'
000 Issuer 'C=CA, ST=Ontario, L=Toronto, O=Xelerance, OU=Writers, CN=east.xelerance.com, E=east@xelerance.com'
118
Chapter 5
000 |
|
|
000 |
List of X.509 End Certificates: |
|
000 |
|
|
000 |
Feb 28 22:20:44 2005, count: 1 |
|
000 |
subject: 'C=CA, ST=Ontario, L=Toronto, O=Xelerance, OU=Writers, |
|
CN=west.xelerance.com, E=west@xelerance.com' |
||
000 |
issuer: 'C=CA, ST=Ontario, L=Toronto, O=Xelerance, OU=Writers, |
|
CN=west.xelerance.com, E=west@xelerance.com' |
||
000 |
serial: |
00 |
000 |
pubkey: |
1024 RSA Key AwEAAdJlV |
000 |
validity: not before Feb 28 20:13:24 2005 ok |
|
000 |
not after Mar 30 21:13:24 2005 warning (expires in 29 days) |
|
000 |
subjkey: 38:66:c9:78:2a:81:74:dc:73:3b:21:d3:55:39:14:2c:0d:d7:be:f2 |
|
000 |
authkey: 38:66:c9:78:2a:81:74:dc:73:3b:21:d3:55:39:14:2c:0d:d7:be:f2 |
|
000 |
aserial: |
00 |
000 |
Feb 28 22:20:44 2005, count: 1 |
|
000 |
subject: 'C=CA, ST=Ontario, L=Toronto, O=Xelerance, OU=Writers, |
|
CN=east.xelerance.com, E=east@xelerance.com' |
||
000 |
issuer: 'C=CA, ST=Ontario, L=Toronto, O=Xelerance, OU=Writers, |
|
CN=east.xelerance.com, E=east@xelerance.com' |
||
000 |
serial: |
00 |
000 |
pubkey: |
1024 RSA Key AwEAAdSGS, has private key |
000 |
validity: not before Feb 28 20:13:59 2005 ok |
|
000 |
not after Mar 30 21:13:59 2005 warning (expires in 29 days) |
|
000 |
subjkey: 93:23:8a:64:84:73:a1:17:99:a4:f3:9f:7b:b6:91:37:ba:dc:52:e8 |
|
000 |
authkey: 93:23:8a:64:84:73:a1:17:99:a4:f3:9f:7b:b6:91:37:ba:dc:52:e8 |
|
000 |
aserial: |
00 |
Note that if the private key is not available on this host, either because it is the private key of the remote side, or because our local private key failed to load, you will be able to determine this by looking at the pubkey: line, which will be missing the text "has private key". The above example shows we only have our own private key of East, and not the private key of West. On West, you should see the opposite situation. A good habit is to verify the keyids on the pubkey line to ensure you have transferred the proper key to the proper host.
Do not specify any leftid= or rightid=. Openswan will take the DN from the certificates and use that as the ID for IKE. In fact, either East or West can be a roadwarrior, while the other end can specify right=%any because the rightid= comes from the DN.
Now we can finally bring our connection up (or, if we use auto=start, it will come up automatically at startup unless the passphrase-prompting mode is enabled).
# ipsec auto --up west-east
If everything goes well, the log should show something like:
Feb 28 23:30:38 xsable pluto[24759]: "x509" #3: initiating Main |
Mode |
|
Feb 28 |
23:30:38 xsable pluto[24759]: "x509" #3: transition from |
state |
STATE_MAIN_I1 to state STATE_MAIN_I2 |
|
|
Feb 28 |
23:30:38 xsable pluto[24759]: "x509" #3: I am sending my |
cert |
Feb 28 |
23:30:38 xsable pluto[24759]: "x509" #3: I am sending a certificate |
|
request |
|
|
Feb 28 |
23:30:38 xsable pluto[24759]: "x509" #3: transition from |
state |
119