[strongSwan] StrongSwan Setup Questions

Chris Arnold carnold at electrichendrix.com
Sat Mar 31 18:24:58 CEST 2012


Alright, I am running into so many issues while generating certs that I am forced to back up and revisit what we need.
We have a remote site that we need to establish a secure connection with. They need to access our NAS, which is on our trusted LAN (192.168.123.x), and we need to have access to their server (192.168.1.x). They also will have approx. 6 roadwarriors that will need access to files on the server (probably through a mapped drive) and printing. Their client PCs are Windows 7, Vista and XP. They have a Netgear (with a public IP) and we have a SonicWall (with a public IP), so we will not be able to do a hardware VPN as the Netgear cannot be an endpoint. So we have to do a software VPN (so far so good). I have selected to use strongSwan and a host-to-host VPN because the site-to-site looks like you need a different subnet behind the gateways.

So that is what we need. Can we get what we need from the host-to-host VPN or does it need to be something else?


----- Original Message -----
From: "Julian Poschmann" <julian.poschmann at rwth-aachen.de>
To: users at lists.strongswan.org
Sent: Saturday, March 31, 2012 11:10:22 AM
Subject: Re: [strongSwan] StrongSwan Setup Questions

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 31.03.2012 05:17, Chris Arnold wrote:
> conn host-host
>     left=192.168.123.3
>     leftcert=/etc/ipsec.d/cacerts/self_teknerds.pem
>     leftid=@servername.electricdomain.com
>     leftfirewall=yes
You said the hosts themselves don't use a software firewall (i.e.
iptables). Therefore "leftfirewall" is useless here. Please read about
the options you are using in the man page.

Ok, for certificates: I don't know if self-signed certificates will
work, never tried. But for left/rightcert you don't want to specify a
CA certificate. Those are used to verify the certificates used for the
connection. Normally, you will want to use three certificates, one CA
and one for each host, signed by the CA. Put the CA certificate in
/etc/ipsec.d/cacert/ and your host certificate in /etc/ipsec.d/certs/
and you can omit the paths in ipsec.conf. You should end up with
something like this on host1:

ca teknerds
	cacert=self_teknerds.pem

conn host-host
	[...]
	leftcert=host1.pem
	[...]

Also, if you override leftid, the certificate must certify the value
you set, so the cert would have to have either a CN or a subjectAltName
with servername.electricdomain.com.


> 
> -ipsec.secrets: : RSA /etc/ipsec.d/cacerts/self_teknerds.pem
You have to point to the private key used for the certificate, which
should be stored in /etc/ipsec.d/private/. Using the above, you should
end up with something like

: RSA host1.key

> 
> and the strongswan conf is below.
> 
> -Results of ipsec up host-host: no socket implementation
> registered, receiving failed
Have a look at this:
<https://lists.strongswan.org/pipermail/dev/2010-May/000204.html>

> Is this right for the log file? I also restarted ipsec and looked
> in /var/log to see if i see the charon file and do not.
You are defining two charon{...} sections, don't do that. Merge the
filelog{...} section into the existing one.


- -- 
Julian Poschmann
Zeppelinstr. 31
52068 Aachen

Telefon: +49 170 3295135
E-Mail: julian.poschmannn at rwth-aachen.de
PGP-ID: 0x7D51DD8B
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (MingW32)

iEYEARECAAYFAk93Hl4ACgkQJmSm8H1R3YsJ/gCeO4Kw8NJFzKN/q/rW/a8WrvLi
VbcAn23G9j7eRwLp1FC6sGcM68wc5/iU
=ACNQ
-----END PGP SIGNATURE-----
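Julian's last point, the two charon{...} sections in strongswan.conf, is easy to miss by eye once a filelog block has been pasted in from a wiki page. The following is an added example, not code from the thread or from the strongSwan project: a small parser for the strongswan.conf syntax (a `name {` line opens a section, `}` closes it, `key = value` sets a value, `include <glob>` pulls in files, `#` starts a comment) that reports every section opened a second time under the same parent and emits the merged form Julian asks for. `SAMPLE_CONF` is a constructed config with the exact mistake from the thread.

```python
"""Detect and merge duplicate sections in a strongswan.conf.

Added example, not part of the thread or of strongSwan. Assumes only the
documented strongswan.conf syntax: `name {` opens a section, `}` closes it,
`key = value` sets a value, `include <glob>` pulls in files, `#` comments.
SAMPLE_CONF is constructed for illustration.
"""
import re
from collections import OrderedDict

SAMPLE_CONF = """\
# constructed example: charon is opened twice, which charon does not want
charon {
    load_modular = yes
    plugins {
        include strongswan.d/charon/*.conf
    }
}

charon {
    filelog {
        /var/log/charon.log {
            time_format = %b %e %T
            default = 2
        }
    }
}
"""

SECTION_OPEN = re.compile(r"^\s*([^\s{}#=]+)\s*\{\s*$")
INCLUDE = re.compile(r"^\s*include\s+(\S+)\s*$")
ASSIGN = re.compile(r"^\s*([^\s{}#=]+)\s*=\s*(.*?)\s*$")


def parse_strongswan_conf(text):
    """Parse text into an OrderedDict tree: section -> OrderedDict, key -> str,
    'include' -> list of globs. A section opened a second time under the same
    parent is merged into the first and reported in `duplicates` as
    (dotted.path, line_number)."""
    root = OrderedDict()
    stack = [("", root)]  # (dotted path of the open section, its dict)
    duplicates = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        path, cur = stack[-1]
        m = SECTION_OPEN.match(line)
        if m:
            name = m.group(1)
            full = f"{path}.{name}" if path else name
            existing = cur.get(name)
            if isinstance(existing, OrderedDict):
                duplicates.append((full, lineno))  # reopened: merge into the first
                child = existing
            elif existing is not None:
                raise ValueError(f"line {lineno}: {full} is both a value and a section")
            else:
                child = cur[name] = OrderedDict()
            stack.append((full, child))
            continue
        if line == "}":
            if len(stack) == 1:
                raise ValueError(f"line {lineno}: unmatched '}}'")
            stack.pop()
            continue
        m = INCLUDE.match(line)
        if m:
            cur.setdefault("include", []).append(m.group(1))
            continue
        m = ASSIGN.match(line)
        if m:
            cur[m.group(1)] = m.group(2)
            continue
        raise ValueError(f"line {lineno}: cannot parse {raw!r}")
    if len(stack) != 1:
        raise ValueError(f"unclosed section {stack[-1][0]}")
    return root, duplicates


def render(tree, indent=0):
    """Serialise a tree back to strongswan.conf text, one block per section."""
    pad = "    " * indent
    lines = []
    for key, val in tree.items():
        if key == "include":
            lines.extend(f"{pad}include {inc}" for inc in val)
        elif isinstance(val, OrderedDict):
            lines.append(f"{pad}{key} {{")
            lines.extend(render(val, indent + 1))
            lines.append(f"{pad}}}")
        else:
            lines.append(f"{pad}{key} = {val}")
    return lines


def merge_duplicate_sections(text):
    """Return (merged_text, duplicates) for a strongswan.conf body."""
    tree, duplicates = parse_strongswan_conf(text)
    return "\n".join(render(tree)) + "\n", duplicates


if __name__ == "__main__":
    merged, dups = merge_duplicate_sections(SAMPLE_CONF)
    for path, lineno in dups:
        print(f"section '{path}' reopened at line {lineno}; merged into the first")
    print(merged)
```

Run against a real /etc/strongswan.conf, the script prints one line per reopened section and the single-charon form that should replace it; the filelog block ends up inside the existing charon section, which is exactly the merge Julian describes.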
