"Dr. David Alan Gilbert" <gilbertd@...> writes:
> Now that 2.5.x seems to run happily on my machine I've started looking
> at trying to convert from using FreeS/WAN to using the ipsec
> implementation in Linux 2.5.
Excellent. We could use more people finding the problems in this
code. I've already found one major architectural issue and I'm not
sure how to get around it. In particular, I have not figured out how
to set up a Linux-2.5 + IPsec-tools machine to act as a VPN Server for
a bunch of road-warriors. I believe that there is no way to configure
racoon to do this, and there is no way to configure the SPD to do this
> I have a freeswan setup that uses rsa signatures, without certificates
> and am trying to figure out how to use the keys from the freeswan
> configuration to create certificates for use with ipsec-tools.
> (I really don't want to have to have a new set of keys generated on both
> ends; especially since I can see other people I know wanting to do this
> as well).
At one point I saw patches to OpenSSL that would let you "sign" a raw
key to make a certificate.. But I've never actually used that code.
Another option is implementing rawkey support in racoon. It's on my
list of things to do, but if someone else wants to submit a patch
I'll gladly incorporate it into the code.
> (I guess this is going to be come common as people start to move to
> What I have to work with is:
> 1) My ipsec.conf/ipsec_client.conf from freeswan which have
> 'leftrsasigkey' and 'rightrsasigkey' and an ipsec.secrets.
> 2) A perl script my Mike Gerber (see
> 01/msg00212.html) that takes the ipsec.secrets and produces
> a DER format file for the private key.
Ooh, cool! That would let you self-sign your own rawkey, if you
found the openssl rawkey patches.
> My problem is I can't see how to create the public key.
> I should at this point say I know nothing about the format of the
> files openssl uses (and have failed to find any documentation on them).
As I mentioned, the public key file is an x.509 certificate. You can
create it by using the OpenSSL 'sign' method, but you need to find the
> I tried taking a .PEM file and replacing the meat of it with the
> rsasigkey data (after removing the 0s) but openssl gave the error:
> PEM routines:PEM_read_bio:bad base64 decode:pem_lib.c:741:
> on trying to read it.
> The freeswan documents describes these fields:
> leftrsasigkey the left participant's public key for RSA
> signature authentication, in RFC 2537 format using ipsec_ttodata(3)
> and ipsec_ttodata says:
> A base64 text value begins with a 0s (or 0S) prefix and continues
> with four-digit groups of base64 digits (A-Z, a-z, 0-9, +,
> and /), each group encoding the value of three binary bytes as
> described in section 6.8 of RFC 2045. Note that the last one or
> two digits of a base64 group can be = to indicate that
> fewer than three binary bytes are encoded.
> I'm not really sure where to go next - I guess a decent understanding of
> what the PEM format is supposed to be like would be a good start;
> although a tool to do the conversion would be a lot nicer.
The PEM format is just a radix-64 encoding of the raw DER-encoded
X.509 cert. You still need to actually _generate_ an X.509 cert in
order to get it to work.
Or you can change racoon to accept the 0x... and 0s... key formats
and send me the patches ;)
> Thanks in advance for any advice,
Computer and Internet Security Consultant