From: Uri <uri...@op...> - 2005-06-20 03:22:35
Mike,

In short, what I'm seeing now is:

1. Racoon can handle only one "peers_certfile" per one "remote {}" block. So for "remote anonymous" "peers_certfile" is unacceptable - you need to create your own (OpenSSL-based) CA and sign the public keys of your clients.

2. There's a bug in either OpenSSL or Racoon code that affects local certificates - in my case when I use the peer's cert stored on my local disk, authentication fails because of a PKCS1 padding check failure. The same cert sent by the peer (Win XP) over the wire works like a charm.

> I have had a successful connection when I set "verify_identifier on",
> "verify_cert on" and "peers_certfile x509 <file>", where the cert in
> the peers_certfile directive matches the cert issued to the client,
> however I will have 5 or more RoadWarrior users all from dynamic IP's,
> and it doesn't seem to be possible to specify multiple peers_certfile
> directives in "remote anonymous" and have them all checked as a client
> connects (racoon seems to use only the last one specified - and if it
> doesn't match the one on the client the connect fails).

That's more than I can say - "peers_certfile x509 whatever" spells doom on my connections.

> I also connect successfully when I use pre-shared keys, but I really
> don't want to use this method if I can avoid it!

Yes, this works fine - and you could indeed dedicate a bunch of DHCP-assigned addresses to your clients and assign the same password to them. Needless to say, it's not the safest way...

> OpenSSL on the VPN Server machine verifies the certificates OK, and
> all certificates are linked to their magic hash. Windows also
> verifies all the certificates OK, and has a valid private key for the
> client certificate. For the moment, I'm trying to connect from the
> same network in a test environment before rolling out to the live
> environment.

If you set up a local CA on Linux, you can interoperate with Win XP IPsec. I've just done it. Certs work. Storing them locally doesn't work for me (yet?).

> # Anonymous connection section
> #
> remote anonymous {
>         passive on;
>         support_mip6 off;
>         # peers_certfile x509 "VPN_Client_Test_4_cert.pem";
>         peers_certfile x509 "VPN_Client_Test_5_cert.pem";

This is where the doom is spelled. Don't specify the local files. Let the clients provide their certs within the IKE exchange. Then everything will work fine.

>         my_identifier asn1dn "CN=172.16.32.1, C=GB,
>         L=Test, ST=Site, O=VPN Cert Test, OU=VPN Test OU";
>         peers_identifier asn1dn "CN=*, C=GB, L=Test, ST=Site, O=VPN Cert Test,
>         OU=VPN Test OU";

I wouldn't do this, unless you have only one client. Let your ID be figured out from your cert, and the client's ID - from his.

>         script "/etc/racoon/ph1_up" phase1_up;
>         script "/etc/racoon/ph1_down" phase1_down;

I wonder what you're putting inside those scripts. Care to share with me?
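For reference, here is a server-side racoon.conf fragment put together along the lines Uri describes: clients authenticate with certificates issued by a local CA and sent in the IKE exchange, there is no peers_certfile, and both identities are taken from the certificates. This is an added example, not configuration from either poster; the certificate path and file names are constructed placeholders, and it assumes the CA certificate has been placed in the certificate directory under its hash-named link (the "magic hash" Mike mentions) so racoon can find it.

```conf
# Server-side racoon.conf for road-warrior clients with CA-issued certs.
# Constructed example; paths and file names are placeholders.

# Directory holding the server cert/key, the CA cert and the c_rehash
# (hash-named) symlink racoon uses to locate the CA when verifying.
path certificate "/etc/racoon/certs";

remote anonymous {
        exchange_mode main;
        passive on;             # server only answers, never initiates
        generate_policy on;     # build SPD entries for whatever client address appears
        nat_traversal on;

        # The server's own certificate and private key (placeholders).
        certificate_type x509 "vpn-server-cert.pem" "vpn-server-key.pem";

        # Verify the client cert received in IKE against the CA in the
        # certificate path. No peers_certfile: one CA signature check covers
        # every client instead of one local file per client.
        verify_cert on;

        # Take both identities from the certificates rather than hard-coding
        # a single DN, so any CA-issued client can connect.
        my_identifier asn1dn;
        peers_identifier asn1dn;

        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method rsasig;
                dh_group modp1024;
        }
}

sainfo anonymous {
        pfs_group modp1024;
        encryption_algorithm aes, 3des;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}
```

With this layout, revoking or adding a client is a matter of issuing or withholding a certificate from the local CA rather than editing the remote block for each user.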