Re: [Ipsec-tools-devel] Help with Windows 2000 <--> Racoon w/X509

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

Mike,

In short, what I'm seeing now is:

1. Racoon can handle only one "peers_certfile" per  one "remote {}" block.
So for "remote anonymous" "peers_certfile" is unacceptable - you need to
create your own (OpenSSL-based) CA and sign the public keys of your clients.

2. There's a bug in either OpenSSL or Racoon code that affects local
certificates - in my case when I use peer's cert stored on my local disk,
authentication fails because of PKCS1 padding check failure. Same cert
sent by the peer (Win XP) over the wire works like charm.

> I have had a successful connection when I set "verify_identifier on", 
> "verify_cert on" and "peers_certfile x509 <file>", where the cert in 
> the peers_certfile directive matches the cert issued to the client, 
> however I will have 5 or more RoadWarrior users all from dynamic IP's, 
> and it doesn't seem to be possible to specify multiple peers_certfile 
> directives in "remote anonymous" and have them all checked as a client 
> connects (racoon seems to use only the last one specified - and if it 
> doesn't match the one on the client the connect fails).

That's more than I can say - "peers_certfile x509 whatever" spells doom 
on my connections.

> I also connect successfully when I use pre-shared keys, but I really 
> don't want to use this method if I can avoid it!

Yes this works fine - and you could indeed dedicate a bunch of 
DHCP-assigned addresses to
your clients and assign the same password to them. Needless to say, it's 
not the safest way...

> OpenSSL on the VPN Server machine verifies the certificates OK, and 
> all certificates are linked to their magic hash.  Windows also 
> verifies all the certificates OK, and has a valid private key for the 
> client certificate.  For the moment, I'm trying to connect from the 
> same network in a test environment before rolling out to the live 
> environment.

If you set a local CA on Linux, you can interoperate with Win XP IPsec. 
I've just done it. Certs work.
Storing them locally doesn't work for me (yet?).

> # Anonymous connection section
> #
> remote anonymous {
> passive on;
> support_mip6 off;
> # peers_certfile x509 "VPN_Client_Test_4_cert.pem";
> peers_certfile x509 "VPN_Client_Test_5_cert.pem";

This is where the doom is spelled. Don't specify the local files. Let
the clients provide theis certs within the IKE exchange. Then everything
will work fine.

> my_identifier asn1dn "CN=172.16.32.1 <http://172.16.32.1>, C=GB, 
> L=Test, ST=Site, O=VPN Cert Test, OU=VPN Test OU";
> peers_identifier asn1dn "CN=*, C=GB, L=Test, ST=Site, O=VPN Cert Test, 
> OU=VPN Test OU";

I wouldn't do this, unless you have only one client. Let your ID be 
figured out fro your cert,
and client's ID - from his.

> script "/etc/racoon/ph1_up" phase1_up;
> script "/etc/racoon/ph1_down" phase1_down;

I wonder what you're putting inside those scripts. Care to share with me?