From: Dan S. <dan...@uc...> - 2009-02-11 14:20:14
Sorry, I accidentally pressed send too soon :X

> cat ifcfg-ipsec0
DST=128.135.19.61
TYPE=IPSEC
ONBOOT=yes
IKE_METHOD=PSK

I don't understand how this file should be modified, and I can't really find any documentation on how to do this. I'm assuming the IKE_METHOD should be set to RSA or something along those lines, but I can't find any man page or good documentation for these interface configuration files. Am I looking in the wrong place?

I guess I don't really understand how the ipsec0 interface configuration relates to the racoon daemon itself. It seems like these parameters are already configured in the racoon.conf and are redundant.

Can somebody maybe point me to some documentation or explain how ifcfg-eth0 should be configured for RSA certificate authentication?

Thanks,
Dan

Dan Sullivan wrote:
> Hello,
>
> I am not 100% sure I'm asking this question in the right place but I'll
> take a stab at sending to this list again. The support I got here last
> time was great, so I'm hoping that somebody could either answer my
> question or point me in the right direction.
>
> Basically, a while back I had some questions about setkey/racoon.conf
> and building Phase 2 SA using a PSK. I got that up working fine, but
> now I want to take it a step further. I'm trying to get this setup
> using certificates.
>
> It looks to me like the racoon configuration to do this is
> straightforward; essentially do the following;
>
> 1) cp /path/to/cacert.pem /etc/racoon/certs
> 2) cd /etc/racoon/certs
> 3) ln -s cacert.pem `openssl x509 -hash -noout -in cacert.pem`.0
> 4) change racoon.conf to change authentication type, set certificate
> type, set identifier, and turn verify_cert on
>
> So, I understand that part and I am pretty confident that it will work.
> What I am really confused about and can't find any documentation for
> is how the ipsec0 interface should be configured. Currently, my
> ifcfg-ipsec0 configuration file looks like this:
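
An added example, not part of the original message: a check that a racoon.conf carries the four changes named in step 4 of the quoted procedure (authentication type, certificate type, identifier, verify_cert on). The sample configurations, certificate file names, proposal values and function names are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Sample contents are constructed.

# Constructed sample: remote section using certificates (file names assumed).
sample_cert_conf() {
cat <<'EOF'
path certificate "/etc/racoon/certs";
remote 128.135.19.61 {
    exchange_mode main;
    my_identifier asn1dn;          # identifier taken from the cert subject
    certificate_type x509 "host_cert.pem" "host_key.pem";
    verify_cert on;
    proposal {
        encryption_algorithm aes;
        hash_algorithm sha1;
        authentication_method rsasig;
        dh_group 2;
    }
}
EOF
}

# Constructed sample: the PSK setup, with verify_cert only in a comment.
sample_psk_conf() {
cat <<'EOF'
remote 128.135.19.61 {
    exchange_mode main;
    # verify_cert on;
    proposal {
        encryption_algorithm aes;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group 2;
    }
}
EOF
}

# Reads a racoon.conf on stdin; prints each missing setting, returns 1 if any.
check_racoon_cert_auth() {
    body=$(sed 's/#.*$//')      # drop comments so disabled lines do not count
    rc=0
    for pat in 'authentication_method[[:space:]]+rsasig[[:space:]]*;' \
               'certificate_type[[:space:]]+x509[[:space:]]+"[^"]+"[[:space:]]+"[^"]+"[[:space:]]*;' \
               'my_identifier[[:space:]]+[a-z0-9_]+' \
               'verify_cert[[:space:]]+on[[:space:]]*;'
    do
        printf '%s\n' "$body" | grep -Eq "$pat" || { echo "missing: $pat"; rc=1; }
    done
    return $rc
}

sample_cert_conf | check_racoon_cert_auth && echo "certificate authentication configured"
```

Against a real setup the check would be run as `check_racoon_cert_auth < /etc/racoon/racoon.conf`; a configuration left on PSK, or with `verify_cert` commented out, is reported setting by setting.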