
Re: [Users] x.509 and ipsec.secrets

From: Andreas Steffen (andreas.steffen_at_zhwin.ch)
Date: Thu Mar 28 2002 - 08:27:30 CET


Currently you can have several different private keys for roadwarrior
connections only if you define them explicitly for each roadwarrior:

"<DN of roadwarrior 1>" : RSA <private key 1>

"<DN of roadwarrior 2>" : RSA <private key 2, might equal private key 1>

...

where DN is a distinguished name of the form C=DE, ST=state, ...

Additionally, you could then have a single anonymous definition for
your existing rsasig tunnels:

 : RSA <default private key>

Or the other way round: A single anonymous definition handling all
your roadwarriors and an explicit definition for each of your
tunnel connections using a second private key.

What is not possible right now are anonymous definitions of the kind:

 : RSA <private key 1>

 : RSA <private key 2>

This will become reality in version 0.9.10 of the X.509 patch to
be released concurrently with freeswan-1.97.

Andreas

Marc wrote:
>
> Hello all,
>
> I have a problem using freeS/WAN with multiple tunnels. There are some
> tunnels running via the common way (rsasig).
>
> Now I want to add some Roadwarriors to connect to that Gateway, that
> shall be done via certificates. So far so good, my trouble is that I
> don't know how to handle the private key stuff. The one I use for the
> "common"-connections is in RSA : {.....} format, the one I created for
> x.509 is not. The documentation says it is possible to have several
> private keys in /etc/ipsec.secrets, but which ID does the key need?
>
> I tried:
>
> C=DE, ST=state, O=organization, CN=user_at_host 0.0.0.0 : RSA ....
> C=DE, ST=state, O=organization, CN=user_at_host %any : RSA ...
>
> but it does not work. When I remove the "old" key and set the x.509 key
> as key for all connections (: RSA ...) the Roadwarrior connection
> worked.
>
> So Roadwarrior in general works. On the other hand I cannot use the
> x.509 key for my old connections, because I am not able to extract
> rsasigs, which are necessary for my old connections.
>
> Has anyone a clue on this?
>
> Thanks in advance
>
> Regards
>
> Marc
> _______________________________________________
> Users mailing list
> Users_at_lists.freeswan.org
> http://lists.freeswan.org/mailman/listinfo/users

-- 
======================================================================
Andreas Steffen                     e-mail: andreas.steffen_at_zhwin.ch
Zuercher Hochschule Winterthur      home:   http://www.zhwin.ch/~sna/
CH-8401 Winterthur (Switzerland)    phone:  +41 76 340 25 56
===============================================================[ZHW]==
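To make the rules in the reply above concrete, here is a small lint and lookup script for ipsec.secrets RSA entries. It is an added example, not FreeS/WAN's own parser: it only handles the `"<DN>" : RSA { ... }` and anonymous `: RSA { ... }` forms shown in the reply, treats selector matching as "exact selector match, else the anonymous default" (pluto's real selection logic is richer), and flags a second anonymous entry because, per the reply, that only becomes usable with X.509 patch 0.9.10. The sample file and all key bodies are constructed placeholders, not real RSA material.

```python
# Added example (not FreeS/WAN code): lint and key lookup for ipsec.secrets
# RSA entries, following the rules stated in the reply above. Matching is
# simplified on purpose; pluto's own selection logic is richer than
# "exact selector match, else anonymous default".
import re
from dataclasses import dataclass


@dataclass
class Secret:
    selectors: tuple   # empty tuple = anonymous entry (": RSA ...")
    key: str           # RSA key text with whitespace normalised


def _strip_comment(line):
    return line.split("#", 1)[0]


def _parse_entry(entry):
    m = re.match(r'^(.*?)\s*:\s*RSA\s+(.*)$', entry, re.S)
    if not m:
        raise ValueError("not an RSA entry: %r" % entry)
    sel_text, key = m.groups()
    # Selectors are whitespace-separated; a DN containing commas and
    # spaces must be one double-quoted token, as in "<DN of roadwarrior>".
    selectors = tuple(quoted or bare for quoted, bare in
                      re.findall(r'"([^"]*)"|(\S+)', sel_text))
    return Secret(selectors, " ".join(key.split()))


def parse_secrets(text):
    """Parse RSA entries; a '{ ... }' key block may span several lines."""
    entries, buf, depth = [], "", 0
    for raw in text.splitlines():
        line = _strip_comment(raw).rstrip()
        if depth == 0 and not line.strip():
            continue
        buf += line + " "
        depth += line.count("{") - line.count("}")
        if depth == 0:
            entries.append(_parse_entry(buf.strip()))
            buf = ""
    if depth != 0:
        raise ValueError("unbalanced braces in ipsec.secrets")
    return entries


def lint_secrets(entries, multiple_anonymous_ok=False):
    """Return a list of problems. Before X.509 patch 0.9.10 only one
    anonymous ': RSA' entry is usable, so a second one is flagged."""
    problems = []
    anonymous = [e for e in entries if not e.selectors]
    if len(anonymous) > 1 and not multiple_anonymous_ok:
        problems.append("%d anonymous ': RSA' entries; only one is supported "
                        "before X.509 patch 0.9.10" % len(anonymous))
    seen = {}
    for e in entries:
        for s in e.selectors:
            if s in seen and seen[s] != e.key:
                problems.append("selector %r bound to two different keys" % s)
            seen[s] = e.key
    return problems


def select_key(entries, peer_id):
    """Explicit selector match wins; otherwise the anonymous default."""
    for e in entries:
        if peer_id in e.selectors:
            return e.key
    for e in entries:
        if not e.selectors:
            return e.key
    return None


# Constructed sample; key bodies are placeholders, not real RSA material.
SAMPLE = """\
"C=DE, ST=state, O=org, CN=roadwarrior1" : RSA {
    Modulus: 0xPLACEHOLDER_KEY1   # PLACEHOLDER, not a real modulus
    }
"C=DE, ST=state, O=org, CN=roadwarrior2" : RSA {
    Modulus: 0xPLACEHOLDER_KEY1
    }
: RSA {
    Modulus: 0xPLACEHOLDER_DEFAULT
    }
"""

if __name__ == "__main__":
    ents = parse_secrets(SAMPLE)
    print("lint:", lint_secrets(ents))
    print(select_key(ents, "C=DE, ST=state, O=org, CN=roadwarrior1"))
    print(select_key(ents, "C=DE, ST=state, O=org, CN=unknown"))
```

Running it on the sample shows the two roadwarrior DNs resolving to their explicit key and an unlisted peer falling back to the anonymous default; appending a second anonymous `: RSA { ... }` entry produces the lint finding unless `multiple_anonymous_ok=True` is passed (the 0.9.10 situation).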



This archive was generated by hypermail 2.1.3 : Mon Jul 29 2002 - 05:19:47 CEST