Re: [Users] Contivity X.509, FreeSWAN w/ X.509 patches, and OpenSSL

From: Andreas Steffen (andreas.steffen_at_strongsec.net)
Date: Sun Oct 20 2002 - 13:20:28 CEST


We set up a Contivity <=> FreeS/WAN connection using X.509
certificates at the IPsec Global Summit 2001 in Paris. The link

   http://www.hsc.fr/ressources/ipsec/ipsec2001/

gives you the details. The IDX-PKI (which is an OpenSource
graphical front end to OpenSSL) was used to generate the
certificates. One problem we had to circumvent was the fact
that Nortel Contivity does not send the individual relative
distinguished names (e.g., C=CH, O=ACME, etc.) in the same
order as OpenSSL creates them. The X.509 patch cannot handle
this case (although the X.509 standards allow an arbitrary
ordering). Therefore we used a FQDN (i.e. hostname) as the ID
for the Contivity end and put the FQDN into the subjectAltName
field of the Contivity's certificate.

Hope this helps!

Andreas

Joe Philipps wrote:
> I've seen many Web pages that talk about Contivity <=> FreeSWAN
> interoperability. A good percentage of them are some takeoff on the
> interoperability page, about how to configure the FreeSWAN side and
> the Contivity side, citing lots of parameters, most notably that PSKs
> are necessary. Since my IP address doesn't change "often" (maybe once
> every other month), it is so far not a problem. I've read a little
> bit of the extensive PDF Contivity documentation from Nortel's site.
> For Road Warriors, the only "officially blessed" option seems to be an
> on-site Entrust or VeriSign setup, but that is EXTRAORDINARILY
> expensive IMHO for a strictly privately managed set of IPsec tunnels.
> IN THEORY, couldn't one just generate one's own CA with OpenSSL (let's
> call it pvtca), generate a CSR with the Contivity, sign it with pvtca,
> deliver this signed cert and this CA's cert to the Contivity, then
> start authenticating Road Warriors with certs signed by pvtca? The
> only hangup I see (being "stupid" and ignorant, that is) is that
> Nortel does not officially mention OpenSSL in its documentation, and
> therefore might open up a severe support liability should one's
> Contivity have problems. That would make most Contivity users quite
> nervous ("we paid WHAT for this, and now it's basically useless?").
> *I* certainly don't have thousands of dollars to throw away on a
> Contivity to test this with :-). Has anyone on this list been brave
> enough to try anything like this?
> _______________________________________________
> Users mailing list
> Users_at_lists.freeswan.org
> http://lists.freeswan.org/mailman/listinfo/users

======================================================================
Andreas Steffen e-mail: andreas.steffen_at_strongsec.com
strongSec GmbH phone: +41 76 340 25 56
Alter Zürichweg 20 home: http://www.strongsec.com
CH-8952 Schlieren (Switzerland)
==========================================[strong internet security]==
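The RDN-ordering mismatch and the FQDN-in-subjectAltName workaround described above, as an added example that is not part of this thread or of FreeS/WAN's X.509 patch: a strict (ordered) DN comparison fails when the peer presents the same RDNs in a different order, an order-insensitive comparison accepts it, and an FQDN ID is checked against the certificate's subjectAltName instead. The DN strings and hostname are constructed for illustration.

```python
from typing import List, Tuple

RDN = Tuple[str, str]

def parse_dn(dn: str) -> List[RDN]:
    """Split 'C=CH, O=ACME, CN=gw' into [('C','CH'), ('O','ACME'), ('CN','gw')].
    Assumes no escaped commas inside attribute values."""
    rdns = []
    for part in dn.split(","):
        attr, sep, value = part.strip().partition("=")
        if not sep or not attr.strip():
            raise ValueError(f"malformed RDN: {part!r}")
        rdns.append((attr.strip().upper(), value.strip()))
    return rdns

def dn_match_ordered(a: str, b: str) -> bool:
    """Strict comparison: identical RDNs in identical sequence."""
    return parse_dn(a) == parse_dn(b)

def dn_match_unordered(a: str, b: str) -> bool:
    """Order-insensitive comparison: the same multiset of RDNs."""
    return sorted(parse_dn(a)) == sorted(parse_dn(b))

def peer_id_matches(peer_id: str, cert_subject: str, cert_san_dns: List[str]) -> bool:
    """Check a peer's claimed ID against its certificate (hypothetical helper).
    A DN-style ID is compared strictly with the subject; any other ID is treated
    as an FQDN and looked up among the subjectAltName dNSName entries."""
    if "=" in peer_id:
        return dn_match_ordered(peer_id, cert_subject)
    return peer_id.lower() in {name.lower() for name in cert_san_dns}

# Constructed sample: the subject as OpenSSL wrote it into the certificate,
# and the same subject as the Contivity sends it, with the RDNs reordered.
OPENSSL_SUBJECT = "C=CH, O=ACME, OU=VPN, CN=contivity.example.com"
CONTIVITY_ID = "CN=contivity.example.com, OU=VPN, O=ACME, C=CH"
CONTIVITY_SAN = ["contivity.example.com"]

if __name__ == "__main__":
    print("ordered DN match   :", dn_match_ordered(OPENSSL_SUBJECT, CONTIVITY_ID))
    print("unordered DN match :", dn_match_unordered(OPENSSL_SUBJECT, CONTIVITY_ID))
    print("FQDN via SAN match :", peer_id_matches("contivity.example.com",
                                                  OPENSSL_SUBJECT, CONTIVITY_SAN))
```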

This archive was generated by hypermail 2.1.5 : Mon Oct 21 2002 - 05:20:28 CEST