Topic: IPsec site-to-site using certificates?
« on: October 18, 2007, 16:40:35 »
ET *
Posts: 25

Hi.
I have two m0n0walls running firmware 1.3b4. I have a site-to-site IPsec VPN between them using PSK.
Now I would like to change to certificates instead of PSK. Can anyone help me with this? Maybe a small how-to?
TIA
« Reply #1 on: January 13, 2008, 18:21:55 »
ET *
Posts: 25

No one on this forum uses site-to-site IPsec VPN with certificates?
« Reply #2 on: March 07, 2008, 15:14:24 »
ET *
Posts: 25

Any news on this topic? I got my IPsec VPN up and going with trial and error, but I still get a warning:
racoon: WARNING: No ID match.
Can someone explain to me what it means?
TIA.
« Reply #3 on: March 13, 2008, 12:22:59 »
acid-mic *
Posts: 11

It looks like your cert entry for subjectAltName and your "My Identifier" don't match, or the entry is missing. You have to create a v3 certificate.

With OpenSSL I've added the entry subjectAltName=IP:x.x.x.x to my openssl.cnf in [usr_cert] and created the certificate with it. In the m0n0wall config I've edited the "My Identifier" value to the same value as my cert: IP address   x.x.x.x

I hope this may help you.
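An added example (not from acid-mic or the m0n0wall project) of the v3 certificate step described above and of the identifier check in replies #3 and #13: it builds a constructed openssl.cnf with subjectAltName=IP:... in [usr_cert], mints a self-signed cert, and reads the SAN back so the "My identifier" value can be compared before racoon complains about "No ID match". The file names, the self-signed form (instead of a CA-signed peer cert) and the helper names are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or m0n0wall. Self-signed for a runnable
# demo; a real deployment signs the CSR with the site CA instead.
set -eu

# write_cnf FILE IP: constructed minimal openssl.cnf. [usr_cert] is the
# section the thread says subjectAltName=IP:x.x.x.x was added to.
write_cnf() {
    cat > "$1" <<EOF
[ req ]
distinguished_name = req_dn
prompt = no
[ req_dn ]
CN = peer1
[ usr_cert ]
basicConstraints = CA:FALSE
subjectAltName = IP:$2
EOF
}

# make_peer_cert DIR IP: writes DIR/peer1.key and DIR/peer1-signed.pem
# (peer1-signed.pem is the file name racoon warns about in the thread).
make_peer_cert() {
    write_cnf "$1/openssl.cnf" "$2"
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -config "$1/openssl.cnf" -extensions usr_cert \
        -keyout "$1/peer1.key" -out "$1/peer1-signed.pem" 2>/dev/null
}

# san_ip CERT: prints the IP found in subjectAltName, or nothing if absent
# (a v1 cert or one without the SAN prints nothing).
san_ip() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' \
        | sed -n 's/.*IP Address:\([0-9.]*\).*/\1/p'
}

# ident_matches CERT ID: succeeds only when ID equals the SAN IP, i.e. the
# value to enter as "My identifier" (IP address) for this certificate.
ident_matches() {
    [ -n "$(san_ip "$1")" ] && [ "$(san_ip "$1")" = "$2" ]
}
```

Run it as `make_peer_cert /tmp/peer1 83.13.86.98 && san_ip /tmp/peer1/peer1-signed.pem` to see the IP that must appear in the tunnel's Phase 1 identifier.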
« Reply #4 on: March 13, 2008, 21:11:14 »
ET *
Posts: 25

OK. I've got the certificates right. They have subjectAltName=IP:x.x.x.x.
Can you please write how to edit the m0n0wall config to change "My Identifier" to the same value as my certificate? Do I have to edit the XML config file or edit "My Identifier" over the WebUI of m0n0wall?
Let's say my certificate has IP 83.13.86.98. What should I enter as "My Identifier"?
« Last Edit: March 13, 2008, 21:12:48 by ET »
« Reply #5 on: March 14, 2008, 13:12:21 »
acid-mic *
Posts: 11

You may change it in the web GUI.

VPN -> IPsec -> Edit Tunnel:

My identifier (in Phase 1 section):   (combobox:) IP address   (textfield:) 83.13.86.98

OK?
« Reply #6 on: March 14, 2008, 16:35:50 »
ET *
Posts: 25

OK. Now I've got no warning about no ID match, but there are two more warnings.

racoon: WARNING: /var/etc/racoon.conf:10: ""peer1-signed.pem" This directive without certtype will be removed!

and

racoon: WARNING: /var/etc/racoon.conf:10: ""peer1-signed.pem" Please use 'peers_certfile x509 "peer1-signed.pem";' instead.

Should I worry about those warnings?
« Reply #7 on: March 14, 2008, 17:40:38 »
ET *
Posts: 25

OK. Everything works now. I'm using the CA certificate now and not the peer certificate. Using the CA certificate causes only errors about no CRLs for my certificates.
Thank you very much acid-mic. You're my savior.
« Reply #8 on: March 15, 2008, 13:16:43 »
ET *
Posts: 25

Well, I got one big issue with my IPsec setup when using certificates.
I've got 4 sites.
Site A, B, C and D.
Site A is my main office.
Sites B, C, and D are branch offices.
Every branch office is connected with one IPsec VPN tunnel to the main office.
The problem is: when I restart m0n0 in a branch office the tunnel comes up fine, but when I restart m0n0 at the main office the tunnels won't come up. Pinging from a branch office to the main office also doesn't bring the tunnel up. Only pinging from the main office to a branch office brings the tunnel up.
But with a PSK setup, when I restarted the main office m0n0 the tunnels came up just after successful bootup of the main office m0n0.
When rebooting the main office m0n0, the branch office m0n0 has an SAD active. When I delete the SAD on the branch office m0n0 the tunnel comes up fine.

Any suggestions on this issue?
« Last Edit: March 15, 2008, 13:33:58 by ET »
« Reply #9 on: March 17, 2008, 09:55:11 »
acid-mic *
Posts: 11

Hello!

I've got these two warnings too, so maybe it's normal?!? But everything works fine for me too; I think we should just ignore it!

With the other problem you have I can't help you at this time. At the moment I'm also building a second tunnel to another location. I'll tell you more if I run into the same problem.
« Reply #10 on: March 17, 2008, 11:04:07 »
ET *
Posts: 25

I also found out that you don't have to set the field "My Identifier" to IP address and type the IP address from your certificate. For me it works with the standard "My IP address".
I'm also looking at pfSense. It has an option in the tunnel config to ping the other end or IP of the tunnel, which in my case would resolve the problems with the IPsec VPN.
« Reply #11 on: March 17, 2008, 18:05:19 »
ChainSaw
Guest

As far as I can tell, "My IP address" means your current IP address and the box to the right should really not accept any input. In any case I always leave the box empty when I use that option and have never had any problems. It looks to me like a small UI bug.

CS...
« Reply #12 on: March 20, 2008, 09:42:21 »
acid-mic *
Posts: 11

I intend to have multiple tunnels to one location, so I think I need to have different identifiers?!?
The two tunnels work fine for me today.
« Reply #13 on: March 20, 2008, 12:27:28 »
ET *
Posts: 25

Every m0n0 I manage which has an IPsec VPN has its own certificate with subjectAltName set to its public IP.
I'm using the CA certificate for identity validation with the "My identifier" field set to "My IP address".
I don't think you need different identifiers. The VPN should work if you have multiple tunnels with the same identifier, in this case I suppose the IP, but you will have to enter it in "My identifier" as "IP address". I just wanted to be able to define that cert A is for the m0n0 in location A, etc.