From Fedora Project Wiki

(Created page with 'To setup ipsec with certs in tunnel mode using NSS GW Machine 1: w1.x1.y1.z1 GW Machine 2: w2.x2.y2.z2 w1.x1.y1.z1 <---> w2.x2.y2.z2 Note: In this example setup, both machines...')
 
m (Add draft notice and move to NSS Test Cases category)
Line 1: Line 1:
{{draft}}
To setup ipsec with certs in tunnel mode using NSS
To setup ipsec with certs in tunnel mode using NSS


Line 87: Line 89:


: RSA usercert2
: RSA usercert2
[[Category:NSS Test Cases]]

Revision as of 12:22, 16 October 2009

Warning.png
This page is a draft only
It is still under construction and content may change. Do not rely on the information on this page.

To setup ipsec with certs in tunnel mode using NSS

GW Machine 1: w1.x1.y1.z1 GW Machine 2: w2.x2.y2.z2

w1.x1.y1.z1 <---> w2.x2.y2.z2

Note: In this example setup, both machines are using NSS. If you want to use NSS only at one machine, say machine 1, you can use the following procedure only at machine 1, and you can use traditional ipsec setup at machine 2.

1. Create a new (if not already) nss db on both machines as follows:

certutil -N -d <path-to-ipsec.d dir>/ipsec.d

2. Creating CA certs at both machines:

On machine 1: certutil -S -k rsa -n cacert1 -s "CN=cacert1" -v 12 -d . -t "C,C,C" -x -d <path-to-ipsec.d dir>/ipsec.d

As we want to use the same certificate "cacert1" at machine 2, it needs to be exported first. To export the cacert1, do the following at machine 1: pk12util -o cacert1.p12 -n cacert1 -d /etc/ipsec.d

Copy the file "cacert1.p12" to the machine2 in "/etc/ipsec.d" directory.

On machine 2: Import the "cacert1" as follows:

cd /etc/ipsec.d pk12util -i cacert1.p12 -d /etc/ipsec.d certutil -M -n cacert1 -t "C, C, C" -d /etc/ipsec.d Now machine 2 also has the CA certificates "cacert1" in its NSS database.

3. Creating user certs at both machines:

On machine 1: certutil -S -k rsa -c cacert1 -n usercert1 -s "CN=usercert1" -v 12 -t "u,u,u" -d /etc/ipsec.d (Note this cert is signed by "cacert1")

On machine 2: certutil -S -k rsa -c cacert1 -n usercert2 -s "CN=usercert2" -v 12 -t "u,u,u" -d /etc/ipsec.d (Note this cert is signed by "cacert1" too)

4. Preparing ipsec.conf at both machines ipsec.conf at machine 1:

conn pluto-1-2 

      left=w1.x1.y1.z1
      leftid="CN=usercert1"
      leftsourceip=w1.x1.y1.z1
      leftrsasigkey=%cert
      leftcert=usercert1
      leftnexthop=w2.x2.y2.z2
      right=w2.x2.y2.z2
      rightid="CN=usercert2"
      rightsourceip=w2.x2.y2.z2
      rightrsasigkey=%cert
      rightnexthop=w1.x1.y1.z1
      rekey=no
      esp="aes-sha1"
      ike="aes-sha1"
      auto=add

ipsec.conf at machine 2:

conn pluto-1-2 

      left=w2.x2.y2.z2
      leftid="CN=usercert2"
      leftsourceip=w2.x2.y2.z2
      leftrsasigkey=%cert
      leftcert=usercert2
      leftnexthop=w1.x1.y1.z1
      right=w1.x1.y1.z1
      rightid="CN=usercert1"
      rightsourceip=w1.x1.y1.z1
      rightrsasigkey=%cert
      rightnexthop=w2.x2.y2.z2
      rekey=no
      esp="aes-sha1"
      ike="aes-sha1"
      auto=add

5. Preparing ipsec.secrets at both machines ipsec.secrets at machine 1:

RSA usercert1

ipsec.secrets at machine 1:

RSA usercert2
Retrieved from "https://fedoraproject.org/w/index.php?title=QA:Testcase_Openswan_with_nss&oldid=130402"