[Swan] Building site-to-site from old systems

Paul Wouters paul at nohats.ca
Mon Sep 22 04:08:26 EEST 2014


On Fri, 19 Sep 2014, Alex wrote:

>> An example with X.509 certificates:
>>
>> https://libreswan.org/wiki/Using_NSS_with_libreswan#Using_certificates_with_NSS
>
> Using these instructions, it looks like I need the following to
> recreate the CA and certs for each side:
>
> # Create a certificate authority
> # certutil -S -k rsa -n "ExampleCA" -s "CN=Example CA Inc" -v 12 -t "C,C,C" -x -d /etc/ipsec.d
> # Create a user (host) cert for both sides:
> # certutil -S -k rsa -c "ExampleCA" -n "user1" -s "CN=User Common Name" -v 12 -t "u,u,u" -d /etc/ipsec.d
>
> So after running these commands, the certs and CA are in cert8.db,
> key3.db and secmod.db, correct?

I think so. You can also have a look at using openssl, which we use for
our tests:

https://github.com/libreswan/libreswan/tree/master/testing/x509

> I can then export the CA and import it on the other side. Should I
> just recreate both host certs on the other side as well?

If you want to use certs, yes, you can just import both pkcs#12 files on
each end, although it is not needed to have the private key on both
sides (the pkcs12 contains privkey+cert+cacert).

> And this automatically creates 2048-bit keys?

Not sure, might be another option to certutil.

> So no actual certificate files are necessary, as they are with older openswan?

Correct. libreswan does not use /etc/ipsec.d/private or
/etc/ipsec.d/certs/ and does not need to use /etc/ipsec.d/cacerts/.

> Is there a way to test this setup with just one side using libreswan
> and the other side using the ancient 1024-bit keys?

You can always use your existing certificates and import those instead
of creating new ones. If you create new ones, you will have to export
it to pkcs12, then extract the pkcs12 into separate files to get the
key/cert/cacert to install on the openswan endpoint. Unless your
openswan endpoint is rhel/centos based in which case it already supports
nss so you can then just use pk12util to import it.

> Do I need to worry about NAT traversal for the one side that's using a
> 192.168. network, or is that done automatically?

That's done automatically. Nothing changed wrt libreswan/openswan.

> I did have this in the ipsec.conf that I pasted here originally. Is
> this secrets file used when it's configured to use X.509 certificates?

Yes, it is used to make a reference between the certificate and the private
key inside the nss database. We are working on no longer requiring that,
but for now you still need that : RSA entry in ipsec.secrets even if the
private key actually lives in the nss db and not in a
/etc/ipsec.d/private file.

Paul
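The steps discussed in this thread (create the CA and host certs in the NSS database, export one identity to PKCS#12, then either import it on an NSS-capable peer or split it into the separate key/cert/cacert files an openswan endpoint wants, plus the `: RSA` line in ipsec.secrets) as one added shell script. This is an added example, not code from the thread or from the libreswan project. Assumptions not stated in the thread: the certutil `-g` key-size flag (which answers the 2048-bit question explicitly), the nicknames ExampleCA/user1, the export password, the temporary database directory, and the two ipsec.secrets line formats shown.

```shell
#!/bin/sh
# Added example (not from the thread): build the NSS database a libreswan
# endpoint uses, export one host identity to PKCS#12 and unpack it into the
# separate key/cert/cacert files an openswan endpoint expects.
# Assumed, not from the thread: nicknames ExampleCA/user1, the -g key size
# flag, the export password, and the secrets-file formats below.
set -eu

NSSDIR="${NSSDIR:-$(mktemp -d)/ipsec.d}"    # on a real host: /etc/ipsec.d
P12PASS="${P12PASS:-export-pass-change-me}" # only protects the .p12 in transit

# Line libreswan needs in ipsec.secrets when the private key lives in NSS:
# it ties the connection to the cert by its NSS nickname (assumed format).
libreswan_secret() {   # $1 = NSS nickname
    printf ': RSA "%s"\n' "$1"
}

# Equivalent line for a non-NSS openswan peer, which reads a key file
# under /etc/ipsec.d/private instead (assumed format).
openswan_secret() {    # $1 = key file name
    printf ': RSA %s\n' "$1"
}

# 1. Fresh NSS database (cert8.db, key3.db, secmod.db) with no DB password,
#    plus a noise file so certutil does not prompt for keyboard entropy.
init_db() {
    mkdir -p "$NSSDIR"
    certutil -N -d "$NSSDIR" --empty-password
    head -c 512 /dev/urandom > "$NSSDIR/noise.bin"
}

# 2. CA and host certs. -g fixes the RSA key size explicitly (2048 here),
#    so the key size does not depend on certutil's default.
make_ca() {
    certutil -S -d "$NSSDIR" -z "$NSSDIR/noise.bin" -k rsa -g 2048 \
        -n "ExampleCA" -s "CN=Example CA Inc" -v 12 -t "C,C,C" -x
}

make_host_cert() {   # $1 = nickname, $2 = subject CN
    certutil -S -d "$NSSDIR" -z "$NSSDIR/noise.bin" -k rsa -g 2048 \
        -c "ExampleCA" -n "$1" -s "CN=$2" -v 12 -t "u,u,u"
}

# 3. Export private key + cert + CA cert as one PKCS#12 file.
export_p12() {       # $1 = nickname, $2 = output .p12
    pk12util -d "$NSSDIR" -n "$1" -o "$2" -W "$P12PASS"
}

# 4a. NSS-based peer (e.g. RHEL/CentOS openswan): import the .p12 directly.
import_p12() {       # $1 = .p12, $2 = peer's NSS directory
    pk12util -d "$2" -i "$1" -W "$P12PASS"
}

# 4b. Non-NSS openswan peer: split the .p12 into the three PEM files it
#     expects under ipsec.d/{private,certs,cacerts}.
unpack_for_openswan() {   # $1 = .p12, $2 = nickname, $3 = target ipsec.d
    mkdir -p "$3/private" "$3/certs" "$3/cacerts"
    openssl pkcs12 -in "$1" -passin "pass:$P12PASS" -nocerts -nodes \
        -out "$3/private/$2.key"
    openssl pkcs12 -in "$1" -passin "pass:$P12PASS" -clcerts -nokeys \
        -out "$3/certs/$2.crt"
    openssl pkcs12 -in "$1" -passin "pass:$P12PASS" -cacerts -nokeys \
        -out "$3/cacerts/ExampleCA.crt"
    chmod 600 "$3/private/$2.key"   # the key file must stay root-only
}

# Runs the whole flow when the tools are installed; otherwise reports and
# returns success so the script is harmless on a box without NSS tools.
run_demo() {
    for t in certutil pk12util openssl; do
        command -v "$t" >/dev/null 2>&1 || { echo "skipping: $t not installed"; return 0; }
    done
    init_db
    make_ca
    make_host_cert user1 "User Common Name"
    export_p12 user1 "$NSSDIR/user1.p12"
    unpack_for_openswan "$NSSDIR/user1.p12" user1 "$NSSDIR/peer"
    certutil -L -d "$NSSDIR"                          # lists ExampleCA and user1
    libreswan_secret user1 > "$NSSDIR/ipsec.secrets"
    openswan_secret user1.key > "$NSSDIR/peer/ipsec.secrets"
    [ -s "$NSSDIR/peer/private/user1.key" ]
}

case "${1:-}" in run) run_demo ;; esac
```

Run it as `sh nss-site-to-site.sh run`; it works in a throwaway directory by default, so point NSSDIR at /etc/ipsec.d only when you mean to populate the real database. The .p12 carries the private key, so it should be copied to the peer over an authenticated channel and deleted afterwards; the three PEM files on the openswan side need the same care as the NSS key database on the libreswan side.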

