[Swan] Adding host to subnet VPN

Alex mysqlstudent at gmail.com
Mon Feb 22 01:13:38 UTC 2016


Hi,

>> I'd now like to add another fedora23 system by itself to the
>> configuration. I suppose this is just a "road warrior" type of
>> configuration.
>>
>> I've experimented quite a bit with adapting my configuration to also
>> create a subnet-to-host setup, and haven't gotten it to work. I don't
>> see any similar examples on the website that describe using certs.
>
>
> I'm not quite sure what you mean.
>
> It seems like you want a roadwarrior, so right=%any and rightid=<the CN from
> your cert>
> and then just have the rest similar to your other two conns?

Can I just leave out the subnet declarations where they're not
necessary? Assuming 'arcade' (23.227.181.206) was the name of the
roadwarrior host and its default route is 23.227.181.193:

conn VPN-DGHQ-DGXO-2
    auto=start
    left=68.111.193.42
    leftnexthop=68.111.193.41
    leftsubnet=192.168.1.0/24
    leftid="@C=US, ST=New Jersey, L=Newark, O=My Company Inc, CN=orion.example.com"
    leftcert=orion
    right=23.227.181.206
    rightnexthop=23.227.181.193
    rightid="@C=US, ST=New Jersey, L=Newark, O=My Company Inc, CN=cyclops.example.com"
    rightcert=arcade

So, in other words, there's a subnet behind the rightnexthop, but only
a host (roadwarrior?) on the left side.

Also, when I try to use my existing CA to create another cert for the
new host, it's unable to find it:

# certutil -L -d /etc/ipsec.d

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

cyclops                                                      u,u,u
DGHQ Authority - MyCompany Inc                               ,,
orion                                                        u,u,u

# certutil -S -k rsa -c "DGHQ Authority - MyCompany Inc" -n "arcade" \
    -s "CN=MyCompany Inc" -v 12 -t "u,u,u" -d /etc/ipsec.d
...
certutil: unable to retrieve key DGHQ Authority - MyCompany Inc:
SEC_ERROR_NO_KEY: The private key for this certificate cannot be found
in key database
certutil: unable to create cert (The private key for this certificate
cannot be found in key database)

Did I somehow screw up the process of creating the CA in the first place?

Thanks,
Alex
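The SEC_ERROR_NO_KEY shown at the end of the message is what certutil -S -c reports when the issuer nickname resolves to a certificate in the database given by -d but no matching private key exists in its key database. A CA certificate imported on its own with certutil -A has exactly that shape: it appears in certutil -L but has no line in certutil -K, and it cannot sign anything. The script below is an added example for this page, not code from Alex's post or from libreswan: it builds a throwaway NSS database, creates a self-signed CA whose private key stays in that database, issues a host certificate signed by it, and checks that each nickname has both a certificate and a key. The nicknames "Test Authority" and "arcade", the subjects, and the temporary directory are assumptions; an empty database password keeps the run non-interactive.

```shell
#!/bin/sh
# Added example (not from the original post). Demonstrates an NSS database
# that holds BOTH the CA certificate and its private key, so that
# "certutil -S -c <ca-nick>" can sign a host certificate. Nicknames,
# subjects and the database directory are assumptions for illustration.
set -e

# Create an empty NSS database, a self-signed CA (key kept in the db) and a
# host certificate issued by that CA.
#   $1 database directory   $2 CA nickname   $3 host nickname   $4 host CN
make_ca_and_host_cert() {
    dbdir="$1"; ca_nick="$2"; host_nick="$3"; host_cn="$4"
    mkdir -p "$dbdir"

    # Entropy file for key generation: with -z certutil does not ask you
    # to type random keystrokes.
    noise="$dbdir/noise.bin"
    dd if=/dev/urandom of="$noise" bs=128 count=1 2>/dev/null

    # 1. New database with an empty password (lab setting; keeps -S/-K
    #    from prompting for a PIN).
    certutil -N -d "sql:$dbdir" --empty-password

    # 2. Self-signed CA: -x self-signs, -2 adds basicConstraints; the three
    #    piped answers are "CA certificate? y", "path length: skip",
    #    "critical? y". The generated private key stays in key4.db, which
    #    is what a later -c lookup needs. "CT,," marks it as a trusted CA.
    printf 'y\n\ny\n' | certutil -S -d "sql:$dbdir" -n "$ca_nick" \
        -s "CN=$ca_nick" -x -t "CT,," -k rsa -g 2048 -Z SHA256 \
        -v 120 -m 1 -2 -z "$noise" >/dev/null

    # 3. Host certificate signed by the CA (-c). This is the step that
    #    fails with SEC_ERROR_NO_KEY when only the CA *certificate* was
    #    imported (certutil -A) and its private key is not in the database.
    certutil -S -d "sql:$dbdir" -n "$host_nick" -s "CN=$host_cn" \
        -c "$ca_nick" -t "u,u,u" -k rsa -g 2048 -Z SHA256 \
        -v 12 -m 2 -z "$noise" >/dev/null

    rm -f "$noise"
}

# Return 0 when nickname $2 has a certificate (-L) AND a private key (-K)
# in database $1. A signing CA must satisfy both; a cert-only import fails
# the second check.
has_cert_and_key() {
    dbdir="$1"; nick="$2"
    certutil -L -d "sql:$dbdir" -n "$nick" >/dev/null 2>&1 || return 1
    certutil -K -d "sql:$dbdir" 2>/dev/null | grep -q -- "$nick"
}

if command -v certutil >/dev/null 2>&1; then
    demo_dir=$(mktemp -d)
    make_ca_and_host_cert "$demo_dir" "Test Authority" "arcade" "arcade.example.com"
    certutil -L -d "sql:$demo_dir"   # both nicknames listed
    certutil -K -d "sql:$demo_dir"   # both private keys present
    has_cert_and_key "$demo_dir" "Test Authority" && echo "CA can sign"
    rm -rf "$demo_dir"
else
    echo "certutil (nss-tools) not installed; nothing to demonstrate" >&2
fi
```

Run it on a host with nss-tools installed; the -K listing is the quick check to apply to a real /etc/ipsec.d: if the CA nickname shows up in certutil -L but not in certutil -K, that database cannot issue certificates, and the CA's private key has to be imported (for example with pk12util -i from a PKCS#12 bundle) or the host certificate has to be issued wherever the CA key actually lives.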

