[Swan] Adding host to subnet VPN
mysqlstudent at gmail.com
Mon Feb 22 01:13:38 UTC 2016
>> I'd now like to add another fedora23 system by itself to the
>> configuration. I suppose this is just a "road warrior" type of
>> I've experimented quite a bit with adapting my configuration to also
>> create a subnet-to-host setup, and haven't gotten it to work. I don't
>> see any similar examples on the website that describe using certs.
> I'm not quite sure what you mean.
> It seems like you want a roadwarrior, so right=%any and rightid=<the CN from
> your cert>
> and then just have the rest similar to your other two conns?
Can I just leave out the subnet declarations where they're not
necessary? Assuming 'arcade' (22.214.171.124) was the name of the
roadwarrior host and its default route is 126.96.36.199:
leftid="@C=US, ST=New Jersey, L=Newark, O=My Company Inc,
rightid="@C=US, ST=New Jersey, L=Newark, O=My Company Inc,
So, in other words, there's a subnet behind the rightnexthop, but only
a host (roadwarrior?) on the left side.
Also, when I try to use my existing CA to create another cert for the
new host, it's unable to find it:
# certutil -L -d /etc/ipsec.d
Certificate Nickname Trust Attributes
DGHQ Authority - MyCompany Inc ,,
# certutil -S -k rsa -c "DGHQ Authority - MyCompany Inc" -n "arcade"
-s "CN=MyCompany Inc" -v 12 -t "u,u,u" -d /etc/ipsec.d
certutil: unable to retrieve key DGHQ Authority - MyCompany Inc:
SEC_ERROR_NO_KEY: The private key for this certificate cannot be found
in key database
certutil: unable to create cert (The private key for this certificate
cannot be found in key database)
Did I somehow screw up the process of creating the CA in the first place?
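As an added diagnostic (not part of the original thread), a small Python helper that reads the output of `certutil -L` and `certutil -K` and reports which nicknames actually have a private key in the NSS database, which is the condition behind the SEC_ERROR_NO_KEY failure above. The two listings are constructed samples, and `vpn-gateway` is a hypothetical host-cert nickname.

```python
import re

# Constructed sample output (not from the original post) of `certutil -L -d /etc/ipsec.d`.
# The CA shows empty trust flags (",,"): no "u" flag means no private key in this DB.
SAMPLE_CERT_LIST = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

DGHQ Authority - MyCompany Inc                               ,,
vpn-gateway                                                  u,u,u
"""

# Constructed sample output of `certutil -K -d /etc/ipsec.d`; -K lists private keys only.
SAMPLE_KEY_LIST = """\
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
< 0> rsa      0f1e2d3c4b5a69788796a5b4c3d2e1f00f1e2d3c   NSS Certificate DB:vpn-gateway
"""

# Trust attributes are three comma-separated flag groups (SSL, S/MIME, JAR/XPI).
TRUST_RE = re.compile(r"([pPcCTuw]*,[pPcCTuw]*,[pPcCTuw]*)\s*$")
# Key lines look like "< 0> rsa <key id> <nickname>"; the nickname may carry a "token:" prefix.
KEY_RE = re.compile(r"^<\s*\d+>\s+\S+\s+[0-9a-fA-F]+\s+(.+?)\s*$")


def parse_cert_list(text):
    """Map certificate nickname -> trust-attribute string from `certutil -L` output."""
    certs = {}
    for line in text.splitlines():
        m = TRUST_RE.search(line)
        if m and not line.startswith("Certificate Nickname"):
            nick = line[: m.start()].rstrip()
            if nick:
                certs[nick] = m.group(1)
    return certs


def parse_key_list(text):
    """Set of nicknames that have a private key, from `certutil -K` output."""
    keys = set()
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            keys.add(m.group(1).split(":", 1)[-1])  # drop any "token:" prefix
    return keys


def diagnose(cert_text, key_text):
    """Return {nickname: can_sign}: a cert can be the issuer in `certutil -S -c NICK`
    only if its private key is in the same DB (listed by -K and flagged 'u' by -L)."""
    keys = parse_key_list(key_text)
    return {nick: (nick in keys or "u" in trust)
            for nick, trust in parse_cert_list(cert_text).items()}
```

A CA that reports `False` here has only its certificate in the DB, so its key must be imported into the same database (for example with `pk12util -i <ca-bundle>.p12 -d /etc/ipsec.d`) before `certutil -S -c` can sign with it.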