Page created by Emaldonado. Latest revision as of 13:50, 16 May 2011
To set up IPsec with certificates in tunnel mode using NSS
GW Machine 1: w1.x1.y1.z1
GW Machine 2: w2.x2.y2.z2
w1.x1.y1.z1 <---> w2.x2.y2.z2
Note: In this example setup both machines use NSS. If you want to use NSS on only one machine, say machine 1, follow this procedure on machine 1 only and use the traditional (non-NSS) ipsec certificate setup on machine 2.
1. Create an NSS database on both machines (if one does not already exist):
certutil -N -d <path-to-ipsec.d dir>/ipsec.d
2. Creating the CA certificate (generated on machine 1, then imported on machine 2):
On machine 1:
certutil -S -k rsa -n cacert1 -s "CN=cacert1" -v 12 -t "C,C,C" -x -d <path-to-ipsec.d dir>/ipsec.d
(-x makes the certificate self-signed; the "C,C,C" trust flags mark it as a trusted CA in this database.)
As we want to use the same CA "cacert1" on machine 2 (it signs machine 2's certificate in step 3), it needs to be exported first, together with its private key. To export cacert1, do the following on machine 1:
pk12util -o cacert1.p12 -n cacert1 -d /etc/ipsec.d
Copy the file "cacert1.p12" to the "/etc/ipsec.d" directory on machine 2. The PKCS#12 file contains the CA private key, so transfer it over a secure channel and remove it from both machines once it has been imported.
On machine 2: Import the "cacert1" as follows:
cd /etc/ipsec.d
pk12util -i cacert1.p12 -d /etc/ipsec.d
certutil -M -n cacert1 -t "C,C,C" -d /etc/ipsec.d
(pk12util imports the certificate without CA trust; certutil -M restores the "C,C,C" flags.) Now machine 2 also has the CA certificate "cacert1" in its NSS database.
3. Creating the gateway (user) certificates on both machines:
On machine 1:
certutil -S -k rsa -c cacert1 -n usercert1 -s "CN=usercert1" -v 12 -t "u,u,u" -d /etc/ipsec.d
(Note this certificate is signed by "cacert1".)
On machine 2:
certutil -S -k rsa -c cacert1 -n usercert2 -s "CN=usercert2" -v 12 -t "u,u,u" -d /etc/ipsec.d
(Note this certificate is signed by "cacert1" too.) Both certificates are issued by the same CA, so each gateway can validate the certificate the peer presents during IKE against the cacert1 it already trusts. You can check that a certificate chains to the trusted CA in its own database with certutil -V -n usercert1 -u C -d /etc/ipsec.d before involving pluto.
4. Preparing ipsec.conf on both machines
ipsec.conf on machine 1:
conn pluto-1-2
        left=w1.x1.y1.z1
        leftid="CN=usercert1"
        leftsourceip=w1.x1.y1.z1
        leftrsasigkey=%cert
        leftcert=usercert1
        leftnexthop=w2.x2.y2.z2
        right=w2.x2.y2.z2
        rightid="CN=usercert2"
        rightsourceip=w2.x2.y2.z2
        rightrsasigkey=%cert
        rightnexthop=w1.x1.y1.z1
        rekey=no
        esp="aes-sha1"
        ike="aes-sha1"
        auto=add
leftcert names the NSS nickname of this gateway's own certificate, and leftrsasigkey=%cert / rightrsasigkey=%cert tell pluto to take the RSA public keys from the certificates rather than from raw keys in ipsec.secrets. leftid and rightid must match the subject DNs of the two certificates exactly, otherwise IKE authentication fails with an ID mismatch.
ipsec.conf on machine 2:
conn pluto-1-2
        left=w2.x2.y2.z2
        leftid="CN=usercert2"
        leftsourceip=w2.x2.y2.z2
        leftrsasigkey=%cert
        leftcert=usercert2
        leftnexthop=w1.x1.y1.z1
        right=w1.x1.y1.z1
        rightid="CN=usercert1"
        rightsourceip=w1.x1.y1.z1
        rightrsasigkey=%cert
        rightnexthop=w2.x2.y2.z2
        rekey=no
        esp="aes-sha1"
        ike="aes-sha1"
        auto=add
5. Preparing ipsec.secrets on both machines
ipsec.secrets on machine 1:
: RSA usercert1
ipsec.secrets on machine 2:
: RSA usercert2
The line ": RSA <nickname>" tells pluto to use the private key stored in the NSS database under that nickname; no key material is written into ipsec.secrets itself.
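The following script runs steps 1 to 5 end to end for both gateways on a single host, using two scratch NSS databases instead of /etc/ipsec.d, and adds the verification the steps above leave out. It is an added example, not part of the original page or of the NSS or Openswan projects. Everything beyond the page's own commands is an assumption: the databases are created with an empty password (--empty-password), key generation is seeded from a noise file (-z) so certutil does not prompt, the PKCS#12 transport file gets the throwaway password "transport", and the hypothetical helper names (nss_init, build_both, write_conn and so on) are mine.

```shell
#!/bin/sh
# Added example (not from the wiki page): steps 1-5 for both gateways in scratch
# directories, plus certificate verification. Assumptions not taken from the page:
# empty NSS database password, noise file for unattended key generation, and the
# PKCS#12 password "transport".
set -eu

GW1=w1.x1.y1.z1   # placeholder addresses, as used on the page
GW2=w2.x2.y2.z2

# step 1: empty NSS database plus a noise file so certutil -S never prompts
nss_init() {                                   # nss_init <dbdir>
    mkdir -p "$1"
    head -c 2048 /dev/urandom > "$1/noise"
    certutil -N -d "$1" --empty-password
}

# step 2: self-signed CA on machine 1, exported WITH its private key because the
# page signs machine 2's certificate with "-c cacert1" in machine 2's own database
make_ca()       { certutil -S -k rsa -n "$2" -s "CN=$2" -v 12 -t "C,C,C" -x -d "$1" -z "$1/noise"; }
export_ca_p12() { pk12util -o "$3" -n "$2" -d "$1" -W transport; }   # <dbdir> <nick> <file>
import_ca_p12() {                                                    # <dbdir> <nick> <file>
    pk12util -i "$3" -d "$1" -W transport
    certutil -M -n "$2" -t "C,C,C" -d "$1"     # imported cert arrives untrusted; restore CA trust
}

# step 3: gateway certificate issued by the CA held in the same database
make_user_cert() { certutil -S -k rsa -c "$2" -n "$3" -s "CN=$3" -v 12 -t "u,u,u" -d "$1" -z "$1/noise"; }

# the check the page omits: the gateway cert must chain to a trusted CA in its
# own database (-u C = client usage); a missing CA or wrong trust flag fails here
verify_user_cert() { certutil -V -n "$2" -u C -d "$1" >/dev/null; }  # <dbdir> <nick>

# subject DN actually present in the certificate; the peer's rightid= must equal it
cert_subject() { certutil -L -n "$2" -d "$1" | sed -n 's/^ *Subject: "\(.*\)"$/\1/p'; }

# step 4: one gateway's view of the connection; the peer gets the mirror image
write_conn() {                                 # write_conn <my-ip> <my-nick> <peer-ip> <peer-nick>
    cat <<EOF
conn pluto-1-2
        left=$1
        leftid="CN=$2"
        leftsourceip=$1
        leftrsasigkey=%cert
        leftcert=$2
        leftnexthop=$3
        right=$3
        rightid="CN=$4"
        rightsourceip=$3
        rightrsasigkey=%cert
        rightnexthop=$1
        rekey=no
        esp="aes-sha1"
        ike="aes-sha1"
        auto=add
EOF
}

# step 5: ipsec.secrets only names the NSS nickname whose private key pluto uses
write_secrets() { printf ': RSA %s\n' "$1"; }  # write_secrets <my-nick>

# run everything into <workdir>/gw1 and <workdir>/gw2
build_both() {                                 # build_both <workdir>
    nss_init "$1/gw1"; nss_init "$1/gw2"
    make_ca "$1/gw1" cacert1
    export_ca_p12 "$1/gw1" cacert1 "$1/cacert1.p12"
    import_ca_p12 "$1/gw2" cacert1 "$1/cacert1.p12"
    rm -f "$1/cacert1.p12"                     # the CA private key does not need to linger on disk
    make_user_cert "$1/gw1" cacert1 usercert1
    make_user_cert "$1/gw2" cacert1 usercert2
    verify_user_cert "$1/gw1" usercert1
    verify_user_cert "$1/gw2" usercert2
    write_conn "$GW1" usercert1 "$GW2" usercert2 > "$1/gw1/ipsec.conf"
    write_conn "$GW2" usercert2 "$GW1" usercert1 > "$1/gw2/ipsec.conf"
    write_secrets usercert1 > "$1/gw1/ipsec.secrets"
    write_secrets usercert2 > "$1/gw2/ipsec.secrets"
}

if [ "${1:-}" = run ]; then                    # sh setup.sh run
    W=$(mktemp -d); build_both "$W"; echo "built under $W"
fi
```

Run it as "sh setup.sh run"; the resulting gw1 and gw2 directories hold what each gateway's /etc/ipsec.d would contain, and the ipsec.conf files are the two mirrored conn blocks from step 4. The cert_subject helper is the quick way to confirm that the rightid= you put in one gateway's configuration is exactly the DN the other gateway's certificate carries.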