Installation GuideSummary:This X.509 patch for Linux FreeS/WAN, written in 2000 by three students of the Zurich University of Applied Sciences in Winterthur (Switzerland) and now maintained by Andreas Steffen, is an extension of a freeswan-pgpnet patch originally developped by Kai Martius. The X.509 patch supports RSA based authentication using X.509 certificates between a Linux FreeS/WAN host and an unlimited number of IPsec peers. Compatibility has been successfully tested with peers running the FreeS/WAN, SafeNet/Soft-PK, PGPnet, SSH Sentinel, and Microsoft Windows 2000 Professional / Advanced Server IPsec clients. Potentially any IPsec implementation with X.509 certificate support can be made to cooperate with X.509-enabled FreeS/WAN. Andreas Gruenbacher has generously contributed the fswcert tool based on the OpenSSL 0.9.5a package. The utility extracts public keys and ASN.1 distinguished subject names from *.PEM, *.DER and *.P12 certificate files and private keys from RSA and *.P12 files. The X.509 patch also supports RSA based authentication using OpenPGP certificates and PGP's proprietary Key IDs. The keyextractor tool written by Kai Martius and currently available from http://www.zengl.net/freeswan is required to extract public and private keys from OpenPGP certificates. Installation
1. Apply patch to FreeS/WAN (Pluto)Copy the patch pluto.diff to the FreeS/WAN pluto
directory
2. Install the "fswcert" key and subject extraction toolConsult the README in the fswcert directory for details of use and installation. After optionally adapting the paths for the IPSEC and SSL directories, type: followed by to compile and install the fswcert tool, respectively. 3. Extract distinguished name and public key from X.509 certificatesUse the commands: or or to extract the subject name and public key of the peer from a X.509 certificate in the PEM or DER format or from a PKCS#12 file, respectively. The output of fswcert has the form: The character "~" is used by the X.509 patch to tell pluto that the identification is of type ID_DER_ASN1_DN. It is used in a similar way as the "#" character already defined by Kai Martius for the id type ID_KEY_ID. Do the same with your own X.509 certificate: or or when the certificate is part of a PKCS#12 file. The output from fswcert has the form
4. Edit /etc/ipsec.confAssuming that the PGPnet peer is left and the FreeS/WAN security gateway is right, paste the fswcert outputs into /etc/ipsec.conf:
conn peer 5. Elegant alternative offered by "fswcert"If you apply the _confread.patch found in the fswcert directory to FreeS/WAN's /util/_confread utility, you don't even have to extract subject names and public keys from the certificates manually. Thus you can forget about installation steps 3 and 4, by doing step 5 instead. By calling fswcert the _confread utility will automatically generate the required ..id and ..rsasigkey entries and pass them to pluto during startup. Using the new keywords leftcert and rightcert, the entries in /etc/ipsec.conf are reduced to
conn peer 6. Extract and install private keyIf your private key is stored in the encrypted binary PKCS#12 format together with your X.509 certificate and quite often also containing the Root CA certificate, use
to extract the private key. If your key is stored in the RSA private key format generated e.g. by OpenSSL, use the command
to extract the private key. In both cases you will be prompted for the passphrase protecting the private key. The output of fswcert has the form
which can be pasted into the file /etc/ipsec.secrets. 7. Install X.509 certificate of FreeS/WAN security gatewayCopy your DER encoded binary X.509 certificate into /etc/x509cert.der
If your certificate is in PEM format, then the following command converts it into binary DER format:
The content of this binary certificate file will be transmitted to the PGPnet peer as part of ISAKMP messages #5 or #6 during IKE Main Mode. 8. Import X.509 certificates into PGPnet peerUse e.g. the file peerCert.p12 to import the PGPnet peer's X.509 certificate plus encrypted private key in binary PKCS#12 format into the PGPkey tool. You will be prompted for the passphrase securing the private key. Use e.g. the file myCert.pem to import the X.509 certificate of the FreeS/WAN security gateway into the PGPkey tool. Unfortunately the PGPkeyTool of PGP does not accept X.509 certificates in binary DER format, so it must be imported in the following base64 format:
9. ConnectIf pluto is already up and running on the FreeS/WAN host, press the "Connect" button in the PGPnet window of the PGPnet peer in order to start up the IPsec connection. You're done :-) 10. Compatibility issues with PGPnet 6.5.xIf the FreeS/WAN security gateway is using a RSA public key >= 1024 bits and its certificate contains a long ASN.1 distinguished name like:
the ISAKMP messages #5 or #6 might become larger than the physical MTU, causing a fragmentation of the UDP packet transmitted by the Linux FreeS/WAN host to the PGPnet peer. In that case PGPnet 6.5.x will not be able to set up a secure connection !!! PGPnet 6.5.x cannot handle fragmented UDP packets when they arrive in reverse order (this being a Linux specialty). Using the same large X.509 certificates in a PGPnet-to-PGPnet connection, IKE main mode exchanges with fragmented UDP packets sent in normal order pose no problem. :-( 11. Compatibility issues with PGPnet 7.0The fragmenting problem has been fixed with PGPnet 7.0! FreeS/WAN now connects successfully with PGPnet 7.0 clients, even with large certificates. This has been tested against two Windows 98 boxes equipped with 3Com network interface cards. Unfortunately all connection attempts with a notebook computer equipped with a 2 Mbit/s IEEE 802.11 wireless LAN card (Harris PRISM chip set / AMD MAC chip) failed miserably. This is probably a driver issue between the WLAN NIC and PGPnet 7.0, since a couple of other network services stopped to work, too, after installation of PGPnet 7.0. 12. Compatibility issues with SafeNet/Soft-PK 5.1.0When generating X.509 certificates using e.g. OpenSSL, take care not to include an e-mail address in the ASN.1 distinguished name of the subject, since SafeNet/Soft-PK does only support the attributes Country (C=), State (ST=), City (L=), Company (O=), Department (OU=), and Name (CN=) in exactly this order. With the exception of the Common Name (CN=), any of these fields can be omitted in the X.509 certificate if the corresponding fields in the SafeNet/Soft-PK configuration menu are left empty. This is always the case with the Postal Code field which is not supported by the basic configuration of OpenSSL. SafeNet/Soft-PK 5.1.0 also cannot handle fragmented UDP packets received in reverse order. So keep the size of the transmitted FreeS/WAN certificate to an absolute minimum, by choosing a short ASN.1 distinguished name and including only those X.509v3 extensions that are really required. | ||
|
X.509 FreeS/WAN patch: Copyright © 2000-2001, Andreas Hess, Patric Lichtsteiner, Roger Wegmann & PGPnet-RSA parts of patch: Copyright © 2000, Kai Martius <kai@secunet.de > fswcert utility: Copyright © 2000, Andreas Grünbacher <a.gruenbacher@computer.org> This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. See http://www.fsf.org/copyleft/gpl.txt. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FO A PARTICULAR PURPOSE. See the GNU General Public License for more details.
| ||
|