Transport mode between Racoon and Windows hosts with x509 authentication

Intro

Network diagram

Creating a Certification Authority


We create a folder which will contain certificates : /var/certs :

root@host:~# cd /var/;  mkdir certs; cd certs/; mkdir v01; cd v01/ 
				

NB : The /usr/lib/ssl/openssl.cnf file allow to pre-populate some informations (Country Name, State Or Privince etc...).
We create the Certification Authority thanks to the /usr/lib/ssl/misc/CA.pl script :

root@host:~# /usr/lib/ssl/misc/CA.pl -newca
CA certificate filename (or enter to create) 

Making CA certificate ... 
Generating a 1024 bit RSA private key 
.............................................++++++ 
............++++++ 
writing new private key to './demoCA/private/cakey.pem' 
Enter PEM pass phrase: 
Verifying - Enter PEM pass phrase: 
----- 
You are about to be asked to enter information that will be incorporated 
into your certificate request. 
What you are about to enter is what is called a Distinguished Name or a DN. 
There are quite a few fields but you can leave some blank 
For some fields there will be a default value, 
If you enter '.', the field will be left blank. 
----- 
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:MP 
Locality Name (eg, city) []:MARS 
Organization Name (eg, company) [Internet Widgits Pty Ltd]:COMPANY
Organizational Unit Name (eg, section) []: 
Common Name (eg, YOUR name) []:RootCA 
Email Address []:admin@company.fr 

Please enter the following 'extra' attributes 
to be sent with your certificate request 
A challenge password []: 
An optional company name []:  
Using configuration from /usr/lib/ssl/openssl.cnf 
Enter pass phrase for ./demoCA/private/cakey.pem: 
Check that the request matches the signature 
Signature ok 
Certificate Details: 
	Serial Number: 
		d9:34:84:c4:17:20:26:8b 
	Validity 
		Not Before: Oct  1 13:41:51 2012 GMT 
	Not After : Oct  1 13:41:51 2016 GMT 
	Subject: 
		countryName               = US
		stateOrProvinceName       = MP
		organizationName          = SheBang
		commonName                = RootCA
		emailAddress              = admin@company.fr 
	X509v3 extensions: 
		X509v3 Subject Key Identifier:
		B4:B6:FD:F4:33:62:76:B7:7B:3C:8A:18:9D:00:A4:0A:E0:5A:3C:DB 
		X509v3 Authority Key Identifier:
		keyid:C4:B6:FD:F4:33:63:76:B7:7A:30:8A:18:9D:00:B4:0A:E0:5B:3C:DB 
			DirName:/C=FR/ST=MP/O=SheBang/CN=RootCA/emailAddress=admin@company.fr 
			serial:D9:34:84:C4:17:20:26:8B 

	X509v3 Basic Constraints: 
		CA:TRUE 
Certificate is to be certified until Oct  1 13:41:51 2016 GMT (1095 days) 

Write out database with 1 new entries 
Data Base Updated

Alice

Installation

root@host:~# apt-get install racoon ipsec-tools

Debian gateway certificates :

root@host:~# openssl req -new -nodes -newkey rsa:1024 -sha1 -keyform PEM -keyout privkey.pem -outform PEM -out newreq.pem

Generating a 1024 bit RSA private key 
.++++++ 
..............++++++ 
writing new private key to 'privkey.pem' 
----- 
You are about to be asked to enter information that will be incorporated 
into your certificate request. 
What you are about to enter is what is called a Distinguished Name or a DN. 
There are quite a few fields but you can leave some blank 
For some fields there will be a default value, 
If you enter '.', the field will be left blank. 
----- 
Country Name (2 letter code) [AU]:FR 
State or Province Name (full name) [Some-State]:MP 
Locality Name (eg, city) []:MA_VILLE 
Organization Name (eg, company) [Internet Widgits Pty Ltd]:SheBang 
Organizational Unit Name (eg, section) []: 
Common Name (eg, YOUR name) []:VPN-Gateway-Debian 
Email Address []:admin@societe.fr 

Please enter the following 'extra' attributes 
to be sent with your certificate request 
A challenge password []: 
An optional company name []:  
					

We sign the certificate with the CA :

root@host:~# /usr/lib/ssl/misc/CA.pl -sign
Using configuration from /usr/lib/ssl/openssl.cnf 
Enter pass phrase for ./demoCA/private/cakey.pem: 
Check that the request matches the signature 
Signature ok 
Certificate Details: 
	Serial Number: 
		d9:34:84:c4:17:20:26:8c 
	Validity 
		Not Before: Oct  1 13:44:34 2012 GMT 
		Not After : Oct  1 13:44:34 2013 GMT 
	Subject: 
		countryName               = US
		stateOrProvinceName       = MP 
		localityName              = MARS 
		organizationName          = SheBang 
		commonName                = VPN-Gateway-Debian 
		emailAddress              = admin@company.fr 
	X509v3 extensions: 
		X509v3 Basic Constraints: 
			CA:FALSE 
		Netscape Comment: 
			OpenSSL Generated Certificate 
		X509v3 Subject Key Identifier:
			65:DF:0F:06:02:6F:34:8D:AB:63:E0:5B:1E:26:31:5E:B8:50:19:13
		X509v3 Authority Key Identifier:
			keyid:B4:B6:FD:F4:33:62:76:B7:7A:30:8A:18:9D:00:A4:0A:E0:5B:3C:DB

Certificate is to be certified until Oct  1 13:44:34 2013 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y 
Write out database with 1 new entries 
Data Base Updated 
Signed certificate is in newcert.pem 
				
root@host:~# mkdir debian; mv newcert.pem newreq.pem privkey.pem -t debian/; cp debian/* /etc/racoon/certs

Recognize the certificate

root@host:~# ln -s /var/certs/v01/demoCA/cacert.pem `openssl x509 -noout -hash -in /var/certs/v01/demoCA/cacert.pem`.0

/etc/racoon/certs content

user@alice # ls /etc/racoon/certs/
3fda260d.0  cacert.pem  newcert.pem  privkey.pem

/etc/racoon/racoon.conf

#path pre_shared_key "/etc/racoon/psk.txt"; 
path certificate "/etc/racoon/certs"; 

remote 192.168.0.85 { 
	exchange_mode main; 
	my_identifier asn1dn; 
	peers_identifier asn1dn; 
	verify_identifier on; 
	certificate_type x509 "newcert.pem" "privkey.pem"; 
	proposal { 
		encryption_algorithm 3des; 
		hash_algorithm sha1; 
		authentication_method rsasig ; 
		dh_group 2; 
	} 
} 
 
sainfo address 192.168.0.84 any address 192.168.0.85 any { 
	#pfs_group modp768; 
	#pfs_group 2; 
	lifetime time 1 hour; 
	encryption_algorithm 3des; 
	authentication_algorithm hmac_sha1; 
	compression_algorithm deflate; 
} 
					

/etc/ipsec-tools.conf

#!/usr/sbin/setkey -f 

# 
## Flush the SAD and SPD 
flush; 
spdflush; 

# 
spdadd 192.168.0.84 192.168.0.85 any -P out ipsec 
    esp/transport//require; 
#                      
spdadd 192.168.0.85 192.168.0.84 any -P in ipsec 
   esp/transport//require; 
# 
					

Régis

Windows 7 certificate creation

user@alice # openssl req -new -nodes -newkey rsa:1024 -sha1 -keyform PEM -keyout privkey.pem -outform PEM -out newreq.pem 

Generating a 1024 bit RSA private key 
.................................++++++ 
......++++++ 
writing new private key to 'privkey.pem' 
----- 
You are about to be asked to enter information that will be incorporated 
into your certificate request. 
What you are about to enter is what is called a Distinguished Name or a DN. 
There are quite a few fields but you can leave some blank 
For some fields there will be a default value, 
If you enter '.', the field will be left blank. 
----- 
Country Name (2 letter code) [AU]:US 
State or Province Name (full name) [Some-State]:MP 
Locality Name (eg, city) []:MARS 
Organization Name (eg, company) [Internet Widgits Pty Ltd]:COMPANY
Organizational Unit Name (eg, section) []: 
Common Name (eg, YOUR name) []:Host-Windows 
Email Address []:admin@societe.fr 

Please enter the following 'extra' attributes 
to be sent with your certificate request 
A challenge password []: 
An optional company name []: 
					

We sign the certificate with the CA

user@alice # /usr/lib/ssl/misc/CA.pl -sign 
Using configuration from /usr/lib/ssl/openssl.cnf 
Enter pass phrase for ./demoCA/private/cakey.pem: 
Check that the request matches the signature 
Signature ok 
Certificate Details: 
	Serial Number: 
		d9:34:84:c4:17:20:26:8d 
	Validity 
		Not Before: Oct  1 13:48:48 2012 GMT 
		Not After : Oct  1 13:48:48 2013 GMT 
	Subject: 
		countryName               = US 
		stateOrProvinceName       = MP 
		localityName              = MARS 
		organizationName          = COMPANY 
		commonName                = Host-Windows 
		emailAddress              = admin@company.fr 
	X509v3 extensions:  
		X509v3 Basic Constraints: 
			CA:FALSE 
		Netscape Comment: 
			OpenSSL Generated Certificate 
		X509v3 Subject Key Identifier:
			3F:8B:22:32:82:01:3A:5A:F6:F4:67:70:BF:06:19:B4:FF:9A:6C:38 
		X509v3 Authority Key Identifier:
			keyid:B4:B6:FD:F4:33:62:76:B7:7A:30:8A:18:9D:00:A4:0A:E0:5B:3C:DB 

Certificate is to be certified until Oct  1 13:48:48 2013 GMT (365 days) 
Sign the certificate? [y/n]:y 


1 out of 1 certificate requests certified, commit? [y/n]y 
Write out database with 1 new entries 
Data Base Updated 
Signed certificate is in newcert.pem 
					

Export certificate to PKCS12 format

user@alice # openssl pkcs12 -export -inkey privkey.pem -in newcert.pem -certfile demoCA/cacert.pem -out export.p12 -name "Windows Cert" 
Enter Export Password: 
Verifying - Enter Export Password:
					

/var/certs content

user@alice # ls -R 
debian  demoCA  export.p12  newcert.pem  newreq.pem  privkey.pem 

./debian: 
newcert.pem  newreq.pem  privkey.pem 

./demoCA: 
cacert.pem  careq.pem  certs  crl  crlnumber  index.txt  index.txt.attr  index.txt.attr.old  index.txt.old  newcerts  private  serial  serial.old 

./demoCA/certs: 

./demoCA/crl: 

./demoCA/newcerts: 
D93484C41720268B.pem  D93484C41720268C.pem  D93484C41720268D.pem 

./demoCA/private: 
cakey.pem

Some useful commands

user@alice # setkey -FP
user@alice # racoon -F -f /etc/racoon/racoon.conf
user@alice # setkey -f /etc/ipsec-tools.conf

Certificate installation on the Windows host

Open the Microsoft Management Console :

We add the same information already precised here

Certificate installation

We go back to the MMC console :

Summary

Licence Creative Commons
This website http://shebangthedolphins.net is licensed to the public under a licence Creative Commons Attribution licence.
Contact :