Re: VPN through BSD for Win2k, totally baffled

From: Jacques A. Vidrine (nectar@FreeBSD.org)
Date: Thu May 08 2003 - 07:26:37 CDT


On Wed, May 07, 2003 at 07:21:33PM -0700, Michael Collette wrote:
> Scenario:
> FreeBSD box running IPFW acting as a gateway to private network. The private
> network is made up of entirely routeable IP addresses. External users
> running Win2k and XP on DSL connections with dynamic IPs.
[...]
> Where I totally lost it was on the FreeBSD setup. The author is referring to
> certificates that he never described how they should be created. I didn't
> know what in the heck to do here.
[...]

It's hard to tell from your message where you are getting lost, but I'll
give it a shot. Assuming you have all your certificates (let's call
them client.crt/client.key, server.crt/server.key, and ca-local.crt):

 (1) Add a `path certificate' directive to racoon.conf, e.g.
       path certificate "/usr/local/etc/racoon/cert" ;

 (2) Create that directory

 (3) Store your CA's certificate in that directory in PEM format, e.g.
     /usr/local/etc/racoon/cert/ca-local.pem.

 (4) Create a symlink in that directory based on the CA cert's hash,
     e.g.
       cd /usr/local/etc/racoon/cert
       ln -s ca-local.pem `openssl x509 -noout -hash -in ca-local.pem`.0

Heh, I found some pages that might be useful to you while I was Google'ing
to double-check my openssl syntax:

<URL: http://www.kame.net/newsletter/20001119b/ >
<URL: http://www.onlamp.com/pub/a/bsd/2002/04/04/ipsec.html?page=2 >

Hope this helps,
--
Jacques Vidrine . NTT/Verio SME . FreeBSD UNIX . Heimdal
nectar@celabo.org . jvidrine@verio.net . nectar@freebsd.org . nectar@kth.se
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
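The four steps in the reply above, as an added shell example that is not part of the original mail or of racoon itself. It creates the certificate directory, copies the CA certificate in as PEM, and adds the hash-named symlink racoon (via OpenSSL's lookup-by-hash) needs to find it. The directory path, the file name ca-local.pem, and the throwaway self-signed CA generated by make_test_ca are assumptions for illustration; in practice you copy your real CA's certificate instead of generating one. verify_ca_link is a check the reply does not mention: it confirms the link really points at a certificate whose subject hash matches the link's name, which is the most common thing to get wrong (a stale link after the CA certificate is replaced).

```shell
#!/bin/sh
# Added example, not from the original mail or from racoon.
# Mirrors steps (1)-(4): a "path certificate" directive in racoon.conf
# names a directory; the CA cert goes there in PEM form with a symlink
# named <subject-hash>.0 pointing at it. Paths below are assumptions.
set -eu

# Constructed test data: a throwaway self-signed CA, used only so the
# example runs offline. Replace with your own CA's certificate in practice.
make_test_ca() {
    out_dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Example Test CA (constructed)" \
        -keyout "$out_dir/ca-local.key" -out "$out_dir/ca-local.pem" \
        >/dev/null 2>&1
}

# Steps (2)-(4): create the directory named by "path certificate",
# store the CA cert as PEM, and link <hash>.0 -> ca-local.pem.
# Prints the path of the symlink it created.
install_ca_cert() {
    cert_dir=$1    # e.g. /usr/local/etc/racoon/cert (assumed path)
    ca_pem=$2      # CA certificate in PEM format
    mkdir -p "$cert_dir"
    cp "$ca_pem" "$cert_dir/ca-local.pem"
    # "openssl x509 -hash" prints the subject-name hash OpenSSL uses for
    # directory lookups; racoon resolves the CA by that name.
    hash=$(openssl x509 -noout -hash -in "$cert_dir/ca-local.pem")
    # The .0 suffix is the first certificate with this hash; a second
    # cert with the same hash would be .1, and so on.
    ln -sf ca-local.pem "$cert_dir/$hash.0"
    echo "$cert_dir/$hash.0"
}

# Sanity check: the link must exist, its target must parse as an X.509
# certificate, and that certificate's hash must equal the link's name.
# Returns 0 on success, 1 otherwise.
verify_ca_link() {
    link=$1
    [ -L "$link" ] || return 1
    expected=$(basename "$link")
    expected=${expected%.*}
    actual=$(openssl x509 -noout -hash -in "$link" 2>/dev/null) || return 1
    [ "$expected" = "$actual" ]
}

# Run with "demo" as the first argument to exercise the whole flow in a
# temporary directory instead of touching /usr/local/etc/racoon.
if [ "${1:-}" = "demo" ]; then
    work=$(mktemp -d)
    make_test_ca "$work"
    link=$(install_ca_cert "$work/cert" "$work/ca-local.pem")
    echo "created $link"
    verify_ca_link "$link" && echo "link verified" || echo "link BROKEN"
    rm -rf "$work"
fi
```

The matching racoon.conf line for this layout is the one the reply gives, `path certificate "/usr/local/etc/racoon/cert" ;`. Re-run install_ca_cert whenever the CA certificate is replaced: the hash is derived from the subject name, so a renewed CA with the same subject keeps the same link name, but a new CA with a different subject needs a new link, and verify_ca_link will flag the stale one.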