Date:      Thu, 8 May 2003 07:26:37 -0500
From:      "Jacques A. Vidrine" <nectar@FreeBSD.org>
To:        Michael Collette <metrol@metrol.net>
Cc:        FreeBSD Security <freebsd-security@freebsd.org>
Subject:   Re: VPN through BSD for Win2k, totally baffled
Message-ID:  <20030508122637.GA97715@madman.celabo.org>
In-Reply-To: <200305071921.33596.metrol@metrol.net>
References:  <200305071921.33596.metrol@metrol.net>

On Wed, May 07, 2003 at 07:21:33PM -0700, Michael Collette wrote:
> Scenario:
> FreeBSD box running IPFW acting as a gateway to private network.  The private 
> network is made up of entirely routeable IP addresses.  External users 
> running Win2k and XP on DSL connections with dynamic IPs.
[...]
> Where I totally lost it was on the FreeBSD setup.  The author is referring to 
> certificates that he never described how they should be created.  I didn't 
> know what in the heck to do here.
[...]

It's hard to tell from your message where you are getting lost, but I'll
give it a shot.  Assuming you have all your certificates (let's call
them client.crt/client.key, server.crt/server.key, and ca-local.crt):

 (1) Add a `path certificate' directive to racoon.conf, e.g.
       path certificate "/usr/local/etc/racoon/cert" ;

 (2) Create that directory

 (3) Store your CA's certificate in that directory in PEM format, e.g.
     /usr/local/etc/racoon/cert/ca-local.pem.

 (4) Create a symlink in that directory based on the CA cert's hash,
     e.g.
       cd /usr/local/etc/racoon/cert
       ln -s ca-local.pem `openssl x509 -noout -hash -in ca-local.pem`.0

Heh, I found some pages that might be useful to you while I was Google'ing
to double-check my openssl syntax:

<URL: http://www.kame.net/newsletter/20001119b/ >
<URL: http://www.onlamp.com/pub/a/bsd/2002/04/04/ipsec.html?page=2 >

Hope this helps,
-- 
Jacques Vidrine   . NTT/Verio SME      . FreeBSD UNIX       . Heimdal
nectar@celabo.org . jvidrine@verio.net . nectar@freebsd.org . nectar@kth.se
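Steps (1) through (4) above as a script. This is an added example, not code from the thread or from the racoon project: it builds the `path certificate' directory, installs the CA cert as PEM, creates the hash-named symlink (bumping the .0 suffix if another CA already hashes to the same value), and then checks the result the way racoon's OpenSSL library will use it, by verifying a peer certificate against that directory alone. The CERTDIR value, the file names ca-local.pem/client.crt, the function names, and the throwaway CA and client certificate generated by make_test_pki are all assumptions made for the example; with a real CA you skip make_test_pki and pass your own ca-local.crt to install_ca.

```shell
#!/bin/sh
# Added example (not from the original message): set up racoon's
# `path certificate' directory and the subject-hash symlink for the CA,
# then verify a peer certificate against it. Paths, names and the
# throwaway PKI below are constructed for this example.
set -eu

# Must match the `path certificate' directive in racoon.conf (assumed path).
CERTDIR="${CERTDIR:-/usr/local/etc/racoon/cert}"

# Generate a throwaway CA plus a client cert signed by it, so the script
# can be exercised offline. With a real CA this function is not needed.
make_test_pki() {
    dir="$1"
    mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=ca-local example CA" \
        -keyout "$dir/ca-local.key" -out "$dir/ca-local.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes \
        -subj "/CN=client example" \
        -keyout "$dir/client.key" -out "$dir/client.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$dir/client.csr" \
        -CA "$dir/ca-local.crt" -CAkey "$dir/ca-local.key" -CAcreateserial \
        -out "$dir/client.crt" 2>/dev/null
    chmod 600 "$dir/ca-local.key" "$dir/client.key"
}

# Steps (2)-(4): create the directory, store the CA cert there in PEM
# form, and link it under <subject hash>.N so the by-directory lookup
# (X509_LOOKUP_hash_dir, which racoon relies on) can find it.
# Prints the path of the symlink it created or reused.
install_ca() {
    certdir="$1"; cacert="$2"
    mkdir -p "$certdir"
    # Accept either PEM or DER input; the stored copy is always PEM.
    if grep -q 'BEGIN CERTIFICATE' "$cacert"; then
        cp "$cacert" "$certdir/ca-local.pem"
    else
        openssl x509 -inform DER -in "$cacert" -out "$certdir/ca-local.pem"
    fi
    hash=$(openssl x509 -noout -hash -in "$certdir/ca-local.pem")
    # .0 is the first certificate with this hash. If a different CA
    # already occupies hash.N, use the next free suffix instead of
    # silently replacing it.
    n=0
    while [ -e "$certdir/$hash.$n" ] && \
          ! cmp -s "$certdir/$hash.$n" "$certdir/ca-local.pem"; do
        n=$((n + 1))
    done
    ln -sf ca-local.pem "$certdir/$hash.$n"
    echo "$certdir/$hash.$n"
}

# Check the directory the way the daemon will: build a chain for a peer
# certificate using only -CApath. Returns 0 if the peer cert chains to a
# CA found through the hash links, non-zero otherwise.
verify_peer() {
    certdir="$1"; peercert="$2"
    openssl verify -CApath "$certdir" "$peercert" >/dev/null 2>&1
}

# Demo run: ./racoon-certdir.sh --demo  (uses a temp dir, not CERTDIR)
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    make_test_pki "$tmp/pki"
    link=$(install_ca "$tmp/cert" "$tmp/pki/ca-local.crt")
    echo "created $link -> $(readlink "$link")"
    if verify_peer "$tmp/cert" "$tmp/pki/client.crt"; then
        echo "client.crt verifies against $tmp/cert"
    else
        echo "client.crt does NOT verify" >&2
        exit 1
    fi
fi
```

Two caveats worth knowing before relying on this. The hash printed by `openssl x509 -hash` is computed by whatever OpenSSL version the openssl binary was built against, and the algorithm changed in OpenSSL 1.0.0 (an MD5-based value before, a SHA-1 value over the canonicalised subject name since); racoon uses the library it was linked with, so build the links with the same OpenSSL that racoon loads, or let `c_rehash` (or `openssl rehash` on 1.1.0 and later) populate the directory for you. Second, `openssl verify -CApath` is the quickest way to confirm the directory is usable before touching racoon: if a peer certificate does not verify there, the IKE negotiation will fail with a certificate error as well.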
