Configuring racoon/ipsec-tools to use x509 Certificates

This paper reviews the process to configure racoon/ipsec-tools to authenticate IPSec communications via x509 certificates.

Our example does not cover how to configure a Certificate Authority (CA); that process will be examined in another paper. Our example also assumes both clients are NetBSD, but the procedure is nearly the same on Linux, FreeBSD and Mac OS X.

Our example assumes a host-to-host IPSec connection. This has no bearing on the x509 authentication, and it could just as easily be a gateway-to-gateway connection.

In our example, the hosts have the IP addresses 10.0.5.5 and 10.0.7.5.

Posted in DragonFlyBSD, FreeBSD, NetBSD, Networking, Papers, Security | 1 Comment

How to install NetBSD on Compact Flash (for the Soekris 4501)

This was tested on NetBSD 3.99.16; however, the instructions should apply to older (and newer) versions as well. I have attempted to flag steps where you may run into version incompatibilities with “Version Note”.

There are a number of devices that will allow you to read your CF card on a NetBSD machine; the device I chose was the mediaGear Keychain Compact Flash Reader.

A snippet of your dmesg output should appear as follows:

  [...]
  umass0 at uhub1 port 1 configuration 1 interface 0
  umass0: mediaGear Compact Flash Keychain, rev 1.10/1.00, addr 2
  umass0: using SCSI over Bulk-Only
  scsibus0 at umass0: 2 targets, 1 lun per target
  sd0 at scsibus0 target 0 lun 0: <MG, CF-Key, 1.00> disk removable
  sd0: fabricating a geometry
  sd0: 244 MB, 244 cyl, 64 head, 32 sec, 512 bytes/sect x 500400 sectors
  [...]

Run the following commands:

  # cd /root
  # mkdir cfimage
  # dd if=/dev/zero of=netbsd.img bs=512 count=500400
  # vnconfig vnd0 netbsd.img
  # fdisk -ua0 vnd0
  # disklabel -e -I vnd0
  # newfs /dev/rvnd0a
  # mount /dev/vnd0a /root/cfimage
  # cd /root/cfimage && mtree -Udef /etc/mtree/NetBSD.dist
  # tar xzpf i386/binary/sets/base.tgz
  # tar xzpf i386/binary/sets/kern-GENERIC.tgz
  # cp i386/binary/sets/etc.tgz /root/cfimage/root

  # chroot /root/cfimage /bin/sh

You are in the chroot environment, continue with

Posted in NetBSD, Papers, System Administration | 5 Comments

Configuring IPSec with x509 certificates on OpenBSD

This document will explain how to configure OpenBSD’s IPSec to authenticate via a Certificate Authority and x509 certificates. It is demonstrated with OpenBSD 4.1 and depends upon ipsecctl, which first appeared in OpenBSD 3.8.

First you will need to place your CA certificate in /etc/isakmpd/ca.

  # ls -al /etc/isakmpd/ca
  total 16
  drwxr-xr-x  2 root  wheel   512 Jun  1 13:25 .
  drwxr-xr-x  8 root  wheel   512 Jun  1 13:18 ..
  -r--r--r--  1 root  wheel  3460 Jun  1 12:27 cacert.pem

Next you will need to place your host's certificate in /etc/isakmpd/certs.

  # ls -al /etc/isakmpd/certs
  total 16
  drwxr-xr-x  2 root  wheel   512 Jun  1 13:59 .
  drwxr-xr-x  8 root  wheel   512 Jun  1 13:18 ..
  -r--r--r--  1 root  wheel  3008 Jun  1 13:59 192.168.25.25.pem

This certificate should be issued with a subjectAltName extension that carries the host's IP address, as described in the isakmpd man page. isakmpd matches the peer's certificate against its IP address using this field, so a certificate without it will not authenticate the peer.

  # setenv CERTIP 192.168.25.25
  # openssl x509 -req -days 365 -in 192.168.25.25.csr \
          -CA /etc/ssl/ca.crt -CAkey /etc/ssl/private/ca.key \
          -CAcreateserial -extfile /etc/ssl/x509v3.cnf \
          -extensions x509v3_IPAddr -out 192.168.25.25.pem

When you view the resulting certificate (for example with openssl x509 -text), you should see the following in the X509v3 extensions section.

[...]
  X509v3 extensions:
      X509v3 Subject Alternative Name:
          IP Address:192.168.25.25
[...]

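The signing command above reads the x509v3_IPAddr section from /etc/ssl/x509v3.cnf and the CERTIP variable set with setenv, but the page does not show that file. The fragment below is an added example of what that section is assumed to contain (not the original post's file); the extension names are standard OpenSSL x509v3 config keywords, and $ENV::CERTIP is OpenSSL's syntax for reading an environment variable.

```ini
# /etc/ssl/x509v3.cnf (assumed contents, added example)
# Selected by: openssl x509 -req ... -extfile /etc/ssl/x509v3.cnf -extensions x509v3_IPAddr
# CERTIP must be exported in the environment first (the post uses: setenv CERTIP 192.168.25.25)

[ x509v3_IPAddr ]
# isakmpd matches the peer certificate on this IP Address SAN
subjectAltName   = IP:$ENV::CERTIP
# host certificate, not a CA
basicConstraints = CA:FALSE
# key is used only for IKE signatures
keyUsage         = digitalSignature
```

If CERTIP is not set when openssl runs, the subjectAltName line fails to expand and signing aborts, which is the safer failure compared to issuing a certificate without the IP Address field.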

Posted in Networking, OpenBSD, Papers, Security | 3 Comments