This chapter gives examples of connecting external clients (road warriors) to the SISO router using an IPsec tunnel. Certificates will be used to verify the identity of the client. The chapter first explains the process of generating certificates. It then continues by describing the matching server and client configurations. Examples for Linux and Windows/XP clients will be presented.
This chapter is a part of the "Secure Internet Appliance for Small Office / Home Office HOWTO". It relies on the environment variables listed in Section 2.1, “Environment Variables”.
Buying certificates from the official Root Certificate Authorities (CA) for all the hosts in a network is expensive, and not necessary. This section shows how to create your own Root CA, and generate and certify X.509 certificates.
The examples presented in this chapter use the gencert script to generate the certificates.
The script and its support files can be found at:
The gencert script requires the following environment variables to be set:
yourpassword
export SSL_DIR=$PRJ_DIR/openssl
export OPENSSL_CONF=$SSL_DIR/openssl.conf
Create a Root CA certificate, and make a Windows/XP-importable PKCS#12 copy of it.
$SSL_DIR/gencert --ca "
Create a certificate for each host, sign it with the Root CA, and make a Windows-readable PKCS#12 copy of it. The Extended Key Usage (EKU) parameters are not needed for IPsec, but are needed for other usages such as secure wireless.
$SSL_DIR/gencert --server siso.vonk
$SSL_DIR/gencert --client bor.vonk
$SSL_DIR/gencert --client crox.vonk
$SSL_DIR/gencert --client truus.vonk