{"id":1869,"date":"2010-12-05T18:41:41","date_gmt":"2010-12-05T17:41:41","guid":{"rendered":"http:\/\/www.devco.net\/?p=1869"},"modified":"2010-12-05T19:05:50","modified_gmt":"2010-12-05T18:05:50","slug":"redhat_ipsec_and_x509_certificates","status":"publish","type":"post","link":"https:\/\/www.devco.net\/archives\/2010\/12\/05\/redhat_ipsec_and_x509_certificates.php","title":{"rendered":"RedHat IPSec and x509 certificates"},"content":{"rendered":"

I’ve previously blogged about IPSec on RedHat and mentioned how great the ifcfg scripts are to get IPSec VPNs going.

In that post I used a pre-shared key to start the VPNs. That was fine then, but now I need something a bit better. IPSec supports standard PKI infrastructure and the RedHat scripts support it too, but their use isn’t well documented, so here is what I found through investigation.

First you’ll need a CA. The CA is used to sign your certificates, and every node needs a certificate of its own matching its Common Name. You also need the CRL and the CA certificate on all the machines. How to make a CA is out of scope for this post; there are many options out there such as TinyCA.

The complexity is in installing these certificates into the Racoon directory, since Racoon depends on very specific file names.

Given the RedHat interface config script below, which can be saved in /etc/sysconfig/network-scripts/ifcfg-ipsec.remote.host.net:


DST=1.2.3.4
TYPE=IPSEC
ONBOOT=yes
IKE_CERTFILE=/etc/racoon/certs/host.cert


You need to have the following files installed: