Using X.509 certificates to authenticate multiple Road Warriors to a Smoothwall Express firewall running VPN pack 3.1.1
This page is an attempt to gather together in one place all the information required to configure a Smoothwall Express firewall to support multiple "Road Warrior" VPN connections. I am by no stretch of the imagination an IPSec expert, and very little of the information on this page is original. My grateful acknowledgements must go to those in the Smoothwall community and elsewhere whose work is referenced below.
Mark A. Dods 28-02-2006.
- Modified 03-03-2006 to install Openswan upgrade before NAT Traversal kernel to avoid having to use the i_have_the_right_kernel.pl script to install Openswan.
- Ensure patches up to fixes8 installed on Smoothwall
- Install Openswan upgrade on Smoothwall
- Install NAT Traversal patched kernel on Smoothwall
- Install VPN IPSec pack V3.1.1 on Smoothwall
- Configure a "Road Warrior" connection on the Smoothwall according to the instructions in section VI of the VPN FAQ
- SSH into the smoothwall as root
- Add locations of ssl utils to path
    PATH=$PATH:/usr/local/ssl/bin:/usr/local/ssl/misc
- Edit OpenSSL config file
    joe /usr/local/ssl/openssl.cnf
  In the [ CA_default ] section
    - dir = /var/sslca
    - default_days = 5475
  In the [ req ] section
- Edit the Certificate Authority script
    joe /usr/local/ssl/misc/CA.sh
    - DAYS="-days 7500"
    - CATOP=/var/sslca
- Create and change to the Certificate Authority data directory
    mkdir /var/sslca
    cd /var/sslca
- Create the Certificate Authority certificate
    /usr/local/ssl/misc/CA.sh -newca
    - [Enter] to create a certificate
    - Enter and confirm a pass phrase
    - Enter country code
    - Enter State
    - Enter Town/Suburb
    - Enter Company or leave blank
    - Leave Organisational unit blank
    - Enter a name for your Certificate Authority
    - Enter an email address for your Certificate Authority
- Install the Certificate Authority certificate
    cp cacert.pem /etc/ipsec.d/cacerts
- Generate the CRL file (for revoking certificates)
    openssl ca -gencrl -out crl.pem
- Install the CRL file
    cp crl.pem /etc/ipsec.d/crls
- Create a certificate for the smoothwall
    /usr/local/ssl/misc/CA.sh -newreq
    - Enter and verify a password
    - Enter country code
    - Enter State
    - Enter Town/Suburb
    - Enter Company or leave blank
    - Leave Organisational unit blank
    - For the Common Name enter something to identify the machine this certificate is for. Suggest "smoothwall"
    - Enter an email address for this machine or leave blank
    - Leave challenge password and optional company name blank
- Sign the certificate for the smoothwall
    /usr/local/ssl/misc/CA.sh -sign
    - Enter the CA pass phrase
    - Y to sign the certificate
    - Y to commit
- Install the smoothwall's certificate
    cp newcert.pem smoothwall.pem
    cp newkey.pem smoothwall.key
    cp smoothwall.pem /etc/ipsec.d
    cp smoothwall.key /etc/ipsec.d/private/smoothwall.pem
- Create a certificate for the first road warrior (laptop1)
    /usr/local/ssl/misc/CA.sh -newreq
    - As for creating smoothwall's certificate except enter laptop1 for the common name
- Sign the certificate for the first road warrior (laptop1)
    /usr/local/ssl/misc/CA.sh -sign
    - As for signing the smoothwall's certificate
- Pack the certificate and key into a .p12 file for use on a Windows PC
    openssl pkcs12 -export -in newcert.pem -inkey newkey.pem -certfile cacert.pem -out newcert.p12
- Install the road warrior's certificate
    cp newcert.pem laptop1.pem
    cp newkey.pem laptop1.key
    cp newcert.p12 laptop1.p12
    cp laptop1.pem /etc/ipsec.d
    cp laptop1.key /etc/ipsec.d/private/laptop1.pem
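The certificate steps above (create the CA, issue and sign the smoothwall and laptop1 certificates, pack the road warrior's certificate into a .p12 file, and generate the CRL) as one non-interactive script. This is an added example, not code from the page or from the Smoothwall or Openswan projects: it uses plain openssl commands instead of CA.sh, writes its own minimal openssl.cnf in place of the edited /usr/local/ssl/openssl.cnf, and the subjects, pass phrases (capass, gwpass, rwpass) and working directory are constructed values. It also goes one step beyond the page by revoking a certificate and re-issuing the CRL, which shows what the crl.pem installed in /etc/ipsec.d/crls is for.

```shell
#!/bin/sh
# Added example, not from the original page: the CA, gateway and road-warrior
# certificates, .p12 bundle and CRL that the page builds interactively with CA.sh,
# issued here with plain openssl commands so the run is non-interactive and
# checkable. Subjects, pass phrases and the working directory are constructed
# values; on the Smoothwall the directory would be /var/sslca.
set -e

# Minimal stand-in for the edited /usr/local/ssl/openssl.cnf (dir=. instead of /var/sslca).
write_ca_config() {
    cat > ca.cnf <<'EOF'
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = .
database = $dir/index.txt
new_certs_dir = $dir/newcerts
serial = $dir/serial
crlnumber = $dir/crlnumber
certificate = $dir/cacert.pem
private_key = $dir/private/cakey.pem
default_days = 5475
default_crl_days = 30
default_md = sha256
policy = policy_anything
x509_extensions = v3_host
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
distinguished_name = req_dn
[ req_dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical, CA:true
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_host ]
basicConstraints = CA:false
keyUsage = digitalSignature, keyEncipherment
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
}

# CA.sh -newreq followed by CA.sh -sign: key + request for NAME ($1), signed by the CA.
issue_cert() {
    openssl req -new -newkey rsa:2048 -config ca.cnf -subj "/C=AU/ST=NSW/L=Sydney/CN=$1" \
        -keyout "$1.key" -out "$1.csr" -passout "pass:$2" 2>/dev/null
    openssl ca -batch -config ca.cnf -notext -in "$1.csr" -out "$1.pem" -passin pass:capass
}

# Build everything under DIR: CA (CA.sh -newca), smoothwall and laptop1 certs, laptop1.p12, crl.pem.
make_pki() {
    mkdir -p "$1/private" "$1/newcerts"
    ( set -e; cd "$1"; write_ca_config; : > index.txt; echo 01 > serial; echo 01 > crlnumber
      openssl req -x509 -newkey rsa:2048 -days 7500 -config ca.cnf -extensions v3_ca \
          -subj "/C=AU/ST=NSW/L=Sydney/CN=Example Home CA" \
          -keyout private/cakey.pem -out cacert.pem -passout pass:capass 2>/dev/null
      issue_cert smoothwall gwpass
      issue_cert laptop1 rwpass
      # Cert + key + CA cert in one PKCS#12 file for import on the Windows road warrior.
      openssl pkcs12 -export -in laptop1.pem -inkey laptop1.key -certfile cacert.pem \
          -out laptop1.p12 -passin pass:rwpass -passout pass:rwpass
      # Initial (empty) CRL, the "openssl ca -gencrl" step on the page.
      openssl ca -config ca.cnf -gencrl -out crl.pem -passin pass:capass )
}

# Number of certificates inside laptop1.p12 (expect 2: laptop1 and the CA).
p12_cert_count() {
    openssl pkcs12 -in "$1/laptop1.p12" -nokeys -passin pass:rwpass 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

# Exit status 0 only if CERT ($2) chains to cacert.pem and is not listed in crl.pem.
verify_cert() {
    ( cd "$1" && openssl verify -crl_check -CAfile cacert.pem -CRLfile crl.pem "$2" >/dev/null 2>&1 )
}

# Lost laptop: revoke its certificate and publish a new CRL (to be copied to /etc/ipsec.d/crls).
revoke_cert() {
    ( set -e; cd "$1"
      openssl ca -config ca.cnf -revoke "$2" -passin pass:capass
      openssl ca -config ca.cnf -gencrl -out crl.pem -passin pass:capass )
}

if [ "${1:-}" = demo ]; then
    work=$(mktemp -d); make_pki "$work"
    verify_cert "$work" laptop1.pem && echo "laptop1.pem: valid"
    revoke_cert "$work" laptop1.pem
    verify_cert "$work" laptop1.pem || echo "laptop1.pem: rejected after revocation"
fi
```

Run it as `sh mkpki.sh demo` to build the files in a temporary directory. The resulting files map onto the page's copy steps: cacert.pem to /etc/ipsec.d/cacerts, crl.pem to /etc/ipsec.d/crls, smoothwall.pem and laptop1.pem to /etc/ipsec.d, the .key files to /etc/ipsec.d/private under the .pem name, and laptop1.p12 to the road warrior. After revoking a laptop's certificate the regenerated crl.pem has to be copied to /etc/ipsec.d/crls again and Openswan restarted, otherwise the firewall keeps accepting the old certificate.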
- Configure the Road Warrior VPN connection to use the certificates
    cd /var/smoothwall/vpn
    joe ipsec.conf
  In the 'conn %default' section, add the lines:
    - authby=rsasig
    - leftrsasigkey=%cert
    - rightrsasigkey=%cert
  In the 'conn' section for the Road Warrior, enter the left and right cert lines at the end of the left and right specific options:
    - leftcert=smoothwall.pem
    - rightcert=laptop1.pem
- Tell Openswan the pass phrases for the certificate files
    joe ipsec.secrets
  Enter these lines at the end of the file:
    - <Red hostname or IP> %any : RSA smoothwall.pem "<pass phrase>"
    - <Red hostname or IP> %any : RSA laptop1.pem "<pass phrase>"
- Restart Openswan using the Restart button on the 'ipsec control' page in the VPN section of the smoothwall web based management
- Install WinSCP on the Road Warrior PC
- Use WinSCP to copy the certificates to the Road Warrior PC
  From /var/sslca copy:
    - cacert.pem
    - smoothwall.pem
    - laptop1.p12
- On the Road Warrior PC, rename the .pem files to .cer
- Install SSH Sentinel 1.3.2 on the Road Warrior PC
- Start the SSH Sentinel Policy Editor
    Start -> Programs -> SSH Sentinel -> SSH Sentinel Policy Editor
- Install the Certificate Authority certificate as a trusted CA
  In the Key Management tab of the Policy Editor:
    - Expand the Trusted Certificate branch of the tree
    - Right click on "Certification Authorities" and select "Import"
    - Select the cacert.cer file and click "Open"
    - Click "Yes" to accept the certificate
- Install the smoothwall certificate as a trusted host
  In the Key Management tab of the Policy Editor:
    - Expand the Trusted Certificate branch of the tree
    - Right click on "Remote Hosts" and select "Import"
    - Select the smoothwall.cer file and click "Open"
    - Click "Yes" to accept the certificate
- Install the Road Warrior certificate as a key
  In the Key Management tab of the Policy Editor:
    - Right click on "My Keys" and select "Import"
    - Select the laptop1.p12 file and click "Open"
    - Enter the certificate's pass phrase when prompted
    - Click "Yes" to accept the certificate
- Configure the VPN connection in SSH Sentinel
  In the Security Policy tab of the Policy Editor:
    - Right click on VPN Connections and select 'Add Rule'
    - Enter the Red hostname or IP address of the smoothwall as the Gateway Name (click on the IP button if entering an IP address)
    - Click on the '...' button to configure the remote subnet, then select it in the Remote network drop down menu
    - Select the certificate you imported for the road warrior in the Authentication key menu
    - Click OK
- If the road warrior is behind a NATing router:
  I have found that NAT Traversal needs to be enabled in SSH Sentinel to properly operate through a NATing router. Others have advised against enabling this. YMMV. To enable NAT Traversal:
    - If necessary, expand the VPN Connections branch of the tree
    - Right click on the new VPN connection and select 'Properties'
    - Click on the Advanced tab
    - Select the 'Enable Network Address Translation Traversal (Nat-T)' option
    - Click OK
- Test the connection
    - Click on the new VPN connection and click the Diagnostics button. If all is well with the configurations at each end, you will get a success message. Otherwise, time to start looking at the Smoothwall IPSec logs. I found using
        tail -f /var/log/secure
      more convenient than using the log display in the Smoothwall's web interface.
- Connect
    - Right click on the SSH Sentinel icon in the system tray and select your new VPN connection from the 'Select VPN' sub menu.
    - You should get a successful connect message.
    - Ping a host on the remote network to confirm connectivity
- Add more Road Warriors
    - Generate, sign, pack into a .p12 file, and install a new certificate for the new road warrior
    - Edit /var/smoothwall/vpn/ipsec.conf and duplicate the 'conn' section for the first road warrior. Give it a new title (conn xxxx) and edit the rightcert line
    - Add a line to /var/smoothwall/vpn/ipsec.secrets for the new certificate
    - Restart Openswan
    - Transfer the certificates to the new road warrior
    - Install SSH Sentinel, import the certificates, and configure the connections
    - Test
- If you've got this far, celebrate!
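The ipsec.conf and ipsec.secrets edits for an additional road warrior, as a shell function. This is an added example, not from the page or from Smoothwall: add_roadwarrior copies the first road warrior's 'conn' section in ipsec.conf under a new name with the rightcert line changed, appends the matching ipsec.secrets line, and refuses to run if the new certificate and key are not installed under /etc/ipsec.d or a conn of that name already exists (the file paths default to the ones on the page). The sample ipsec.conf it writes for a dry run is constructed; the keys in the laptop1 conn other than leftcert and rightcert are assumed, not taken from the page, and the placeholder PEM files stand in for real ones produced with CA.sh.

```shell
#!/bin/sh
# Added example, not from the original page: automates the "duplicate the conn,
# edit rightcert, add an ipsec.secrets line" step for a new road warrior.
# IPSEC_CONF, IPSEC_SECRETS and IPSEC_D default to the Smoothwall paths on the page.
set -e
IPSEC_CONF=${IPSEC_CONF:-/var/smoothwall/vpn/ipsec.conf}
IPSEC_SECRETS=${IPSEC_SECRETS:-/var/smoothwall/vpn/ipsec.secrets}
IPSEC_D=${IPSEC_D:-/etc/ipsec.d}

# Print TEMPLATE's ($1) conn section (from "conn TEMPLATE" to the next blank line or
# next conn header) renamed to NEW ($2), with rightcert=TEMPLATE.pem -> rightcert=NEW.pem.
clone_conn() {
    awk -v t="$1" -v n="$2" '
        /^conn /         { inblk = ($2 == t) }
        /^[[:space:]]*$/ { inblk = 0 }
        inblk {
            if ($0 == "conn " t) $0 = "conn " n
            gsub("rightcert=" t "\\.pem", "rightcert=" n ".pem")
            print
        }' "$IPSEC_CONF"
}

# add_roadwarrior TEMPLATE NEW RED PASSPHRASE
add_roadwarrior() {
    template="$1"; new="$2"; red="$3"; pass="$4"
    # The page installs the cert as /etc/ipsec.d/NEW.pem and the key as
    # /etc/ipsec.d/private/NEW.pem; check both exist and are the right kind of file.
    grep -q 'BEGIN CERTIFICATE' "$IPSEC_D/$new.pem" 2>/dev/null \
        || { echo "no certificate at $IPSEC_D/$new.pem" >&2; return 1; }
    grep -q 'PRIVATE KEY' "$IPSEC_D/private/$new.pem" 2>/dev/null \
        || { echo "no private key at $IPSEC_D/private/$new.pem" >&2; return 1; }
    grep -q "^conn $new\$" "$IPSEC_CONF" \
        && { echo "conn $new already exists in $IPSEC_CONF" >&2; return 1; }
    block=$(clone_conn "$template" "$new")
    [ -n "$block" ] || { echo "no conn $template to copy in $IPSEC_CONF" >&2; return 1; }
    printf '\n%s\n' "$block" >> "$IPSEC_CONF"
    # Same format as the two lines the page adds for smoothwall.pem and laptop1.pem.
    printf '%s %%any : RSA %s.pem "%s"\n' "$red" "$new" "$pass" >> "$IPSEC_SECRETS"
    echo "added conn $new; now restart Openswan from the 'ipsec control' page"
}

# Constructed dry-run input under DIR ($1); sets the three path variables to it.
make_fixture() {
    IPSEC_CONF="$1/ipsec.conf"; IPSEC_SECRETS="$1/ipsec.secrets"; IPSEC_D="$1/ipsec.d"
    mkdir -p "$IPSEC_D/private"
    # Stand-in for the Smoothwall-generated file; the laptop1 keys other than
    # leftcert/rightcert are assumed, not taken from the page.
    cat > "$IPSEC_CONF" <<'EOF'
conn %default
    authby=rsasig
    leftrsasigkey=%cert
    rightrsasigkey=%cert

conn laptop1
    left=203.0.113.10
    leftsubnet=192.168.1.0/24
    leftcert=smoothwall.pem
    right=%any
    rightcert=laptop1.pem
    auto=add
EOF
    : > "$IPSEC_SECRETS"
    # Placeholder PEM files so the existence checks pass; real ones come from CA.sh.
    echo '-----BEGIN CERTIFICATE-----' > "$IPSEC_D/laptop2.pem"
    echo '-----BEGIN RSA PRIVATE KEY-----' > "$IPSEC_D/private/laptop2.pem"
}

if [ "${1:-}" = demo ]; then
    make_fixture "$(mktemp -d)"
    add_roadwarrior laptop1 laptop2 203.0.113.10 'laptop2 pass phrase'
    cat "$IPSEC_CONF" "$IPSEC_SECRETS"
fi
```

Run `sh addrw.sh demo` to see the cloned conn and secrets line on the constructed input; on the firewall, call add_roadwarrior with the real paths and then restart Openswan. The duplicate-conn check matters because a second conn with the same name makes Openswan reject the whole configuration, and editing the files this way only stays valid as long as the 'ipsec connections' page of the web interface is not used afterwards, since it regenerates both files.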
Notes
Here's how to avoid some traps I fell into:
- Once you have edited /var/smoothwall/vpn/ipsec.conf or /var/smoothwall/vpn/ipsec.secrets manually, DO NOT use the 'ipsec connections' page of the VPN section of the Smoothwall web based interface again. It will overwrite these two files.
- Be consistent when referring to the Red interface of your Smoothwall. Stick to either the host name or the IP address in ipsec.conf, ipsec.secrets and SSH Sentinel.
- Once the X.509 certificate lines are added to a 'conn' in ipsec.conf, the status of the connection in the web interface is listed as 'CONFIGURATION NOT ADDED'. This is not necessarily accurate. You need to check the logs manually.
References