Uatoken in Linux and Windows
From Xgu.ru
This article describes an example of configuring certificate-based authentication for users connecting to a VPN server running Debian GNU/Linux. The tunnelling protocol is L2TP over IPsec with pre-shared keys. The user's certificate and private key must always reside on a uatoken USB device; either a device labelled uatoken or a uatoken S will do (only the latter can be used on Unix-like systems). The client is a computer running Windows XP SP3. Two authentication layers are involved: the IPsec transport that carries L2TP is authenticated with a pre-shared key, and the user is authenticated inside PPP by EAP-TLS with the certificate on the token.

Because a uatoken device is used, the simpler approach with OpenVPN is not sufficient: the OpenVPN client cannot reach the USB device through the vendor's PKCS#11 module. The object list it returns is empty:

C:\Program Files\OpenVPN\bin>openvpn.exe --show-pkcs11-ids "c:\Program Files\uaToken\Drivers\utpkcs11.dll"

The following objects are available for use.
Each object shown below may be used as parameter to
--pkcs11-id option please remember to use single quote mark.

With other freely available software, the OpenSC PKCS#11 module, the result is the same:

C:\Program Files\OpenVPN\bin>openvpn.exe --show-pkcs11-ids "C:\WINDOWS\system32\opensc-pkcs11.dll"

The following objects are available for use.
Each object shown below may be used as parameter to
--pkcs11-id option please remember to use single quote mark.

The standard Windows VPN client, on the other hand, can access the USB device. The server side, running Debian GNU/Linux, therefore has to be configured so that the standard Windows VPN client can establish a VPN connection over L2TP with pre-shared keys and authenticate the user with the certificate on the USB token. That is what the rest of the article covers.
Server-side configuration

Installing the required software

sudo apt-get install openswan xl2tpd ppp openssl

OpenSwan

For a detailed description of the configuration options and of how the services interact, see Using a Linux L2TP/IPsec VPN server.
Creating certificates

Creating the CA certificate

The CA.sh wrapper is used with the OpenSSL defaults of the time, shown here as recorded: 1024-bit RSA keys and SHA-1 signatures. Both are below current minimums; for a new deployment set default_bits to at least 2048 and default_md to sha256 in openssl.cnf before running these steps.

clint:~/keys1$ /usr/lib/ssl/misc/CA.sh -newca
CA certificate filename (or enter to create)

Making CA certificate ...
Generating a 1024 bit RSA private key
.............++++++
.++++++
writing new private key to './demoCA/private/./cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:UA
State or Province Name (full name) [Some-State]:Kievskaya
Locality Name (eg, city) []:Kiev
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Techexpert LTD
Organizational Unit Name (eg, section) []:Education Center "Networking Technologies"
Common Name (eg, YOUR name) []:Techexpert CA
Email Address []:scherepenin@techexpert.ua

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/./cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 0 (0x0)
        Validity
            Not Before: Mar 10 22:06:35 2009 GMT
            Not After : Mar  9 22:06:35 2012 GMT
        Subject:
            countryName               = UA
            stateOrProvinceName       = Kievskaya
            organizationName          = Techexpert LTD
            organizationalUnitName    = Education Center "Networking Technologies"
            commonName                = Techexpert CA
            emailAddress              = scherepenin@techexpert.ua
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                10:DD:FD:B4:BD:62:C9:29:AB:5A:DF:46:F2:97:F8:75:34:10:86:F6
            X509v3 Authority Key Identifier:
                keyid:10:DD:FD:B4:BD:62:C9:29:AB:5A:DF:46:F2:97:F8:75:34:10:86:F6
                DirName:/C=UA/ST=Kievskaya/O=Techexpert LTD/OU=Education Center "Networking Technologies"/CN=Techexpert CA/emailAddress=scherepenin@techexpert.ua
                serial:00

            X509v3 Basic Constraints:
                CA:TRUE
Certificate is to be certified until Mar  9 22:06:35 2012 GMT (1095 days)

Write out database with 1 new entries
Data Base Updated
Creating the CRL

Before generating the CRL, comment out the following line in the OpenSSL configuration; otherwise openssl ca fails because the CRL-number file it refers to does not exist yet. (An alternative that keeps the CRL Number extension in the CRL is to create that file, demoCA/crlnumber, with the initial value 01 and leave the option enabled.)

sudo vim /usr/lib/ssl/openssl.cnf
#crlnumber = $dir/crlnumber # the current crl number

clint:~/keys1$ openssl ca -gencrl -out crl.pem
Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Creating the client certificate

- Request for a new certificate

Note that the example reuses the CA's own Distinguished Name (Common Name "Techexpert CA") for the client. In practice each client certificate should carry a distinct Common Name that identifies the user: that is the identity the certificate asserts in EAP-TLS and the name that can be matched in /etc/ppp/eaptls-server.

clint:~/keys1$ /usr/lib/ssl/misc/CA.sh -newreq
Generating a 1024 bit RSA private key
....................++++++
........++++++
writing new private key to 'newkey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:UA
State or Province Name (full name) [Some-State]:Kievskaya
Locality Name (eg, city) []:Kiev
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Techexpert LTD
Organizational Unit Name (eg, section) []:Education Center "Networking Technologies"
Common Name (eg, YOUR name) []:Techexpert CA
Email Address []:scherepenin@techexpert.ua

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Request is in newreq.pem, private key is in newkey.pem
- Signing the request

clint:~/keys1$ /usr/lib/ssl/misc/CA.sh -sign
Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Mar 10 22:15:16 2009 GMT
            Not After : Mar 10 22:15:16 2010 GMT
        Subject:
            countryName               = UA
            stateOrProvinceName       = Kievskaya
            localityName              = Kiev
            organizationName          = Techexpert LTD
            organizationalUnitName    = Education Center "Networking Technologies"
            commonName                = Techexpert CA
            emailAddress              = scherepenin@techexpert.ua
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                3E:D8:81:72:FD:A7:49:FA:F0:32:A4:63:00:E8:3C:A4:54:C0:5F:F7
            X509v3 Authority Key Identifier:
                keyid:10:DD:FD:B4:BD:62:C9:29:AB:5A:DF:46:F2:97:F8:75:34:10:86:F6

Certificate is to be certified until Mar 10 22:15:16 2010 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=UA, ST=Kievskaya, O=Techexpert LTD, OU=Education Center "Networking Technologies", CN=Techexpert CA/emailAddress=scherepenin@techexpert.ua
        Validity
            Not Before: Mar 10 22:15:16 2009 GMT
            Not After : Mar 10 22:15:16 2010 GMT
        Subject: C=UA, ST=Kievskaya, L=Kiev, O=Techexpert LTD, OU=Education Center "Networking Technologies", CN=Techexpert CA/emailAddress=scherepenin@techexpert.ua
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:bf:2d:cc:93:87:11:70:60:f7:13:fb:bb:df:bc:
                    c6:00:b2:2e:fe:46:d1:69:29:fe:19:18:1e:b1:4d:
                    6b:11:c0:43:4d:5d:a2:5d:29:4f:95:35:68:cc:4c:
                    e7:a2:76:4e:b2:f9:b0:55:6f:66:83:c4:3e:26:3d:
                    52:7e:72:60:d5:36:fe:97:c6:fe:93:81:1c:c1:ec:
                    20:fa:91:eb:dd:7f:79:71:37:32:fb:c7:9b:e1:63:
                    48:f1:86:d7:d0:67:f4:92:f3:47:de:b1:0f:07:4c:
                    00:65:98:6c:fb:f0:2a:c0:25:44:91:ef:54:e4:0b:
                    5c:60:ca:90:e4:ed:87:9b:71
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                3E:D8:81:72:FD:A7:49:FA:F0:32:A4:63:00:E8:3C:A4:54:C0:5F:F7
            X509v3 Authority Key Identifier:
                keyid:10:DD:FD:B4:BD:62:C9:29:AB:5A:DF:46:F2:97:F8:75:34:10:86:F6

    Signature Algorithm: sha1WithRSAEncryption
        84:f9:63:99:e6:02:16:6f:81:b9:39:fc:ad:f7:a9:75:13:5e:
        de:28:6e:86:f9:07:ac:3c:6d:5d:f4:b4:0d:74:45:95:66:9f:
        db:62:50:51:6b:4f:1d:7a:f2:31:6f:15:16:50:3b:af:48:ec:
        2c:d0:4c:14:73:57:3d:54:7c:71:c0:2b:91:21:ce:43:b4:30:
        e6:6e:3e:c5:66:4a:c5:07:b6:ac:9a:cf:7d:e8:b4:37:ca:07:
        95:90:24:b8:f4:10:58:75:58:50:41:71:28:d5:20:28:67:8d:
        69:8f:de:2f:9f:e0:de:1b:72:31:b0:92:bc:9d:ca:71:a5:03:
        71:16
-----BEGIN CERTIFICATE-----
MIIDZDCCAs2gAwIBAgIBATANBgkqhkiG9w0BAQUFADCBsTELMAkGA1UEBhMCVUEx
EjAQBgNVBAgTCUtpZXZza2F5YTEXMBUGA1UEChMOVGVjaGV4cGVydCBMVEQxMzAx
BgNVBAsUKkVkdWNhdGlvbiBDZW50ZXIgIk5ldHdvcmtpbmcgVGVjaG5vbG9naWVz
IjEWMBQGA1UEAxMNVGVjaGV4cGVydCBDQTEoMCYGCSqGSIb3DQEJARYZc2NoZXJl
cGVuaW5AdGVjaGV4cGVydC51YTAeFw0wOTAzMTAyMjE1MTZaFw0xMDAzMTAyMjE1
MTZaMIHAMQswCQYDVQQGEwJVQTESMBAGA1UECBMJS2lldnNrYXlhMQ0wCwYDVQQH
EwRLaWV2MRcwFQYDVQQKEw5UZWNoZXhwZXJ0IExURDEzMDEGA1UECxQqRWR1Y2F0
aW9uIENlbnRlciAiTmV0d29ya2luZyBUZWNobm9sb2dpZXMiMRYwFAYDVQQDEw1U
ZWNoZXhwZXJ0IENBMSgwJgYJKoZIhvcNAQkBFhlzY2hlcmVwZW5pbkB0ZWNoZXhw
ZXJ0LnVhMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC/LcyThxFwYPcT+7vf
vMYAsi7+RtFpKf4ZGB6xTWsRwENNXaJdKU+VNWjMTOeidk6y+bBVb2aDxD4mPVJ+
cmDVNv6Xxv6TgRzB7CD6kevdf3lxNzL7x5vhY0jxhtfQZ/SS80fesQ8HTABlmGz7
8CrAJUSR71TkC1xgypDk7YebcQIDAQABo3sweTAJBgNVHRMEAjAAMCwGCWCGSAGG
+EIBDQQfFh1PcGVuU1NMIEdlbmVyYXRlZCBDZXJ0aWZpY2F0ZTAdBgNVHQ4EFgQU
PtiBcv2nSfrwMqRjAOg8pFTAX/cwHwYDVR0jBBgwFoAUEN39tL1iySmrWt9G8pf4
dTQQhvYwDQYJKoZIhvcNAQEFBQADgYEAhPljmeYCFm+BuTn8rfepdRNe3ihuhvkH
rDxtXfS0DXRFlWaf22JQUWtPHXryMW8VFlA7r0jsLNBMFHNXPVR8ccArkSHOQ7Qw
5m4+xWZKxQe2rJrPfei0N8oHlZAkuPQQWHVYUEFxKNUgKGeNaY/eL5/g3htyMbCS
vJ3KcaUDcRY=
-----END CERTIFICATE-----
Signed certificate is in newcert.pem
- Renaming the files

clint:~/keys1$ mv newkey.pem client_priv_key.pem
clint:~/keys1$ cat client_priv_key.pem
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,9356117DDF581516

fKb3hTKCLXjcKvxH4F2yFySgquEk7Sy43JMfuDsulG103xA/gc3RgMwr1r0t2IIc
5gd8ZOjXN5+IGTBq4d8mZHhs1NJ6oIqJqkXzxr6hoeARmvW673sqNiCg8EhZ4RrF
DusFUEFPAi2pmPG4dZT6lZS3HdaCqKb+e0uC0+xI8/HrUH+bOrvL15t1g8cReFiq
9wGYh/Cu2JfW4YvNAl49knckHROvTVl5MbkTTVRcn1UcMPlyGhZ8Gk9Qg85mZz3G
aPcqrKhkkezP7U2LihBWoKT4ycHlGq4NQPaHar/N7W4k8lsPjHqX+09n5eiCjDwu
PuSLwqSQDq33T1CsUse8wc1nfIon9hvBLECr0dRpoDL1ezQTG4FoTwrS+LsHKQca
3fgjZAYDtSf+iU75zUpbLaC+3FumTy6KJlHXd0oLPXx1BFtvfn6rrvuBVBhW9Yle
+oALa+7FMdn7DpCBqZrU187gVw86T1zJaGDvI/P7MgG3nZhskPh4kuG4u8gUatFB
+n4TOcq0LLm6i2hsM0DNqjZ26KrgmIMxaNH0xQgIOVK8ZJnVoOrDEVgpiWfQW0zt
gj7+SqyNwocPck/fzfQ/3nJaj7ZS463cD8bhKdqshKRMokDu8nkssk5/9XCfMfcV
OzLHylEpEZm3BRN6f6nnFOw/Wd03qMlmniz/n/Zoo1Gor404G6k4ONc/mBOqwNuE
4nVZ4GMcclrxgnqelGbJMDARHHSHm4AJVSE/Ax/pm/yETRzN+6IuLHt7/Bx4qXSo
VEy2/Yh+3rCvVrFbiKTMuq87s2gb/+H+yYFLa8pv+zxyDNKoboN1Vw==
-----END RSA PRIVATE KEY-----

clint:~/keys1$ mv newcert.pem client_cert.pem
clint:~/keys1$ cat client_cert.pem
(the output is the certificate printed by CA.sh -sign above, from "Certificate:" through "-----END CERTIFICATE-----")
Creating the server certificate

- Creating the server certificate request:

clint:~/keys1$ /usr/lib/ssl/misc/CA.sh -newreq
Generating a 1024 bit RSA private key
.......++++++
....................................++++++
writing new private key to 'newkey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:UA
State or Province Name (full name) [Some-State]:Kievskaya
Locality Name (eg, city) []:Kiev
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Techexpert LTD
Organizational Unit Name (eg, section) []:Education Center "Networking Technologies"
Common Name (eg, YOUR name) []:Techexpert CA
Email Address []:scherepenin@techexpert.ua

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Request is in newreq.pem, private key is in newkey.pem

Again the request reuses the CA's Distinguished Name; give the server its own Common Name. Note also that CA.sh -sign uses the usr_cert section of openssl.cnf, which adds no Extended Key Usage. The Windows EAP-TLS client, when "Validate server certificate" is enabled, requires the Server Authentication EKU (1.3.6.1.5.5.7.3.1) on the server certificate, so either add extendedKeyUsage = serverAuth to that section before signing, or the client has to be configured not to validate the server certificate, which removes its protection against a rogue server.

- Signing the request:

clint:~/keys1$ /usr/lib/ssl/misc/CA.sh -sign
Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 2 (0x2)
        Validity
            Not Before: Mar 10 22:27:10 2009 GMT
            Not After : Mar 10 22:27:10 2010 GMT
        Subject:
            countryName               = UA
            stateOrProvinceName       = Kievskaya
            localityName              = Kiev
            organizationName          = Techexpert LTD
            organizationalUnitName    = Education Center "Networking Technologies"
            commonName                = Techexpert CA
            emailAddress              = scherepenin@techexpert.ua
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                6E:D2:03:4F:1E:FC:72:68:71:13:87:CD:CD:1B:2B:5F:DF:CB:1F:BA
            X509v3 Authority Key Identifier:
                keyid:10:DD:FD:B4:BD:62:C9:29:AB:5A:DF:46:F2:97:F8:75:34:10:86:F6

Certificate is to be certified until Mar 10 22:27:10 2010 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 2 (0x2)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=UA, ST=Kievskaya, O=Techexpert LTD, OU=Education Center "Networking Technologies", CN=Techexpert CA/emailAddress=scherepenin@techexpert.ua
        Validity
            Not Before: Mar 10 22:27:10 2009 GMT
            Not After : Mar 10 22:27:10 2010 GMT
        Subject: C=UA, ST=Kievskaya, L=Kiev, O=Techexpert LTD, OU=Education Center "Networking Technologies", CN=Techexpert CA/emailAddress=scherepenin@techexpert.ua
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:c2:f4:39:e3:3c:bf:c9:5d:13:19:8f:4e:37:e8:
                    9f:64:1b:ab:88:35:87:19:af:1f:a6:df:ae:64:a7:
                    ed:77:8e:a5:ff:a1:0d:7b:6f:28:55:9d:b9:52:30:
                    39:db:5b:5f:95:1b:db:f8:81:fd:c4:47:de:ed:b1:
                    d5:97:95:74:b7:dd:4f:c9:73:92:47:28:e3:1e:34:
                    d4:98:4b:e6:43:cb:ec:08:ef:f6:2c:a2:3c:98:be:
                    aa:2b:05:19:a4:fd:be:6a:80:69:c2:11:75:a6:95:
                    8d:95:a4:ff:cd:c6:c3:f4:4f:ab:47:be:58:26:3e:
                    7e:a6:67:0e:8b:91:a6:ae:5d
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                6E:D2:03:4F:1E:FC:72:68:71:13:87:CD:CD:1B:2B:5F:DF:CB:1F:BA
            X509v3 Authority Key Identifier:
                keyid:10:DD:FD:B4:BD:62:C9:29:AB:5A:DF:46:F2:97:F8:75:34:10:86:F6

    Signature Algorithm: sha1WithRSAEncryption
        20:6a:20:63:fd:22:a8:d4:87:f2:b0:8a:18:b6:c8:79:b5:d2:
        2d:eb:d7:b2:24:fa:25:71:6a:90:c2:c0:e1:de:7c:27:2b:f8:
        8f:74:6c:08:e5:99:a6:00:04:64:d6:9e:19:fb:b3:03:65:ad:
        15:2e:e0:5a:e3:bd:59:1a:14:4b:ac:c1:7f:f4:a7:49:39:b7:
        c8:86:23:a4:b4:5c:a8:9c:f4:fd:09:91:f2:99:12:69:e4:81:
        ed:a9:6f:da:0b:e6:26:6b:ac:e7:33:b7:fd:cf:dd:37:20:92:
        6c:55:f1:ec:aa:ef:28:c1:97:4c:1f:85:67:9e:ee:3d:0e:4e:
        ce:72
-----BEGIN CERTIFICATE-----
MIIDZDCCAs2gAwIBAgIBAjANBgkqhkiG9w0BAQUFADCBsTELMAkGA1UEBhMCVUEx
EjAQBgNVBAgTCUtpZXZza2F5YTEXMBUGA1UEChMOVGVjaGV4cGVydCBMVEQxMzAx
BgNVBAsUKkVkdWNhdGlvbiB DZW50ZXIgIk5ldHdvcmtpbmcgVGVjaG5vbG9naWVz
IjEWMBQGA1UEAxMNVGVjaGV4cGVydCBDQTEoMCYGCSqGSIb3DQEJARYZc2NoZXJl
cGVuaW5AdGVjaGV4cGVydC51YTAeFw0wOTAzMTAyMjI3MTBaFw0xMDAzMTAyMjI3
MTBaMIHAMQswCQYDVQQGEwJVQTESMBAGA1UECBMJS2lldnNrYXlhMQ0wCwYDVQQH
EwRLaWV2MRcwFQYDVQQKEw5UZWNoZXhwZXJ0IExURDEzMDEGA1UECxQqRWR1Y2F0
aW9uIENlbnRlciAiTmV0d29ya2luZyBUZWNobm9sb2dpZXMiMRYwFAYDVQQDEw1U
ZWNoZXhwZXJ0IENBMSgwJgYJKoZIhvcNAQkBFhlzY2hlcmVwZW5pbkB0ZWNoZXhw
ZXJ0LnVhMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDC9DnjPL/JXRMZj043
6J9kG6uINYcZrx+m365kp+13jqX/oQ17byhVnblSMDnbW1+VG9v4gf3ER97tsdWX
lXS33U/Jc5JHKOMeNNSYS+ZDy+wI7/YsojyYvqorBRmk/b5qgGnCEXWmlY2VpP/N
xsP0T6tHvlgmPn6mZw6LkaauXQIDAQABo3sweTAJBgNVHRMEAjAAMCwGCWCGSAGG
+EIBDQQfFh1PcGVuU1NMIEdlbmVyYXRlZCBDZXJ0aWZpY2F0ZTAdBgNVHQ4EFgQU
btIDTx78cmhxE4fNzRsrX9/LH7owHwYDVR0jBBgwFoAUEN39tL1iySmrWt9G8pf4
dTQQhvYwDQYJKoZIhvcNAQEFBQADgYEAIGogY/0iqNSH8rCKGLbIebXSLevXsiT6
JXFqkMLA4d58Jyv4j3RsCOWZpgAEZNaeGfuzA2WtFS7gWuO9WRoUS6zBf/SnSTm3
yIYjpLRcqJz0/QmR8pkSaeSB7alv2gvmJmus5zO3/c/dNyCSbFXx7KrvKMGXTB+F
Z57uPQ5OznI=
-----END CERTIFICATE-----
Signed certificate is in newcert.pem
- Renaming the files

clint:~/keys1$ mv newcert.pem server_cert.pem
clint:~/keys1$ mv newkey.pem server_priv_key.pem

- Copying to the server

debian:/etc/ipsec.d/certs# scp clint@192.168.70.3:~/keys1/client_cert.pem .
client_cert.pem                               100% 3497     3.4KB/s   00:00
debian:/etc/ipsec.d/certs# ls
client_cert.pem
debian:/etc/ipsec.d/certs# scp clint@192.168.70.3:~/keys1/server_cert.pem .
server_cert.pem                               100% 3497     3.4KB/s   00:00
debian:/etc/ipsec.d/certs# cd ../private/
debian:/etc/ipsec.d/private# scp clint@192.168.70.3:/home/clint/keys1/server_priv_key.pem .
server_priv_key.pem                           100%  963     0.9KB/s   00:00
debian:/etc/ipsec.d/private# scp clint@192.168.70.3:/home/clint/keys1/client_priv_key.pem .
client_priv_key.pem                           100%  963     0.9KB/s   00:00
debian:/etc/ipsec.d/private# cd ../cacerts/
debian:/etc/ipsec.d/cacerts# ls
debian:/etc/ipsec.d/cacerts# scp clint@192.168.70.3:/home/clint/keys1/demoCA/cacert.pem .
cacert.pem                                    100% 3786     3.7KB/s   00:00
debian:/etc/ipsec.d/cacerts# cd ../crls/
debian:/etc/ipsec.d/crls# scp clint@192.168.70.3:/home/clint/keys1/crl.pem .
crl.pem                                       100%  564     0.6KB/s   00:00

Two remarks on this step. First, the client's private key is copied to the server as well; nothing on the server needs it, and the whole point of the token is that this key exists only there, so that copy should be omitted, and the key file should not stay on the CA host longer than the PKCS#12 export below requires. Second, the IPsec layer of this setup is authenticated with a pre-shared key, so openswan never reads /etc/ipsec.d/certs, /etc/ipsec.d/private or /etc/ipsec.d/cacerts here; the files that matter are the ones referenced from /etc/ppp/eaptls-server further down.
- Converting the certificates to PKCS#12

clint:~/keys1$ openssl pkcs12 -export -in client_cert.pem -inkey client_priv_key.pem -certfile demoCA/cacert.pem -out client_cert_pkcs12.p12
Enter pass phrase for client_priv_key.pem:
Enter Export Password:
Verifying - Enter Export Password:

clint:~/keys1$ openssl pkcs12 -export -in demoCA/cacert.pem -inkey demoCA/private/cakey.pem -certfile demoCA/cacert.pem -out ca_cert_pkcs12.p12
Enter pass phrase for demoCA/private/cakey.pem:
Enter Export Password:
Verifying - Enter Export Password:

The first container is what gets loaded onto the token: the client certificate and its private key, with the CA certificate for the chain. The second one bundles the CA's private key with the CA certificate. The Windows client only needs the CA certificate in its trusted root store, and the CA key must never leave the CA host, so do not distribute ca_cert_pkcs12.p12 in this form; import demoCA/cacert.pem directly, or export it with -nokeys if a PKCS#12 container is required.
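Whether certificates produced this way would pass a current policy check can be verified without external tools. The following Python script is an added example, not code from the original article: it contains a minimal DER walker that pulls the signature algorithm, RSA modulus size, expiry date and the basicConstraints and extendedKeyUsage extensions out of a PEM certificate and turns them into findings. The embedded sample is the client certificate printed above; the 2048-bit floor and the rejection of SHA-1 are the script's own assumptions, and the extendedKeyUsage finding reflects what the Windows EAP-TLS client requires of the server certificate.

```python
import base64
import re
from datetime import datetime, timezone

# Constructed sample input: the client certificate that CA.sh -sign printed
# above (1024-bit RSA, SHA-1 signature, no extendedKeyUsage), copied verbatim.
SAMPLE_CERT_PEM = """-----BEGIN CERTIFICATE-----
MIIDZDCCAs2gAwIBAgIBATANBgkqhkiG9w0BAQUFADCBsTELMAkGA1UEBhMCVUEx
EjAQBgNVBAgTCUtpZXZza2F5YTEXMBUGA1UEChMOVGVjaGV4cGVydCBMVEQxMzAx
BgNVBAsUKkVkdWNhdGlvbiBDZW50ZXIgIk5ldHdvcmtpbmcgVGVjaG5vbG9naWVz
IjEWMBQGA1UEAxMNVGVjaGV4cGVydCBDQTEoMCYGCSqGSIb3DQEJARYZc2NoZXJl
cGVuaW5AdGVjaGV4cGVydC51YTAeFw0wOTAzMTAyMjE1MTZaFw0xMDAzMTAyMjE1
MTZaMIHAMQswCQYDVQQGEwJVQTESMBAGA1UECBMJS2lldnNrYXlhMQ0wCwYDVQQH
EwRLaWV2MRcwFQYDVQQKEw5UZWNoZXhwZXJ0IExURDEzMDEGA1UECxQqRWR1Y2F0
aW9uIENlbnRlciAiTmV0d29ya2luZyBUZWNobm9sb2dpZXMiMRYwFAYDVQQDEw1U
ZWNoZXhwZXJ0IENBMSgwJgYJKoZIhvcNAQkBFhlzY2hlcmVwZW5pbkB0ZWNoZXhw
ZXJ0LnVhMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC/LcyThxFwYPcT+7vf
vMYAsi7+RtFpKf4ZGB6xTWsRwENNXaJdKU+VNWjMTOeidk6y+bBVb2aDxD4mPVJ+
cmDVNv6Xxv6TgRzB7CD6kevdf3lxNzL7x5vhY0jxhtfQZ/SS80fesQ8HTABlmGz7
8CrAJUSR71TkC1xgypDk7YebcQIDAQABo3sweTAJBgNVHRMEAjAAMCwGCWCGSAGG
+EIBDQQfFh1PcGVuU1NMIEdlbmVyYXRlZCBDZXJ0aWZpY2F0ZTAdBgNVHQ4EFgQU
PtiBcv2nSfrwMqRjAOg8pFTAX/cwHwYDVR0jBBgwFoAUEN39tL1iySmrWt9G8pf4
dTQQhvYwDQYJKoZIhvcNAQEFBQADgYEAhPljmeYCFm+BuTn8rfepdRNe3ihuhvkH
rDxtXfS0DXRFlWaf22JQUWtPHXryMW8VFlA7r0jsLNBMFHNXPVR8ccArkSHOQ7Qw
5m4+xWZKxQe2rJrPfei0N8oHlZAkuPQQWHVYUEFxKNUgKGeNaY/eL5/g3htyMbCS
vJ3KcaUDcRY=
-----END CERTIFICATE-----"""

WEAK_SIG = {"1.2.840.113549.1.1.4": "md5WithRSA", "1.2.840.113549.1.1.5": "sha1WithRSA"}
OID_BASIC, OID_EKU = "2.5.29.19", "2.5.29.37"  # basicConstraints, extendedKeyUsage

def _tlv(buf, pos=0):
    """Read one DER element at pos: (tag, value bytes, offset after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(val):
    """Split a constructed element's value into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(val):
        tag, inner, pos = _tlv(val, pos)
        out.append((tag, inner))
    return out

def _oid(val):
    """Decode an OBJECT IDENTIFIER value to dotted-decimal form."""
    parts, acc = [str(val[0] // 40), str(val[0] % 40)], 0
    for b in val[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear ends a sub-identifier
            parts.append(str(acc))
            acc = 0
    return ".".join(parts)

def parse_cert(pem):
    """Extract signature algorithm, RSA size, expiry, CA flag and EKU list."""
    der = base64.b64decode(re.sub(r"-----[^-]+-----|\s+", "", pem))
    tbs = _children(_children(_tlv(der)[1])[0][1])
    if tbs[0][0] == 0xA0:  # explicit [0] version, present on v3 certificates
        tbs = tbs[1:]
    _serial, sig_alg, _issuer, validity, _subject, spki = tbs[:6]
    bits = _children(spki[1])[1][1]  # BIT STRING value; first byte = unused bits
    modulus = _children(_tlv(bits[1:])[1])[0][1]  # RSAPublicKey.modulus INTEGER
    tag, stamp = _children(validity[1])[1]  # notAfter: UTCTime (0x17) or GeneralizedTime
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    info = {
        "sig_alg": _oid(_children(sig_alg[1])[0][1]),
        "rsa_bits": int.from_bytes(modulus, "big").bit_length(),
        "not_after": datetime.strptime(stamp.decode(), fmt).replace(tzinfo=timezone.utc),
        "ca": False,
        "eku": [],
    }
    for tag, val in tbs[6:]:
        if tag != 0xA3:  # [3] EXPLICIT Extensions
            continue
        for _, ext in _children(_tlv(val)[1]):
            fields = _children(ext)  # OID, optional critical BOOLEAN, OCTET STRING
            oid, body = _oid(fields[0][1]), _tlv(fields[-1][1])[1]
            if oid == OID_BASIC:  # cA BOOLEAN defaults to FALSE when absent
                info["ca"] = any(t == 0x01 and v == b"\xff" for t, v in _children(body))
            elif oid == OID_EKU:
                info["eku"] = [_oid(v) for _, v in _children(body)]
    return info

def audit(pem, min_rsa_bits=2048, now=None):
    """Return (info, findings) for a PEM certificate; thresholds are assumptions."""
    info, now = parse_cert(pem), now or datetime.now(timezone.utc)
    checks = [
        (info["sig_alg"] in WEAK_SIG, "weak signature algorithm " + WEAK_SIG.get(info["sig_alg"], "")),
        (info["rsa_bits"] < min_rsa_bits, f"RSA modulus is {info['rsa_bits']} bits, below {min_rsa_bits}"),
        (now > info["not_after"], "expired on " + info["not_after"].date().isoformat()),
        (not info["ca"] and not info["eku"], "no extendedKeyUsage; Windows EAP-TLS expects serverAuth on the server certificate"),
    ]
    return info, [msg for hit, msg in checks if hit]
```

Pointed at the server certificate above, audit() reports the same four findings; for demoCA/cacert.pem the CA flag suppresses the extendedKeyUsage finding, while the key size and SHA-1 findings remain.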
Configuring openswan

- OpenSWAN configuration file (comments and blank lines filtered out):

egrep -v "^#|^ *$|.*#.*" /etc/ipsec.conf
config setup
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
    OE=off
    protostack=netkey
include /etc/ipsec.d/examples/l2tp-psk.conf
include /etc/ipsec.d/examples/l2tp-psk2.conf

The third virtual_private entry was written as %4:172.16.0.0/12 in the original listing; every entry needs the %v4: prefix, which is corrected here.

egrep -v "^#|^ *$|.*#.*" /etc/ipsec.d/examples/l2tp-psk.conf
conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT
conn L2TP-PSK-noNAT
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    rekey=no
    ikelifetime=8h
    keylife=1h
    type=transport
    left=192.168.16.3
    leftprotoport=17/1701
    right=192.168.16.234
    rightprotoport=17/0

Here right= is pinned to a single client address (the secrets file below lists a second client, 10.0.17.111, which is served by l2tp-psk2.conf, not shown); for arbitrary clients the stock example uses right=%any.

- File containing the pre-shared keys for establishing the L2TP tunnel:

egrep -v "^#|^ *$|.*#.*" /etc/ipsec.secrets
192.168.16.3 192.168.16.234: PSK "password"
192.168.16.3 10.0.17.111: PSK "password"

"password" is a placeholder. Use a long random PSK (32 bytes from a CSPRNG, base64-encoded, is a reasonable choice) and keep in mind that it is shared by every client: it authenticates the IPsec transport, while the user's identity is established by EAP-TLS inside the tunnel.
Configuring xl2tpd

grep -v '^;' /etc/xl2tpd/xl2tpd.conf
[lns default]                                   ; Our fallthrough LNS definition
exclusive = no                                  ; * Only permit one tunnel per host
ip range = 192.168.20.1-192.168.20.20           ; * Allocate from this IP range
local ip = 192.168.20.21                        ; * Our local IP to use
length bit = yes                                ; * Use length bit in payload?
require authentication = yes                    ; * Require peer to authenticate
ppp debug = yes                                 ; * Turn on PPP debugging
pppoptfile = /etc/ppp/options.l2tpd.lns         ; * ppp options file
flow bit = yes                                  ; * Include sequence numbers
refuse pap = yes                                ; * Refuse PAP authentication
refuse chap = yes

cat /etc/ppp/options.l2tpd.lns
name l2tp
mtu 1410
mru 1410
lcp-echo-interval 3
lcp-echo-failure 8
require-mppe-128
logfile /var/log/pppd
nodeflate
nobsdcomp
nopcomp
noaccomp
noproxyarp
defaultroute
lock
auth
password password    # <== passphrase that unlocks the server's private key
plugin radius.so
plugin radattr.so

The password option holds the passphrase of the server's private key: the EAP-TLS patch hands this value to OpenSSL when it loads an encrypted key file. Two of the remaining options deserve a second look. defaultroute belongs in a client's options, not in an LNS file, where it would try to point the server's default route at each connecting client (pppd only declines when a default route already exists). The two radius plugins are loaded, but no RADIUS configuration is shown in this article.
Configuring pppd

Before pppd can be configured it must be rebuilt with EAP-TLS support, so that it can verify the certificate the client presents during authentication.

- Installing the required software:

apt-get install libcurl4-openssl-dev

The EAP-TLS patch needs the OpenSSL headers; libcurl4-openssl-dev pulls libssl-dev in as a dependency, and installing libssl-dev directly is the more precise choice.

- Building pppd

The patch ppp-2.4.4-eaptls-mppe-0.94.patch is obtained separately and placed in the parent directory of the unpacked source.

wget -c ftp://ftp.samba.org/pub/ppp/ppp-2.4.4.tar.gz
tar xvzf ppp-2.4.4.tar.gz
cd ppp-2.4.4/
patch -p1 < ../ppp-2.4.4-eaptls-mppe-0.94.patch
./configure
make
make install
make install-etcppp
debian:/usr/src/pppd-eap/ppp-2.4.4# mv /usr/sbin/pppd /usr/sbin/pppd-real
debian:/usr/src/pppd-eap/ppp-2.4.4# mv /usr/lib/pppd /usr/lib/pppd-real
debian:/usr/src/pppd-eap/ppp-2.4.4# ln -s /usr/local/sbin/pppd /usr/sbin/pppd
debian:/usr/src/pppd-eap/ppp-2.4.4# ln -s /usr/local/lib/pppd /usr/lib/pppd

The last link points /usr/lib/pppd, where pppd looks for its plugins (including the radius plugins loaded from options.l2tpd.lns), at the plugin directory that make install populated under /usr/local/lib/pppd. The original listing had the two arguments the other way round, which only creates a dangling link inside /usr/local/lib/pppd.

- Configuring pppd

cat /etc/ppp/eaptls-server
# Parameters for authentication using EAP-TLS (server)
# client name        (can be *)
# server name        (can be *)
# client certificate file (optional, if unused put '-')
# server certificate file (required)
# CA certificate file (required)
# server private key file (required)
# allowed addresses  (required, can be *)

#client server - /root/cert/server.crt /root/cert/ca.crt /root/cert/server.key 192.168.1.0/24
*      *      - /root/keys/server_cert.pem /root/keys/demoCA/cacert.pem /root/keys/server_priv_key.pem *

The last line is the live entry: any client name, any server name, no separate client certificate file (the client's certificate is taken from the EAP-TLS exchange and verified against the CA certificate), then the server certificate, the CA certificate, the server private key, and any address. In the original listing the key path had a space in place of a slash ("/root/keys server_priv_key.pem"), which splits it into two fields; it is corrected here. Note that these paths point to /root/keys rather than to the /etc/ipsec.d directories the files were copied into above, so either copy them there or adjust the paths. Revocation is not automatic either: the CRL placed in /etc/ipsec.d/crls is only consulted by openswan, which does no certificate checking in this PSK setup, so pppd has to be pointed at the CRL explicitly (README.eap-tls in the patched source tree describes the patch's CRL options).
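The seven-field line in /etc/ppp/eaptls-server is easy to get wrong, and a stray space turns one path into two fields so that pppd reads the wrong file names. The following Python checker is an added example, not part of the article or of the ppp project: it parses the file, reports lines with the wrong field count, relative paths or a malformed address field, and shows which line would apply to a given client name and peer address once '*' wildcards are in play. The matching rules it implements (first matching line wins, '*' matches anything, the address field is '*', a host or a CIDR prefix) are modelled on pppd's chap-secrets conventions and are this example's assumption; the sample lines are constructed, the client name "alice" and the 192.168.20.0/24 network are invented, and one line reproduces the missing slash from the listing above.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample file. Line 3 reproduces the defect in the listing above:
# the space in "/root/keys server_priv_key.pem" makes it an eight-field line.
# Line 4 is the corrected form. "alice" and the network are this example's
# own assumptions; "l2tp" is the name set in options.l2tpd.lns.
SAMPLE_EAPTLS_SERVER = """\
# client server client-cert server-cert ca-cert server-key addresses
alice l2tp - /root/keys/server_cert.pem /root/keys/demoCA/cacert.pem /root/keys/server_priv_key.pem 192.168.20.0/24
*     *    - /root/keys/server_cert.pem /root/keys/demoCA/cacert.pem /root/keys server_priv_key.pem *
*     *    - /root/keys/server_cert.pem /root/keys/demoCA/cacert.pem /root/keys/server_priv_key.pem *
"""

FIELDS = ("client", "server", "client_cert", "server_cert", "ca_cert", "server_key", "addresses")


@dataclass
class Entry:
    client: str
    server: str
    client_cert: str
    server_cert: str
    ca_cert: str
    server_key: str
    addresses: str
    lineno: int


def parse_eaptls_server(text):
    """Parse eaptls-server text into (entries, problems); problems are (lineno, message)."""
    entries, problems = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) != len(FIELDS):
            problems.append((lineno, f"expected {len(FIELDS)} fields, got {len(fields)}"))
            continue
        e = Entry(*fields, lineno=lineno)
        for name in ("server_cert", "ca_cert", "server_key"):
            if not getattr(e, name).startswith("/"):
                problems.append((lineno, f"{name} must be an absolute path, got {getattr(e, name)!r}"))
        if e.client_cert != "-" and not e.client_cert.startswith("/"):
            problems.append((lineno, f"client_cert must be '-' or an absolute path, got {e.client_cert!r}"))
        if e.addresses != "*":
            try:
                ipaddress.ip_network(e.addresses, strict=False)
            except ValueError:
                problems.append((lineno, f"addresses must be '*', a host or a CIDR prefix, got {e.addresses!r}"))
        entries.append(e)
    return entries, problems


def find_entry(entries, client, server, peer_ip):
    """First entry whose client/server names match ('*' matches anything) and
    whose addresses field admits peer_ip; None if no line applies."""
    ip = ipaddress.ip_address(peer_ip)
    for e in entries:
        if e.client not in ("*", client) or e.server not in ("*", server):
            continue
        if e.addresses == "*" or ip in ipaddress.ip_network(e.addresses, strict=False):
            return e
    return None
```

Running parse_eaptls_server() over the sample reports line 3 as an eight-field line and keeps lines 2 and 4; find_entry() then shows that "alice" from 192.168.20.0/24 hits the specific line while any other client falls through to the wildcard line.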
Testing the connection

The configuration of the VPN client running Windows XP SP3 and the connection logs on the server are shown in detail in:

Flash video