Please keep in mind that all usual disclaimers apply:
/usr/local/etc/openssl or /var/openssl. Create the necessary subdirectories and files:
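# Create the CA working tree that the [ CA_default ] section of openssl.conf
# points at (dir = /var/openssl): certs/, crl/, newcerts/ and private/.
mkdir /var/openssl/certs
mkdir /var/openssl/crl
mkdir /var/openssl/newcerts
# The CA private key (private_key = $dir/private/CAkey.pem) is written here,
# so create the directory owner-only instead of with the default umask.
mkdir -m 0700 /var/openssl/private
# Serial number of the first certificate the CA will issue (serial = $dir/serial).
echo "01" > /var/openssl/serial
# Empty certificate database (database = $dir/index.txt), maintained by openssl ca.
touch /var/openssl/index.txt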
# openssl.conf - passed via -config to the openssl req / openssl ca commands
# below.  This default-section RANDFILE is used by openssl req; the
# [ CA_default ] section sets its own RANDFILE under private/.
RANDFILE = /var/openssl/.rand
####################################################################
# Entry point for "openssl ca": names the section holding the CA settings.
[ ca ]
default_ca = CA_default # The default ca section
####################################################################
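[ CA_default ]
dir = /var/openssl # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
new_certs_dir = $dir/newcerts # default place for new certs.
certificate = $dir/private/CAcert.pem # The CA certificate
serial = $dir/serial # The current serial number
# Directory name corrected: the original read $dir/clr, which is never created
# (the setup step makes $dir/crl, and crl_dir above already uses it).
crl = $dir/crl/crl.pem # The current CRL
private_key = $dir/private/CAkey.pem # The private key
RANDFILE = $dir/private/.rand # private random number file
# Left unset, openssl ca issues certificates without any v3 extensions.
#x509_extensions = x509v3_extensions # The extensions to add to the cert
default_days = 365 # how long to certify for
default_crl_days = 30 # how long before next CRL
# sha256 replaces md5: MD5 is collision-prone and must not sign certificates.
# If a client proves unable to validate SHA-256 signatures, sha1 is the fallback.
default_md = sha256 # which md to use.
preserve = no # no: DN fields are reordered to follow the policy section
# A few difference way of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy = policy_match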
# For the CA policy
[ policy_match ]
# How a request's DN must relate to the CA certificate's DN before openssl ca
# signs it: match = must equal the CA's value, supplied = must be present,
# optional = may be present.
countryName = match
stateOrProvinceName = optional
localityName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
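# Settings for "openssl req".  The header and default_bits were fused onto one
# line, which leaves default_bits outside the section; split again here.
[ req ]
# 2048 replaces 1024: 1024-bit RSA keys are below the accepted minimum.
default_bits = 2048
# Only used when -keyout is not given; every req command on this page gives it.
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes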
[ req_distinguished_name ]
# One prompt per DN field, in this order.  <field> is the prompt text,
# <field>_default the value taken when Enter is pressed, <field>_min/_max
# the allowed length.  The same file serves the CA, server and user requests,
# so the commonName default needs overriding at the prompt for the latter two.
countryName = Country Name (2 letter code)
countryName_default = UK
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default =
localityName = Locality Name (eg, city)
localityName_default = Cambridge
organizationName = Organization Name (eg, company)
organizationName_default = IP Access
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default =
commonName = Common Name (eg, YOUR name)
commonName_default = ipaccess.com
commonName_max = 64
emailAddress = Email Address
emailAddress_max = 40
emailAddress_default = root-ca@ipaccess.com
[ req_attributes ]
# Optional attribute prompted for at request time.  Nothing on this page
# consumes it (openssl ca does not use it), so it can be left empty.
challengePassword = A challenge password
challengePassword_min = 4
challengePassword_max = 20
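# Relative paths below (private/..., server-*.pem) are resolved from
# /var/openssl, the "dir" of openssl.conf's [ CA_default ] section.

# 1. Self-signed CA certificate and its passphrase-protected key, written where
#    the "certificate" and "private_key" keys of openssl.conf expect them.
openssl req -new -x509 -keyout /var/openssl/private/CAkey.pem \
-out /var/openssl/private/CAcert.pem -config openssl.conf
# 2. Certificate-only PKCS#12 of the CA cert for import on the clients.
#    -nokeys exports the certificate alone, so no private key enters CA.p12;
#    -inkey now names the real key file (the original pointed it at the cert).
openssl pkcs12 -export -in private/CAcert.pem \
-inkey private/CAkey.pem -nokeys -out CA.p12
# 3. Server key and certificate request.  -days has no effect on a request
#    (only on -x509 self-signed certs); the lifetime is default_days in openssl.conf.
openssl req -new -keyout server-key-encrypted.pem \
-out server.pem -days 360 -config openssl.conf
# 4. Decrypt the server key before it is referenced: racoon loads it without a
#    passphrase prompt (certificate_type in racoon.conf).  The original ran this
#    last, after server-key.pem had already been used.  umask keeps the plaintext
#    key owner-only.
(umask 077; openssl rsa -in server-key-encrypted.pem -out server-key.pem)
# 5. Build the request file and have the CA sign it.  openssl ca reads only the
#    CERTIFICATE REQUEST block; the key is appended purely to keep the page's
#    file layout and must never leave this host with the request.
cat server.pem server-key.pem > server-req.pem
openssl ca -policy policy_match -out server-signed.pem \
-config openssl.conf -infiles server-req.pem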
openssl rsa
line.
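# User key and request (-days is ignored without -x509; the CA's default_days applies).
openssl req -new -keyout user-key.pem -out user.pem \
-days 360 -config openssl.conf
# user-key.pem stays passphrase-protected; openssl ca reads only the request block.
cat user.pem user-key.pem > user-req.pem
openssl ca -policy policy_match -out user-signed.pem \
-config openssl.conf -infiles user-req.pem
# PKCS#12 for the Windows client: signed cert, its key and the CA cert as chain.
# -certfile must name the CA certificate created above, private/CAcert.pem;
# the original's private/CA.pem is never created.  The export password is what
# protects the user's private key inside user.p12, so set a real one.
openssl pkcs12 -export -in user-signed.pem -inkey user-key.pem \
-name "User Name Goes Here" -certfile private/CAcert.pem -out user.p12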
You will also need to copy the certificates to the FreeBSD VPN system and symlink them to their checksums (see section 3.2).
# Kernel configuration options enabling IPsec and ESP.
options IPSEC #IP security
options IPSEC_ESP
/usr/ports/security/racoon
. In most cases a simple
make install
should be enough. It is best to put the config under its own directory such as /usr/local/etc/racoon/. The config is quite simple:
# racoon.conf - IKE daemon configuration.
# Pre-shared key file; not used by the rsasig proposal below, but keep it
# owner-readable only.
path pre_shared_key "/usr/local/etc/racoon/racoon.keys" ;
# Directory searched for the certificate/key files named in certificate_type
# and for the hashed CA certificate symlink.
path certificate "/usr/local/etc/racoon/cert" ;
# debug logs the full negotiation; lower it to notify once the tunnel works.
log debug;
# Retransmission and phase time-outs; these values can be overridden per remote node.
timer
{
# These values can be changed per remote node.
counter 5; # maximum number of retransmissions of one message.
interval 20 sec; # maximum interval between retransmissions.
persend 1; # the number of packets per send.
# time allowed to complete each IKE phase.
phase1 30 sec;
phase2 15 sec;
}
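remote anonymous
{
# main mode alone is normally enough for certificate authentication; aggressive
# and base are kept only because the original offered them - confirm the clients need them.
exchange_mode main, aggressive, base;
# The original also set "my_identifier address 192.168.3.5" just before this line;
# the later asn1dn setting overrides it, and 192.168.3.5 is not the 172.28.1.2 used
# in the setkey policies.  With an x509 certificate the identity is the subject DN.
my_identifier asn1dn;
passive off;
# Files are looked up under "path certificate"; server-key.pem is the decrypted
# key produced by openssl rsa, so keep it mode 0600.
certificate_type x509 "server-signed.pem" "server-key.pem";
# Was off: the peer's certificate was then never checked against the CA placed
# in "path certificate" (the hashed symlink step), so any certificate would do.
verify_cert on;
proposal {
# single DES and MD5 are broken and DH group 1 (768-bit) is too small; 3DES,
# SHA-1 and group 2 (modp1024) are expected to be supported by the IPsec peers
# on this page - confirm before cutting over.
encryption_algorithm 3des;
hash_algorithm sha1;
authentication_method rsasig ;
dh_group 2 ;
}
}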
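sainfo anonymous
{
# single DES dropped: 56-bit keys are brute-forceable.
encryption_algorithm 3des ;
# non_auth dropped: it let the peer negotiate ESP with no integrity check,
# leaving the GRE/PPTP traffic open to undetected modification.
authentication_algorithm hmac_sha1;
compression_algorithm deflate;
}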
ln -s demon.pem `openssl x509 -noout -hash -in demon.pem`.0
/usr/ports/net/poptop
.
FreeBSD by default builds
it with userland ppp which does not support RC4 encryption. Considering
that encryption is delegated to IPSec this is not a problem.
Alternatively there is another VPN daemon and kernel ppp both of which
support RC4 but I have not tested them. At least the kernel ppp with
the RC4 patches
is reported to be unstable. It may also be illegal to use it in some countries.
After building it you need to add the following section to the bsd ppp options file.
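# ppp.conf: labels start in column 0 and every command under a label must be
# indented, otherwise ppp reads each command as a new label.  Indentation
# restored here.
loop:
 set timeout 0
 set log phase chat connect lcp ipcp command
 set device localhost:pptp
 set dial
 set login
 # Server (local) IP address, Range for Clients, and Netmask
 set ifaddr 192.168.20.1 192.168.20.130-192.168.20.254 255.255.255.255
 # Diagnostic/control socket with an empty password: anyone who can open
 # /tmp/loop gets the control prompt, so the 0177 mask restricting the
 # socket to its owner is what keeps it local.
 set server /tmp/loop "" 0177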
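# Commands re-indented under the label (ppp treats unindented lines as labels).
loop-in:
 set timeout 0
 set log phase lcp ipcp command
 allow mode direct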
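# Commands re-indented under the label (ppp treats unindented lines as labels).
pptp:
 load loop
 # CHAP only: PAP would carry the password in clear inside the PPP session.
 enable chap
 disable pap
 # Authenticate against /etc/passwd
 #enable passwdauth
 # The next depends on your routing. Proxy arp is an easy way out
 # enable proxy
 accept dns
 # DNS Servers to assign client
 # set dns 192.168.0.1 192.168.0.2
 # NetBIOS/WINS Servers to assign client
 # set nbns 192.168.0.15 192.168.0.16
 # "!" runs the named program as the device.
 set device !/etc/ppp/secure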
# Load the SPD: every GRE packet and every PPTP control connection (tcp/1723)
# to or from 172.28.1.2 must travel in ESP transport mode; "require" means
# matching packets without protection are dropped rather than passed in clear.
# "setkey -DP" shows the installed entries afterwards.
setkey -c <<'EOF'
spdadd 172.28.1.2 0.0.0.0/0 gre -P out ipsec esp/transport//require;
spdadd 0.0.0.0/0 172.28.1.2 gre -P in ipsec esp/transport//require;
spdadd 172.28.1.2[1723] 0.0.0.0/0 tcp -P out ipsec esp/transport//require;
spdadd 0.0.0.0/0 172.28.1.2[1723] tcp -P in ipsec esp/transport//require;
EOF
Under Certificates, right-click on Trusted Root Certification Authorities. From all actions choose import. Import your certificate authority PKCS#12 certificate here. Check that it is displayed.
Under Certificates, right-click on Personal. From all actions choose import. Import the user PKCS#12 certificate here. Check that it is correctly displayed and that the root authority is known.
Under IP Security policies choose a policy which you are not using. Modify it as follows:
The "require data encryption" field is left blank; you do not need it. This is the RC4 encryption for PPTP, which would be unnecessary overhead when IPsec is protecting the connection.
openssl rsa
in order to decrypt
it.