This font and colour is to indicate screen output
This font indicates information typed by the user 
This font and colour represents data within files, either edited or produced
This is a comment

Creating a .p12 certificate

You've already got your key pair from following this document and they are named host.public.pem and host.private.key respectably

You now need to create a .p12 file (thats 12 as in "twelve", not an "L"). To do this, run the command :
• openssl pkcs12 -export -in host.public.pem -inkey host.private.key -certfile demoCA/cacert.pem -out host.p12
  That will produce a binary file.
• Run the command and make note out the output:
  openssl x509 -in demoCA/cacert.pem -noout -subject
• I redirect the output to a file and copy that along with the keys, like so:
  openssl x509 -in demoCA/cacert.pem -noout -subject > key.info

  If you look, that will have given you a line that looks like :
  subject= /C=Au/ST=WA/L=Perth/O=UWA/OU=CS/CN=Fred/Email=fred@cs.uwa.edu.au

Installing IP Sec on Windows 2000

Most of this is stolen from http://www.natecarlson.com/include/showpage.php?cat=linux&page=ipsec-x509

Assumes:
• IPsec is configured and working on one end of the tunnel
• That machine has the public key
• You have Admin privlidges

Need the following files:
• IPsec executable (From Marcus Muller - http://vpn.ebootis.de)
• IPSecPol - from the 2000 resource kit or download it from http://www.microsoft.com/windows2000/techinfo/reskit/tools/existing/ipsecpol-o.asp
• Public and private key pair as well as the file in the .p12 format

Create a IPSEC + Certificates MMC

• Start/Run/MMC
• File (or Console) - Add/Remove Snap-in
• Click on 'Add'
• Click on 'Certificates', then 'Add'
• Select 'Computer Account', and 'Next'.
• Select 'Local computer', and 'Finish'.
• Click on 'IP Security Policy Management', and 'Add'.
• Select 'Local Computer', and 'Finish'
• Click 'Close' then 'OK'

Add the certificate

• Click the plus arrow by 'Certificates (Local Computer)'
• Right-click 'Personal', and click 'All Tasks' then 'Import'
• Click Next
• Type in the path to the .p12 file (or browse and select the file), and click 'Next'
• Type the export password, and click Next
• Select 'Automatically select the certificate store based on the type of certificate', and click Next
• Click Finish, and say yes to any prompts that pop up
• Exit the MMC, and save it as a file so you don't have to re-add the Snap Ins each time

Next, create/edit the configuration file ipsec.conf :

conn %default
	dial=

conn acer
	left=%any
	right=192.168.68.1
	rightca="C=AU, S=WA, L=Perth, O=UWA, OU=CS, CN=wireless, Email=wireless@cs.uwa.edu.au"
	rightsubnet=*
	network=auto
	auto=start
	pfs=yes

The rightca field is the information produced from :

openssl x509 -in demoCA/cacert.pem -noout -subject

subject= /C=Au/ST=WA/L=Perth/O=UWA/OU=CS/CN=Fred/Email=fred@cs.uwa.edu.au

rightca="C=Au, S=WA, L=Perth, O=UWA, OU=CS, CN=Fred, Email=fred@cs.uwa.edu.au"

The IP in the right= field is the IP address of the other side of the tunnel. In our case it is our gateway.

Once that is up, you can start the tunnel by typing "ipsec" and you should see something like the following:

C:\Temp\ipsec>ipsec IPSec Version 2.1.4 (c) 2001,2002 Marcus Mueller Getting running Config ... Microsoft's Windows 2000 identified Host name is: acer No RAS connections found. LAN IP address: 192.168.68.80 Setting up IPSec ... Deactivating old policy... Removing old policy... Connection acer: MyTunnel : 192.168.68.80 MyNet : 192.168.68.80/255.255.255.255 PartnerTunnel: 192.168.68.1 PartnerNet : * CA (ID) : C=AU, S=WA, L=Perth, O=UWA, OU=CS, CN=Fred, Em... PFS : y Auto : start Auth.Mode : MD5 Rekeying : 3600S/50000K Activating policy...

If you then try to ping across the link, you should be told "Negotiating IP security" a few times, then it will start to work

To check the link status, you can use "IPSecmon" command to look at current security associations. You should see something like:

---

Back to Top

Questions?