Zunaechst habe ich keine Ahnung in welchen Forenbereich das hier gehoert und ob es ueberhaupt von Interesse ist. Jedenfalls habe ich ein kleines Shell Skript geschrieben das eine Certificate Authority erstellt und fuer die gewuenschte Anzahl an Clients Zertifikate erstellt.
Der einfachste Aufruf sieht so aus:
./certify createAll ip1 ip2 ip3 ...
in der isakmpd.policy muss Licensees auf den distinguished name der CA gesetzt werden
Hier noch ein paar Hinweise, die allerdings nicht auf die Konfiguration der isakmpd.conf und isakmpd.policy eingehen:
1) place the "certify" script on a live cd system or one that is permanently
disconnected from network access
2) run certify e.g.:
certify createAll 192.168.1.11 192.168.1.12 192.168.1.13
This will create a Root Certificate Authority and a custom amount of client
certificates. The files created:
ca.key
ca.crt
192.168.1.11.key
192.168.1.11.crt
192.168.1.12.key
192.168.1.12.crt
192.168.1.13.key
192.168.1.14.crt
3) Distribute the files using a secure medium
Each VPN Server needs its private key, its certificate, the CA that
signed its certificate and the configuration files isakmpd.conf and
isakmpd.policy.
file | rights | directory
---------------|--------|---------------
ca.crt | 444 | /etc/isakmpd/ca/
a.b.c.d.crt | 444 | /etc/isakmpd/cert/
local.key | 400 | /etc/isakmpd/private/
isakmpd.conf | 400 | /etc/isakmpd/
isakmpd.policy | 400 | /etc/isakmpd/
For the more paranoid persons out there - you don't have to create server keys
centralized. It's perfectly valid to create the server keys aswell as the
signing requests on each server, transport latter to the CA and finally
distribute the certificates among the servers.
4) Enable forwarding
sysctl net.inet.ip.forwarding=1
sysctl net.inet6.ip6.forwarding=1
5) Enable pf to restrict traffic to those directed over the VPN
pfctl -ef /etc/pf.conf
6) start the vpn
isakmpd
Eine passende isakmpd.conf koennte so aussehen:
isakmpd.conf
isakmpd.policy
Anmerkungen, Verbesserungen und Fragen sind willkommen.
Der einfachste Aufruf sieht so aus:
./certify createAll ip1 ip2 ip3 ...
in der isakmpd.policy muss Licensees auf den distinguished name der CA gesetzt werden
Hier noch ein paar Hinweise, die allerdings nicht auf die Konfiguration der isakmpd.conf und isakmpd.policy eingehen:
1) place the "certify" script on a live cd system or one that is permanently
disconnected from network access
2) run certify e.g.:
certify createAll 192.168.1.11 192.168.1.12 192.168.1.13
This will create a Root Certificate Authority and a custom amount of client
certificates. The files created:
ca.key
ca.crt
192.168.1.11.key
192.168.1.11.crt
192.168.1.12.key
192.168.1.12.crt
192.168.1.13.key
192.168.1.14.crt
3) Distribute the files using a secure medium
Each VPN Server needs its private key, its certificate, the CA that
signed its certificate and the configuration files isakmpd.conf and
isakmpd.policy.
file | rights | directory
---------------|--------|---------------
ca.crt | 444 | /etc/isakmpd/ca/
a.b.c.d.crt | 444 | /etc/isakmpd/cert/
local.key | 400 | /etc/isakmpd/private/
isakmpd.conf | 400 | /etc/isakmpd/
isakmpd.policy | 400 | /etc/isakmpd/
For the more paranoid persons out there - you don't have to create server keys
centralized. It's perfectly valid to create the server keys aswell as the
signing requests on each server, transport latter to the CA and finally
distribute the certificates among the servers.
4) Enable forwarding
sysctl net.inet.ip.forwarding=1
sysctl net.inet6.ip6.forwarding=1
5) Enable pf to restrict traffic to those directed over the VPN
pfctl -ef /etc/pf.conf
6) start the vpn
isakmpd
Eine passende isakmpd.conf koennte so aussehen:
isakmpd.conf
isakmpd.policy
Anmerkungen, Verbesserungen und Fragen sind willkommen.