------------------------------------------------------------
Martin Portmann Phone +41-41-7832720
infinitum AG, Switzerland Fax +41-41-7832721
Software Solutions www.infinitum.ch
"Time is the best teacher, unfortunately it kills all its
students"
On Thu, 5 Oct 2000, Martin Portmann wrote:
>
> Does anybody have experience with OpenBSD 2.7 (or 2.8beta) and
> PGPnet (as mobile user or any other Windoze IPSec client
> that can do tunnel mode) using X.509 certificates? Any help
> is appreciated ...
>
<--( SNIP )-->
Helu,
Shared key authentication works well, but isn't scalable. I found that
X.509 was impossible because of the way they want you to import
certificates in the client software.
It seems that if you sign your own certificates with your own local CA
key, and then copy the client certificate to the machine with the VPN
client on it, and then import the certificate onto your keyring.. it will
not recognize it as a valid certificate ( i.e. once it's on your keyring,
you go to choose X.509 authentication with PGPNet and it says that you
don't have a certificate to choose from ).
It wants you to use a commercial CA, or at least hack some sort of
web-based retrieval for it ( so Entrust, Baltimore, VeriSign
OnSite.. etc.. those work ).
In short, it's f**king ANNOYING, and the machinations you have to set
forth seem not to be worth the effort.
I didn't have time to muck with setting up something for it to recognize
as a valid CA Server/retrieval mechanism.
If anyone has had the time to look further into this matter and sort out
the issues, please post them to the list. Also if anyone has had no
problems with at least one VPN client with X.509 authentication, please
share your experience.
Thanks,
-- Craig
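The workflow Craig describes (sign a client certificate with your own local CA key, hand the client certificate to the VPN client) depends on the verifying side holding the CA certificate as a trusted root, not just the leaf. The following is an added example, not code from this thread or from PGPnet, that builds that setup in memory with Go's standard crypto/x509 package and runs the one check a practitioner would want: does the client certificate chain to the local CA when the CA is trusted, and does it fail when only the leaf is present? The CA and client names are hypothetical placeholders.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// LocalPKI holds a self-signed local CA and one client certificate it issued.
// Everything is constructed in memory for the example; nothing touches disk.
type LocalPKI struct {
	CA     *x509.Certificate
	Client *x509.Certificate
}

// NewLocalPKI creates a self-signed CA (the "own local CA key" from the post)
// and signs one client certificate with it, marked for client authentication.
func NewLocalPKI() (*LocalPKI, error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Local VPN CA"}, // hypothetical name
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	// Self-signed: template and parent are the same certificate.
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	caCert, err := x509.ParseCertificate(caDER)
	if err != nil {
		return nil, err
	}

	clientKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	clientTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "mobile-user@example.invalid"}, // hypothetical name
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(90 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	// Issued by the local CA: parent is caCert, signed with caKey.
	clientDER, err := x509.CreateCertificate(rand.Reader, clientTmpl, caCert, &clientKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	clientCert, err := x509.ParseCertificate(clientDER)
	if err != nil {
		return nil, err
	}
	return &LocalPKI{CA: caCert, Client: clientCert}, nil
}

// VerifyWith checks whether the client certificate chains to a trusted root.
// trustCA=true models a verifier that has the local CA installed as a root;
// trustCA=false models a verifier that only ever received the leaf certificate.
// An empty, non-nil pool deliberately excludes the system roots.
func (p *LocalPKI) VerifyWith(trustCA bool) error {
	roots := x509.NewCertPool()
	if trustCA {
		roots.AddCert(p.CA)
	}
	_, err := p.Client.Verify(x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err
}

func main() {
	p, err := NewLocalPKI()
	if err != nil {
		panic(err)
	}
	fmt.Println("with local CA trusted:   ", p.VerifyWith(true))  // <nil>
	fmt.Println("with only the leaf known:", p.VerifyWith(false)) // x509: certificate signed by unknown authority
}
```

The second result is what a chain check reports whenever the verifier lacks the issuing CA as a trusted root; that is a general X.509 requirement, and whether it is what PGPnet was tripping over is not something this thread settles.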