Comments on: Configuring an IPsec tunnel with Openswan and l2tpd http://www.natecarlson.com/2006/07/10/configuring-an-ipsec-tunnel-with-openswan-and-l2tpd/ All geek, most of the time Wed, 08 Feb 2012 15:03:29 +0000 hourly 1 http://wordpress.org/?v=3.3.1 By: VPN for security http://www.natecarlson.com/2006/07/10/configuring-an-ipsec-tunnel-with-openswan-and-l2tpd/comment-page-1/#comment-312369 VPN for security Tue, 12 Apr 2011 19:36:12 +0000 http://www.natecarlson.com/?p=299#comment-312369 [...] systems, and so I will link to a fairly generic installation that will be based on Debian Sarge: Configuring an IPsec tunnel with Openswan and l2tpd Configuring an IPsec tunnel with Openswan and l2tpd Client-side, if you are using Windows then [...] [...] systems, and so I will link to a fairly generic installation that will be based on Debian Sarge: Configuring an IPsec tunnel with Openswan and l2tpd Configuring an IPsec tunnel with Openswan and l2tpd Client-side, if you are using Windows then [...]

]]> By: Philipp http://www.natecarlson.com/2006/07/10/configuring-an-ipsec-tunnel-with-openswan-and-l2tpd/comment-page-1/#comment-312230 Philipp Wed, 22 Dec 2010 18:21:04 +0000 http://www.natecarlson.com/?p=299#comment-312230 Thank you for helpful article! Some observations: 1) If you have "error while loading CRL number" with crl.pem - you need to run this: $ echo "01" > ./demoCA/crlnumber $ openssl ca -gencrl -out crl.pem If you already generated other certificates with empty crl.pem - remove them and generate again. 2) If you have problem with converting certificates for using in Windows with Openssl module pkcs12, try this: You have following files in work directory: newcert.pem newreq.pem newkey.pem crl.pem and demoCA/cacert.pem. In compliance with the article, newcert.pem renamed to host.example.com.pem and newreq.pem to host.example.com.key. This command: $ openssl pkcs12 -export -in winhost.example.com.pem -inkey winhost.example.com.key -certfile demoCA/cacert.pem -out winhost.example.com.p12 does not work because it uses request file in -inkey option. Try this: $ openssl pkcs12 -export -in newcert.pem -inkey newkey.pem -certfile demoCA/cacert.pem -out winhost.p12 Thank you for helpful article!
Some observations:
1) If you have “error while loading CRL number” with crl.pem – you need to run this:

$ echo “01″ > ./demoCA/crlnumber
$ openssl ca -gencrl -out crl.pem
If you already generated other certificates with empty crl.pem – remove them and generate again.

2) If you have problem with converting certificates for using in Windows with Openssl module pkcs12, try this:
You have following files in work directory: newcert.pem newreq.pem newkey.pem crl.pem and demoCA/cacert.pem.
In compliance with the article, newcert.pem renamed to host.example.com.pem and newreq.pem to host.example.com.key.
This command:
$ openssl pkcs12 -export -in winhost.example.com.pem -inkey winhost.example.com.key -certfile demoCA/cacert.pem -out winhost.example.com.p12
does not work because it uses request file in -inkey option. Try this:
$ openssl pkcs12 -export -in newcert.pem -inkey newkey.pem -certfile demoCA/cacert.pem -out winhost.p12

]]> By: JML http://www.natecarlson.com/2006/07/10/configuring-an-ipsec-tunnel-with-openswan-and-l2tpd/comment-page-1/#comment-312226 JML Thu, 16 Dec 2010 21:00:41 +0000 http://www.natecarlson.com/?p=299#comment-312226 I think debian openssl makes a newkey.pem instead of overwriting newreq.pem as a key, so you should try using -inkey newkey.pem in your command. You will know this is what happened if you have newkey.pem in the working directory and when you cat your winhost.example.com.key file it starts with NEW CERTIFICATE REQUEST or similar instead of BEGIN PRIVATE KEY (these are a paraphrases). At least that is what happened to me. I think debian openssl makes a newkey.pem instead of overwriting newreq.pem as a key, so you should try using -inkey newkey.pem in your command. You will know this is what happened if you have newkey.pem in the working directory and when you cat your winhost.example.com.key file it starts with NEW CERTIFICATE REQUEST or similar instead of BEGIN PRIVATE KEY (these are a paraphrases).

At least that is what happened to me.

]]> By: Pinko P http://www.natecarlson.com/2006/07/10/configuring-an-ipsec-tunnel-with-openswan-and-l2tpd/comment-page-1/#comment-311915 Pinko P Thu, 27 May 2010 12:01:54 +0000 http://www.natecarlson.com/?p=299#comment-311915 I followed your guide and when I try convert it to a p12 format: $ openssl pkcs12 -export -in winhost.example.com.pem -inkey winhost.example.com.key -certfile demoCA/cacert.pem -out winhost.example.com.p12 I receive this error: "unable to load private key" Any sugestions? I followed your guide and when I try convert it to a p12 format:
$ openssl pkcs12 -export -in winhost.example.com.pem -inkey winhost.example.com.key -certfile demoCA/cacert.pem -out winhost.example.com.p12
I receive this error: “unable to load private key”

Any sugestions?

]]>