“main” (Installation and Administration) — 2004/6/25 — 13:29 — page 634 — #660
Creating Server Certificates
Create the server certificate with the YaST CA Management module (see Section 26.1.2 on page 627). Then save the certificate together with the key and all participating CAs in a PKCS12 file (see Section 26.1.2 on page 631).
Note: If certificates should be created for IPsec applications with Windows XP, client certificates must be used. The “KeyUsage” extension there contains the values expected by Windows.
Importing a Server Certificate on the Server
Start the ‘VPN’ YaST module on the server in the YaST control center under ‘Security and Users’. In the overview, shown in Figure 26.5 on the facing page, click ‘Certificates’ ➝ ‘Import’ then select your saved PKCS12 file. Enter the PKCS12 password for the import. After this, the certificate is displayed in the certificate list. Clicking ‘Next’ returns to the overview.
Note: You should not use the general server certificate of the YaST CA Management module here because IPsec manages its own certificates.
Setting up a VPN Connection
Another connection must be set up to ensure that the certificate can be used for IPsec. In the overview (Figure 26.5 on the next page), click ‘Connections’ then select ‘Add’ in the connection overview. After you have selected ‘Road Warrior Server’, a configuration is created that accepts connections from any client if it has a valid certificate signed by the CA.
Select the connection settings in the next dialog (Figure 26.6 on page 636). Enter your own IP address in ‘Local IP Address’. In the case of Internet dial-up access, this is not usually known prior to the dial-up. However, in the case of Internet access, there is usually a default route. The %defaultroute setting instructs the server to use the interface to which the default route points.
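As an added example (not from the manual and not what the YaST module writes verbatim), this is the kind of FreeS/WAN-style /etc/ipsec.conf fragment that corresponds to such a ‘Road Warrior Server’ connection; the certificate file name and the CA distinguished name are assumed values, and the file assumes the X.509 certificate support SUSE ships with.

```ini
# Added example, not taken from the manual. Values marked "assumed" are placeholders.
config setup
        interfaces=%defaultroute      # bind IPsec to the interface the default route points to

conn roadwarrior
        left=%defaultroute            # own address is taken from the default route (dial-up case)
        leftcert=serverCert.pem       # server certificate from the imported PKCS12 file (assumed name)
        leftrsasigkey=%cert           # the public key is read from that certificate
        right=%any                    # accept connections from any client address...
        rightrsasigkey=%cert          # ...that authenticates with its own certificate...
        rightca="C=DE, O=Example, CN=Example CA"   # ...signed by this CA (assumed DN)
        authby=rsasig                 # certificate-based (RSA signature) authentication only
        auto=add                      # load at startup and wait for the client to initiate
```

A client whose certificate is not signed by the CA named in `rightca` fails the IKE authentication and gets no tunnel, which is the policy the manual describes for the road warrior server.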
634 26.2. VPN with SUSE LINUX