Installation and Administration, 2004/6/25, page 638
Manual Client Configuration
If the client computer does not have a YaST VPN module, import the certificates manually:
1. Copy the client certificate to /etc/ipsec.d/certs.
2. Copy the CA certificate to /etc/ipsec.d/cacerts.
3. Copy the key to /etc/ipsec.d/private. Only the root user
should have access to this file. Adjust the permissions accordingly.
4. Enter the password for the key in /etc/ipsec.secrets. This file
should also only be accessible as root.
The openssl command line program can be used to extract the certificate
from the PKCS12 file:
openssl pkcs12 -clcerts -nokeys -in DATEI.p12 -out \
/etc/ipsec.d/certs/cert_01.pem
The same applies to the CA certificate:
openssl pkcs12 -cacerts -nokeys -in DATEI.p12 -out \
/etc/ipsec.d/cacerts/cacert_01.pem
and also to the keys:
openssl pkcs12 -nocerts -nodes -in USER.p12 -out \
/etc/ipsec.d/private/key_01.pem
chmod 600 /etc/ipsec.d/private/key_01.pem
The -nodes option stores the key without a password. This is acceptable here because the file is readable only by root. FreeS/WAN also needs an entry in /etc/ipsec.secrets before it recognizes the key. Add it with:
echo ': RSA /etc/ipsec.d/private/key_01.pem ""' \
>> /etc/ipsec.secrets
chmod 600 /etc/ipsec.secrets
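As an added example that is not part of the manual, the following POSIX shell script carries out the four manual steps above against an arbitrary install root, so it can be exercised in a temporary directory before being run as root against the real /etc, and then audits that the key and ipsec.secrets are not readable by group or others. It assumes the openssl command line tool and passes the PKCS12 password non-interactively with -passin rather than at the prompt; the target file names cert_01.pem, cacert_01.pem and key_01.pem are the manual's, the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the SUSE manual: scripted form of the manual
# client configuration steps, parameterised by an install root (ROOT) so it
# can be run against a temporary directory instead of the real /etc.
# Assumption: the openssl CLI is available and the PKCS12 password is given
# non-interactively via -passin (the manual's commands prompt for it).

# install_from_p12 FILE.p12 PASSWORD ROOT
# Extracts the client certificate, CA certificate and unencrypted key into
# ROOT/etc/ipsec.d/{certs,cacerts,private}, sets permissions and appends the
# FreeS/WAN secrets entry to ROOT/etc/ipsec.secrets. Runs in a subshell so the
# restrictive umask does not leak into the caller.
install_from_p12() (
    p12=$1; pass=$2; root=$3
    mkdir -p "$root/etc/ipsec.d/certs" "$root/etc/ipsec.d/cacerts" \
             "$root/etc/ipsec.d/private"
    umask 077   # key and secrets file are root-only from the first byte
    openssl pkcs12 -clcerts -nokeys -in "$p12" -passin "pass:$pass" \
        -out "$root/etc/ipsec.d/certs/cert_01.pem" || exit 1
    openssl pkcs12 -cacerts -nokeys -in "$p12" -passin "pass:$pass" \
        -out "$root/etc/ipsec.d/cacerts/cacert_01.pem" || exit 1
    openssl pkcs12 -nocerts -nodes -in "$p12" -passin "pass:$pass" \
        -out "$root/etc/ipsec.d/private/key_01.pem" || exit 1
    # Certificates are public; the key stays 0600 as the manual requires.
    chmod 644 "$root/etc/ipsec.d/certs/cert_01.pem" \
              "$root/etc/ipsec.d/cacerts/cacert_01.pem"
    chmod 600 "$root/etc/ipsec.d/private/key_01.pem"
    # Empty passphrase field because -nodes left the key unencrypted.
    echo ': RSA '"$root"'/etc/ipsec.d/private/key_01.pem ""' \
        >> "$root/etc/ipsec.secrets"
    chmod 600 "$root/etc/ipsec.secrets"
)

# audit_ipsec_perms ROOT
# Prints every private file under ROOT that is readable, writable or
# executable by group or others and returns 1 if any was found, else 0.
# Reads the mode from "ls -l" so it works without GNU stat.
audit_ipsec_perms() {
    root=$1; bad=0
    for f in "$root/etc/ipsec.secrets" "$root"/etc/ipsec.d/private/*; do
        [ -f "$f" ] || continue
        mode=$(ls -ld "$f" | cut -c5-10)   # group and other permission bits
        if [ "$mode" != "------" ]; then
            echo "insecure permissions ($mode) on $f"
            bad=1
        fi
    done
    return $bad
}

# Stand-alone usage: sh thisscript.sh USER.p12 PASSWORD [ROOT]
if [ "${1:-}" ]; then
    install_from_p12 "$1" "${2:?password}" "${3:-}" && audit_ipsec_perms "${3:-}"
fi
```

Run it with an empty ROOT (as root) to populate the real /etc/ipsec.d, or with a scratch directory first to inspect the extracted files; audit_ipsec_perms on its own is a quick check to repeat after any later edit of the key directory or of /etc/ipsec.secrets.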
638 26.2. VPN with SUSE LINUX