The following are command examples that may be used to create secrets for the VPN connection.
It is assumed that these commands are typed on the server on which the VPN daemon will be installed.
First, create a root certification authority. This will be used to sign the VPN and client certificates. The certificate itself is self-signed, but it could be signed by a trusted CA (this case is not documented here).
# Work in /etc/ipsec.d cd /etc/ipsec.d # Create a 4096 bit private key ipsec pki --gen --type rsa --size 4096 --outform pem > private/rootca.pem chmod 600 private/rootca.pem # Create a 10 year certificate ipsec pki --self --ca --lifetime 3650 --in private/rootca.pem --type rsa --dn "C=FR, O=Kerlink, CN=Kerlink Root CA" --outform pem >cacerts/rootca.pem
Then, create a certificate and private key that will be used by the VPN server:
# Create a 2048 bit VPN private key ipsec pki --gen --type rsa --size 2048 --outform pem >private/vpnkey.pem chmod 600 private/vpnkey.pem # Create a 2 year VPN certificate ipsec pki --pub --in private/vpnkey.pem --type rsa \ | ipsec pki --issue --lifetime 730 --cacert cacerts/rootca.pem --cakey private/rootca.pem --dn "C=FR, O=Kerlink, CN=vpn.hostname.tld" --flag serverAuth --flag ikeIntermediate --outform pem >certs/vpncert.pem
Still, on the server, create client secrets (certificate and private key). This step has to be repeated for each client that will connect to the VPN.
# Create a 2048 bit client private key ipsec pki --gen --type rsa --size 2048 --outform pem >private/ibts_060434.pem chmod 600 private/ibts_060434.pem # Create a 2 year client certificate ipsec pki --pub --in private/ibts_060434.pem --type rsa \ | ipsec pki --issue --lifetime 730 --cacert cacerts/rootca.pem --cakey private/rootca.pem --dn "C=FR, O=Kerlink, CN=klk-lpbs-060434" --outform pem > certs/ibts_060434.pem
The Wirnet iBTS and iFemtoCell use the secrets in a PKCS#12 encoded file. To generate one .p12
file from the generated certificates/keys:
openssl pkcs12 -export -inkey private/ibts_060434.pem -in certs/ibts_060434.pem -name "iBTS 0x2e060434" -certfile cacerts/rootca.pem -caname "Kerlink root CA" -out ibts_060434.p12 Enter Export Password: Verifying - Enter Export Password:
The password will have to be entered in the client configuration file (the one that is ciphered, see Setting up the VPN client).
EasyRSA can be used to quickly generate secrets for the VPN server.
It is advised to have a PKCS#12 file containing the server certificate, the CA certificate, and the server private key. This will be referenced in the pkcs12 <file>
directive of the server configuration file.
A DH file has to be generated with
openssl dhparam -out dh2048.pem 2048
Next step is VPN server configuration.