VPN problem...

Joshua Judson Rosen rozzin at geekspace.com
Thu Oct 1 20:54:14 EDT 2009


Ben Scott <dragonhawk at gmail.com> writes:
>
> On Thu, Oct 1, 2009 at 5:50 PM, Hewitt_Tech <hewitt_tech at comcast.net> wrote:
> >>  Any idea what protocols the LinkSys is using?  IPsec?  IKE?  SSL/TLS?
> >>  X.509?
> >
> > It's definitely using IKE.
> 
>   Okay, IPsec with IKE can use PSK or X.509 certificates.  Which one
> is your LinkSys using?
[...]
>   If you want to pursue the certificate+time thing: Does the device
> have the option of letting you load your own certificate and key?  If
> so, you could use OpenSSL's CA support on a Linux box to generate
> certificates for each device, specifying a "Not Before" date of
> 1/1/1900 or whatever the device thinks the date is.
> 
>   One word of warning: If you haven't used the OpenSSL CA stuff
> already, it is extremely cryptic and very poorly documented.  Even by
> Linux standards.  It doesn't help that X.509 is a nightmare, too.  It
> will probably be cheaper to just buy a real VPN box than spend the
> time and effort in figuring it all out -- especially since we're not
> even sure that's the problem.

When I started using X.509 certificates with OpenVPN, I found that the
OpenSSL CA stuff was sufficiently documented in an easy-to-understand
way--just not in the OpenSSL documentation :)

The *OpenVPN* manpage actually provided (and still does) simple
instructions in the style of `this is the command that you need to run
to generate a CA key and certificate, and these are the commands that
you need to run on each system to generate keys and associated
certificates signed by the CA that you just created'.

When I forget how to use OpenSSL, I still refer to the OpenVPN
documentation.

-- 
Don't be afraid to ask (Lf.((Lx.xx) (Lr.f(rr)))).
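The procedure discussed in this thread (a small OpenSSL CA that issues one certificate per device with a chosen "Not Before", so a box whose clock is wrong still sees its own certificate as valid), as an added example that is not part of this list post, the OpenVPN manpage, or any project's code. It assumes constructed values: the device believes the date is 2000-01-01, the CA name and peer names are placeholders, and all CA state lives under a directory passed as the first argument.

```shell
#!/bin/sh
# Constructed values: device clock reads 2000-01-01; CA/peer names are placeholders.
set -eu
# openssl ca takes YYMMDDHHMMSSZ here; a year outside 1950-2049 (the thread's
# 1/1/1900, say) needs the long YYYYMMDDHHMMSSZ form instead.
NOT_BEFORE=000101000000Z  # whatever the device thinks the date is (assumed)
NOT_AFTER=301231235959Z   # must ALSO lie after the real date: the other tunnel end checks it with a correct clock
setup_ca() {  # $1 = working directory; all CA state is kept under it
  dir=$1
  mkdir -p "$dir/newcerts"; : > "$dir/index.txt"; echo 1000 > "$dir/serial"
  cat > "$dir/ca.cnf" <<EOF
[ ca ]
default_ca = vpn_ca
[ vpn_ca ]
new_certs_dir = $dir/newcerts
database = $dir/index.txt
serial = $dir/serial
certificate = $dir/ca.crt
private_key = $dir/ca.key
default_md = sha256
policy = policy_cn
[ policy_cn ]
commonName = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
[ v3_peer ]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth, clientAuth
EOF
  # CA key + CSR, self-signed with 'openssl ca -selfsign' so the CA cert can be backdated too
  openssl req -new -newkey rsa:2048 -nodes -config "$dir/ca.cnf" \
    -keyout "$dir/ca.key" -out "$dir/ca.csr" -subj "/CN=Example VPN CA" 2>/dev/null
  openssl ca -batch -selfsign -notext -config "$dir/ca.cnf" -keyfile "$dir/ca.key" \
    -in "$dir/ca.csr" -out "$dir/ca.crt" -extensions v3_ca \
    -startdate "$NOT_BEFORE" -enddate "$NOT_AFTER" >/dev/null 2>&1
}
issue_peer() {  # $1 = working directory, $2 = peer name (one cert per device)
  dir=$1; name=$2
  openssl req -new -newkey rsa:2048 -nodes -config "$dir/ca.cnf" \
    -keyout "$dir/$name.key" -out "$dir/$name.csr" -subj "/CN=$name" 2>/dev/null
  openssl ca -batch -notext -config "$dir/ca.cnf" -in "$dir/$name.csr" \
    -out "$dir/$name.crt" -extensions v3_peer \
    -startdate "$NOT_BEFORE" -enddate "$NOT_AFTER" >/dev/null 2>&1
}
verify_at() {  # chain check as a peer would do it at clock $3 (epoch seconds); $1 = dir, $2 = peer
  openssl verify -CAfile "$1/ca.crt" -attime "$3" "$1/$2.crt" >/dev/null 2>&1
}
```

Run setup_ca once and issue_peer once per device, then check each certificate with verify_at at both the device's clock and the real date before loading the files; a window that satisfies only the misdated box will be rejected by the correctly dated peer at the other end.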