Our university college
(HiST) is trying to establish an
IPSec tunnel between a FreeRadius server using Openswan
OpenSwan
2.4.12 and a Cisco WLC running 4.2.173.00.
To start the IPSec negotiation we need
RSA-keys at
both ends of the tunnel ( freeradius, WLC
Cisco), or Pre-shared keys (PSK).
Case 1:
On the Freeradius Server we two pairs of keys on the command line
as follows:
- Keypair for the FreeRadius-server:
Freradiushost#
ipsec newhostkey –-hostname “FreeRadius” –output
/etc/ipsec.secrets –bits 1024.
- Keypair for the wlc:
Freradiushost#
ipsec newhostkey –hostname “wlcname”
–output “RSAKeyFileName”
–bits 1024
However, the WLC doesn‘t
accept the RSA keys generated.
The
file produced looks
like this:
:
RSA {
# RSA 1024 bits ”wlcname” etc.
#
for signatures only etc.
#pubkey=xxxxxxx
Modulus: xxxx
PublicExponent:
xxx
#everything after this point is secret
PrivateExponent: xxx
Prime1: xxxx
Prime2: xxxx
Exponent1: xxxx
Exponent2: xxxx
Coefficient:
xxxx
}
We
try to paste the wlc's keys into the web interface under the
menu Security, Advanced, CA Certificate, IPSec Certs.
But, to no avail, the page at ”ip-number of wlc”
says: Error in setting Certificate”.
How
should we generate the RSA keys in OpenSwan in order to get them into the Cisco WLC?
Case
2:
We have also tried to use Pre-shared keys. But alas, the Cisco
WLC doesn’t respond to the request from Freeradius
Server.
How should these PSK's be formed and what settings should be used?
Any configuration examples of IPSEC on the OpenSwan, or generic explanations
would be welcome as well.
Shared Secret Format: ASCII
Shared Secret: <same as on OpenSwan>
Key Wrap: <not used>
Port Number: 1812
Server Status: Enabled
Support for RFC 3576 : Enabled
Server Timeout: 2 seconds
Network User: Enable
Management: Enable
IPSec
Enable
IPsec Parameters
IPSec: HMAC SHA1
IPSEC Encryption: AES CBS
(Shared Secret will be used as the Preshared Key)
IKE Phase 1 Aggressive (tried main as well, with
corresponding settings in OpenSwan)
Lifetime (seconds) 28800
IKE Diffie Hellman Group Group 2 (1024 bits)
Remarks:
I
would like to mention two
tings:
The
path is open between FreeRadius server and WLC Cisco.
The
FreeRadius server was tested with other Linux IPSec tunnels, and this worked
flawlessly.
The
setup of the FreeRadius is changed in each case to correspond with settings on
the WLC.
Looking forward to getting help from you!
P.S.: It seems that IPSEC tunnels vs. WLCs is not what's easy to
get help with; we've contacted several major Norwegian consulting firms with
little or no response.
Regards
Saleh
Abuzid
Dept. engineer, Dept. of servers- and networks,
HiST – Sor-Trondelag University College (www.hist.no)
Phone: ++47 73559672
E-mail:
Saleh.Abuzid@hist.no
Saleh
Abuzid
Gunnerus
gate 1
Høgskolen
i Sør-Trøndlag (HiST)
SPO-IKT
Avdelingsingeniør
tlf:
73559672
E-mail:
Saleh.Abuzid@hist.no