IPSec tunnel from FreeRadius to WLC Cisco
Saleh Abuzid
Saleh.Abuzid at hist.no
Wed May 13 15:12:03 CEST 2009
Our university college (HiST) is trying to establish an IPSec tunnel between a FreeRadius server using Openswan 2.4.12 and a Cisco WLC running 4.2.173.00.
To start the IPSec negotiation we need RSA-keys at both ends of the tunnel ( freeradius, WLC Cisco), or Pre-shared keys (PSK).
Case 1:
On the Freeradius Server we generate two pairs of keys on the command line as follows:
- Keypair for the FreeRadius-server:
Freradiushost# ipsec newhostkey --hostname "FreeRadius" --output /etc/ipsec.secrets --bits 1024
- Keypair for the wlc:
Freradiushost# ipsec newhostkey --hostname "wlcname" --output "RSAKeyFileName" --bits 1024
However, the WLC doesn't accept the RSA keys generated.
The file produced looks like this:
: RSA {
# RSA 1024 bits "wlcname" etc.
# for signatures only etc.
#pubkey=xxxxxxx
Modulus: xxxx
PublicExponent: xxx
#everything after this point is secret
PrivateExponent: xxx
Prime1: xxxx
Prime2: xxxx
Exponent1: xxxx
Exponent2: xxxx
Coefficient: xxxx
}
We try to paste the wlc's keys into the web interface under the menu Security, Advanced, CA Certificate, IPSec Certs.
But, to no avail, the page at "ip-number of wlc" says: "Error in setting Certificate".
How should we generate the RSA keys in OpenSwan in order to get them into the Cisco WLC?
Case 2:
We have also tried to use Pre-shared keys. But alas, the Cisco WLC doesn't respond to the request from Freeradius Server.
How should these PSKs be formed and what settings should be used? Any configuration examples of IPSEC on the OpenSwan, or generic explanations would be welcome as well.
Shared Secret Format: ASCII
Shared Secret: <same as on OpenSwan>
Key Wrap: <not used>
Port Number: 1812
Server Status: Enabled
Support for RFC 3576 : Enabled
Server Timeout: 2 seconds
Network User: Enable
Management: Enable
IPSec Enable
IPsec Parameters
IPSec: HMAC SHA1
IPSEC Encryption: AES CBS
(Shared Secret will be used as the Preshared Key)
IKE Phase 1 Aggressive (tried main as well, with corresponding settings in OpenSwan)
Lifetime (seconds) 28800
IKE Diffie Hellman Group Group 2 (1024 bits)
Remarks:
I would like to mention two things:
The path is open between FreeRadius server and WLC Cisco.
The FreeRadius server was tested with other Linux IPSec tunnels, and this worked flawlessly.
The setup of the FreeRadius is changed in each case to correspond with settings on the WLC.
Looking forward to getting help from you!
P.S.: It seems that IPSEC tunnels vs. WLCs is not what's easy to get help with; we've contacted several major Norwegian consulting firms with little or no response.
Regards
Saleh Abuzid
Dept. engineer, Dept. of servers- and networks,
HiST - Sor-Trondelag University College (www.hist.no)
Phone: ++47 73559672
E-mail: Saleh.Abuzid at hist.no
Saleh Abuzid
Gunnerus gate 1
Høgskolen i Sør-Trøndlag (HiST)
SPO-IKT
Department engineer
Phone: 73559672
E-mail: Saleh.Abuzid at hist.no
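The `: RSA { ... }` block shown in Case 1 is the layout Openswan's `ipsec newhostkey` writes into ipsec.secrets. Before pasting such material into another device it is worth checking that the fields are mutually consistent and seeing what the public half looks like in a standard encoding. The script below is an added example and is not part of the post or of Openswan; it assumes the field values are written as hex with a `0x` prefix (decimal is also accepted), and the embedded key is a constructed textbook-sized key (p=61, q=53, e=17), not a real host key.

```python
"""Parse an Openswan-style ': RSA { ... }' block from ipsec.secrets,
sanity-check the key components and emit the public half as PKCS#1 PEM."""
import base64
import re

# Constructed sample in the layout of `ipsec newhostkey` output.
# Tiny textbook values (p=61, q=53, e=17); NOT a usable host key.
SAMPLE_SECRETS = """\
: RSA {
    # RSA 12 bits "wlcname"
    # for signatures only, UNSAFE FOR ENCRYPTION
    #pubkey=<omitted>
    Modulus: 0x0ca1
    PublicExponent: 0x11
    # everything after this point is secret
    PrivateExponent: 0x0ac1
    Prime1: 0x3d
    Prime2: 0x35
    Exponent1: 0x35
    Exponent2: 0x31
    Coefficient: 0x26
    }
"""

FIELDS = ("Modulus", "PublicExponent", "PrivateExponent", "Prime1",
          "Prime2", "Exponent1", "Exponent2", "Coefficient")
_FIELD_RE = re.compile(r"^\s*(\w+):\s*(0x[0-9a-fA-F]+|\d+)\s*$")


def parse_openswan_rsa(text):
    """Return a dict of the named RSA fields; '#' lines and the ': RSA {'
    header carry no field and are skipped."""
    key = {}
    for line in text.splitlines():
        if line.strip().startswith("#"):
            continue
        m = _FIELD_RE.match(line)
        if m and m.group(1) in FIELDS:
            key[m.group(1)] = int(m.group(2), 0)   # base 0: 0x.. or decimal
    missing = [f for f in FIELDS if f not in key]
    if missing:
        raise ValueError("missing fields: %s" % ", ".join(missing))
    return key


def check_key(key):
    """Return a list of inconsistencies (empty list means the CRT
    components agree with the modulus and exponents)."""
    n, e, d = key["Modulus"], key["PublicExponent"], key["PrivateExponent"]
    p, q = key["Prime1"], key["Prime2"]
    problems = []
    if p * q != n:
        problems.append("Modulus != Prime1 * Prime2")
    if (e * d - 1) % ((p - 1) * (q - 1)) != 0:
        problems.append("PublicExponent * PrivateExponent != 1 mod phi(n)")
    if key["Exponent1"] != d % (p - 1):
        problems.append("Exponent1 != PrivateExponent mod (Prime1 - 1)")
    if key["Exponent2"] != d % (q - 1):
        problems.append("Exponent2 != PrivateExponent mod (Prime2 - 1)")
    if (key["Coefficient"] * q) % p != 1:
        problems.append("Coefficient != Prime2^-1 mod Prime1")
    return problems


def modulus_bits(key):
    """Key size as devices usually report it (bit length of the modulus)."""
    return key["Modulus"].bit_length()


def _der_len(length):
    if length < 0x80:
        return bytes([length])
    raw = length.to_bytes((length.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw


def _der_int(value):
    raw = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if raw[0] & 0x80:          # keep the INTEGER positive
        raw = b"\x00" + raw
    return b"\x02" + _der_len(len(raw)) + raw


def public_key_pem(key):
    """PKCS#1 RSAPublicKey ::= SEQUENCE { modulus, publicExponent } as PEM."""
    body = _der_int(key["Modulus"]) + _der_int(key["PublicExponent"])
    der = b"\x30" + _der_len(len(body)) + body
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN RSA PUBLIC KEY-----\n%s\n-----END RSA PUBLIC KEY-----\n" % "\n".join(lines)


if __name__ == "__main__":
    k = parse_openswan_rsa(SAMPLE_SECRETS)
    print("modulus bits:", modulus_bits(k))
    print("problems:", check_key(k) or "none")
    print(public_key_pem(k))
```

The checks mirror the relationships a PKCS#1 private key must satisfy, so a key that fails them was corrupted (for instance by a copy-and-paste that dropped characters) before it ever reached the peer; the PEM output only covers the public half, which is the part a peer needs for RSA-signature authentication.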