EAP in PPTP?

    I am trying to configure a PPTP connection with EAP-TLS.
    I already configured PPTP with MSCHAPv2 and it works fine. But I need higher security.
    So under Advanced I chose EAP, but there is no option to select the certificate. I have the user's PK12 and CA certificates. Where do I input them?
    I am using the default KDE connection manager.

    #2
    Solved

    I think I solved this by myself.
    This is about connecting to Windows network with PKI and EAP-TLS PPTP Windows servers.
    So I had Windows CA certificate (.crt) and my user certificate with private key and certificate chain (.pfx).
    First task is to get .pem files from those certificates.
    Create the folder ~/certs (or name it as you like and put it where you like) and put your certificates into it. cd into that folder.
    openssl pkcs12 -in mypersonalcert.pfx -out test.pem -nodes
    That command will create test.pem file with all the certificates you need in PEM format.
    Copy/paste PEM Base64 segments into kate and make CA.pem, mycert.pem, and mycertkey.pem.
    If you didn't find the CA Base64 certificate in the pfx (if it is not chained), then use this command to make the CA pem file:
    openssl x509 -inform der -in CA.crt -out CA.pem
    chmod 600 the pem files.

    Now you have to sudo kate /etc/ppp/eaptls-client and put one line into it.
    The syntax is explained in http://www.nikhef.nl/~janjust/ppp/README.eap-tls, paragraph 3.2.
    Example
    * * /home/xyz/certs/mycert.pem - /home/xyz/certs/CA.pem /home/xyz/certs/mycertkey.pem
    Use TAB as delimiter.
    chmod 600 that file too.

    That's all. Try connecting; if it doesn't work, use sudo tail -100 /var/log/syslog and check for errors.

    But I am a little worried about security. Should the decrypted key file be among the files on the system, even if it is chmoded 600? Maybe the certificates should be in the openssl store and used from there? I don't really know how to do that.


    Not tied to this problem, there was another issue.
    After the connection was established, with the "Use only for resources on this connection" option on, it would not ping any hosts in the remote network because pptp didn't create a route for it.
    Add this to /etc/ppp/ip-up
    /sbin/route add -net xxx.xxx.xxx.0 netmask 255.255.255.0 gw $5
    where xxx.xxx.xxx.0 is the subnet of the remote network.
    That will obviously add a route for all VPN connections, but I have only one VPN connection so it's fine for me. Maybe with if and cut commands it could be done better to limit it to only this connection.
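    The closing suggestion of the post (limit the route to this one connection) worked out as an added example; this is not code from the thread. It is a POSIX sh hook for /etc/ppp/ip-up (or a script under /etc/ppp/ip-up.d/ on Debian-style systems) that adds the route only when pppd's ipparam argument ($6) matches a chosen tag and the peer address in $5 is a well-formed IPv4 address, so other PPP links are left alone and nothing but a validated address ever reaches the route command. The tag work-pptp and the 192.0.2.0/24 subnet are constructed placeholders standing in for the post's xxx.xxx.xxx.0; what your pppd actually passes as ipparam is an assumption you should confirm by logging $6 once.

```shell
#!/bin/sh
# PPP ip-up hook that adds the remote subnet route only for one named PPTP link.
# pppd invokes it as:  ip-up IFNAME TTY SPEED LOCAL_IP REMOTE_IP IPPARAM
# so the post's "$5" is REMOTE_IP and "$6" is whatever pppd's ipparam option holds.

# Constructed values (assumptions for this example): the post's xxx.xxx.xxx.0/24 is
# written as a TEST-NET-2 placeholder, and the tag is whatever your pppd is started
# with as ipparam; log "$6" from this hook once to see what your setup passes.
VPN_TAG="${VPN_TAG:-work-pptp}"
VPN_SUBNET="${VPN_SUBNET:-192.0.2.0/24}"

# Accept only a plain dotted-quad IPv4 address, so nothing odd is ever handed to "ip".
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^((25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\.){3}(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])$'
}

# Print the route command for this link if it is the VPN we care about;
# print nothing and return 1 for any other pppd link.
route_cmd_for() {
    ifname="$1" remote_ip="$5" ipparam="$6"
    [ "$ipparam" = "$VPN_TAG" ] || return 1
    case "$ifname" in ppp[0-9]*) ;; *) return 1 ;; esac
    is_ipv4 "$remote_ip" || return 1
    printf 'ip route add %s via %s dev %s\n' "$VPN_SUBNET" "$remote_ip" "$ifname"
}

main() {
    cmd=$(route_cmd_for "$@") || exit 0      # not our link: leave routing alone
    logger -t ip-up "adding VPN route: $cmd"
    $cmd    # every token was validated above, so plain word splitting is safe
}

# pppd always passes at least six arguments; run nothing when invoked by hand.
if [ $# -ge 6 ]; then
    main "$@"
fi
```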

      #3
      Originally posted by prosoor:
      I think I solved this by myself.
      Nicely done.

      Originally posted by prosoor:
      But I am a little worried about security. Should the decrypted key file be among the files on the system, even if it is chmoded 600? Maybe the certificates should be in the openssl store and used from there? I don't really know how to do that.
      If the EAP-TLS stuff can't work with an encrypted key file, then setting the file's attributes to 600 is the right thing to do.
