[Vpn-help] New 2.1.0 alpha 8 release ...

Matthew Grooms mgrooms at shrew.net
Thu Feb 21 19:36:38 CST 2008

David Santinoli wrote:
> On Wed, Feb 20, 2008 at 09:23:09PM -0600, Matthew Grooms wrote:
>> RSA keys and certificate data is now encapsulated in exported site
>> configuration files.
> Great!  Thanks a lot, Matthew!
> Can you confirm that the entries in the configuration file are the
> base64-encoded version of the textual (PEM) representation of the
> keys/certs?  I am aiming towards the fully-automated generation of such
> configuration files, and the goal seems really near now.

Yes. The rudimentary configuration file format encodes any binary value 
as base64. Currently, the only two uses are auth-mutual-psk and the 
auth-server-cert-data attribute. The latter attribute is only found in 
an exported configuration file.

> BTW, does the client always need to dump key and certs to local files?
> What would happen if I removed the 'auth-client-cert' and similar
> entries from the configuration file?

Here is how it works. A configuration on windows is stored in the 
registry while configurations on unix are stored in files under the 
~/.ike/sites directory. When you request that a file be exported, the 
access manager finds a key/cert file based on the path contained in the 
attribute value, truncates the path down to only the file name and adds 
a new binary attribute that contains the file contents. The process is 
reversed for an import. For example ...

s:auth-server-cert:<path to file>\ca.crt

... gets exported as ...

b:auth-server-cert-data:<base64 data of ca.crt>

... I forgot to mention in the latest release email that a configuration 
directory hierarchy similar to the one used on unix platforms is now 
created on windows platforms as well. It exists as ...

<My Docs>\Shrew Soft VPN
<My Docs>\Shrew Soft VPN\certs
<My Docs>\Shrew Soft VPN\sites

... So, back to the configuration example ...

b:auth-server-cert-data:<base64 data of ca.crt>

... gets imported as ...

( on windows )
s:auth-server-cert:<My Docs>\Shrew Soft VPN\certs\ca.crt

( on unix )

... The file referenced by the auth-server-cert attribute is created 
using the base64 encoded data contained in the auth-server-cert-data 
attribute. After the file is created, the data attribute is deleted.

To answer your last question, if you removed the attributes from an 
exported file then the imported site configuration would be non functional.

Hope this helps,


More information about the vpn-help mailing list