Benutzer:Zim/ip6sec: Unterschied zwischen den Versionen
Zim (Diskussion | Beiträge) (ips, again) |
Zim (Diskussion | Beiträge) K |
Zeile 54: | Zeile 54: | ||
path pre_shared_key "/etc/racoon/psk.txt"; | path pre_shared_key "/etc/racoon/psk.txt"; | ||
#path certificate "/etc/racoon/certs"; | #path certificate "/etc/racoon/certs"; | ||
− | |||
listen | listen | ||
{ | { | ||
isakmp 2001:6f8:1044::1; | isakmp 2001:6f8:1044::1; | ||
} | } | ||
− | |||
remote 2001:6f8:1044::2 | remote 2001:6f8:1044::2 | ||
{ | { | ||
Zeile 65: | Zeile 63: | ||
# my_identifier asn1dn; | # my_identifier asn1dn; | ||
# peers_identifier asn1dn; | # peers_identifier asn1dn; | ||
− | |||
# certificate_type x509 "host-A-cert.pem" "host-A-key.pem"; | # certificate_type x509 "host-A-cert.pem" "host-A-key.pem"; | ||
# peers_certfile x509 "host-B-cert.pem"; | # peers_certfile x509 "host-B-cert.pem"; | ||
− | |||
lifetime time 24 hour; | lifetime time 24 hour; | ||
proposal | proposal | ||
Zeile 86: | Zeile 82: | ||
compression_algorithm deflate; | compression_algorithm deflate; | ||
} | } | ||
− | |||
sainfo address 2001:6f8:1044::2 any address 2001:6f8:1044::1 any | sainfo address 2001:6f8:1044::2 any address 2001:6f8:1044::1 any | ||
{ | { | ||
Zeile 104: | Zeile 99: | ||
path pre_shared_key "/etc/racoon/psk.txt"; | path pre_shared_key "/etc/racoon/psk.txt"; | ||
#path certificate "/etc/racoon/certs"; | #path certificate "/etc/racoon/certs"; | ||
− | |||
listen | listen | ||
{ | { | ||
Zeile 110: | Zeile 104: | ||
isakmp 2001:6f8:1044::2; | isakmp 2001:6f8:1044::2; | ||
} | } | ||
− | |||
#remote 2001:6f8:1044::2 | #remote 2001:6f8:1044::2 | ||
remote 2001:6f8:1044::1 | remote 2001:6f8:1044::1 | ||
Zeile 117: | Zeile 110: | ||
# my_identifier asn1dn; | # my_identifier asn1dn; | ||
# peers_identifier asn1dn; | # peers_identifier asn1dn; | ||
− | |||
# certificate_type x509 "host-B-cert.pem" "host-B-key.pem"; | # certificate_type x509 "host-B-cert.pem" "host-B-key.pem"; | ||
# peers_certfile x509 "host-A-cert.pem"; | # peers_certfile x509 "host-A-cert.pem"; | ||
− | |||
lifetime time 24 hour; | lifetime time 24 hour; | ||
proposal | proposal | ||
Zeile 138: | Zeile 129: | ||
compression_algorithm deflate; | compression_algorithm deflate; | ||
} | } | ||
− | + | sainfo address 2001:6f8:1044::2 any address 2001:6f8:1044::1 any | |
− | sainfo address 2001:6f8:1044::2 any address 2001:6f8:1044::1 any | + | |
{ | { | ||
lifetime time 1 hour; | lifetime time 1 hour; | ||
Zeile 162: | Zeile 152: | ||
#path pre_shared_key "/etc/racoon/psk.txt"; | #path pre_shared_key "/etc/racoon/psk.txt"; | ||
path certificate "/etc/racoon/certs"; | path certificate "/etc/racoon/certs"; | ||
− | |||
listen | listen | ||
{ | { | ||
isakmp 2001:6f8:1044::1; | isakmp 2001:6f8:1044::1; | ||
} | } | ||
− | |||
remote 2001:6f8:1044::2 | remote 2001:6f8:1044::2 | ||
{ | { | ||
Zeile 173: | Zeile 161: | ||
my_identifier asn1dn; | my_identifier asn1dn; | ||
peers_identifier asn1dn; | peers_identifier asn1dn; | ||
− | |||
certificate_type x509 "host-A-cert.pem" "host-A-key.pem"; | certificate_type x509 "host-A-cert.pem" "host-A-key.pem"; | ||
peers_certfile x509 "host-B-cert.pem"; | peers_certfile x509 "host-B-cert.pem"; | ||
− | |||
lifetime time 24 hour; | lifetime time 24 hour; | ||
proposal | proposal | ||
Zeile 194: | Zeile 180: | ||
compression_algorithm deflate; | compression_algorithm deflate; | ||
} | } | ||
− | |||
sainfo address 2001:6f8:1044::2 any address 2001:6f8:1044::1 any | sainfo address 2001:6f8:1044::2 any address 2001:6f8:1044::1 any | ||
{ | { | ||
Zeile 212: | Zeile 197: | ||
#path pre_shared_key "/etc/racoon/psk.txt"; | #path pre_shared_key "/etc/racoon/psk.txt"; | ||
path certificate "/etc/racoon/certs"; | path certificate "/etc/racoon/certs"; | ||
− | |||
listen | listen | ||
{ | { | ||
Zeile 218: | Zeile 202: | ||
isakmp 2001:6f8:1044::2; | isakmp 2001:6f8:1044::2; | ||
} | } | ||
− | |||
#remote 2001:6f8:1044::2 | #remote 2001:6f8:1044::2 | ||
remote 2001:6f8:1044::1 | remote 2001:6f8:1044::1 | ||
Zeile 225: | Zeile 208: | ||
my_identifier asn1dn; | my_identifier asn1dn; | ||
peers_identifier asn1dn; | peers_identifier asn1dn; | ||
− | |||
certificate_type x509 "host-B-cert.pem" "host-B-key.pem"; | certificate_type x509 "host-B-cert.pem" "host-B-key.pem"; | ||
peers_certfile x509 "host-A-cert.pem"; | peers_certfile x509 "host-A-cert.pem"; | ||
− | |||
lifetime time 24 hour; | lifetime time 24 hour; | ||
proposal | proposal | ||
Zeile 246: | Zeile 227: | ||
compression_algorithm deflate; | compression_algorithm deflate; | ||
} | } | ||
− | |||
sainfo address 2001:6f8:1044::2 any address 2001:6f8:1044::1 any | sainfo address 2001:6f8:1044::2 any address 2001:6f8:1044::1 any | ||
{ | { |
Version vom 9. Februar 2009, 16:05 Uhr
beispielconfig fuer ipsec/ipv6
benoetigte pakete:
- ipsec-tools
- racoon (evtl. schon in ipsec-tools enthalten)
mode: transport
keys: preshared
file: psk.txt
desc: enthaelt preshared keys
host: A und B
# /etc/racoon/psk.txt
# Pre-shared keys for racoon: one "<identifier> <key>" pair per line, where the
# identifier is the peer's address (as used in the remote/sainfo blocks of
# racoon.conf). The same file is deployed on host A and host B.
# racoon reads this file as root and rejects it when it is readable by group or
# others, so keep it root-owned with mode 0600.
# "secret" is only a placeholder: with authentication_method pre_shared_key this
# string is the sole peer authentication, so replace it with a long random value.
# IPv4/v6 addresses
2001:6f8:1044::1 secret
2001:6f8:1044::2 secret
# Remaining lines are the upstream sample entries, left disabled.
#10.160.94.3 mekmitasdigoat
#172.16.1.133 0x12345678
#194.100.55.1 whatcertificatereally
#3ffe:501:410:ffff:200:86ff:fe05:80fa mekmitasdigoat
#3ffe:501:410:ffff:210:4bff:fea2:8baa mekmitasdigoat
# USER_FQDN
#foo@kame.net mekmitasdigoat
# FQDN
#foo.kame.net hoge
file: setkey.txt
desc: shellscript to set up spd-policies
host: A
#!/usr/sbin/setkey -f
# Security policy database for host A (2001:6f8:1044::1), transport mode ESP
# towards host B (2001:6f8:1044::2). The SAs themselves are negotiated by racoon.
# flush/spdflush discard every existing SA and policy first, so running this on a
# live host also interrupts any other IPsec association until it is renegotiated.
flush;
spdflush;
# "require": matching packets are dropped when no SA exists; there is no
# cleartext fallback (that would be level "use"). Upper-layer protocol "any"
# covers all traffic between the two addresses; traffic to or from any other
# address is not covered and stays unprotected.
spdadd 2001:6f8:1044::1 2001:6f8:1044::2 any -P out ipsec esp/transport//require;
spdadd 2001:6f8:1044::2 2001:6f8:1044::1 any -P in ipsec esp/transport//require;
file: setkey.txt
desc: shellscript to set up spd-policies
host: B
#!/usr/sbin/setkey -f
# Security policy database for host B (2001:6f8:1044::2): the mirror image of the
# host A script, with the in/out directions swapped. SAs are negotiated by racoon.
# flush/spdflush discard every existing SA and policy first, so running this on a
# live host also interrupts any other IPsec association until it is renegotiated.
flush;
spdflush;
# "require": matching packets are dropped when no SA exists; there is no
# cleartext fallback (that would be level "use"). Upper-layer protocol "any"
# covers all traffic between the two addresses; traffic to or from any other
# address is not covered and stays unprotected.
spdadd 2001:6f8:1044::1 2001:6f8:1044::2 any -P in ipsec esp/transport//require;
spdadd 2001:6f8:1044::2 2001:6f8:1044::1 any -P out ipsec esp/transport//require;
file: racoon.conf
desc: racoon config for host A - preshared keys
host: A
# racoon.conf for host A (2001:6f8:1044::1): IKEv1 with a pre-shared key,
# peer is host B (2001:6f8:1044::2). Both hosts must offer matching phase-1
# and phase-2 proposals or the negotiation fails.
# path include "/etc/racoon";
# Keys are looked up in psk.txt by the peer's address. racoon rejects the file
# unless it is root-owned and not readable by group/others (mode 0600).
path pre_shared_key "/etc/racoon/psk.txt";
#path certificate "/etc/racoon/certs";

# Accept ISAKMP only on this host's IPv6 address.
listen
{
    isakmp 2001:6f8:1044::1;
}

# Phase 1 (ISAKMP SA) parameters for peer B.
remote 2001:6f8:1044::2
{
    # Main mode protects the peer identities during negotiation; keep it
    # rather than aggressive mode when authenticating with a PSK.
    exchange_mode main;
    # Certificate settings are disabled in the PSK variant of this config.
    # my_identifier asn1dn;
    # peers_identifier asn1dn;
    # certificate_type x509 "host-A-cert.pem" "host-A-key.pem";
    # peers_certfile x509 "host-B-cert.pem";
    # Phase-1 SA lifetime.
    lifetime time 24 hour;
    proposal
    {
        encryption_algorithm aes;
        # IKE hash/PRF; the peer config offers the same value.
        hash_algorithm sha1;
        # The PSK from psk.txt is the only peer authentication here.
        authentication_method pre_shared_key;
        # authentication_method rsasig;
        # Group 2 is 1024-bit MODP. NOTE(review): weak by current standards;
        # dh_group 14 (2048-bit) is preferable if both peers support it.
        dh_group 2;
    }
}

# Phase 2 (IPsec SA) parameters, one sainfo per direction, matching the
# setkey policies. Protocol "any" covers all traffic between the two hosts.
sainfo address 2001:6f8:1044::1 any address 2001:6f8:1044::2 any
{
    # Phase-2 SA lifetime; rekeyed hourly.
    lifetime time 1 hour;
    encryption_algorithm aes;
    authentication_algorithm hmac_sha1;
    # deflate negotiates IPComp alongside ESP.
    compression_algorithm deflate;
}
sainfo address 2001:6f8:1044::2 any address 2001:6f8:1044::1 any
{
    lifetime time 1 hour;
    encryption_algorithm aes;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
}
file: racoon.conf
desc: racoon config for host B - preshared keys
host: B
# racoon.conf for host B (2001:6f8:1044::2): IKEv1 with a pre-shared key,
# peer is host A (2001:6f8:1044::1). Mirror of the host A file; the proposals
# must match on both sides.
# path include "/etc/racoon";
# Keys are looked up in psk.txt by the peer's address. racoon rejects the file
# unless it is root-owned and not readable by group/others (mode 0600).
path pre_shared_key "/etc/racoon/psk.txt";
#path certificate "/etc/racoon/certs";

# Accept ISAKMP only on this host's IPv6 address (the commented address is a
# leftover from the host A file).
listen
{
    # isakmp 2001:6f8:1044::1;
    isakmp 2001:6f8:1044::2;
}

# Phase 1 (ISAKMP SA) parameters for peer A.
#remote 2001:6f8:1044::2
remote 2001:6f8:1044::1
{
    # Main mode protects the peer identities during negotiation; keep it
    # rather than aggressive mode when authenticating with a PSK.
    exchange_mode main;
    # Certificate settings are disabled in the PSK variant of this config.
    # my_identifier asn1dn;
    # peers_identifier asn1dn;
    # certificate_type x509 "host-B-cert.pem" "host-B-key.pem";
    # peers_certfile x509 "host-A-cert.pem";
    # Phase-1 SA lifetime.
    lifetime time 24 hour;
    proposal
    {
        encryption_algorithm aes;
        # IKE hash/PRF; the peer config offers the same value.
        hash_algorithm sha1;
        # The PSK from psk.txt is the only peer authentication here.
        authentication_method pre_shared_key;
        # authentication_method rsasig;
        # Group 2 is 1024-bit MODP. NOTE(review): weak by current standards;
        # dh_group 14 (2048-bit) is preferable if both peers support it.
        dh_group 2;
    }
}

# Phase 2 (IPsec SA) parameters, one sainfo per direction, matching the
# setkey policies. Protocol "any" covers all traffic between the two hosts.
sainfo address 2001:6f8:1044::1 any address 2001:6f8:1044::2 any
{
    # Phase-2 SA lifetime; rekeyed hourly.
    lifetime time 1 hour;
    encryption_algorithm aes;
    authentication_algorithm hmac_sha1;
    # deflate negotiates IPComp alongside ESP.
    compression_algorithm deflate;
}
sainfo address 2001:6f8:1044::2 any address 2001:6f8:1044::1 any
{
    lifetime time 1 hour;
    encryption_algorithm aes;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
}
mode: transport
keys: certificate
desc: only change racoon.conf
file: racoon.conf
desc: racoon config for host A - certs
host: A
# racoon.conf for host A (2001:6f8:1044::1): IKEv1 with X.509 certificates
# (RSA signatures), peer is host B (2001:6f8:1044::2). Only racoon.conf
# differs from the PSK variant; psk.txt and the setkey policies stay the same.
# path include "/etc/racoon";
#path pre_shared_key "/etc/racoon/psk.txt";
# Directory holding this host's certificate and key and the peer certificate.
# racoon's verify_cert is on by default, so the CA that issued the peer
# certificate must also be resolvable from here (OpenSSL hashed-name layout).
path certificate "/etc/racoon/certs";

# Accept ISAKMP only on this host's IPv6 address.
listen
{
    isakmp 2001:6f8:1044::1;
}

# Phase 1 (ISAKMP SA) parameters for peer B.
remote 2001:6f8:1044::2
{
    exchange_mode main;
    # Both sides identify themselves by the subject DN of their certificate.
    my_identifier asn1dn;
    peers_identifier asn1dn;
    # Our certificate and private key, relative to "path certificate".
    # Keep the key file readable by root only.
    certificate_type x509 "host-A-cert.pem" "host-A-key.pem";
    # Local copy of the peer certificate, used instead of relying solely on the
    # certificate the peer sends during IKE.
    peers_certfile x509 "host-B-cert.pem";
    # Phase-1 SA lifetime.
    lifetime time 24 hour;
    proposal
    {
        encryption_algorithm aes;
        # IKE hash/PRF; the peer config offers the same value.
        hash_algorithm sha1;
        # authentication_method pre_shared_key;
        # Peer authentication by RSA signature over the certificates above.
        authentication_method rsasig;
        # Group 2 is 1024-bit MODP. NOTE(review): weak by current standards;
        # dh_group 14 (2048-bit) is preferable if both peers support it.
        dh_group 2;
    }
}

# Phase 2 (IPsec SA) parameters, one sainfo per direction, matching the
# setkey policies. Protocol "any" covers all traffic between the two hosts.
sainfo address 2001:6f8:1044::1 any address 2001:6f8:1044::2 any
{
    # Phase-2 SA lifetime; rekeyed hourly.
    lifetime time 1 hour;
    encryption_algorithm aes;
    authentication_algorithm hmac_sha1;
    # deflate negotiates IPComp alongside ESP.
    compression_algorithm deflate;
}
sainfo address 2001:6f8:1044::2 any address 2001:6f8:1044::1 any
{
    lifetime time 1 hour;
    encryption_algorithm aes;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
}
file: racoon.conf
desc: racoon config for host B - certs
host: B
# racoon.conf for host B (2001:6f8:1044::2): IKEv1 with X.509 certificates
# (RSA signatures), peer is host A (2001:6f8:1044::1). Mirror of the host A
# certificate config; only the addresses and certificate file names differ.
# path include "/etc/racoon";
#path pre_shared_key "/etc/racoon/psk.txt";
# Directory holding this host's certificate and key and the peer certificate.
# racoon's verify_cert is on by default, so the CA that issued the peer
# certificate must also be resolvable from here (OpenSSL hashed-name layout).
path certificate "/etc/racoon/certs";

# Accept ISAKMP only on this host's IPv6 address (the commented address is a
# leftover from the host A file).
listen
{
    # isakmp 2001:6f8:1044::1;
    isakmp 2001:6f8:1044::2;
}

# Phase 1 (ISAKMP SA) parameters for peer A.
#remote 2001:6f8:1044::2
remote 2001:6f8:1044::1
{
    exchange_mode main;
    # Both sides identify themselves by the subject DN of their certificate.
    my_identifier asn1dn;
    peers_identifier asn1dn;
    # Our certificate and private key, relative to "path certificate".
    # Keep the key file readable by root only.
    certificate_type x509 "host-B-cert.pem" "host-B-key.pem";
    # Local copy of the peer certificate, used instead of relying solely on the
    # certificate the peer sends during IKE.
    peers_certfile x509 "host-A-cert.pem";
    # Phase-1 SA lifetime.
    lifetime time 24 hour;
    proposal
    {
        encryption_algorithm aes;
        # IKE hash/PRF; the peer config offers the same value.
        hash_algorithm sha1;
        # authentication_method pre_shared_key;
        # Peer authentication by RSA signature over the certificates above.
        authentication_method rsasig;
        # Group 2 is 1024-bit MODP. NOTE(review): weak by current standards;
        # dh_group 14 (2048-bit) is preferable if both peers support it.
        dh_group 2;
    }
}

# Phase 2 (IPsec SA) parameters, one sainfo per direction, matching the
# setkey policies. Protocol "any" covers all traffic between the two hosts.
sainfo address 2001:6f8:1044::1 any address 2001:6f8:1044::2 any
{
    # Phase-2 SA lifetime; rekeyed hourly.
    lifetime time 1 hour;
    encryption_algorithm aes;
    authentication_algorithm hmac_sha1;
    # deflate negotiates IPComp alongside ESP.
    compression_algorithm deflate;
}
sainfo address 2001:6f8:1044::2 any address 2001:6f8:1044::1 any
{
    lifetime time 1 hour;
    encryption_algorithm aes;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
}
todo:
- roadwarrior-mode