Benutzer:Zim/ip6sec: Unterschied zwischen den Versionen
Zim (Diskussion | Beiträge) (start, pre-shared) |
Zim (Diskussion | Beiträge) |
(14 dazwischenliegende Versionen von einem Benutzer werden nicht angezeigt) | |||
Zeile 2: | Zeile 2: | ||
benoetigte pakete: | benoetigte pakete: | ||
− | - ipsec-tools | + | - ipsec-tools |
− | - racoon (evtl schon in ipsec-tools enthalten) | + | - racoon (evtl schon in ipsec-tools enthalten) |
+ | ---- | ||
+ | Update: | ||
+ | Dem racoon-Paket liegt noch eine weiteres Tool racoon-tool bei. Damit lassen sich die ewig langen Configdateien auf ein Minimum zurecht stutzen. Beispiel für PSK-transport-Config: | ||
+ | file: /etc/racoon/racoon-tool.conf | ||
+ | connection(bezeichner): | ||
+ | src_ip: loc-IP | ||
+ | dst_ip: remote-IP | ||
+ | authentication_algorithm: hmac_sha1 | ||
+ | admin_status: yes | ||
+ | peer(remote-IP): | ||
+ | passive:off | ||
+ | verify_identifier: on | ||
+ | lifetime: time 30 min | ||
+ | hash_algorithm[0]: sha1 | ||
+ | encryption_algorithm[0]: aes | ||
+ | my_identifier: address loc-IP | ||
+ | peers_identifier: address remote-IP | ||
+ | |||
+ | Das Gleiche mit getauschten IPs auf dem remote-Host und dann per 'racoon-tool start' anwenden. Fertig. | ||
+ | |||
+ | ---- | ||
mode: transport | mode: transport | ||
keys: preshared | keys: preshared | ||
Zeile 12: | Zeile 33: | ||
host: A und B | host: A und B | ||
− | # /etc/racoon/psk.txt | + | # /etc/racoon/psk.txt |
− | # IPv4/v6 addresses | + | # IPv4/v6 addresses |
− | 2001:6f8:1044: | + | 2001:6f8:1044::1 secret |
− | #10.160.94.3 mekmitasdigoat | + | 2001:6f8:1044::2 secret |
− | #172.16.1.133 0x12345678 | + | #10.160.94.3 mekmitasdigoat |
− | #194.100.55.1 whatcertificatereally | + | #172.16.1.133 0x12345678 |
− | #3ffe:501:410:ffff:200:86ff:fe05:80fa mekmitasdigoat | + | #194.100.55.1 whatcertificatereally |
− | #3ffe:501:410:ffff:210:4bff:fea2:8baa mekmitasdigoat | + | #3ffe:501:410:ffff:200:86ff:fe05:80fa mekmitasdigoat |
− | # USER_FQDN | + | #3ffe:501:410:ffff:210:4bff:fea2:8baa mekmitasdigoat |
− | #foo@kame.net mekmitasdigoat | + | # USER_FQDN |
− | # FQDN | + | #foo@kame.net mekmitasdigoat |
− | #foo.kame.net hoge | + | # FQDN |
+ | #foo.kame.net hoge | ||
file: setkey.txt | file: setkey.txt | ||
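Review bot: The two new psk.txt entries `2001:6f8:1044::1 secret` and `2001:6f8:1044::2 secret` use the literal word `secret` as the pre-shared key, and nothing on the page marks it as a placeholder; a reader copying the listing gets a guessable IKE key. The note next to the file should say that the value is a long random string, that the same key is looked up by the peer's address on both hosts (so host A needs the ::2 line and host B the ::1 line), and that psk.txt must be readable only by root — racoon rejects a psk.txt with weaker permissions at lookup time. A line such as `# replace "secret" with a long random key; chmod 600 this file` above the entries would cover it.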
Zeile 29: | Zeile 51: | ||
host: A | host: A | ||
− | #!/usr/sbin/setkey -f | + | #!/usr/sbin/setkey -f |
− | flush; | + | flush; |
− | spdflush; | + | spdflush; |
− | spdadd 2001:6f8: | + | spdadd 2001:6f8:1044::1 2001:6f8:1044::2 any -P out ipsec esp/transport//require; |
− | spdadd 2001:6f8:1044:: | + | spdadd 2001:6f8:1044::2 2001:6f8:1044::1 any -P in ipsec esp/transport//require; |
file: setkey.txt | file: setkey.txt | ||
Zeile 39: | Zeile 61: | ||
host: B | host: B | ||
− | #!/usr/sbin/setkey -f | + | #!/usr/sbin/setkey -f |
− | flush; | + | flush; |
− | spdflush; | + | spdflush; |
− | spdadd 2001:6f8: | + | spdadd 2001:6f8:1044::1 2001:6f8:1044::2 any -P in ipsec esp/transport//require; |
− | spdadd 2001:6f8:1044:: | + | spdadd 2001:6f8:1044::2 2001:6f8:1044::1 any -P out ipsec esp/transport//require; |
file: racoon.conf | file: racoon.conf | ||
− | desc: | + | desc: racoon config for host A - preshared keys |
host: A | host: A | ||
− | # | + | # |
− | path include "/etc/racoon"; | + | path include "/etc/racoon"; |
− | path pre_shared_key "/etc/racoon/psk.txt"; | + | path pre_shared_key "/etc/racoon/psk.txt"; |
− | #path certificate "/etc/racoon/certs"; | + | #path certificate "/etc/racoon/certs"; |
+ | listen | ||
+ | { | ||
+ | isakmp 2001:6f8:1044::1; | ||
+ | } | ||
+ | remote 2001:6f8:1044::2 | ||
+ | { | ||
+ | exchange_mode main; | ||
+ | # my_identifier asn1dn; | ||
+ | # peers_identifier asn1dn; | ||
+ | # certificate_type x509 "host-A-cert.pem" "host-A-key.pem"; | ||
+ | # peers_certfile x509 "host-B-cert.pem"; | ||
+ | lifetime time 24 hour; | ||
+ | proposal | ||
+ | { | ||
+ | encryption_algorithm aes; | ||
+ | hash_algorithm sha1; | ||
+ | authentication_method pre_shared_key; | ||
+ | # authentication_method rsasig; | ||
+ | dh_group 2; | ||
+ | } | ||
+ | } | ||
+ | sainfo address 2001:6f8:1044::1 any address 2001:6f8:1044::2 any | ||
+ | { | ||
+ | lifetime time 1 hour; | ||
+ | encryption_algorithm aes; | ||
+ | authentication_algorithm hmac_sha1; | ||
+ | compression_algorithm deflate; | ||
+ | } | ||
+ | sainfo address 2001:6f8:1044::2 any address 2001:6f8:1044::1 any | ||
+ | { | ||
+ | lifetime time 1 hour; | ||
+ | encryption_algorithm aes; | ||
+ | authentication_algorithm hmac_sha1; | ||
+ | compression_algorithm deflate; | ||
+ | } | ||
− | |||
− | |||
− | |||
− | |||
− | remote 2001:6f8:1044:: | + | file: racoon.conf |
− | { | + | desc: racoon config for host B - preshared keys |
+ | host: B | ||
+ | |||
+ | # | ||
+ | path include "/etc/racoon"; | ||
+ | path pre_shared_key "/etc/racoon/psk.txt"; | ||
+ | #path certificate "/etc/racoon/certs"; | ||
+ | listen | ||
+ | { | ||
+ | # isakmp 2001:6f8:1044::1; | ||
+ | isakmp 2001:6f8:1044::2; | ||
+ | } | ||
+ | #remote 2001:6f8:1044::2 | ||
+ | remote 2001:6f8:1044::1 | ||
+ | { | ||
exchange_mode main; | exchange_mode main; | ||
− | # my_identifier asn1dn; | + | # my_identifier asn1dn; |
− | # peers_identifier asn1dn; | + | # peers_identifier asn1dn; |
+ | # certificate_type x509 "host-B-cert.pem" "host-B-key.pem"; | ||
+ | # peers_certfile x509 "host-A-cert.pem"; | ||
+ | lifetime time 24 hour; | ||
+ | proposal | ||
+ | { | ||
+ | encryption_algorithm aes; | ||
+ | hash_algorithm sha1; | ||
+ | authentication_method pre_shared_key; | ||
+ | # authentication_method rsasig; | ||
+ | dh_group 2; | ||
+ | } | ||
+ | } | ||
+ | sainfo address 2001:6f8:1044::1 any address 2001:6f8:1044::2 any | ||
+ | { | ||
+ | lifetime time 1 hour; | ||
+ | encryption_algorithm aes; | ||
+ | authentication_algorithm hmac_sha1; | ||
+ | compression_algorithm deflate; | ||
+ | } | ||
+ | sainfo address 2001:6f8:1044::2 any address 2001:6f8:1044::1 any | ||
+ | { | ||
+ | lifetime time 1 hour; | ||
+ | encryption_algorithm aes; | ||
+ | authentication_algorithm hmac_sha1; | ||
+ | compression_algorithm deflate; | ||
+ | } | ||
− | + | ---- | |
− | + | mode: transport | |
+ | keys: certificate | ||
+ | desc: only change racoon.conf | ||
+ | |||
+ | |||
+ | file: racoon.conf | ||
+ | desc: racoon config for host A - certs | ||
+ | host: A | ||
+ | |||
+ | # | ||
+ | path include "/etc/racoon"; | ||
+ | #path pre_shared_key "/etc/racoon/psk.txt"; | ||
+ | path certificate "/etc/racoon/certs"; | ||
+ | listen | ||
+ | { | ||
+ | isakmp 2001:6f8:1044::1; | ||
+ | } | ||
+ | remote 2001:6f8:1044::2 | ||
+ | { | ||
+ | exchange_mode main; | ||
+ | my_identifier asn1dn; | ||
+ | peers_identifier asn1dn; | ||
+ | certificate_type x509 "host-A-cert.pem" "host-A-key.pem"; | ||
+ | peers_certfile x509 "host-B-cert.pem"; | ||
lifetime time 24 hour; | lifetime time 24 hour; | ||
proposal | proposal | ||
{ | { | ||
− | encryption_algorithm | + | encryption_algorithm aes; |
− | hash_algorithm | + | hash_algorithm sha1; |
− | + | # authentication_method pre_shared_key; | |
− | + | authentication_method rsasig; | |
dh_group 2; | dh_group 2; | ||
} | } | ||
− | } | + | } |
+ | sainfo address 2001:6f8:1044::1 any address 2001:6f8:1044::2 any | ||
+ | { | ||
+ | lifetime time 1 hour; | ||
+ | encryption_algorithm aes; | ||
+ | authentication_algorithm hmac_sha1; | ||
+ | compression_algorithm deflate; | ||
+ | } | ||
+ | sainfo address 2001:6f8:1044::2 any address 2001:6f8:1044::1 any | ||
+ | { | ||
+ | lifetime time 1 hour; | ||
+ | encryption_algorithm aes; | ||
+ | authentication_algorithm hmac_sha1; | ||
+ | compression_algorithm deflate; | ||
+ | } | ||
file: racoon.conf | file: racoon.conf | ||
− | desc: | + | desc: racoon config for host B - certs |
host: B | host: B | ||
− | # | + | # |
− | path include "/etc/racoon"; | + | path include "/etc/racoon"; |
− | path pre_shared_key "/etc/racoon/psk.txt"; | + | #path pre_shared_key "/etc/racoon/psk.txt"; |
− | + | path certificate "/etc/racoon/certs"; | |
+ | listen | ||
+ | { | ||
+ | # isakmp 2001:6f8:1044::1; | ||
+ | isakmp 2001:6f8:1044::2; | ||
+ | } | ||
+ | #remote 2001:6f8:1044::2 | ||
+ | remote 2001:6f8:1044::1 | ||
+ | { | ||
+ | exchange_mode main; | ||
+ | my_identifier asn1dn; | ||
+ | peers_identifier asn1dn; | ||
+ | certificate_type x509 "host-B-cert.pem" "host-B-key.pem"; | ||
+ | peers_certfile x509 "host-A-cert.pem"; | ||
+ | lifetime time 24 hour; | ||
+ | proposal | ||
+ | { | ||
+ | encryption_algorithm aes; | ||
+ | hash_algorithm sha1; | ||
+ | # authentication_method pre_shared_key; | ||
+ | authentication_method rsasig; | ||
+ | dh_group 2; | ||
+ | } | ||
+ | } | ||
+ | sainfo address 2001:6f8:1044::1 any address 2001:6f8:1044::2 any | ||
+ | { | ||
+ | lifetime time 1 hour; | ||
+ | encryption_algorithm aes; | ||
+ | authentication_algorithm hmac_sha1; | ||
+ | compression_algorithm deflate; | ||
+ | } | ||
+ | sainfo address 2001:6f8:1044::2 any address 2001:6f8:1044::1 any | ||
+ | { | ||
+ | lifetime time 1 hour; | ||
+ | encryption_algorithm aes; | ||
+ | authentication_algorithm hmac_sha1; | ||
+ | compression_algorithm deflate; | ||
+ | } | ||
− | + | ---- | |
− | + | Roadwarrior-Config: | |
− | + | ||
− | + | ||
− | + | ||
− | + | Ziel: Verbindung von beliebigem Client (zb dynIP) zu Server | |
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | Serversite: | |
− | + | ||
+ | setkey.sh: | ||
+ | - destIP in Bereicht (::/0) geaendert; level von 'require' nach 'use', damit hosts ohne ipsec auch verbinden koennen | ||
+ | |||
+ | #!/usr/sbin/setkey -f | ||
+ | flush; | ||
+ | spdflush; | ||
+ | spdadd 2001:6f8:1044::1 ::/0 any -P out ipsec esp/transport//use; | ||
+ | spdadd ::/0 2001:6f8:1044::1 any -P in ipsec esp/transport//use; | ||
+ | |||
+ | racoon.conf: | ||
+ | - statt feste IPs der client-site, nun "anonymous"; ausserdem auf 'passiv' damit versucht der Server keine Verbindung herzustellen, sondern nur auf eingehende antwortet | ||
+ | |||
+ | #/etc/racoon/racoon.conf | ||
+ | path include "/etc/racoon"; | ||
+ | #path pre_shared_key "/etc/racoon/psk.txt"; | ||
+ | path certificate "/etc/racoon/certs"; | ||
+ | listen | ||
+ | { | ||
+ | isakmp 2001:6f8:900:8a6::2; | ||
+ | } | ||
+ | remote anonymous | ||
+ | { | ||
+ | exchange_mode aggressive,main,base; | ||
+ | my_identifier asn1dn; | ||
+ | certificate_type x509 "host-A-cert.pem" "host-A-key.pem"; | ||
+ | ca_type x509 "cacert.cert"; | ||
+ | passive on; | ||
+ | generate_policy on; | ||
+ | proposal { | ||
+ | encryption_algorithm aes; | ||
+ | hash_algorithm sha1; | ||
+ | authentication_method rsasig; | ||
+ | dh_group 2; | ||
+ | lifetime time 24 hour; | ||
+ | } | ||
+ | } | ||
+ | sainfo anonymous | ||
+ | { | ||
+ | pfs_group 2; | ||
+ | encryption_algorithm aes; | ||
+ | authentication_algorithm hmac_sha1; | ||
+ | compression_algorithm deflate; | ||
+ | |||
+ | client-site: | ||
+ | |||
+ | setkey.conf: kann so bleiben, evtl noch vereinfachbar | ||
+ | |||
+ | #!/usr/sbin/setkey -f | ||
+ | flush; | ||
+ | spdflush; | ||
+ | spdadd 2001:6f8:900:8a6::2 2001:6f8:1044::211:2fff:febe:666a any -P in ipsec esp/transport//require; | ||
+ | spdadd 2001:6f8:1044::211:2fff:febe:666a 2001:6f8:900:8a6::2 any -P out ipsec esp/transport//require; | ||
+ | |||
+ | racoon.conf: | ||
+ | |||
+ | #/etc/racoon/racoon.conf | ||
+ | path include "/etc/racoon"; | ||
+ | path certificate "/etc/racoon/certs"; | ||
+ | listen | ||
+ | { | ||
+ | isakmp 2001:6f8:1044::211:2fff:febe:666a; | ||
+ | } | ||
+ | remote 2001:6f8:900:8a6::2 | ||
+ | { | ||
+ | exchange_mode aggressive,main,base; | ||
+ | my_identifier asn1dn; | ||
+ | peers_identifier asn1dn; | ||
+ | certificate_type x509 "host-B-cert.pem" "host-B-key.pem"; | ||
+ | peers_certfile x509 "host-A-cert.pem"; | ||
lifetime time 24 hour; | lifetime time 24 hour; | ||
proposal | proposal | ||
{ | { | ||
− | encryption_algorithm | + | encryption_algorithm aes; |
− | hash_algorithm | + | hash_algorithm sha1; |
− | + | authentication_method rsasig; | |
− | + | ||
dh_group 2; | dh_group 2; | ||
} | } | ||
− | } | + | } |
+ | sainfo anonymous | ||
+ | { | ||
+ | pfs_group 2; | ||
+ | encryption_algorithm aes; | ||
+ | authentication_algorithm hmac_sha1; | ||
+ | compression_algorithm deflate; | ||
+ | } |
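Review bot: The server-side `sainfo anonymous` block of the Roadwarrior racoon.conf is never closed — `compression_algorithm deflate;` is followed directly by the `client-site:` heading — so racoon should reject the file at parse time; add `}` after that line (the client's `sainfo anonymous` block at the end of the hunk is closed correctly). The server's setkey.sh still installs policies for `2001:6f8:1044::1` while the same host's racoon.conf listens on, and is addressed by the client as, `2001:6f8:900:8a6::2`; unless these are two different machines, one of the two listings is stale. `remote anonymous` with `ca_type x509 "cacert.cert"` and `generate_policy on` accepts every certificate chained to that CA with no `peers_identifier` restriction, and the `esp/transport//use` policies let a peer that does not negotiate IPsec talk in the clear — both match what the text asks for, but a one-line comment next to each would keep the next reader from treating them as oversights. `dh_group 2` (MODP-1024) and SHA-1 reflect the 2009 date of the page; a current deployment would prefer `dh_group 14` or larger.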
Aktuelle Version vom 22. Juli 2009, 10:58 Uhr
beispielconfig fuer ipsec/ipv6
benoetigte pakete:
- ipsec-tools - racoon (evtl schon in ipsec-tools enthalten)
Update: Dem racoon-Paket liegt noch ein weiteres Tool, racoon-tool, bei. Damit lassen sich die ewig langen Configdateien auf ein Minimum zurechtstutzen. Beispiel für eine PSK-Transport-Config:
file: /etc/racoon/racoon-tool.conf
# racoon-tool.conf: PSK transport-mode example. "bezeichner", loc-IP and
# remote-IP are placeholders; the peer block keys on the remote address.
connection(bezeichner):
    src_ip: loc-IP
    dst_ip: remote-IP
    authentication_algorithm: hmac_sha1
    admin_status: yes
peer(remote-IP):
    # both sides initiate (passive:off) and check the peer's identifier
    passive:off
    verify_identifier: on
    lifetime: time 30 min
    hash_algorithm[0]: sha1
    encryption_algorithm[0]: aes
    my_identifier: address loc-IP
    peers_identifier: address remote-IP
Das Gleiche mit getauschten IPs auf dem remote-Host und dann per 'racoon-tool start' anwenden. Fertig.
mode: transport keys: preshared
file: psk.txt desc: enthaelt preshared keys host: A und B
# /etc/racoon/psk.txt
# IPv4/v6 addresses
# NOTE(review): "secret" is a placeholder key; use a long random value,
# identical on A and B, and keep this file readable by root only.
2001:6f8:1044::1 secret
2001:6f8:1044::2 secret
#10.160.94.3 mekmitasdigoat
#172.16.1.133 0x12345678
#194.100.55.1 whatcertificatereally
#3ffe:501:410:ffff:200:86ff:fe05:80fa mekmitasdigoat
#3ffe:501:410:ffff:210:4bff:fea2:8baa mekmitasdigoat
# USER_FQDN
#foo@kame.net mekmitasdigoat
# FQDN
#foo.kame.net hoge
file: setkey.txt desc: shellscript to set up spd-policies host: A
#!/usr/sbin/setkey -f
# host A: clear SAD and SPD, then require ESP in transport mode for all
# traffic between A (::1) and B (::2); unprotected packets are dropped.
flush;
spdflush;
spdadd 2001:6f8:1044::1 2001:6f8:1044::2 any -P out ipsec esp/transport//require;
spdadd 2001:6f8:1044::2 2001:6f8:1044::1 any -P in ipsec esp/transport//require;
file: setkey.txt desc: shellscript to set up spd-policies host: B
#!/usr/sbin/setkey -f
# host B: mirror of host A's policy — the A->B pair is inbound here and
# the B->A pair outbound; ESP transport mode is required in both directions.
flush;
spdflush;
spdadd 2001:6f8:1044::1 2001:6f8:1044::2 any -P in ipsec esp/transport//require;
spdadd 2001:6f8:1044::2 2001:6f8:1044::1 any -P out ipsec esp/transport//require;
file: racoon.conf desc: racoon config for host A - preshared keys host: A
# racoon.conf, host A, pre-shared keys.
# Phase 1: main mode, PSK, AES/SHA-1, DH group 2, 24 h lifetime.
# Phase 2: ESP AES with HMAC-SHA1 and deflate, 1 h lifetime.
path include "/etc/racoon";
path pre_shared_key "/etc/racoon/psk.txt";
#path certificate "/etc/racoon/certs";
listen
{
    isakmp 2001:6f8:1044::1;
}
remote 2001:6f8:1044::2
{
    exchange_mode main;
    # certificate lines are kept commented out for the certs variant below
    # my_identifier asn1dn;
    # peers_identifier asn1dn;
    # certificate_type x509 "host-A-cert.pem" "host-A-key.pem";
    # peers_certfile x509 "host-B-cert.pem";
    lifetime time 24 hour;
    proposal
    {
        encryption_algorithm aes;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        # authentication_method rsasig;
        dh_group 2;
    }
}
sainfo address 2001:6f8:1044::1 any address 2001:6f8:1044::2 any
{
    lifetime time 1 hour;
    encryption_algorithm aes;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
}
sainfo address 2001:6f8:1044::2 any address 2001:6f8:1044::1 any
{
    lifetime time 1 hour;
    encryption_algorithm aes;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
}
file: racoon.conf
desc: racoon config for host B - preshared keys
host: B
# racoon.conf, host B, pre-shared keys.
# Same parameters as host A; only the local (listen) and remote addresses
# are swapped. The commented-out lines are host A's values, left for reference.
path include "/etc/racoon";
path pre_shared_key "/etc/racoon/psk.txt";
#path certificate "/etc/racoon/certs";
listen
{
    # isakmp 2001:6f8:1044::1;
    isakmp 2001:6f8:1044::2;
}
#remote 2001:6f8:1044::2
remote 2001:6f8:1044::1
{
    exchange_mode main;
    # my_identifier asn1dn;
    # peers_identifier asn1dn;
    # certificate_type x509 "host-B-cert.pem" "host-B-key.pem";
    # peers_certfile x509 "host-A-cert.pem";
    lifetime time 24 hour;
    proposal
    {
        encryption_algorithm aes;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        # authentication_method rsasig;
        dh_group 2;
    }
}
sainfo address 2001:6f8:1044::1 any address 2001:6f8:1044::2 any
{
    lifetime time 1 hour;
    encryption_algorithm aes;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
}
sainfo address 2001:6f8:1044::2 any address 2001:6f8:1044::1 any
{
    lifetime time 1 hour;
    encryption_algorithm aes;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
}
mode: transport keys: certificate
desc: only change racoon.conf
file: racoon.conf
desc: racoon config for host A - certs
host: A
# racoon.conf, host A, X.509 certificates.
# Differences from the PSK variant: psk path commented out, certificate path
# enabled, ASN.1 DN identifiers, own cert/key and the peer's cert named
# explicitly, authentication_method rsasig.
path include "/etc/racoon";
#path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";
listen
{
    isakmp 2001:6f8:1044::1;
}
remote 2001:6f8:1044::2
{
    exchange_mode main;
    my_identifier asn1dn;
    peers_identifier asn1dn;
    certificate_type x509 "host-A-cert.pem" "host-A-key.pem";
    peers_certfile x509 "host-B-cert.pem";
    lifetime time 24 hour;
    proposal
    {
        encryption_algorithm aes;
        hash_algorithm sha1;
        # authentication_method pre_shared_key;
        authentication_method rsasig;
        dh_group 2;
    }
}
sainfo address 2001:6f8:1044::1 any address 2001:6f8:1044::2 any
{
    lifetime time 1 hour;
    encryption_algorithm aes;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
}
sainfo address 2001:6f8:1044::2 any address 2001:6f8:1044::1 any
{
    lifetime time 1 hour;
    encryption_algorithm aes;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
}
file: racoon.conf
desc: racoon config for host B - certs
host: B
# racoon.conf, host B, X.509 certificates.
# Mirror of host A's certs config: addresses swapped, host B's own cert/key
# and host A's cert referenced. Commented-out lines are host A's values.
path include "/etc/racoon";
#path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";
listen
{
    # isakmp 2001:6f8:1044::1;
    isakmp 2001:6f8:1044::2;
}
#remote 2001:6f8:1044::2
remote 2001:6f8:1044::1
{
    exchange_mode main;
    my_identifier asn1dn;
    peers_identifier asn1dn;
    certificate_type x509 "host-B-cert.pem" "host-B-key.pem";
    peers_certfile x509 "host-A-cert.pem";
    lifetime time 24 hour;
    proposal
    {
        encryption_algorithm aes;
        hash_algorithm sha1;
        # authentication_method pre_shared_key;
        authentication_method rsasig;
        dh_group 2;
    }
}
sainfo address 2001:6f8:1044::1 any address 2001:6f8:1044::2 any
{
    lifetime time 1 hour;
    encryption_algorithm aes;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
}
sainfo address 2001:6f8:1044::2 any address 2001:6f8:1044::1 any
{
    lifetime time 1 hour;
    encryption_algorithm aes;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
}
Roadwarrior-Config:
Ziel: Verbindung von beliebigem Client (zb dynIP) zu Server
Serversite:
setkey.sh: - destIP in Bereich (::/0) geaendert; level von 'require' nach 'use', damit Hosts ohne IPsec auch verbinden koennen
#!/usr/sbin/setkey -f
# Roadwarrior server: policies cover any peer (::/0). Level "use" means ESP is
# applied when an SA exists but traffic is also passed in the clear otherwise,
# so clients without IPsec can still connect (downgrade is accepted by design).
# NOTE(review): the address here (2001:6f8:1044::1) differs from the listen
# address in the server racoon.conf (2001:6f8:900:8a6::2) — confirm which is current.
flush;
spdflush;
spdadd 2001:6f8:1044::1 ::/0 any -P out ipsec esp/transport//use;
spdadd ::/0 2001:6f8:1044::1 any -P in ipsec esp/transport//use;
racoon.conf: - statt fester IPs der Client-Seite nun "anonymous"; ausserdem auf 'passive', damit der Server nicht selbst versucht, eine Verbindung herzustellen, sondern nur auf eingehende antwortet
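#/etc/racoon/racoon.conf
# Roadwarrior server. "remote anonymous" accepts any peer whose certificate
# chains to cacert.cert (no peers_identifier restriction); passive on, so the
# server only answers and never initiates. Fix: the sainfo block below was
# missing its closing brace, which makes racoon reject the whole file.
path include "/etc/racoon";
#path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";
listen
{
    isakmp 2001:6f8:900:8a6::2;
}
remote anonymous
{
    exchange_mode aggressive,main,base;
    my_identifier asn1dn;
    certificate_type x509 "host-A-cert.pem" "host-A-key.pem";
    ca_type x509 "cacert.cert";
    passive on;
    # SPD entries for the dialled-in client are derived from its phase-2 proposal
    generate_policy on;
    proposal {
        encryption_algorithm aes;
        hash_algorithm sha1;
        authentication_method rsasig;
        dh_group 2;
        lifetime time 24 hour;
    }
}
sainfo anonymous
{
    pfs_group 2;
    encryption_algorithm aes;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
    # closing brace was missing in the original listing
}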
client-site:
setkey.conf: kann so bleiben, evtl noch vereinfachbar
#!/usr/sbin/setkey -f
# Roadwarrior client: fixed policies between the client's own address and the
# server; ESP transport mode is required in both directions.
flush;
spdflush;
spdadd 2001:6f8:900:8a6::2 2001:6f8:1044::211:2fff:febe:666a any -P in ipsec esp/transport//require;
spdadd 2001:6f8:1044::211:2fff:febe:666a 2001:6f8:900:8a6::2 any -P out ipsec esp/transport//require;
racoon.conf:
#/etc/racoon/racoon.conf
# Roadwarrior client: talks to one fixed server address with X.509
# certificates (rsasig); the server's certificate is pinned via peers_certfile.
path include "/etc/racoon";
path certificate "/etc/racoon/certs";
listen
{
    isakmp 2001:6f8:1044::211:2fff:febe:666a;
}
remote 2001:6f8:900:8a6::2
{
    exchange_mode aggressive,main,base;
    my_identifier asn1dn;
    peers_identifier asn1dn;
    certificate_type x509 "host-B-cert.pem" "host-B-key.pem";
    peers_certfile x509 "host-A-cert.pem";
    lifetime time 24 hour;
    proposal
    {
        encryption_algorithm aes;
        hash_algorithm sha1;
        authentication_method rsasig;
        dh_group 2;
    }
}
sainfo anonymous
{
    pfs_group 2;
    encryption_algorithm aes;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
}