Benutzer:Zim/ip6sec: Unterschied zwischen den Versionen
Zim (Diskussion | Beiträge) (dateinamen verallgemeinert) |
Zim (Diskussion | Beiträge) (code formatiert) |
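--- a/Benutzer:Zim/ip6sec
+++ b/Benutzer:Zim/ip6sec
@@ -12,14 +12,14 @@
 host: A und B
-# /etc/racoon/psk.txt
-# IPv4/v6 addresses
-2001:6f8:1044:0:211:2fff:febe:666a secret
-#10.160.94.3 mekmitasdigoat
-#172.16.1.133 0x12345678
-#194.100.55.1 whatcertificatereally
-#3ffe:501:410:ffff:200:86ff:fe05:80fa mekmitasdigoat
-#3ffe:501:410:ffff:210:4bff:fea2:8baa mekmitasdigoat
-# USER_FQDN
-#foo@kame.net mekmitasdigoat
-# FQDN
-#foo.kame.net hoge
+# /etc/racoon/psk.txt
+# IPv4/v6 addresses
+2001:6f8:1044:0:211:2fff:febe:666a secret
+#10.160.94.3 mekmitasdigoat
+#172.16.1.133 0x12345678
+#194.100.55.1 whatcertificatereally
+#3ffe:501:410:ffff:200:86ff:fe05:80fa mekmitasdigoat
+#3ffe:501:410:ffff:210:4bff:fea2:8baa mekmitasdigoat
+# USER_FQDN
+#foo@kame.net mekmitasdigoat
+# FQDN
+#foo.kame.net hoge
 file: setkey.txt
@@ -29,7 +29,7 @@
 host: A
-#!/usr/sbin/setkey -f
-flush;
-spdflush;
-spdadd 2001:6f8:900:8a6::2 2001:6f8:1044::211:2fff:febe:666a any -P out ipsec esp/transport//require;
-spdadd 2001:6f8:1044::211:2fff:febe:666a 2001:6f8:900:8a6::2 any -P in ipsec esp/transport//require;
+#!/usr/sbin/setkey -f
+flush;
+spdflush;
+spdadd 2001:6f8:900:8a6::2 2001:6f8:1044::211:2fff:febe:666a any -P out ipsec esp/transport//require;
+spdadd 2001:6f8:1044::211:2fff:febe:666a 2001:6f8:900:8a6::2 any -P in ipsec esp/transport//require;
 file: setkey.txt
@@ -39,7 +39,7 @@
 host: B
-#!/usr/sbin/setkey -f
-flush;
-spdflush;
-spdadd 2001:6f8:900:8a6::2 2001:6f8:1044::211:2fff:febe:666a any -P in ipsec esp/transport//require;
-spdadd 2001:6f8:1044::211:2fff:febe:666a 2001:6f8:900:8a6::2 any -P out ipsec esp/transport//require;
+#!/usr/sbin/setkey -f
+flush;
+spdflush;
+spdadd 2001:6f8:900:8a6::2 2001:6f8:1044::211:2fff:febe:666a any -P in ipsec esp/transport//require;
+spdadd 2001:6f8:1044::211:2fff:febe:666a 2001:6f8:900:8a6::2 any -P out ipsec esp/transport//require;
 file: racoon.conf
@@ -49,17 +49,17 @@
 host: A
-#
-path include "/etc/racoon";
-path pre_shared_key "/etc/racoon/psk.txt";
-#path certificate "/etc/racoon/certs";
-listen
-{
+#
+path include "/etc/racoon";
+path pre_shared_key "/etc/racoon/psk.txt";
+#path certificate "/etc/racoon/certs";
+listen
+{
 isakmp 2001:6f8:900:8a6::2;
-}
-remote 2001:6f8:1044::211:2fff:febe:666a
-{
+}
+remote 2001:6f8:1044::211:2fff:febe:666a
+{
 exchange_mode main;
-# my_identifier asn1dn;
-# peers_identifier asn1dn;
-# certificate_type x509 "host-A-cert.pem" "host-A-key.pem";
-# peers_certfile x509 "host-B-cert.pem";
+# my_identifier asn1dn;
+# peers_identifier asn1dn;
+# certificate_type x509 "host-A-cert.pem" "host-A-key.pem";
+# peers_certfile x509 "host-B-cert.pem";
 lifetime time 24 hour;
@@ -74,6 +74,6 @@
 hash_algorithm md5;
 authentication_method pre_shared_key;
-# authentication_method rsasig;
+# authentication_method rsasig;
 dh_group 2;
 }
-}
+}
@@ -84,19 +84,19 @@
 host: B
-#
-path include "/etc/racoon";
-path pre_shared_key "/etc/racoon/psk.txt";
-#path certificate "/etc/racoon/certs";
-listen
-{
-# isakmp 2001:6f8:900:8a6::2;
+#
+path include "/etc/racoon";
+path pre_shared_key "/etc/racoon/psk.txt";
+#path certificate "/etc/racoon/certs";
+listen
+{
+# isakmp 2001:6f8:900:8a6::2;
 isakmp 2001:6f8:1044::211:2fff:febe:666a;
-}
-#remote 2001:6f8:1044::211:2fff:febe:666a
-remote 2001:6f8:900:8a6::2
-{
+}
+#remote 2001:6f8:1044::211:2fff:febe:666a
+remote 2001:6f8:900:8a6::2
+{
 exchange_mode main;
-# my_identifier asn1dn;
-# peers_identifier asn1dn;
-# certificate_type x509 "host-B-cert.pem" "host-B-key.pem";
-# peers_certfile x509 "host-A-cert.pem";
+# my_identifier asn1dn;
+# peers_identifier asn1dn;
+# certificate_type x509 "host-B-cert.pem" "host-B-key.pem";
+# peers_certfile x509 "host-A-cert.pem";
 lifetime time 24 hour;
@@ -111,6 +111,6 @@
 hash_algorithm md5;
 authentication_method pre_shared_key;
-# authentication_method rsasig;
+# authentication_method rsasig;
 dh_group 2;
 }
-}
+}
@@ -127,13 +127,13 @@
 host: A
-#
-path include "/etc/racoon";
-#path pre_shared_key "/etc/racoon/psk.txt";
-path certificate "/etc/racoon/certs";
-listen
-{
+#
+path include "/etc/racoon";
+#path pre_shared_key "/etc/racoon/psk.txt";
+path certificate "/etc/racoon/certs";
+listen
+{
 isakmp 2001:6f8:900:8a6::2;
-}
-remote 2001:6f8:1044::211:2fff:febe:666a
-{
+}
+remote 2001:6f8:1044::211:2fff:febe:666a
+{
 exchange_mode main;
 my_identifier asn1dn;
@@ -151,7 +151,7 @@
 encryption_algorithm 3des;
 hash_algorithm md5;
-# authentication_method pre_shared_key;
+# authentication_method pre_shared_key;
 authentication_method rsasig;
 dh_group 2;
 }
-}
+}
@@ -162,15 +162,15 @@
 host: B
-#
-path include "/etc/racoon";
-#path pre_shared_key "/etc/racoon/psk.txt";
-path certificate "/etc/racoon/certs";
-listen
-{
-# isakmp 2001:6f8:900:8a6::2;
+#
+path include "/etc/racoon";
+#path pre_shared_key "/etc/racoon/psk.txt";
+path certificate "/etc/racoon/certs";
+listen
+{
+# isakmp 2001:6f8:900:8a6::2;
 isakmp 2001:6f8:1044::211:2fff:febe:666a;
-}
-#remote 2001:6f8:1044::211:2fff:febe:666a
-remote 2001:6f8:900:8a6::2
-{
+}
+#remote 2001:6f8:1044::211:2fff:febe:666a
+remote 2001:6f8:900:8a6::2
+{
 exchange_mode main;
 my_identifier asn1dn;
@@ -188,7 +188,7 @@
 encryption_algorithm 3des;
 hash_algorithm md5;
-# authentication_method pre_shared_key;
+# authentication_method pre_shared_key;
 authentication_method rsasig;
 dh_group 2;
 }
-}
+}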
Version vom 8. Februar 2009, 16:38 Uhr
Beispielkonfiguration für IPsec (ESP im Transport-Modus) über IPv6 zwischen zwei Hosts A und B, einmal mit Preshared Key und einmal mit X.509-Zertifikaten.
Benötigte Pakete: ipsec-tools (liefert setkey) und racoon (je nach Distribution bereits im Paket ipsec-tools enthalten).
mode: transport keys: preshared
file: psk.txt desc: enthält die Preshared Keys; die Datei muss root gehören und die Rechte 0600 haben. racoon sucht den Schlüssel anhand der Kennung (hier: der Adresse) der Gegenstelle, daher braucht eine auf beiden Hosts identische Datei je einen Eintrag für A und für B. host: A und B
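# /etc/racoon/psk.txt
#
# Pre-shared keys for racoon, one "<identifier> <key>" pair per line.
# racoon looks the key up by the identifier of the *remote* peer (in main
# mode with pre_shared_key that is the peer's IP address). A file that is
# copied unchanged to both hosts therefore needs an entry for each of them:
# host A uses the line carrying B's address, host B the line carrying A's.
# The original example only listed B's address, so racoon on B could not
# find a key for A.
#
# The file must be owned by root and readable by root only (chmod 600);
# racoon is documented to refuse a key file that other users can read.
# Use a long random secret (e.g. "openssl rand -base64 32"), never a word
# like "secret". Both lines below must carry the same value: it is the one
# shared secret of the A<->B pair.
#
# IPv4/v6 addresses
2001:6f8:1044:0:211:2fff:febe:666a REPLACE-WITH-LONG-RANDOM-SECRET
2001:6f8:900:8a6::2 REPLACE-WITH-LONG-RANDOM-SECRET
#10.160.94.3 mekmitasdigoat
#172.16.1.133 0x12345678
#194.100.55.1 whatcertificatereally
#3ffe:501:410:ffff:200:86ff:fe05:80fa mekmitasdigoat
#3ffe:501:410:ffff:210:4bff:fea2:8baa mekmitasdigoat
# USER_FQDN
#foo@kame.net mekmitasdigoat
# FQDN
#foo.kame.net hoge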
file: setkey.txt desc: shellscript to set up spd-policies host: A
#!/usr/sbin/setkey -f
# Host A: security policy (SPD) for ESP transport mode between A and B.
# "flush" removes every SA and "spdflush" every policy on this host --
# do not run this on a machine that already carries other IPsec traffic.
flush;
spdflush;
# Level "require": packets to/from B are dropped until racoon has negotiated
# an SA, i.e. the policy fails closed. ESP only, no AH.
spdadd 2001:6f8:900:8a6::2 2001:6f8:1044::211:2fff:febe:666a any -P out ipsec esp/transport//require;
spdadd 2001:6f8:1044::211:2fff:febe:666a 2001:6f8:900:8a6::2 any -P in ipsec esp/transport//require;
file: setkey.txt desc: shellscript to set up spd-policies host: B
#!/usr/sbin/setkey -f
# Host B: security policy (SPD) for ESP transport mode between A and B.
# Mirror image of A's policy: the A->B direction is "in" here, B->A "out".
# "flush" removes every SA and "spdflush" every policy on this host --
# do not run this on a machine that already carries other IPsec traffic.
flush;
spdflush;
# Level "require": packets to/from A are dropped until racoon has negotiated
# an SA, i.e. the policy fails closed. ESP only, no AH.
spdadd 2001:6f8:900:8a6::2 2001:6f8:1044::211:2fff:febe:666a any -P in ipsec esp/transport//require;
spdadd 2001:6f8:1044::211:2fff:febe:666a 2001:6f8:900:8a6::2 any -P out ipsec esp/transport//require;
file: racoon.conf desc: host: A
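# /etc/racoon/racoon.conf -- host A, IPv6 transport mode, pre-shared key.
#
# Security notes:
#  - The phase 1 proposal uses AES-256 / SHA-256 / DH group 14 (2048-bit
#    MODP) instead of the original 3DES / MD5 / DH group 2 (1024-bit MODP),
#    all three of which are deprecated. Host B must carry exactly the same
#    proposal, otherwise phase 1 does not negotiate. sha256 and dh_group 14
#    need ipsec-tools 0.7 or newer; on an older racoon use sha1, not md5.
#  - exchange_mode main is kept on purpose: aggressive mode sends a hash of
#    the PSK in the clear, which can be brute-forced offline.
#  - psk.txt must be root-owned and mode 0600 and must contain an entry for
#    the peer's address (B's address on this host).
#  - NOTE(review): no sainfo block is shown on this page; racoon needs a
#    matching sainfo (e.g. "sainfo anonymous { ... }") for phase 2 --
#    confirm the rest of the file.
path include "/etc/racoon";
path pre_shared_key "/etc/racoon/psk.txt";
#path certificate "/etc/racoon/certs";

listen
{
    isakmp 2001:6f8:900:8a6::2;              # A's own address, UDP/500
}

remote 2001:6f8:1044::211:2fff:febe:666a     # host B
{
    exchange_mode main;
    # my_identifier asn1dn;
    # peers_identifier asn1dn;
    # certificate_type x509 "host-A-cert.pem" "host-A-key.pem";
    # peers_certfile x509 "host-B-cert.pem";
    lifetime time 24 hour;
    proposal
    {
        encryption_algorithm aes 256;
        hash_algorithm sha256;
        authentication_method pre_shared_key;
        # authentication_method rsasig;
        dh_group 14;
    }
}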
file: racoon.conf
desc:
host: B
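# /etc/racoon/racoon.conf -- host B, IPv6 transport mode, pre-shared key.
# Mirror image of host A's file: own address in "listen", A's address in
# "remote".
#
# Security notes:
#  - The phase 1 proposal uses AES-256 / SHA-256 / DH group 14 (2048-bit
#    MODP) instead of the original 3DES / MD5 / DH group 2 (1024-bit MODP),
#    all three of which are deprecated. Host A must carry exactly the same
#    proposal, otherwise phase 1 does not negotiate. sha256 and dh_group 14
#    need ipsec-tools 0.7 or newer; on an older racoon use sha1, not md5.
#  - exchange_mode main is kept on purpose: aggressive mode sends a hash of
#    the PSK in the clear, which can be brute-forced offline.
#  - psk.txt must be root-owned and mode 0600 and must contain an entry for
#    the peer's address (A's address 2001:6f8:900:8a6::2 on this host).
#  - NOTE(review): no sainfo block is shown on this page; racoon needs a
#    matching sainfo (e.g. "sainfo anonymous { ... }") for phase 2 --
#    confirm the rest of the file.
path include "/etc/racoon";
path pre_shared_key "/etc/racoon/psk.txt";
#path certificate "/etc/racoon/certs";

listen
{
    isakmp 2001:6f8:1044::211:2fff:febe:666a;   # B's own address, UDP/500
}

remote 2001:6f8:900:8a6::2                      # host A
{
    exchange_mode main;
    # my_identifier asn1dn;
    # peers_identifier asn1dn;
    # certificate_type x509 "host-B-cert.pem" "host-B-key.pem";
    # peers_certfile x509 "host-A-cert.pem";
    lifetime time 24 hour;
    proposal
    {
        encryption_algorithm aes 256;
        hash_algorithm sha256;
        authentication_method pre_shared_key;
        # authentication_method rsasig;
        dh_group 14;
    }
}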
mode: transport
keys: certificate
desc: gegenüber der PSK-Variante ändert sich nur racoon.conf; setkey.txt bleibt gleich, psk.txt wird nicht mehr benötigt.
file: racoon.conf
desc:
host: A
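# /etc/racoon/racoon.conf -- host A, IPv6 transport mode, X.509 certificates.
#
# Security notes:
#  - The phase 1 proposal uses AES-256 / SHA-256 / DH group 14 instead of the
#    original 3DES / MD5 / DH group 2, all three of which are deprecated.
#    Host B must carry exactly the same proposal. sha256 and dh_group 14
#    need ipsec-tools 0.7 or newer; on an older racoon use sha1, not md5.
#  - host-A-key.pem (the private key, relative to "path certificate") must
#    be readable by root only.
#  - With peers_certfile racoon is documented to use the certificate from
#    that file rather than the one the peer sends. racoon's default
#    verify_cert on still validates it against the CA certificates under
#    "path certificate", so the CA certificate has to be present there with
#    its hash symlink (openssl c_rehash) -- TODO confirm for the racoon
#    version in use. Do not work around a failing check with verify_cert off.
#  - NOTE(review): no sainfo block is shown on this page; racoon needs a
#    matching sainfo for phase 2 -- confirm the rest of the file.
path include "/etc/racoon";
#path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";

listen
{
    isakmp 2001:6f8:900:8a6::2;              # A's own address, UDP/500
}

remote 2001:6f8:1044::211:2fff:febe:666a     # host B
{
    exchange_mode main;
    my_identifier asn1dn;
    peers_identifier asn1dn;
    certificate_type x509 "host-A-cert.pem" "host-A-key.pem";
    peers_certfile x509 "host-B-cert.pem";
    lifetime time 24 hour;
    proposal
    {
        encryption_algorithm aes 256;
        hash_algorithm sha256;
        # authentication_method pre_shared_key;
        authentication_method rsasig;
        dh_group 14;
    }
}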
file: racoon.conf
desc:
host: B
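# /etc/racoon/racoon.conf -- host B, IPv6 transport mode, X.509 certificates.
# Mirror image of host A's file: own address in "listen", A's address in
# "remote", own certificate/key and A's certificate in the remote block.
#
# Security notes:
#  - The phase 1 proposal uses AES-256 / SHA-256 / DH group 14 instead of the
#    original 3DES / MD5 / DH group 2, all three of which are deprecated.
#    Host A must carry exactly the same proposal. sha256 and dh_group 14
#    need ipsec-tools 0.7 or newer; on an older racoon use sha1, not md5.
#  - host-B-key.pem (the private key, relative to "path certificate") must
#    be readable by root only.
#  - With peers_certfile racoon is documented to use the certificate from
#    that file rather than the one the peer sends. racoon's default
#    verify_cert on still validates it against the CA certificates under
#    "path certificate", so the CA certificate has to be present there with
#    its hash symlink (openssl c_rehash) -- TODO confirm for the racoon
#    version in use. Do not work around a failing check with verify_cert off.
#  - NOTE(review): no sainfo block is shown on this page; racoon needs a
#    matching sainfo for phase 2 -- confirm the rest of the file.
path include "/etc/racoon";
#path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";

listen
{
    isakmp 2001:6f8:1044::211:2fff:febe:666a;   # B's own address, UDP/500
}

remote 2001:6f8:900:8a6::2                      # host A
{
    exchange_mode main;
    my_identifier asn1dn;
    peers_identifier asn1dn;
    certificate_type x509 "host-B-cert.pem" "host-B-key.pem";
    peers_certfile x509 "host-A-cert.pem";
    lifetime time 24 hour;
    proposal
    {
        encryption_algorithm aes 256;
        hash_algorithm sha256;
        # authentication_method pre_shared_key;
        authentication_method rsasig;
        dh_group 14;
    }
}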