Benutzer:Zim/ip6sec
Beispielkonfiguration für IPsec über IPv6 (racoon / ipsec-tools, Transport-Modus)
Benötigte Pakete: ipsec-tools, racoon (evtl. schon in ipsec-tools enthalten)
mode: transport; keys: preshared key (PSK)
file: psk.txt; desc: enthält die Preshared Keys; host: A und B
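# /etc/racoon/psk.txt
# Pre-shared keys for racoon: one "<peer identifier> <key>" pair per line,
# separated by whitespace; lines starting with '#' are ignored.
# Keys are looked up by the peer's identifier; with no my_identifier /
# peers_identifier set in racoon.conf that is the peer's IPv6 address.
# NOTE(review): racoon refuses a psk file that is readable by anyone but its
# owner -- keep this file root-owned with mode 0600 (confirm in racoon.conf(5)).
# NOTE(review): this file is described as shared by hosts A and B, but it only
# lists host B's address. On host B the peer identifier is 2001:6f8:900:8a6::2,
# which has no entry here -- confirm whether B needs its own psk.txt.
# IPv4/v6 addresses
# "secret" is a placeholder carried over from the example; replace it with a
# long random value, identical on both peers, before use.
2001:6f8:1044:0:211:2fff:febe:666a secret
# The commented entries below appear to be the sample entries from racoon's
# example psk.txt; they are kept disabled.
# 10.160.94.3 mekmitasdigoat
# 172.16.1.133 0x12345678
# 194.100.55.1 whatcertificatereally
# 3ffe:501:410:ffff:200:86ff:fe05:80fa mekmitasdigoat
# 3ffe:501:410:ffff:210:4bff:fea2:8baa mekmitasdigoat
# USER_FQDN
# foo@kame.net mekmitasdigoat
# FQDN
# foo.kame.net hoge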
file: setkey.txt; desc: setkey script (setkey -f) that installs the SPD policies; host: A
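#!/usr/sbin/setkey -f
# Host A (2001:6f8:900:8a6::2): security policy database (SPD) entries.
# Every packet exchanged with host B (2001:6f8:1044::211:2fff:febe:666a) must
# be protected by ESP in transport mode ("require": nothing matching these
# policies is sent or accepted in the clear). The SAs themselves are
# negotiated by racoon, which these policies trigger on demand.
# Drop existing SAs and policies first so the script can be re-run safely.
flush;
spdflush;
# Outbound: A -> B
spdadd 2001:6f8:900:8a6::2 2001:6f8:1044::211:2fff:febe:666a any -P out ipsec esp/transport//require;
# Inbound: B -> A
spdadd 2001:6f8:1044::211:2fff:febe:666a 2001:6f8:900:8a6::2 any -P in ipsec esp/transport//require;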
file: setkey.txt; desc: setkey script (setkey -f) that installs the SPD policies; host: B
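#!/usr/sbin/setkey -f
# Host B (2001:6f8:1044::211:2fff:febe:666a): security policy database (SPD)
# entries, the mirror image of host A's script -- only the in/out direction
# of the two policies is swapped.
# Every packet exchanged with host A (2001:6f8:900:8a6::2) must be protected
# by ESP in transport mode ("require": nothing matching these policies is sent
# or accepted in the clear). The SAs are negotiated by racoon on demand.
# Drop existing SAs and policies first so the script can be re-run safely.
flush;
spdflush;
# Inbound: A -> B
spdadd 2001:6f8:900:8a6::2 2001:6f8:1044::211:2fff:febe:666a any -P in ipsec esp/transport//require;
# Outbound: B -> A
spdadd 2001:6f8:1044::211:2fff:febe:666a 2001:6f8:900:8a6::2 any -P out ipsec esp/transport//require;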
file: racoon.conf; host: A (preshared key)
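# /etc/racoon/racoon.conf -- host A (2001:6f8:900:8a6::2), pre-shared-key variant.
# The lines needed for certificate authentication are kept but commented out;
# the certificate variant of this file enables them instead.
# Directory searched by "include" statements.
path include "/etc/racoon";
# Keys for authentication_method pre_shared_key (see psk.txt).
path pre_shared_key "/etc/racoon/psk.txt";
# path certificate "/etc/racoon/certs";

listen {
	# Only accept ISAKMP (UDP 500) on host A's own address.
	isakmp 2001:6f8:900:8a6::2;
}

# Phase 1 (ISAKMP SA) parameters for peer B.
remote 2001:6f8:1044::211:2fff:febe:666a {
	# Main mode exchanges identities only after the DH exchange (unlike
	# aggressive mode).
	exchange_mode main;
	# my_identifier asn1dn;
	# peers_identifier asn1dn;
	# certificate_type x509 "re01.dyndns.org-cert.pem" "re01.dyndns.org-key.pem";
	# peers_certfile x509 "ramiel-cert.pem";
	# Lifetime of the phase 1 SA.
	lifetime time 24 hour;
	proposal {
		# NOTE(review): 3des / md5 / dh_group 2 (modp1024) are legacy choices
		# kept from the original example; racoon also accepts e.g. aes,
		# sha256 and dh_group 14 -- confirm against racoon.conf(5) before
		# changing, as both peers must offer a matching proposal.
		encryption_algorithm 3des;
		hash_algorithm md5;
		authentication_method pre_shared_key;
		# authentication_method rsasig;
		dh_group 2;
	}
}

# NOTE(review): no sainfo block (phase 2 / IPsec SA parameters) is shown here;
# racoon needs one, e.g. "sainfo anonymous { ... }", for phase 2 to succeed --
# confirm whether it is provided in another file.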
file: racoon.conf; host: B (preshared key)
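# /etc/racoon/racoon.conf -- host B (2001:6f8:1044::211:2fff:febe:666a),
# pre-shared-key variant. Mirror of host A's file: the listen address and the
# remote address are swapped; the commented-out address lines appear to be
# left over from host A's copy.
# Directory searched by "include" statements.
path include "/etc/racoon";
# Keys for authentication_method pre_shared_key (see psk.txt).
path pre_shared_key "/etc/racoon/psk.txt";
# path certificate "/etc/racoon/certs";

listen {
	# Only accept ISAKMP (UDP 500) on host B's own address.
	# isakmp 2001:6f8:900:8a6::2;
	isakmp 2001:6f8:1044::211:2fff:febe:666a;
}

# Phase 1 (ISAKMP SA) parameters for peer A.
# remote 2001:6f8:1044::211:2fff:febe:666a
remote 2001:6f8:900:8a6::2 {
	# Main mode exchanges identities only after the DH exchange (unlike
	# aggressive mode).
	exchange_mode main;
	# my_identifier asn1dn;
	# peers_identifier asn1dn;
	# certificate_type x509 "ramiel-cert.pem" "ramiel-key.pem";
	# peers_certfile x509 "re01.dyndns.org-cert.pem";
	# Lifetime of the phase 1 SA.
	lifetime time 24 hour;
	proposal {
		# NOTE(review): 3des / md5 / dh_group 2 (modp1024) are legacy choices
		# kept from the original example; racoon also accepts e.g. aes,
		# sha256 and dh_group 14 -- confirm against racoon.conf(5) before
		# changing, as both peers must offer a matching proposal.
		encryption_algorithm 3des;
		hash_algorithm md5;
		authentication_method pre_shared_key;
		# authentication_method rsasig;
		dh_group 2;
	}
}

# NOTE(review): no sainfo block (phase 2 / IPsec SA parameters) is shown here;
# racoon needs one, e.g. "sainfo anonymous { ... }", for phase 2 to succeed --
# confirm whether it is provided in another file.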
mode: transport; keys: certificate (X.509); desc: only racoon.conf changes compared to the preshared-key variant
file: racoon.conf; host: A (certificate)
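# /etc/racoon/racoon.conf -- host A (2001:6f8:900:8a6::2), certificate variant.
# Same as the pre-shared-key file except that the X.509 lines are enabled and
# the pre-shared-key lines are commented out.
# Directory searched by "include" statements.
path include "/etc/racoon";
# path pre_shared_key "/etc/racoon/psk.txt";
# Directory that the certificate and key file names below are resolved against.
path certificate "/etc/racoon/certs";

listen {
	# Only accept ISAKMP (UDP 500) on host A's own address.
	isakmp 2001:6f8:900:8a6::2;
}

# Phase 1 (ISAKMP SA) parameters for peer B.
remote 2001:6f8:1044::211:2fff:febe:666a {
	# Main mode exchanges identities only after the DH exchange (unlike
	# aggressive mode).
	exchange_mode main;
	# Both sides identify themselves by the subject DN of their certificate.
	my_identifier asn1dn;
	peers_identifier asn1dn;
	# NOTE(review): verify_identifier is not set and racoon defaults it to
	# off, so the peer's asn1dn is presumably not checked against the ID
	# payload; consider "verify_identifier on;" -- confirm in racoon.conf(5).
	# Own certificate and private key; the key file must stay readable by
	# root only.
	certificate_type x509 "re01.dyndns.org-cert.pem" "re01.dyndns.org-key.pem";
	# Peer's certificate, taken from a local file (presumably instead of the
	# CERT payload the peer sends -- verify against racoon.conf(5)).
	peers_certfile x509 "ramiel-cert.pem";
	# Lifetime of the phase 1 SA.
	lifetime time 24 hour;
	proposal {
		# NOTE(review): 3des / md5 / dh_group 2 (modp1024) are legacy choices
		# kept from the original example; racoon also accepts e.g. aes,
		# sha256 and dh_group 14 -- confirm against racoon.conf(5) before
		# changing, as both peers must offer a matching proposal.
		encryption_algorithm 3des;
		hash_algorithm md5;
		# authentication_method pre_shared_key;
		authentication_method rsasig;
		dh_group 2;
	}
}

# NOTE(review): no sainfo block (phase 2 / IPsec SA parameters) is shown here;
# racoon needs one, e.g. "sainfo anonymous { ... }", for phase 2 to succeed --
# confirm whether it is provided in another file.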
file: racoon.conf; host: B (certificate)
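# /etc/racoon/racoon.conf -- host B (2001:6f8:1044::211:2fff:febe:666a),
# certificate variant. Mirror of host A's file: listen and remote addresses
# are swapped and the certificate file names refer to B's own cert/key and
# A's cert; the commented-out address lines appear to be left over from
# host A's copy.
# Directory searched by "include" statements.
path include "/etc/racoon";
# path pre_shared_key "/etc/racoon/psk.txt";
# Directory that the certificate and key file names below are resolved against.
path certificate "/etc/racoon/certs";

listen {
	# Only accept ISAKMP (UDP 500) on host B's own address.
	# isakmp 2001:6f8:900:8a6::2;
	isakmp 2001:6f8:1044::211:2fff:febe:666a;
}

# Phase 1 (ISAKMP SA) parameters for peer A.
# remote 2001:6f8:1044::211:2fff:febe:666a
remote 2001:6f8:900:8a6::2 {
	# Main mode exchanges identities only after the DH exchange (unlike
	# aggressive mode).
	exchange_mode main;
	# Both sides identify themselves by the subject DN of their certificate.
	my_identifier asn1dn;
	peers_identifier asn1dn;
	# NOTE(review): verify_identifier is not set and racoon defaults it to
	# off, so the peer's asn1dn is presumably not checked against the ID
	# payload; consider "verify_identifier on;" -- confirm in racoon.conf(5).
	# Own certificate and private key; the key file must stay readable by
	# root only.
	certificate_type x509 "ramiel-cert.pem" "ramiel-key.pem";
	# Peer's certificate, taken from a local file (presumably instead of the
	# CERT payload the peer sends -- verify against racoon.conf(5)).
	peers_certfile x509 "re01.dyndns.org-cert.pem";
	# Lifetime of the phase 1 SA.
	lifetime time 24 hour;
	proposal {
		# NOTE(review): 3des / md5 / dh_group 2 (modp1024) are legacy choices
		# kept from the original example; racoon also accepts e.g. aes,
		# sha256 and dh_group 14 -- confirm against racoon.conf(5) before
		# changing, as both peers must offer a matching proposal.
		encryption_algorithm 3des;
		hash_algorithm md5;
		# authentication_method pre_shared_key;
		authentication_method rsasig;
		dh_group 2;
	}
}

# NOTE(review): no sainfo block (phase 2 / IPsec SA parameters) is shown here;
# racoon needs one, e.g. "sainfo anonymous { ... }", for phase 2 to succeed --
# confirm whether it is provided in another file.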