Benutzer:Zim/ip6sec: Unterschied zwischen den Versionen
Aus Opennet
Zim (Diskussion | Beiträge) (start, pre-shared) |
Zim (Diskussion | Beiträge) |
||
| (14 dazwischenliegende Versionen von einem Benutzer werden nicht angezeigt) | |||
| Zeile 2: | Zeile 2: | ||
benoetigte pakete: | benoetigte pakete: | ||
| − | - ipsec-tools | + | - ipsec-tools |
| − | - racoon (evtl schon in ipsec-tools enthalten) | + | - racoon (evtl schon in ipsec-tools enthalten) |
| + | ---- | ||
| + | Update: | ||
| + | Dem racoon-Paket liegt noch eine weiteres Tool racoon-tool bei. Damit lassen sich die ewig langen Configdateien auf ein Minimum zurecht stutzen. Beispiel für PSK-transport-Config: | ||
| + | file: /etc/racoon/racoon-tool.conf | ||
| + | connection(bezeichner): | ||
| + | src_ip: loc-IP | ||
| + | dst_ip: remote-IP | ||
| + | authentication_algorithm: hmac_sha1 | ||
| + | admin_status: yes | ||
| + | peer(remote-IP): | ||
| + | passive:off | ||
| + | verify_identifier: on | ||
| + | lifetime: time 30 min | ||
| + | hash_algorithm[0]: sha1 | ||
| + | encryption_algorithm[0]: aes | ||
| + | my_identifier: address loc-IP | ||
| + | peers_identifier: address remote-IP | ||
| + | |||
| + | Das Gleiche mit getauschten IPs auf dem remote-Host und dann per 'racoon-tool start' anwenden. Fertig. | ||
| + | |||
| + | ---- | ||
mode: transport | mode: transport | ||
keys: preshared | keys: preshared | ||
| Zeile 12: | Zeile 33: | ||
host: A und B | host: A und B | ||
| − | # /etc/racoon/psk.txt | + | # /etc/racoon/psk.txt |
| − | # IPv4/v6 addresses | + | # IPv4/v6 addresses |
| − | 2001:6f8:1044: | + | 2001:6f8:1044::1 secret |
| − | #10.160.94.3 mekmitasdigoat | + | 2001:6f8:1044::2 secret |
| − | #172.16.1.133 0x12345678 | + | #10.160.94.3 mekmitasdigoat |
| − | #194.100.55.1 whatcertificatereally | + | #172.16.1.133 0x12345678 |
| − | #3ffe:501:410:ffff:200:86ff:fe05:80fa mekmitasdigoat | + | #194.100.55.1 whatcertificatereally |
| − | #3ffe:501:410:ffff:210:4bff:fea2:8baa mekmitasdigoat | + | #3ffe:501:410:ffff:200:86ff:fe05:80fa mekmitasdigoat |
| − | # USER_FQDN | + | #3ffe:501:410:ffff:210:4bff:fea2:8baa mekmitasdigoat |
| − | #foo@kame.net mekmitasdigoat | + | # USER_FQDN |
| − | # FQDN | + | #foo@kame.net mekmitasdigoat |
| − | #foo.kame.net hoge | + | # FQDN |
| + | #foo.kame.net hoge | ||
file: setkey.txt | file: setkey.txt | ||
| Zeile 29: | Zeile 51: | ||
host: A | host: A | ||
| − | #!/usr/sbin/setkey -f | + | #!/usr/sbin/setkey -f |
| − | flush; | + | flush; |
| − | spdflush; | + | spdflush; |
| − | spdadd 2001:6f8: | + | spdadd 2001:6f8:1044::1 2001:6f8:1044::2 any -P out ipsec esp/transport//require; |
| − | spdadd 2001:6f8:1044:: | + | spdadd 2001:6f8:1044::2 2001:6f8:1044::1 any -P in ipsec esp/transport//require; |
file: setkey.txt | file: setkey.txt | ||
| Zeile 39: | Zeile 61: | ||
host: B | host: B | ||
| − | #!/usr/sbin/setkey -f | + | #!/usr/sbin/setkey -f |
| − | flush; | + | flush; |
| − | spdflush; | + | spdflush; |
| − | spdadd 2001:6f8: | + | spdadd 2001:6f8:1044::1 2001:6f8:1044::2 any -P in ipsec esp/transport//require; |
| − | spdadd 2001:6f8:1044:: | + | spdadd 2001:6f8:1044::2 2001:6f8:1044::1 any -P out ipsec esp/transport//require; |
file: racoon.conf | file: racoon.conf | ||
| − | desc: | + | desc: racoon config for host A - preshared keys |
host: A | host: A | ||
| − | # | + | # |
| − | path include "/etc/racoon"; | + | path include "/etc/racoon"; |
| − | path pre_shared_key "/etc/racoon/psk.txt"; | + | path pre_shared_key "/etc/racoon/psk.txt"; |
| − | #path certificate "/etc/racoon/certs"; | + | #path certificate "/etc/racoon/certs"; |
| + | listen | ||
| + | { | ||
| + | isakmp 2001:6f8:1044::1; | ||
| + | } | ||
| + | remote 2001:6f8:1044::2 | ||
| + | { | ||
| + | exchange_mode main; | ||
| + | # my_identifier asn1dn; | ||
| + | # peers_identifier asn1dn; | ||
| + | # certificate_type x509 "host-A-cert.pem" "host-A-key.pem"; | ||
| + | # peers_certfile x509 "host-B-cert.pem"; | ||
| + | lifetime time 24 hour; | ||
| + | proposal | ||
| + | { | ||
| + | encryption_algorithm aes; | ||
| + | hash_algorithm sha1; | ||
| + | authentication_method pre_shared_key; | ||
| + | # authentication_method rsasig; | ||
| + | dh_group 2; | ||
| + | } | ||
| + | } | ||
| + | sainfo address 2001:6f8:1044::1 any address 2001:6f8:1044::2 any | ||
| + | { | ||
| + | lifetime time 1 hour; | ||
| + | encryption_algorithm aes; | ||
| + | authentication_algorithm hmac_sha1; | ||
| + | compression_algorithm deflate; | ||
| + | } | ||
| + | sainfo address 2001:6f8:1044::2 any address 2001:6f8:1044::1 any | ||
| + | { | ||
| + | lifetime time 1 hour; | ||
| + | encryption_algorithm aes; | ||
| + | authentication_algorithm hmac_sha1; | ||
| + | compression_algorithm deflate; | ||
| + | } | ||
| − | |||
| − | |||
| − | |||
| − | |||
| − | remote 2001:6f8:1044:: | + | file: racoon.conf |
| − | { | + | desc: racoon config for host B - preshared keys |
| + | host: B | ||
| + | |||
| + | # | ||
| + | path include "/etc/racoon"; | ||
| + | path pre_shared_key "/etc/racoon/psk.txt"; | ||
| + | #path certificate "/etc/racoon/certs"; | ||
| + | listen | ||
| + | { | ||
| + | # isakmp 2001:6f8:1044::1; | ||
| + | isakmp 2001:6f8:1044::2; | ||
| + | } | ||
| + | #remote 2001:6f8:1044::2 | ||
| + | remote 2001:6f8:1044::1 | ||
| + | { | ||
exchange_mode main; | exchange_mode main; | ||
| − | # my_identifier asn1dn; | + | # my_identifier asn1dn; |
| − | # peers_identifier asn1dn; | + | # peers_identifier asn1dn; |
| + | # certificate_type x509 "host-B-cert.pem" "host-B-key.pem"; | ||
| + | # peers_certfile x509 "host-A-cert.pem"; | ||
| + | lifetime time 24 hour; | ||
| + | proposal | ||
| + | { | ||
| + | encryption_algorithm aes; | ||
| + | hash_algorithm sha1; | ||
| + | authentication_method pre_shared_key; | ||
| + | # authentication_method rsasig; | ||
| + | dh_group 2; | ||
| + | } | ||
| + | } | ||
| + | sainfo address 2001:6f8:1044::1 any address 2001:6f8:1044::2 any | ||
| + | { | ||
| + | lifetime time 1 hour; | ||
| + | encryption_algorithm aes; | ||
| + | authentication_algorithm hmac_sha1; | ||
| + | compression_algorithm deflate; | ||
| + | } | ||
| + | sainfo address 2001:6f8:1044::2 any address 2001:6f8:1044::1 any | ||
| + | { | ||
| + | lifetime time 1 hour; | ||
| + | encryption_algorithm aes; | ||
| + | authentication_algorithm hmac_sha1; | ||
| + | compression_algorithm deflate; | ||
| + | } | ||
| − | + | ---- | |
| − | + | mode: transport | |
| + | keys: certificate | ||
| + | desc: only change racoon.conf | ||
| + | |||
| + | |||
| + | file: racoon.conf | ||
| + | desc: racoon config for host A - certs | ||
| + | host: A | ||
| + | |||
| + | # | ||
| + | path include "/etc/racoon"; | ||
| + | #path pre_shared_key "/etc/racoon/psk.txt"; | ||
| + | path certificate "/etc/racoon/certs"; | ||
| + | listen | ||
| + | { | ||
| + | isakmp 2001:6f8:1044::1; | ||
| + | } | ||
| + | remote 2001:6f8:1044::2 | ||
| + | { | ||
| + | exchange_mode main; | ||
| + | my_identifier asn1dn; | ||
| + | peers_identifier asn1dn; | ||
| + | certificate_type x509 "host-A-cert.pem" "host-A-key.pem"; | ||
| + | peers_certfile x509 "host-B-cert.pem"; | ||
lifetime time 24 hour; | lifetime time 24 hour; | ||
proposal | proposal | ||
{ | { | ||
| − | encryption_algorithm | + | encryption_algorithm aes; |
| − | hash_algorithm | + | hash_algorithm sha1; |
| − | + | # authentication_method pre_shared_key; | |
| − | + | authentication_method rsasig; | |
dh_group 2; | dh_group 2; | ||
} | } | ||
| − | } | + | } |
| + | sainfo address 2001:6f8:1044::1 any address 2001:6f8:1044::2 any | ||
| + | { | ||
| + | lifetime time 1 hour; | ||
| + | encryption_algorithm aes; | ||
| + | authentication_algorithm hmac_sha1; | ||
| + | compression_algorithm deflate; | ||
| + | } | ||
| + | sainfo address 2001:6f8:1044::2 any address 2001:6f8:1044::1 any | ||
| + | { | ||
| + | lifetime time 1 hour; | ||
| + | encryption_algorithm aes; | ||
| + | authentication_algorithm hmac_sha1; | ||
| + | compression_algorithm deflate; | ||
| + | } | ||
file: racoon.conf | file: racoon.conf | ||
| − | desc: | + | desc: racoon config for host B - certs |
host: B | host: B | ||
| − | # | + | # |
| − | path include "/etc/racoon"; | + | path include "/etc/racoon"; |
| − | path pre_shared_key "/etc/racoon/psk.txt"; | + | #path pre_shared_key "/etc/racoon/psk.txt"; |
| − | + | path certificate "/etc/racoon/certs"; | |
| + | listen | ||
| + | { | ||
| + | # isakmp 2001:6f8:1044::1; | ||
| + | isakmp 2001:6f8:1044::2; | ||
| + | } | ||
| + | #remote 2001:6f8:1044::2 | ||
| + | remote 2001:6f8:1044::1 | ||
| + | { | ||
| + | exchange_mode main; | ||
| + | my_identifier asn1dn; | ||
| + | peers_identifier asn1dn; | ||
| + | certificate_type x509 "host-B-cert.pem" "host-B-key.pem"; | ||
| + | peers_certfile x509 "host-A-cert.pem"; | ||
| + | lifetime time 24 hour; | ||
| + | proposal | ||
| + | { | ||
| + | encryption_algorithm aes; | ||
| + | hash_algorithm sha1; | ||
| + | # authentication_method pre_shared_key; | ||
| + | authentication_method rsasig; | ||
| + | dh_group 2; | ||
| + | } | ||
| + | } | ||
| + | sainfo address 2001:6f8:1044::1 any address 2001:6f8:1044::2 any | ||
| + | { | ||
| + | lifetime time 1 hour; | ||
| + | encryption_algorithm aes; | ||
| + | authentication_algorithm hmac_sha1; | ||
| + | compression_algorithm deflate; | ||
| + | } | ||
| + | sainfo address 2001:6f8:1044::2 any address 2001:6f8:1044::1 any | ||
| + | { | ||
| + | lifetime time 1 hour; | ||
| + | encryption_algorithm aes; | ||
| + | authentication_algorithm hmac_sha1; | ||
| + | compression_algorithm deflate; | ||
| + | } | ||
| − | + | ---- | |
| − | + | Roadwarrior-Config: | |
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | Ziel: Verbindung von beliebigem Client (zb dynIP) zu Server | |
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | Serversite: | |
| − | + | ||
| + | setkey.sh: | ||
| + | - destIP in Bereicht (::/0) geaendert; level von 'require' nach 'use', damit hosts ohne ipsec auch verbinden koennen | ||
| + | |||
| + | #!/usr/sbin/setkey -f | ||
| + | flush; | ||
| + | spdflush; | ||
| + | spdadd 2001:6f8:1044::1 ::/0 any -P out ipsec esp/transport//use; | ||
| + | spdadd ::/0 2001:6f8:1044::1 any -P in ipsec esp/transport//use; | ||
| + | |||
| + | racoon.conf: | ||
| + | - statt feste IPs der client-site, nun "anonymous"; ausserdem auf 'passiv' damit versucht der Server keine Verbindung herzustellen, sondern nur auf eingehende antwortet | ||
| + | |||
| + | #/etc/racoon/racoon.conf | ||
| + | path include "/etc/racoon"; | ||
| + | #path pre_shared_key "/etc/racoon/psk.txt"; | ||
| + | path certificate "/etc/racoon/certs"; | ||
| + | listen | ||
| + | { | ||
| + | isakmp 2001:6f8:900:8a6::2; | ||
| + | } | ||
| + | remote anonymous | ||
| + | { | ||
| + | exchange_mode aggressive,main,base; | ||
| + | my_identifier asn1dn; | ||
| + | certificate_type x509 "host-A-cert.pem" "host-A-key.pem"; | ||
| + | ca_type x509 "cacert.cert"; | ||
| + | passive on; | ||
| + | generate_policy on; | ||
| + | proposal { | ||
| + | encryption_algorithm aes; | ||
| + | hash_algorithm sha1; | ||
| + | authentication_method rsasig; | ||
| + | dh_group 2; | ||
| + | lifetime time 24 hour; | ||
| + | } | ||
| + | } | ||
| + | sainfo anonymous | ||
| + | { | ||
| + | pfs_group 2; | ||
| + | encryption_algorithm aes; | ||
| + | authentication_algorithm hmac_sha1; | ||
| + | compression_algorithm deflate; | ||
| + | |||
| + | client-site: | ||
| + | |||
| + | setkey.conf: kann so bleiben, evtl noch vereinfachbar | ||
| + | |||
| + | #!/usr/sbin/setkey -f | ||
| + | flush; | ||
| + | spdflush; | ||
| + | spdadd 2001:6f8:900:8a6::2 2001:6f8:1044::211:2fff:febe:666a any -P in ipsec esp/transport//require; | ||
| + | spdadd 2001:6f8:1044::211:2fff:febe:666a 2001:6f8:900:8a6::2 any -P out ipsec esp/transport//require; | ||
| + | |||
| + | racoon.conf: | ||
| + | |||
| + | #/etc/racoon/racoon.conf | ||
| + | path include "/etc/racoon"; | ||
| + | path certificate "/etc/racoon/certs"; | ||
| + | listen | ||
| + | { | ||
| + | isakmp 2001:6f8:1044::211:2fff:febe:666a; | ||
| + | } | ||
| + | remote 2001:6f8:900:8a6::2 | ||
| + | { | ||
| + | exchange_mode aggressive,main,base; | ||
| + | my_identifier asn1dn; | ||
| + | peers_identifier asn1dn; | ||
| + | certificate_type x509 "host-B-cert.pem" "host-B-key.pem"; | ||
| + | peers_certfile x509 "host-A-cert.pem"; | ||
lifetime time 24 hour; | lifetime time 24 hour; | ||
proposal | proposal | ||
{ | { | ||
| − | encryption_algorithm | + | encryption_algorithm aes; |
| − | hash_algorithm | + | hash_algorithm sha1; |
| − | + | authentication_method rsasig; | |
| − | + | ||
dh_group 2; | dh_group 2; | ||
} | } | ||
| − | } | + | } |
| + | sainfo anonymous | ||
| + | { | ||
| + | pfs_group 2; | ||
| + | encryption_algorithm aes; | ||
| + | authentication_algorithm hmac_sha1; | ||
| + | compression_algorithm deflate; | ||
| + | } | ||
Aktuelle Version vom 22. Juli 2009, 10:58 Uhr
beispielconfig fuer ipsec/ipv6
benoetigte pakete:
- ipsec-tools - racoon (evtl schon in ipsec-tools enthalten)
Update: Dem racoon-Paket liegt noch eine weiteres Tool racoon-tool bei. Damit lassen sich die ewig langen Configdateien auf ein Minimum zurecht stutzen. Beispiel für PSK-transport-Config:
file: /etc/racoon/racoon-tool.conf
connection(bezeichner): src_ip: loc-IP dst_ip: remote-IP authentication_algorithm: hmac_sha1 admin_status: yes peer(remote-IP): passive:off verify_identifier: on lifetime: time 30 min hash_algorithm[0]: sha1 encryption_algorithm[0]: aes my_identifier: address loc-IP peers_identifier: address remote-IP
Das Gleiche mit getauschten IPs auf dem remote-Host und dann per 'racoon-tool start' anwenden. Fertig.
mode: transport keys: preshared
file: psk.txt desc: enthaelt preshared keys host: A und B
# /etc/racoon/psk.txt # IPv4/v6 addresses 2001:6f8:1044::1 secret 2001:6f8:1044::2 secret #10.160.94.3 mekmitasdigoat #172.16.1.133 0x12345678 #194.100.55.1 whatcertificatereally #3ffe:501:410:ffff:200:86ff:fe05:80fa mekmitasdigoat #3ffe:501:410:ffff:210:4bff:fea2:8baa mekmitasdigoat # USER_FQDN #foo@kame.net mekmitasdigoat # FQDN #foo.kame.net hoge
file: setkey.txt desc: shellscript to set up spd-policies host: A
#!/usr/sbin/setkey -f flush; spdflush; spdadd 2001:6f8:1044::1 2001:6f8:1044::2 any -P out ipsec esp/transport//require; spdadd 2001:6f8:1044::2 2001:6f8:1044::1 any -P in ipsec esp/transport//require;
file: setkey.txt desc: shellscript to set up spd-policies host: B
#!/usr/sbin/setkey -f flush; spdflush; spdadd 2001:6f8:1044::1 2001:6f8:1044::2 any -P in ipsec esp/transport//require; spdadd 2001:6f8:1044::2 2001:6f8:1044::1 any -P out ipsec esp/transport//require;
file: racoon.conf desc: racoon config for host A - preshared keys host: A
#
path include "/etc/racoon";
path pre_shared_key "/etc/racoon/psk.txt";
#path certificate "/etc/racoon/certs";
listen
{
isakmp 2001:6f8:1044::1;
}
remote 2001:6f8:1044::2
{
exchange_mode main;
# my_identifier asn1dn;
# peers_identifier asn1dn;
# certificate_type x509 "host-A-cert.pem" "host-A-key.pem";
# peers_certfile x509 "host-B-cert.pem";
lifetime time 24 hour;
proposal
{
encryption_algorithm aes;
hash_algorithm sha1;
authentication_method pre_shared_key;
# authentication_method rsasig;
dh_group 2;
}
}
sainfo address 2001:6f8:1044::1 any address 2001:6f8:1044::2 any
{
lifetime time 1 hour;
encryption_algorithm aes;
authentication_algorithm hmac_sha1;
compression_algorithm deflate;
}
sainfo address 2001:6f8:1044::2 any address 2001:6f8:1044::1 any
{
lifetime time 1 hour;
encryption_algorithm aes;
authentication_algorithm hmac_sha1;
compression_algorithm deflate;
}
file: racoon.conf
desc: racoon config for host B - preshared keys
host: B
#
path include "/etc/racoon";
path pre_shared_key "/etc/racoon/psk.txt";
#path certificate "/etc/racoon/certs";
listen
{
# isakmp 2001:6f8:1044::1;
isakmp 2001:6f8:1044::2;
}
#remote 2001:6f8:1044::2
remote 2001:6f8:1044::1
{
exchange_mode main;
# my_identifier asn1dn;
# peers_identifier asn1dn;
# certificate_type x509 "host-B-cert.pem" "host-B-key.pem";
# peers_certfile x509 "host-A-cert.pem";
lifetime time 24 hour;
proposal
{
encryption_algorithm aes;
hash_algorithm sha1;
authentication_method pre_shared_key;
# authentication_method rsasig;
dh_group 2;
}
}
sainfo address 2001:6f8:1044::1 any address 2001:6f8:1044::2 any
{
lifetime time 1 hour;
encryption_algorithm aes;
authentication_algorithm hmac_sha1;
compression_algorithm deflate;
}
sainfo address 2001:6f8:1044::2 any address 2001:6f8:1044::1 any
{
lifetime time 1 hour;
encryption_algorithm aes;
authentication_algorithm hmac_sha1;
compression_algorithm deflate;
}
mode: transport keys: certificate
desc: only change racoon.conf
file: racoon.conf
desc: racoon config for host A - certs
host: A
#
path include "/etc/racoon";
#path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";
listen
{
isakmp 2001:6f8:1044::1;
}
remote 2001:6f8:1044::2
{
exchange_mode main;
my_identifier asn1dn;
peers_identifier asn1dn;
certificate_type x509 "host-A-cert.pem" "host-A-key.pem";
peers_certfile x509 "host-B-cert.pem";
lifetime time 24 hour;
proposal
{
encryption_algorithm aes;
hash_algorithm sha1;
# authentication_method pre_shared_key;
authentication_method rsasig;
dh_group 2;
}
}
sainfo address 2001:6f8:1044::1 any address 2001:6f8:1044::2 any
{
lifetime time 1 hour;
encryption_algorithm aes;
authentication_algorithm hmac_sha1;
compression_algorithm deflate;
}
sainfo address 2001:6f8:1044::2 any address 2001:6f8:1044::1 any
{
lifetime time 1 hour;
encryption_algorithm aes;
authentication_algorithm hmac_sha1;
compression_algorithm deflate;
}
file: racoon.conf
desc: racoon config for host B - certs
host: B
#
path include "/etc/racoon";
#path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";
listen
{
# isakmp 2001:6f8:1044::1;
isakmp 2001:6f8:1044::2;
}
#remote 2001:6f8:1044::2
remote 2001:6f8:1044::1
{
exchange_mode main;
my_identifier asn1dn;
peers_identifier asn1dn;
certificate_type x509 "host-B-cert.pem" "host-B-key.pem";
peers_certfile x509 "host-A-cert.pem";
lifetime time 24 hour;
proposal
{
encryption_algorithm aes;
hash_algorithm sha1;
# authentication_method pre_shared_key;
authentication_method rsasig;
dh_group 2;
}
}
sainfo address 2001:6f8:1044::1 any address 2001:6f8:1044::2 any
{
lifetime time 1 hour;
encryption_algorithm aes;
authentication_algorithm hmac_sha1;
compression_algorithm deflate;
}
sainfo address 2001:6f8:1044::2 any address 2001:6f8:1044::1 any
{
lifetime time 1 hour;
encryption_algorithm aes;
authentication_algorithm hmac_sha1;
compression_algorithm deflate;
}
Roadwarrior-Config:
Ziel: Verbindung von beliebigem Client (zb dynIP) zu Server
Serversite:
setkey.sh: - destIP in Bereicht (::/0) geaendert; level von 'require' nach 'use', damit hosts ohne ipsec auch verbinden koennen
#!/usr/sbin/setkey -f flush; spdflush; spdadd 2001:6f8:1044::1 ::/0 any -P out ipsec esp/transport//use; spdadd ::/0 2001:6f8:1044::1 any -P in ipsec esp/transport//use;
racoon.conf: - statt feste IPs der client-site, nun "anonymous"; ausserdem auf 'passiv' damit versucht der Server keine Verbindung herzustellen, sondern nur auf eingehende antwortet
#/etc/racoon/racoon.conf
path include "/etc/racoon";
#path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";
listen
{
isakmp 2001:6f8:900:8a6::2;
}
remote anonymous
{
exchange_mode aggressive,main,base;
my_identifier asn1dn;
certificate_type x509 "host-A-cert.pem" "host-A-key.pem";
ca_type x509 "cacert.cert";
passive on;
generate_policy on;
proposal {
encryption_algorithm aes;
hash_algorithm sha1;
authentication_method rsasig;
dh_group 2;
lifetime time 24 hour;
}
}
sainfo anonymous
{
pfs_group 2;
encryption_algorithm aes;
authentication_algorithm hmac_sha1;
compression_algorithm deflate;
client-site:
setkey.conf: kann so bleiben, evtl noch vereinfachbar
#!/usr/sbin/setkey -f flush; spdflush; spdadd 2001:6f8:900:8a6::2 2001:6f8:1044::211:2fff:febe:666a any -P in ipsec esp/transport//require; spdadd 2001:6f8:1044::211:2fff:febe:666a 2001:6f8:900:8a6::2 any -P out ipsec esp/transport//require;
racoon.conf:
#/etc/racoon/racoon.conf
path include "/etc/racoon";
path certificate "/etc/racoon/certs";
listen
{
isakmp 2001:6f8:1044::211:2fff:febe:666a;
}
remote 2001:6f8:900:8a6::2
{
exchange_mode aggressive,main,base;
my_identifier asn1dn;
peers_identifier asn1dn;
certificate_type x509 "host-B-cert.pem" "host-B-key.pem";
peers_certfile x509 "host-A-cert.pem";
lifetime time 24 hour;
proposal
{
encryption_algorithm aes;
hash_algorithm sha1;
authentication_method rsasig;
dh_group 2;
}
}
sainfo anonymous
{
pfs_group 2;
encryption_algorithm aes;
authentication_algorithm hmac_sha1;
compression_algorithm deflate;
}
