Benutzer:Zim/ip6sec: Unterschied zwischen den Versionen

(certificate)
(dateinamen verallgemeinert)
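--- a/Benutzer:Zim/ip6sec
+++ b/Benutzer:Zim/ip6sec
@@ -65,4 +65,4 @@
 #        peers_identifier asn1dn;
-#        certificate_type x509 "re01.dyndns.org-cert.pem" "re01.dyndns.org-key.pem";
-#        peers_certfile x509 "ramiel-cert.pem";
+#        certificate_type x509 "host-A-cert.pem" "host-A-key.pem";
+#        peers_certfile x509 "host-B-cert.pem";
          lifetime time 24 hour;
@@ -102,4 +102,4 @@
 #        peers_identifier asn1dn;
-#        certificate_type x509 "ramiel-cert.pem" "ramiel-key.pem";
-#        peers_certfile x509 "re01.dyndns.org-cert.pem";
+#        certificate_type x509 "host-B-cert.pem" "host-B-key.pem";
+#        peers_certfile x509 "host-A-cert.pem";
          lifetime time 24 hour;
@@ -143,4 +143,4 @@
          peers_identifier asn1dn;
-         certificate_type x509 "re01.dyndns.org-cert.pem" "re01.dyndns.org-key.pem";
-         peers_certfile x509 "ramiel-cert.pem";
+         certificate_type x509 "host-A-cert.pem" "host-A-key.pem";
+         peers_certfile x509 "host-B-cert.pem";
          lifetime time 24 hour;
@@ -180,4 +180,4 @@
          peers_identifier asn1dn;
-         certificate_type x509 "ramiel-cert.pem" "ramiel-key.pem";
-         peers_certfile x509 "re01.dyndns.org-cert.pem";
+         certificate_type x509 "host-B-cert.pem" "host-B-key.pem";
+         peers_certfile x509 "host-A-cert.pem";
          lifetime time 24 hour;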
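Review bot: The key file named on the new certificate_type line in the Zeile 143 hunk (and again in the Zeile 180 hunk) is the host's private key, and neither hunk nor the surrounding example says how it has to be protected; a comment next to it such as `# host-A-key.pem is the private key: owner-readable only (0600), never copied to the peer` would stop readers from reproducing the example with a shared or world-readable key. The matching peers_certfile line pins the peer to a certificate file shipped out of band, so the placeholder on host A has to be the very certificate host B names on its own certificate_type line — the two hunks keep that consistent, which is worth stating in the text, since with placeholders it reads like a naming convention rather than a requirement. The Zeile 65 and Zeile 102 hunks touch the same lines in their commented-out form and need no separate treatment. In all four hunks the enclosing remote block starts and ends outside the hunk.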

Version vom 8. Februar 2009, 16:35 Uhr

beispielconfig fuer ipsec/ipv6

benoetigte pakete:
- ipsec-tools
- racoon (evtl schon in ipsec-tools enthalten)

mode: transport keys: preshared

file: psk.txt desc: enthaelt preshared keys host: A und B

# /etc/racoon/psk.txt
# IPv4/v6 addresses

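# NOTE(review): racoon looks the key up by the peer's identifier, which in main
# mode is the peer's address, so this line is what host A needs. On host B the
# same file would have to carry host A's address (2001:6f8:900:8a6::2) instead --
# confirm, since the page says one file serves both hosts.
# The address is matched textually, in the form racoon prints it (single zero
# group as :0:, not ::) -- keep that spelling.
# "secret" is a placeholder: use a long random key, and keep this file
# owner-readable only (0600); racoon checks the mode and logs a
# "weak file permission" error otherwise.
2001:6f8:1044:0:211:2fff:febe:666a secret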

# 10.160.94.3 mekmitasdigoat
# 172.16.1.133 0x12345678
# 194.100.55.1 whatcertificatereally
# 3ffe:501:410:ffff:200:86ff:fe05:80fa mekmitasdigoat
# 3ffe:501:410:ffff:210:4bff:fea2:8baa mekmitasdigoat
# USER_FQDN
# foo@kame.net mekmitasdigoat
# FQDN
# foo.kame.net hoge

file: setkey.txt desc: shellscript to set up spd-policies host: A

#!/usr/sbin/setkey -f

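# Start from a clean state: flush drops every SA, spdflush every policy.
flush;
spdflush;
# Host A (2001:6f8:900:8a6::2) <-> host B: every protocol ("any") in both
# directions must be carried in ESP transport mode. "require" means a packet
# with no matching SA is dropped, not sent in the clear -- with a broken or
# missing racoon setup the link goes dark instead of falling back to plaintext.
spdadd 2001:6f8:900:8a6::2 2001:6f8:1044::211:2fff:febe:666a any -P out ipsec esp/transport//require;
spdadd 2001:6f8:1044::211:2fff:febe:666a 2001:6f8:900:8a6::2 any -P in ipsec esp/transport//require;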

file: setkey.txt desc: shellscript to set up spd-policies host: B

#!/usr/sbin/setkey -f

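# Start from a clean state: flush drops every SA, spdflush every policy.
flush;
spdflush;
# Mirror image of the host A policy: on host B, traffic from A is "in" and
# traffic to A is "out". "require" drops any packet that has no matching SA
# instead of passing it in the clear.
spdadd 2001:6f8:900:8a6::2 2001:6f8:1044::211:2fff:febe:666a any -P in ipsec esp/transport//require;
spdadd 2001:6f8:1044::211:2fff:febe:666a 2001:6f8:900:8a6::2 any -P out ipsec esp/transport//require;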

file: racoon.conf desc: host: A

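# racoon.conf, host A (2001:6f8:900:8a6::2), pre-shared-key variant.
path include "/etc/racoon";
path pre_shared_key "/etc/racoon/psk.txt";
# path certificate "/etc/racoon/certs";

listen {
        # Only accept IKE on this address, not on every interface.
        isakmp  2001:6f8:900:8a6::2;
}

# Phase 1 settings for the peer (host B).
remote 2001:6f8:1044::211:2fff:febe:666a {
        # Keep main mode: aggressive mode sends the PSK-derived hash before the
        # Diffie-Hellman exchange, which exposes the key to offline guessing.
        exchange_mode main;
#        my_identifier asn1dn;
#        peers_identifier asn1dn;
#        certificate_type x509 "host-A-cert.pem" "host-A-key.pem";
#        peers_certfile x509 "host-B-cert.pem";
        # Phase 1 SA lifetime.
        lifetime time 24 hour;
        proposal
        {
                # NOTE(review): 3des/md5/dh_group 2 are legacy choices; where both
                # peers support it prefer aes, sha256 and dh_group 14 (modp2048).
                encryption_algorithm 3des;
                hash_algorithm md5;
                # Key comes from psk.txt, looked up by the peer's address.
                authentication_method pre_shared_key;
#                authentication_method rsasig;
                dh_group 2;
        }
}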


file: racoon.conf desc: host: B

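# racoon.conf, host B (2001:6f8:1044::211:2fff:febe:666a), pre-shared-key variant.
path include "/etc/racoon";
path pre_shared_key "/etc/racoon/psk.txt";
# path certificate "/etc/racoon/certs";

listen {
#        isakmp 2001:6f8:900:8a6::2;
        # Only accept IKE on this host's own address (the commented line above
        # is host A's and is not used here).
        isakmp  2001:6f8:1044::211:2fff:febe:666a;
}

# remote 2001:6f8:1044::211:2fff:febe:666a
# Phase 1 settings for the peer (host A). psk.txt on this host must therefore
# carry host A's address as the identifier.
remote 2001:6f8:900:8a6::2 {
        # Keep main mode: aggressive mode sends the PSK-derived hash before the
        # Diffie-Hellman exchange, which exposes the key to offline guessing.
        exchange_mode main;
#        my_identifier asn1dn;
#        peers_identifier asn1dn;
#        certificate_type x509 "host-B-cert.pem" "host-B-key.pem";
#        peers_certfile x509 "host-A-cert.pem";
        # Phase 1 SA lifetime.
        lifetime time 24 hour;
        proposal
        {
                # NOTE(review): 3des/md5/dh_group 2 are legacy choices; where both
                # peers support it prefer aes, sha256 and dh_group 14 (modp2048).
                encryption_algorithm 3des;
                hash_algorithm md5;
                # Key comes from psk.txt, looked up by the peer's address.
                authentication_method pre_shared_key;
#                authentication_method rsasig;
                dh_group 2;
        }
}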


mode: transport keys: certificate

desc: only change racoon.conf


file: racoon.conf desc: host: A

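# racoon.conf, host A (2001:6f8:900:8a6::2), certificate variant.
path include "/etc/racoon";
# path pre_shared_key "/etc/racoon/psk.txt";
# Relative certificate and key file names below are resolved against this directory.
path certificate "/etc/racoon/certs";

listen {
        # Only accept IKE on this address, not on every interface.
        isakmp  2001:6f8:900:8a6::2;
}

# Phase 1 settings for the peer (host B).
remote 2001:6f8:1044::211:2fff:febe:666a {
        exchange_mode main;
        # Both sides identify by the subject DN of their certificate.
        # NOTE(review): racoon only compares the peer's ID payload with
        # peers_identifier when "verify_identifier on;" is set (default off)
        # -- consider adding it.
        my_identifier asn1dn;
        peers_identifier asn1dn;
        # Own certificate and private key. host-A-key.pem must stay
        # owner-readable only (0600) and never leaves this host.
        certificate_type x509 "host-A-cert.pem" "host-A-key.pem";
        # Pins the peer to this certificate, shipped out of band; it must be the
        # same file host B names on its own certificate_type line (racoon uses
        # the file rather than the certificate payload -- confirm in racoon.conf(5)).
        peers_certfile x509 "host-B-cert.pem";
        # Phase 1 SA lifetime.
        lifetime time 24 hour;
        proposal
        {
                # NOTE(review): 3des/md5/dh_group 2 are legacy choices; where both
                # peers support it prefer aes, sha256 and dh_group 14 (modp2048).
                encryption_algorithm 3des;
                hash_algorithm md5;
#                authentication_method pre_shared_key;
                # RSA signatures with the certificates above; psk.txt is unused.
                authentication_method rsasig;
                dh_group 2;
        }
}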


file: racoon.conf desc: host: B

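# racoon.conf, host B (2001:6f8:1044::211:2fff:febe:666a), certificate variant.
path include "/etc/racoon";
# path pre_shared_key "/etc/racoon/psk.txt";
# Relative certificate and key file names below are resolved against this directory.
path certificate "/etc/racoon/certs";

listen {
#        isakmp 2001:6f8:900:8a6::2;
        # Only accept IKE on this host's own address (the commented line above
        # is host A's and is not used here).
        isakmp  2001:6f8:1044::211:2fff:febe:666a;
}

# remote 2001:6f8:1044::211:2fff:febe:666a
# Phase 1 settings for the peer (host A).
remote 2001:6f8:900:8a6::2 {
        exchange_mode main;
        # Both sides identify by the subject DN of their certificate.
        # NOTE(review): racoon only compares the peer's ID payload with
        # peers_identifier when "verify_identifier on;" is set (default off)
        # -- consider adding it.
        my_identifier asn1dn;
        peers_identifier asn1dn;
        # Own certificate and private key. host-B-key.pem must stay
        # owner-readable only (0600) and never leaves this host.
        certificate_type x509 "host-B-cert.pem" "host-B-key.pem";
        # Pins the peer to this certificate, shipped out of band; it must be the
        # same file host A names on its own certificate_type line (racoon uses
        # the file rather than the certificate payload -- confirm in racoon.conf(5)).
        peers_certfile x509 "host-A-cert.pem";
        # Phase 1 SA lifetime.
        lifetime time 24 hour;
        proposal
        {
                # NOTE(review): 3des/md5/dh_group 2 are legacy choices; where both
                # peers support it prefer aes, sha256 and dh_group 14 (modp2048).
                encryption_algorithm 3des;
                hash_algorithm md5;
#                authentication_method pre_shared_key;
                # RSA signatures with the certificates above; psk.txt is unused.
                authentication_method rsasig;
                dh_group 2;
        }
}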
