Benutzer:Zim/ip6sec: Unterschied zwischen den Versionen
Aus Opennet
Zim (Diskussion | Beiträge) (todo-list) |
Zim (Diskussion | Beiträge) |
||
| (8 dazwischenliegende Versionen von einem Benutzer werden nicht angezeigt) | |||
| Zeile 4: | Zeile 4: | ||
- ipsec-tools | - ipsec-tools | ||
- racoon (evtl schon in ipsec-tools enthalten) | - racoon (evtl schon in ipsec-tools enthalten) | ||
| + | ---- | ||
| + | Update: | ||
| + | Dem racoon-Paket liegt noch eine weiteres Tool racoon-tool bei. Damit lassen sich die ewig langen Configdateien auf ein Minimum zurecht stutzen. Beispiel für PSK-transport-Config: | ||
| + | file: /etc/racoon/racoon-tool.conf | ||
| + | connection(bezeichner): | ||
| + | src_ip: loc-IP | ||
| + | dst_ip: remote-IP | ||
| + | authentication_algorithm: hmac_sha1 | ||
| + | admin_status: yes | ||
| + | peer(remote-IP): | ||
| + | passive:off | ||
| + | verify_identifier: on | ||
| + | lifetime: time 30 min | ||
| + | hash_algorithm[0]: sha1 | ||
| + | encryption_algorithm[0]: aes | ||
| + | my_identifier: address loc-IP | ||
| + | peers_identifier: address remote-IP | ||
| + | |||
| + | Das Gleiche mit getauschten IPs auf dem remote-Host und dann per 'racoon-tool start' anwenden. Fertig. | ||
| + | |||
| + | ---- | ||
mode: transport | mode: transport | ||
keys: preshared | keys: preshared | ||
| Zeile 14: | Zeile 35: | ||
# /etc/racoon/psk.txt | # /etc/racoon/psk.txt | ||
# IPv4/v6 addresses | # IPv4/v6 addresses | ||
| − | 2001:6f8:1044: | + | 2001:6f8:1044::1 secret |
| + | 2001:6f8:1044::2 secret | ||
#10.160.94.3 mekmitasdigoat | #10.160.94.3 mekmitasdigoat | ||
#172.16.1.133 0x12345678 | #172.16.1.133 0x12345678 | ||
| Zeile 32: | Zeile 54: | ||
flush; | flush; | ||
spdflush; | spdflush; | ||
| − | spdadd 2001:6f8: | + | spdadd 2001:6f8:1044::1 2001:6f8:1044::2 any -P out ipsec esp/transport//require; |
| − | spdadd 2001:6f8:1044:: | + | spdadd 2001:6f8:1044::2 2001:6f8:1044::1 any -P in ipsec esp/transport//require; |
file: setkey.txt | file: setkey.txt | ||
| Zeile 42: | Zeile 64: | ||
flush; | flush; | ||
spdflush; | spdflush; | ||
| − | spdadd 2001:6f8: | + | spdadd 2001:6f8:1044::1 2001:6f8:1044::2 any -P in ipsec esp/transport//require; |
| − | spdadd 2001:6f8:1044:: | + | spdadd 2001:6f8:1044::2 2001:6f8:1044::1 any -P out ipsec esp/transport//require; |
file: racoon.conf | file: racoon.conf | ||
| Zeile 53: | Zeile 75: | ||
path pre_shared_key "/etc/racoon/psk.txt"; | path pre_shared_key "/etc/racoon/psk.txt"; | ||
#path certificate "/etc/racoon/certs"; | #path certificate "/etc/racoon/certs"; | ||
| − | |||
listen | listen | ||
{ | { | ||
| − | isakmp 2001:6f8: | + | isakmp 2001:6f8:1044::1; |
} | } | ||
| − | + | remote 2001:6f8:1044::2 | |
| − | remote 2001:6f8:1044:: | + | |
{ | { | ||
exchange_mode main; | exchange_mode main; | ||
# my_identifier asn1dn; | # my_identifier asn1dn; | ||
# peers_identifier asn1dn; | # peers_identifier asn1dn; | ||
| − | |||
# certificate_type x509 "host-A-cert.pem" "host-A-key.pem"; | # certificate_type x509 "host-A-cert.pem" "host-A-key.pem"; | ||
# peers_certfile x509 "host-B-cert.pem"; | # peers_certfile x509 "host-B-cert.pem"; | ||
| − | |||
lifetime time 24 hour; | lifetime time 24 hour; | ||
proposal | proposal | ||
{ | { | ||
| − | encryption_algorithm | + | encryption_algorithm aes; |
| − | hash_algorithm | + | hash_algorithm sha1; |
authentication_method pre_shared_key; | authentication_method pre_shared_key; | ||
# authentication_method rsasig; | # authentication_method rsasig; | ||
dh_group 2; | dh_group 2; | ||
} | } | ||
| + | } | ||
| + | sainfo address 2001:6f8:1044::1 any address 2001:6f8:1044::2 any | ||
| + | { | ||
| + | lifetime time 1 hour; | ||
| + | encryption_algorithm aes; | ||
| + | authentication_algorithm hmac_sha1; | ||
| + | compression_algorithm deflate; | ||
| + | } | ||
| + | sainfo address 2001:6f8:1044::2 any address 2001:6f8:1044::1 any | ||
| + | { | ||
| + | lifetime time 1 hour; | ||
| + | encryption_algorithm aes; | ||
| + | authentication_algorithm hmac_sha1; | ||
| + | compression_algorithm deflate; | ||
} | } | ||
| Zeile 88: | Zeile 120: | ||
path pre_shared_key "/etc/racoon/psk.txt"; | path pre_shared_key "/etc/racoon/psk.txt"; | ||
#path certificate "/etc/racoon/certs"; | #path certificate "/etc/racoon/certs"; | ||
| − | |||
listen | listen | ||
{ | { | ||
| − | # isakmp 2001:6f8: | + | # isakmp 2001:6f8:1044::1; |
| − | isakmp 2001:6f8:1044:: | + | isakmp 2001:6f8:1044::2; |
} | } | ||
| − | + | #remote 2001:6f8:1044::2 | |
| − | #remote 2001:6f8:1044:: | + | remote 2001:6f8:1044::1 |
| − | remote 2001:6f8: | + | |
{ | { | ||
exchange_mode main; | exchange_mode main; | ||
# my_identifier asn1dn; | # my_identifier asn1dn; | ||
# peers_identifier asn1dn; | # peers_identifier asn1dn; | ||
| − | |||
# certificate_type x509 "host-B-cert.pem" "host-B-key.pem"; | # certificate_type x509 "host-B-cert.pem" "host-B-key.pem"; | ||
# peers_certfile x509 "host-A-cert.pem"; | # peers_certfile x509 "host-A-cert.pem"; | ||
| − | |||
lifetime time 24 hour; | lifetime time 24 hour; | ||
proposal | proposal | ||
{ | { | ||
| − | encryption_algorithm | + | encryption_algorithm aes; |
| − | hash_algorithm | + | hash_algorithm sha1; |
authentication_method pre_shared_key; | authentication_method pre_shared_key; | ||
# authentication_method rsasig; | # authentication_method rsasig; | ||
dh_group 2; | dh_group 2; | ||
} | } | ||
| + | } | ||
| + | sainfo address 2001:6f8:1044::1 any address 2001:6f8:1044::2 any | ||
| + | { | ||
| + | lifetime time 1 hour; | ||
| + | encryption_algorithm aes; | ||
| + | authentication_algorithm hmac_sha1; | ||
| + | compression_algorithm deflate; | ||
| + | } | ||
| + | sainfo address 2001:6f8:1044::2 any address 2001:6f8:1044::1 any | ||
| + | { | ||
| + | lifetime time 1 hour; | ||
| + | encryption_algorithm aes; | ||
| + | authentication_algorithm hmac_sha1; | ||
| + | compression_algorithm deflate; | ||
} | } | ||
| − | + | ---- | |
mode: transport | mode: transport | ||
keys: certificate | keys: certificate | ||
| Zeile 131: | Zeile 173: | ||
#path pre_shared_key "/etc/racoon/psk.txt"; | #path pre_shared_key "/etc/racoon/psk.txt"; | ||
path certificate "/etc/racoon/certs"; | path certificate "/etc/racoon/certs"; | ||
| − | |||
listen | listen | ||
{ | { | ||
| − | isakmp 2001:6f8: | + | isakmp 2001:6f8:1044::1; |
} | } | ||
| − | + | remote 2001:6f8:1044::2 | |
| − | remote 2001:6f8:1044:: | + | |
{ | { | ||
exchange_mode main; | exchange_mode main; | ||
my_identifier asn1dn; | my_identifier asn1dn; | ||
peers_identifier asn1dn; | peers_identifier asn1dn; | ||
| − | |||
certificate_type x509 "host-A-cert.pem" "host-A-key.pem"; | certificate_type x509 "host-A-cert.pem" "host-A-key.pem"; | ||
peers_certfile x509 "host-B-cert.pem"; | peers_certfile x509 "host-B-cert.pem"; | ||
| − | |||
lifetime time 24 hour; | lifetime time 24 hour; | ||
proposal | proposal | ||
{ | { | ||
| − | encryption_algorithm | + | encryption_algorithm aes; |
| − | hash_algorithm | + | hash_algorithm sha1; |
# authentication_method pre_shared_key; | # authentication_method pre_shared_key; | ||
authentication_method rsasig; | authentication_method rsasig; | ||
dh_group 2; | dh_group 2; | ||
} | } | ||
| + | } | ||
| + | sainfo address 2001:6f8:1044::1 any address 2001:6f8:1044::2 any | ||
| + | { | ||
| + | lifetime time 1 hour; | ||
| + | encryption_algorithm aes; | ||
| + | authentication_algorithm hmac_sha1; | ||
| + | compression_algorithm deflate; | ||
| + | } | ||
| + | sainfo address 2001:6f8:1044::2 any address 2001:6f8:1044::1 any | ||
| + | { | ||
| + | lifetime time 1 hour; | ||
| + | encryption_algorithm aes; | ||
| + | authentication_algorithm hmac_sha1; | ||
| + | compression_algorithm deflate; | ||
} | } | ||
| Zeile 166: | Zeile 218: | ||
#path pre_shared_key "/etc/racoon/psk.txt"; | #path pre_shared_key "/etc/racoon/psk.txt"; | ||
path certificate "/etc/racoon/certs"; | path certificate "/etc/racoon/certs"; | ||
| − | |||
listen | listen | ||
{ | { | ||
| − | # isakmp 2001:6f8: | + | # isakmp 2001:6f8:1044::1; |
| − | isakmp 2001:6f8:1044:: | + | isakmp 2001:6f8:1044::2; |
} | } | ||
| − | + | #remote 2001:6f8:1044::2 | |
| − | #remote 2001:6f8:1044:: | + | remote 2001:6f8:1044::1 |
| − | remote 2001:6f8: | + | |
{ | { | ||
exchange_mode main; | exchange_mode main; | ||
my_identifier asn1dn; | my_identifier asn1dn; | ||
peers_identifier asn1dn; | peers_identifier asn1dn; | ||
| − | |||
certificate_type x509 "host-B-cert.pem" "host-B-key.pem"; | certificate_type x509 "host-B-cert.pem" "host-B-key.pem"; | ||
peers_certfile x509 "host-A-cert.pem"; | peers_certfile x509 "host-A-cert.pem"; | ||
| − | |||
lifetime time 24 hour; | lifetime time 24 hour; | ||
proposal | proposal | ||
{ | { | ||
| − | encryption_algorithm | + | encryption_algorithm aes; |
| − | hash_algorithm | + | hash_algorithm sha1; |
# authentication_method pre_shared_key; | # authentication_method pre_shared_key; | ||
authentication_method rsasig; | authentication_method rsasig; | ||
dh_group 2; | dh_group 2; | ||
} | } | ||
| + | } | ||
| + | sainfo address 2001:6f8:1044::1 any address 2001:6f8:1044::2 any | ||
| + | { | ||
| + | lifetime time 1 hour; | ||
| + | encryption_algorithm aes; | ||
| + | authentication_algorithm hmac_sha1; | ||
| + | compression_algorithm deflate; | ||
| + | } | ||
| + | sainfo address 2001:6f8:1044::2 any address 2001:6f8:1044::1 any | ||
| + | { | ||
| + | lifetime time 1 hour; | ||
| + | encryption_algorithm aes; | ||
| + | authentication_algorithm hmac_sha1; | ||
| + | compression_algorithm deflate; | ||
} | } | ||
| + | ---- | ||
| + | Roadwarrior-Config: | ||
| − | + | Ziel: Verbindung von beliebigem Client (zb dynIP) zu Server | |
| − | - | + | |
| + | Serversite: | ||
| + | |||
| + | setkey.sh: | ||
| + | - destIP in Bereicht (::/0) geaendert; level von 'require' nach 'use', damit hosts ohne ipsec auch verbinden koennen | ||
| + | |||
| + | #!/usr/sbin/setkey -f | ||
| + | flush; | ||
| + | spdflush; | ||
| + | spdadd 2001:6f8:1044::1 ::/0 any -P out ipsec esp/transport//use; | ||
| + | spdadd ::/0 2001:6f8:1044::1 any -P in ipsec esp/transport//use; | ||
| + | |||
| + | racoon.conf: | ||
| + | - statt feste IPs der client-site, nun "anonymous"; ausserdem auf 'passiv' damit versucht der Server keine Verbindung herzustellen, sondern nur auf eingehende antwortet | ||
| + | |||
| + | #/etc/racoon/racoon.conf | ||
| + | path include "/etc/racoon"; | ||
| + | #path pre_shared_key "/etc/racoon/psk.txt"; | ||
| + | path certificate "/etc/racoon/certs"; | ||
| + | listen | ||
| + | { | ||
| + | isakmp 2001:6f8:900:8a6::2; | ||
| + | } | ||
| + | remote anonymous | ||
| + | { | ||
| + | exchange_mode aggressive,main,base; | ||
| + | my_identifier asn1dn; | ||
| + | certificate_type x509 "host-A-cert.pem" "host-A-key.pem"; | ||
| + | ca_type x509 "cacert.cert"; | ||
| + | passive on; | ||
| + | generate_policy on; | ||
| + | proposal { | ||
| + | encryption_algorithm aes; | ||
| + | hash_algorithm sha1; | ||
| + | authentication_method rsasig; | ||
| + | dh_group 2; | ||
| + | lifetime time 24 hour; | ||
| + | } | ||
| + | } | ||
| + | sainfo anonymous | ||
| + | { | ||
| + | pfs_group 2; | ||
| + | encryption_algorithm aes; | ||
| + | authentication_algorithm hmac_sha1; | ||
| + | compression_algorithm deflate; | ||
| + | |||
| + | client-site: | ||
| + | |||
| + | setkey.conf: kann so bleiben, evtl noch vereinfachbar | ||
| + | |||
| + | #!/usr/sbin/setkey -f | ||
| + | flush; | ||
| + | spdflush; | ||
| + | spdadd 2001:6f8:900:8a6::2 2001:6f8:1044::211:2fff:febe:666a any -P in ipsec esp/transport//require; | ||
| + | spdadd 2001:6f8:1044::211:2fff:febe:666a 2001:6f8:900:8a6::2 any -P out ipsec esp/transport//require; | ||
| + | |||
| + | racoon.conf: | ||
| + | |||
| + | #/etc/racoon/racoon.conf | ||
| + | path include "/etc/racoon"; | ||
| + | path certificate "/etc/racoon/certs"; | ||
| + | listen | ||
| + | { | ||
| + | isakmp 2001:6f8:1044::211:2fff:febe:666a; | ||
| + | } | ||
| + | remote 2001:6f8:900:8a6::2 | ||
| + | { | ||
| + | exchange_mode aggressive,main,base; | ||
| + | my_identifier asn1dn; | ||
| + | peers_identifier asn1dn; | ||
| + | certificate_type x509 "host-B-cert.pem" "host-B-key.pem"; | ||
| + | peers_certfile x509 "host-A-cert.pem"; | ||
| + | lifetime time 24 hour; | ||
| + | proposal | ||
| + | { | ||
| + | encryption_algorithm aes; | ||
| + | hash_algorithm sha1; | ||
| + | authentication_method rsasig; | ||
| + | dh_group 2; | ||
| + | } | ||
| + | } | ||
| + | sainfo anonymous | ||
| + | { | ||
| + | pfs_group 2; | ||
| + | encryption_algorithm aes; | ||
| + | authentication_algorithm hmac_sha1; | ||
| + | compression_algorithm deflate; | ||
| + | } | ||
Aktuelle Version vom 22. Juli 2009, 10:58 Uhr
beispielconfig fuer ipsec/ipv6
benoetigte pakete:
- ipsec-tools - racoon (evtl schon in ipsec-tools enthalten)
Update: Dem racoon-Paket liegt noch eine weiteres Tool racoon-tool bei. Damit lassen sich die ewig langen Configdateien auf ein Minimum zurecht stutzen. Beispiel für PSK-transport-Config:
file: /etc/racoon/racoon-tool.conf
connection(bezeichner): src_ip: loc-IP dst_ip: remote-IP authentication_algorithm: hmac_sha1 admin_status: yes peer(remote-IP): passive:off verify_identifier: on lifetime: time 30 min hash_algorithm[0]: sha1 encryption_algorithm[0]: aes my_identifier: address loc-IP peers_identifier: address remote-IP
Das Gleiche mit getauschten IPs auf dem remote-Host und dann per 'racoon-tool start' anwenden. Fertig.
mode: transport keys: preshared
file: psk.txt desc: enthaelt preshared keys host: A und B
# /etc/racoon/psk.txt # IPv4/v6 addresses 2001:6f8:1044::1 secret 2001:6f8:1044::2 secret #10.160.94.3 mekmitasdigoat #172.16.1.133 0x12345678 #194.100.55.1 whatcertificatereally #3ffe:501:410:ffff:200:86ff:fe05:80fa mekmitasdigoat #3ffe:501:410:ffff:210:4bff:fea2:8baa mekmitasdigoat # USER_FQDN #foo@kame.net mekmitasdigoat # FQDN #foo.kame.net hoge
file: setkey.txt desc: shellscript to set up spd-policies host: A
#!/usr/sbin/setkey -f flush; spdflush; spdadd 2001:6f8:1044::1 2001:6f8:1044::2 any -P out ipsec esp/transport//require; spdadd 2001:6f8:1044::2 2001:6f8:1044::1 any -P in ipsec esp/transport//require;
file: setkey.txt desc: shellscript to set up spd-policies host: B
#!/usr/sbin/setkey -f flush; spdflush; spdadd 2001:6f8:1044::1 2001:6f8:1044::2 any -P in ipsec esp/transport//require; spdadd 2001:6f8:1044::2 2001:6f8:1044::1 any -P out ipsec esp/transport//require;
file: racoon.conf desc: racoon config for host A - preshared keys host: A
#
path include "/etc/racoon";
path pre_shared_key "/etc/racoon/psk.txt";
#path certificate "/etc/racoon/certs";
listen
{
isakmp 2001:6f8:1044::1;
}
remote 2001:6f8:1044::2
{
exchange_mode main;
# my_identifier asn1dn;
# peers_identifier asn1dn;
# certificate_type x509 "host-A-cert.pem" "host-A-key.pem";
# peers_certfile x509 "host-B-cert.pem";
lifetime time 24 hour;
proposal
{
encryption_algorithm aes;
hash_algorithm sha1;
authentication_method pre_shared_key;
# authentication_method rsasig;
dh_group 2;
}
}
sainfo address 2001:6f8:1044::1 any address 2001:6f8:1044::2 any
{
lifetime time 1 hour;
encryption_algorithm aes;
authentication_algorithm hmac_sha1;
compression_algorithm deflate;
}
sainfo address 2001:6f8:1044::2 any address 2001:6f8:1044::1 any
{
lifetime time 1 hour;
encryption_algorithm aes;
authentication_algorithm hmac_sha1;
compression_algorithm deflate;
}
file: racoon.conf
desc: racoon config for host B - preshared keys
host: B
#
path include "/etc/racoon";
path pre_shared_key "/etc/racoon/psk.txt";
#path certificate "/etc/racoon/certs";
listen
{
# isakmp 2001:6f8:1044::1;
isakmp 2001:6f8:1044::2;
}
#remote 2001:6f8:1044::2
remote 2001:6f8:1044::1
{
exchange_mode main;
# my_identifier asn1dn;
# peers_identifier asn1dn;
# certificate_type x509 "host-B-cert.pem" "host-B-key.pem";
# peers_certfile x509 "host-A-cert.pem";
lifetime time 24 hour;
proposal
{
encryption_algorithm aes;
hash_algorithm sha1;
authentication_method pre_shared_key;
# authentication_method rsasig;
dh_group 2;
}
}
sainfo address 2001:6f8:1044::1 any address 2001:6f8:1044::2 any
{
lifetime time 1 hour;
encryption_algorithm aes;
authentication_algorithm hmac_sha1;
compression_algorithm deflate;
}
sainfo address 2001:6f8:1044::2 any address 2001:6f8:1044::1 any
{
lifetime time 1 hour;
encryption_algorithm aes;
authentication_algorithm hmac_sha1;
compression_algorithm deflate;
}
mode: transport keys: certificate
desc: only change racoon.conf
file: racoon.conf
desc: racoon config for host A - certs
host: A
#
path include "/etc/racoon";
#path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";
listen
{
isakmp 2001:6f8:1044::1;
}
remote 2001:6f8:1044::2
{
exchange_mode main;
my_identifier asn1dn;
peers_identifier asn1dn;
certificate_type x509 "host-A-cert.pem" "host-A-key.pem";
peers_certfile x509 "host-B-cert.pem";
lifetime time 24 hour;
proposal
{
encryption_algorithm aes;
hash_algorithm sha1;
# authentication_method pre_shared_key;
authentication_method rsasig;
dh_group 2;
}
}
sainfo address 2001:6f8:1044::1 any address 2001:6f8:1044::2 any
{
lifetime time 1 hour;
encryption_algorithm aes;
authentication_algorithm hmac_sha1;
compression_algorithm deflate;
}
sainfo address 2001:6f8:1044::2 any address 2001:6f8:1044::1 any
{
lifetime time 1 hour;
encryption_algorithm aes;
authentication_algorithm hmac_sha1;
compression_algorithm deflate;
}
file: racoon.conf
desc: racoon config for host B - certs
host: B
#
path include "/etc/racoon";
#path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";
listen
{
# isakmp 2001:6f8:1044::1;
isakmp 2001:6f8:1044::2;
}
#remote 2001:6f8:1044::2
remote 2001:6f8:1044::1
{
exchange_mode main;
my_identifier asn1dn;
peers_identifier asn1dn;
certificate_type x509 "host-B-cert.pem" "host-B-key.pem";
peers_certfile x509 "host-A-cert.pem";
lifetime time 24 hour;
proposal
{
encryption_algorithm aes;
hash_algorithm sha1;
# authentication_method pre_shared_key;
authentication_method rsasig;
dh_group 2;
}
}
sainfo address 2001:6f8:1044::1 any address 2001:6f8:1044::2 any
{
lifetime time 1 hour;
encryption_algorithm aes;
authentication_algorithm hmac_sha1;
compression_algorithm deflate;
}
sainfo address 2001:6f8:1044::2 any address 2001:6f8:1044::1 any
{
lifetime time 1 hour;
encryption_algorithm aes;
authentication_algorithm hmac_sha1;
compression_algorithm deflate;
}
Roadwarrior-Config:
Ziel: Verbindung von beliebigem Client (zb dynIP) zu Server
Serversite:
setkey.sh: - destIP in Bereicht (::/0) geaendert; level von 'require' nach 'use', damit hosts ohne ipsec auch verbinden koennen
#!/usr/sbin/setkey -f flush; spdflush; spdadd 2001:6f8:1044::1 ::/0 any -P out ipsec esp/transport//use; spdadd ::/0 2001:6f8:1044::1 any -P in ipsec esp/transport//use;
racoon.conf: - statt feste IPs der client-site, nun "anonymous"; ausserdem auf 'passiv' damit versucht der Server keine Verbindung herzustellen, sondern nur auf eingehende antwortet
#/etc/racoon/racoon.conf
path include "/etc/racoon";
#path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";
listen
{
isakmp 2001:6f8:900:8a6::2;
}
remote anonymous
{
exchange_mode aggressive,main,base;
my_identifier asn1dn;
certificate_type x509 "host-A-cert.pem" "host-A-key.pem";
ca_type x509 "cacert.cert";
passive on;
generate_policy on;
proposal {
encryption_algorithm aes;
hash_algorithm sha1;
authentication_method rsasig;
dh_group 2;
lifetime time 24 hour;
}
}
sainfo anonymous
{
pfs_group 2;
encryption_algorithm aes;
authentication_algorithm hmac_sha1;
compression_algorithm deflate;
client-site:
setkey.conf: kann so bleiben, evtl noch vereinfachbar
#!/usr/sbin/setkey -f flush; spdflush; spdadd 2001:6f8:900:8a6::2 2001:6f8:1044::211:2fff:febe:666a any -P in ipsec esp/transport//require; spdadd 2001:6f8:1044::211:2fff:febe:666a 2001:6f8:900:8a6::2 any -P out ipsec esp/transport//require;
racoon.conf:
#/etc/racoon/racoon.conf
path include "/etc/racoon";
path certificate "/etc/racoon/certs";
listen
{
isakmp 2001:6f8:1044::211:2fff:febe:666a;
}
remote 2001:6f8:900:8a6::2
{
exchange_mode aggressive,main,base;
my_identifier asn1dn;
peers_identifier asn1dn;
certificate_type x509 "host-B-cert.pem" "host-B-key.pem";
peers_certfile x509 "host-A-cert.pem";
lifetime time 24 hour;
proposal
{
encryption_algorithm aes;
hash_algorithm sha1;
authentication_method rsasig;
dh_group 2;
}
}
sainfo anonymous
{
pfs_group 2;
encryption_algorithm aes;
authentication_algorithm hmac_sha1;
compression_algorithm deflate;
}
