Benutzer:Zim/ip6sec: Unterschied zwischen den Versionen
Zim (Diskussion | Beiträge) (todo-list) |
Zim (Diskussion | Beiträge) |
||
(8 dazwischenliegende Versionen von einem Benutzer werden nicht angezeigt) | |||
Zeile 4: | Zeile 4: | ||
- ipsec-tools | - ipsec-tools | ||
- racoon (evtl schon in ipsec-tools enthalten) | - racoon (evtl schon in ipsec-tools enthalten) | ||
+ | ---- | ||
+ | Update: | ||
+ | Dem racoon-Paket liegt noch eine weiteres Tool racoon-tool bei. Damit lassen sich die ewig langen Configdateien auf ein Minimum zurecht stutzen. Beispiel für PSK-transport-Config: | ||
+ | file: /etc/racoon/racoon-tool.conf | ||
+ | connection(bezeichner): | ||
+ | src_ip: loc-IP | ||
+ | dst_ip: remote-IP | ||
+ | authentication_algorithm: hmac_sha1 | ||
+ | admin_status: yes | ||
+ | peer(remote-IP): | ||
+ | passive:off | ||
+ | verify_identifier: on | ||
+ | lifetime: time 30 min | ||
+ | hash_algorithm[0]: sha1 | ||
+ | encryption_algorithm[0]: aes | ||
+ | my_identifier: address loc-IP | ||
+ | peers_identifier: address remote-IP | ||
+ | |||
+ | Das Gleiche mit getauschten IPs auf dem remote-Host und dann per 'racoon-tool start' anwenden. Fertig. | ||
+ | |||
+ | ---- | ||
mode: transport | mode: transport | ||
keys: preshared | keys: preshared | ||
Zeile 14: | Zeile 35: | ||
# /etc/racoon/psk.txt | # /etc/racoon/psk.txt | ||
# IPv4/v6 addresses | # IPv4/v6 addresses | ||
− | 2001:6f8:1044: | + | 2001:6f8:1044::1 secret |
+ | 2001:6f8:1044::2 secret | ||
#10.160.94.3 mekmitasdigoat | #10.160.94.3 mekmitasdigoat | ||
#172.16.1.133 0x12345678 | #172.16.1.133 0x12345678 | ||
Zeile 32: | Zeile 54: | ||
flush; | flush; | ||
spdflush; | spdflush; | ||
− | spdadd 2001:6f8: | + | spdadd 2001:6f8:1044::1 2001:6f8:1044::2 any -P out ipsec esp/transport//require; |
− | spdadd 2001:6f8:1044:: | + | spdadd 2001:6f8:1044::2 2001:6f8:1044::1 any -P in ipsec esp/transport//require; |
file: setkey.txt | file: setkey.txt | ||
Zeile 42: | Zeile 64: | ||
flush; | flush; | ||
spdflush; | spdflush; | ||
− | spdadd 2001:6f8: | + | spdadd 2001:6f8:1044::1 2001:6f8:1044::2 any -P in ipsec esp/transport//require; |
− | spdadd 2001:6f8:1044:: | + | spdadd 2001:6f8:1044::2 2001:6f8:1044::1 any -P out ipsec esp/transport//require; |
file: racoon.conf | file: racoon.conf | ||
Zeile 53: | Zeile 75: | ||
path pre_shared_key "/etc/racoon/psk.txt"; | path pre_shared_key "/etc/racoon/psk.txt"; | ||
#path certificate "/etc/racoon/certs"; | #path certificate "/etc/racoon/certs"; | ||
− | |||
listen | listen | ||
{ | { | ||
− | isakmp 2001:6f8: | + | isakmp 2001:6f8:1044::1; |
} | } | ||
− | + | remote 2001:6f8:1044::2 | |
− | remote 2001:6f8:1044:: | + | |
{ | { | ||
exchange_mode main; | exchange_mode main; | ||
# my_identifier asn1dn; | # my_identifier asn1dn; | ||
# peers_identifier asn1dn; | # peers_identifier asn1dn; | ||
− | |||
# certificate_type x509 "host-A-cert.pem" "host-A-key.pem"; | # certificate_type x509 "host-A-cert.pem" "host-A-key.pem"; | ||
# peers_certfile x509 "host-B-cert.pem"; | # peers_certfile x509 "host-B-cert.pem"; | ||
− | |||
lifetime time 24 hour; | lifetime time 24 hour; | ||
proposal | proposal | ||
{ | { | ||
− | encryption_algorithm | + | encryption_algorithm aes; |
− | hash_algorithm | + | hash_algorithm sha1; |
authentication_method pre_shared_key; | authentication_method pre_shared_key; | ||
# authentication_method rsasig; | # authentication_method rsasig; | ||
dh_group 2; | dh_group 2; | ||
} | } | ||
+ | } | ||
+ | sainfo address 2001:6f8:1044::1 any address 2001:6f8:1044::2 any | ||
+ | { | ||
+ | lifetime time 1 hour; | ||
+ | encryption_algorithm aes; | ||
+ | authentication_algorithm hmac_sha1; | ||
+ | compression_algorithm deflate; | ||
+ | } | ||
+ | sainfo address 2001:6f8:1044::2 any address 2001:6f8:1044::1 any | ||
+ | { | ||
+ | lifetime time 1 hour; | ||
+ | encryption_algorithm aes; | ||
+ | authentication_algorithm hmac_sha1; | ||
+ | compression_algorithm deflate; | ||
} | } | ||
Zeile 88: | Zeile 120: | ||
path pre_shared_key "/etc/racoon/psk.txt"; | path pre_shared_key "/etc/racoon/psk.txt"; | ||
#path certificate "/etc/racoon/certs"; | #path certificate "/etc/racoon/certs"; | ||
− | |||
listen | listen | ||
{ | { | ||
− | # isakmp 2001:6f8: | + | # isakmp 2001:6f8:1044::1; |
− | isakmp 2001:6f8:1044:: | + | isakmp 2001:6f8:1044::2; |
} | } | ||
− | + | #remote 2001:6f8:1044::2 | |
− | #remote 2001:6f8:1044:: | + | remote 2001:6f8:1044::1 |
− | remote 2001:6f8: | + | |
{ | { | ||
exchange_mode main; | exchange_mode main; | ||
# my_identifier asn1dn; | # my_identifier asn1dn; | ||
# peers_identifier asn1dn; | # peers_identifier asn1dn; | ||
− | |||
# certificate_type x509 "host-B-cert.pem" "host-B-key.pem"; | # certificate_type x509 "host-B-cert.pem" "host-B-key.pem"; | ||
# peers_certfile x509 "host-A-cert.pem"; | # peers_certfile x509 "host-A-cert.pem"; | ||
− | |||
lifetime time 24 hour; | lifetime time 24 hour; | ||
proposal | proposal | ||
{ | { | ||
− | encryption_algorithm | + | encryption_algorithm aes; |
− | hash_algorithm | + | hash_algorithm sha1; |
authentication_method pre_shared_key; | authentication_method pre_shared_key; | ||
# authentication_method rsasig; | # authentication_method rsasig; | ||
dh_group 2; | dh_group 2; | ||
} | } | ||
+ | } | ||
+ | sainfo address 2001:6f8:1044::1 any address 2001:6f8:1044::2 any | ||
+ | { | ||
+ | lifetime time 1 hour; | ||
+ | encryption_algorithm aes; | ||
+ | authentication_algorithm hmac_sha1; | ||
+ | compression_algorithm deflate; | ||
+ | } | ||
+ | sainfo address 2001:6f8:1044::2 any address 2001:6f8:1044::1 any | ||
+ | { | ||
+ | lifetime time 1 hour; | ||
+ | encryption_algorithm aes; | ||
+ | authentication_algorithm hmac_sha1; | ||
+ | compression_algorithm deflate; | ||
} | } | ||
− | + | ---- | |
mode: transport | mode: transport | ||
keys: certificate | keys: certificate | ||
Zeile 131: | Zeile 173: | ||
#path pre_shared_key "/etc/racoon/psk.txt"; | #path pre_shared_key "/etc/racoon/psk.txt"; | ||
path certificate "/etc/racoon/certs"; | path certificate "/etc/racoon/certs"; | ||
− | |||
listen | listen | ||
{ | { | ||
− | isakmp 2001:6f8: | + | isakmp 2001:6f8:1044::1; |
} | } | ||
− | + | remote 2001:6f8:1044::2 | |
− | remote 2001:6f8:1044:: | + | |
{ | { | ||
exchange_mode main; | exchange_mode main; | ||
my_identifier asn1dn; | my_identifier asn1dn; | ||
peers_identifier asn1dn; | peers_identifier asn1dn; | ||
− | |||
certificate_type x509 "host-A-cert.pem" "host-A-key.pem"; | certificate_type x509 "host-A-cert.pem" "host-A-key.pem"; | ||
peers_certfile x509 "host-B-cert.pem"; | peers_certfile x509 "host-B-cert.pem"; | ||
− | |||
lifetime time 24 hour; | lifetime time 24 hour; | ||
proposal | proposal | ||
{ | { | ||
− | encryption_algorithm | + | encryption_algorithm aes; |
− | hash_algorithm | + | hash_algorithm sha1; |
# authentication_method pre_shared_key; | # authentication_method pre_shared_key; | ||
authentication_method rsasig; | authentication_method rsasig; | ||
dh_group 2; | dh_group 2; | ||
} | } | ||
+ | } | ||
+ | sainfo address 2001:6f8:1044::1 any address 2001:6f8:1044::2 any | ||
+ | { | ||
+ | lifetime time 1 hour; | ||
+ | encryption_algorithm aes; | ||
+ | authentication_algorithm hmac_sha1; | ||
+ | compression_algorithm deflate; | ||
+ | } | ||
+ | sainfo address 2001:6f8:1044::2 any address 2001:6f8:1044::1 any | ||
+ | { | ||
+ | lifetime time 1 hour; | ||
+ | encryption_algorithm aes; | ||
+ | authentication_algorithm hmac_sha1; | ||
+ | compression_algorithm deflate; | ||
} | } | ||
Zeile 166: | Zeile 218: | ||
#path pre_shared_key "/etc/racoon/psk.txt"; | #path pre_shared_key "/etc/racoon/psk.txt"; | ||
path certificate "/etc/racoon/certs"; | path certificate "/etc/racoon/certs"; | ||
− | |||
listen | listen | ||
{ | { | ||
− | # isakmp 2001:6f8: | + | # isakmp 2001:6f8:1044::1; |
− | isakmp 2001:6f8:1044:: | + | isakmp 2001:6f8:1044::2; |
} | } | ||
− | + | #remote 2001:6f8:1044::2 | |
− | #remote 2001:6f8:1044:: | + | remote 2001:6f8:1044::1 |
− | remote 2001:6f8: | + | |
{ | { | ||
exchange_mode main; | exchange_mode main; | ||
my_identifier asn1dn; | my_identifier asn1dn; | ||
peers_identifier asn1dn; | peers_identifier asn1dn; | ||
− | |||
certificate_type x509 "host-B-cert.pem" "host-B-key.pem"; | certificate_type x509 "host-B-cert.pem" "host-B-key.pem"; | ||
peers_certfile x509 "host-A-cert.pem"; | peers_certfile x509 "host-A-cert.pem"; | ||
− | |||
lifetime time 24 hour; | lifetime time 24 hour; | ||
proposal | proposal | ||
{ | { | ||
− | encryption_algorithm | + | encryption_algorithm aes; |
− | hash_algorithm | + | hash_algorithm sha1; |
# authentication_method pre_shared_key; | # authentication_method pre_shared_key; | ||
authentication_method rsasig; | authentication_method rsasig; | ||
dh_group 2; | dh_group 2; | ||
} | } | ||
+ | } | ||
+ | sainfo address 2001:6f8:1044::1 any address 2001:6f8:1044::2 any | ||
+ | { | ||
+ | lifetime time 1 hour; | ||
+ | encryption_algorithm aes; | ||
+ | authentication_algorithm hmac_sha1; | ||
+ | compression_algorithm deflate; | ||
+ | } | ||
+ | sainfo address 2001:6f8:1044::2 any address 2001:6f8:1044::1 any | ||
+ | { | ||
+ | lifetime time 1 hour; | ||
+ | encryption_algorithm aes; | ||
+ | authentication_algorithm hmac_sha1; | ||
+ | compression_algorithm deflate; | ||
} | } | ||
+ | ---- | ||
+ | Roadwarrior-Config: | ||
− | + | Ziel: Verbindung von beliebigem Client (zb dynIP) zu Server | |
− | - | + | |
+ | Serversite: | ||
+ | |||
+ | setkey.sh: | ||
+ | - destIP in Bereicht (::/0) geaendert; level von 'require' nach 'use', damit hosts ohne ipsec auch verbinden koennen | ||
+ | |||
+ | #!/usr/sbin/setkey -f | ||
+ | flush; | ||
+ | spdflush; | ||
+ | spdadd 2001:6f8:1044::1 ::/0 any -P out ipsec esp/transport//use; | ||
+ | spdadd ::/0 2001:6f8:1044::1 any -P in ipsec esp/transport//use; | ||
+ | |||
+ | racoon.conf: | ||
+ | - statt feste IPs der client-site, nun "anonymous"; ausserdem auf 'passiv' damit versucht der Server keine Verbindung herzustellen, sondern nur auf eingehende antwortet | ||
+ | |||
+ | #/etc/racoon/racoon.conf | ||
+ | path include "/etc/racoon"; | ||
+ | #path pre_shared_key "/etc/racoon/psk.txt"; | ||
+ | path certificate "/etc/racoon/certs"; | ||
+ | listen | ||
+ | { | ||
+ | isakmp 2001:6f8:900:8a6::2; | ||
+ | } | ||
+ | remote anonymous | ||
+ | { | ||
+ | exchange_mode aggressive,main,base; | ||
+ | my_identifier asn1dn; | ||
+ | certificate_type x509 "host-A-cert.pem" "host-A-key.pem"; | ||
+ | ca_type x509 "cacert.cert"; | ||
+ | passive on; | ||
+ | generate_policy on; | ||
+ | proposal { | ||
+ | encryption_algorithm aes; | ||
+ | hash_algorithm sha1; | ||
+ | authentication_method rsasig; | ||
+ | dh_group 2; | ||
+ | lifetime time 24 hour; | ||
+ | } | ||
+ | } | ||
+ | sainfo anonymous | ||
+ | { | ||
+ | pfs_group 2; | ||
+ | encryption_algorithm aes; | ||
+ | authentication_algorithm hmac_sha1; | ||
+ | compression_algorithm deflate; | ||
+ | |||
+ | client-site: | ||
+ | |||
+ | setkey.conf: kann so bleiben, evtl noch vereinfachbar | ||
+ | |||
+ | #!/usr/sbin/setkey -f | ||
+ | flush; | ||
+ | spdflush; | ||
+ | spdadd 2001:6f8:900:8a6::2 2001:6f8:1044::211:2fff:febe:666a any -P in ipsec esp/transport//require; | ||
+ | spdadd 2001:6f8:1044::211:2fff:febe:666a 2001:6f8:900:8a6::2 any -P out ipsec esp/transport//require; | ||
+ | |||
+ | racoon.conf: | ||
+ | |||
+ | #/etc/racoon/racoon.conf | ||
+ | path include "/etc/racoon"; | ||
+ | path certificate "/etc/racoon/certs"; | ||
+ | listen | ||
+ | { | ||
+ | isakmp 2001:6f8:1044::211:2fff:febe:666a; | ||
+ | } | ||
+ | remote 2001:6f8:900:8a6::2 | ||
+ | { | ||
+ | exchange_mode aggressive,main,base; | ||
+ | my_identifier asn1dn; | ||
+ | peers_identifier asn1dn; | ||
+ | certificate_type x509 "host-B-cert.pem" "host-B-key.pem"; | ||
+ | peers_certfile x509 "host-A-cert.pem"; | ||
+ | lifetime time 24 hour; | ||
+ | proposal | ||
+ | { | ||
+ | encryption_algorithm aes; | ||
+ | hash_algorithm sha1; | ||
+ | authentication_method rsasig; | ||
+ | dh_group 2; | ||
+ | } | ||
+ | } | ||
+ | sainfo anonymous | ||
+ | { | ||
+ | pfs_group 2; | ||
+ | encryption_algorithm aes; | ||
+ | authentication_algorithm hmac_sha1; | ||
+ | compression_algorithm deflate; | ||
+ | } |
Aktuelle Version vom 22. Juli 2009, 10:58 Uhr
beispielconfig fuer ipsec/ipv6
benoetigte pakete:
- ipsec-tools - racoon (evtl schon in ipsec-tools enthalten)
Update: Dem racoon-Paket liegt noch eine weiteres Tool racoon-tool bei. Damit lassen sich die ewig langen Configdateien auf ein Minimum zurecht stutzen. Beispiel für PSK-transport-Config:
file: /etc/racoon/racoon-tool.conf
connection(bezeichner): src_ip: loc-IP dst_ip: remote-IP authentication_algorithm: hmac_sha1 admin_status: yes peer(remote-IP): passive:off verify_identifier: on lifetime: time 30 min hash_algorithm[0]: sha1 encryption_algorithm[0]: aes my_identifier: address loc-IP peers_identifier: address remote-IP
Das Gleiche mit getauschten IPs auf dem remote-Host und dann per 'racoon-tool start' anwenden. Fertig.
mode: transport keys: preshared
file: psk.txt desc: enthaelt preshared keys host: A und B
# /etc/racoon/psk.txt # IPv4/v6 addresses 2001:6f8:1044::1 secret 2001:6f8:1044::2 secret #10.160.94.3 mekmitasdigoat #172.16.1.133 0x12345678 #194.100.55.1 whatcertificatereally #3ffe:501:410:ffff:200:86ff:fe05:80fa mekmitasdigoat #3ffe:501:410:ffff:210:4bff:fea2:8baa mekmitasdigoat # USER_FQDN #foo@kame.net mekmitasdigoat # FQDN #foo.kame.net hoge
file: setkey.txt desc: shellscript to set up spd-policies host: A
#!/usr/sbin/setkey -f flush; spdflush; spdadd 2001:6f8:1044::1 2001:6f8:1044::2 any -P out ipsec esp/transport//require; spdadd 2001:6f8:1044::2 2001:6f8:1044::1 any -P in ipsec esp/transport//require;
file: setkey.txt desc: shellscript to set up spd-policies host: B
#!/usr/sbin/setkey -f flush; spdflush; spdadd 2001:6f8:1044::1 2001:6f8:1044::2 any -P in ipsec esp/transport//require; spdadd 2001:6f8:1044::2 2001:6f8:1044::1 any -P out ipsec esp/transport//require;
file: racoon.conf desc: racoon config for host A - preshared keys host: A
# path include "/etc/racoon"; path pre_shared_key "/etc/racoon/psk.txt"; #path certificate "/etc/racoon/certs"; listen { isakmp 2001:6f8:1044::1; } remote 2001:6f8:1044::2 { exchange_mode main; # my_identifier asn1dn; # peers_identifier asn1dn; # certificate_type x509 "host-A-cert.pem" "host-A-key.pem"; # peers_certfile x509 "host-B-cert.pem"; lifetime time 24 hour; proposal { encryption_algorithm aes; hash_algorithm sha1; authentication_method pre_shared_key; # authentication_method rsasig; dh_group 2; } } sainfo address 2001:6f8:1044::1 any address 2001:6f8:1044::2 any { lifetime time 1 hour; encryption_algorithm aes; authentication_algorithm hmac_sha1; compression_algorithm deflate; } sainfo address 2001:6f8:1044::2 any address 2001:6f8:1044::1 any { lifetime time 1 hour; encryption_algorithm aes; authentication_algorithm hmac_sha1; compression_algorithm deflate; }
file: racoon.conf
desc: racoon config for host B - preshared keys
host: B
# path include "/etc/racoon"; path pre_shared_key "/etc/racoon/psk.txt"; #path certificate "/etc/racoon/certs"; listen { # isakmp 2001:6f8:1044::1; isakmp 2001:6f8:1044::2; } #remote 2001:6f8:1044::2 remote 2001:6f8:1044::1 { exchange_mode main; # my_identifier asn1dn; # peers_identifier asn1dn; # certificate_type x509 "host-B-cert.pem" "host-B-key.pem"; # peers_certfile x509 "host-A-cert.pem"; lifetime time 24 hour; proposal { encryption_algorithm aes; hash_algorithm sha1; authentication_method pre_shared_key; # authentication_method rsasig; dh_group 2; } } sainfo address 2001:6f8:1044::1 any address 2001:6f8:1044::2 any { lifetime time 1 hour; encryption_algorithm aes; authentication_algorithm hmac_sha1; compression_algorithm deflate; } sainfo address 2001:6f8:1044::2 any address 2001:6f8:1044::1 any { lifetime time 1 hour; encryption_algorithm aes; authentication_algorithm hmac_sha1; compression_algorithm deflate; }
mode: transport keys: certificate
desc: only change racoon.conf
file: racoon.conf
desc: racoon config for host A - certs
host: A
# path include "/etc/racoon"; #path pre_shared_key "/etc/racoon/psk.txt"; path certificate "/etc/racoon/certs"; listen { isakmp 2001:6f8:1044::1; } remote 2001:6f8:1044::2 { exchange_mode main; my_identifier asn1dn; peers_identifier asn1dn; certificate_type x509 "host-A-cert.pem" "host-A-key.pem"; peers_certfile x509 "host-B-cert.pem"; lifetime time 24 hour; proposal { encryption_algorithm aes; hash_algorithm sha1; # authentication_method pre_shared_key; authentication_method rsasig; dh_group 2; } } sainfo address 2001:6f8:1044::1 any address 2001:6f8:1044::2 any { lifetime time 1 hour; encryption_algorithm aes; authentication_algorithm hmac_sha1; compression_algorithm deflate; } sainfo address 2001:6f8:1044::2 any address 2001:6f8:1044::1 any { lifetime time 1 hour; encryption_algorithm aes; authentication_algorithm hmac_sha1; compression_algorithm deflate; }
file: racoon.conf
desc: racoon config for host B - certs
host: B
# path include "/etc/racoon"; #path pre_shared_key "/etc/racoon/psk.txt"; path certificate "/etc/racoon/certs"; listen { # isakmp 2001:6f8:1044::1; isakmp 2001:6f8:1044::2; } #remote 2001:6f8:1044::2 remote 2001:6f8:1044::1 { exchange_mode main; my_identifier asn1dn; peers_identifier asn1dn; certificate_type x509 "host-B-cert.pem" "host-B-key.pem"; peers_certfile x509 "host-A-cert.pem"; lifetime time 24 hour; proposal { encryption_algorithm aes; hash_algorithm sha1; # authentication_method pre_shared_key; authentication_method rsasig; dh_group 2; } } sainfo address 2001:6f8:1044::1 any address 2001:6f8:1044::2 any { lifetime time 1 hour; encryption_algorithm aes; authentication_algorithm hmac_sha1; compression_algorithm deflate; } sainfo address 2001:6f8:1044::2 any address 2001:6f8:1044::1 any { lifetime time 1 hour; encryption_algorithm aes; authentication_algorithm hmac_sha1; compression_algorithm deflate; }
Roadwarrior-Config:
Ziel: Verbindung von beliebigem Client (zb dynIP) zu Server
Serversite:
setkey.sh: - destIP in Bereicht (::/0) geaendert; level von 'require' nach 'use', damit hosts ohne ipsec auch verbinden koennen
#!/usr/sbin/setkey -f flush; spdflush; spdadd 2001:6f8:1044::1 ::/0 any -P out ipsec esp/transport//use; spdadd ::/0 2001:6f8:1044::1 any -P in ipsec esp/transport//use;
racoon.conf: - statt feste IPs der client-site, nun "anonymous"; ausserdem auf 'passiv' damit versucht der Server keine Verbindung herzustellen, sondern nur auf eingehende antwortet
#/etc/racoon/racoon.conf path include "/etc/racoon"; #path pre_shared_key "/etc/racoon/psk.txt"; path certificate "/etc/racoon/certs"; listen { isakmp 2001:6f8:900:8a6::2; } remote anonymous { exchange_mode aggressive,main,base; my_identifier asn1dn; certificate_type x509 "host-A-cert.pem" "host-A-key.pem"; ca_type x509 "cacert.cert"; passive on; generate_policy on; proposal { encryption_algorithm aes; hash_algorithm sha1; authentication_method rsasig; dh_group 2; lifetime time 24 hour; } } sainfo anonymous { pfs_group 2; encryption_algorithm aes; authentication_algorithm hmac_sha1; compression_algorithm deflate;
client-site:
setkey.conf: kann so bleiben, evtl noch vereinfachbar
#!/usr/sbin/setkey -f flush; spdflush; spdadd 2001:6f8:900:8a6::2 2001:6f8:1044::211:2fff:febe:666a any -P in ipsec esp/transport//require; spdadd 2001:6f8:1044::211:2fff:febe:666a 2001:6f8:900:8a6::2 any -P out ipsec esp/transport//require;
racoon.conf:
#/etc/racoon/racoon.conf path include "/etc/racoon"; path certificate "/etc/racoon/certs"; listen { isakmp 2001:6f8:1044::211:2fff:febe:666a; } remote 2001:6f8:900:8a6::2 { exchange_mode aggressive,main,base; my_identifier asn1dn; peers_identifier asn1dn; certificate_type x509 "host-B-cert.pem" "host-B-key.pem"; peers_certfile x509 "host-A-cert.pem"; lifetime time 24 hour; proposal { encryption_algorithm aes; hash_algorithm sha1; authentication_method rsasig; dh_group 2; } } sainfo anonymous { pfs_group 2; encryption_algorithm aes; authentication_algorithm hmac_sha1; compression_algorithm deflate; }