Benutzer:Zim/ip6sec: Unterschied zwischen den Versionen
Aus Opennet
Zim (Diskussion | Beiträge) (ips, again) |
Zim (Diskussion | Beiträge) K |
||
| Zeile 54: | Zeile 54: | ||
path pre_shared_key "/etc/racoon/psk.txt"; | path pre_shared_key "/etc/racoon/psk.txt"; | ||
#path certificate "/etc/racoon/certs"; | #path certificate "/etc/racoon/certs"; | ||
| − | |||
listen | listen | ||
{ | { | ||
isakmp 2001:6f8:1044::1; | isakmp 2001:6f8:1044::1; | ||
} | } | ||
| − | |||
remote 2001:6f8:1044::2 | remote 2001:6f8:1044::2 | ||
{ | { | ||
| Zeile 65: | Zeile 63: | ||
# my_identifier asn1dn; | # my_identifier asn1dn; | ||
# peers_identifier asn1dn; | # peers_identifier asn1dn; | ||
| − | |||
# certificate_type x509 "host-A-cert.pem" "host-A-key.pem"; | # certificate_type x509 "host-A-cert.pem" "host-A-key.pem"; | ||
# peers_certfile x509 "host-B-cert.pem"; | # peers_certfile x509 "host-B-cert.pem"; | ||
| − | |||
lifetime time 24 hour; | lifetime time 24 hour; | ||
proposal | proposal | ||
| Zeile 86: | Zeile 82: | ||
compression_algorithm deflate; | compression_algorithm deflate; | ||
} | } | ||
| − | |||
sainfo address 2001:6f8:1044::2 any address 2001:6f8:1044::1 any | sainfo address 2001:6f8:1044::2 any address 2001:6f8:1044::1 any | ||
{ | { | ||
| Zeile 104: | Zeile 99: | ||
path pre_shared_key "/etc/racoon/psk.txt"; | path pre_shared_key "/etc/racoon/psk.txt"; | ||
#path certificate "/etc/racoon/certs"; | #path certificate "/etc/racoon/certs"; | ||
| − | |||
listen | listen | ||
{ | { | ||
| Zeile 110: | Zeile 104: | ||
isakmp 2001:6f8:1044::2; | isakmp 2001:6f8:1044::2; | ||
} | } | ||
| − | |||
#remote 2001:6f8:1044::2 | #remote 2001:6f8:1044::2 | ||
remote 2001:6f8:1044::1 | remote 2001:6f8:1044::1 | ||
| Zeile 117: | Zeile 110: | ||
# my_identifier asn1dn; | # my_identifier asn1dn; | ||
# peers_identifier asn1dn; | # peers_identifier asn1dn; | ||
| − | |||
# certificate_type x509 "host-B-cert.pem" "host-B-key.pem"; | # certificate_type x509 "host-B-cert.pem" "host-B-key.pem"; | ||
# peers_certfile x509 "host-A-cert.pem"; | # peers_certfile x509 "host-A-cert.pem"; | ||
| − | |||
lifetime time 24 hour; | lifetime time 24 hour; | ||
proposal | proposal | ||
| Zeile 138: | Zeile 129: | ||
compression_algorithm deflate; | compression_algorithm deflate; | ||
} | } | ||
| − | + | sainfo address 2001:6f8:1044::2 any address 2001:6f8:1044::1 any | |
| − | sainfo address 2001:6f8:1044::2 any address 2001:6f8:1044::1 any | + | |
{ | { | ||
lifetime time 1 hour; | lifetime time 1 hour; | ||
| Zeile 162: | Zeile 152: | ||
#path pre_shared_key "/etc/racoon/psk.txt"; | #path pre_shared_key "/etc/racoon/psk.txt"; | ||
path certificate "/etc/racoon/certs"; | path certificate "/etc/racoon/certs"; | ||
| − | |||
listen | listen | ||
{ | { | ||
isakmp 2001:6f8:1044::1; | isakmp 2001:6f8:1044::1; | ||
} | } | ||
| − | |||
remote 2001:6f8:1044::2 | remote 2001:6f8:1044::2 | ||
{ | { | ||
| Zeile 173: | Zeile 161: | ||
my_identifier asn1dn; | my_identifier asn1dn; | ||
peers_identifier asn1dn; | peers_identifier asn1dn; | ||
| − | |||
certificate_type x509 "host-A-cert.pem" "host-A-key.pem"; | certificate_type x509 "host-A-cert.pem" "host-A-key.pem"; | ||
peers_certfile x509 "host-B-cert.pem"; | peers_certfile x509 "host-B-cert.pem"; | ||
| − | |||
lifetime time 24 hour; | lifetime time 24 hour; | ||
proposal | proposal | ||
| Zeile 194: | Zeile 180: | ||
compression_algorithm deflate; | compression_algorithm deflate; | ||
} | } | ||
| − | |||
sainfo address 2001:6f8:1044::2 any address 2001:6f8:1044::1 any | sainfo address 2001:6f8:1044::2 any address 2001:6f8:1044::1 any | ||
{ | { | ||
| Zeile 212: | Zeile 197: | ||
#path pre_shared_key "/etc/racoon/psk.txt"; | #path pre_shared_key "/etc/racoon/psk.txt"; | ||
path certificate "/etc/racoon/certs"; | path certificate "/etc/racoon/certs"; | ||
| − | |||
listen | listen | ||
{ | { | ||
| Zeile 218: | Zeile 202: | ||
isakmp 2001:6f8:1044::2; | isakmp 2001:6f8:1044::2; | ||
} | } | ||
| − | |||
#remote 2001:6f8:1044::2 | #remote 2001:6f8:1044::2 | ||
remote 2001:6f8:1044::1 | remote 2001:6f8:1044::1 | ||
| Zeile 225: | Zeile 208: | ||
my_identifier asn1dn; | my_identifier asn1dn; | ||
peers_identifier asn1dn; | peers_identifier asn1dn; | ||
| − | |||
certificate_type x509 "host-B-cert.pem" "host-B-key.pem"; | certificate_type x509 "host-B-cert.pem" "host-B-key.pem"; | ||
peers_certfile x509 "host-A-cert.pem"; | peers_certfile x509 "host-A-cert.pem"; | ||
| − | |||
lifetime time 24 hour; | lifetime time 24 hour; | ||
proposal | proposal | ||
| Zeile 246: | Zeile 227: | ||
compression_algorithm deflate; | compression_algorithm deflate; | ||
} | } | ||
| − | |||
sainfo address 2001:6f8:1044::2 any address 2001:6f8:1044::1 any | sainfo address 2001:6f8:1044::2 any address 2001:6f8:1044::1 any | ||
{ | { | ||
Version vom 9. Februar 2009, 16:05 Uhr
beispielconfig fuer ipsec/ipv6
benoetigte pakete:
- ipsec-tools - racoon (evtl schon in ipsec-tools enthalten)
mode: transport keys: preshared
file: psk.txt desc: enthaelt preshared keys host: A und B
# /etc/racoon/psk.txt # IPv4/v6 addresses 2001:6f8:1044::1 secret 2001:6f8:1044::2 secret #10.160.94.3 mekmitasdigoat #172.16.1.133 0x12345678 #194.100.55.1 whatcertificatereally #3ffe:501:410:ffff:200:86ff:fe05:80fa mekmitasdigoat #3ffe:501:410:ffff:210:4bff:fea2:8baa mekmitasdigoat # USER_FQDN #foo@kame.net mekmitasdigoat # FQDN #foo.kame.net hoge
file: setkey.txt desc: shellscript to set up spd-policies host: A
#!/usr/sbin/setkey -f flush; spdflush; spdadd 2001:6f8:1044::1 2001:6f8:1044::2 any -P out ipsec esp/transport//require; spdadd 2001:6f8:1044::2 2001:6f8:1044::1 any -P in ipsec esp/transport//require;
file: setkey.txt desc: shellscript to set up spd-policies host: B
#!/usr/sbin/setkey -f flush; spdflush; spdadd 2001:6f8:1044::1 2001:6f8:1044::2 any -P in ipsec esp/transport//require; spdadd 2001:6f8:1044::2 2001:6f8:1044::1 any -P out ipsec esp/transport//require;
file: racoon.conf desc: racoon config for host A - preshared keys host: A
#
path include "/etc/racoon";
path pre_shared_key "/etc/racoon/psk.txt";
#path certificate "/etc/racoon/certs";
listen
{
isakmp 2001:6f8:1044::1;
}
remote 2001:6f8:1044::2
{
exchange_mode main;
# my_identifier asn1dn;
# peers_identifier asn1dn;
# certificate_type x509 "host-A-cert.pem" "host-A-key.pem";
# peers_certfile x509 "host-B-cert.pem";
lifetime time 24 hour;
proposal
{
encryption_algorithm aes;
hash_algorithm sha1;
authentication_method pre_shared_key;
# authentication_method rsasig;
dh_group 2;
}
}
sainfo address 2001:6f8:1044::1 any address 2001:6f8:1044::2 any
{
lifetime time 1 hour;
encryption_algorithm aes;
authentication_algorithm hmac_sha1;
compression_algorithm deflate;
}
sainfo address 2001:6f8:1044::2 any address 2001:6f8:1044::1 any
{
lifetime time 1 hour;
encryption_algorithm aes;
authentication_algorithm hmac_sha1;
compression_algorithm deflate;
}
file: racoon.conf
desc: racoon config for host B - preshared keys
host: B
#
path include "/etc/racoon";
path pre_shared_key "/etc/racoon/psk.txt";
#path certificate "/etc/racoon/certs";
listen
{
# isakmp 2001:6f8:1044::1;
isakmp 2001:6f8:1044::2;
}
#remote 2001:6f8:1044::2
remote 2001:6f8:1044::1
{
exchange_mode main;
# my_identifier asn1dn;
# peers_identifier asn1dn;
# certificate_type x509 "host-B-cert.pem" "host-B-key.pem";
# peers_certfile x509 "host-A-cert.pem";
lifetime time 24 hour;
proposal
{
encryption_algorithm aes;
hash_algorithm sha1;
authentication_method pre_shared_key;
# authentication_method rsasig;
dh_group 2;
}
}
sainfo address 2001:6f8:1044::1 any address 2001:6f8:1044::2 any
{
lifetime time 1 hour;
encryption_algorithm aes;
authentication_algorithm hmac_sha1;
compression_algorithm deflate;
}
sainfo address 2001:6f8:1044::2 any address 2001:6f8:1044::1 any
{
lifetime time 1 hour;
encryption_algorithm aes;
authentication_algorithm hmac_sha1;
compression_algorithm deflate;
}
mode: transport
keys: certificate
desc: only change racoon.conf
file: racoon.conf
desc: racoon config for host A - certs
host: A
#
path include "/etc/racoon";
#path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";
listen
{
isakmp 2001:6f8:1044::1;
}
remote 2001:6f8:1044::2
{
exchange_mode main;
my_identifier asn1dn;
peers_identifier asn1dn;
certificate_type x509 "host-A-cert.pem" "host-A-key.pem";
peers_certfile x509 "host-B-cert.pem";
lifetime time 24 hour;
proposal
{
encryption_algorithm aes;
hash_algorithm sha1;
# authentication_method pre_shared_key;
authentication_method rsasig;
dh_group 2;
}
}
sainfo address 2001:6f8:1044::1 any address 2001:6f8:1044::2 any
{
lifetime time 1 hour;
encryption_algorithm aes;
authentication_algorithm hmac_sha1;
compression_algorithm deflate;
}
sainfo address 2001:6f8:1044::2 any address 2001:6f8:1044::1 any
{
lifetime time 1 hour;
encryption_algorithm aes;
authentication_algorithm hmac_sha1;
compression_algorithm deflate;
}
file: racoon.conf
desc: racoon config for host B - certs
host: B
#
path include "/etc/racoon";
#path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";
listen
{
# isakmp 2001:6f8:1044::1;
isakmp 2001:6f8:1044::2;
}
#remote 2001:6f8:1044::2
remote 2001:6f8:1044::1
{
exchange_mode main;
my_identifier asn1dn;
peers_identifier asn1dn;
certificate_type x509 "host-B-cert.pem" "host-B-key.pem";
peers_certfile x509 "host-A-cert.pem";
lifetime time 24 hour;
proposal
{
encryption_algorithm aes;
hash_algorithm sha1;
# authentication_method pre_shared_key;
authentication_method rsasig;
dh_group 2;
}
}
sainfo address 2001:6f8:1044::1 any address 2001:6f8:1044::2 any
{
lifetime time 1 hour;
encryption_algorithm aes;
authentication_algorithm hmac_sha1;
compression_algorithm deflate;
}
sainfo address 2001:6f8:1044::2 any address 2001:6f8:1044::1 any
{
lifetime time 1 hour;
encryption_algorithm aes;
authentication_algorithm hmac_sha1;
compression_algorithm deflate;
}
todo:
- roadwarrior-mode
