Benutzer:Zim/ip6sec: Unterschied zwischen den Versionen

(start, pre-shared)
 
(certificate)
Zeile 112: Zeile 112:
 
                 authentication_method pre_shared_key;
 
                 authentication_method pre_shared_key;
 
#                authentication_method rsasig;
 
#                authentication_method rsasig;
 +
                dh_group 2;
 +
        }
 +
}
 +
 +
 +
mode: transport
 +
keys: certificate
 +
 +
desc: only change racoon.conf
 +
 +
 +
file: racoon.conf
 +
desc:
 +
host: A
 +
 +
#
 +
path include "/etc/racoon";
 +
#path pre_shared_key "/etc/racoon/psk.txt";
 +
path certificate "/etc/racoon/certs";
 +
 +
listen
 +
{
 +
        isakmp  2001:6f8:900:8a6::2;
 +
}
 +
 +
remote 2001:6f8:1044::211:2fff:febe:666a
 +
{
 +
        exchange_mode main;
 +
        my_identifier asn1dn;
 +
        peers_identifier asn1dn;
 +
 +
        certificate_type x509 "re01.dyndns.org-cert.pem" "re01.dyndns.org-key.pem";
 +
        peers_certfile x509 "ramiel-cert.pem";
 +
 +
        lifetime time 24 hour;
 +
        proposal
 +
        {
 +
                encryption_algorithm 3des;
 +
                hash_algorithm md5;
 +
#                authentication_method pre_shared_key;
 +
                authentication_method rsasig;
 +
                dh_group 2;
 +
        }
 +
}
 +
 +
 +
file: racoon.conf
 +
desc:
 +
host: B
 +
 +
#
 +
path include "/etc/racoon";
 +
#path pre_shared_key "/etc/racoon/psk.txt";
 +
path certificate "/etc/racoon/certs";
 +
 +
listen
 +
{
 +
#      isakmp  2001:6f8:900:8a6::2;
 +
        isakmp  2001:6f8:1044::211:2fff:febe:666a;
 +
}
 +
 +
#remote 2001:6f8:1044::211:2fff:febe:666a
 +
remote 2001:6f8:900:8a6::2
 +
{
 +
        exchange_mode main;
 +
        my_identifier asn1dn;
 +
        peers_identifier asn1dn;
 +
 +
        certificate_type x509 "ramiel-cert.pem" "ramiel-key.pem";
 +
        peers_certfile x509 "re01.dyndns.org-cert.pem";
 +
 +
        lifetime time 24 hour;
 +
        proposal
 +
        {
 +
                encryption_algorithm 3des;
 +
                hash_algorithm md5;
 +
#                authentication_method pre_shared_key;
 +
                authentication_method rsasig;
 
                 dh_group 2;
 
                 dh_group 2;
 
         }
 
         }
 
}
 
}
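Review bot: Both `remote` blocks added in this revision still propose `encryption_algorithm 3des; hash_algorithm md5; dh_group 2;`, which are the weakest choices racoon accepts (a 64-bit block cipher, a broken hash used as IKE PRF/integrity, and 1024-bit MODP); racoon also understands `encryption_algorithm aes 256; hash_algorithm sha256; dh_group 14;`, so both sides should move to those unless one peer runs an ipsec-tools too old to support them. Separately, `peers_identifier asn1dn;` is only enforced when `verify_identifier on;` is also set in the `remote` block — per racoon.conf(5) the default is off, so as written the peer's ID payload is not compared against the pinned `peers_certfile`; adding `verify_identifier on;` directly below `peers_identifier asn1dn;` on both hosts closes that gap. The two `-key.pem` files referenced by `certificate_type x509` live in /etc/racoon/certs and must be root-owned and mode 0600, since racoon rejects private-key files with group/other permissions. Both `remote` blocks are fully within the hunk.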

Version vom 8. Februar 2009, 15:33 Uhr

Beispielkonfiguration für IPsec (ESP im Transport-Modus) zwischen zwei IPv6-Hosts A und B mit racoon (IKEv1). Die hier verwendeten Proposals (3des, md5, dh_group 2) entsprechen dem Stand von 2009 und gelten heute als schwach; racoon akzeptiert auch `encryption_algorithm aes 256; hash_algorithm sha256; dh_group 14;`, was auf aktuellen ipsec-tools-Versionen auf beiden Seiten vorzuziehen ist.

Benötigte Pakete: ipsec-tools (liefert setkey) und racoon (je nach Distribution bereits im Paket ipsec-tools enthalten).

Variante 1 – mode: transport, keys: preshared

file: /etc/racoon/psk.txt – desc: enthält die Pre-Shared Keys; Inhalt auf Host A und B identisch. Die Datei muss root gehören und darf nur für root lesbar sein (chmod 0600), racoon prüft die Rechte und verweigert sonst das Einlesen. Der Key selbst sollte ein langer Zufallswert sein, nicht wie im Beispiel das Wort „secret“; die auskommentierten Beispieleinträge aus der KAME-Vorlage können entfernt werden.

# /etc/racoon/psk.txt
# IPv4/v6 addresses

2001:6f8:1044:0:211:2fff:febe:666a secret

#10.160.94.3 mekmitasdigoat
#172.16.1.133 0x12345678
#194.100.55.1 whatcertificatereally
#3ffe:501:410:ffff:200:86ff:fe05:80fa mekmitasdigoat
#3ffe:501:410:ffff:210:4bff:fea2:8baa mekmitasdigoat
# USER_FQDN
#foo@kame.net mekmitasdigoat
# FQDN
#foo.kame.net hoge

file: setkey.txt – desc: Shell-Skript, das die SPD-Policies setzt (ESP im Transport-Modus in beide Richtungen erzwingen) – host: A

#!/usr/sbin/setkey -f

flush;
spdflush;
spdadd 2001:6f8:900:8a6::2 2001:6f8:1044::211:2fff:febe:666a any -P out ipsec esp/transport//require;
spdadd 2001:6f8:1044::211:2fff:febe:666a 2001:6f8:900:8a6::2 any -P in ipsec esp/transport//require;

file: setkey.txt – desc: Shell-Skript, das die SPD-Policies setzt (gleiche Policies wie auf A, nur in/out vertauscht) – host: B

#!/usr/sbin/setkey -f

flush;
spdflush;
spdadd 2001:6f8:900:8a6::2 2001:6f8:1044::211:2fff:febe:666a any -P in ipsec esp/transport//require;
spdadd 2001:6f8:1044::211:2fff:febe:666a 2001:6f8:900:8a6::2 any -P out ipsec esp/transport//require;

file: /etc/racoon/racoon.conf – host: A (Variante preshared)

path include "/etc/racoon";
path pre_shared_key "/etc/racoon/psk.txt";

#path certificate "/etc/racoon/certs";

listen {

       isakmp  2001:6f8:900:8a6::2;

}

remote 2001:6f8:1044::211:2fff:febe:666a {

       exchange_mode main;
#        my_identifier asn1dn;
#        peers_identifier asn1dn;
#        certificate_type x509 "re01.dyndns.org-cert.pem" "re01.dyndns.org-key.pem";
#        peers_certfile x509 "ramiel-cert.pem";
       lifetime time 24 hour;
       proposal
       {
               encryption_algorithm 3des;
               hash_algorithm md5;
               authentication_method pre_shared_key;
#                authentication_method rsasig;
               dh_group 2;
       }

}


file: /etc/racoon/racoon.conf – host: B (Variante preshared)

path include "/etc/racoon";
path pre_shared_key "/etc/racoon/psk.txt";

#path certificate "/etc/racoon/certs";

listen {

#       isakmp  2001:6f8:900:8a6::2;
       isakmp  2001:6f8:1044::211:2fff:febe:666a;

}

#remote 2001:6f8:1044::211:2fff:febe:666a

remote 2001:6f8:900:8a6::2 {

       exchange_mode main;
#        my_identifier asn1dn;
#        peers_identifier asn1dn;
#        certificate_type x509 "ramiel-cert.pem" "ramiel-key.pem";
#        peers_certfile x509 "re01.dyndns.org-cert.pem";
       lifetime time 24 hour;
       proposal
       {
               encryption_algorithm 3des;
               hash_algorithm md5;
               authentication_method pre_shared_key;
#                authentication_method rsasig;
               dh_group 2;
       }

}


Variante 2 – mode: transport, keys: certificate (X.509-Zertifikate, Authentisierung per RSA-Signatur)

desc: setkey.txt bleibt unverändert, es wird nur racoon.conf angepasst; psk.txt wird in dieser Variante nicht mehr benötigt. Zertifikat und privater Schlüssel jedes Hosts sowie das Zertifikat des Peers liegen in /etc/racoon/certs; die *-key.pem-Dateien müssen root gehören und mode 0600 haben. Hinweis: racoon prüft das Peer-Zertifikat standardmäßig (verify_cert on) gegen die CA-Zertifikate im path-certificate-Verzeichnis – bei Zertifikatsfehlern beim Aufbau ist das die erste Stelle zum Nachsehen. Zusätzlich sollte in beiden remote-Blöcken `verify_identifier on;` gesetzt werden, da racoon die peers_identifier sonst nicht gegen die ID des Gegenübers prüft (Default off).


file: /etc/racoon/racoon.conf – host: A (Variante certificate)

path include "/etc/racoon";

#path pre_shared_key "/etc/racoon/psk.txt";

path certificate "/etc/racoon/certs";

listen {

       isakmp  2001:6f8:900:8a6::2;

}

remote 2001:6f8:1044::211:2fff:febe:666a {

       exchange_mode main;
       my_identifier asn1dn;
       peers_identifier asn1dn;
       certificate_type x509 "re01.dyndns.org-cert.pem" "re01.dyndns.org-key.pem";
       peers_certfile x509 "ramiel-cert.pem";
       lifetime time 24 hour;
       proposal
       {
               encryption_algorithm 3des;
               hash_algorithm md5;
#                authentication_method pre_shared_key;
               authentication_method rsasig;
               dh_group 2;
       }

}


file: /etc/racoon/racoon.conf – host: B (Variante certificate)

path include "/etc/racoon";

#path pre_shared_key "/etc/racoon/psk.txt";

path certificate "/etc/racoon/certs";

listen {

#       isakmp  2001:6f8:900:8a6::2;
       isakmp  2001:6f8:1044::211:2fff:febe:666a;

}

#remote 2001:6f8:1044::211:2fff:febe:666a

remote 2001:6f8:900:8a6::2 {

       exchange_mode main;
       my_identifier asn1dn;
       peers_identifier asn1dn;
       certificate_type x509 "ramiel-cert.pem" "ramiel-key.pem";
       peers_certfile x509 "re01.dyndns.org-cert.pem";
       lifetime time 24 hour;
       proposal
       {
               encryption_algorithm 3des;
               hash_algorithm md5;
#                authentication_method pre_shared_key;
               authentication_method rsasig;
               dh_group 2;
       }

}
