Benutzer:Zim/ip6sec: Unterschied zwischen den Versionen

(dateinamen verallgemeinert)
(code formatiert)
Zeile 12: Zeile 12:
 
host: A und B
 
host: A und B
  
# /etc/racoon/psk.txt
+
# /etc/racoon/psk.txt
# IPv4/v6 addresses
+
# IPv4/v6 addresses
2001:6f8:1044:0:211:2fff:febe:666a      secret
+
2001:6f8:1044:0:211:2fff:febe:666a      secret
#10.160.94.3    mekmitasdigoat
+
#10.160.94.3    mekmitasdigoat
#172.16.1.133  0x12345678
+
#172.16.1.133  0x12345678
#194.100.55.1  whatcertificatereally
+
#194.100.55.1  whatcertificatereally
#3ffe:501:410:ffff:200:86ff:fe05:80fa  mekmitasdigoat
+
#3ffe:501:410:ffff:200:86ff:fe05:80fa  mekmitasdigoat
#3ffe:501:410:ffff:210:4bff:fea2:8baa  mekmitasdigoat
+
#3ffe:501:410:ffff:210:4bff:fea2:8baa  mekmitasdigoat
# USER_FQDN
+
# USER_FQDN
#foo@kame.net  mekmitasdigoat
+
#foo@kame.net  mekmitasdigoat
# FQDN
+
# FQDN
#foo.kame.net  hoge
+
#foo.kame.net  hoge
  
 
file: setkey.txt
 
file: setkey.txt
Zeile 29: Zeile 29:
 
host: A
 
host: A
  
#!/usr/sbin/setkey -f
+
#!/usr/sbin/setkey -f
flush;
+
flush;
spdflush;
+
spdflush;
spdadd 2001:6f8:900:8a6::2 2001:6f8:1044::211:2fff:febe:666a any -P out ipsec esp/transport//require;
+
spdadd 2001:6f8:900:8a6::2 2001:6f8:1044::211:2fff:febe:666a any -P out ipsec esp/transport//require;
spdadd 2001:6f8:1044::211:2fff:febe:666a 2001:6f8:900:8a6::2 any -P in ipsec esp/transport//require;
+
spdadd 2001:6f8:1044::211:2fff:febe:666a 2001:6f8:900:8a6::2 any -P in ipsec esp/transport//require;
  
 
file: setkey.txt
 
file: setkey.txt
Zeile 39: Zeile 39:
 
host: B
 
host: B
  
#!/usr/sbin/setkey -f
+
#!/usr/sbin/setkey -f
flush;
+
flush;
spdflush;
+
spdflush;
spdadd 2001:6f8:900:8a6::2 2001:6f8:1044::211:2fff:febe:666a any -P in ipsec esp/transport//require;
+
spdadd 2001:6f8:900:8a6::2 2001:6f8:1044::211:2fff:febe:666a any -P in ipsec esp/transport//require;
spdadd 2001:6f8:1044::211:2fff:febe:666a 2001:6f8:900:8a6::2 any -P out ipsec esp/transport//require;
+
spdadd 2001:6f8:1044::211:2fff:febe:666a 2001:6f8:900:8a6::2 any -P out ipsec esp/transport//require;
  
 
file: racoon.conf
 
file: racoon.conf
Zeile 49: Zeile 49:
 
host: A
 
host: A
  
#
+
#
path include "/etc/racoon";
+
path include "/etc/racoon";
path pre_shared_key "/etc/racoon/psk.txt";
+
path pre_shared_key "/etc/racoon/psk.txt";
#path certificate "/etc/racoon/certs";
+
#path certificate "/etc/racoon/certs";
  
listen
+
listen
{
+
{
 
         isakmp  2001:6f8:900:8a6::2;
 
         isakmp  2001:6f8:900:8a6::2;
}
+
}
  
remote 2001:6f8:1044::211:2fff:febe:666a
+
remote 2001:6f8:1044::211:2fff:febe:666a
{
+
{
 
         exchange_mode main;
 
         exchange_mode main;
#        my_identifier asn1dn;
+
#        my_identifier asn1dn;
#        peers_identifier asn1dn;
+
#        peers_identifier asn1dn;
  
#        certificate_type x509 "host-A-cert.pem" "host-A-key.pem";
+
#        certificate_type x509 "host-A-cert.pem" "host-A-key.pem";
#        peers_certfile x509 "host-B-cert.pem";
+
#        peers_certfile x509 "host-B-cert.pem";
  
 
         lifetime time 24 hour;
 
         lifetime time 24 hour;
Zeile 74: Zeile 74:
 
                 hash_algorithm md5;
 
                 hash_algorithm md5;
 
                 authentication_method pre_shared_key;
 
                 authentication_method pre_shared_key;
#                authentication_method rsasig;
+
#                authentication_method rsasig;
 
                 dh_group 2;
 
                 dh_group 2;
 
         }
 
         }
}
+
}
  
  
Zeile 84: Zeile 84:
 
host: B
 
host: B
  
#
+
#
path include "/etc/racoon";
+
path include "/etc/racoon";
path pre_shared_key "/etc/racoon/psk.txt";
+
path pre_shared_key "/etc/racoon/psk.txt";
#path certificate "/etc/racoon/certs";
+
#path certificate "/etc/racoon/certs";
  
listen
+
listen
{
+
{
#      isakmp  2001:6f8:900:8a6::2;
+
#      isakmp  2001:6f8:900:8a6::2;
 
         isakmp  2001:6f8:1044::211:2fff:febe:666a;
 
         isakmp  2001:6f8:1044::211:2fff:febe:666a;
}
+
}
  
#remote 2001:6f8:1044::211:2fff:febe:666a
+
#remote 2001:6f8:1044::211:2fff:febe:666a
remote 2001:6f8:900:8a6::2
+
remote 2001:6f8:900:8a6::2
{
+
{
 
         exchange_mode main;
 
         exchange_mode main;
#        my_identifier asn1dn;
+
#        my_identifier asn1dn;
#        peers_identifier asn1dn;
+
#        peers_identifier asn1dn;
  
#        certificate_type x509 "host-B-cert.pem" "host-B-key.pem";
+
#        certificate_type x509 "host-B-cert.pem" "host-B-key.pem";
#        peers_certfile x509 "host-A-cert.pem";
+
#        peers_certfile x509 "host-A-cert.pem";
  
 
         lifetime time 24 hour;
 
         lifetime time 24 hour;
Zeile 111: Zeile 111:
 
                 hash_algorithm md5;
 
                 hash_algorithm md5;
 
                 authentication_method pre_shared_key;
 
                 authentication_method pre_shared_key;
#                authentication_method rsasig;
+
#                authentication_method rsasig;
 
                 dh_group 2;
 
                 dh_group 2;
 
         }
 
         }
}
+
}
  
  
Zeile 127: Zeile 127:
 
host: A
 
host: A
  
#
+
#
path include "/etc/racoon";
+
path include "/etc/racoon";
#path pre_shared_key "/etc/racoon/psk.txt";
+
#path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";
+
path certificate "/etc/racoon/certs";
  
listen
+
listen
{
+
{
 
         isakmp  2001:6f8:900:8a6::2;
 
         isakmp  2001:6f8:900:8a6::2;
}
+
}
  
remote 2001:6f8:1044::211:2fff:febe:666a
+
remote 2001:6f8:1044::211:2fff:febe:666a
{
+
{
 
         exchange_mode main;
 
         exchange_mode main;
 
         my_identifier asn1dn;
 
         my_identifier asn1dn;
Zeile 151: Zeile 151:
 
                 encryption_algorithm 3des;
 
                 encryption_algorithm 3des;
 
                 hash_algorithm md5;
 
                 hash_algorithm md5;
#                authentication_method pre_shared_key;
+
#                authentication_method pre_shared_key;
 
                 authentication_method rsasig;
 
                 authentication_method rsasig;
 
                 dh_group 2;
 
                 dh_group 2;
 
         }
 
         }
}
+
}
  
  
Zeile 162: Zeile 162:
 
host: B
 
host: B
  
#
+
#
path include "/etc/racoon";
+
path include "/etc/racoon";
#path pre_shared_key "/etc/racoon/psk.txt";
+
#path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";
+
path certificate "/etc/racoon/certs";
  
listen
+
listen
{
+
{
#      isakmp  2001:6f8:900:8a6::2;
+
#      isakmp  2001:6f8:900:8a6::2;
 
         isakmp  2001:6f8:1044::211:2fff:febe:666a;
 
         isakmp  2001:6f8:1044::211:2fff:febe:666a;
}
+
}
  
#remote 2001:6f8:1044::211:2fff:febe:666a
+
#remote 2001:6f8:1044::211:2fff:febe:666a
remote 2001:6f8:900:8a6::2
+
remote 2001:6f8:900:8a6::2
{
+
{
 
         exchange_mode main;
 
         exchange_mode main;
 
         my_identifier asn1dn;
 
         my_identifier asn1dn;
Zeile 188: Zeile 188:
 
                 encryption_algorithm 3des;
 
                 encryption_algorithm 3des;
 
                 hash_algorithm md5;
 
                 hash_algorithm md5;
#                authentication_method pre_shared_key;
+
#                authentication_method pre_shared_key;
 
                 authentication_method rsasig;
 
                 authentication_method rsasig;
 
                 dh_group 2;
 
                 dh_group 2;
 
         }
 
         }
}
+
}

Version vom 8. Februar 2009, 15:38 Uhr

Beispielkonfiguration fuer IPsec ueber IPv6: Transport-Modus zwischen zwei Hosts A und B, Schluesselaushandlung per IKEv1 mit racoon (ipsec-tools). Die Beispiele sind ein Minimalaufbau und muessen vor produktivem Einsatz angepasst werden (eigene Adressen, eigener Key bzw. eigene Zertifikate).

benoetigte pakete: ipsec-tools (liefert setkey) und racoon (IKE-Daemon; je nach Distribution im Paket ipsec-tools enthalten oder als eigenes Paket)

mode: transport keys: preshared

file: psk.txt desc: enthaelt die Preshared Keys. racoon sucht den Key anhand der Adresse der Gegenstelle: auf Host A wird also die Adresse von B, auf Host B die Adresse von A benoetigt; eine Datei mit beiden Eintraegen kann unveraendert auf beiden Hosts liegen. Die Datei enthaelt den Schluessel im Klartext und darf nur fuer root lesbar sein (chmod 600). host: A und B

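# /etc/racoon/psk.txt
#
# Pre-shared keys for racoon, one per line: <peer identifier> <key>.
# racoon selects the key by the PEER's identifier -- with main mode and the
# default address identifiers that is the peer's IPv6 address. The original
# listing only had host B's address, so it worked on host A only; with both
# addresses present the same file can be deployed on both hosts (each host
# only ever uses the line that belongs to its peer, the other one is unused).
#
# Security notes:
#  - "secret" is a placeholder. Replace it on both hosts with the same long,
#    random key (e.g. `openssl rand -base64 32`). A guessable PSK can be
#    attacked offline once an attacker records a handshake.
#  - The file holds the raw key: chown root, chmod 600. racoon's own
#    documentation requires the file not to be readable by others.
#
# IPv4/v6 addresses
# peer A (used on host B):
2001:6f8:900:8a6::2                     secret
# peer B (used on host A):
2001:6f8:1044:0:211:2fff:febe:666a      secret
#
# Remaining lines are format examples from the racoon sample file.
#10.160.94.3    mekmitasdigoat
#172.16.1.133   0x12345678
#194.100.55.1   whatcertificatereally
#3ffe:501:410:ffff:200:86ff:fe05:80fa   mekmitasdigoat
#3ffe:501:410:ffff:210:4bff:fea2:8baa   mekmitasdigoat
# USER_FQDN
#foo@kame.net   mekmitasdigoat
# FQDN
#foo.kame.net   hoge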

file: setkey.txt desc: setkey-Skript (wird von setkey -f gelesen, kein Shellskript) zum Setzen der SPD-Policies; loescht vorher ALLE SAs und Policies des Hosts host: A

#!/usr/sbin/setkey -f
# Host A: IPsec policies (SPD) for the A <-> B link. Load as root with
# `setkey -f setkey.txt`; racoon then negotiates the SAs on demand.
# NOTE: both flushes clear ALL SAs and policies on this host, not only the
# ones for B -- any other IPsec configuration present is wiped as well.
flush;
spdflush;
# Every protocol from A to B must use ESP in transport mode. 'require'
# means packets without a matching SA are never sent in the clear.
spdadd 2001:6f8:900:8a6::2 2001:6f8:1044::211:2fff:febe:666a any -P out ipsec esp/transport//require;
# Same requirement for traffic arriving from B.
spdadd 2001:6f8:1044::211:2fff:febe:666a 2001:6f8:900:8a6::2 any -P in ipsec esp/transport//require;

file: setkey.txt desc: setkey-Skript (wird von setkey -f gelesen, kein Shellskript) zum Setzen der SPD-Policies; loescht vorher ALLE SAs und Policies des Hosts host: B

#!/usr/sbin/setkey -f
# Host B: IPsec policies (SPD) for the A <-> B link, mirror image of host A
# (directions swapped). Load as root with `setkey -f setkey.txt`.
# NOTE: both flushes clear ALL SAs and policies on this host, not only the
# ones for A -- any other IPsec configuration present is wiped as well.
flush;
spdflush;
# Traffic arriving from A must be ESP in transport mode ('require': no
# clear-text fallback when no SA exists).
spdadd 2001:6f8:900:8a6::2 2001:6f8:1044::211:2fff:febe:666a any -P in ipsec esp/transport//require;
# Same requirement for traffic sent to A.
spdadd 2001:6f8:1044::211:2fff:febe:666a 2001:6f8:900:8a6::2 any -P out ipsec esp/transport//require;

file: racoon.conf desc: host: A

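# /etc/racoon/racoon.conf -- host A, transport mode, pre-shared key
#
# Phase 1 (ISAKMP SA) with peer B is authenticated with the key from
# psk.txt; phase 2 (IPsec SA) parameters come from the sainfo block below.
path include "/etc/racoon";
# Holds the raw key: must be root-owned and not readable by others (chmod 600).
path pre_shared_key "/etc/racoon/psk.txt";

listen
{
        # Accept IKE (UDP/500) on host A's address only; without this racoon
        # listens on every interface.
        isakmp  2001:6f8:900:8a6::2;
}

# Phase 1 with host B.
remote 2001:6f8:1044::211:2fff:febe:666a
{
        # Keep main mode. With PSK authentication, aggressive mode sends the
        # identity and a PSK-derived hash unencrypted, which allows offline
        # dictionary attacks against the key.
        exchange_mode main;
        lifetime time 24 hour;

        # Preferred proposal. The original 3des/md5/dh_group 2 (1024-bit
        # MODP) set is obsolete; aes, sha1 and dh_group 14 (2048-bit MODP)
        # are supported by ipsec-tools racoon -- use sha256 if your build
        # accepts it, and fall back to dh_group 5 only if 14 is rejected.
        proposal
        {
                encryption_algorithm aes;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 14;
        }

        # Legacy fallback so a peer still running the original example can
        # connect. TODO: delete this block once host B is updated as well --
        # while it is here a downgrade to 3des/md5 remains negotiable.
        proposal
        {
                encryption_algorithm 3des;
                hash_algorithm md5;
                authentication_method pre_shared_key;
                dh_group 2;
        }
}

# Phase 2 parameters. The listing on this page shows no sainfo block, but
# racoon needs one to negotiate the IPsec SA; without it the log reports
# "failed to get sainfo" and the 'require' policies never pass traffic.
sainfo anonymous
{
        pfs_group 14;
        lifetime time 1 hour;
        encryption_algorithm aes;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}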


file: racoon.conf desc: host: B

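# /etc/racoon/racoon.conf -- host B, transport mode, pre-shared key
#
# Mirror image of host A's file: phase 1 with peer A is authenticated with
# the key from psk.txt; phase 2 parameters come from the sainfo block below.
path include "/etc/racoon";
# Holds the raw key: must be root-owned and not readable by others (chmod 600).
path pre_shared_key "/etc/racoon/psk.txt";

listen
{
        # Accept IKE (UDP/500) on host B's address only; without this racoon
        # listens on every interface.
        isakmp  2001:6f8:1044::211:2fff:febe:666a;
}

# Phase 1 with host A.
remote 2001:6f8:900:8a6::2
{
        # Keep main mode. With PSK authentication, aggressive mode sends the
        # identity and a PSK-derived hash unencrypted, which allows offline
        # dictionary attacks against the key.
        exchange_mode main;
        lifetime time 24 hour;

        # Preferred proposal. The original 3des/md5/dh_group 2 (1024-bit
        # MODP) set is obsolete; aes, sha1 and dh_group 14 (2048-bit MODP)
        # are supported by ipsec-tools racoon -- use sha256 if your build
        # accepts it, and fall back to dh_group 5 only if 14 is rejected.
        proposal
        {
                encryption_algorithm aes;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 14;
        }

        # Legacy fallback so a peer still running the original example can
        # connect. TODO: delete this block once host A is updated as well --
        # while it is here a downgrade to 3des/md5 remains negotiable.
        proposal
        {
                encryption_algorithm 3des;
                hash_algorithm md5;
                authentication_method pre_shared_key;
                dh_group 2;
        }
}

# Phase 2 parameters. The listing on this page shows no sainfo block, but
# racoon needs one to negotiate the IPsec SA; without it the log reports
# "failed to get sainfo" and the 'require' policies never pass traffic.
sainfo anonymous
{
        pfs_group 14;
        lifetime time 1 hour;
        encryption_algorithm aes;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}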


mode: transport keys: certificate

desc: es aendert sich nur racoon.conf (setkey.txt bleibt gleich, psk.txt wird nicht mehr benoetigt). Zusaetzlich muessen die in racoon.conf referenzierten Dateien (host-A-cert.pem und host-A-key.pem bzw. host-B-cert.pem und host-B-key.pem sowie das Zertifikat der Gegenstelle) unter /etc/racoon/certs liegen; der private Schluessel darf nur fuer root lesbar sein (chmod 600).


file: racoon.conf desc: host: A

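# /etc/racoon/racoon.conf -- host A, transport mode, X.509 certificates
#
# Phase 1 with peer B is authenticated with RSA signatures; certificates
# and keys live in /etc/racoon/certs. Phase 2 parameters come from the
# sainfo block below.
path include "/etc/racoon";
# Directory holding host-A-cert.pem, host-A-key.pem and host-B-cert.pem.
# racoon's default verify_cert on additionally validates the peer
# certificate against CA certificates in this directory, which must be
# present under their hash names (openssl c_rehash /etc/racoon/certs);
# otherwise phase 1 fails even though the peer certificate is pinned below.
# The private key file must be readable by root only (chmod 600).
path certificate "/etc/racoon/certs";

listen
{
        # Accept IKE (UDP/500) on host A's address only.
        isakmp  2001:6f8:900:8a6::2;
}

# Phase 1 with host B.
remote 2001:6f8:1044::211:2fff:febe:666a
{
        exchange_mode main;
        # Both identities are the certificate subject DNs; peers_identifier
        # without a value takes the DN from the certificate in peers_certfile.
        my_identifier asn1dn;
        peers_identifier asn1dn;
        # Default is off, i.e. the ID payload the peer sends is not compared
        # with peers_identifier at all. Turn it on so the peer must present
        # the identity belonging to the pinned certificate.
        verify_identifier on;
        certificate_type x509 "host-A-cert.pem" "host-A-key.pem";
        # Pin B's certificate; racoon uses this file instead of the CERT
        # payload sent by the peer.
        peers_certfile x509 "host-B-cert.pem";
        lifetime time 24 hour;

        # Preferred proposal. The original 3des/md5/dh_group 2 (1024-bit
        # MODP) set is obsolete; aes, sha1 and dh_group 14 (2048-bit MODP)
        # are supported by ipsec-tools racoon -- use sha256 if your build
        # accepts it, and fall back to dh_group 5 only if 14 is rejected.
        proposal
        {
                encryption_algorithm aes;
                hash_algorithm sha1;
                authentication_method rsasig;
                dh_group 14;
        }

        # Legacy fallback so a peer still running the original example can
        # connect. TODO: delete this block once host B is updated as well --
        # while it is here a downgrade to 3des/md5 remains negotiable.
        proposal
        {
                encryption_algorithm 3des;
                hash_algorithm md5;
                authentication_method rsasig;
                dh_group 2;
        }
}

# Phase 2 parameters. The listing on this page shows no sainfo block, but
# racoon needs one to negotiate the IPsec SA; without it the log reports
# "failed to get sainfo" and the 'require' policies never pass traffic.
sainfo anonymous
{
        pfs_group 14;
        lifetime time 1 hour;
        encryption_algorithm aes;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}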


file: racoon.conf desc: host: B

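# /etc/racoon/racoon.conf -- host B, transport mode, X.509 certificates
#
# Mirror image of host A's file: phase 1 with peer A is authenticated with
# RSA signatures; certificates and keys live in /etc/racoon/certs. Phase 2
# parameters come from the sainfo block below.
path include "/etc/racoon";
# Directory holding host-B-cert.pem, host-B-key.pem and host-A-cert.pem.
# racoon's default verify_cert on additionally validates the peer
# certificate against CA certificates in this directory, which must be
# present under their hash names (openssl c_rehash /etc/racoon/certs);
# otherwise phase 1 fails even though the peer certificate is pinned below.
# The private key file must be readable by root only (chmod 600).
path certificate "/etc/racoon/certs";

listen
{
        # Accept IKE (UDP/500) on host B's address only.
        isakmp  2001:6f8:1044::211:2fff:febe:666a;
}

# Phase 1 with host A.
remote 2001:6f8:900:8a6::2
{
        exchange_mode main;
        # Both identities are the certificate subject DNs; peers_identifier
        # without a value takes the DN from the certificate in peers_certfile.
        my_identifier asn1dn;
        peers_identifier asn1dn;
        # Default is off, i.e. the ID payload the peer sends is not compared
        # with peers_identifier at all. Turn it on so the peer must present
        # the identity belonging to the pinned certificate.
        verify_identifier on;
        certificate_type x509 "host-B-cert.pem" "host-B-key.pem";
        # Pin A's certificate; racoon uses this file instead of the CERT
        # payload sent by the peer.
        peers_certfile x509 "host-A-cert.pem";
        lifetime time 24 hour;

        # Preferred proposal. The original 3des/md5/dh_group 2 (1024-bit
        # MODP) set is obsolete; aes, sha1 and dh_group 14 (2048-bit MODP)
        # are supported by ipsec-tools racoon -- use sha256 if your build
        # accepts it, and fall back to dh_group 5 only if 14 is rejected.
        proposal
        {
                encryption_algorithm aes;
                hash_algorithm sha1;
                authentication_method rsasig;
                dh_group 14;
        }

        # Legacy fallback so a peer still running the original example can
        # connect. TODO: delete this block once host A is updated as well --
        # while it is here a downgrade to 3des/md5 remains negotiable.
        proposal
        {
                encryption_algorithm 3des;
                hash_algorithm md5;
                authentication_method rsasig;
                dh_group 2;
        }
}

# Phase 2 parameters. The listing on this page shows no sainfo block, but
# racoon needs one to negotiate the IPsec SA; without it the log reports
# "failed to get sainfo" and the 'require' policies never pass traffic.
sainfo anonymous
{
        pfs_group 14;
        lifetime time 1 hour;
        encryption_algorithm aes;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}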