Benutzer:Zim/ip6sec

Aus Opennet
Wechseln zu: Navigation, Suche

beispielconfig fuer ipsec/ipv6

benoetigte pakete:

- ipsec-tools
- racoon (evtl schon in ipsec-tools enthalten)

mode: transport keys: preshared

file: psk.txt desc: enthaelt preshared keys host: A und B

# /etc/racoon/psk.txt
# IPv4/v6 addresses
2001:6f8:1044::1      secret
2001:6f8:1044::2      secret
#10.160.94.3    mekmitasdigoat
#172.16.1.133   0x12345678
#194.100.55.1   whatcertificatereally
#3ffe:501:410:ffff:200:86ff:fe05:80fa   mekmitasdigoat
#3ffe:501:410:ffff:210:4bff:fea2:8baa   mekmitasdigoat
# USER_FQDN
#foo@kame.net   mekmitasdigoat
# FQDN
#foo.kame.net   hoge

file: setkey.txt desc: shellscript to set up spd-policies host: A

#!/usr/sbin/setkey -f
flush;
spdflush;
spdadd 2001:6f8:1044::1 2001:6f8:1044::2 any -P out ipsec esp/transport//require;
spdadd 2001:6f8:1044::2 2001:6f8:1044::1 any -P in ipsec esp/transport//require;

file: setkey.txt desc: shellscript to set up spd-policies host: B

#!/usr/sbin/setkey -f
flush;
spdflush;
spdadd 2001:6f8:1044::1 2001:6f8:1044::2 any -P in ipsec esp/transport//require;
spdadd 2001:6f8:1044::2 2001:6f8:1044::1 any -P out ipsec esp/transport//require;

file: racoon.conf desc: racoon config for host A - preshared keys host: A

#
path include "/etc/racoon";
path pre_shared_key "/etc/racoon/psk.txt";
#path certificate "/etc/racoon/certs";
listen
{
       isakmp  2001:6f8:1044::1;
}
remote 2001:6f8:1044::2
{
       exchange_mode main;
#        my_identifier asn1dn;
#        peers_identifier asn1dn;
#        certificate_type x509 "host-A-cert.pem" "host-A-key.pem";
#        peers_certfile x509 "host-B-cert.pem";
       lifetime time 24 hour;
       proposal
       {
               encryption_algorithm aes;
               hash_algorithm sha1;
               authentication_method pre_shared_key;
#                authentication_method rsasig;
               dh_group 2;
       }
}
sainfo address 2001:6f8:1044::1 any address 2001:6f8:1044::2 any
{
       lifetime time 1 hour;
       encryption_algorithm aes;
       authentication_algorithm hmac_sha1;
       compression_algorithm deflate;
}
sainfo address 2001:6f8:1044::2 any address 2001:6f8:1044::1 any
{
       lifetime time 1 hour;
       encryption_algorithm aes;
       authentication_algorithm hmac_sha1;
       compression_algorithm deflate;
}


file: racoon.conf desc: racoon config for host B - preshared keys host: B

#
path include "/etc/racoon";
path pre_shared_key "/etc/racoon/psk.txt";
#path certificate "/etc/racoon/certs";
listen
{
#       isakmp  2001:6f8:1044::1;
       isakmp  2001:6f8:1044::2;
}
#remote 2001:6f8:1044::2
remote 2001:6f8:1044::1
{
       exchange_mode main;
#        my_identifier asn1dn;
#        peers_identifier asn1dn;
#        certificate_type x509 "host-B-cert.pem" "host-B-key.pem";
#        peers_certfile x509 "host-A-cert.pem";
       lifetime time 24 hour;
       proposal
       {
               encryption_algorithm aes;
               hash_algorithm sha1;
               authentication_method pre_shared_key;
#                authentication_method rsasig;
               dh_group 2;
       }
}
sainfo address 2001:6f8:1044::1 any address 2001:6f8:1044::2 any
{
       lifetime time 1 hour;
       encryption_algorithm aes;
       authentication_algorithm hmac_sha1;
       compression_algorithm deflate;
}
sainfo address 2001:6f8:1044::2 any address 2001:6f8:1044::1 any
{
       lifetime time 1 hour;
       encryption_algorithm aes;
       authentication_algorithm hmac_sha1;
       compression_algorithm deflate;
}


mode: transport keys: certificate

desc: only change racoon.conf


file: racoon.conf desc: racoon config for host A - certs host: A

#
path include "/etc/racoon";
#path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";
listen
{
       isakmp  2001:6f8:1044::1;
}
remote 2001:6f8:1044::2
{
       exchange_mode main;
       my_identifier asn1dn;
       peers_identifier asn1dn;
       certificate_type x509 "host-A-cert.pem" "host-A-key.pem";
       peers_certfile x509 "host-B-cert.pem";
       lifetime time 24 hour;
       proposal
       {
               encryption_algorithm aes;
               hash_algorithm sha1;
#                authentication_method pre_shared_key;
               authentication_method rsasig;
               dh_group 2;
       }
}
sainfo address 2001:6f8:1044::1 any address 2001:6f8:1044::2 any
{
       lifetime time 1 hour;
       encryption_algorithm aes;
       authentication_algorithm hmac_sha1;
       compression_algorithm deflate;
}
sainfo address 2001:6f8:1044::2 any address 2001:6f8:1044::1 any
{
       lifetime time 1 hour;
       encryption_algorithm aes;
       authentication_algorithm hmac_sha1;
       compression_algorithm deflate;
}


file: racoon.conf desc: racoon config for host B - certs host: B

#
path include "/etc/racoon";
#path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";
listen
{
#       isakmp  2001:6f8:1044::1;
       isakmp  2001:6f8:1044::2;
}
#remote 2001:6f8:1044::2
remote 2001:6f8:1044::1
{
       exchange_mode main;
       my_identifier asn1dn;
       peers_identifier asn1dn;
       certificate_type x509 "host-B-cert.pem" "host-B-key.pem";
       peers_certfile x509 "host-A-cert.pem";
       lifetime time 24 hour;
       proposal
       {
               encryption_algorithm aes;
               hash_algorithm sha1;
#                authentication_method pre_shared_key;
               authentication_method rsasig;
               dh_group 2;
       }
}
sainfo address 2001:6f8:1044::1 any address 2001:6f8:1044::2 any
{
       lifetime time 1 hour;
       encryption_algorithm aes;
       authentication_algorithm hmac_sha1;
       compression_algorithm deflate;
}
sainfo address 2001:6f8:1044::2 any address 2001:6f8:1044::1 any
{
       lifetime time 1 hour;
       encryption_algorithm aes;
       authentication_algorithm hmac_sha1;
       compression_algorithm deflate;
}


Roadwarrior-Config:

Ziel: Verbindung von beliebigem Client (zb dynIP) zu Server

Serversite:

setkey.sh: - destIP in Bereicht (::/0) geaendert; level von 'require' nach 'use', damit hosts ohne ipsec auch verbinden koennen

#!/usr/sbin/setkey -f
flush;
spdflush;
spdadd 2001:6f8:1044::1 ::/0 any -P out ipsec esp/transport//use;
spdadd ::/0 2001:6f8:1044::1 any -P in ipsec esp/transport//use;

racoon.conf: - statt feste IPs der client-site, nun "anonymous"; ausserdem auf 'passiv' damit versucht der Server keine Verbindung herzustellen

#/etc/racoon/racoon.conf
path include "/etc/racoon";
#path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";
listen
{
       isakmp  2001:6f8:900:8a6::2;
}
remote anonymous
{
       exchange_mode aggressive,main,base;
       my_identifier asn1dn;
       certificate_type x509 "server.cert" "server.key";
       ca_type x509 "cacert.cert";
       passive on;
       generate_policy on;
       proposal {
                encryption_algorithm aes;
                hash_algorithm sha1;
                authentication_method rsasig;
                dh_group 2;
                lifetime time 24 hour;
       }
}
sainfo anonymous
{
       pfs_group 2;
       encryption_algorithm aes;
       authentication_algorithm hmac_sha1;
       compression_algorithm deflate;
Meine Werkzeuge
Namensräume

Varianten
Aktionen
Start
Opennet
Kommunikation
Karten
Werkzeuge