Benutzer:Zim/ip6sec

Aus Opennet
Wechseln zu: Navigation, Suche

beispielconfig fuer ipsec/ipv6

benoetigte pakete:

- ipsec-tools
- racoon (evtl schon in ipsec-tools enthalten)

Update: Dem racoon-Paket liegt noch eine weiteres Tool racoon-tool bei. Damit lassen sich die ewig langen Configdateien auf ein Minimum zurecht stutzen. Beispiel für PSK-transport-Config:

file: /etc/racoon/racoon-tool.conf

connection(bezeichner):
src_ip: loc-IP
dst_ip: remote-IP
authentication_algorithm: hmac_sha1
admin_status: yes
peer(remote-IP):
passive:off
verify_identifier: on
lifetime: time 30 min
hash_algorithm[0]: sha1
encryption_algorithm[0]: aes
my_identifier: address loc-IP
peers_identifier: address remote-IP

Das Gleiche mit getauschten IPs auf dem remote-Host und dann per 'racoon-tool start' anwenden. Fertig.


mode: transport keys: preshared

file: psk.txt desc: enthaelt preshared keys host: A und B

# /etc/racoon/psk.txt
# IPv4/v6 addresses
2001:6f8:1044::1      secret
2001:6f8:1044::2      secret
#10.160.94.3    mekmitasdigoat
#172.16.1.133   0x12345678
#194.100.55.1   whatcertificatereally
#3ffe:501:410:ffff:200:86ff:fe05:80fa   mekmitasdigoat
#3ffe:501:410:ffff:210:4bff:fea2:8baa   mekmitasdigoat
# USER_FQDN
#foo@kame.net   mekmitasdigoat
# FQDN
#foo.kame.net   hoge

file: setkey.txt desc: shellscript to set up spd-policies host: A

#!/usr/sbin/setkey -f
flush;
spdflush;
spdadd 2001:6f8:1044::1 2001:6f8:1044::2 any -P out ipsec esp/transport//require;
spdadd 2001:6f8:1044::2 2001:6f8:1044::1 any -P in ipsec esp/transport//require;

file: setkey.txt desc: shellscript to set up spd-policies host: B

#!/usr/sbin/setkey -f
flush;
spdflush;
spdadd 2001:6f8:1044::1 2001:6f8:1044::2 any -P in ipsec esp/transport//require;
spdadd 2001:6f8:1044::2 2001:6f8:1044::1 any -P out ipsec esp/transport//require;

file: racoon.conf desc: racoon config for host A - preshared keys host: A

#
path include "/etc/racoon";
path pre_shared_key "/etc/racoon/psk.txt";
#path certificate "/etc/racoon/certs";
listen
{
       isakmp  2001:6f8:1044::1;
}
remote 2001:6f8:1044::2
{
       exchange_mode main;
#        my_identifier asn1dn;
#        peers_identifier asn1dn;
#        certificate_type x509 "host-A-cert.pem" "host-A-key.pem";
#        peers_certfile x509 "host-B-cert.pem";
       lifetime time 24 hour;
       proposal
       {
               encryption_algorithm aes;
               hash_algorithm sha1;
               authentication_method pre_shared_key;
#                authentication_method rsasig;
               dh_group 2;
       }
}
sainfo address 2001:6f8:1044::1 any address 2001:6f8:1044::2 any
{
       lifetime time 1 hour;
       encryption_algorithm aes;
       authentication_algorithm hmac_sha1;
       compression_algorithm deflate;
}
sainfo address 2001:6f8:1044::2 any address 2001:6f8:1044::1 any
{
       lifetime time 1 hour;
       encryption_algorithm aes;
       authentication_algorithm hmac_sha1;
       compression_algorithm deflate;
}


file: racoon.conf desc: racoon config for host B - preshared keys host: B

#
path include "/etc/racoon";
path pre_shared_key "/etc/racoon/psk.txt";
#path certificate "/etc/racoon/certs";
listen
{
#       isakmp  2001:6f8:1044::1;
       isakmp  2001:6f8:1044::2;
}
#remote 2001:6f8:1044::2
remote 2001:6f8:1044::1
{
       exchange_mode main;
#        my_identifier asn1dn;
#        peers_identifier asn1dn;
#        certificate_type x509 "host-B-cert.pem" "host-B-key.pem";
#        peers_certfile x509 "host-A-cert.pem";
       lifetime time 24 hour;
       proposal
       {
               encryption_algorithm aes;
               hash_algorithm sha1;
               authentication_method pre_shared_key;
#                authentication_method rsasig;
               dh_group 2;
       }
}
sainfo address 2001:6f8:1044::1 any address 2001:6f8:1044::2 any
{
       lifetime time 1 hour;
       encryption_algorithm aes;
       authentication_algorithm hmac_sha1;
       compression_algorithm deflate;
}
sainfo address 2001:6f8:1044::2 any address 2001:6f8:1044::1 any
{
       lifetime time 1 hour;
       encryption_algorithm aes;
       authentication_algorithm hmac_sha1;
       compression_algorithm deflate;
}

mode: transport keys: certificate

desc: only change racoon.conf


file: racoon.conf desc: racoon config for host A - certs host: A

#
path include "/etc/racoon";
#path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";
listen
{
       isakmp  2001:6f8:1044::1;
}
remote 2001:6f8:1044::2
{
       exchange_mode main;
       my_identifier asn1dn;
       peers_identifier asn1dn;
       certificate_type x509 "host-A-cert.pem" "host-A-key.pem";
       peers_certfile x509 "host-B-cert.pem";
       lifetime time 24 hour;
       proposal
       {
               encryption_algorithm aes;
               hash_algorithm sha1;
#                authentication_method pre_shared_key;
               authentication_method rsasig;
               dh_group 2;
       }
}
sainfo address 2001:6f8:1044::1 any address 2001:6f8:1044::2 any
{
       lifetime time 1 hour;
       encryption_algorithm aes;
       authentication_algorithm hmac_sha1;
       compression_algorithm deflate;
}
sainfo address 2001:6f8:1044::2 any address 2001:6f8:1044::1 any
{
       lifetime time 1 hour;
       encryption_algorithm aes;
       authentication_algorithm hmac_sha1;
       compression_algorithm deflate;
}


file: racoon.conf desc: racoon config for host B - certs host: B

#
path include "/etc/racoon";
#path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";
listen
{
#       isakmp  2001:6f8:1044::1;
       isakmp  2001:6f8:1044::2;
}
#remote 2001:6f8:1044::2
remote 2001:6f8:1044::1
{
       exchange_mode main;
       my_identifier asn1dn;
       peers_identifier asn1dn;
       certificate_type x509 "host-B-cert.pem" "host-B-key.pem";
       peers_certfile x509 "host-A-cert.pem";
       lifetime time 24 hour;
       proposal
       {
               encryption_algorithm aes;
               hash_algorithm sha1;
#                authentication_method pre_shared_key;
               authentication_method rsasig;
               dh_group 2;
       }
}
sainfo address 2001:6f8:1044::1 any address 2001:6f8:1044::2 any
{
       lifetime time 1 hour;
       encryption_algorithm aes;
       authentication_algorithm hmac_sha1;
       compression_algorithm deflate;
}
sainfo address 2001:6f8:1044::2 any address 2001:6f8:1044::1 any
{
       lifetime time 1 hour;
       encryption_algorithm aes;
       authentication_algorithm hmac_sha1;
       compression_algorithm deflate;
}

Roadwarrior-Config:

Ziel: Verbindung von beliebigem Client (zb dynIP) zu Server

Serversite:

setkey.sh: - destIP in Bereicht (::/0) geaendert; level von 'require' nach 'use', damit hosts ohne ipsec auch verbinden koennen

#!/usr/sbin/setkey -f
flush;
spdflush;
spdadd 2001:6f8:1044::1 ::/0 any -P out ipsec esp/transport//use;
spdadd ::/0 2001:6f8:1044::1 any -P in ipsec esp/transport//use;

racoon.conf: - statt feste IPs der client-site, nun "anonymous"; ausserdem auf 'passiv' damit versucht der Server keine Verbindung herzustellen, sondern nur auf eingehende antwortet

#/etc/racoon/racoon.conf
path include "/etc/racoon";
#path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";
listen
{
       isakmp  2001:6f8:900:8a6::2;
}
remote anonymous
{
       exchange_mode aggressive,main,base;
       my_identifier asn1dn;
       certificate_type x509 "host-A-cert.pem" "host-A-key.pem";
       ca_type x509 "cacert.cert";
       passive on;
       generate_policy on;
       proposal {
                encryption_algorithm aes;
                hash_algorithm sha1;
                authentication_method rsasig;
                dh_group 2;
                lifetime time 24 hour;
       }
}
sainfo anonymous
{
       pfs_group 2;
       encryption_algorithm aes;
       authentication_algorithm hmac_sha1;
       compression_algorithm deflate;

client-site:

setkey.conf: kann so bleiben, evtl noch vereinfachbar

#!/usr/sbin/setkey -f
flush;
spdflush;
spdadd 2001:6f8:900:8a6::2 2001:6f8:1044::211:2fff:febe:666a any -P in ipsec esp/transport//require;
spdadd 2001:6f8:1044::211:2fff:febe:666a 2001:6f8:900:8a6::2 any -P out ipsec esp/transport//require;

racoon.conf:

#/etc/racoon/racoon.conf
path include "/etc/racoon";
path certificate "/etc/racoon/certs";
listen
{
       isakmp  2001:6f8:1044::211:2fff:febe:666a;
}
remote 2001:6f8:900:8a6::2
{
       exchange_mode aggressive,main,base;
       my_identifier asn1dn;
       peers_identifier asn1dn;
       certificate_type x509 "host-B-cert.pem" "host-B-key.pem";
       peers_certfile x509 "host-A-cert.pem";
       lifetime time 24 hour;
       proposal
       {
               encryption_algorithm aes;
               hash_algorithm sha1;
               authentication_method rsasig;
               dh_group 2;
       }
}
sainfo anonymous
{
       pfs_group 2;
       encryption_algorithm aes;
       authentication_algorithm hmac_sha1;
       compression_algorithm deflate;
}
Meine Werkzeuge
Namensräume

Varianten
Aktionen
Start
Opennet
Kommunikation
Karten
Werkzeuge