https://wiki.ixheim.de/index.php?action=history&feed=atom&title=Strongswan_zu_racoon_cert 2026-06-29T06:03:41Z Versionsgeschichte dieser Seite in Xinux Wiki MediaWiki 1.35.1 https://wiki.ixheim.de/index.php?title=Strongswan_zu_racoon_cert&diff=12773&oldid=prev 2017-03-30T13:24:21Z

<p>Die Seite wurde neu angelegt: „==Tunnel Parameter definieren== ;certs /etc/ipsec.d/certs/huey.xinux.org.crt /etc/ipsec.d/crls/xinux-ca.crl /etc/ipsec.d/cacerts/xinux-ca.crt /etc/ipsec.d/…“</p> <p><b>Neue Seite</b></p><div>==Tunnel Parameter definieren==<br /> ;certs<br /> /etc/ipsec.d/certs/huey.xinux.org.crt<br /> /etc/ipsec.d/crls/xinux-ca.crl<br /> /etc/ipsec.d/cacerts/xinux-ca.crt<br /> /etc/ipsec.d/private/huey.xinux.org.key<br /> ;Tunnelkonfiguration<br /> /etc/ipsec.conf<br /> conn net<br /> keyexchange=ikev1<br /> authby=rsasig<br /> left=192.168.244.152<br /> leftsubnet=10.88.88.0/24<br /> leftid=&quot;C=de, ST=rlp, L=zweibruecken, O=xinux, OU=edv, CN=dewey.xinux.org, E=technik@xinux.de&quot;<br /> right=192.168.244.151<br /> rightid=&quot;C=de, ST=rlp, L=zweibruecken, O=xinux, OU=edv, CN=huey.xinux.org, E=technik@xinux.de&quot;<br /> rightsubnet=10.18.44.0/24<br /> rightcert=huey.xinux.org.crt<br /> ike=aes192-md5-modp1024<br /> esp=aes192-md5-modp1024<br /> auto=start<br /> ;X509 definieren<br /> /etc/ipsec.secrets<br /> 192.168.244.152 192.168.244.151 : RSA huey.xinux.org.key &quot;&quot;<br /> <br /> =Racoon ( X509 )=<br /> ==Tunnel Parameter definieren==<br /> ;certs<br /> /etc/racoon/certs/dewey.xinux.org.key<br /> /etc/racoon/certs/dewey.xinux.org.crt<br /> /etc/racoon/certs/ca.crl<br /> /etc/racoon/certs/ca.crt<br /> ;cd /etc/racoon/certs/<br /> diese verlinkungen sind meiner meinung nach nicht mehr notwendig wenn man ca_type angibt<br /> ln -s ca.crt $(openssl x509 -noout -hash -in ca.crt).0<br /> ln -s ca.crl $(openssl x509 -noout -hash -in ca.crl).r0<br /> ;Tunnelkonfiguration<br /> /etc/racoon/racoon.conf<br /> &lt;pre&gt;<br /> path certificate &quot;/etc/racoon/certs&quot;;<br /> log debug;<br /> <br /> remote 192.168.244.151 {<br /> exchange_mode main;<br /> ca_type x509 &quot;ca.crt&quot;;<br /> certificate_type x509 &quot;dewey.xinux.org.crt&quot; &quot;dewey.xinux.org.key&quot;;<br /> my_identifier asn1dn;<br /> verify_cert on;<br /> peers_identifier asn1dn &quot;C=de, ST=rlp, L=zweibruecken, O=xinux, OU=edv, CN=huey.xinux.org, emailAddress=technik@xinux.de&quot;;<br /> proposal {<br /> encryption_algorithm aes192;<br /> hash_algorithm md5;<br /> authentication_method rsasig;<br /> dh_group 2;<br /> }<br /> generate_policy off;<br /> }<br /> <br /> sainfo address 10.88.88.0/24 any address 10.18.44.0/24 any {<br /> pfs_group modp1024;<br /> encryption_algorithm aes192;<br /> authentication_algorithm hmac_md5;<br /> compression_algorithm deflate;<br /> }<br /> &lt;/pre&gt;<br /> ;SA Konfig<br /> ipsec-tools.conf<br /> &lt;pre&gt;<br /> #!/usr/sbin/setkey -f<br /> flush;<br /> spdflush;<br /> <br /> spdadd 10.88.88.0/24 10.18.44.0/24 any -P out ipsec<br /> esp/tunnel/192.168.244.152-192.168.244.151/require;<br /> <br /> spdadd 10.18.44.0/24 10.88.88.0/24 any -P in ipsec<br /> esp/tunnel/192.168.244.151-192.168.244.152/require;<br /> &lt;/pre&gt;</div>

Thomas