Strongswan zu racoon: Unterschied zwischen den Versionen

@@ Zeile 1: / Zeile 1: @@
-=Strongswan konfigurieren ( PSK )=
-==Tunnel Parameter definieren==
-;Tunnelkonfiguration
-/etc/ipsec.conf
-   keyexchange=ikev1
-   authby=secret
-   left=192.168.244.152
-   leftsubnet=10.88.88.0/24
-   right=192.168.244.151
-   rightsubnet=10.18.44.0/24
-   ike=aes256-md5-modp1024
-   esp=aes256-md5-modp1024
-   auto=add
-;PSK definieren
-/etc/ipsec.secrets
-.168.244.152 192.168.244.151 : PSK "katzenklo"
-=Racoon (PSK )=
-==Tunnel Parameter definieren==
-;Tunnelkonfiguration
-/etc/racoon/racoon.conf
-<pre>
-path pre_shared_key "/etc/racoon/psk.txt";
-remote 192.168.244.151 {
-        exchange_mode main;
-        proposal {
-                encryption_algorithm aes256;
-                hash_algorithm md5;
-                authentication_method pre_shared_key;
-                dh_group modp1024;
-        }
-        generate_policy off;
-}
-sainfo address 10.88.88.0/24 any address 10.18.44.0/24 any {
-        pfs_group modp1024;
-        encryption_algorithm aes256;
-        authentication_algorithm hmac_md5;
-        compression_algorithm deflate;
-}
-</pre>
-/etc/ipsec-tools.conf
-<pre>
-#!/usr/sbin/setkey -f
-flush;
-spdflush;
-spdadd 10.88.88.0/24  10.18.44.0/24 any -P out ipsec
-    esp/tunnel/192.168.244.152-192.168.244.151/require;
-spdadd 10.18.44.0/24 10.88.88.0/24 any -P in ipsec
-    esp/tunnel/192.168.244.151-192.168.244.152/require;
-</pre>
-;PSK definieren
-/etc/racoon/psk.txt
-.168.244.151 katzenklo
-=Strongswan konfigurieren ( X509 )=
-==Tunnel Parameter definieren==
-;certs
- /etc/ipsec.d/certs/huey.xinux.org.crt
- /etc/ipsec.d/crls/xinux-ca.crl
- /etc/ipsec.d/cacerts/xinux-ca.crt
- /etc/ipsec.d/private/huey.xinux.org.key
-;Tunnelkonfiguration
-/etc/ipsec.conf
- conn net
-       keyexchange=ikev1
-       authby=rsasig
-       left=192.168.244.152
-       leftsubnet=10.88.88.0/24
-       leftid="C=de, ST=rlp, L=zweibruecken, O=xinux, OU=edv, CN=dewey.xinux.org, E=technik@xinux.de"
-       right=192.168.244.151
-       rightid="C=de, ST=rlp, L=zweibruecken, O=xinux, OU=edv, CN=dewey.xinux.org, E=technik@xinux.de"
-       rightsubnet=10.18.44.0/24
-       rightcert=huey.xinux.org.crt
-       ike=aes192-md5-modp1024
-       esp=aes192-md5-modp1024
-       auto=start
-;X509 definieren
-/etc/ipsec.secrets
-.168.244.152 192.168.244.151 :  RSA huey.xinux.org.key ""
-=Racoon ( X509 )=
-==Tunnel Parameter definieren==
-;certs
- /etc/racoon/certs/dewey.xinux.org.key
- /etc/racoon/certs/dewey.xinux.org.crt
- /etc/racoon/certs/ca.crl
- /etc/racoon/certs/ca.crt
-;cd /etc/racoon/certs/
- ln -s ca.crt $(openssl x509 -noout -hash -in ca.crt).0
- ln -s ca.crl $(openssl x509 -noout -hash -in ca.crl).r0
-;Tunnelkonfiguration
-/etc/racoon/racoon.conf
-<pre>
-path certificate "/etc/racoon/certs";
-log debug;
-remote 192.168.244.151 {
-        exchange_mode main;
-        ca_type x509 "ca.crt";
-        certificate_type x509 "dewey.xinux.org.crt" "dewey.xinux.org.key";
-        my_identifier asn1dn;
-        verify_cert on;
-        peers_identifier asn1dn "C=de, ST=rlp, L=zweibruecken, O=xinux, OU=edv, CN=huey.xinux.org, emailAddress=technik@xinux.de";
-        proposal {
-                encryption_algorithm aes192;
-                hash_algorithm md5;
-                authentication_method rsasig;
-                dh_group 2;
-        }
-        generate_policy off;
-}
-sainfo address 10.88.88.0/24 any address 10.18.44.0/24 any {
-        pfs_group modp1024;
-        encryption_algorithm aes192;
-        authentication_algorithm hmac_md5;
-        compression_algorithm deflate;
-}
-</pre>
-;SA Konfig
-ipsec-tools.conf
-<pre>
-#!/usr/sbin/setkey -f
-flush;
-spdflush;
-spdadd 10.88.88.0/24  10.18.44.0/24 any -P out ipsec
-    esp/tunnel/192.168.244.152-192.168.244.151/require;
-spdadd 10.18.44.0/24 10.88.88.0/24 any -P in ipsec
-    esp/tunnel/192.168.244.151-192.168.244.152/require;
-</pre>

Strongswan zu racoon: Unterschied zwischen den Versionen

Aktuelle Version vom 30. März 2017, 13:24 Uhr

Navigationsmenü

Suche