Strongswan zu racoon: Unterschied zwischen den Versionen
Thomas (Diskussion | Beiträge) |
Thomas (Diskussion | Beiträge) |
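--- a/Strongswan zu racoon
+++ b/Strongswan zu racoon
@@ -84,2 +84,29 @@
 ;Tunnelkonfiguration
 /etc/racoon/racoon.conf
+<pre>
+path certificate "/etc/racoon/certs";
+log debug;
+
+remote 192.168.244.151 {
+exchange_mode main;
+ca_type x509 "ca.crt";
+certificate_type x509 "dewey.xinux.org.crt" "dewey.xinux.org.key";
+my_identifier asn1dn;
+verify_cert on;
+peers_identifier asn1dn "C=de, ST=rlp, L=zweibruecken, O=xinux, OU=edv, CN=huey.xinux.org, emailAddress=technik@xinux.de";
+proposal {
+encryption_algorithm aes192;
+hash_algorithm md5;
+authentication_method rsasig;
+dh_group 2;
+}
+generate_policy off;
+}
+
+sainfo address 10.88.88.0/24 any address 10.18.44.0/24 any {
+pfs_group modp1024;
+encryption_algorithm aes192;
+authentication_algorithm hmac_md5;
+compression_algorithm deflate;
+}
+</pre>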
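Review bot: The added proposal pins `hash_algorithm md5;` and `dh_group 2;` (1024-bit MODP) and the sainfo block pins `authentication_algorithm hmac_md5;`; both MD5-based integrity and 1024-bit DH are legacy choices, so readers who copy the example verbatim get a weak tunnel. Because the page's point is parity with the strongSwan `ike=aes192-md5-modp1024` line, both sides should move together, e.g. `hash_algorithm sha256;`, `dh_group 14;` and `authentication_algorithm hmac_sha256;` here with the matching `ike=`/`esp=` values on the strongSwan side. `log debug;` is also part of the example without a remark; a comment such as `# troubleshooting only, lower for normal operation` would keep it from landing in production copies. The peer is identified as `CN=huey.xinux.org` here, while the strongSwan example on the same page uses `CN=dewey.xinux.org` for both leftid and rightid together with `rightcert=huey.xinux.org.crt`; that looks inconsistent and a sentence naming which host each snippet belongs to would help.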
Version vom 17. Oktober 2014, 17:46 Uhr
Strongswan konfigurieren (PSK)
Tunnel Parameter definieren
- Tunnelkonfiguration
/etc/ipsec.conf
# Collapsed onto one line by the wiki rendering; ipsec.conf expects one
# key=value per line, indented beneath a "conn <name>" header (the header is
# not shown here — compare the X509 example further down this page).
# IKEv1 tunnel between the two gateways, authenticated by a pre-shared key
# (authby=secret) taken from /etc/ipsec.secrets.
# NOTE(review): md5 integrity and modp1024 are legacy choices, kept here only
# so that the proposal matches the racoon example on this page.
# auto=add loads the connection without starting it (the X509 example uses
# auto=start).
keyexchange=ikev1
authby=secret
left=192.168.244.152
leftsubnet=10.88.88.0/24
right=192.168.244.151
rightsubnet=10.18.44.0/24
ike=aes256-md5-modp1024
esp=aes256-md5-modp1024
auto=add
- PSK definieren
/etc/ipsec.secrets
# <local IP> <peer IP> : PSK "<secret>" — the secret must be the one the peer
# has configured for this host (the racoon psk.txt example on this page uses
# the same sample value).
# NOTE(review): this file holds the key material; keep it readable by root
# only.
192.168.244.152 192.168.244.151 : PSK "katzenklo"
Racoon (PSK)
Tunnel Parameter definieren
- Tunnelkonfiguration
/etc/racoon/racoon.conf
# Pre-shared-key variant of the racoon configuration.
# Secrets are read from the file named here, one "<peer> <secret>" per line
# (see the psk.txt example on this page).
path pre_shared_key "/etc/racoon/psk.txt";

# Phase 1 (IKE) settings for the peer at 192.168.244.151.
remote 192.168.244.151 {
    exchange_mode main;
    proposal {
        encryption_algorithm aes256;
        # NOTE(review): md5 and modp1024 are legacy choices, kept here only
        # to match the strongSwan "ike=aes256-md5-modp1024" line on this page.
        hash_algorithm md5;
        authentication_method pre_shared_key;
        dh_group modp1024;
    }
    # Do not derive SPD entries from the peer's proposal; on this page the
    # policy is installed separately via setkey (/etc/ipsec-tools.conf).
    generate_policy off;
}

# Phase 2 (IPsec SA) settings for traffic between the two subnets.
sainfo address 10.88.88.0/24 any address 10.18.44.0/24 any {
    pfs_group modp1024;
    encryption_algorithm aes256;
    authentication_algorithm hmac_md5;
    compression_algorithm deflate;
}
/etc/ipsec-tools.conf
#!/usr/sbin/setkey -f
# Security-policy (SPD) entries for the racoon tunnel; racoon only negotiates
# the SAs, the policy that forces traffic through them is installed here.
# Drop any existing SAs and policies first so the rules below are the only
# ones in effect.
flush;
spdflush;
# Outbound: traffic from the local subnet to the remote subnet must be
# ESP-tunnelled between the two gateways ("require": no SA, no traffic).
spdadd 10.88.88.0/24 10.18.44.0/24 any -P out ipsec
    esp/tunnel/192.168.244.152-192.168.244.151/require;
# Inbound mirror of the rule above.
spdadd 10.18.44.0/24 10.88.88.0/24 any -P in ipsec
    esp/tunnel/192.168.244.151-192.168.244.152/require;
- PSK definieren
/etc/racoon/psk.txt
# <peer address> <secret>, whitespace separated; must match the PSK the peer
# has configured for this host (same sample value as the ipsec.secrets
# example on this page).
# NOTE(review): this file holds the key material; keep it readable by root
# only.
192.168.244.151 katzenklo
Strongswan konfigurieren (X509)
Tunnel Parameter definieren
- certs
/etc/ipsec.d/certs/huey.xinux.org.crt
/etc/ipsec.d/crls/xinux-ca.crl
/etc/ipsec.d/cacerts/xinux-ca.crt
/etc/ipsec.d/private/huey.xinux.org.key
- Tunnelkonfiguration
/etc/ipsec.conf
# Certificate-based (RSA signature) variant of the strongSwan tunnel.
conn net
    keyexchange=ikev1
    authby=rsasig
    left=192.168.244.152
    leftsubnet=10.88.88.0/24
    # Identities are X.509 subject DNs and are expected to match the
    # certificate each side presents.
    leftid="C=de, ST=rlp, L=zweibruecken, O=xinux, OU=edv, CN=dewey.xinux.org, E=technik@xinux.de"
    right=192.168.244.151
    # NOTE(review): rightid carries the same DN as leftid (CN=dewey.xinux.org)
    # although rightcert names huey.xinux.org.crt and the racoon example on
    # this page identifies the peer as CN=huey.xinux.org — confirm which DN
    # the peer certificate actually carries.
    rightid="C=de, ST=rlp, L=zweibruecken, O=xinux, OU=edv, CN=dewey.xinux.org, E=technik@xinux.de"
    rightsubnet=10.18.44.0/24
    rightcert=huey.xinux.org.crt
    # NOTE(review): md5 and modp1024 are legacy choices, kept here only to
    # match the racoon proposal on this page.
    ike=aes192-md5-modp1024
    esp=aes192-md5-modp1024
    # Bring the tunnel up when the configuration is loaded (the PSK example
    # uses auto=add).
    auto=start
- X509 definieren
/etc/ipsec.secrets
# <local IP> <peer IP> : RSA <private key file> "<passphrase>" — the empty
# string presumably means the key file is not passphrase-protected.
# NOTE(review): the key named here is huey.xinux.org.key while the racoon
# example on this page uses dewey.xinux.org.key as its own key — confirm
# which host this snippet is meant for.
192.168.244.152 192.168.244.151 : RSA huey.xinux.org.key ""
Racoon (X509)
Tunnel Parameter definieren
- Tunnelkonfiguration
/etc/racoon/racoon.conf
# Certificate-based (RSA signature) variant of the racoon configuration.
# Certificate and key file names below are resolved relative to this path.
path certificate "/etc/racoon/certs";
# NOTE(review): debug-level logging is for troubleshooting; lower it for
# normal operation.
log debug;

# Phase 1 (IKE) settings for the peer at 192.168.244.151.
remote 192.168.244.151 {
    exchange_mode main;
    # CA used to validate the peer certificate, then this host's own
    # certificate and private key.
    ca_type x509 "ca.crt";
    certificate_type x509 "dewey.xinux.org.crt" "dewey.xinux.org.key";
    # Both sides are identified by their certificate subject DN; the peer
    # certificate is verified against the CA above.
    my_identifier asn1dn;
    verify_cert on;
    # NOTE(review): racoon compares the peer's ID with this string only when
    # verify_identifier is switched on, which this example does not do —
    # confirm whether an ID mismatch should be rejected.
    peers_identifier asn1dn "C=de, ST=rlp, L=zweibruecken, O=xinux, OU=edv, CN=huey.xinux.org, emailAddress=technik@xinux.de";
    proposal {
        encryption_algorithm aes192;
        # NOTE(review): md5 and dh_group 2 (modp1024) are legacy choices,
        # kept here only to match the strongSwan "ike=aes192-md5-modp1024"
        # line on this page.
        hash_algorithm md5;
        authentication_method rsasig;
        dh_group 2;
    }
    # Policy is supplied by setkey (/etc/ipsec-tools.conf on this page), not
    # derived from the peer's proposal.
    generate_policy off;
}

# Phase 2 (IPsec SA) settings for traffic between the two subnets.
sainfo address 10.88.88.0/24 any address 10.18.44.0/24 any {
    pfs_group modp1024;
    encryption_algorithm aes192;
    authentication_algorithm hmac_md5;
    compression_algorithm deflate;
}