Strongswan zu racoon cert


Tunnelparameter definieren

certs
/etc/ipsec.d/certs/huey.xinux.org.crt
/etc/ipsec.d/crls/xinux-ca.crl
/etc/ipsec.d/cacerts/xinux-ca.crt
/etc/ipsec.d/private/huey.xinux.org.key
Tunnelkonfiguration

/etc/ipsec.conf

conn net
      # IKEv1 with RSA-signature (certificate) authentication; the racoon side
      # of this page mirrors it with "exchange_mode main" / "authentication_method rsasig".
      keyexchange=ikev1
      authby=rsasig
      # left = 192.168.244.152 (dewey, the racoon host), right = 192.168.244.151 (huey).
      # The only private key configured here is huey's (ipsec.secrets), so this
      # strongSwan host is presumably the "right" side -- confirm against the host's address.
      left=192.168.244.152
      leftsubnet=10.88.88.0/24
      # Peer ID: must equal the subject DN of dewey's certificate. The e-mail attribute
      # is written "E=" here and "emailAddress=" in racoon.conf; both peers must resolve
      # it to the same DN or the ID check fails.
      leftid="C=de, ST=rlp, L=zweibruecken, O=xinux, OU=edv, CN=dewey.xinux.org, E=technik@xinux.de"
      right=192.168.244.151
      rightid="C=de, ST=rlp, L=zweibruecken, O=xinux, OU=edv, CN=huey.xinux.org, E=technik@xinux.de"
      rightsubnet=10.18.44.0/24
      # Own certificate, looked up in /etc/ipsec.d/certs/.
      rightcert=huey.xinux.org.crt
      # Must match racoon's proposal (aes192 / md5 / dh_group 2) and sainfo
      # (aes192 / hmac_md5 / pfs modp1024). MD5 and 1024-bit DH are weak by
      # current standards; if you move to e.g. sha256 + modp2048, change both
      # peers in the same step or the negotiation will fail.
      ike=aes192-md5-modp1024
      esp=aes192-md5-modp1024
      # Bring the tunnel up as soon as the daemon starts.
      auto=start
X509 definieren

/etc/ipsec.secrets

# Selector (both peer addresses) : RSA <key file> <passphrase>.
# The key file is resolved below /etc/ipsec.d/private/; "" is an empty passphrase,
# so the file itself is the whole secret -- keep it readable only by root.
192.168.244.152 192.168.244.151 :  RSA huey.xinux.org.key ""

Racoon (X509)

Tunnelparameter definieren

certs
/etc/racoon/certs/dewey.xinux.org.key
/etc/racoon/certs/dewey.xinux.org.crt
/etc/racoon/certs/ca.crl
/etc/racoon/certs/ca.crt
# The hashed links created below are relative, so they must be made from inside
# the directory that racoon.conf names in "path certificate".
cd /etc/racoon/certs/

Diese Verlinkungen sind meiner Meinung nach nicht mehr notwendig, wenn man ca_type angibt.

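# OpenSSL-style hashed lookup links: "<hash>.0" for the CA certificate and
# "<hash>.r0" for its CRL, so the verifier can find them by name hash.
# A CRL is not a certificate -- "openssl x509" cannot read ca.crl (it expects a
# CERTIFICATE PEM block), so the CRL link has to be built with "openssl crl",
# which hashes the CRL's issuer name. The command substitutions are quoted so an
# empty result cannot silently produce a link named ".0"/".r0".
ln -s ca.crt "$(openssl x509 -noout -hash -in ca.crt).0"
ln -s ca.crl "$(openssl crl -noout -hash -in ca.crl).r0"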
Tunnelkonfiguration

/etc/racoon/racoon.conf

# Directory holding ca.crt, ca.crl and dewey.xinux.org.crt/.key; the bare file
# names used in the remote block below are resolved against it.
path certificate "/etc/racoon/certs";
# "debug" is very chatty; lower it once the tunnel is up so the log stays usable.
log debug;

# Phase 1 settings for the peer huey (192.168.244.151, the strongSwan host).
remote 192.168.244.151 {
        # IKEv1 main mode, matching keyexchange=ikev1 on the strongSwan side.
        exchange_mode main;
        # CA that the peer's certificate must chain to.
        ca_type x509 "ca.crt";
        # Own certificate and private key (file names relative to "path certificate").
        certificate_type x509 "dewey.xinux.org.crt" "dewey.xinux.org.key";
        # Send the subject DN of the own certificate as IKE identity.
        my_identifier asn1dn;
        # Reject the peer if its certificate does not verify against ca.crt.
        # Whether ca.crl is also consulted without the hashed ".r0" link is not
        # shown on this page -- verify before dropping the link.
        verify_cert on;
        # Expected subject DN of huey's certificate; strongSwan writes the e-mail
        # attribute as "E=" in rightid, here it is "emailAddress=".
        peers_identifier asn1dn "C=de, ST=rlp, L=zweibruecken, O=xinux, OU=edv, CN=huey.xinux.org, emailAddress=technik@xinux.de";
        # Must agree with ike=aes192-md5-modp1024 on the strongSwan side
        # (dh_group 2 = modp1024). MD5 and a 1024-bit group are weak by current
        # standards; upgrade both peers together (e.g. sha256, dh_group 14).
        proposal {
                encryption_algorithm aes192;
                hash_algorithm md5;
                authentication_method rsasig;
                dh_group 2;
        }
        # Do not derive SPD entries from the peer's proposal; the static policies
        # in ipsec-tools.conf are used instead.
        generate_policy off;
}

# Phase 2 settings for traffic between the two subnets (leftsubnet/rightsubnet
# on the strongSwan side).
sainfo address 10.88.88.0/24 any address 10.18.44.0/24 any {
        # Matches the "-modp1024" suffix of esp= on the strongSwan side.
        pfs_group modp1024;
        encryption_algorithm aes192;
        # HMAC-MD5 is considered weak; change to hmac_sha256 together with the
        # strongSwan esp= line.
        authentication_algorithm hmac_md5;
        # NOTE(review): the strongSwan conn on this page has no compress= setting,
        # so IPComp is only proposed from this side -- confirm it negotiates, or
        # drop this line.
        compression_algorithm deflate;
}
SA Konfig

ipsec-tools.conf

#!/usr/sbin/setkey -f
# Static security policies for the tunnel; racoon relies on them because
# generate_policy is off. This script runs on the 192.168.244.152 side.
# flush drops all current SAs, spdflush all policies -- re-running this on a
# live tunnel interrupts it until IKE has negotiated new SAs.
flush;
spdflush;

# Outbound: local 10.88.88.0/24 -> remote 10.18.44.0/24, ESP in tunnel mode
# from 192.168.244.152 to 192.168.244.151; "require" means matching traffic
# may only leave through the ESP tunnel, never in the clear.
spdadd 10.88.88.0/24  10.18.44.0/24 any -P out ipsec
    esp/tunnel/192.168.244.152-192.168.244.151/require;

# Inbound: the mirror image -- packets for 10.88.88.0/24 from 10.18.44.0/24 are
# only accepted when they arrived inside the ESP tunnel from 192.168.244.151.
spdadd 10.18.44.0/24 10.88.88.0/24 any -P in ipsec
    esp/tunnel/192.168.244.151-192.168.244.152/require;