Strongswan to racoon cert
Define tunnel parameters
- certs
/etc/ipsec.d/certs/huey.xinux.org.crt
/etc/ipsec.d/crls/xinux-ca.crl
/etc/ipsec.d/cacerts/xinux-ca.crt
/etc/ipsec.d/private/huey.xinux.org.key
- Tunnel configuration
/etc/ipsec.conf
conn net
    keyexchange=ikev1
    authby=rsasig
    left=192.168.244.152
    leftsubnet=10.88.88.0/24
    leftid="C=de, ST=rlp, L=zweibruecken, O=xinux, OU=edv, CN=dewey.xinux.org, E=technik@xinux.de"
    right=192.168.244.151
    rightid="C=de, ST=rlp, L=zweibruecken, O=xinux, OU=edv, CN=huey.xinux.org, E=technik@xinux.de"
    rightsubnet=10.18.44.0/24
    rightcert=huey.xinux.org.crt
    ike=aes192-md5-modp1024
    esp=aes192-md5-modp1024
    auto=start
- Define X509
/etc/ipsec.secrets
192.168.244.152 192.168.244.151 : RSA huey.xinux.org.key ""
Racoon (X509)
Define tunnel parameters
- certs
/etc/racoon/certs/dewey.xinux.org.key
/etc/racoon/certs/dewey.xinux.org.crt
/etc/racoon/certs/ca.crl
/etc/racoon/certs/ca.crt
- cd /etc/racoon/certs/
In my opinion these symlinks are no longer necessary if ca_type is specified.
# hash-named links for the OpenSSL lookup of CA certificate (.0) and CRL (.r0)
ln -s ca.crt $(openssl x509 -noout -hash -in ca.crt).0
ln -s ca.crl $(openssl crl -noout -hash -in ca.crl).r0
- Tunnel configuration
/etc/racoon/racoon.conf
path certificate "/etc/racoon/certs";
log debug;

remote 192.168.244.151 {
    exchange_mode main;
    ca_type x509 "ca.crt";
    certificate_type x509 "dewey.xinux.org.crt" "dewey.xinux.org.key";
    my_identifier asn1dn;
    verify_cert on;
    peers_identifier asn1dn "C=de, ST=rlp, L=zweibruecken, O=xinux, OU=edv, CN=huey.xinux.org, emailAddress=technik@xinux.de";
    proposal {
        encryption_algorithm aes192;
        hash_algorithm md5;
        authentication_method rsasig;
        dh_group 2;
    }
    generate_policy off;
}

sainfo address 10.88.88.0/24 any address 10.18.44.0/24 any {
    pfs_group modp1024;
    encryption_algorithm aes192;
    authentication_algorithm hmac_md5;
    compression_algorithm deflate;
}
- SA configuration
ipsec-tools.conf
#!/usr/sbin/setkey -f
flush;
spdflush;
spdadd 10.88.88.0/24 10.18.44.0/24 any -P out ipsec esp/tunnel/192.168.244.152-192.168.244.151/require;
spdadd 10.18.44.0/24 10.88.88.0/24 any -P in ipsec esp/tunnel/192.168.244.151-192.168.244.152/require;
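As an added example (not from this wiki page or either project), a shell script that checks the identity material on both sides before the tunnel is started: it normalizes the DN spellings used by strongSwan (E=), racoon (emailAddress=) and openssl, compares a configured ID with a certificate subject, and verifies a certificate against the CA and CRL. The helper names are hypothetical; the file names and IDs are the ones from the configurations above.

```shell
#!/bin/sh
# Pre-flight identity checks for the strongSwan <-> racoon setup above.
# The IDs in ipsec.conf (leftid/rightid) and racoon.conf (peers_identifier)
# must equal the certificate subject; strongSwan spells the e-mail attribute
# "E=" while racoon and openssl use "emailAddress=", which is easy to get wrong.
# normalize_dn, id_matches_cert and verify_with_crl are hypothetical helpers.

# Normalize a DN into "key=value,key=value" form: accepts the comma form used in
# both config files and the "subject=" line printed by openssl (old and new style).
normalize_dn() {
    printf '%s\n' "$1" \
        | sed -e 's/^ *subject= *//' -e 's@^/@@' -e 's@/@,@g' -e 's/ *, */,/g' \
        | tr ',' '\n' \
        | sed -e 's/^ *//' -e 's/ *$//' -e 's/^\([^= ]*\) *= */\1=/' \
              -e 's/^E=/emailAddress=/' \
        | paste -sd, -
}

# Compare a configured ID ($1) with the subject of a certificate file ($2).
# Returns 0 on match, 1 on mismatch, 2 if the certificate cannot be read.
id_matches_cert() {
    cert_dn=$(openssl x509 -noout -subject -in "$2") || return 2
    [ "$(normalize_dn "$1")" = "$(normalize_dn "$cert_dn")" ]
}

# Verify a peer certificate ($3) against the CA ($1) and its CRL ($2), the check
# both daemons perform when verify_cert / rightcert are set.
verify_with_crl() {
    tmp=$(mktemp) || return 2
    cat "$1" "$2" > "$tmp"          # openssl reads CA cert and CRL from one file
    if openssl verify -crl_check -CAfile "$tmp" "$3"; then rc=0; else rc=1; fi
    rm -f "$tmp"
    return $rc
}

# Example run on huey (the strongSwan side) with the page's file names and IDs.
if [ "$1" = "run" ]; then
    id_matches_cert "C=de, ST=rlp, L=zweibruecken, O=xinux, OU=edv, CN=huey.xinux.org, E=technik@xinux.de" \
        /etc/ipsec.d/certs/huey.xinux.org.crt && echo "rightid matches huey.xinux.org.crt"
    verify_with_crl /etc/ipsec.d/cacerts/xinux-ca.crt /etc/ipsec.d/crls/xinux-ca.crl \
        /etc/ipsec.d/certs/huey.xinux.org.crt
fi
```

Run it with `run` as the first argument on the strongSwan host; on the racoon host pass the dewey files and the peers_identifier string instead.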