BSD DevCenter
oreilly.comSafari Books Online.Conferences.

advertisement


Cryptosystems: Configuring IPSec
Pages: 1, 2, 3

We're ready to start the configurations. I'll start with the racoon configuration file on Gateway A. The racoon port installed two sample configuration files in /usr/local/etc/racoon:

cd /usr/local/etc/racoon
ls
psk.txt.dist	racoon.conf.dist

I'll start by copying the sample file to the file which will be used by racoon:

cp racoon.conf.dist racoon.conf

Now, let's take a look at that file:

 $KAME: racoon.conf.in,v 1.18 2001/08/16 06:33:40 itojun Exp $

# "path" must be placed before it should be used.
# You can overwrite which you defined, but it should not 
# use due to confusing.
path include "/usr/local/etc/racoon" ;
#include "remote.conf" ;

# search this file for pre_shared_key with various ID key.
path pre_shared_key "/usr/local/etc/racoon/psk.txt" ;

Since I'm using a pre-shared secret as the authentication method, I'll leave the above lines as-is.

# racoon will look for certificate file in the directory,
# if the certificate/certificate request payload is received.
path certificate "/usr/local/etc/cert" ;

I removed those 3 lines as I won't be using a CA.

# "log" specifies logging level.  
#It is followed by either "notify", "debug"
# or "debug2".
#log debug;

# "padding" defines some parameter of padding.  You should not touch these.
padding
{
	maximum_length 20;	# maximum padding length.
	randomize off;		# enable randomize length.
	strict_check off;	# enable strict check.
	exclusive_tail off;	# extract last one octet.
}

As the comment indicates, the above lines should be left as-is.

# if no listen directive is specified, racoon will listen to all
# available interface addresses.
listen
{
	#isakmp ::1 [7000];
	#isakmp 202.249.11.124 [500];
	#admin [7002];		# administrative's port by kmpstat.
	#strict_address; 	# required all addresses must be bound.
}

See those last four lines with # in front of them? I kept the one with an IP address, but changed the address to the external IP of Gateway A.

# Specification of default various timer.
timer
{
	# These value can be changed per remote node.
	counter 5;		# maximum trying count to send.
	interval 20 sec;	# maximum interval to resend.
	persend 1;		# the number of packets per a send.

	# timer for waiting to complete each phase.
	phase1 30 sec;
	phase2 15 sec;
}

This section should stay as-is.

remote anonymous
{
	#exchange_mode main,aggressive;
	exchange_mode aggressive,main;
	doi ipsec_doi;
	situation identity_only;

	#my_identifier address;
	my_identifier user_fqdn "sakane@kame.net";
	peers_identifier user_fqdn "sakane@kame.net";
	#certificate_type x509 "mycert" "mypriv";

	nonce_size 16;
	lifetime time 1 min;	# sec,min,hour
	initial_contact on;
	support_mip6 on;
	proposal_check obey;	# obey, strict or claim

	proposal {
		encryption_algorithm 3des;
		hash_algorithm sha1;
		authentication_method pre_shared_key ;
		dh_group 2 ;
	}
}

remote ::1 [8000]
{
	#exchange_mode main,aggressive;
	exchange_mode aggressive,main;
	doi ipsec_doi;
	situation identity_only;

	my_identifier user_fqdn "sakane@kame.net";
	peers_identifier user_fqdn "sakane@kame.net";
	#certificate_type x509 "mycert" "mypriv";

	nonce_size 16;
	lifetime time 1 min;	# sec,min,hour

	proposal {
		encryption_algorithm 3des;
		hash_algorithm sha1;
		authentication_method pre_shared_key ;
		dh_group 2 ;
	}
}

All of that remote stuff is your Phase One policy. Notice that you can have as many remote sections as you require. If you have multiple peers using different policies, you can create a remote section for each peer by specifying the peer's IP address. Whatever you place in remote anonymous will affect all peers that don't have a specific remote section matching their IP.

sainfo anonymous
{
	pfs_group 1;
	lifetime time 30 sec;
	encryption_algorithm 3des ;
	authentication_algorithm hmac_sha1;
	compression_algorithm deflate ;
}

sainfo address 203.178.141.209 any address 203.178.141.218 any
{
	pfs_group 1;
	lifetime time 30 sec;
	encryption_algorithm des ;
	authentication_algorithm hmac_md5;
	compression_algorithm deflate ;
}

sainfo address ::1 icmp6 address ::1 icmp6
{
	pfs_group 1;
	lifetime time 60 sec;
	encryption_algorithm 3des, cast128, blowfish 448, des ;
	authentication_algorithm hmac_sha1, hmac_md5 ;
	compression_algorithm deflate ;
}

All of that sainfo stuff is the Phase Two configuration. Again, you can have sainfo sections for specified peer IPs or you can use sainfo anonymous.

Now let's see what that file looks like after I've removed the sections I don't need and inserted my own policy parameters:

 $ more /usr/local/etc/racoon/racoon.conf

# $KAME: racoon.conf.in,v 1.18 2001/08/16 06:33:40 itojun Exp $

path include "/usr/local/etc/racoon" ;

path pre_shared_key "/usr/local/etc/racoon/psk.txt" ;

# "log" specifies logging level.  It is followed by either "notify", "debug"
# or "debug2".
#log debug;

# "padding" defines some parameter of padding.  You should not touch these.
padding
{
	maximum_length 20;	# maximum padding length.
	randomize off;		# enable randomize length.
	strict_check off;	# enable strict check.
	exclusive_tail off;	# extract last one octet.
}

# if no listen directive is specified, racoon will listen to all
# available interface addresses.
listen
{
	isakmp A.A.A.A [500];
}

# Specification of default various timer.
timer
{
	# These value can be changed per remote node.
	counter 5;		# maximum trying count to send.
	interval 20 sec;	# maximum interval to resend.
	persend 1;		# the number of packets per a send.

	# timer for waiting to complete each phase.
	phase1 30 sec;
	phase2 15 sec;
}

remote B.B.B.B
{
	#exchange_mode main,aggressive;
	exchange_mode aggressive,main;
	doi ipsec_doi;
	situation identity_only;

	nonce_size 16;
	lifetime time 60 min;	# sec,min,hour
	initial_contact on;
	support_mip6 on;
	proposal_check obey;	# obey, strict or claim

	proposal {
		encryption_algorithm blowfish;
		hash_algorithm sha1;
		authentication_method pre_shared_key ;
		dh_group 5 ;
	}
}

sainfo B.B.B.B
{
	pfs_group 5;
	lifetime time 24 hour;
	encryption_algorithm blowfish ;
	authentication_algorithm hmac_sha1;
	compression_algorithm deflate ;
}

If you compare that file to my sketched out policy, you'll see that most of the configuration parameters are put into this file. Notice that I used A's external IP in the listen directive, and made Phase One and Phase Two policies for B's external IP. Since both policies need to be identical on both peers, I can simply copy that file over to Gateway B while remembering to switch the addresses so B's configuration file listens on B's address and has configuration sections for A.

Pages: 1, 2, 3

Next Pagearrow





Sponsored by: