2010-02-08

実装 : 事前共有鍵認証 トランスポートモード(esp)

 
◆ 構成


              ┌────┴────┐
              │                  │ 
 192.168.0.1┌┴┐              ┌┴┐192.168.0.2
            │ │              │ │
            └┬┘              └┬┘
              │                  │



◆ 192.168.0.1 の設定


# IKE 設定用ファイルの設定
#vi /home/racoon/sample1/racoon.conf
-----
# racoon (IKEv1) configuration for 192.168.0.1 — the responder side of the PSK-authenticated
# ESP transport-mode setup.
# Directory searched by "include" statements (none are used in this file).
path include  "/usr/local/sbin/racoon";
# Pre-shared keys are looked up in this file by peer address; it must stay readable by
# root only (the chmod 0400 step below does that).
path pre_shared_key "/home/racoon/sample1/psk.txt";
log notify;
listen {
    # Accept ISAKMP only on this address/port.
    isakmp 192.168.0.1 [500];
}
# "anonymous" matches any initiator address and "passive on" makes this host respond
# only, never initiate; presumably the psk file then limits which peers can authenticate.
remote anonymous {
    # NOTE(review): aggressive mode with pre_shared_key exchanges the identity and the
    # PSK-derived hash before the channel is encrypted, so a guessable PSK can be tested
    # offline by anyone observing the exchange; main mode avoids that exposure when both
    # peers support it.
    exchange_mode aggressive;
    lifetime time 8 hour;
    passive on;
    proposal {
        encryption_algorithm aes;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        # NOTE(review): group 2 is 1024-bit MODP; a larger group is preferable if the peer allows it.
        dh_group 2;
    }
}
# Phase 2 (IPsec SA) parameters, applied to any selector; PFS uses the same DH group.
sainfo anonymous {
    pfs_group 2;
    lifetime time 8 hour;
    encryption_algorithm aes;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
}
-----


# セキュリティポリシー設定ファイルの設定
#vi /home/racoon/sample1/ipsec.conf
-----
# setkey policy for 192.168.0.1: discard any existing SAs/policies, then require ESP in
# transport mode for every protocol exchanged with 192.168.0.2.
flush;
spdflush;

# "require" means a matching packet is never sent in the clear: if no SA exists the kernel
# asks racoon to negotiate one. "any" covers all upper-layer protocols between the two hosts.
spdadd 192.168.0.1 192.168.0.2 any -P out ipsec esp/transport//require;
spdadd 192.168.0.2 192.168.0.1 any -P in ipsec esp/transport//require;
-----


# 事前共有鍵の設定
#vi /home/racoon/sample1/psk.txt
-----
192.168.0.2 abcdefg1234567890
-----
#chmod 0400 /home/racoon/sample1/psk.txt


# iptables の設定
#iptables -A INPUT -s 192.168.0.2 -p esp -j ACCEPT
#iptables -A INPUT -s 192.168.0.2 -p udp -m udp --dport 500 -j ACCEPT
※ 環境によっては、他にもルールが必要になるかもしれない



◆ 192.168.0.2 の設定


# IKE 設定用ファイルの設定
#vi /home/racoon/sample1/racoon.conf
-----
# racoon (IKEv1) configuration for 192.168.0.2 — the initiating side of the PSK-authenticated
# ESP transport-mode setup (no "passive" here, so this host may start the negotiation).
# Directory searched by "include" statements (none are used in this file).
path include  "/usr/local/sbin/racoon";
# Pre-shared keys are looked up in this file by peer address; keep it root-only
# (the chmod 0400 step below).
path pre_shared_key "/home/racoon/sample1/psk.txt";
log notify;
listen {
    # Accept ISAKMP only on this address/port.
    isakmp 192.168.0.2 [500];
}
# Parameters used when talking to the peer at 192.168.0.1.
remote 192.168.0.1 {
    # NOTE(review): aggressive mode with pre_shared_key exchanges the identity and the
    # PSK-derived hash before the channel is encrypted, so a guessable PSK can be tested
    # offline by anyone observing the exchange; main mode avoids that exposure when both
    # peers support it. Both sides must agree on the mode, so change it together.
    exchange_mode aggressive;
    lifetime time 8 hour;
    proposal {
        encryption_algorithm aes;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        # NOTE(review): group 2 is 1024-bit MODP; a larger group is preferable if the peer allows it.
        dh_group 2;
    }
}
# Phase 2 (IPsec SA) parameters, applied to any selector; PFS uses the same DH group.
sainfo anonymous {
    pfs_group 2;
    lifetime time 8 hour;
    encryption_algorithm aes;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
}
-----


# セキュリティポリシー設定ファイルの設定
#vi /home/racoon/sample1/ipsec.conf
-----
# setkey policy for 192.168.0.2: discard any existing SAs/policies, then require ESP in
# transport mode for every protocol exchanged with 192.168.0.1 (mirror of the other host).
flush;
spdflush;

# "require" means a matching packet is never sent in the clear: if no SA exists the kernel
# asks racoon to negotiate one. "any" covers all upper-layer protocols between the two hosts.
spdadd 192.168.0.2 192.168.0.1 any -P out ipsec esp/transport//require;
spdadd 192.168.0.1 192.168.0.2 any -P in ipsec esp/transport//require;
-----


# 事前共有鍵の設定
#vi /home/racoon/sample1/psk.txt
-----
192.168.0.1 abcdefg1234567890
-----
#chmod 0400 /home/racoon/sample1/psk.txt



◆ 実行


# Presumably run on each host with that host's own files.
# Start from a clean state: -F flushes the SAD (existing SAs), -FP flushes the SPD (policies).
/usr/local/sbin/setkey -F
/usr/local/sbin/setkey -FP
# Load the security policy; from here on traffic to the peer is held until an SA exists.
/usr/local/sbin/setkey -f /home/racoon/sample1/ipsec.conf
# Start the IKE daemon, which negotiates the SAs on demand.
/usr/local/sbin/racoon -f /home/racoon/sample1/racoon.conf



◆ 接続


# 192.168.0.2
#ping 192.168.0.1


# 192.168.0.1 - log
INFO: respond new phase 1 negotiation: 192.168.0.1[500]<=>192.168.0.2[500]
INFO: begin Aggressive mode.
INFO: received Vendor ID: DPD
NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.
INFO: ISAKMP-SA established 192.168.0.1[500]-192.168.0.2[500] spi:201e2979eee6c7ab:aa97388530b073a7
INFO: respond new phase 2 negotiation: 192.168.0.1[500]<=>192.168.0.2[500]
INFO: IPsec-SA established: ESP/Transport 192.168.0.2[500]->192.168.0.1[500] spi=166677082(0x9ef4a5a)
INFO: IPsec-SA established: ESP/Transport 192.168.0.1[500]->192.168.0.2[500] spi=106004457(0x6517fe9)



◇ 環境


CentOS release 5.4 (Final) + kernel 2.6.18
ipsec-tools 0.6.5
 
