2010-03-15

実装 : 事前共有鍵認証 トンネルモード(esp)

 
◆ 構成


             ┌────────┐
 192.168.0.1 │                │ 192.168.0.2
           ┌┴┐            ┌┴┐
           │ │============│ │
           └┬┘            └┬┘
             │                │



◆ 192.168.0.1 の設定


# IEK 設定用ファイルの設定
#vi /home/racoon/sample1/racoon.conf
-----
path include  "/usr/local/sbin/racoon";
path pre_shared_key "/home/racoon/sample1/psk.txt";
log notify;
listen {
  isakmp 192.168.0.1 [500];
}
remote anonymous {
  exchange_mode aggressive;
  lifetime time 8 hour;
  passive on;
  proposal {
    encryption_algorithm aes;
    hash_algorithm sha1;
    authentication_method pre_shared_key;
    dh_group 2;
  }
}
sainfo anonymous {
  pfs_group 2;
  lifetime time 8 hour;
  encryption_algorithm aes;
  authentication_algorithm hmac_sha1;
  compression_algorithm deflate;
}
-----


# セキュリティポリシー設定ファイルの設定
#vi /home/racoon/sample1/ipsec.conf
-----
flush;
spdflush;

spdadd 192.168.0.1 192.168.0.2 any -P out ipsec esp/tunnel/192.168.0.1-192.168.0.2/require;
spdadd 192.168.0.2 192.168.0.1 any -P in ipsec esp/tunnel/192.168.0.2-192.168.0.1/require;
-----


# 事前共有鍵の設定
#vi /home/racoon/sample1/psk.txt
-----
192.168.0.2 abcdefg1234567890
-----
#chmod 0400 /home/racoon/sample1/psk.txt


# iptables の設定
#iptables -A INPUT -s 192.168.0.2 -p esp -j ACCEPT
#iptables -A INPUT -s 192.168.0.2 -p udp -m udp --dport 500 -j ACCEPT
※ その他諸々いるかもしれない



◆ 192.168.0.2 の設定


# IEK 設定用ファイルの設定
#vi /home/racoon/sample1/racoon.conf
-----
path include  "/usr/local/sbin/racoon";
path pre_shared_key "/home/racoon/sample1/psk.txt";
log notify;
listen {
  isakmp 192.168.0.2 [500];
}
remote 192.168.0.1 {
  exchange_mode aggressive;
  lifetime time 8 hour;
  proposal {
    encryption_algorithm aes;
    hash_algorithm sha1;
    authentication_method pre_shared_key;
    dh_group 2;
  }
}
sainfo anonymous {
  pfs_group 2;
  lifetime time 8 hour;
  encryption_algorithm aes;
  authentication_algorithm hmac_sha1;
  compression_algorithm deflate;
}
-----


# セキュリティポリシー設定ファイルの設定
#vi /home/racoon/sample1/ipsec.conf
-----
flush;
spdflush;

spdadd 192.168.0.2 192.168.0.1 any -P out ipsec esp/tunnel/192.168.0.2-192.168.0.1/require;
spdadd 192.168.0.1 192.168.0.2 any -P in ipsec esp/tunnel/192.168.0.1-192.168.0.2/require;
-----


# 事前共有鍵の設定
#vi /home/racoon/sample1/psk.txt
-----
192.168.0.1 abcdefg1234567890
-----
#chmod 0400 /home/racoon/sample1/psk.txt



◆ 実行


/usr/local/sbin/setkey -F
/usr/local/sbin/setkey -FP
/usr/local/sbin/setkey -f /home/racoon/sample1/ipsec.conf
/usr/local/sbin/racoon -f /home/racoon/sample1/racoon.conf



◆ 接続


# 192.168.0.2
#ping 192.168.0.1


# 192.168.0.1 - log
INFO: respond new phase 1 negotiation: 192.168.0.1[500]<=>192.168.0.2[500]
INFO: begin Aggressive mode.
INFO: received Vendor ID: DPD
NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.
INFO: ISAKMP-SA established 192.168.0.1[500]-192.168.0.2[500] spi:b426a0c6d8d77478:0175a0c2f99a39e2
INFO: respond new phase 2 negotiation: 192.168.0.1[500]<=>192.168.0.2[500]
INFO: IPsec-SA established: ESP/Tunnel 192.168.0.2[500]->192.168.0.1[500] spi=171417387(0xa379f2b)
INFO: IPsec-SA established: ESP/Tunnel 192.168.0.1[500]->192.168.0.2[500] spi=193833491(0xb8daa13)



◇ 環境


CentOS release 5.4 (Final) + kernel 2.6.18
ipsec-tools 0.6.5
 

0 件のコメント:

コメントを投稿