Hi all,
hopefully someone can help me with my following configuration problem
of ipsec-tools, racoon and routing. I'd like to create a new private
network with some "roadwarrior" systems (except they have known
IP addresses and should NOT get new virtual addresses on connection but
use their preconfigured ones) and a gateway with other systems
behind it.
[System A]                          [System B - Gateway]
"Public" Address:                   "Public" Address:
192.168.1.1                         192.168.2.2
"Private" Address:                  "Private" Addresses:
10.0.0.1 ========================== 10.0.0.x
I already managed to get transport mode with certificates between two
public addresses working, but I really have problems making the above
configuration work, especially regarding the routing and setting the
correct SPDs (do I use the private addresses or the public ones...).
Any link to an example would be great.
The relevant parts of my current transport-mode configurations for one
host are:
/etc/ipsec-tools.conf:
----------------------
spdadd 192.168.1.1 192.168.2.2 any -P out ipsec esp/transport//require;
spdadd 192.168.2.2 192.168.1.1 any -P in ipsec esp/transport//require;
/etc/racoon/racoon.conf:
------------------------
remote 192.168.2.2 {
    exchange_mode main;
    certificate_type x509 "host-cert.pem" "host-key.pem";
    verify_cert on;
    my_identifier asn1dn;
    peers_identifier asn1dn;
    proposal {
        encryption_algorithm 3des;
        hash_algorithm sha1;
        authentication_method rsasig;
        dh_group modp1024;
    }
}
sainfo address 192.168.1.1 any address 192.168.2.2 any {
    pfs_group modp1024;
    encryption_algorithm aes,3des;
    authentication_algorithm hmac_sha1,hmac_md5;
    compression_algorithm deflate;
}
# Extra sainfo for port 500 needed, taken from
# <http://bugs.debian.org/341398#msg69>
sainfo address 192.168.1.1[500] any address 192.168.2.2[500] any {
    pfs_group modp1024;
    encryption_algorithm aes,3des;
    authentication_algorithm hmac_sha1,hmac_md5;
    compression_algorithm deflate;
}
tia
Marco
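As an added example (not part of Marco's mail), this is the tunnel-mode policy the diagram above calls for on System A: the SPD selectors name the private addresses, while the tunnel endpoints name the public ones. It assumes the "10.0.0.x" hosts behind the gateway form the prefix 10.0.0.0/24; the gateway side mirrors these lines with source and destination swapped.

```conf
# /etc/ipsec-tools.conf on System A (added example; 10.0.0.0/24 is an
# assumed prefix for the 10.0.0.x hosts behind System B)
spdadd 10.0.0.1 10.0.0.0/24 any -P out ipsec esp/tunnel/192.168.1.1-192.168.2.2/require;
spdadd 10.0.0.0/24 10.0.0.1 any -P in ipsec esp/tunnel/192.168.2.2-192.168.1.1/require;

# /etc/racoon/racoon.conf on System A: the phase 2 selectors are the
# private addresses; the "remote 192.168.2.2" block from the transport
# setup stays unchanged, since phase 1 still runs between the public ones
sainfo address 10.0.0.1 any address 10.0.0.0/24 any {
    pfs_group modp1024;
    encryption_algorithm aes;
    authentication_algorithm hmac_sha1;
}
```

Linux still needs a route for 10.0.0.0/24 that selects 10.0.0.1 as source address (e.g. `ip route add 10.0.0.0/24 dev eth0 src 10.0.0.1`, interface name assumed), otherwise the packet never matches the policy; `setkey -DP` shows the installed policies. With `require`, System A drops traffic for 10.0.0.0/24 instead of sending it in cleartext while no SA is up, which is the behaviour you want from a VPN policy.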