<HTML>
<HEAD>
<TITLE>Automatic or Manual Key connections</TITLE>
<META NAME="GENERATOR" CONTENT="Modular DocBook HTML Stylesheet Version 1.60">
<LINK REL="HOME" TITLE="Securing and Optimizing Linux" HREF="index.html">
<LINK REL="UP" TITLE="Linux FreeS/WAN VPN" HREF="fSWAn.html">
<LINK REL="PREVIOUS" TITLE="Configure to optimise" HREF="chap25sec202.html">
<LINK REL="NEXT" TITLE="The /etc/ipsec.conf file" HREF="chap25sec203e.html">
</HEAD>
<BODY CLASS="section" BGCOLOR="#FFFFFF" TEXT="#000000" LINK="#0000FF" VLINK="#840084" ALINK="#0000FF">
<DIV CLASS="NAVHEADER">
<TABLE WIDTH="100%" BORDER="0" CELLPADDING="0" CELLSPACING="0">
<TR><TH COLSPAN="3" ALIGN="center">Securing and Optimizing Linux: RedHat Edition - A Hands on Guide</TH></TR>
<TR>
<TD WIDTH="10%" ALIGN="left" VALIGN="bottom"><A HREF="chap25sec202.html">Prev</A></TD>
<TD WIDTH="80%" ALIGN="center" VALIGN="bottom">Chapter 25. Linux FreeS/WAN VPN</TD>
<TD WIDTH="10%" ALIGN="right" VALIGN="bottom"><A HREF="chap25sec203e.html">Next</A></TD>
</TR>
</TABLE>
<HR ALIGN="LEFT" WIDTH="100%">
</DIV>
<DIV CLASS="section">
<H1 CLASS="section"><A NAME="AEN14737">25.5. Automatic or Manual Key connections</A></H1>
<P>The FreeS/WAN configuration file <TT CLASS="filename">/etc/ipsec.conf</TT> is where you define your <SPAN CLASS="acronym">IPSEC</SPAN> configuration, control information and connection types. <SPAN CLASS="acronym">IPSEC</SPAN> currently supports two types of connections:
<DIV CLASS="variablelist">
<DL>
<DT>Manually keyed</DT>
<DD><P>Manually keyed connections use keys stored in the <TT CLASS="filename">/etc/ipsec.conf</TT> file. This type of connection is less secure than an automatically keyed one.</P></DD>
<DT>Automatically keyed</DT>
<DD><P>Automatically keyed connections use keys generated automatically by the Pluto key negotiation daemon. The key negotiation protocol used by default, IKE, authenticates the other system using shared secrets stored in the <TT CLASS="filename">/etc/ipsec.secrets</TT> file.</P></DD>
</DL>
</DIV>
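As an added example that is not part of the book, the Python script below audits an ipsec.conf for the two pitfalls this section touches on: conn sections that keep their keys inside the configuration file (manual keying) and left/right subnets that overlap, which the sample topology later in this section happens to do, since it gives both SubnetDeep and SubnetMail the address 192.168.1.0/24. The manual-keying parameter names are assumed from the FreeS/WAN ipsec.conf(5) manual, and the sample configuration is constructed from this section's deep/mail addresses.

```python
# Added example, not the book's code: audit a FreeS/WAN-style ipsec.conf for conns
# that keep keys inside the config file (manual keying) and for overlapping
# left/right subnets. Manual-keying parameter names are assumed from ipsec.conf(5).
import ipaddress

MANUAL_KEY_PARAMS = {"spi", "spibase", "espenckey", "espauthkey", "ahkey"}

# Constructed sample; addresses are the deep/mail topology of this section.
SAMPLE_CONF = """\
conn deep-mail-manual
    left=208.164.186.1
    right=208.164.186.2
    espenckey=0x0123456789abcdef0123456789abcdef0123456789abcdef  # sample key only

conn deep-mail
    left=208.164.186.1
    leftsubnet=192.168.1.0/24
    right=208.164.186.2
    rightsubnet=192.168.1.0/24
    authby=secret    # IKE; the shared secret lives in /etc/ipsec.secrets
    auto=start
"""

def parse_conf(text):
    sections, current = {}, None            # {section: {param: value}}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments
        if not line.strip():
            continue
        if line[0].isspace() and current is not None:   # indented parameter line
            key, _, value = line.strip().partition("=")
            sections[current][key.strip()] = value.strip()
        else:                                            # "conn NAME" header
            current = line.strip()
            sections[current] = {}
    return sections

def audit(text):
    """Return (section, finding) tuples for every conn that has a pitfall."""
    findings = []
    for name, params in parse_conf(text).items():
        if not name.startswith("conn "):
            continue
        keyed = sorted(MANUAL_KEY_PARAMS.intersection(params))
        if keyed:
            findings.append((name, "keys stored in ipsec.conf: " + ", ".join(keyed)))
        if "leftsubnet" in params and "rightsubnet" in params:
            left = ipaddress.ip_network(params["leftsubnet"], strict=False)
            right = ipaddress.ip_network(params["rightsubnet"], strict=False)
            if left.overlaps(right):
                findings.append((name, "leftsubnet %s overlaps rightsubnet %s" % (left, right)))
    return findings
```

Run `audit(open("/etc/ipsec.conf").read())` on a real gateway to list the conns that deserve a second look.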
The difference is strictly in how they are keyed. For this reason, we will use and show you the automatically keyed connection, which is more secure than the manually keyed one. <EM>Once again, it is highly recommended that you use the automatically keyed connection</EM>.
</P>
<P>In our example configuration below, we configure a sample firewall-penetrating tunnel, and we assume that firewalling is being done on both the left and the right side. We chose to show this configuration because we assume it is what most users and companies will use; it also lets us exercise more of the options in the <TT CLASS="filename">ipsec.conf</TT> configuration file for automatically keyed connections. Other configurations exist; consult the <TT CLASS="filename">doc/examples</TT> file under the <TT CLASS="filename">doc</TT> subdirectory of the FreeS/WAN source directory for more information and other possible configurations.</P>
<TABLE BORDER="0" BGCOLOR="#E0E0E0" WIDTH="100%">
<TR><TD><PRE CLASS="programlisting">
SubnetDeep======Deep------Deepgate..........Mailgate-------Mail======SubnetMail
                                Untrusted net

leftsubnet   = SubnetDeep (192.168.1.0/24)
left         = Deep (deep.openna.com)
leftnexthop  = Deepgate (the first router in the direction of the other gateway, or the ISP router, for deep.openna.com)
Internet     = Untrusted net
rightnexthop = Mailgate (the first router in the direction of the other gateway, or the ISP router, for mail.openna.com)
right        = Mail (mail.openna.com)
rightsubnet  = SubnetMail (192.168.1.0/24)
</PRE></TD></TR>
</TABLE>
<P></P>
<UL>
<LI><P>
<P CLASS="literallayout"><br>
SubnetDeep<br>
\ 192.168.1.0/24 /<br>
+--------------------+<br>
|<br>
</P>
SubnetDeep is the <SPAN CLASS="acronym">IP</SPAN> network address of your private internal network on the first gateway. eth1 is attached to the internal network.
</P></LI>
<LI><P>
<P CLASS="literallayout"><br>
Deep<br>
\ 208.164.186.1 /<br>
+-------------------+<br>
|<br>
</P>
Deep is the <SPAN CLASS="acronym">IP</SPAN> address of your first gateway. eth0 is attached to the Internet.
</P></LI>
<LI><P>
<P CLASS="literallayout"><br>
Deepgate<br>
\ 205.151.222.250 /<br>
+----------------------+<br>
|<br>
<br>
</P>
Deepgate is the <SPAN CLASS="acronym">IP</SPAN> address of the first router in the direction of your second gateway <TT CLASS="literal">mail.openna.com</TT>, or of your <SPAN CLASS="acronym">ISP</SPAN> router.
</P></LI>
<LI><P>
<P CLASS="literallayout"><br>
I N T E R N E T<br>
|<br>
<br>
</P>
INTERNET is the untrusted network.
</P></LI>
<LI><P>
<P CLASS="literallayout"><br>
Mailgate<br>
/ 205.151.222.251 \<br>
+------------------------+<br>
|<br>
</P>
Mailgate is the <SPAN CLASS="acronym">IP</SPAN> address of the first router in the direction of your first gateway <TT CLASS="literal">deep.openna.com</TT>, or of your <SPAN CLASS="acronym">ISP</SPAN> router.
</P></LI>
<LI><P>
<P CLASS="literallayout"><br>
Mail<br>
/ 208.164.186.2 \<br>
+---------------------+<br>
|<br>
<br>
</P>
Mail is the <SPAN CLASS="acronym">IP</SPAN> address of your second gateway. eth0 is attached to the Internet.
</P></LI>
<LI><P>
<P CLASS="literallayout"><br>
SubnetMail<br>
/ 192.168.1.0/24 \<br>
+----------------------+<br>
</P>
SubnetMail is the <SPAN CLASS="acronym">IP</SPAN> network address of your private internal network on the second gateway. eth1 is attached to the internal network.
</P></LI>
</UL>
</DIV>
<DIV CLASS="NAVFOOTER">
<HR ALIGN="LEFT" WIDTH="100%">
<TABLE WIDTH="100%" BORDER="0" CELLPADDING="0" CELLSPACING="0">
<TR>
<TD WIDTH="33%" ALIGN="left" VALIGN="top"><A HREF="chap25sec202.html">Prev</A></TD>
<TD WIDTH="34%" ALIGN="center" VALIGN="top"><A HREF="index.html">Home</A></TD>
<TD WIDTH="33%" ALIGN="right" VALIGN="top"><A HREF="chap25sec203e.html">Next</A></TD>
</TR>
<TR>
<TD WIDTH="33%" ALIGN="left" VALIGN="top">Configure to optimise</TD>
<TD WIDTH="34%" ALIGN="center" VALIGN="top"><A HREF="fSWAn.html">Up</A></TD>
<TD WIDTH="33%" ALIGN="right" VALIGN="top">The <TT CLASS="filename">/etc/ipsec.conf</TT> file</TD>
</TR>
</TABLE>
</DIV>
</BODY>
</HTML>