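Slackware 13.1 - IPSec
======================

Public domain

********************************************************************************
### Installation

cd /usr/src
wget -c "ftp://ftp.heanet.ie/mirrors/sourceforge/i/ip/ipsec-tools/ipsec-tools/0.8.0/ipsec-tools-0.8.0.tar.bz2"
# Plain FTP gives no integrity guarantee: compare the tarball against the
# upstream checksum/signature before building it.

su - install
cd /usr/src
tar xf ipsec-tools-0.8.0.tar.bz2
cd ipsec-tools-0.8.0
./configure \
  --prefix=/usr \
  --enable-hybrid \
  --enable-frag \
  --enable-dpd \
  --enable-natt=yes \
  --with-kernel-headers=/usr/include \
  --enable-security-context=no
# Slackware 13.1 patch
sed -i -e '/^CFLAGS/s,$, -fno-strict-aliasing,' src/racoon/Makefile
make && make install DESTDIR=/usr/local/encap/ipsec-tools-0.8.0
logout

cd /usr/local/encap/
mv ipsec-tools-0.8.0/usr{/share/man/,}
chown -R root:root ipsec-tools-0.8.0/
epkg ipsec-tools-0.8.0

********************************************************************************
### Commands

mkdir -p /etc/ipsec
touch /etc/ipsec/setkey.conf
# The file holds raw SA keys: keep it readable by root only.
chmod 600 /etc/ipsec/setkey.conf

********************************************************************************
### 83.170.43.20 : /etc/ipsec/setkey.conf

#!/usr/sbin/setkey -f

# Flush the SAD and SPD
flush;
spdflush;

# Manually keyed SAs never rekey: generate your own keys (the values below are
# examples) and rotate them on a schedule.  hmac-md5 and 3des-cbc are legacy
# choices; setkey also accepts hmac-sha256 (32-byte key) and aes-cbc (16, 24 or
# 32-byte key) when both peers support them.  The SA lines must be identical on
# both hosts; only the SPD direction differs.

# AH: Authentication Header
# keys created using: echo 0x$(dd if=/dev/random count=16 bs=1 | xxd -ps)
add 213.191.25.20 83.170.43.20 ah 0x200 -A hmac-md5 0x3c64015e1f7a7bd3dd0068e53778a314;
add 83.170.43.20 213.191.25.20 ah 0x300 -A hmac-md5 0x7db9dd867764c60c5240afbc7f172639;

# ESP: Encapsulating Security Payload
# keys created using: echo 0x$(dd if=/dev/random count=24 bs=1 | xxd -ps)
add 213.191.25.20 83.170.43.20 esp 0x201 -E 3des-cbc 0x2797e628f67ca5f5d0637ce6705529a778b59f1277132b12;
add 83.170.43.20 213.191.25.20 esp 0x301 -E 3des-cbc 0x7365e5a5bfb5c1d5d4a4509b9596a160ed66ec22b4b0dffd;

# IPSEC: local_ip remote_ip -P out
spdadd 83.170.43.20 213.191.25.20 any -P out ipsec esp/transport//require ah/transport//require;

# IPSEC: remote_ip local_ip -P in
spdadd 213.191.25.20 83.170.43.20 any -P in ipsec esp/transport//require ah/transport//require;

********************************************************************************
### 213.191.25.20 : /etc/ipsec/setkey.conf

#!/usr/sbin/setkey -f

# Flush the SAD and SPD
flush;
spdflush;

# Same SAs as on the other host (see the notes there); the SPD is mirrored.

# AH: Authentication Header
# keys created using: echo 0x$(dd if=/dev/random count=16 bs=1 | xxd -ps)
add 213.191.25.20 83.170.43.20 ah 0x200 -A hmac-md5 0x3c64015e1f7a7bd3dd0068e53778a314;
add 83.170.43.20 213.191.25.20 ah 0x300 -A hmac-md5 0x7db9dd867764c60c5240afbc7f172639;

# ESP: Encapsulating Security Payload
# keys created using: echo 0x$(dd if=/dev/random count=24 bs=1 | xxd -ps)
add 213.191.25.20 83.170.43.20 esp 0x201 -E 3des-cbc 0x2797e628f67ca5f5d0637ce6705529a778b59f1277132b12;
add 83.170.43.20 213.191.25.20 esp 0x301 -E 3des-cbc 0x7365e5a5bfb5c1d5d4a4509b9596a160ed66ec22b4b0dffd;

# IPSEC: local_ip remote_ip -P out
spdadd 213.191.25.20 83.170.43.20 any -P out ipsec esp/transport//require ah/transport//require;

# IPSEC: remote_ip local_ip -P in
spdadd 83.170.43.20 213.191.25.20 any -P in ipsec esp/transport//require ah/transport//require;

********************************************************************************
### Startup

# Append the line only once; re-running this step would otherwise duplicate it.
grep -qF "setkey -f /etc/ipsec/setkey.conf" /etc/rc.d/rc.local \
  || echo "/usr/sbin/setkey -f /etc/ipsec/setkey.conf" >> /etc/rc.d/rc.local

********************************************************************************
### Enable

setkey -f /etc/ipsec/setkey.conf

********************************************************************************
### Disable

# -P -F clears only the SPD; flush the SAD as well so the manual keys do not
# stay loaded in the kernel.
setkey -F
setkey -P -F

********************************************************************************
********************************************************************************
## IKE (internet key exchange)
********************************************************************************
********************************************************************************
### 83.170.43.20 : /etc/ipsec/setkey.conf

#!/usr/sbin/setkey -f

# Flush the SAD and SPD
flush;
spdflush;

# IPSEC: racoon negotiates the SAs; only the policy is installed here.
spdadd 83.170.43.20 213.191.25.20 any -P out ipsec esp/transport//require;
spdadd 213.191.25.20 83.170.43.20 any -P in ipsec esp/transport//require;

********************************************************************************
### 83.170.43.20 : /etc/ipsec/racoon.conf

path pre_shared_key "/etc/ipsec/psk.txt";
path certificate "/etc/ipsec/certs";

# Security associations info: Phase 2
sainfo anonymous {
  # Diffie-Hellman bit length
  # Group2: 1024 bit, Group14: 2048 bit
  pfs_group 14;
  lifetime time 1 hour;
  # Listed in order of preference; AES (rijndael) first, legacy ciphers after.
  encryption_algorithm rijndael, 3des, blowfish 448;
  authentication_algorithm hmac_sha256, hmac_sha1, hmac_md5;
  compression_algorithm deflate;
}

# Host authentication: Phase 1
remote 213.191.25.20 {
  # Both peers have fixed addresses and identify by address, so main mode is
  # enough; aggressive mode exposes the PSK-derived hash to passive observers
  # and is left out.
  exchange_mode main;
  my_identifier address;
  proposal {
    encryption_algorithm aes;
    hash_algorithm sha256;
    authentication_method pre_shared_key;
    dh_group 14;
  }
  # Fallback proposal for peers that do not accept the one above.
  proposal {
    encryption_algorithm 3des;
    hash_algorithm sha1;
    authentication_method pre_shared_key;
    dh_group 2;
  }
}

********************************************************************************
### 83.170.43.20 : /etc/ipsec/psk.txt

# <peer address> <secret>.  test123 is a placeholder: use a long random secret
# (e.g. dd if=/dev/random count=32 bs=1 | xxd -ps) and the same value on both peers.
213.191.25.20 test123

********************************************************************************
### 213.191.25.20 : /etc/ipsec/setkey.conf

#!/usr/sbin/setkey -f

# Flush the SAD and SPD
flush;
spdflush;

# IPSEC: racoon negotiates the SAs; only the policy is installed here.
spdadd 213.191.25.20 83.170.43.20 any -P out ipsec esp/transport//require;
spdadd 83.170.43.20 213.191.25.20 any -P in ipsec esp/transport//require;

********************************************************************************
### 213.191.25.20 : /etc/ipsec/racoon.conf

path pre_shared_key "/etc/ipsec/psk.txt";
path certificate "/etc/ipsec/certs";

# Security associations info: Phase 2
sainfo anonymous {
  # Diffie-Hellman bit length
  # Group2: 1024 bit, Group14: 2048 bit
  pfs_group 14;
  lifetime time 1 hour;
  # Listed in order of preference; AES (rijndael) first, legacy ciphers after.
  encryption_algorithm rijndael, 3des, blowfish 448;
  authentication_algorithm hmac_sha256, hmac_sha1, hmac_md5;
  compression_algorithm deflate;
}

# Host authentication: Phase 1
remote 83.170.43.20 {
  # Both peers have fixed addresses and identify by address, so main mode is
  # enough; aggressive mode exposes the PSK-derived hash to passive observers
  # and is left out.
  exchange_mode main;
  my_identifier address;
  proposal {
    encryption_algorithm aes;
    hash_algorithm sha256;
    authentication_method pre_shared_key;
    dh_group 14;
  }
  # Fallback proposal for peers that do not accept the one above.
  proposal {
    encryption_algorithm 3des;
    hash_algorithm sha1;
    authentication_method pre_shared_key;
    dh_group 2;
  }
}

********************************************************************************
### 213.191.25.20 : /etc/ipsec/psk.txt

# <peer address> <secret>.  test123 is a placeholder: use a long random secret
# (e.g. dd if=/dev/random count=32 bs=1 | xxd -ps) and the same value on both peers.
83.170.43.20 test123

********************************************************************************
### Commands

# The PSK file must not be readable by other users.
chmod 600 /etc/ipsec/psk.txt
# -F: foreground debug
racoon -f /etc/ipsec/racoon.conf -F
setkey -f /etc/ipsec/setkey.conf
tail -f /var/log/messages

********************************************************************************
### Disable

# Flush negotiated SAs and the policy, then stop the daemon.
setkey -F
setkey -P -F
killall racoon

********************************************************************************
_BY: Pejman Moghadam_
_TAG: ipsec, setkey, racoon_
_DATE: 2012-11-06 10:50:19_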