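# On alice (the VPN gateway side, 192.168.0.84 in racoon.conf): install the tap
# tooling, create a tap device owned by user "admin", and give it the
# tunnel-side address.
apt-get install uml-utilities
tunctl -u admin                                  # creates the tap device (tap0 below)
# The netmask is given explicitly so that tap0 (172.31.0.1/24) agrees with the
# netmask4 255.255.255.0 that racoon's mode_cfg hands to clients and with bob's
# eth1:1 172.31.0.10/24. Without it, ifconfig falls back to the classful default
# for 172.31.x.x, leaving alice and bob with different ideas of the tunnel subnet.
ifconfig tap0 172.31.0.1 netmask 255.255.255.0
ifconfig tap0 up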
# /etc/racoon/racoon.conf on alice: IKE responder / mode_cfg server for the
# peer bob at 192.168.0.95. Authentication is by X.509 certificate (rsasig);
# the pre-shared-key alternative is left commented out.
#path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";

listen {
    isakmp 192.168.0.84 [500];
}

remote 192.168.0.95 {
    exchange_mode main;
    my_identifier asn1dn;
    peers_identifier asn1dn;
    # The peer's certificate DN must match peers_identifier; this is what ties
    # a valid certificate to this particular remote block.
    verify_identifier on;
    certificate_type x509 "newcert.pem" "privkey.pem";
    # NOTE(review): verify_cert and ca_type are not set in this block; confirm
    # that certificate verification is enabled by default in this racoon build
    # and that the CA certificate used to validate bob's cert is found under
    # "/etc/racoon/certs".
    proposal {
        encryption_algorithm aes 256;
        # Phase 1 PRF/integrity; sha1 is still common for IKEv1 interop but is
        # the weakest element of this proposal — review if both peers support more.
        hash_algorithm sha1;
        authentication_method rsasig ;
        #authentication_method pre_shared_key;
        #dh_group modp1024;
        dh_group 15;
    }
    # generate_policy off;
}

# mode_cfg: addresses and options handed to clients that set "mode_cfg on".
mode_cfg {
    # First address handed out to VPN clients (the original comment said
    # 192.168.100.1; the configured value is 172.31.0.2).
    network4 172.31.0.2;
    split_network include 172.31.0.0/24;
    # With network4 172.31.0.2 and pool_size 20, the pool presumably spans
    # 172.31.0.2–172.31.0.21. bob's statically configured 172.31.0.10 falls inside
    # that range and could collide with a leased address — confirm.
    pool_size 20;
    netmask4 255.255.255.0;
    # Xauth presumably checked against local system accounts — confirm.
    auth_source system;
    #dns4 192.168.200.254; # 192.168.200.254 is the DNS address on the remote local network
    banner "/etc/racoon/motd";
    #pfs_group 0;
}

# Phase 2 parameters, applied to any peer ("anonymous"); a host-specific sainfo
# is left commented out as an example.
#sainfo address 10.0.0.200 any address 10.0.0.118 any {
sainfo anonymous {
    lifetime time 1 hour;
    encryption_algorithm aes 128;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
}
#!/usr/sbin/setkey -f
# Security policy database (SPD) on alice: require ESP in tunnel mode for the
# host pair tap0 172.31.0.1 <-> bob 172.31.0.10, carried between the outer
# endpoints 192.168.0.84 (alice) and 192.168.0.95 (bob).
# NOTE: Do not use this file if you use racoon with racoon-tool
# utility. racoon-tool will setup SAs and SPDs automatically using
# /etc/racoon/racoon-tool.conf configuration.
#
## Flush the SAD and SPD
#
flush;
spdflush;

# "require": matching packets must be protected by an SA (racoon negotiates it
# on demand); there is no fallback to cleartext.
# NOTE(review): only the 172.31.0.1 <-> 172.31.0.10 pair is covered. Other
# addresses from the mode_cfg pool (172.31.0.0/24) presumably need their own
# entries or generate_policy — confirm.
spdadd 172.31.0.1 172.31.0.10 any -P out ipsec esp/tunnel/192.168.0.84-192.168.0.95/require;
spdadd 172.31.0.10 172.31.0.1 any -P in ipsec esp/tunnel/192.168.0.95-192.168.0.84/require;
# On bob (the VPN client side, 192.168.0.95 in racoon.conf): give eth1 a second
# address on the tunnel subnet, then install the IKE daemon and setkey tooling.
# NOTE(review): 172.31.0.10 lies inside the range alice's mode_cfg presumably
# hands out (network4 172.31.0.2, pool_size 20); a static address there can
# collide with a leased one — confirm.
ifconfig eth1:1 172.31.0.10 netmask 255.255.255.0
apt-get install racoon ipsec-tools
NB : Il faut choisir l'option « modification directe » lors de l'installation de racoon. Pour des raisons de sécurité, il vaut mieux privilégier une interface virtuelle tun0 plutôt qu'un alias eth1:1.
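# /etc/racoon/racoon.conf on bob: IKE initiator / mode_cfg client for the
# gateway alice at 192.168.0.84, authenticating with X.509 certificates.
path certificate "/etc/racoon/certs";

remote 192.168.0.84 {
    exchange_mode main;
    certificate_type x509 "newcert.pem" "privkey.pem";
    ca_type x509 "cacert.pem";   # certificate type and file name
    my_identifier asn1dn;
    proposal_check obey;         # obeying the options requested by other peer
    ike_frag on;                 # IKE fragmentation enabled
    mode_cfg on;                 # accepting information about the network being connected to
    # Peer certificate verification stays ON: the gateway's certificate is
    # checked against the CA configured in ca_type above. The original
    # "verify_cert off" let phase 1 complete with any certificate, so anyone
    # able to answer on 192.168.0.84 could have impersonated the gateway and
    # received bob's traffic; with the CA already in place there is no reason
    # to disable it.
    verify_cert on;
    proposal {
        # cryptography and hash algorithm
        encryption_algorithm aes 256;
        hash_algorithm sha1;
        # authentication method
        authentication_method rsasig ;
        # Diffie-Hellman exponential group
        dh_group 15;
    }
    generate_policy off;
    # script "/etc/racoon/phase1-up.sh" phase1_up;
    # script "/etc/racoon/phase1-down.sh" phase1_down;
}

sainfo anonymous {
    # second phase information lifetime
    lifetime time 1 hour;
    # cryptography, authentication and compression algorithm
    encryption_algorithm aes 128;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
}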
#!/usr/sbin/setkey -f
# Security policy database (SPD) on bob: mirror image of alice's policy, requiring
# ESP in tunnel mode for 172.31.0.10 <-> 172.31.0.1 between the outer endpoints
# 192.168.0.95 (bob) and 192.168.0.84 (alice).
## Flush the SAD and SPD
#
flush;
spdflush;

## Some sample SPDs for use racoon
#
# NOTE(review): in the source each spdadd below is preceded by a "#". Confirm
# these two lines are really active and not commented out: with no SPD entries
# nothing is required to use the tunnel, and traffic to 172.31.0.1 leaves in clear.
spdadd 172.31.0.10 172.31.0.1 any -P out ipsec esp/tunnel/192.168.0.95-192.168.0.84/require;
#
spdadd 172.31.0.1 172.31.0.10 any -P in ipsec esp/tunnel/192.168.0.84-192.168.0.95/require;
Contact :