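# alice (VPN server): create the tap device that will carry the tunnel endpoint.
# The original transcript runs all four commands from a root prompt on alice.
apt-get install uml-utilities
# tunctl creates the next free tapN device (tap0 in this transcript) and hands
# ownership to user "admin", so that user can attach to it without root.
tunctl -u admin
# Server-side tunnel address. The /24 netmask is given explicitly so it matches
# netmask4 in racoon.conf and the client's eth1:1 configuration; without it
# ifconfig falls back to the address-class default for 172.31.0.0.
ifconfig tap0 172.31.0.1 netmask 255.255.255.0
ifconfig tap0 up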
# racoon configuration on alice (VPN server, IKE responder at 192.168.0.84).
# Pre-shared keys are disabled; the peer authenticates with an X.509 certificate.
#path pre_shared_key "/etc/racoon/psk.txt";
# Directory holding the server certificate, its private key and the CA files.
path certificate "/etc/racoon/certs";
listen {
# IKE is accepted only on the LAN-facing address, UDP/500 (no NAT-T port configured).
isakmp 192.168.0.84 [500];
}
# Phase 1 (ISAKMP SA) settings for the single known client, bob at 192.168.0.95.
remote 192.168.0.95 {
# Main mode: peer identities are exchanged only after the channel is encrypted.
exchange_mode main;
# Both peers identify themselves by the subject DN of their certificate ...
my_identifier asn1dn;
peers_identifier asn1dn;
# ... and the identifier the client sends must match what is expected for it.
verify_identifier on;
certificate_type x509 "newcert.pem" "privkey.pem";
# NOTE(review): verify_cert is not set in this block, so racoon's default applies;
# confirm the client certificate is actually validated against a CA in /etc/racoon/certs.
proposal {
encryption_algorithm aes 256;
hash_algorithm sha1;
authentication_method rsasig ;
# PSK authentication kept here only as a commented-out alternative.
#authentication_method pre_shared_key;
# modp1024 (group 2) was replaced by group 15 (3072-bit MODP).
#dh_group modp1024;
dh_group 15;
}
# Left at racoon's default: presumably no SPD entries are generated from the client's
# proposal, so the static SPD in the setkey file must cover each client address.
# generate_policy off;
}
# ISAKMP mode-config: addresses and options pushed to connecting clients.
mode_cfg {
# First address handed out to VPN clients. (The original comment mentioned
# 192.168.100.1, which does not match this directive; 172.31.0.2 is what is configured.)
network4 172.31.0.2;
# Clients are told to send only 172.31.0.0/24 through the tunnel.
split_network include 172.31.0.0/24;
# 20 client addresses, starting at network4.
pool_size 20;
netmask4 255.255.255.0;
# Client logins are presumably checked against the local system accounts.
auth_source system;
# DNS server of the remote LAN; not pushed to clients at the moment.
#dns4 192.168.200.254; # 192.168.200.254 is the address of the DNS server in the remote LAN
banner "/etc/racoon/motd";
#pfs_group 0;
}
# Phase 2 (IPsec SA) parameters; a specific address pair is left commented out in
# favour of a catch-all that applies to any client.
#sainfo address 10.0.0.200 any address 10.0.0.118 any {
sainfo anonymous {
# IPsec SA rekey interval.
lifetime time 1 hour;
encryption_algorithm aes 128;
authentication_algorithm hmac_sha1;
compression_algorithm deflate;
}
#!/usr/sbin/setkey -f
#
# setkey policy file on alice (VPN server): static SPD for the tunnel to bob.
#
# NOTE: Do not use this file if you use racoon with racoon-tool
# utility. racoon-tool will setup SAs and SPDs automatically using
# /etc/racoon/racoon-tool.conf configuration.
#
## Flush the SAD and SPD
#
flush;
spdflush;

## Tunnel-mode ESP between the two tunnel addresses, carried between the two LAN
## addresses. The "require" level means traffic matching the selector is dropped
## rather than sent in clear when no SA exists.
## Only the single client address 172.31.0.10 is covered; other addresses from the
## mode_cfg pool get no policy from this file.
spdadd 172.31.0.1 172.31.0.10 any -P out ipsec esp/tunnel/192.168.0.84-192.168.0.95/require;
spdadd 172.31.0.10 172.31.0.1 any -P in ipsec esp/tunnel/192.168.0.95-192.168.0.84/require;
# bob (VPN client): the tunnel endpoint address is an alias on eth1 (the note
# below recommends a virtual tun0 interface instead of an alias).
user@bob # ifconfig eth1:1 172.31.0.10 netmask 255.255.255.0
# racoon (IKE daemon) plus ipsec-tools, which provides setkey for the SPD.
user@bob # apt-get install racoon ipsec-tools
NB : Il faut choisir l'option « modification directe » lors de l'installation de racoon. Pour des raisons de sécurité, il vaut mieux privilégier une interface virtuelle tun0 plutôt qu'un alias eth1:1.
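# racoon configuration on bob (VPN client, IKE initiator at 192.168.0.95).
# Directory holding the client certificate, its private key and the CA certificate.
path certificate "/etc/racoon/certs";
# Phase 1 (ISAKMP SA) settings for the server, alice at 192.168.0.84.
remote 192.168.0.84 {
exchange_mode main;
certificate_type x509 "newcert.pem" "privkey.pem";
ca_type x509 "cacert.pem"; #certificate type and file name
my_identifier asn1dn;
proposal_check obey; #obeying the options requested by other peer
ike_frag on; #IKE fragmentation enabled
mode_cfg on; #accepting information about the network being connected to
# The server certificate must chain to cacert.pem declared above. The original
# configuration had this set to "off", which means any peer presenting some
# certificate could pass as 192.168.0.84 and terminate the tunnel in the middle;
# since the CA file is already configured there is no reason to skip the check.
verify_cert on;
proposal {
#cryptography and hash algorithm
encryption_algorithm aes 256;
hash_algorithm sha1;
#authentication method
authentication_method rsasig ;
#Diffie-Hellman exponential group (group 15 = 3072-bit MODP)
dh_group 15;
}
# No SPD entries are generated from the negotiation; the static setkey file provides them.
generate_policy off;
# Optional hooks run after phase 1 comes up / goes down; disabled here.
# script "/etc/racoon/phase1-up.sh" phase1_up;
# script "/etc/racoon/phase1-down.sh" phase1_down;
}
# Phase 2 (IPsec SA) parameters, applied to any peer; they match the server side.
sainfo anonymous {
#second phase information lifetime
lifetime time 1 hour;
#cryptography, authentication and compression algorithm
encryption_algorithm aes 128;
authentication_algorithm hmac_sha1;
compression_algorithm deflate;
}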
#!/usr/sbin/setkey -f
#
# setkey policy file on bob (VPN client): mirror image of the server's SPD.
#
## Flush the SAD and SPD
#
flush;
spdflush;

## Some sample SPDs for use racoon
#
## Outbound: bob's tunnel address to alice's, ESP tunnel between the LAN addresses.
spdadd 172.31.0.10 172.31.0.1 any -P out ipsec esp/tunnel/192.168.0.95-192.168.0.84/require;
#
## Inbound: the reverse direction.
spdadd 172.31.0.1 172.31.0.10 any -P in ipsec esp/tunnel/192.168.0.84-192.168.0.95/require;
## NOTE(review): in the original (line-collapsed) text both spdadd lines might also
## be read as commented out; after loading, confirm with `setkey -DP` that both
## policies are present, otherwise traffic to 172.31.0.1 leaves eth1 unprotected.