Update sample config file to higher security settings
This commit is contained in:
parent
aed94b2d22
commit
a5a80e2b4d
|
@ -1,5 +1,12 @@
|
|||
2005-05-10 Emmanuel Dreyfus <manu@netbsd.org>
|
||||
|
||||
* src/racoon/samples/roadwarrior/client/racoon.conf
|
||||
src/racoon/samples/roadwarrior/server/{racoon.conf|racoon.conf-radius}
|
||||
src/racoon/samples/roadwarrior/server/phase1-down.sh: removed file
|
||||
src/racoon/samples/roadwarrior/README: update config files to
|
||||
higher security settings. Remove now useless phase 1 down
|
||||
script on server side.
|
||||
|
||||
* src/racoon/ipsec_doi.c: check for lifebyte in proposals
|
||||
* src/racoon/ipsec_doi.c: fix a bug in proposal_check claim for phase 1
|
||||
|
||||
|
|
|
@ -23,20 +23,14 @@ authentication, IP allocation and accounting. The address and secret
|
|||
to be used for the RADIUS server are configured in /etc/radius.conf,
|
||||
see radius.conf(5).
|
||||
|
||||
Both config files use the server/phase1-down.sh script, which is
|
||||
used to work around a bug in raccon with flushing automatically
|
||||
generated SAD and SPD entries. This script will not be needed
|
||||
anymore when this problem will be fixed.
|
||||
|
||||
Both configurations can be used with the Cisco VPN client if it
|
||||
is set up to use hybrid authentication (aka mutual group authentication,
|
||||
available in Cisco VPN client version 4.0.5 and above). The group
|
||||
password configured in the Cisco VPN client is not used by racoon.
|
||||
|
||||
After you have installed /etc/racoon/racoon.conf and
|
||||
/etc/racoon/phase1-down.sh, you will also have to install a server
|
||||
certificate and key in /etc/openssl/certs/server.crt and
|
||||
/etc/openssl/certs/server.key
|
||||
After you have installed /etc/racoon/racoon.conf, you will also have
|
||||
to install a server certificate and key in /etc/openssl/certs/server.crt
|
||||
and /etc/openssl/certs/server.key
|
||||
|
||||
|
||||
Client setup
|
||||
|
|
|
@ -16,7 +16,7 @@ remote 192.0.2.50 {
|
|||
script "/etc/racoon/phase1-down.sh" phase1_down;
|
||||
passive off;
|
||||
proposal {
|
||||
encryption_algorithm 3des;
|
||||
encryption_algorithm aes;
|
||||
hash_algorithm sha1;
|
||||
authentication_method hybrid_rsa_client;
|
||||
dh_group 2;
|
||||
|
@ -26,8 +26,8 @@ remote 192.0.2.50 {
|
|||
|
||||
sainfo anonymous {
|
||||
pfs_group 2;
|
||||
lifetime time 12 hour ;
|
||||
encryption_algorithm 3des, cast128, blowfish 448;
|
||||
lifetime time 1 hour;
|
||||
encryption_algorithm aes;
|
||||
authentication_algorithm hmac_sha1;
|
||||
compression_algorithm deflate ;
|
||||
}
|
||||
|
|
|
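Review bot: The new `encryption_algorithm aes;` in the client sainfo block carries no key length, so the negotiated AES key size is left to racoon's default, whereas the line it replaces (`encryption_algorithm 3des, cast128, blowfish 448;`) shows the explicit form; `encryption_algorithm aes 256;` would pin it, and the same applies to the matching sainfo hunks in server/racoon.conf and server/racoon.conf-radius. The commit title promises higher security settings, but `dh_group 2;` in the proposal and `pfs_group 2;` in sainfo (MODP-1024) are unchanged in all three files; racoon.conf(5) accepts `dh_group 14` / `pfs_group 14` (MODP-2048), so a comment stating that group 2 is kept deliberately for Cisco client compatibility would be worth adding if that is the reason. The client also still wires `script "/etc/racoon/phase1-down.sh" phase1_down;` while the commit deletes server/phase1-down.sh and the README sentence describing that script; if a client-side copy is still shipped, that should presumably be said somewhere in the client setup text, which lies outside the hunk. The enclosing `remote 192.0.2.50 {` block starts before the hunk.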
@ -1,15 +0,0 @@
|
|||
#!/bin/sh
|
||||
|
||||
PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
|
||||
|
||||
# Correctly flush automatically generated SAD and SPD entries
|
||||
# This should go away the day racoon will properly do the job.
|
||||
|
||||
echo "
|
||||
deleteall ${REMOTE_ADDR} ${LOCAL_ADDR} esp;
|
||||
deleteall ${LOCAL_ADDR} ${REMOTE_ADDR} esp;
|
||||
spddelete ${INTERNAL_ADDR4}/32[any] 0.0.0.0/0[any] any
|
||||
-P in ipsec esp/tunnel/${REMOTE_ADDR}-${LOCAL_ADDR}/require;
|
||||
spddelete 0.0.0.0/0[any] ${INTERNAL_ADDR4}/32[any] any
|
||||
-P out ipsec esp/tunnel/${LOCAL_ADDR}-${REMOTE_ADDR}/require;
|
||||
"|setkey -c
|
|
@ -8,14 +8,13 @@ remote anonymous {
|
|||
exchange_mode aggressive;
|
||||
certificate_type x509 "server.crt" "server.key";
|
||||
my_identifier asn1dn;
|
||||
proposal_check obey;
|
||||
proposal_check claim;
|
||||
generate_policy on;
|
||||
nat_traversal on;
|
||||
dpd_delay 20;
|
||||
ike_frag on;
|
||||
script "/etc/racoon/phase1-down.sh" phase1_down;
|
||||
proposal {
|
||||
encryption_algorithm 3des;
|
||||
encryption_algorithm aes;
|
||||
hash_algorithm sha1;
|
||||
authentication_method hybrid_rsa_server;
|
||||
dh_group 2;
|
||||
|
@ -30,12 +29,13 @@ mode_cfg {
|
|||
dns4 10.0.12.1;
|
||||
wins4 10.0.12.1;
|
||||
banner "/etc/racoon/motd";
|
||||
pfs_group 2;
|
||||
}
|
||||
|
||||
sainfo anonymous {
|
||||
pfs_group 2;
|
||||
lifetime time 12 hour;
|
||||
encryption_algorithm 3des, cast128, blowfish 448;
|
||||
lifetime time 1 hour;
|
||||
encryption_algorithm aes;
|
||||
authentication_algorithm hmac_sha1;
|
||||
compression_algorithm deflate;
|
||||
}
|
||||
|
|
|
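Review bot: `proposal_check claim;` replaces `obey` with no comment, yet it is the one directive here that changes how the server treats what a client proposes: as I read racoon.conf(5), claim accepts a peer lifetime only when it is shorter than the server's own `lifetime time 1 hour;` and otherwise keeps its own value and notifies the peer, whereas obey took whatever the peer sent. Since this is a sample configuration that readers copy, I would add `# claim: never exceed our own lifetime; obey would let the client raise it` above the directive. The `pfs_group 2;` newly placed in `mode_cfg` and the existing `pfs_group 2;` in `sainfo anonymous` must stay in step, which a short comment on either line could note. The identical hunks in server/racoon.conf-radius share both points; the enclosing `remote anonymous {` block starts before the hunk.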
@ -8,14 +8,13 @@ remote anonymous {
|
|||
exchange_mode aggressive;
|
||||
certificate_type x509 "server.crt" "server.key";
|
||||
my_identifier asn1dn;
|
||||
proposal_check obey;
|
||||
proposal_check claim;
|
||||
generate_policy on;
|
||||
nat_traversal on;
|
||||
dpd_delay 20;
|
||||
ike_frag on;
|
||||
script "/etc/racoon/phase1-down.sh" phase1_down;
|
||||
proposal {
|
||||
encryption_algorithm 3des;
|
||||
encryption_algorithm aes;
|
||||
hash_algorithm sha1;
|
||||
authentication_method hybrid_rsa_server;
|
||||
dh_group 2;
|
||||
|
@ -30,12 +29,13 @@ mode_cfg {
|
|||
dns4 10.0.12.1;
|
||||
wins4 10.0.12.1;
|
||||
banner "/etc/racoon/motd";
|
||||
pfs_group 2;
|
||||
}
|
||||
|
||||
sainfo anonymous {
|
||||
pfs_group 2;
|
||||
lifetime time 12 hour;
|
||||
encryption_algorithm 3des, cast128, blowfish 448;
|
||||
lifetime time 1 hour;
|
||||
encryption_algorithm aes;
|
||||
authentication_algorithm hmac_sha1;
|
||||
compression_algorithm deflate;
|
||||
}
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
#define TOP_PACKAGE "ipsec-tools"
|
||||
#define TOP_PACKAGE_NAME "ipsec-tools"
|
||||
#define TOP_PACKAGE_VERSION "0.6-nb200500507"
|
||||
#define TOP_PACKAGE_STRING "ipsec-tools 0.6-nb20050507"
|
||||
#define TOP_PACKAGE_VERSION "0.6-nb20050510"
|
||||
#define TOP_PACKAGE_STRING "ipsec-tools 0.6-nb20050510"
|
||||
#define TOP_PACKAGE_URL "http://ipsec-tools.sourceforge.net"
|
||||
|
|