Shrew Soft client doesn't support Transport mode but it allows to use AES (more secure than 3DES). So, in order to make our hosts communicate we need to create a virtual interface on the GNU/Linux host.
user@alice # apt-get install uml-utilities tunctl -u admin ifconfig tap0 172.31.0.1 ifconfig tap0 up
Fr
#!/usr/sbin/setkey -f
## Flush the SAD and SPD
#
flush;
spdflush;
spdadd 10.0.0.200 10.0.0.118 any -P out ipsec
esp/transport//require;
spdadd 10.0.0.118 10.0.0.200 any -P in ipsec
esp/transport//require;
#path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";
listen {
isakmp 10.0.0.200 [500];
}
#remote 10.0.0.118 {
remote anonymous {
exchange_mode main;
my_identifier asn1dn;
peers_identifier asn1dn;
certificate_type x509 "newcert.pem" "privkey.pem";
ca_type x509 "cacert.pem";
passive on;
generate_policy unique;
ike_frag on;
nat_traversal on;
dpd_delay 30;
proposal_check claim;
lifetime time 24 hours;
verify_identifier on;
proposal {
encryption_algorithm aes 256;
hash_algorithm sha1;
authentication_method rsasig ;
dh_group 15;
}
}
mode_cfg {
network4 172.31.0.2; # 192.168.100.1 est la première adresse allouee aux clients VPN
split_network include 172.31.0.0/24;
pool_size 20;
netmask4 255.255.255.0;
auth_source system;
#dns4 192.168.200.254; # 192.168.200.254 est l'adresse du DNS dans le reseau local distant
banner "/etc/racoon/motd";
#pfs_group 0;
}
#sainfo address 10.0.0.200 any address 10.0.0.118 any {
sainfo anonymous {
lifetime time 1 hour;
encryption_algorithm aes 128;
authentication_algorithm hmac_sha1;
compression_algorithm deflate;
}
Contact :
