Mode Transport entre deux stations GNU/Linux avec Racoon et authentification x509

Préambule

Synoptique

Création de l’autorité de certification

Voir ici

Alice

/etc/racoon/racoon.conf

#path pre_shared_key "/etc/racoon/psk.txt"; 
path certificate "/etc/racoon/certs"; 

listen { 
	isakmp 192.168.0.84 [500]; 
} 

#remote 192.168.0.85 { 
remote 192.168.0.95 { 
	exchange_mode main; 
	my_identifier asn1dn; 
	peers_identifier asn1dn; 
	verify_identifier on; 
	certificate_type x509 "newcert.pem" "privkey.pem"; 
	proposal { 
		encryption_algorithm aes 256; 
		hash_algorithm sha1; 
		authentication_method rsasig ; 
		#authentication_method pre_shared_key; 
		#dh_group modp1024; 
		dh_group 15; 
	} 
#        generate_policy off; 
} 

mode_cfg { 
	network4 172.31.0.2;     # 192.168.100.1 est la premiere adresse allouee aux clients VPN 
	split_network include 172.31.0.0/24; 
	pool_size 20; 
	netmask4 255.255.255.0; 
	auth_source system; 
	#dns4 192.168.200.254;       # 192.168.200.254 est l'adresse du DNS dans le reseau local distant 
	banner "/etc/racoon/motd"; 
	#pfs_group 0; 
} 

#sainfo address 10.0.0.200 any address 10.0.0.118 any { 
sainfo anonymous { 
	lifetime time 1 hour; 
	encryption_algorithm aes 128; 
	authentication_algorithm hmac_sha1; 
	compression_algorithm deflate; 
} 

					

/etc/ipsec-tools.conf

#!/usr/sbin/setkey -f 

## Flush the SAD and SPD 
# 
flush; 
spdflush; 

spdadd 192.168.0.84 192.168.0.95 any -P out ipsec 
	esp/transport//require; 
spdadd 192.168.0.95 192.168.0.84 any -P in ipsec 
	esp/transport//require; 
						

Bob

Installation des paquets nécessaires

user@bob # apt-get install racoon ipsec-tools

NB : Il faut choisir l'option modification directe lors de l'installation de raccon.

/etc/racoon/racoon.conf

path certificate "/etc/racoon/certs"; 
listen { 
        isakmp 192.168.0.95 [500]; 
} 

remote anonymous { 
        exchange_mode main; 
        my_identifier asn1dn; 
        peers_identifier asn1dn; 
        verify_identifier on; 
        certificate_type x509 "newcert.pem" "privkey.pem"; 
        ca_type x509 "cacert.pem";      #certificate type and file name 
        proposal_check obey;            #obeying the options requested by other peer 
        ike_frag on;                    #IKE fragmentation enabled 
        mode_cfg on;                    #accepting information about the network being connected to 
        verify_cert on;                #verifying certificates set to off 
        proposal { 
                #cryptography and hash algorithm 
                encryption_algorithm aes 256; 
                hash_algorithm sha1; 
                #authentication method 
                authentication_method rsasig ; 
                #Diffie-Hellman exponential group 
                dh_group 15; 
        } 
        #generate_policy off; 

#       script "/etc/racoon/phase1-up.sh" phase1_up; 
#       script "/etc/racoon/phase1-down.sh" phase1_down; 

} 

sainfo anonymous { 
        #second phase information lifetime 
        lifetime time 1 hour; 
        #cryptography, authentication and compression algorithm 
        encryption_algorithm aes 128; 
        authentication_algorithm hmac_sha1; 
        compression_algorithm deflate; 
}

/etc/ipsec-tools.conf

#!/usr/sbin/setkey -f 

## Flush the SAD and SPD 
# 
flush; 
spdflush; 

## Some sample SPDs for use racoon 
# 
spdadd 192.168.0.95 192.168.0.84 any -P out ipsec 
	esp/transport//require; 
spdadd 192.168.0.84 192.168.0.95 any -P in ipsec 
	esp/transport//require;

Sommaire

Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.

Contact :