Securing-Optimizing-RH-Linux-1_2_303
Comments and suggestions concerning this book should be mailed to gmourani@videotron.ca
© Copyright 1999-2000 Gerhard Mourani and Open Network Architecture ®
303
other case, if the first gateway uses eth0 and the second uses eth1, you must change the interfaces= line on the second gateway to match the interface eth1.
left=208.164.186.1
This option specifies the IP address of the gateway's external interface used to talk to the other gateway.
leftsubnet=192.168.1.0/24
This option specifies the IP network or address of the private subnet behind the gateway.
leftnexthop=205.151.222.250
This option specifies the IP address of the first router in the appropriate direction, usually the ISP's router.
right=208.164.186.2
This is the same explanation as left= but for the right destination.
rightsubnet=192.168.1.0/24
This is the same explanation as leftsubnet= but for the right destination.
rightnexthop=205.151.222.251
This is the same explanation as leftnexthop= but for the right destination.
keyingtries=0
This option specifies how many attempts (an integer) should be made in (re)keying negotiations. The default value 0 (retry forever) is recommended.
auth=ah
This option specifies whether authentication should be done separately using AH (Authentication Header), or be included as part of the ESP (Encapsulating Security Payload) service. Separate AH authentication is preferable where the IP headers are exposed, to prevent man-in-the-middle attacks.
auto=start
This option specifies whether the connection should be brought up automatically when IPSEC starts.
NOTE: A data mismatch anywhere in this ipsec.conf configuration will cause FreeS/WAN to fail and to log various error messages.
Configure the /etc/ipsec.secrets file
The file ipsec.secrets stores the secrets used by the pluto daemon to authenticate communication between both gateways. Two different kinds of secrets can be configured in this file: preshared secrets and RSA private keys. You must check the mode and permissions of this file to be sure that the super-user root owns the file and that its permissions are set to block all access by others.
Step 1
An example secret is supplied in the ipsec.secrets file by default, and you should replace it by creating your own. With automatic keying you may have a shared secret of up to 256 bits, which is then used during the key exchanges to make sure a man-in-the-middle attack does not occur.
· To create a new shared secret, use the following commands:
[root@deep /]# ipsec ranbits 256 > temp
A new random key is created with the ranbits(8) utility and written to the file named temp. The ranbits utility may pause for a few seconds if not enough entropy is available immediately.