Comments and suggestions concerning this book should be mailed to gmourani@videotron.ca © Copyright 1999-2000 Gerhard Mourani and Open Network Architecture ®

NOTE: Don’t forget to delete the temporary file as soon as you are done with it.

Step 2
Now that our new shared secret key has been created in the “temp” file, we must put it in the “/etc/ipsec.secrets” file. When editing the “ipsec.secrets” file, you should see something like the following in your text editor. Each line has the IP addresses of the two gateways plus the secret. It should look something like this:

    # This file holds shared secrets which are currently the only inter-Pluto
    # authentication mechanism.  See ipsec_pluto(8) manpage.  Each secret is
    # (oversimplifying slightly) for one pair of negotiating hosts.
    # The shared secrets are arbitrary character strings and should be both
    # long and hard to guess.
    # Note that all secrets must now be enclosed in quotes, even if they have
    # no white space inside them.
    10.0.0.1 11.0.0.1         "jxVS1kVUTTulkVRRTnTujSm444jRuU1mlkklku2nkW3nnVu V2WjjRRnulmlkmU1Run5VSnnRT"

Edit the ipsec.secrets file (vi /etc/ipsec.secrets) and change the default secret key:

    10.0.0.1 11.0.0.1  " jxVS1kVUTTulkVRRTnTujSm444jRuU1mlkklku2nkW3nnVu V2WjjRRnulmlkmU1Run5VSnnRT "

To read:

    208.164.186.1 208.164.186.2 "0x9748cc31_2e99194f_d230589b_cd846b57_dc070b01_74b66f34_19c40a1a_804906ed"

Where 208.164.186.1 and 208.164.186.2 are the IP addresses of the two gateways, and "0x9748cc31_2e99194f_d230589b_cd846b57_dc070b01_74b66f34_19c40a1a_804906ed" (note that the quotes are required) is the shared secret we generated above into the “temp” file with the command “ipsec ranbits 256 > temp”.

Step 3
The files “ipsec.conf” and “ipsec.secrets” must be copied to the second gateway machine so that they are identical on both ends. The only exception is the “ipsec.conf” file, whose section labeled by the line “config setup” must contain the correct interfaces setting for the second gateway if it differs from the first gateway. The “ipsec.secrets” file, unlike RSA private keys, must absolutely hold the same shared secret on both gateways.

NOTE: The file “/etc/ipsec.secrets” should have permissions rw------- (600) and be owned by the super-user “root”. The file “/etc/ipsec.conf” is installed with permissions rw-r--r-- (644) and must also be owned by “root”.

Configure RSA private keys secrets
Recall that currently with FreeSWAN software there are two kinds of secrets: preshared secrets and RSA private keys. Preshared secrets are what we configured in our “ipsec.conf” and “ipsec.secrets” file examples above. Some people may prefer to use RSA private keys for authentication of the other hosts by the Pluto daemon. If you are in this situation, you will have to make some minor modifications to your “ipsec.conf” and “ipsec.secrets” files, as described in the following steps:
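Before moving on to RSA keys, here is an added audit script (example code, not from the book) that checks an ipsec.secrets file for what Step 2, Step 3 and the NOTE above require: every secret line has the form gateway-IP gateway-IP "secret" with the quotes present, and the file is mode 600. The 32-character floor on secret length is an assumption of this example, and ownership by root is not checked here.

```shell
#!/bin/sh
# Added example, not from the book: audit an ipsec.secrets file. Every
# non-comment line must read  <ip> <ip> "<secret>"  with the secret in double
# quotes (tokens separated by spaces), and the file itself must be mode 600.
# Ownership by root is not checked here (use ls -l for that).

MIN_SECRET_LEN=32   # assumed floor; a 256-bit "ipsec ranbits" secret is 73 chars

# Validate one secrets line: two gateway addresses, then a quoted secret.
check_secret_line() {
    line=$1
    case $line in
        *\ *\ \"*\") ;;                        # ip ip "secret"
        *) echo "malformed line (want: ip ip \"secret\"): $line" >&2
           return 1 ;;
    esac
    secret=${line#*\"}                         # strip up to the opening quote
    secret=${secret%\"*}                       # strip the closing quote
    if [ "${#secret}" -lt "$MIN_SECRET_LEN" ]; then
        echo "secret shorter than $MIN_SECRET_LEN characters: $line" >&2
        return 1
    fi
    return 0
}

# Check mode 600 and every non-blank, non-comment line of the given file.
# Returns 0 when all checks pass, 1 otherwise; findings go to stderr.
check_ipsec_secrets() {
    f=$1
    rc=0
    # -perm 600 without a leading - or / means "exactly these bits"
    if [ -z "$(find "$f" -prune -perm 600 2>/dev/null)" ]; then
        echo "$f must have permissions rw------- (600)" >&2
        rc=1
    fi
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            ''|\#*) continue ;;                # skip blanks and comments
        esac
        check_secret_line "$line" || rc=1
    done < "$f"
    return $rc
}
```

Run it on both gateways after copying the file, since the point of Step 3 is that the two copies must be identical.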