Comments and suggestions concerning this book should be mailed to gmourani@videotron.ca
© Copyright 1999-2000 Gerhard Mourani and Open Network Architecture ®
NOTE: Don't forget to delete the temporary file as soon as you are done with it.
Step 2
Now that our new shared secret key has been created in the temp file, we must put it in the
/etc/ipsec.secrets file. When you open the ipsec.secrets file in your text editor, you should see
something like the following. Each line holds the IP addresses of the two gateways plus the
secret:
# This file holds shared secrets which are currently the only inter-Pluto
# authentication mechanism. See ipsec_pluto(8) manpage. Each secret is
# (oversimplifying slightly) for one pair of negotiating hosts.
# The shared secrets are arbitrary character strings and should be both
# long and hard to guess.
# Note that all secrets must now be enclosed in quotes, even if they have
# no white space inside them.
10.0.0.1 11.0.0.1 "jxVS1kVUTTulkVRRTnTujSm444jRuU1mlkklku2nkW3nnVuV2WjjRRnulmlkmU1Run5VSnnRT"
Edit the ipsec.secrets file (vi /etc/ipsec.secrets) and change the default secret key:
10.0.0.1 11.0.0.1 "jxVS1kVUTTulkVRRTnTujSm444jRuU1mlkklku2nkW3nnVuV2WjjRRnulmlkmU1Run5VSnnRT"
To read:
208.164.186.1 208.164.186.2
"0x9748cc31_2e99194f_d230589b_cd846b57_dc070b01_74b66f34_19c40a1a_804906ed"
Where 208.164.186.1 and 208.164.186.2 are the IP addresses of the two gateways and
"0x9748cc31_2e99194f_d230589b_cd846b57_dc070b01_74b66f34_19c40a1a_804906ed" (note
that the quotes are required) is the shared secret we generated above in the temp file with the
command ipsec ranbits 256 > temp.
Step 3
The files ipsec.conf and ipsec.secrets must be copied to the second gateway machine so that
they are identical on both ends. The only exception is the ipsec.conf file, which must have, in the
section labeled by the line config setup, the correct interfaces setting for the second gateway if it
differs from the first gateway. The ipsec.secrets file, contrary to RSA private keys, must
absolutely hold the same shared secrets on the two gateways.
NOTE: The file /etc/ipsec.secrets should have permissions rw------- (600) and be owned by the
super-user root. The file /etc/ipsec.conf is installed with permissions rw-r--r-- (644) and must
also be owned by root.
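The three checks the steps above ask for (every secret enclosed in quotes, the same shared secrets on both gateways, and ipsec.secrets kept at mode 600 owned by root) are easy to get wrong by hand. The following Python script is an added example, not part of the book or of the FreeS/WAN distribution: it parses the preshared-secret lines in the format shown above, flags unquoted or weak secrets, compares two gateways' files, and reports a wrong mode or owner. The sample file contents are constructed from the book's example line, and the 256-bit minimum mirrors the ipsec ranbits 256 command used above.

```python
"""Sanity-check FreeS/WAN ipsec.secrets files before copying them to the peer.

Added example (not the book's own code). Parses preshared-secret lines of the form
    <ip> <ip> "<secret>"
and checks quoting, secret length, file mode/owner and agreement between gateways.
"""
import os
import re
import stat

# <host> <host> <rest-of-line>; the secret (quoted) is the third group.
_SECRET_LINE = re.compile(r'^\s*(\S+)\s+(\S+)\s+(.*)$')

# Minimum random material: 256 bits, matching `ipsec ranbits 256` (constructed threshold).
MIN_BITS = 256

# Constructed sample files: the book's example line, and two common mistakes.
SAMPLE_GOOD = '''# comment lines and blank lines are ignored
208.164.186.1 208.164.186.2 "0x9748cc31_2e99194f_d230589b_cd846b57_dc070b01_74b66f34_19c40a1a_804906ed"
'''
SAMPLE_BAD = '''208.164.186.1 208.164.186.2 0x9748cc31_2e99194f_d230589b_cd846b57_dc070b01_74b66f34_19c40a1a_804906ed
10.0.0.1 11.0.0.1 " abc "
'''


def secret_bits(secret):
    """Estimate random bits: 4 per hex digit for 0x... keys, about 6 per character otherwise."""
    if secret.startswith('0x'):
        hexdigits = secret[2:].replace('_', '')
        return 4 * len(hexdigits) if re.fullmatch(r'[0-9a-fA-F]*', hexdigits) else 0
    return 6 * len(secret)


def parse_secrets(text):
    """Return a list of (host_a, host_b, secret, problems) for every non-comment line."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = _SECRET_LINE.match(line)
        if not m:
            entries.append((None, None, None, ['line %d: unparseable' % lineno]))
            continue
        host_a, host_b, rest = m.groups()
        problems = []
        if len(rest) >= 2 and rest.startswith('"') and rest.endswith('"'):
            secret = rest[1:-1]
        else:
            secret = rest  # Pluto requires quotes around every secret
            problems.append('line %d: secret is not enclosed in quotes' % lineno)
        if secret != secret.strip():
            problems.append('line %d: whitespace inside the quotes changes the secret' % lineno)
        if secret_bits(secret) < MIN_BITS:
            problems.append('line %d: secret carries fewer than %d bits' % (lineno, MIN_BITS))
        entries.append((host_a, host_b, secret, problems))
    return entries


def same_secrets(text_a, text_b):
    """True when both gateways' files hold exactly the same (hosts, secret) entries."""
    def keyset(text):
        return sorted((a, b, s) for a, b, s, _ in parse_secrets(text) if s is not None)
    return keyset(text_a) == keyset(text_b)


def mode_problems(mode, uid):
    """Problems with a file mode (expects 0600) and owner uid (expects root, 0)."""
    problems = []
    if mode != 0o600:
        problems.append('mode is %o, expected 600' % mode)
    if uid != 0:
        problems.append('owner uid is %d, expected root (0)' % uid)
    return problems


def check_file(path):
    """Report permission and content problems for an on-disk ipsec.secrets file."""
    st = os.stat(path)
    problems = [path + ': ' + p for p in mode_problems(stat.S_IMODE(st.st_mode), st.st_uid)]
    with open(path) as fh:
        for _, _, _, line_problems in parse_secrets(fh.read()):
            problems.extend(path + ': ' + p for p in line_problems)
    return problems


if __name__ == '__main__':
    for problem in check_file('/etc/ipsec.secrets') or ['/etc/ipsec.secrets: OK']:
        print(problem)
```

Run the script on each gateway before starting IPsec, and feed both files to same_secrets (for example over scp to a temporary location, removed afterwards) to confirm that Step 3 really produced identical secrets on the two ends.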
Configure RSA private keys secrets
Recall that currently with the FreeS/WAN software there are two kinds of secrets: preshared secrets
and RSA private keys. The preshared secret is what we configured in the ipsec.conf and
ipsec.secrets file examples above. Some people may prefer to use RSA private keys for the
authentication of the other hosts by the Pluto daemon. If you are in this situation, you will have to
make some minor modifications to your ipsec.conf and ipsec.secrets files, as described in the
following steps: