
Securing-Optimizing-RH-Linux-1_2_305
Comments and suggestions concerning this book should be mailed to gmourani@videotron.ca © Copyright 1999-2000 Gerhard Mourani and Open Network Architecture ® 305

You need to create a separate RSA key for *each* gateway. Each one gets its private key in its own “ipsec.secrets” file, and the public keys go in the leftrsasigkey and rightrsasigkey parameters in the conn description of the “ipsec.conf” file, which goes to both.

Step 1
Create a separate RSA key for *each* gateway:

· On the first gateway (i.e. deep), use the following commands:

    [root@deep /]# cd /
    [root@deep /]# ipsec rsasigkey --verbose 1024 > deep-keys
    computing primes and modulus...
    getting 64 random bytes from /dev/random
    looking for a prime starting there
    found it after 30 tries
    getting 64 random bytes from /dev/random
    looking for a prime starting there
    found it after 230 tries
    swapping primes so p is the larger
    computing (p-1)*(q-1)...
    computing d...
    computing exp1, exp1, coeff...
    output...

· On the second gateway (i.e. mail), use the following commands:

    [root@mail /]# cd /
    [root@mail /]# ipsec rsasigkey --verbose 1024 > mail-keys
    computing primes and modulus...
    getting 64 random bytes from /dev/random
    looking for a prime starting there
    found it after 30 tries
    getting 64 random bytes from /dev/random
    looking for a prime starting there
    found it after 230 tries
    swapping primes so p is the larger
    computing (p-1)*(q-1)...
    computing d...
    computing exp1, exp1, coeff...
    output...

The rsasigkey utility generates a 1024-bit RSA signature key pair (public and private key) and puts it in the file deep-keys (mail-keys for the second command, on the second gateway). The private key can be inserted verbatim into the “ipsec.secrets” file, and the public key into the “ipsec.conf” file.

NOTE: The rsasigkey utility may pause for a few seconds if not enough entropy is available immediately. You may want to give it some bogus activity such as random mouse movements.

The temporary RSA “deep-keys” and “mail-keys” files should be deleted as soon as you are done with them. Don’t forget to delete the deep-keys and mail-keys RSA files.

Step 2
Modify your “/etc/ipsec.conf” files to use RSA public keys in *each* gateway:

Edit your original ipsec.conf file (vi /etc/ipsec.conf) and add the following parameters related to RSA in the conn description of your “ipsec.conf” file on both gateways:

    # sample connection
    conn deep-mail
            left=208.164.186.1
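The verbose messages printed by rsasigkey in Step 1 (prime search, swapping primes, (p-1)*(q-1), d, exp1, exp2, coeff) correspond to the standard RSA key derivation. The following is an added example written for this page, not code from the book or from FreeS/WAN; it mirrors those steps in Python and then shows why only n and e (the part that goes into ipsec.conf) are needed to verify, while d, p, q, exp1, exp2 and coeff (the part that goes into ipsec.secrets) are what signs. The public exponent e=3 and the prime search by walking upward from a random start are assumptions about rsasigkey's method, not taken from the page.

```python
import math, secrets

def is_probable_prime(n, rounds=16):
    """Miller-Rabin test; stands in for rsasigkey's own primality check."""
    if n < 2 or n % 2 == 0:
        return n == 2
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def find_prime(start):
    # "looking for a prime starting there": walk up from a random odd start
    n = start | 1
    while not is_probable_prime(n):
        n += 2
    return n

def rsasigkey(bits=1024, e=3):
    """Derive the quantities rsasigkey reports while computing (e=3 assumed)."""
    half = bits // 2
    while True:
        # "getting random bytes from /dev/random": random start, top bit forced on
        p = find_prime(secrets.randbits(half) | (1 << (half - 1)))
        q = find_prime(secrets.randbits(half) | (1 << (half - 1)))
        if q > p:                       # "swapping primes so p is the larger"
            p, q = q, p
        phi = (p - 1) * (q - 1)         # "computing (p-1)*(q-1)..."
        if p != q and math.gcd(e, phi) == 1:
            break
    d = pow(e, -1, phi)                 # "computing d..." (e^-1 mod phi)
    return {"n": p * q, "e": e, "d": d, "p": p, "q": q,
            "exp1": d % (p - 1), "exp2": d % (q - 1), "coeff": pow(q, -1, p)}

def sign(key, m):
    """Private operation using the CRT values (exp1, exp2, coeff) from the secret part."""
    s1, s2 = pow(m, key["exp1"], key["p"]), pow(m, key["exp2"], key["q"])
    return s2 + key["q"] * ((key["coeff"] * (s1 - s2)) % key["p"])

def verify(key, m, s):
    return pow(s, key["e"], key["n"]) == m % key["n"]  # needs only n and e
```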