Comments and suggestions concerning this book should be mailed to gmourani@videotron.ca © Copyright 1999-2000 Gerhard Mourani and Open Network Architecture ® 309

The “ipsec.secrets” file for gateway mail:

[root@mail /]# vi /etc/ipsec.secrets

208.164.186.1 208.164.186.2: RSA {
        Modulus: 0x95daee1be05f3038ae529ef2668afd79f5ff1b16203c9ceaef801cea9cb74bcfb51a6ecc08890d3eb4b5470c0fc35465c8ba2ce9d1145ff07b5427e04cf4a38ef98a7f29edcb4d7689f2da7a69199e4318b4c8d0ea25d33e4f084186a2a54f4b4cec12cca1a5deac3b19d561c16a76bab772888f1fd71aa08f08502a141b611f
        PublicExponent: 0x03
        # everything after this point is secret
        PrivateExponent: 0x63e74967eaea2025c98c69f6ef0753a6a3ff6764157dbdf1f50013471324dd352366f48805b0b37f232384b2b52ce2ee85d173468b62eaa052381a9588a317b3a1324d01a531a41fa7add6c5efbdd88f4718feed2bc0246be924e81bb90f03e49ceedf7af0dd48f06f265b519600bd082c6e6bd27eaa71cc0288df1ecc3b062b
        Prime1: 0xc5b471a88b025dd09d4bd7b61840f20d182d9b75bb7c11eb4bd78312209e3aee7ebfe632304db6df5e211d21af7fee79c5d45546bea3ccc7b744254f6f0b847f
        Prime2: 0xc20a99feeafe79767122409b693be75f15e1aef76d098ab12579624aec708e85e2c5dd62080c3a64363f2f45b0e96cb4aef8918ca333a326d3f6dc2c72b75361
        Exponent1: 0x83cda11b0756e935be328fcebad5f6b36573bcf927a80bf2328facb6c0697c9eff2a9976cade79ea3ec0be1674fff4512e8d8e2f29c2888524d818df9f5d02ff
        Exponent2: 0x815c66a9f1fefba44b6c2b124627ef94b9411f4f9e065c7618fb96dc9da05f03ec83e8ec055d7c42ced4ca2e75f0f3231f5061086ccd176f37f9e81da1cf8ceb
        Coefficient: 0x10d954c9e2b8d11f4db1b233ef37ff0a3cecfffad89ba5d515449b007803f577e3bd7f0183ceddfd805466d62f767f3f5a5731a73875d30186520f1753a7e325
}

Authentication by RSA Signatures requires that each host have its own private key. The key part of an entry may start with a token indicating the kind of key: “RSA” signifies an RSA private key and “PSK” (the default) signifies a Pre-Shared Key.
Since “PSK” is the default, we must specify “RSA” to be able to use an RSA private key in this file (ipsec.secrets). The super-user “root” should own the file “ipsec.secrets”, and its permissions should be set to block all access by others.

Requiring network setup for IPSec

There are some considerations you must ensure are correct before running the FreeS/WAN software. These considerations are important if you don’t want to receive error messages during start up of your VPN. The following are the steps you must take:

Step 1
You will need to enable TCP/IP forwarding on both gateway servers. In Red Hat Linux this is accomplished by changing the line in the “/etc/sysconfig/network” file from:

FORWARD_IPV4="false"

To read:

FORWARD_IPV4="yes"

Step 2
Recall that automatically keyed connections use keys automatically generated by the Pluto key negotiation daemon. The Pluto daemon will start up, try to connect to the Pluto daemon at the other end of the tunnel, and establish a connection. For this reason, an IPSEC gateway should have packet filter rules (in the firewall script file) permitting the following protocols to traverse the gateway when talking to another IPSEC gateway:
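As an added example that is not part of the book, the following POSIX shell script checks the two things the preceding text requires before FreeS/WAN is started: that the “ipsec.secrets” entry carries the RSA token and that the file is owner-only (mode 600, the usual way to block all access by others), and that FORWARD_IPV4 in “/etc/sysconfig/network” reads "yes" (Step 1). It works on constructed copies of both files under a temporary directory so it runs without touching the real /etc; the ROOT variable, the placeholder key values and the GNU stat/sed options are assumptions of the example.

```shell
#!/bin/sh
# Added example, not from the book: verify/fix the ipsec.secrets permission
# requirement and the FORWARD_IPV4 setting of Step 1.  Constructed copies of
# the files live under a temporary directory; set ROOT=/ (as root) to act on
# the real files.  Assumes GNU coreutils (stat -c, sed -i).

ROOT="${ROOT:-$(mktemp -d)}"
NETFILE="$ROOT/etc/sysconfig/network"
SECRETS="$ROOT/etc/ipsec.secrets"

if [ "$ROOT" != "/" ]; then
    # Constructed sample files in the "before" state the page describes.
    mkdir -p "$ROOT/etc/sysconfig"
    printf 'NETWORKING=yes\nFORWARD_IPV4="false"\n' > "$NETFILE"
    cat > "$SECRETS" <<'EOF'
208.164.186.1 208.164.186.2: RSA {
        Modulus: 0xPLACEHOLDER_MODULUS
        PublicExponent: 0x03
        # everything after this point is secret
        PrivateExponent: 0xPLACEHOLDER_PRIVATE_EXPONENT
}
EOF
    chmod 644 "$SECRETS"   # deliberately world-readable, as a misconfigured host would be
fi

# Step 1: rewrite the FORWARD_IPV4 line so it reads "yes".
enable_forwarding() {
    sed -i 's/^FORWARD_IPV4=.*/FORWARD_IPV4="yes"/' "$NETFILE"
}
forwarding_enabled() {
    grep -q '^FORWARD_IPV4="yes"$' "$NETFILE"
}

# ipsec.secrets: owner read/write only, so group and others get no access.
secrets_mode() {
    stat -c '%a' "${1:-$SECRETS}"
}
secrets_mode_ok() {
    [ "$(secrets_mode "${1:-$SECRETS}")" = "600" ]
}
lock_down_secrets() {
    chmod 600 "${1:-$SECRETS}"
}
secrets_owner() {
    stat -c '%U' "${1:-$SECRETS}"   # expected to be "root" on the gateway
}

# The entry must carry the RSA token; without it FreeS/WAN reads the key as a PSK.
secrets_use_rsa() {
    grep -Eq '^[0-9.]+ [0-9.]+: RSA \{' "${1:-$SECRETS}"
}

# Apply the fixes where needed and print a short report.
forwarding_enabled || enable_forwarding
secrets_mode_ok || lock_down_secrets
printf 'forwarding enabled: %s\n' "$(forwarding_enabled && echo yes || echo no)"
printf 'ipsec.secrets owner=%s mode=%s rsa-token=%s\n' \
    "$(secrets_owner)" "$(secrets_mode)" "$(secrets_use_rsa && echo yes || echo no)"
```

On a real gateway the owner line should print root; the script only reports ownership rather than changing it, since chown on /etc belongs to the administrator's own procedure.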