Comments and suggestions concerning this book should be mailed to gmourani@videotron.ca
© Copyright 1999-2000 Gerhard Mourani and Open Network Architecture ®
The ipsec.secrets file for gateway mail:
[root@mail /]# vi /etc/ipsec.secrets
208.164.186.1 208.164.186.2: RSA {
    Modulus: 0x95daee1be05f3038ae529ef2668afd79f5ff1b16203c9ceaef801cea9cb74bcfb51a6ecc08890d3eb4b5470c0fc35465c8ba2ce9d1145ff07b5427e04cf4a38ef98a7f29edcb4d7689f2da7a69199e4318b4c8d0ea25d33e4f084186a2a54f4b4cec12cca1a5deac3b19d561c16a76bab772888f1fd71aa08f08502a141b611f
    PublicExponent: 0x03
    # everything after this point is secret
    PrivateExponent: 0x63e74967eaea2025c98c69f6ef0753a6a3ff6764157dbdf1f50013471324dd352366f48805b0b37f232384b2b52ce2ee85d173468b62eaa052381a9588a317b3a1324d01a531a41fa7add6c5efbdd88f4718feed2bc0246be924e81bb90f03e49ceedf7af0dd48f06f265b519600bd082c6e6bd27eaa71cc0288df1ecc3b062b
    Prime1: 0xc5b471a88b025dd09d4bd7b61840f20d182d9b75bb7c11eb4bd78312209e3aee7ebfe632304db6df5e211d21af7fee79c5d45546bea3ccc7b744254f6f0b847f
    Prime2: 0xc20a99feeafe79767122409b693be75f15e1aef76d098ab12579624aec708e85e2c5dd62080c3a64363f2f45b0e96cb4aef8918ca333a326d3f6dc2c72b75361
    Exponent1: 0x83cda11b0756e935be328fcebad5f6b36573bcf927a80bf2328facb6c0697c9eff2a9976cade79ea3ec0be1674fff4512e8d8e2f29c2888524d818df9f5d02ff
    Exponent2: 0x815c66a9f1fefba44b6c2b124627ef94b9411f4f9e065c7618fb96dc9da05f03ec83e8ec055d7c42ced4ca2e75f0f3231f5061086ccd176f37f9e81da1cf8ceb
    Coefficient: 0x10d954c9e2b8d11f4db1b233ef37ff0a3cecfffad89ba5d515449b007803f577e3bd7f0183ceddfd805466d62f767f3f5a5731a73875d30186520f1753a7e325
    }
Authentication by RSA signatures requires that each host have its own private key. The key part of an entry may start with a token indicating the kind of key: RSA signifies an RSA private key and PSK (the default) signifies a preshared key. Since PSK is the default, we must write RSA explicitly to use an RSA private key in ipsec.secrets. Only the Modulus and PublicExponent are public and need to be given to the other gateway; everything after the "# everything after this point is secret" comment (PrivateExponent, Prime1, Prime2, Exponent1, Exponent2, Coefficient) is the private half of the key, and anyone who can read it can impersonate this gateway. The file ipsec.secrets must therefore be owned by the super-user root, and its permissions must block all access by group and others (mode 600, readable and writable by root only).
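The eight fields of the entry above are the standard RSA private-key components (modulus, public exponent, private exponent, the two primes, the two CRT exponents and the CRT coefficient), and they have to agree with one another or Pluto will not be able to sign. The script below is an added example, not code from the book or from FreeS/WAN: it parses an entry written in the same notation as the file above, checks that the components are arithmetically consistent, does a raw sign/verify round trip with them, and checks the ownership and mode the text calls for. The entry it parses is a constructed toy key (p = 11, q = 17, e = 3, matching the PublicExponent shown above) so the arithmetic can be followed by hand; a real 1024-bit entry is checked the same way. Joining hex values that were wrapped over several lines is this checker's own convenience for keys copied from a printed page, not a feature of FreeS/WAN's parser.

```python
# Added example (not from the book or FreeS/WAN): parse and sanity-check an
# RSA entry written in ipsec.secrets notation. SAMPLE_ENTRY is a constructed
# toy key; the checks are identical for a real 1024-bit entry.
import os
import re
import stat
from math import gcd

FIELDS = ("Modulus", "PublicExponent", "PrivateExponent", "Prime1", "Prime2",
          "Exponent1", "Exponent2", "Coefficient")

# Constructed sample: n = 11 * 17 = 187 = 0xbb, e = 3,
# d = 3^-1 mod lcm(10, 16) = 107 = 0x6b, Exponent1 = d mod 10 = 7,
# Exponent2 = d mod 16 = 11 = 0x0b, Coefficient = 17^-1 mod 11 = 2.
SAMPLE_ENTRY = """\
208.164.186.1 208.164.186.2: RSA {
    Modulus: 0xbb
    PublicExponent: 0x03
    # everything after this point is secret
    PrivateExponent: 0x6b
    Prime1: 0x0b
    Prime2: 0x11
    Exponent1: 0x07
    Exponent2: 0x0b
    Coefficient: 0x02
    }
"""

ENTRY_RE = re.compile(r"^(?P<idx>[^#\n]*?):\s*RSA\s*\{(?P<body>.*?)\}", re.S | re.M)


def parse_rsa_entry(text):
    """Return (indices, {field: int}) for the first 'indices: RSA { ... }' entry."""
    m = ENTRY_RE.search(text)
    if not m:
        raise ValueError("no RSA entry found")
    raw, current = {}, None
    for line in m.group("body").splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        if ":" in line:
            name, _, value = line.partition(":")
            current = name.strip()
            if current not in FIELDS:
                raise ValueError("unexpected field %r" % current)
            raw[current] = value.strip()
        elif current is not None:
            raw[current] += line                   # hex value wrapped onto a new line
        else:
            raise ValueError("stray text before first field: %r" % line)
    missing = [f for f in FIELDS if f not in raw]
    if missing:
        raise ValueError("missing fields: " + ", ".join(missing))
    return m.group("idx").split(), {name: int(v, 16) for name, v in raw.items()}


def check_rsa_key(key):
    """Return the inconsistencies between the eight components (empty list = consistent)."""
    n, e, d = key["Modulus"], key["PublicExponent"], key["PrivateExponent"]
    p, q = key["Prime1"], key["Prime2"]
    problems = []
    if p * q != n:
        problems.append("Prime1 * Prime2 != Modulus")
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)   # lcm(p-1, q-1)
    if (e * d) % lam != 1:
        problems.append("PublicExponent * PrivateExponent != 1 mod lcm(p-1, q-1)")
    if key["Exponent1"] != d % (p - 1):
        problems.append("Exponent1 != PrivateExponent mod (Prime1 - 1)")
    if key["Exponent2"] != d % (q - 1):
        problems.append("Exponent2 != PrivateExponent mod (Prime2 - 1)")
    if (key["Coefficient"] * q) % p != 1:
        problems.append("Coefficient is not the inverse of Prime2 mod Prime1")
    return problems


def signature_roundtrip(key, message):
    """Raw RSA: sign an integer with d, verify with e. IKE pads before signing;
    this only shows that the private and public halves belong together."""
    n, e, d = key["Modulus"], key["PublicExponent"], key["PrivateExponent"]
    return pow(pow(message, d, n), e, n) == message % n


def check_secrets_mode(st_uid, st_mode):
    """Ownership/mode problems for ipsec.secrets: root-owned, no group/other bits."""
    problems = []
    if st_uid != 0:
        problems.append("not owned by root (uid %d)" % st_uid)
    if st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("mode %o grants access to group/other; use chmod 600"
                        % stat.S_IMODE(st_mode))
    return problems


def check_secrets_file(path="/etc/ipsec.secrets"):
    st = os.stat(path)
    return check_secrets_mode(st.st_uid, st.st_mode)


if __name__ == "__main__":
    indices, key = parse_rsa_entry(SAMPLE_ENTRY)
    print("indices:", indices, "key problems:", check_rsa_key(key) or "none")
    print("sign/verify round trip:", signature_roundtrip(key, 42))
    if os.path.exists("/etc/ipsec.secrets"):
        print("file problems:", check_secrets_file() or "none")
```

To check a real gateway, read /etc/ipsec.secrets into a string and pass it to parse_rsa_entry; check_rsa_key on a 1024-bit key costs only a few big-integer multiplications, and check_secrets_file reports the mode 600 / root ownership requirement from the text.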
Required network setup for IPSec
A few things must be in place before the FreeS/WAN software is started; if they are not, you will get error messages when your VPN comes up. The following steps cover them:
Step 1
You will need to enable IP forwarding on both gateway servers; without it a gateway cannot pass packets between its local network and the tunnel. In Red Hat Linux this is done by changing the line in the /etc/sysconfig/network file from:
FORWARD_IPV4="false"
To read:
FORWARD_IPV4="yes"
The network initialization script writes this setting to /proc/sys/net/ipv4/ip_forward at boot, so the change takes effect the next time networking is restarted.
Step 2
Recall that automatically keyed connections use keys negotiated by the Pluto key-negotiation (IKE) daemon. Pluto starts up, contacts the Pluto daemon at the other end of the tunnel and establishes the connection. For this reason an IPSec gateway must have packet-filter rules (in the firewall script file) permitting the following protocols to traverse the gateway when talking to the other IPSec gateway: