
VPNセキュリティゲートウェイを追加する場合の/etc/ipsec.secretsの書き方は?

Yuka
会議室デビュー日: 2003/12/06
投稿数: 9
投稿日時: 2004-04-01 14:51
全てRedHat9で(ipsec)VPNを構築しています。

jitaku.dyndns.com
|
WAN─daigaku.dyndns.net
|
shokuba.dyndns.co.jp

という構成になっていまして今現在は

[root@jitaku.dyndns.com]# rpm -qa |grep freeswan
freeswan-userland-2.01_2.4.20_8-0
freeswan-module-2.01_2.4.20_8-0

[root@jitaku.dyndns.com]# cat /etc/ipsec.conf | grep -v ^# | grep -v ^$
version 2.0 # conforms to second version of ipsec.conf specification
# jitaku.dyndns.com: the original, working configuration with one tunnel (to shokuba).
config setup
# KLIPS virtual interface bound to the PPP uplink.
interfaces="ipsec0=ppp0"
klipsdebug=none
plutodebug=none
# Settings inherited by every conn below.
conn %default
type=tunnel
keyingtries=10
# RSA-signature authentication using the *rsasigkey= values; the ": PSK" line
# in ipsec.secrets is therefore not what authenticates this peer.
authby=rsasig
keylife=1h
pfs=yes
# Tunnel jitaku (left) <-> shokuba (right). shokuba carries the same conn with
# left/right swapped; ids, subnets and keys are mirrored there.
conn jitaku-to-shokuba
left=jjj.jjj.jjj.jjj
leftsubnet=192.168.0.0/24
leftid=@jitaku.dyndns.com
leftrsasigkey=0sAQPUbp…9VU9
leftnexthop=JJJ.JJJ.JJJ.JJJ
right=sss.sss.sss.sss
rightsubnet=192.168.2.0/24
rightid=@shokuba.dyndns.co.jp
# Pinned copy of shokuba's public key (the #pubkey= line of its ipsec.secrets).
rightrsasigkey=0sAQN7m…S6IXIn
rightnexthop=SSS.SSS.SSS.SSS
# Loaded at startup; the tunnel is then raised by hand with
# "ipsec auto --up jitaku-to-shokuba" (see the commands further down).
auto=add
# Stock conns present identically on all three hosts, all disabled here.
conn block
auto=ignore
conn private
auto=ignore
conn private-or-clear
auto=ignore
conn clear-or-private
auto=ignore
conn clear
auto=ignore
conn packetdefault
auto=ignore

[root@jitaku.dyndns.com]# cat /etc/ipsec.secrets | grep -v ^# | grep -v ^$
# NOTE(review): PSK entry for the shokuba peer. ipsec.conf uses authby=rsasig,
# so this line plays no part in that conn; the follow-up post removes it.
jjj.jjj.jjj.jjj sss.sss.sss.sss : PSK "xxxxxxxx"
# Host RSA key with an empty selector (nothing before the colon): the single
# private key this host signs with; its public half is leftrsasigkey= in ipsec.conf.
: RSA {
# RSA 2192 bits jitaku.dyndns.com Mon Sep 8 16:30:37 2003
# for signatures only, UNSAFE FOR ENCRYPTION
#pubkey=0sAQPUbp…pA9VU9
Modulus: 0xd46e…0f5553d
# e=3: the generator's own header above limits this key to signing, which is
# all authby=rsasig requires.
PublicExponent: 0x03
# everything after this point is secret
# NOTE(review): the fields below fully determine the private key. They are
# truncated ("…") in this post and must never be published in full.
PrivateExponent: 0x2367c…a52775
Prime1: 0xeb9059…f6ec48d3
Prime2: 0xe6dc806…3c22a1faf
Exponent1: 0x9d0ae6…f9f2db37
Exponent2: 0x99e85…2c1c151f
Coefficient: 0xbda1bd9…8ffef5d6b
}

[root@shokuba.dyndns.co.jp]# rpm -qa |grep freeswan
freeswan-userland-2.01_2.4.20_8-0
freeswan-module-2.01_2.4.20_8-0

[root@shokuba.dyndns.co.jp]# cat /etc/ipsec.conf | grep -v ^# | grep -v ^$
version 2.0 # conforms to second version of ipsec.conf specification
# shokuba.dyndns.co.jp: mirror image of jitaku's jitaku-to-shokuba conn.
config setup
interfaces="ipsec0=ppp0"
klipsdebug=none
plutodebug=none
conn %default
type=tunnel
# NOTE(review): 0 here versus 10 on jitaku and daigaku. FreeS/WAN documents
# 0 as "retry indefinitely"; presumably intentional for the always-on side — confirm.
keyingtries=0
authby=rsasig
keylife=1h
pfs=yes
# Same conn name as on jitaku, with left/right swapped so "left" is this host.
conn jitaku-to-shokuba
left=sss.sss.sss.sss
leftsubnet=192.168.2.0/24
leftid=@shokuba.dyndns.co.jp
# This host's own public key (the #pubkey= line of its ipsec.secrets).
leftrsasigkey=0sAQN7m1v82…plU5S6IXIn
leftnexthop=SSS.SSS.SSS.SSS
right=jjj.jjj.jjj.jjj
# Matches jitaku's leftsubnet=192.168.0.0/24.
rightsubnet=192.168.0.0/24
rightid=@jitaku.dyndns.com
rightrsasigkey=0sAQPUbp…pA9VU9
rightnexthop=JJJ.JJJ.JJJ.JJJ
auto=add
# Stock conns present identically on all three hosts, all disabled here.
conn block
auto=ignore
conn private
auto=ignore
conn private-or-clear
auto=ignore
conn clear-or-private
auto=ignore
conn clear
auto=ignore
conn packetdefault
auto=ignore

[root@shokuba.dyndns.co.jp]# cat /etc/ipsec.secrets | grep -v ^# | grep -v ^$
# NOTE(review): PSK entry for the jitaku peer; unused under authby=rsasig and
# removed in the follow-up post.
sss.sss.sss.sss jjj.jjj.jjj.jjj : PSK "xxxxxxxx"
# Host RSA key with an empty selector: the single private key this host signs with.
: RSA {
# RSA 2192 bits shokuba.dyndns.co.jp Thu Sep 4 21:06:29 2003
# for signatures only, UNSAFE FOR ENCRYPTION
#pubkey=0sAQN7m1…lU5S6IXIn
Modulus: 0x7b9b5bf…4ba217227
PublicExponent: 0x03
# everything after this point is secret
# NOTE(review): private-key material, truncated ("…") in this post; never publish in full.
PrivateExponent: 0x1499e4aa…a942fe407
Prime1: 0xd49903…905e9559b
Prime2: 0x94d76bb…3b18c465
Exponent1: 0x8dbb57ab…0ae9b8e67
Exponent2: 0x633a47c…2765d843
Coefficient: 0x245402…d45dc3fd3
# NOTE(review): the closing "}" of the RSA block is missing from this paste
# (compare the jitaku and daigaku listings); the file on disk must end the block with "}".

と設定してから

[root@jitaku.dyndns.com]# service ipsec start
[root@shokuba.dyndns.co.jp]# service ipsec start
[root@jitaku.dyndns.com]# ipsec auto --up jitaku-to-shokuba

としてjitaku.dyndns.com⇔shokuba.dyndns.co.jp
にVPNが構築出来ました。この状況下で
次に新たにdaigaku.dyndns.netを追加して

      jitaku.dyndns.com
        /   \
shokuba.dyndns.co.jp─daigaku.dyndns.net

のVPNも追加構築したいのです。その為に先ず

jitaku.dyndns.com⇔daigaku.dyndns.net
を構築しようとjitaku.dyndns.comの/etc/ipsec.confにて「conn jitaku-to-daigaku」セクションを加筆して

[root@jitaku.dyndns.com]# cat /etc/ipsec.conf | grep -v ^# | grep -v ^$
version 2.0 # conforms to second version of ipsec.conf specification
# jitaku.dyndns.com after adding the second tunnel (jitaku-to-daigaku).
config setup
interfaces="ipsec0=ppp0"
klipsdebug=none
plutodebug=none
conn %default
type=tunnel
keyingtries=10
# Both conns authenticate with RSA signatures; no PSK is involved.
authby=rsasig
keylife=1h
pfs=yes
# Existing tunnel, unchanged from the working configuration.
conn jitaku-to-shokuba
left=jjj.jjj.jjj.jjj
leftsubnet=192.168.0.0/24
leftid=@jitaku.dyndns.com
leftrsasigkey=0sAQPUbp…9VU9
leftnexthop=JJJ.JJJ.JJJ.JJJ
right=sss.sss.sss.sss
rightsubnet=192.168.2.0/24
rightid=@shokuba.dyndns.co.jp
rightrsasigkey=0sAQN7m…S6IXIn
rightnexthop=SSS.SSS.SSS.SSS
auto=add
# New tunnel to daigaku. The left* values are repeated verbatim from the conn
# above (they could live in %default, but are left as-is here).
conn jitaku-to-daigaku
left=jjj.jjj.jjj.jjj
# NOTE(review): daigaku's copy of this conn says rightsubnet=192.168.1.0/24 for
# this side, which does not match 192.168.0.0/24; the two ends presumably will
# not agree during negotiation — confirm which subnet is correct.
leftsubnet=192.168.0.0/24
leftid=@jitaku.dyndns.com
leftrsasigkey=0sAQPUbp…A9VU9
leftnexthop=JJJ.JJJ.JJJ.JJJ
right=ddd.ddd.ddd.ddd
rightsubnet=192.168.3.0/24
rightid=@daigaku.dyndns.net
# Pinned copy of daigaku's public key (the #pubkey= line of its ipsec.secrets).
rightrsasigkey=0sAQOa…UjSRYiap
rightnexthop=DDD.DDD.DDD.DDD
# NOTE(review): a new conn can normally be loaded into the running daemon with
# "ipsec auto --add jitaku-to-daigaku" followed by "ipsec auto --up", instead of
# re-running "service ipsec start" (which restarts everything) — verify against
# the installed FreeS/WAN documentation.
auto=add
conn block
auto=ignore
conn private
auto=ignore
conn private-or-clear
auto=ignore
conn clear-or-private
auto=ignore
conn clear
auto=ignore
conn packetdefault
auto=ignore

[root@daigaku.dyndns.net]# rpm -qa | grep freeswan
freeswan-module-2.05_2.4.20_8-0
freeswan-userland-2.05_2.4.20_8-0

[root@daigaku.dyndns.net]# cat /etc/ipsec.conf | grep -v ^# | grep -v ^$
version 2.0 # conforms to second version of ipsec.conf specification
# daigaku.dyndns.net: mirror image of jitaku's jitaku-to-daigaku conn.
# NOTE(review): this host runs freeswan 2.05 while the other two run 2.01 (see rpm output).
config setup
interfaces="ipsec0=ppp0"
klipsdebug=none
plutodebug=none
conn %default
type=tunnel
keyingtries=10
authby=rsasig
keylife=1h
pfs=yes
conn jitaku-to-daigaku
left=ddd.ddd.ddd.ddd
leftsubnet=192.168.3.0/24
leftid=@daigaku.dyndns.net
# This host's own public key (the #pubkey= line of its ipsec.secrets).
leftrsasigkey=0sAQOa+…jSRYiap
leftnexthop=DDD.DDD.DDD.DDD
right=jjj.jjj.jjj.jjj
# NOTE(review): jitaku declares leftsubnet=192.168.0.0/24 for itself (and shokuba's
# conn also uses 192.168.0.0/24 for jitaku); 192.168.1.0/24 here does not match
# and presumably prevents the tunnel from negotiating — confirm which is right.
rightsubnet=192.168.1.0/24
rightid=@jitaku.dyndns.com
rightrsasigkey=0sAQPUbp…pd0UpA9VU9
rightnexthop=JJJ.JJJ.JJJ.JJJ
auto=add
# Stock conns present identically on all three hosts, all disabled here.
conn block
auto=ignore
conn private
auto=ignore
conn private-or-clear
auto=ignore
conn clear-or-private
auto=ignore
conn clear
auto=ignore
conn packetdefault
auto=ignore

[root@daigaku.dyndns.net]# cat /etc/ipsec.secrets | grep -v ^# | grep -v ^$
# NOTE(review): PSK entry for the jitaku peer; unused under authby=rsasig and
# removed in the follow-up post.
ddd.ddd.ddd.ddd jjj.jjj.jjj.jjj : PSK "xxxxxxxx"
# Host RSA key with an empty selector: the single private key this host signs with.
: RSA {
# RSA 2048 bits daigaku.dyndns.net Wed Mar 31 23:43:59 2004
# for signatures only, UNSAFE FOR ENCRYPTION
#pubkey=0sAQOa+…jSRYiap
Modulus: 0x9afb716…226a9
PublicExponent: 0x03
# everything after this point is secret
# NOTE(review): private-key material, truncated ("…") in this post; never publish in full.
PrivateExponent: 0x19d492…a17bf6e3
Prime1: 0xdf26012…0570545
Prime2: 0xb1cc65…8235815
Exponent1: 0x94c400…03a0383
Exponent2: 0x768843…56ce563
Coefficient: 0x75af19…5897052
}

までは記述できたのですが、jitaku.dyndns.comの/etc/ipsec.secretsを

# Proposed rewrite: the only difference from the working file is that the
# shokuba PSK line has been replaced by a daigaku one.
# NOTE(review): with authby=rsasig in ipsec.conf no PSK line is consulted at all,
# so neither version of this line is needed; the follow-up post confirms that
# simply removing it resolved the problem.
jjj.jjj.jjj.jjj ddd.ddd.ddd.ddd : PSK "xxxxxxxx"
# Host RSA key, unchanged from the working file; with an empty selector it
# serves every conn on this host, so nothing needs to be added per peer.
: RSA {
# RSA 2192 bits jitaku.dyndns.com Mon Sep 8 16:30:37 2003
# for signatures only, UNSAFE FOR ENCRYPTION
#pubkey=0sAQPUbp…pA9VU9
Modulus: 0xd46e…0f5553d
PublicExponent: 0x03
# everything after this point is secret
# NOTE(review): private-key material, truncated ("…") in this post; never publish in full.
PrivateExponent: 0x2367c…a52775
Prime1: 0xeb9059…f6ec48d3
Prime2: 0xe6dc806…3c22a1faf
Exponent1: 0x9d0ae6…f9f2db37
Exponent2: 0x99e85…2c1c151f
Coefficient: 0xbda1bd9…8ffef5d6b
}

と書き直して

[root@jitaku.dyndns.com]# service ipsec start
[root@daigaku.dyndns.net]# service ipsec start
[root@jitaku.dyndns.com]# ipsec auto --up jitaku-to-daigaku

とすると
jitaku.dyndns.com⇔daigaku.dyndns.net
のVPNが構築できるかもしれませんが折角接続出来てた
jitaku.dyndns.com⇔shokuba.dyndns.co.jp
が切断されてしまいますよね。

どう記述すればいいのでしょうか?

Yuka
会議室デビュー日: 2003/12/06
投稿数: 9
投稿日時: 2004-04-25 16:36
解決できました。

各/etc/ipsec.secretsの1行目
ddd.ddd.ddd.ddd jjj.jjj.jjj.jjj : PSK "xxxxxxxx"
（各ホストで相手IPだけが異なるPSK行）を取っ払って
上手くいきました。
（補足：各ipsec.confはauthby=rsasigなのでPSK行はそもそも参照されておらず、ipsec.secretsの「: RSA { … }」ブロックは索引（コロンの前）が空なのでそのホストの全connに使われます。そのため接続先を増やしてもipsec.secrets側に相手ごとの追記は不要でした。）
どうもお騒がせ致しました。
