How should /etc/ipsec.secrets be written when adding another VPN security gateway?
Posted: 2004-04-01 14:51

I am building an (ipsec) VPN entirely on RedHat 9.

The layout is

```
jitaku.dyndns.com
|
WAN─daigaku.dyndns.net
|
shokuba.dyndns.co.jp
```

and at the moment the configuration is as follows:

```
[root@jitaku.dyndns.com]# rpm -qa |grep freeswan
freeswan-userland-2.01_2.4.20_8-0
freeswan-module-2.01_2.4.20_8-0
[root@jitaku.dyndns.com]# cat /etc/ipsec.conf | grep -v ^# | grep -v ^$
version 2.0 # conforms to second version of ipsec.conf specification
config setup
    interfaces="ipsec0=ppp0"
    klipsdebug=none
    plutodebug=none
conn %default
    type=tunnel
    keyingtries=10
    authby=rsasig
    keylife=1h
    pfs=yes
conn jitaku-to-shokuba
    left=jjj.jjj.jjj.jjj
    leftsubnet=192.168.0.0/24
    leftid=@jitaku.dyndns.com
    leftrsasigkey=0sAQPUbp…9VU9
    leftnexthop=JJJ.JJJ.JJJ.JJJ
    right=sss.sss.sss.sss
    rightsubnet=192.168.2.0/24
    rightid=@shokuba.dyndns.co.jp
    rightrsasigkey=0sAQN7m…S6IXIn
    rightnexthop=SSS.SSS.SSS.SSS
    auto=add
conn block
    auto=ignore
conn private
    auto=ignore
conn private-or-clear
    auto=ignore
conn clear-or-private
    auto=ignore
conn clear
    auto=ignore
conn packetdefault
    auto=ignore
[root@jitaku.dyndns.com]# cat /etc/ipsec.secrets | grep -v ^# | grep -v ^$
jjj.jjj.jjj.jjj sss.sss.sss.sss : PSK "xxxxxxxx"
: RSA {
    # RSA 2192 bits jitaku.dyndns.com Mon Sep 8 16:30:37 2003
    # for signatures only, UNSAFE FOR ENCRYPTION
    #pubkey=0sAQPUbp…pA9VU9
    Modulus: 0xd46e…0f5553d
    PublicExponent: 0x03
    # everything after this point is secret
    PrivateExponent: 0x2367c…a52775
    Prime1: 0xeb9059…f6ec48d3
    Prime2: 0xe6dc806…3c22a1faf
    Exponent1: 0x9d0ae6…f9f2db37
    Exponent2: 0x99e85…2c1c151f
    Coefficient: 0xbda1bd9…8ffef5d6b
    }
[root@shokuba.dyndns.co.jp]# rpm -qa |grep freeswan
freeswan-userland-2.01_2.4.20_8-0
freeswan-module-2.01_2.4.20_8-0
[root@shokuba.dyndns.co.jp]# cat /etc/ipsec.conf | grep -v ^# | grep -v ^$
version 2.0 # conforms to second version of ipsec.conf specification
config setup
    interfaces="ipsec0=ppp0"
    klipsdebug=none
    plutodebug=none
conn %default
    type=tunnel
    keyingtries=0
    authby=rsasig
    keylife=1h
    pfs=yes
conn jitaku-to-shokuba
    left=sss.sss.sss.sss
    leftsubnet=192.168.2.0/24
    leftid=@shokuba.dyndns.co.jp
    leftrsasigkey=0sAQN7m1v82…plU5S6IXIn
    leftnexthop=SSS.SSS.SSS.SSS
    right=jjj.jjj.jjj.jjj
    rightsubnet=192.168.0.0/24
    rightid=@jitaku.dyndns.com
    rightrsasigkey=0sAQPUbp…pA9VU9
    rightnexthop=JJJ.JJJ.JJJ.JJJ
    auto=add
conn block
    auto=ignore
conn private
    auto=ignore
conn private-or-clear
    auto=ignore
conn clear-or-private
    auto=ignore
conn clear
    auto=ignore
conn packetdefault
    auto=ignore
[root@shokuba.dyndns.co.jp]# cat /etc/ipsec.secrets | grep -v ^# | grep -v ^$
sss.sss.sss.sss jjj.jjj.jjj.jjj : PSK "xxxxxxxx"
: RSA {
    # RSA 2192 bits shokuba.dyndns.co.jp Thu Sep 4 21:06:29 2003
    # for signatures only, UNSAFE FOR ENCRYPTION
    #pubkey=0sAQN7m1…lU5S6IXIn
    Modulus: 0x7b9b5bf…4ba217227
    PublicExponent: 0x03
    # everything after this point is secret
    PrivateExponent: 0x1499e4aa…a942fe407
    Prime1: 0xd49903…905e9559b
    Prime2: 0x94d76bb…3b18c465
    Exponent1: 0x8dbb57ab…0ae9b8e67
    Exponent2: 0x633a47c…2765d843
    Coefficient: 0x245402…d45dc3fd3
    }
```

After configuring this I ran

```
[root@jitaku.dyndns.com]# service ipsec start
[root@shokuba.dyndns.co.jp]# service ipsec start
[root@jitaku.dyndns.com]# ipsec auto --up jitaku-to-shokuba
```

and the VPN jitaku.dyndns.com⇔shokuba.dyndns.co.jp was established.

Starting from this state, I now want to add daigaku.dyndns.net and also build the VPN

```
      jitaku.dyndns.com
        /           \
shokuba.dyndns.co.jp─daigaku.dyndns.net
```

To do that, I first tried to set up jitaku.dyndns.com⇔daigaku.dyndns.net by adding a "conn jitaku-to-daigaku" section to /etc/ipsec.conf on jitaku.dyndns.com:

```
[root@jitaku.dyndns.com]# cat /etc/ipsec.conf | grep -v ^# | grep -v ^$
version 2.0 # conforms to second version of ipsec.conf specification
config setup
    interfaces="ipsec0=ppp0"
    klipsdebug=none
    plutodebug=none
conn %default
    type=tunnel
    keyingtries=10
    authby=rsasig
    keylife=1h
    pfs=yes
conn jitaku-to-shokuba
    left=jjj.jjj.jjj.jjj
    leftsubnet=192.168.0.0/24
    leftid=@jitaku.dyndns.com
    leftrsasigkey=0sAQPUbp…9VU9
    leftnexthop=JJJ.JJJ.JJJ.JJJ
    right=sss.sss.sss.sss
    rightsubnet=192.168.2.0/24
    rightid=@shokuba.dyndns.co.jp
    rightrsasigkey=0sAQN7m…S6IXIn
    rightnexthop=SSS.SSS.SSS.SSS
    auto=add
conn jitaku-to-daigaku
    left=jjj.jjj.jjj.jjj
    leftsubnet=192.168.0.0/24
    leftid=@jitaku.dyndns.com
    leftrsasigkey=0sAQPUbp…A9VU9
    leftnexthop=JJJ.JJJ.JJJ.JJJ
    right=ddd.ddd.ddd.ddd
    rightsubnet=192.168.3.0/24
    rightid=@daigaku.dyndns.net
    rightrsasigkey=0sAQOa…UjSRYiap
    rightnexthop=DDD.DDD.DDD.DDD
    auto=add
conn block
    auto=ignore
conn private
    auto=ignore
conn private-or-clear
    auto=ignore
conn clear-or-private
    auto=ignore
conn clear
    auto=ignore
conn packetdefault
    auto=ignore
[root@daigaku.dyndns.net]# rpm -qa | grep freeswan
freeswan-module-2.05_2.4.20_8-0
freeswan-userland-2.05_2.4.20_8-0
[root@daigaku.dyndns.net]# cat /etc/ipsec.conf | grep -v ^# | grep -v ^$
version 2.0 # conforms to second version of ipsec.conf specification
config setup
    interfaces="ipsec0=ppp0"
    klipsdebug=none
    plutodebug=none
conn %default
    type=tunnel
    keyingtries=10
    authby=rsasig
    keylife=1h
    pfs=yes
conn jitaku-to-daigaku
    left=ddd.ddd.ddd.ddd
    leftsubnet=192.168.3.0/24
    leftid=@daigaku.dyndns.net
    leftrsasigkey=0sAQOa+…jSRYiap
    leftnexthop=DDD.DDD.DDD.DDD
    right=jjj.jjj.jjj.jjj
    rightsubnet=192.168.1.0/24
    rightid=@jitaku.dyndns.com
    rightrsasigkey=0sAQPUbp…pd0UpA9VU9
    rightnexthop=JJJ.JJJ.JJJ.JJJ
    auto=add
conn block
    auto=ignore
conn private
    auto=ignore
conn private-or-clear
    auto=ignore
conn clear-or-private
    auto=ignore
conn clear
    auto=ignore
conn packetdefault
    auto=ignore
[root@daigaku.dyndns.net]# cat /etc/ipsec.secrets | grep -v ^# | grep -v ^$
ddd.ddd.ddd.ddd jjj.jjj.jjj.jjj : PSK "xxxxxxxx"
: RSA {
    # RSA 2048 bits daigaku.dyndns.net Wed Mar 31 23:43:59 2004
    # for signatures only, UNSAFE FOR ENCRYPTION
    #pubkey=0sAQOa+…jSRYiap
    Modulus: 0x9afb716…226a9
    PublicExponent: 0x03
    # everything after this point is secret
    PrivateExponent: 0x19d492…a17bf6e3
    Prime1: 0xdf26012…0570545
    Prime2: 0xb1cc65…8235815
    Exponent1: 0x94c400…03a0383
    Exponent2: 0x768843…56ce563
    Coefficient: 0x75af19…5897052
    }
```

I have got this far, but if I rewrite /etc/ipsec.secrets on root@jitaku.dyndns.com as

```
jjj.jjj.jjj.jjj ddd.ddd.ddd.ddd : PSK "xxxxxxxx"
: RSA {
    # RSA 2192 bits jitaku.dyndns.com Mon Sep 8 16:30:37 2003
    # for signatures only, UNSAFE FOR ENCRYPTION
    #pubkey=0sAQPUbp…pA9VU9
    Modulus: 0xd46e…0f5553d
    PublicExponent: 0x03
    # everything after this point is secret
    PrivateExponent: 0x2367c…a52775
    Prime1: 0xeb9059…f6ec48d3
    Prime2: 0xe6dc806…3c22a1faf
    Exponent1: 0x9d0ae6…f9f2db37
    Exponent2: 0x99e85…2c1c151f
    Coefficient: 0xbda1bd9…8ffef5d6b
    }
```

and then run

```
[root@jitaku.dyndns.com]# service ipsec start
[root@daigaku.dyndns.net]# service ipsec start
[root@jitaku.dyndns.com]# ipsec auto --up jitaku-to-daigaku
```

the jitaku.dyndns.com⇔daigaku.dyndns.net VPN might come up, but the jitaku.dyndns.com⇔shokuba.dyndns.co.jp connection that I had working would then be cut off, wouldn't it? How should I write it?
Posted: 2004-04-25 16:36

I was able to solve it.

I removed the first line of each /etc/ipsec.secrets, `ddd.ddd.ddd.ddd jjj.jjj.jjj.jjj : PSK "xxxxxxxx"`, and it worked fine. Sorry for the fuss.
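A consistency check for one gateway, added here as an example (it is not from the original post and not part of FreeS/WAN): it parses the conn sections of an ipsec.conf and the PSK lines and `: RSA {` block of an ipsec.secrets in the format shown above, then reports a conn with authby=rsasig whose leftrsasigkey is not the #pubkey= of the host's own private key, and PSK lines that no conn uses. The two sample files are constructed with placeholder keys, and the second conn deliberately carries the wrong key so the check has something to find.

```python
# Constructed sample modeled on the thread; the key values are placeholders, not real keys.
CONF = """\
conn %default
    authby=rsasig
conn jitaku-to-shokuba
    leftrsasigkey=0sAQPUbp_PLACEHOLDER_JITAKU
conn jitaku-to-daigaku
    leftrsasigkey=0sAQOa_PLACEHOLDER_DAIGAKU
"""
SECRETS = """\
jjj.jjj.jjj.jjj ddd.ddd.ddd.ddd : PSK "xxxxxxxx"
: RSA {
    #pubkey=0sAQPUbp_PLACEHOLDER_JITAKU
    }
"""

def parse_conf(text):  # {conn: {key: value}}, %default folded into every conn
    conns, cur = {}, None
    for line in text.splitlines():
        if line.startswith("conn "):
            cur = conns.setdefault(line.split()[1], {})
        elif cur is not None and line[:1].isspace() and "=" in line:
            k, v = line.strip().split("=", 1)
            cur[k] = v
    default = conns.pop("%default", {})
    return {n: {**default, **c} for n, c in conns.items()}

def parse_secrets(text):
    # returns (PSK selector strings, #pubkey= values found inside ': RSA {' blocks)
    psks, pubs, in_rsa = [], [], False
    for s in map(str.strip, text.splitlines()):
        if ": RSA" in s:
            in_rsa = True
        elif in_rsa:
            if s.startswith("#pubkey="):
                pubs.append(s[len("#pubkey="):])
            in_rsa = s != "}"
        elif ": PSK" in s:
            psks.append(s.split(":", 1)[0].strip())
    return psks, pubs

def check(conf_text, secrets_text):
    conns, (psks, pubs) = parse_conf(conf_text), parse_secrets(secrets_text)
    out = []
    for name, c in conns.items():  # an rsasig conn must advertise this host's own #pubkey
        if c.get("authby") == "rsasig" and c.get("leftrsasigkey") not in pubs:
            out.append(f"{name}: leftrsasigkey is not this host's #pubkey")
    if psks and not any(c.get("authby") == "secret" for c in conns.values()):
        out.append("stale PSK line(s) for " + ", ".join(psks) + "; no conn uses authby=secret")
    return out
```

With authby=rsasig a gateway signs with its single `: RSA {` key no matter which peer it talks to, so adding a peer needs only that peer's public key in its conn section and no new ipsec.secrets line, which is why dropping the PSK line left the RSA-authenticated conns working.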