Red Hat ENTERPRISE LINUX 3 - SECURITY GUIDE Manual page 71

Chapter 6. Virtual Private Networks
- A unique name to identify the IPsec connection and distinguish it from other devices or connections (for example, ipsec0)
- A fixed encryption key or one automatically generated by racoon
- A pre-shared authentication key that is used to initiate the connection and exchange encryption keys during the session

For example, suppose Workstation A and Workstation B want to connect to each other through an IPsec tunnel. They want to connect using a pre-shared key with the value of foobarbaz and the users agree to let racoon automatically generate and share an authentication key between each host. Both host users decide to name their connections ipsec0.

The following is the ifcfg file for a host-to-host IPsec connection for Workstation A. The unique name to identify the connection in this example is ipsec0, so the resulting file is named /etc/sysconfig/network-scripts/ifcfg-ipsec0.

    DST=X.X.X.X
    TYPE=IPsec
    ONBOOT=yes
    IKE_METHOD=PSK

Workstation A would replace X.X.X.X with the IP address of Workstation B, while Workstation B replaces X.X.X.X with the IP address of Workstation A. The connection is set to initiate upon boot-up (ONBOOT=yes) and uses the pre-shared key method of authentication (IKE_METHOD=PSK).

The following is the pre-shared key file (called /etc/sysconfig/network-scripts/keys-ipsec0) that both workstations use to authenticate each other. The contents of this file should be identical on both workstations and only the root user should be able to read or write this file.

    IKE_PSK=foobarbaz

Important
To change the keys-ipsec0 file so that only the root user can read or edit the file, perform the following command after creating the file:

    chmod 600 /etc/sysconfig/network-scripts/keys-ipsec0

To change the authentication key at any time, edit the keys-ipsec0 file on both workstations. Both keys must be identical for proper connectivity.

The /etc/racoon/racoon.conf file should be identical on both workstations except for the include "/etc/racoon/X.X.X.X.conf" statement. This statement (and the file it references) is generated when the IPsec tunnel is activated. For Workstation A, the X.X.X.X in the include statement is Workstation B's IP address. The opposite is true of Workstation B. The following shows a typical racoon.conf file when the IPsec connection is activated.

    # Racoon IKE daemon configuration file.
    # See 'man racoon.conf' for a description of the format and entries.
    path include "/etc/racoon";
    path pre_shared_key "/etc/racoon/psk.txt";
    path certificate "/etc/racoon/certs";
    sainfo anonymous
    {
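The following POSIX shell script is an added example, not part of the Red Hat guide or of the RHEL 3 tooling. It checks an ifcfg/keys pair the way an administrator would after creating the files described above: TYPE=IPsec is set, DST no longer holds the X.X.X.X placeholder, IKE_METHOD=PSK is paired with a keys file, that keys file has the chmod 600 mode the guide prescribes and a non-empty IKE_PSK, and a second function confirms two hosts' keys files carry the same IKE_PSK without printing the secret. The directory layout (ifcfg-<name> and keys-<name> side by side) and the function names are assumptions; on a real RHEL 3 host the directory is /etc/sysconfig/network-scripts, and the demonstration at the bottom runs on constructed files in a scratch directory.

```shell
#!/bin/sh
# Added example, not from the Red Hat guide. Assumed layout: a directory
# holding ifcfg-<name> and keys-<name> (on RHEL 3: /etc/sysconfig/network-scripts).

# cfg_get FILE KEY: value of the first KEY=value line, surrounding quotes stripped.
cfg_get() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | head -n 1 | sed 's/^"\(.*\)"$/\1/'
}

# check_ipsec_conn DIR NAME: report every problem found; return 0 only if none.
check_ipsec_conn() {
    dir=$1; name=$2; rc=0
    ifcfg="$dir/ifcfg-$name"; keys="$dir/keys-$name"

    if [ ! -f "$ifcfg" ]; then
        echo "FAIL: $ifcfg is missing"
        return 1
    fi

    [ "$(cfg_get "$ifcfg" TYPE)" = "IPsec" ] || { echo "FAIL: $ifcfg lacks TYPE=IPsec"; rc=1; }

    # The guide's template ships DST=X.X.X.X; each side must put the peer's address there.
    case "$(cfg_get "$ifcfg" DST)" in
        ""|X.X.X.X) echo "FAIL: DST in $ifcfg still holds the placeholder, not the peer's IP"; rc=1 ;;
    esac

    if [ "$(cfg_get "$ifcfg" IKE_METHOD)" = "PSK" ]; then
        if [ ! -f "$keys" ]; then
            echo "FAIL: IKE_METHOD=PSK but $keys is missing"; rc=1
        else
            # chmod 600 is the mode the guide prescribes; -perm 600 without a
            # leading '-' is an exact match, so any group/other bit is a failure.
            if [ -z "$(find "$keys" -perm 600 -print)" ]; then
                echo "FAIL: $keys is not mode 0600 (run: chmod 600 $keys)"; rc=1
            fi
            [ -n "$(cfg_get "$keys" IKE_PSK)" ] || { echo "FAIL: IKE_PSK is empty in $keys"; rc=1; }
        fi
    fi

    [ "$rc" -eq 0 ] && echo "OK: $name passes all checks"
    return "$rc"
}

# keys_match FILE_A FILE_B: 0 if both keys files carry the same IKE_PSK.
# Compares the values without printing them, since the PSK is a secret.
keys_match() {
    [ "$(cfg_get "$1" IKE_PSK)" = "$(cfg_get "$2" IKE_PSK)" ]
}

# Demonstration on constructed files in a scratch directory (not real hosts).
demo_dir=$(mktemp -d)
printf 'DST=192.0.2.2\nTYPE=IPsec\nONBOOT=yes\nIKE_METHOD=PSK\n' > "$demo_dir/ifcfg-ipsec0"
printf 'IKE_PSK=foobarbaz\n' > "$demo_dir/keys-ipsec0"
chmod 600 "$demo_dir/keys-ipsec0"
check_ipsec_conn "$demo_dir" ipsec0        # passes

# The same connection left with the template placeholder and a world-readable key file.
printf 'DST=X.X.X.X\nTYPE=IPsec\nONBOOT=yes\nIKE_METHOD=PSK\n' > "$demo_dir/ifcfg-bad"
printf 'IKE_PSK=foobarbaz\n' > "$demo_dir/keys-bad"
chmod 644 "$demo_dir/keys-bad"
check_ipsec_conn "$demo_dir" bad || true   # reports the placeholder DST and the 0644 mode
keys_match "$demo_dir/keys-ipsec0" "$demo_dir/keys-bad" && echo "IKE_PSK identical in both files"
rm -rf "$demo_dir"
```

Run it on a host by pointing check_ipsec_conn at /etc/sysconfig/network-scripts and the connection name; to compare keys across two workstations, copy the peer's keys-ipsec0 over a channel that preserves its confidentiality and pass both paths to keys_match, which reports agreement without echoing the value.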