Red Hat ENTERPRISE LINUX 3 Reference Manual page 124
Chapter 8. Network Interfaces

8.2.2. IPsec Interfaces

With Red Hat Enterprise Linux it is possible to connect to other hosts or networks using a secure IP connection, known as IPsec. For instructions on setting up IPsec using the Network Administration Tool (redhat-config-network) refer to the chapter titled Network Configuration in the Red Hat Enterprise Linux System Administration Guide. For instructions on setting up IPsec manually, refer to the chapter titled Virtual Private Networks in the Red Hat Enterprise Linux Security Guide.

The following is the ifcfg file for a network-to-network IPsec connection for LAN A. The unique name to identify the connection in this example is ipsec1, so the resulting file is named /etc/sysconfig/network-scripts/ifcfg-ipsec1.

TYPE=IPsec
ONBOOT=yes
IKE_METHOD=PSK
SRCNET=192.168.1.0/24
DSTNET=192.168.2.0/24
DST=X.X.X.X

In the example above, X.X.X.X is the publicly routable IP address of the destination IPsec router.

Below is a listing of the configurable parameters for an IPsec interface:

DST=address, where address is the IP address of the IPsec destination host or router. This is used for both host-to-host and network-to-network IPsec configurations.

DSTNET=network, where network is the network address of the IPsec destination network. This is only used for network-to-network IPsec configurations.

SRC=address, where address is the IP address of the IPsec source host or router. This setting is optional and is only used for host-to-host IPsec configurations.

SRCNET=network, where network is the network address of the IPsec source network. This is only used for network-to-network IPsec configurations.

TYPE=interface-type, where interface-type is IPSEC.

Refer to /usr/share/doc/initscripts-version-number/sysconfig.txt (replace version-number with the version of the initscripts package installed) for configuration parameters if using manual key encryption with IPsec.

If racoon is used to automatically manage key encryption, the following options are required:

IKE_METHOD=encryption-method, where encryption-method is either PSK, X509, or GSSAPI. If PSK is specified, the IKE_PSK parameter must also be set. If X509 is specified, the IKE_CERTFILE parameter must also be set.

IKE_PSK=shared-key, where shared-key is the shared, secret value for the PSK (pre-shared keys) method.

IKE_CERTFILE=cert-file, where cert-file is a valid X.509 certificate file for the host.

IKE_PEER_CERTFILE=cert-file, where cert-file is a valid X.509 certificate file for the remote host.

IKE_DNSSEC=answer, where answer is yes. The racoon daemon retrieves the remote host's X.509 certificate via DNS. If IKE_PEER_CERTFILE is specified, do not include this parameter.

For more information about the encryption algorithms available for IPsec, refer to the setkey man page. For more information about racoon, refer to the racoon and racoon.conf man pages.
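The following is an added example, not code from the Red Hat manual or from the initscripts package: a POSIX shell lint that reads an ifcfg-ipsec file and checks it against the parameter rules listed above (DST always required, SRCNET and DSTNET paired for a network-to-network tunnel, SRC only for host-to-host, IKE_METHOD restricted to PSK, X509 or GSSAPI with its companion IKE_PSK or IKE_CERTFILE, and IKE_DNSSEC never combined with IKE_PEER_CERTFILE). It goes beyond the single LAN A file on the page by covering all of the listed parameters. The temporary directory, the two sample files, the placeholder shared secret and the certificate path are all constructed here; the check that a file carrying IKE_PSK is not world-readable is an addition beyond the manual's rules.

```shell
#!/bin/sh
# Added example, not part of the Red Hat manual: a small lint for
# ifcfg-ipsec files that applies the parameter rules stated in section
# 8.2.2. The two sample files are constructed in a temporary directory;
# nothing under /etc/sysconfig is read or written.

# Print the value of KEY ($2) from an ifcfg file ($1): last assignment wins,
# surrounding double quotes are stripped, nothing is printed if KEY is absent.
ifcfg_get() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 | sed 's/^"\(.*\)"$/\1/'
}

# Record one finding for the file being checked ($f) and bump the count ($n).
finding() {
    echo "$f: $1"
    n=$((n + 1))
}

# Check one ifcfg-ipsec file. Prints one finding per line and returns the
# number of findings, so a return status of 0 means the file passed.
check_ifcfg_ipsec() {
    f=$1
    n=0
    type=$(ifcfg_get "$f" TYPE)
    dst=$(ifcfg_get "$f" DST)
    src=$(ifcfg_get "$f" SRC)
    dstnet=$(ifcfg_get "$f" DSTNET)
    srcnet=$(ifcfg_get "$f" SRCNET)
    method=$(ifcfg_get "$f" IKE_METHOD)
    psk=$(ifcfg_get "$f" IKE_PSK)
    certfile=$(ifcfg_get "$f" IKE_CERTFILE)
    peercert=$(ifcfg_get "$f" IKE_PEER_CERTFILE)
    dnssec=$(ifcfg_get "$f" IKE_DNSSEC)

    # The manual shows the interface type spelled both IPsec and IPSEC.
    case "$type" in
        IPsec|IPSEC) ;;
        *) finding "TYPE must be IPSEC (found '$type')" ;;
    esac

    # DST is used for host-to-host and network-to-network alike.
    [ -n "$dst" ] || finding "DST (destination host or router) is missing"

    # SRCNET and DSTNET describe a network-to-network tunnel and go together;
    # SRC is only meaningful for host-to-host configurations.
    if [ -n "$dstnet" ] || [ -n "$srcnet" ]; then
        [ -n "$dstnet" ] || finding "SRCNET is set but DSTNET is missing"
        [ -n "$srcnet" ] || finding "DSTNET is set but SRCNET is missing"
        [ -z "$src" ] || finding "SRC is only used for host-to-host; drop it for a network-to-network tunnel"
    fi

    # With racoon managing keys, IKE_METHOD selects PSK, X509 or GSSAPI and
    # PSK and X509 each require a companion parameter.
    case "$method" in
        "") ;;  # no IKE_METHOD: manual keying via setkey, nothing to check here
        PSK)  [ -n "$psk" ] || finding "IKE_METHOD=PSK requires IKE_PSK" ;;
        X509) [ -n "$certfile" ] || finding "IKE_METHOD=X509 requires IKE_CERTFILE" ;;
        GSSAPI) ;;
        *) finding "IKE_METHOD must be PSK, X509 or GSSAPI (found '$method')" ;;
    esac

    # IKE_DNSSEC=yes fetches the peer certificate via DNS, so it must not be
    # combined with a statically configured IKE_PEER_CERTFILE.
    if [ -n "$dnssec" ]; then
        [ "$dnssec" = yes ] || finding "IKE_DNSSEC must be yes (found '$dnssec')"
        [ -z "$peercert" ] || finding "IKE_DNSSEC and IKE_PEER_CERTFILE are mutually exclusive"
    fi

    # Hardening check beyond the manual's rules: a file holding the
    # pre-shared key should not be readable by other local users.
    if [ -n "$psk" ]; then
        case "$(ls -ld "$f")" in
            ???????r*) finding "IKE_PSK is set but the file is world-readable" ;;
        esac
    fi

    return "$n"
}

# Constructed sample files; the secret and the certificate path are placeholders.
SAMPLE_DIR=$(mktemp -d)
GOOD_IFCFG="$SAMPLE_DIR/ifcfg-ipsec1"
BAD_IFCFG="$SAMPLE_DIR/ifcfg-ipsec2"

cat > "$GOOD_IFCFG" <<'EOF'
TYPE=IPsec
ONBOOT=yes
IKE_METHOD=PSK
IKE_PSK=placeholder-shared-secret
SRCNET=192.168.1.0/24
DSTNET=192.168.2.0/24
DST=X.X.X.X
EOF
chmod 600 "$GOOD_IFCFG"

cat > "$BAD_IFCFG" <<'EOF'
TYPE=IPsec
ONBOOT=yes
IKE_METHOD=X509
IKE_DNSSEC=yes
IKE_PEER_CERTFILE=/path/to/peer-cert.pem
SRC=192.168.1.1
DSTNET=192.168.2.0/24
DST=X.X.X.X
EOF
chmod 644 "$BAD_IFCFG"

check_ifcfg_ipsec "$GOOD_IFCFG" && echo "$GOOD_IFCFG: ok"
check_ifcfg_ipsec "$BAD_IFCFG" || echo "$BAD_IFCFG: $? problem(s) found"
```

Against a live system the function is called with the real path, for example check_ifcfg_ipsec /etc/sysconfig/network-scripts/ifcfg-ipsec1; the second constructed file above trips four of the rules (X509 without IKE_CERTFILE, IKE_DNSSEC alongside IKE_PEER_CERTFILE, DSTNET without SRCNET, and SRC in a network-to-network file), which is what the non-zero return status reports.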
