Red Hat ENTERPRISE LINUX 4 - SECURITY GUIDE Manual page 72


Chapter 6. Virtual Private Networks
# /etc/racoon/racoon.conf: settings shared by every tunnel on this router
path include "/etc/racoon";
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";

sainfo anonymous
{
        pfs_group 2;
        lifetime time 1 hour ;
        encryption_algorithm 3des, blowfish 448, rijndael ;
        authentication_algorithm hmac_sha1, hmac_md5 ;
        compression_algorithm deflate ;
}

# per-peer settings for the tunnel to X.X.X.X, generated when the tunnel is activated
include "/etc/racoon/X.X.X.X.conf"
The following is the specific configuration for the connection to the remote network. The file is named
X.X.X.X.conf (replace X.X.X.X with the IP address of the remote IPsec router). Note that this file
is automatically generated once the IPsec tunnel is activated and should not be edited directly.
Two of its settings deserve attention. The exchange_mode list names aggressive mode first, which is the
mode racoon uses when it initiates (it accepts either mode as responder), and the proposal authenticates
with a pre-shared key. In aggressive mode the responder's identity hash, which is derived from the PSK,
is sent before the exchange is encrypted, so an eavesdropper on the path can capture it and run an
offline dictionary attack against the key. The PSK in /etc/racoon/psk.txt must therefore be long and
random, and that file must be readable only by root.
;
remote X.X.X.X
{
        exchange_mode aggressive, main;
        my_identifier address;
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2 ;
        }
}
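As an added example (not part of the Red Hat guide or of the racoon project), the following Python script parses a racoon configuration such as the two fragments above and flags the settings a reviewer would question: aggressive-mode IKE combined with a pre-shared key, the 3DES and Blowfish ciphers, HMAC-MD5, and Diffie-Hellman groups below 2048 bits. The embedded configuration text is constructed from the page's fragments, joined the way racoon sees them after the include; X.X.X.X is kept as the page's placeholder. The weak-algorithm lists and the finding wording are this example's own review policy, not racoon defaults.

```python
"""Audit a racoon(8) configuration for weak IKE and IPsec choices."""
import re

# Constructed input for this example: the page's two fragments, joined the way
# racoon sees them after the include directive. X.X.X.X is the page's placeholder.
SAMPLE_CONF = """
path include "/etc/racoon";
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";
sainfo anonymous
{
        pfs_group 2;
        lifetime time 1 hour ;
        encryption_algorithm 3des, blowfish 448, rijndael ;
        authentication_algorithm hmac_sha1, hmac_md5 ;
        compression_algorithm deflate ;
}
;
remote X.X.X.X
{
        exchange_mode aggressive, main;
        my_identifier address;
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2 ;
        }
}
"""

# Thresholds below are this example's own review policy, not racoon defaults.
WEAK_CIPHERS = {"des", "3des", "blowfish", "cast128", "rc5"}
WEAK_HASHES = {"md5", "hmac_md5"}
WEAK_DH = {"1", "2", "5"}  # MODP groups of 768, 1024 and 1536 bits
CHECKS = [  # (keyword, values considered weak, finding template)
    ("encryption_algorithm", WEAK_CIPHERS, "legacy cipher {} offered"),
    ("authentication_algorithm", WEAK_HASHES, "weak ESP integrity {} offered"),
    ("hash_algorithm", WEAK_HASHES, "weak IKE hash {} proposed"),
    ("dh_group", WEAK_DH, "dh_group {} is below 2048-bit MODP (group 14)"),
    ("pfs_group", WEAK_DH, "pfs_group {} is below 2048-bit MODP (group 14)"),
]


def tokenize(text):
    """Split racoon.conf text into quoted strings, braces, ';' and words."""
    text = re.sub(r"#[^\n]*", "", text)  # racoon.conf comments start with '#'
    return re.findall(r'"[^"]*"|[{};]|[^\s{};]+', text)


def parse(tokens):
    """Return (words, body) statements; body is None or a nested list for '{ }'."""
    stmts, words, i = [], [], 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == ";":
            if words:
                stmts.append((words, None))
            words = []
        elif tok == "{":
            depth, j = 1, i + 1
            while depth and j < len(tokens):
                depth += {"{": 1, "}": -1}.get(tokens[j], 0)
                j += 1
            if depth:
                raise ValueError("unbalanced '{' in configuration")
            stmts.append((words, parse(tokens[i + 1:j - 1])))
            words, i = [], j
            continue
        else:
            words.append(tok.rstrip(","))  # 'a, b, c' lists become separate words
        i += 1
    return stmts


def settings(body):
    """Flatten a block and its nested proposal {} blocks into keyword -> values."""
    found = {}
    for words, sub in body:
        nested = sub if words and words[0] == "proposal" and sub else [(words, sub)]
        for w, _ in nested:
            if w:
                found.setdefault(w[0], set()).update(w[1:])
    return found


def audit(text):
    """Return sorted findings for every sainfo and remote block in text."""
    findings = []
    for words, body in parse(tokenize(text)):
        if not words or body is None or words[0] not in ("sainfo", "remote"):
            continue  # path/include statements carry no algorithm choices
        label, s = " ".join(words), settings(body)
        for key, weak, msg in CHECKS:
            for value in sorted(s.get(key, set()) & weak):
                findings.append(f"{label}: {msg.format(value)}")
        if "aggressive" in s.get("exchange_mode", set()) and \
                "pre_shared_key" in s.get("authentication_method", set()):
            findings.append(f"{label}: aggressive mode with a pre-shared key lets an eavesdropper "
                            "capture a PSK-derived hash for offline cracking; use exchange_mode main")
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF):
        print(finding)
```

Run against the configuration above it prints one line per finding for both the sainfo block and the remote block; a variant with exchange_mode main, aes in both encryption_algorithm lists, hmac_sha1 only, and group 14 for dh_group and pfs_group produces none. The parser is deliberately minimal (statements, comma lists, nested braces, '#' comments) and raises on unbalanced braces rather than guessing.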
Prior to starting the IPsec connection, IP forwarding should be enabled in the kernel. As root at a shell
prompt, enable IP forwarding:
1. Edit /etc/sysctl.conf and set net.ipv4.ip_forward to 1.
2. Execute the following command to enable the change:
sysctl -p /etc/sysctl.conf
To start the IPsec connection, either reboot the IPsec routers or execute the following command as
root on each router:
/sbin/ifup ipsec0
The connections are activated, and both LAN A and B are able to communicate with each other.
The routes are created automatically via the initialization script called by running ifup on the IPsec
connection. To show a list of routes for the network, run the following command:
/sbin/ip route list
To test the IPsec connection, run the tcpdump utility on the externally-routable device (eth0 in this
example) to view the network packets being transferred between the hosts (or networks) and verify