IPsec: racoon

Configuring PC1 for certificate-based authentication

Edit the file /etc/racoon/setkey.conf on PC1 as follows:

#!/usr/sbin/setkey -f
# Clear the security policies:
# Flush the Security Association Database (SAD)
# And the Security Policy Database (SPD)
flush;
spdflush;

# Security policies (each spdadd statement runs up to its terminating ';')
spdadd 192.168.238.130 192.168.238.131 any -P out ipsec
    esp/transport//require
    ah/transport//require;

spdadd 192.168.238.131 192.168.238.130 any -P in ipsec
    esp/transport//require
    ah/transport//require;

Then edit the racoon configuration file /etc/racoon/racoon.conf:

path certificate "/etc/racoon/certs";
remote 192.168.238.131 {
    exchange_mode main;
    certificate_type x509 "IPSECcert.pem" "IPSECkey.pem";
    verify_cert on;
    my_identifier asn1dn;
    peers_identifier asn1dn;
    proposal {
        encryption_algorithm 3des;
        hash_algorithm md5;
        authentication_method rsasig;
        dh_group modp1024;
    }
}
sainfo anonymous {
    pfs_group modp768;
    encryption_algorithm 3des;
    authentication_algorithm hmac_md5;
    compression_algorithm deflate;
}

Configuring PC2 for certificate-based authentication

Edit the file /etc/racoon/setkey.conf on PC2 as follows:

#!/usr/sbin/setkey -f
# Clear the security policies:
# Flush the Security Association Database (SAD)
# And the Security Policy Database (SPD)
flush;
spdflush;

# Security policies (the mirror image of PC1's: 'in' and 'out' are swapped)
spdadd 192.168.238.130 192.168.238.131 any -P in ipsec
    esp/transport//require
    ah/transport//require;

spdadd 192.168.238.131 192.168.238.130 any -P out ipsec
    esp/transport//require
    ah/transport//require;
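The two setkey.conf files above must be exact mirror images: every policy PC1 applies to outbound traffic, PC2 must apply to the same traffic inbound, with the same protocols and the same level. A mismatch shows up only as a silent ping failure, so it is worth checking mechanically. The following Python script is an added example (my code, not from the original page or from the ipsec-tools project): it parses spdadd statements, checks that the two hosts' policies mirror each other, and flags any rule whose level is not `require`. The two configuration texts embedded in it are the page's own files, reproduced as constructed sample input.

```python
import re

# Constructed sample input: the two setkey.conf files from this page, written
# as setkey reads them (each spdadd statement runs up to its terminating ';').
PC1_SETKEY = """
flush;
spdflush;
spdadd 192.168.238.130 192.168.238.131 any -P out ipsec
    esp/transport//require
    ah/transport//require;
spdadd 192.168.238.131 192.168.238.130 any -P in ipsec
    esp/transport//require
    ah/transport//require;
"""

PC2_SETKEY = """
flush;
spdflush;
spdadd 192.168.238.130 192.168.238.131 any -P in ipsec
    esp/transport//require
    ah/transport//require;
spdadd 192.168.238.131 192.168.238.130 any -P out ipsec
    esp/transport//require
    ah/transport//require;
"""

# spdadd <src> <dst> <upperspec> -P <in|out> <policy> [rule ...]
SPDADD_RE = re.compile(
    r"spdadd\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<upper>\S+)\s+-P\s+(?P<dir>in|out)\s+"
    r"(?P<policy>ipsec|discard|none)(?P<rules>.*)",
    re.DOTALL,
)


def parse_spd(text):
    """Return the spdadd statements of a setkey.conf as a list of dicts."""
    # Drop '#' comments, then split on ';' so a statement may span several lines.
    body = "\n".join(line.split("#", 1)[0] for line in text.splitlines())
    policies = []
    for stmt in body.split(";"):
        m = SPDADD_RE.search(stmt)
        if m is None:
            continue  # flush, spdflush, or an empty trailing statement
        policies.append({
            "src": m.group("src"),
            "dst": m.group("dst"),
            "upper": m.group("upper"),
            "dir": m.group("dir"),
            "policy": m.group("policy"),
            "rules": tuple(m.group("rules").split()),
        })
    return policies


def _key(p, direction):
    return (p["src"], p["dst"], p["upper"], direction, p["policy"], p["rules"])


def mirror_gaps(local, peer):
    """Policies on `local` that have no counterpart on `peer`.

    A counterpart has the same selectors, policy and rules with 'in' and 'out'
    swapped: PC1's 'out' policy for 130->131 must be PC2's 'in' policy for it.
    """
    flipped = {"in": "out", "out": "in"}
    peer_keys = {_key(p, p["dir"]) for p in peer}
    return [p for p in local if _key(p, flipped[p["dir"]]) not in peer_keys]


def non_require_rules(policies):
    """Rules whose level is not 'require'.

    Rule syntax is protocol/mode/src-dst/level. With level 'use' the kernel
    still passes the traffic in cleartext when no SA exists, so a failed key
    exchange silently downgrades the link; 'require' drops such packets.
    """
    findings = []
    for p in policies:
        for rule in p["rules"]:
            parts = rule.split("/")
            if len(parts) != 4 or parts[3] != "require":
                findings.append((p["src"], p["dst"], p["dir"], rule))
    return findings


if __name__ == "__main__":
    pc1, pc2 = parse_spd(PC1_SETKEY), parse_spd(PC2_SETKEY)
    print("PC1 policies without a mirror on PC2:", mirror_gaps(pc1, pc2))
    print("PC2 policies without a mirror on PC1:", mirror_gaps(pc2, pc1))
    print("rules below 'require':", non_require_rules(pc1) + non_require_rules(pc2))
```

On the live hosts the same information comes from the kernel: `setkey -DP` dumps the loaded SPD and `setkey -D` the SAs racoon has negotiated, so an empty `setkey -D` after the first ping points at the key exchange rather than at the policies.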

Then edit the racoon configuration file /etc/racoon/racoon.conf:

path certificate "/etc/racoon/certs";
remote 192.168.238.130 {
    exchange_mode main;
    certificate_type x509 "IPSECcert.pem" "IPSECkey.pem";
    verify_cert on;
    my_identifier asn1dn;
    peers_identifier asn1dn;
    proposal {
        encryption_algorithm 3des;
        hash_algorithm md5;
        authentication_method rsasig;
        dh_group modp1024;
    }
}
sainfo anonymous {
    pfs_group modp768;
    encryption_algorithm 3des;
    authentication_algorithm hmac_md5;
    compression_algorithm deflate;
}
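The two racoon.conf files above (PC1's and PC2's differ only in the `remote` address) pin the algorithm suite for both IKE phases: 3DES, MD5 and 1024-bit DH for phase 1, 3DES, HMAC-MD5 and 768-bit DH for phase 2, with certificate verification switched on. Those were common defaults when this walkthrough was written; today each of them is below accepted minimums, and `verify_cert` is the one line that makes the rsasig authentication mean anything. The Python script below is an added example (my code, not from the page or from ipsec-tools): a small parser for racoon's `statement;` / `name { ... }` syntax, a table of the weak settings it should flag, and a check for remotes that turn certificate verification off. The embedded configuration is the page's PC1 file as constructed sample input; the replacement keywords in the `WEAK` table are my reading of the racoon.conf(5) manual and should be confirmed against the version you run.

```python
import re

# Constructed sample: the PC1 racoon.conf from this page (the PC2 one differs
# only in the remote address), with ASCII double quotes as racoon expects.
RACOON_CONF = '''
path certificate "/etc/racoon/certs";
remote 192.168.238.131 {
    exchange_mode main;
    certificate_type x509 "IPSECcert.pem" "IPSECkey.pem";
    verify_cert on;
    my_identifier asn1dn;
    peers_identifier asn1dn;
    proposal {
        encryption_algorithm 3des;
        hash_algorithm md5;
        authentication_method rsasig;
        dh_group modp1024;
    }
}
sainfo anonymous {
    pfs_group modp768;
    encryption_algorithm 3des;
    authentication_algorithm hmac_md5;
    compression_algorithm deflate;
}
'''

# Tokens: a double-quoted string, one of { } ;, or a bare word.
TOKEN_RE = re.compile(r'"[^"]*"|[{};]|[^\s{};"]+')


def tokenize(text):
    """Strip '#' comments and split the text into tokens."""
    stripped = "\n".join(line.split("#", 1)[0] for line in text.splitlines())
    return TOKEN_RE.findall(stripped)


def parse_block(tokens, pos=0):
    """Parse 'words ;' statements and 'words { ... }' blocks.

    Returns (entries, pos); each entry is (words, children), where children
    is None for a plain statement and a nested entry list for a block.
    """
    entries, words = [], []
    while pos < len(tokens):
        tok = tokens[pos]
        pos += 1
        if tok == ";":
            entries.append((tuple(words), None))
            words = []
        elif tok == "{":
            children, pos = parse_block(tokens, pos)
            entries.append((tuple(words), children))
            words = []
        elif tok == "}":
            break
        else:
            words.append(tok.strip('"'))
    return entries, pos


def statements(entries, path=()):
    """Yield (enclosing block headers, statement words) for every statement."""
    for words, children in entries:
        if children is None:
            yield path, words
        else:
            yield from statements(children, path + (" ".join(words),))


# Settings in this page's config that are no longer adequate, with the keyword
# I would move to. Replacement keywords are assumptions taken from my reading
# of racoon.conf(5); confirm them against the ipsec-tools version you run.
WEAK = {
    ("encryption_algorithm", "3des"): "64-bit block cipher (Sweet32); use aes",
    ("hash_algorithm", "md5"): "MD5 is collision-broken; use sha256",
    ("authentication_algorithm", "hmac_md5"): "HMAC-MD5 is deprecated; use hmac_sha256",
    ("dh_group", "modp768"): "768-bit DH is far below current minimums; use modp2048",
    ("dh_group", "modp1024"): "1024-bit DH is below current minimums; use modp2048",
    ("pfs_group", "modp768"): "768-bit DH is far below current minimums; use modp2048",
    ("pfs_group", "modp1024"): "1024-bit DH is below current minimums; use modp2048",
}


def weak_settings(conf_text):
    """List (block path, keyword, value, reason) for every weak setting found."""
    entries, _ = parse_block(tokenize(conf_text))
    return [
        (" > ".join(path), words[0], words[1], WEAK[(words[0], words[1])])
        for path, words in statements(entries)
        if len(words) >= 2 and (words[0], words[1]) in WEAK
    ]


def remotes_with_verify_cert_off(conf_text):
    """Names of remote blocks that explicitly set 'verify_cert off'.

    With verification off, whatever certificate the peer presents is accepted,
    so rsasig authentication no longer ties the peer to a trusted CA.
    """
    entries, _ = parse_block(tokenize(conf_text))
    return [
        path[0].split(" ", 1)[1]
        for path, words in statements(entries)
        if path and path[0].startswith("remote ") and words == ("verify_cert", "off")
    ]


if __name__ == "__main__":
    for finding in weak_settings(RACOON_CONF):
        print(finding)
    print("remotes with verify_cert off:", remotes_with_verify_cert_off(RACOON_CONF))
```

Note also that `sainfo anonymous` applies the phase-2 parameters to any peer that completes phase 1; on a lab with one peer that is harmless, but a per-peer `sainfo` keeps a later, less strict `remote` block from inheriting these settings unnoticed.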

Restart the machine…

We can then test:

Note that the first ping never works, since it serves to initiate the key exchange; the second one will succeed!

On PC2

tcpdump -i eth1 host 192.168.238.131 and 192.168.238.130 > /dev/pts/0
ping 192.168.238.130

On PC1

tcpdump -i eth1 host 192.168.238.130 and 192.168.238.131 > /dev/pts/0
ping 192.168.238.131

Results

PC1:~# ping 192.168.238.131
PING 192.168.238.131 (192.168.238.131) 56(84) bytes of data.
19:38:13.422427 IP 192.168.238.130 > 192.168.238.131: AH(spi=0x0582a70f,seq=0x35): ESP(spi=0x0635e817,seq=0x35), length 100
64 bytes from 192.168.238.131: icmp_seq=1 ttl=64 time=2.23 ms
19:38:13.424239 IP 192.168.238.131 > 192.168.238.130: AH(spi=0x06ba7da2,seq=0x35): ESP(spi=0x04669426,seq=0x35), length 100
19:38:14.425512 IP 192.168.238.130 > 192.168.238.131: AH(spi=0x0582a70f,seq=0x36): ESP(spi=0x0635e817,seq=0x36), length 100

PC2:~# ping 192.168.238.130
PING 192.168.238.130 (192.168.238.130) 56(84) bytes of data.
19:37:21.561815 IP 192.168.238.131 > 192.168.238.130: AH(spi=0x06ba7da2,seq=0x30): ESP(spi=0x04669426,seq=0x30), length 100
64 bytes from 192.168.238.130: icmp_seq=1 ttl=64 time=3.89 ms
19:37:21.565499 IP 192.168.238.130 > 192.168.238.131: AH(spi=0x0582a70f,seq=0x30): ESP(spi=0x0635e817,seq=0x30), length 100
19:37:22.562545 IP 192.168.238.131 > 192.168.238.130: AH(spi=0x06ba7da2,seq=0x31): ESP(spi=0x04669426,seq=0x31), length 100
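The captures above show what a working setup looks like: every packet between the two hosts carries an AH header followed by an ESP header, each direction has its own pair of SPIs (0x0582a70f/0x0635e817 from PC1 to PC2, 0x06ba7da2/0x04669426 back), and the sequence numbers advance by one per packet. Reading that by eye works for a handful of lines; the Python script below is an added example (my code, not from the page) that parses tcpdump lines of this shape and checks those properties automatically. Its sample capture reproduces the PC1 lines from the page and adds three constructed lines so that each check has something to report: a cleartext echo request, an ISAKMP packet of the kind the first ping triggers, and a repeated AH/ESP frame with an already-used sequence number.

```python
import re

# Constructed sample: the PC1 capture from this page plus three lines I added
# to exercise the checks (a cleartext echo request, an ISAKMP exchange packet,
# and a repeat of the last protected frame with the same SPI and sequence).
CAPTURE = """\
19:38:12.900000 IP 192.168.238.130 > 192.168.238.131: ICMP echo request, id 4321, seq 1, length 64
19:38:12.950000 IP 192.168.238.130.500 > 192.168.238.131.500: isakmp: phase 1 I ident
19:38:13.422427 IP 192.168.238.130 > 192.168.238.131: AH(spi=0x0582a70f,seq=0x35): ESP(spi=0x0635e817,seq=0x35), length 100
19:38:13.424239 IP 192.168.238.131 > 192.168.238.130: AH(spi=0x06ba7da2,seq=0x35): ESP(spi=0x04669426,seq=0x35), length 100
19:38:14.425512 IP 192.168.238.130 > 192.168.238.131: AH(spi=0x0582a70f,seq=0x36): ESP(spi=0x0635e817,seq=0x36), length 100
19:38:14.425600 IP 192.168.238.130 > 192.168.238.131: AH(spi=0x0582a70f,seq=0x36): ESP(spi=0x0635e817,seq=0x36), length 100
"""

# "<time> IP <src>[.port] > <dst>[.port]: <rest>"; ports appear only on UDP/TCP.
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>\d+\.\d+\.\d+\.\d+)(?:\.\d+)? > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.\d+)?: (?P<rest>.*)$"
)
AH_ESP_RE = re.compile(
    r"AH\(spi=0x(?P<ah_spi>[0-9a-f]+),seq=0x(?P<ah_seq>[0-9a-f]+)\): "
    r"ESP\(spi=0x(?P<esp_spi>[0-9a-f]+),seq=0x(?P<esp_seq>[0-9a-f]+)\), length (?P<length>\d+)"
)


def parse_capture(text):
    """Turn tcpdump lines into dicts; lines that are not 'IP a > b:' are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m is None:
            continue  # e.g. ping's own output interleaved on the same terminal
        pkt = {"ts": m.group("ts"), "src": m.group("src"), "dst": m.group("dst"),
               "rest": m.group("rest"), "protected": False,
               "ike": m.group("rest").startswith("isakmp")}
        h = AH_ESP_RE.match(m.group("rest"))
        if h is not None:
            pkt.update(protected=True,
                       ah_spi=int(h.group("ah_spi"), 16), ah_seq=int(h.group("ah_seq"), 16),
                       esp_spi=int(h.group("esp_spi"), 16), esp_seq=int(h.group("esp_seq"), 16),
                       length=int(h.group("length")))
        packets.append(pkt)
    return packets


def audit_capture(packets):
    """Check what the 'require' policy promises.

    Every non-IKE packet between the hosts must carry AH+ESP, each direction
    should keep one SPI pair (a change is benign only after a rekey), and
    sequence numbers must only move forward: a repeat is exactly what the
    receiver's anti-replay window is there to reject.
    """
    cleartext, ike, replays, spi_changes = [], [], [], []
    spis, last_seq = {}, {}
    for p in packets:
        d = (p["src"], p["dst"])
        if p["ike"]:
            ike.append((p["ts"], d))  # the key exchange itself is not IPsec-protected
            continue
        if not p["protected"]:
            cleartext.append((p["ts"], d, p["rest"]))
            continue
        pair = (p["ah_spi"], p["esp_spi"])
        if spis.setdefault(d, pair) != pair:
            spi_changes.append((p["ts"], d, pair))
        if d in last_seq and p["ah_seq"] <= last_seq[d]:
            replays.append((p["ts"], d, p["ah_seq"]))
        last_seq[d] = max(last_seq.get(d, 0), p["ah_seq"])
    return {"cleartext": cleartext, "ike": ike, "replays": replays,
            "spi_changes": spi_changes, "spis": spis}


if __name__ == "__main__":
    report = audit_capture(parse_capture(CAPTURE))
    for key, value in report.items():
        print(f"{key}: {value}")
```

With a `require` policy and no SA yet, the kernel does not send the first packet in cleartext: it drops it and asks racoon to negotiate, which is why the first ping is lost. A cleartext echo request between the two hosts in a real capture therefore means the SPD was not loaded (or the level is `use`), not merely that the exchange was still in progress.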