Нужно сделать такой IPsec не только на виндовых клиентах, но и на юниксовых!
Теперь вопрос!
Нужно ли ставить на юникс-клиентах сам racoon, если да, то как его там конфигурировать?
З.Ы. Ключи раздаются по X.509
# confusing.
# Directory searched by "include" directives, and the directory racoon
# reads certificates and private keys from (the file names given under
# "remote" below are relative to it).
path include "/usr/local/etc/racoon" ;
path certificate "/usr/local/etc/racoon/cert" ;
# Very verbose logging. At debug levels racoon logs negotiation details
# (peer identities, proposal contents), so the log itself becomes an
# information source and grows quickly; drop to "notify" once the tunnel
# works. NOTE(review): the manual documents notify/debug/debug2 — confirm
# this build accepts debug4.
log debug4;
# these.
# ISAKMP payload padding parameters; these are the values of the stock
# sample configuration and normally need no change.
padding
{
maximum_length 20; # maximum padding length.
randomize off; # randomize padding length (off = fixed).
strict_check off; # strict check of received padding.
exclusive_tail off; # extract last one octet.
}
# Addresses racoon binds the IKE (ISAKMP) listener to. Binding a single
# address rather than a wildcard limits where negotiations are accepted.
listen
{
#isakmp ::1 [7000];
# IKE on UDP 500 of the LAN address only. NOTE(review): clients behind
# NAT also need a NAT-T listener (isakmp_natt, UDP 4500) — confirm the
# build has NAT-T support before relying on it.
isakmp 192.168.10.2 [500];
#admin [7002]; # administrative's port by kmpstat.
#strict_address; # require that all addresses can be bound.
}
# Retransmission and negotiation timeouts (global defaults; the manual
# notes they can be overridden per remote node).
timer
{
# These values can be changed per remote node.
counter 5; # maximum number of attempts to send a packet.
interval 20 sec; # maximum interval between resends.
persend 1; # the number of packets per send.
# Overall time allowed for a phase 1 / phase 2 negotiation to complete.
phase1 30 sec;
phase2 15 sec;
}
# Phase 1 (IKE) parameters applied to any peer ("anonymous"). Together
# with "passive on" this racoon only answers incoming negotiations, i.e.
# this is the server/responder side; a Unix client would need its own
# racoon with a "remote <server-address>" section and "passive off".
remote anonymous
{
# Both exchange modes are offered. Aggressive mode sends identities
# before encryption is established and gives up some of main mode's
# protections. NOTE(review): with rsasig and a fixed server address,
# main mode alone should suffice — drop "aggressive" unless a client
# requires it.
exchange_mode main,aggressive;
doi ipsec_doi;
situation identity_only;
# This host's own certificate and private key, located under the
# "path certificate" directory. The .key file must be readable by root only.
certificate_type x509 "ipsec-server.crt" "ipsec-server.key";
# Per the racoon.conf manual, a fixed peers_certfile makes racoon ignore
# the CERT payload and use this file as the peer's certificate, so every
# client must hold the private key matching ipsec-client.crt — one shared
# key pair, no per-client revocation. NOTE(review): confirm this is
# intended; for one certificate per client use CA-based verification
# (CA certificate in the cert directory) instead of a single peer file.
peers_certfile "ipsec-client.crt";
# Responder only: never initiate a negotiation.
passive on;
# Install SPD entries from the initiator's phase 2 proposal when none
# exist locally; the client therefore dictates the traffic selectors.
generate_policy on;
nonce_size 16;
# Phase 1 SA lifetime.
lifetime time 60 min; # sec,min,hour
initial_contact on;
#support_mip6 on;
# "obey": accept the initiator's lifetime and PFS values as offered.
proposal_check obey; # obey, strict or claim
# NOTE(review): 3DES and DH group 2 (1024-bit MODP) are legacy choices;
# ipsec-tools also offers aes and dh_group 14 (2048-bit) — prefer them
# where the clients support it.
proposal {
encryption_algorithm 3des;
hash_algorithm sha1;
authentication_method rsasig ;
dh_group 2 ;
}
}
# Phase 2 (IPsec SA) parameters for any selector ("anonymous").
sainfo anonymous
{
# PFS with DH group 1 (768-bit MODP) is weaker than the phase 1 group.
# NOTE(review): use at least the phase 1 group (2), preferably 14.
pfs_group 1;
# A 30-second phase 2 lifetime forces a rekey every half minute; looks
# like a test value — production values are usually minutes to hours.
lifetime time 30 sec;
# Every listed algorithm is acceptable to this responder, so a client
# proposing single DES (56-bit) or HMAC-MD5 gets it. NOTE(review): drop
# "des" and "hmac_md5" once no client still needs them.
encryption_algorithm 3des, des ;
authentication_algorithm hmac_sha1, hmac_md5;
# IPComp (deflate) compression of the tunnelled traffic.
compression_algorithm deflate ;
}