From: Dan W. <dw...@ol...> - 2008-09-22 06:20:02
Hi, I have a working configuration between two systems using transport mode. Each system is using Kerberos to key the negotiations and I've verified that pings are encrypted with a network sniffer. Both systems have nearly identical configuration:

/etc/racoon/racoon.conf:

    listen {
            adminsock disabled;
    }

    remote anonymous {
            exchange_mode aggressive,main;
            proposal_check claim;
            generate_policy on;
            nat_traversal off;
            #dpd_delay 20;
            #ike_frag on;
            proposal {
                    encryption_algorithm aes;
                    #hash_algorithm md5;
                    hash_algorithm sha1;
                    #authentication_method hybrid_rsa_server;
                    authentication_method gssapi_krb;
                    dh_group 2;
                    gss_id "host/host1.example.com";
            }
    }

    sainfo anonymous {
            #pfs_group 2;
            pfs_group 1;
            #lifetime time 1 hour;
            encryption_algorithm aes;
            #authentication_algorithm hmac_md5;
            authentication_algorithm hmac_sha1;
            compression_algorithm deflate;
    }

and my /etc/ipsec-tools.conf:

    #!/usr/sbin/setkey -f
    flush;
    spdflush;
    spdadd 2610:b8::xx:xx:xx:1 2610:b8::xx:xx:xx:2 any -P out ipsec esp/transport//require;
    spdadd 2610:b8::xx:xx:xx:2 2610:b8::xx:xx:xx:1 any -P in ipsec esp/transport//require;

This config has mostly been patched together from online examples. One host (say ...xx:1) is an ISP server, and I want to optionally offer IPsec to clients upon request... that is, if a client were to configure their own /etc/ipsec-tools.conf script like above, then the server would set up the appropriate associations, on demand, without having to manually configure an ipsec-tools.conf with entries for each client. Is this possible, and if so can anyone direct me to documentation on how to configure it?

Thank You,
- Dan
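The responder-only, on-demand arrangement asked about above, as an added example that is not part of Dan's message or of the ipsec-tools project: racoon's own `passive` and `generate_policy` directives let the server keep no per-client spdadd entries and instead install SPD entries from whatever transport-mode proposal a client initiates. Addresses (2001:db8:: documentation prefix) and the `server.example.com` principal are constructed placeholders; algorithms and the client-side policy mirror the message.

```conf
# /etc/racoon/racoon.conf on the ISP server (constructed example, not Dan's file).
# The server only ever answers IKE, so it declares no per-client policy itself.
listen {
        adminsock disabled;
}

remote anonymous {
        exchange_mode aggressive,main;
        proposal_check claim;
        passive on;           # responder only: never initiate, wait for clients
        generate_policy on;   # on phase 2, build SPD entries from the client's proposal
        nat_traversal off;
        proposal {
                encryption_algorithm aes;
                hash_algorithm sha1;
                authentication_method gssapi_krb;   # anonymous peers still need a valid Kerberos ticket
                dh_group 2;
                gss_id "host/server.example.com";   # placeholder principal
        }
}

sainfo anonymous {
        pfs_group 1;
        encryption_algorithm aes;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}

# /etc/ipsec-tools.conf on the ISP server: no spdadd lines at all.
#   flush;
#   spdflush;

# /etc/ipsec-tools.conf on a client (2001:db8::2 talking to the server at
# 2001:db8::1, placeholder addresses): only the client declares policy, and
# "require" means its traffic to the server is dropped until the SA exists.
#   flush;
#   spdflush;
#   spdadd 2001:db8::2 2001:db8::1 any -P out ipsec esp/transport//require;
#   spdadd 2001:db8::1 2001:db8::2 any -P in  ipsec esp/transport//require;
```

Once a client's first packet triggers phase 2, `setkey -DP` on the server should list the two generated transport-mode policies for that client's address pair, and `setkey -D` the matching ESP SAs. Clients that configure no policy of their own keep talking to the server in the clear, which is exactly the "optional" behaviour the question describes.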