ipsec.secrets Reference » History » Version 11
Tobias Brunner, 26.10.2011 16:54
1 | 11 | Tobias Brunner | {{title(ipsec.secrets Reference)}} |
---|---|---|---|
2 | 11 | Tobias Brunner | |
3 | 7 | Andreas Steffen | h1. ipsec.secrets |
4 | 7 | Andreas Steffen | |
5 | 7 | Andreas Steffen | |
6 | 7 | Andreas Steffen | strongSwan's _/etc/ipsec.secrets_ file contains an unlimited number of the following |
7 | 1 | Martin Willi | types of secrets: |
8 | 1 | Martin Willi | |
9 | 7 | Andreas Steffen | * [[RsaSecret|RSA]] defines an RSA private key |
10 | 7 | Andreas Steffen | * [[EcDsaSecret|ECDSA]] defines an ECDSA private key |
11 | 7 | Andreas Steffen | * [[PskSecret|PSK]] defines a pre-shared key |
12 | 7 | Andreas Steffen | * [[EapSecret|EAP]] defines EAP credentials |
13 | 7 | Andreas Steffen | * [[XauthSecret|XAUTH]] defines XAUTH credentials |
14 | 7 | Andreas Steffen | * [[PinSecret|PIN]] defines a smartcard PIN |
15 | 5 | Martin Willi | |
16 | 10 | Tobias Brunner | Whitespace at the end of a line is ignored. At the start of a line or after whitespace, # and the following text up to the end of the line is treated as a comment. |
17 | 10 | Tobias Brunner | |
18 | 10 | Tobias Brunner | An *include* directive causes the contents of the named file to be processed before continuing with the current file. The filename can contain wildcards, so every file with a matching name is processed. Includes may be nested to a modest depth (10, currently). If the filename doesn't start with a /, the directory containing the current file is prepended to the name. |
19 | 10 | Tobias Brunner | |
20 | 10 | Tobias Brunner | h2. ID selectors |
21 | 10 | Tobias Brunner | |
22 | 10 | Tobias Brunner | Each secret can be preceded by a list of optional ID selectors. The two parts are separated by a colon (:) that is surrounded by whitespace. If no ID selectors are specified the line must start with a colon. |
23 | 10 | Tobias Brunner | |
24 | 10 | Tobias Brunner | A selector is an IP address, a Fully Qualified Domain Name, user@FQDN, %any or %any6 (other kinds may come). An IP address may be written in the familiar dotted quad form or as a domain name to be looked up when the file is loaded. In many cases it is a bad idea to use domain names because the name server may not be running or may be insecure. To denote a Fully Qualified Domain Name (as opposed to an IP address denoted by its domain name), precede the name with an at sign (@). |
25 | 10 | Tobias Brunner | |
26 | 10 | Tobias Brunner | Matching IDs with selectors is fairly straightforward: they have to be equal. In the case of a _Road Warrior_ connection, if an equal match is not found for the Peer's ID, and it is in the form of an IP address, a selector of %any will match the peer's IP address if IPV4 and %any6 will match a the peer's IP address if IPV6. Currently, the obsolete notation 0.0.0.0 may be used in place of %any. |
27 | 10 | Tobias Brunner | |
28 | 10 | Tobias Brunner | When using IKEv1 an additional complexity arises in the case of authentication by preshared secret: the responder will need to look up the secret before the Peer's ID payload has been decoded, so the ID used will be the IP address. |
29 | 10 | Tobias Brunner | |
30 | 10 | Tobias Brunner | To authenticate a connection between two hosts, the entry that most specifically matches the host and peer IDs is used. An entry with no selectors will match any host and peer. More specifically, an entry with one selector will match a host and peer if the selector matches the host's ID (the peer isn't considered). Still more specifically, an entry with multiple selectors will match a host and peer if the host ID and peer ID each match one of the selectors. If the key is for an asymmetric authentication technique (i.e. a public key system such as RSA), an entry with multiple selectors will match a host and peer even if only the host ID matches a selector (it is presumed that the selectors are all identities of the host). It is acceptable for two entries to be the best match as long as they agree about the secret or private key. |
31 | 10 | Tobias Brunner | |
32 | 10 | Tobias Brunner | Authentication by preshared secret requires that both systems find the identical secret (the secret is not actually transmitted by the IKE protocol). If both the host and peer appear in the selector list, the same entry will be suitable for both systems so verbatim copying between systems can be used. This naturally extends to larger groups sharing the same secret. Thus multiple-selector entries are best for PSK authentication. |
33 | 10 | Tobias Brunner | |
34 | 10 | Tobias Brunner | Authentication by public key systems such as RSA requires that each host have its own private key. A host could reasonably use a different private keys for different interfaces and for different peers. But it would not be normal to share entries between systems. Thus thus no-selector and one-selector forms of entry often make sense for public key authentication. |
35 | 10 | Tobias Brunner | |
36 | 7 | Andreas Steffen | |
37 | 7 | Andreas Steffen | h2. Example |
38 | 7 | Andreas Steffen | |
39 | 7 | Andreas Steffen | <pre> |
40 | 5 | Martin Willi | # /etc/ipsec.secrets - strongSwan IPsec secrets file |
41 | 5 | Martin Willi | |
42 | 5 | Martin Willi | 192.168.0.1 %any : PSK "v+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL" |
43 | 5 | Martin Willi | |
44 | 5 | Martin Willi | : RSA moonKey.pem |
45 | 5 | Martin Willi | |
46 | 9 | Tobias Brunner | alice@strongswan.org : EAP "x3.dEhgN" |
47 | 1 | Martin Willi | |
48 | 9 | Tobias Brunner | carol : XAUTH "4iChxLT3" |
49 | 9 | Tobias Brunner | |
50 | 9 | Tobias Brunner | dave : XAUTH "ryftzG4A" |
51 | 8 | Tobias Brunner | |
52 | 8 | Tobias Brunner | # get secrets from other files |
53 | 8 | Tobias Brunner | include ipsec.*.secrets |
54 | 7 | Andreas Steffen | </pre> |