Project

General

Profile

ipsec.secrets Reference » History » Version 11

Tobias Brunner, 26.10.2011 16:54

1 11 Tobias Brunner
{{title(ipsec.secrets Reference)}}
2 11 Tobias Brunner
3 7 Andreas Steffen
h1. ipsec.secrets
4 7 Andreas Steffen
5 7 Andreas Steffen
6 7 Andreas Steffen
strongSwan's _/etc/ipsec.secrets_ file contains an unlimited number of the following
7 1 Martin Willi
types of secrets:
8 1 Martin Willi
9 7 Andreas Steffen
* [[RsaSecret|RSA]] defines an RSA private key
10 7 Andreas Steffen
* [[EcDsaSecret|ECDSA]] defines an ECDSA private key
11 7 Andreas Steffen
* [[PskSecret|PSK]] defines a pre-shared key
12 7 Andreas Steffen
* [[EapSecret|EAP]] defines EAP credentials
13 7 Andreas Steffen
* [[XauthSecret|XAUTH]] defines XAUTH credentials
14 7 Andreas Steffen
* [[PinSecret|PIN]] defines a smartcard PIN
15 5 Martin Willi
16 10 Tobias Brunner
Whitespace  at  the end of a line is ignored. At the start of a line or after whitespace, # and the following text up to the end of the line is treated as a comment.
17 10 Tobias Brunner
18 10 Tobias Brunner
An  *include*  directive causes the contents of the named file to be processed before continuing with the current file.  The filename  can contain wildcards, so every file with a matching name is processed.  Includes may be nested to a modest depth  (10,  currently).  If  the  filename  doesn't start with a /, the directory containing the current file is prepended to the name.
19 10 Tobias Brunner
20 10 Tobias Brunner
h2. ID selectors
21 10 Tobias Brunner
22 10 Tobias Brunner
Each secret can be preceded by a list of optional ID selectors. The two parts are separated by a colon (:) that is surrounded by whitespace. If no ID selectors are specified the line must start with a colon.
23 10 Tobias Brunner
24 10 Tobias Brunner
A  selector is an IP address, a Fully Qualified Domain Name, user@FQDN, %any or %any6 (other kinds may come).  An IP address may be written  in  the  familiar dotted quad form or as a domain name to be looked up when the file is loaded.  In many cases it is a bad idea to use domain names because  the  name  server  may  not be running or may be insecure.  To denote a Fully Qualified Domain Name  (as  opposed  to  an  IP  address denoted by its domain name), precede the name with an at sign (@).
25 10 Tobias Brunner
26 10 Tobias Brunner
Matching  IDs with selectors is fairly straightforward: they have to be equal.  In the case of a _Road Warrior_ connection, if an equal match is not found for the Peer's ID, and it is in the form of an IP address, a selector of %any will match the peer's IP address if IPV4  and  %any6  will  match  a  the peer's IP address if IPV6.  Currently, the obsolete notation 0.0.0.0 may be used in place of %any.
27 10 Tobias Brunner
28 10 Tobias Brunner
When using IKEv1 an additional complexity arises in the case of  authentication by  preshared  secret:  the  responder  will need to look up the secret before the Peer's ID payload has been decoded, so the ID used  will  be  the IP address.
29 10 Tobias Brunner
30 10 Tobias Brunner
To  authenticate  a  connection  between two hosts, the entry that most  specifically matches the host and peer IDs is used.  An entry  with  no   selectors  will  match  any host and peer.  More specifically, an entry  with one selector will match a host and peer if  the  selector  matches  the host's ID (the peer isn't considered).  Still more specifically, an entry with multiple selectors will match a host and peer if the host ID  and  peer  ID  each  match  one of the selectors.  If the key is for an asymmetric authentication technique (i.e. a public key system  such  as RSA),  an entry with multiple selectors will match a host and peer even if only the host ID matches a selector (it is presumed that the  selectors are all identities of the host).  It is acceptable for two entries to be the best match as long as they agree about the secret or  private key.
31 10 Tobias Brunner
32 10 Tobias Brunner
Authentication  by preshared secret requires that both systems find the identical secret (the secret is not actually  transmitted  by  the  IKE  protocol).   If both the host and peer appear in the selector list, the  same entry will be  suitable  for  both  systems  so  verbatim  copying   between  systems  can be used.  This naturally extends to larger groups sharing the same secret.  Thus multiple-selector entries are  best  for  PSK authentication.
33 10 Tobias Brunner
34 10 Tobias Brunner
Authentication  by  public  key  systems such as RSA requires that each host have its own private key.  A host could reasonably use a different  private  keys for different interfaces and for different peers.  But it would not be normal to share entries between systems.   Thus  thus  no-selector  and  one-selector  forms of entry often make sense for public key authentication.
35 10 Tobias Brunner
36 7 Andreas Steffen
37 7 Andreas Steffen
h2. Example
38 7 Andreas Steffen
39 7 Andreas Steffen
<pre>
40 5 Martin Willi
# /etc/ipsec.secrets - strongSwan IPsec secrets file
41 5 Martin Willi
42 5 Martin Willi
192.168.0.1 %any : PSK "v+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL"
43 5 Martin Willi
44 5 Martin Willi
: RSA moonKey.pem
45 5 Martin Willi
46 9 Tobias Brunner
alice@strongswan.org : EAP "x3.dEhgN"
47 1 Martin Willi
48 9 Tobias Brunner
carol : XAUTH "4iChxLT3"
49 9 Tobias Brunner
50 9 Tobias Brunner
dave  : XAUTH "ryftzG4A"
51 8 Tobias Brunner
52 8 Tobias Brunner
# get secrets from other files
53 8 Tobias Brunner
include ipsec.*.secrets
54 7 Andreas Steffen
</pre>