ipsec.secrets Reference » History » Version 15

Andreas Steffen, 29.11.2014 12:40
Added link to BLISS keys

{{title(ipsec.secrets Reference)}}
h1. ipsec.secrets

strongSwan's _/etc/ipsec.secrets_ file contains an unlimited number of the following types of secrets:

* [[RsaSecret|RSA]] defines an RSA private key
* [[EcDsaSecret|ECDSA]] defines an ECDSA private key
* [[Bliss|BLISS]] defines a BLISS private key (since [[5.2.2]])
* [[P12Secret|P12]] defines a PKCS#12 container (since [[5.1.0]])
* [[PskSecret|PSK]] defines a pre-shared key
* [[EapSecret|EAP]] defines EAP credentials
* [[NTLMSecret|NTLM]] defines NTLM credentials
* [[XauthSecret|XAUTH]] defines XAUTH credentials
* [[PinSecret|PIN]] defines a smartcard PIN

Whitespace at the end of a line is ignored. At the start of a line or after whitespace, # and the following text up to the end of the line is treated as a comment.

An *include* directive causes the contents of the named file to be processed before continuing with the current file. The filename can contain wildcards, so every file with a matching name is processed. Includes may be nested to a modest depth (10, currently). If the filename doesn't start with a /, the directory containing the current file is prepended to the name.

h2. ID selectors

Each secret can be preceded by a list of optional ID selectors. The two parts are separated by a colon (:) that is surrounded by whitespace. If no ID selectors are specified, the line must start with a colon.

A selector is an IP address, a Fully Qualified Domain Name, user@FQDN, %any or %any6 (other kinds may come). An IP address may be written in the familiar dotted quad form or as a domain name to be looked up when the file is loaded. In many cases it is a bad idea to use domain names because the name server may not be running or may be insecure. To denote a Fully Qualified Domain Name (as opposed to an IP address denoted by its domain name), precede the name with an at sign (@).

Matching IDs with selectors is fairly straightforward: they have to be equal. In the case of a _Road Warrior_ connection, if an equal match is not found for the peer's ID, and it is in the form of an IP address, a selector of %any will match the peer's IP address if IPv4 and %any6 will match the peer's IP address if IPv6. Currently, the obsolete notation may be used in place of %any.

When using IKEv1 an additional complexity arises in the case of authentication by preshared secret: the responder will need to look up the secret before the peer's ID payload has been decoded, so the ID used will be the IP address.

To authenticate a connection between two hosts, the entry that most specifically matches the host and peer IDs is used. An entry with no selectors will match any host and peer. More specifically, an entry with one selector will match a host and peer if the selector matches the host's ID (the peer isn't considered). Still more specifically, an entry with multiple selectors will match a host and peer if the host ID and peer ID each match one of the selectors. If the key is for an asymmetric authentication technique (i.e. a public key system such as RSA), an entry with multiple selectors will match a host and peer even if only the host ID matches a selector (it is presumed that the selectors are all identities of the host). It is acceptable for two entries to be the best match as long as they agree about the secret or private key.

Authentication by preshared secret requires that both systems find the identical secret (the secret is not actually transmitted by the IKE protocol). If both the host and peer appear in the selector list, the same entry will be suitable for both systems, so verbatim copying between systems can be used. This naturally extends to larger groups sharing the same secret. Thus multiple-selector entries are best for PSK authentication.

Authentication by public key systems such as RSA requires that each host have its own private key. A host could reasonably use different private keys for different interfaces and for different peers. But it would not be normal to share entries between systems. Thus no-selector and one-selector forms of entry often make sense for public key authentication.

h2. Example

<pre>
# /etc/ipsec.secrets - strongSwan IPsec secrets file

%any : PSK "v+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL"

: RSA moonKey.pem

: EAP "x3.dEhgN"

carol : XAUTH "4iChxLT3"

dave  : XAUTH "ryftzG4A"

# get secrets from other files
include ipsec.*.secrets
</pre>
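
The comment, quoting, include and selector-matching rules described on this page, as an added example in Python that is not strongSwan's own parser: it reads a file in this format, follows include directives (wildcards, paths relative to the including file, the nesting limit of 10) and picks the most specific entry for a host/peer ID pair with the no-selector, one-selector and multi-selector rules from the ID selectors section. The FILES dictionary is a constructed in-memory stand-in for /etc and its contents are sample values, not taken from any installation; domain-name selectors are not resolved through DNS but compared literally, and the set of public-key secret types is the one from the list at the top of this page.

```python
# Added example, not strongSwan code: parser and selector lookup for ipsec.secrets per the text above.
import fnmatch
import ipaddress
import posixpath
from collections import namedtuple

MAX_INCLUDE_DEPTH = 10                         # "nested to a modest depth (10, currently)"
ASYMMETRIC = {"RSA", "ECDSA", "BLISS", "P12"}  # public-key secret types from the list above
Entry = namedtuple("Entry", "selectors kind value")

FILES = {   # constructed in-memory stand-ins for /etc, not a real installation
    "/etc/ipsec.secrets": (
        '%any : PSK "roadwarrior-psk"     # comment after whitespace is dropped\n'
        ': RSA defaultKey.pem\n'
        '192.168.0.1 192.168.0.2 : PSK "site to site"\n'
        '@moon.strongswan.org @sun.strongswan.org : RSA moonKey.pem\n'
        'include ipsec.*.secrets\n'
    ),
    "/etc/ipsec.xauth.secrets": 'carol : XAUTH "4iChxLT3"\ndave  : XAUTH "ryftzG4A"\n',
    "/etc/loop.secrets": "include loop.secrets\n",   # would nest forever
}

def tokenize(line):
    # Whitespace split honouring quotes; '#' opens a comment only at token start
    tokens, tok, in_tok, quote = [], "", False, None
    for c in line:
        if quote:                        # inside quotes everything is literal
            if c == quote:
                quote = None
            else:
                tok += c
        elif c in " \t":
            if in_tok:
                tokens.append(tok)
            tok, in_tok = "", False
        elif c == "#" and not in_tok:    # line start or after whitespace
            break
        elif c in "\"'":
            quote, in_tok = c, True
        else:
            tok, in_tok = tok + c, True
    return tokens + [tok] if in_tok else tokens

def load(path, files=FILES, depth=0):
    # Parse one file, following include directives (wildcards, relative paths, depth limit)
    if depth > MAX_INCLUDE_DEPTH:
        raise ValueError(f"include nesting deeper than {MAX_INCLUDE_DEPTH} at {path}")
    entries = []
    for lineno, line in enumerate(files[path].splitlines(), 1):
        tokens = tokenize(line)
        if not tokens:
            continue
        if tokens[0] == "include":
            pattern = tokens[1]
            if not pattern.startswith("/"):   # relative to the including file's directory
                pattern = posixpath.join(posixpath.dirname(path), pattern)
            for name in sorted(n for n in files if fnmatch.fnmatchcase(n, pattern)):
                entries.extend(load(name, files, depth + 1))
            continue
        colon = tokens.index(":") if ":" in tokens else -1
        if colon < 0 or len(tokens) < colon + 3:
            raise ValueError(f"{path}:{lineno}: expected '[selectors] : TYPE value'")
        entries.append(Entry(tokens[:colon], tokens[colon + 1].upper(), " ".join(tokens[colon + 2:])))
    return entries

def selector_matches(selector, identity):
    # Equality first; %any / %any6 stand in for an IPv4 / IPv6 address ID
    if selector == identity:
        return True
    try:
        version = ipaddress.ip_address(identity).version
    except ValueError:                   # FQDN, user@FQDN or no ID at all: no %any fallback
        return False
    return (selector == "%any" and version == 4) or (selector == "%any6" and version == 6)

def specificity(entry, host_id, peer_id):
    # 0, 1 or 2 for the no-, one- and multi-selector rules; None when the entry does not match
    if not entry.selectors:
        return 0
    if len(entry.selectors) == 1:        # the peer is not considered
        return 1 if selector_matches(entry.selectors[0], host_id) else None
    host_ok = any(selector_matches(s, host_id) for s in entry.selectors)
    peer_ok = any(selector_matches(s, peer_id) for s in entry.selectors)
    # public-key entries match on the host ID alone: the selectors are all host identities
    return 2 if host_ok and (peer_ok or entry.kind in ASYMMETRIC) else None

def lookup(entries, host_id, peer_id, kind):
    # Most specific entry of the wanted type; equally specific entries must agree on the secret
    best, best_score = [], -1
    for e in entries:
        score = specificity(e, host_id, peer_id) if e.kind == kind else None
        if score is None:
            continue
        if score > best_score:
            best, best_score = [e], score
        elif score == best_score:
            best.append(e)
    if not best:
        return None
    if len({e.value for e in best}) > 1:
        raise ValueError(f"conflicting equally specific {kind} entries for {host_id}/{peer_id}")
    return best[0].value
```

With the sample above, `lookup(load("/etc/ipsec.secrets"), "192.168.0.1", "192.168.0.2", "PSK")` returns the two-selector site-to-site secret rather than the `%any` one, while the same host with a road-warrior peer at another address falls back to the `%any` entry because a PSK entry with multiple selectors needs both IDs to match. An RSA lookup for `@moon.strongswan.org` picks `moonKey.pem` even though the peer is not in its selector list, which is the asymmetric rule from the text; two entries of equal specificity that disagree on the secret raise an error instead of silently choosing one.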