ipsec.secrets Reference » History » Version 18

Tobias Brunner, 23.03.2016 10:08

{{title(ipsec.secrets Reference)}}
h1. ipsec.secrets
strongSwan's _/etc/ipsec.secrets_ file contains any number of the following types of secrets:
* [[RsaSecret|RSA]] defines an RSA private key
* [[EcDsaSecret|ECDSA]] defines an ECDSA private key
* [[BlissSecret|BLISS]] defines a BLISS private key (since [[5.2.2]])
* [[P12Secret|P12]] defines a PKCS#12 container (since [[5.1.0]])
* [[PskSecret|PSK]] defines a pre-shared key
* [[EapSecret|EAP]] defines EAP credentials
* [[NTLMSecret|NTLM]] defines NTLM credentials
* [[XauthSecret|XAUTH]] defines XAUTH credentials
* [[PinSecret|PIN]] defines a smartcard PIN
Whitespace at the end of a line is ignored. At the start of a line or after whitespace, a # and the text following it up to the end of the line are treated as a comment.
An *include* directive causes the contents of the named file to be processed before continuing with the current file. The filename can contain wildcards, so every file with a matching name is processed. Includes may be nested to a modest depth (currently 10). If the filename doesn't start with a /, the directory containing the current file is prepended to the name.
h2. ID selectors
Each secret can be preceded by a list of optional ID selectors. The two parts are separated by a colon (:) that is surrounded by whitespace. If no ID selectors are specified, the line must start with a colon.
A selector is an IP address, a Fully Qualified Domain Name, user@FQDN, %any or %any6. Since version:5.4.0, IPv4 and IPv6 subnets in CIDR notation and address ranges (two addresses separated by a @-@ without any spaces) may also be used as selectors. Refer to [[IdentityParsing]] for details on how identities are parsed.
Matching IDs with selectors is fairly straightforward: they have to be equal. In the case of a _Road Warrior_ connection, if an equal match is not found for the peer's ID and it is in the form of an IP address, a selector of %any will match the peer's IP address if it is IPv4, and %any6 will match it if it is IPv6. Currently, the obsolete notation may be used in place of %any.
When using IKEv1, an additional complexity arises in the case of authentication by preshared secret: the responder will need to look up the secret before the peer's ID payload has been decoded, so the ID used will be the IP address.
To authenticate a connection between two hosts, the entry that most specifically matches the host and peer IDs is used. An entry with no selectors will match any host and peer. More specifically, an entry with one selector will match a host and peer if the selector matches the host's ID (the peer isn't considered). Still more specifically, an entry with multiple selectors will match a host and peer if the host ID and peer ID each match one of the selectors. If the key is for an asymmetric authentication technique (i.e. a public key system such as RSA), an entry with multiple selectors will match a host and peer even if only the host ID matches a selector (it is presumed that the selectors are all identities of the host). It is acceptable for two entries to be the best match as long as they agree about the secret or private key.
Authentication by preshared secret requires that both systems find the identical secret (the secret is not actually transmitted by the IKE protocol). If both the host and peer appear in the selector list, the same entry will be suitable for both systems, so verbatim copying between systems can be used. This naturally extends to larger groups sharing the same secret. Thus multiple-selector entries are best for PSK authentication.
Authentication by public key systems such as RSA requires that each host have its own private key. A host could reasonably use different private keys for different interfaces and for different peers, but it would not be normal to share entries between systems. Thus no-selector and one-selector forms of entry often make sense for public key authentication.
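The parsing and matching rules described above, modelled in Python as an added illustration (this is not strongSwan's own code): the sample file, its host names and secrets are constructed, and the numeric specificity scores are this example's own device for ranking the no-selector, one-selector, multi-selector, %any/%any6 and asymmetric-key cases the text lists.

```python
import ipaddress
import re
SAMPLE = '''# constructed sample: hypothetical names and secrets, not the page's example
: PSK "default-psk"                                        # no selectors
moon.strongswan.org : RSA moonKey.pem                      # one selector
moon.strongswan.org carol@strongswan.org : PSK "moon-carol-psk"
moon.strongswan.org %any : PSK "roadwarrior-psk"
'''

def parse_secrets(text):
    """Return a list of (selectors, type, value); drops comments and blank lines."""
    entries = []
    for raw in text.splitlines():
        line = re.sub(r'(^|\s)#.*$', '', raw).rstrip()    # '#' at start or after whitespace
        if not line:
            continue
        if line.startswith(':'):                            # no selectors: line starts with ':'
            sels, rest = [], line[1:]
        else:
            parts = re.split(r'\s+:\s+', line, maxsplit=1)  # ':' surrounded by whitespace
            if len(parts) != 2:
                raise ValueError('malformed line: %r' % raw)
            sels, rest = parts[0].split(), parts[1]
        kind, _, value = rest.strip().partition(' ')
        entries.append((sels, kind, value.strip().strip('"')))
    return entries

def specificity(sels, host_id, peer_id, asymmetric):
    """Score an entry by the matching rules; None means no match, higher wins."""
    if not sels:
        return 0                          # no selectors: matches any host and peer
    if host_id not in sels:
        return None                       # the host ID must always match a selector
    if len(sels) == 1:
        return 1                          # one selector: the peer is not considered
    if asymmetric or peer_id in sels:
        return 3                          # selectors all presumed host IDs / equal peer match
    try:                                  # %any/%any6 apply only when the peer ID is an IP
        wildcard = {4: '%any', 6: '%any6'}[ipaddress.ip_address(peer_id).version]
    except ValueError:
        return None                       # peer ID is not an IP address
    return 2 if wildcard in sels else None

def lookup(entries, host_id, peer_id):
    """Return (type, value) of the most specific matching entry, or None."""
    best, best_score = None, -1
    for sels, kind, value in entries:
        score = specificity(sels, host_id, peer_id, kind in ('RSA', 'ECDSA', 'BLISS', 'P12'))
        if score is not None and score > best_score:
            best, best_score = (kind, value), score
    return best
```

Note that the model scores an equal peer match above a %any match, which reproduces the rule that %any only applies when no equal match for the peer's ID exists.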
h2. Example

<pre>
# /etc/ipsec.secrets - strongSwan IPsec secrets file

: PSK "v+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL"

: RSA moonKey.pem

: EAP "x3.dEhgN"

carol : XAUTH "4iChxLT3"

dave  : XAUTH "ryftzG4A"

# get secrets from other files
include ipsec.*.secrets
</pre>