16.2.2. IPsec Interfaces
The following example shows the
ifcfg file for a network-to-network IPsec connection for LAN A. The unique name to identify the connection in this example is ipsec1, so the resulting file is named /etc/sysconfig/network-scripts/ifcfg-ipsec1.
TYPE=IPsec ONBOOT=yes IKE_METHOD=PSK SRCNET=192.168.1.0/24 DSTNET=192.168.2.0/24 DST=X.X.X.X
In the example above, X.X.X.X is the publicly routable
IP address of the destination IPsec router.
Below is a listing of the configurable parameters for an IPsec interface:
-
DST=<address> - where <address> is the
IPaddress of the IPsec destination host or router. This is used for both host-to-host and network-to-network IPsec configurations. -
DSTNET=<network> - where <network> is the network address of the IPsec destination network. This is only used for network-to-network IPsec configurations.
-
SRC=<address> - where <address> is the
IPaddress of the IPsec source host or router. This setting is optional and is only used for host-to-host IPsec configurations. -
SRCNET=<network> - where <network> is the network address of the IPsec source network. This is only used for network-to-network IPsec configurations.
-
TYPE=<interface-type> - where <interface-type> is
IPSEC. Both applications are part of theipsec-toolspackage.
If manual key encryption with IPsec is being used, refer to
/usr/share/doc/initscripts-<version-number>/sysconfig.txt (replace <version-number> with the version of the initscripts package installed) for configuration parameters.
The
racoon IKEv1 key management daemon negotiates and configures a set of parameters for IPSec. It can use preshared keys, RSA signatures, or GSS-API. If racoon is used to automatically manage key encryption, the following options are required:
-
IKE_METHOD=<encryption-method> - where <encryption-method> is either
PSK,X509, orGSSAPI. IfPSKis specified, theIKE_PSKparameter must also be set. IfX509is specified, theIKE_CERTFILEparameter must also be set. -
IKE_PSK=<shared-key> - where <shared-key> is the shared, secret value for the PSK (preshared keys) method.
-
IKE_CERTFILE=<cert-file> - where <cert-file> is a valid
X.509certificate file for the host. -
IKE_PEER_CERTFILE=<cert-file> - where <cert-file> is a valid
X.509certificate file for the remote host. -
IKE_DNSSEC=<answer> - where <answer> is
yes. Theracoondaemon retrieves the remote host'sX.509certificate via DNS. If aIKE_PEER_CERTFILEis specified, do not include this parameter.
For more information about the encryption algorithms available for IPsec, refer to the
setkey man page. For more information about racoon, refer to the racoon and racoon.conf man pages.
