Cleaned configuration files in PT-TLS client scenario
This commit is contained in:
parent
d7ae0b254d
commit
03d673620d
|
@ -1,23 +1,3 @@
|
|||
# /etc/ipsec.conf - strongSwan IPsec configuration file
|
||||
|
||||
config setup
|
||||
charondebug="tnc 3, imc 3"
|
||||
|
||||
conn %default
|
||||
ikelifetime=60m
|
||||
keylife=20m
|
||||
rekeymargin=3m
|
||||
keyingtries=1
|
||||
keyexchange=ikev2
|
||||
|
||||
conn home
|
||||
left=PH_IP_CAROL
|
||||
leftauth=eap
|
||||
leftfirewall=yes
|
||||
right=PH_IP_MOON
|
||||
rightid=@moon.strongswan.org
|
||||
rightsubnet=10.1.0.0/16
|
||||
rightauth=pubkey
|
||||
eap_identity=carol
|
||||
aaa_identity="C=CH, O=Linux strongSwan, CN=aaa.strongswan.org"
|
||||
auto=add
|
||||
# the PT-TLS client reads its configuration via the command line
|
||||
|
|
|
@ -1,3 +1,3 @@
|
|||
# /etc/ipsec.secrets - strongSwan IPsec secrets file
|
||||
|
||||
carol : EAP "Ar3etTnp"
|
||||
# the PT-TLS client loads its secrets via the command line
|
||||
|
|
|
@ -0,0 +1,4 @@
|
|||
/* strongSwan SQLite database */
|
||||
|
||||
/* configuration is read from the command line */
|
||||
/* credentials are read from the command line */
|
|
@ -1,23 +1,3 @@
|
|||
# /etc/ipsec.conf - strongSwan IPsec configuration file
|
||||
|
||||
config setup
|
||||
charondebug="tnc 3, imc 3"
|
||||
|
||||
conn %default
|
||||
ikelifetime=60m
|
||||
keylife=20m
|
||||
rekeymargin=3m
|
||||
keyingtries=1
|
||||
keyexchange=ikev2
|
||||
|
||||
conn home
|
||||
left=PH_IP_DAVE
|
||||
leftauth=eap
|
||||
leftfirewall=yes
|
||||
right=PH_IP_MOON
|
||||
rightid=@moon.strongswan.org
|
||||
rightsubnet=10.1.0.0/16
|
||||
rightauth=pubkey
|
||||
eap_identity=dave
|
||||
aaa_identity="C=CH, O=Linux strongSwan, CN=aaa.strongswan.org"
|
||||
auto=add
|
||||
# the PT-TLS client reads its configuration via the command line
|
||||
|
|
|
@ -1,3 +1,3 @@
|
|||
# /etc/ipsec.secrets - strongSwan IPsec secrets file
|
||||
|
||||
dave : EAP "W7R0g3do"
|
||||
# the PT-TLS client loads its secrets via the command line
|
||||
|
|
|
@ -0,0 +1,4 @@
|
|||
/* strongSwan SQLite database */
|
||||
|
||||
/* configuration is read from the command line */
|
||||
/* credentials are read from the command line */
|
|
@ -1,33 +0,0 @@
|
|||
# /etc/ipsec.conf - strongSwan IPsec configuration file
|
||||
|
||||
config setup
|
||||
|
||||
conn %default
|
||||
ikelifetime=60m
|
||||
keylife=20m
|
||||
rekeymargin=3m
|
||||
keyingtries=1
|
||||
keyexchange=ikev2
|
||||
|
||||
conn rw-allow
|
||||
rightgroups=allow
|
||||
leftsubnet=10.1.0.0/28
|
||||
also=rw-eap
|
||||
auto=add
|
||||
|
||||
conn rw-isolate
|
||||
rightgroups=isolate
|
||||
leftsubnet=10.1.0.16/28
|
||||
also=rw-eap
|
||||
auto=add
|
||||
|
||||
conn rw-eap
|
||||
left=PH_IP_MOON
|
||||
leftcert=moonCert.pem
|
||||
leftid=@moon.strongswan.org
|
||||
leftauth=pubkey
|
||||
leftfirewall=yes
|
||||
rightauth=eap-radius
|
||||
rightsendcert=never
|
||||
right=%any
|
||||
eap_identity=%any
|
|
@ -1,3 +0,0 @@
|
|||
# /etc/ipsec.secrets - strongSwan IPsec secrets file
|
||||
|
||||
: RSA moonKey.pem
|
|
@ -1,32 +0,0 @@
|
|||
*filter
|
||||
|
||||
# default policy is DROP
|
||||
-P INPUT DROP
|
||||
-P OUTPUT DROP
|
||||
-P FORWARD DROP
|
||||
|
||||
# allow esp
|
||||
-A INPUT -i eth0 -p 50 -j ACCEPT
|
||||
-A OUTPUT -o eth0 -p 50 -j ACCEPT
|
||||
|
||||
# allow IKE
|
||||
-A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
|
||||
-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
|
||||
|
||||
# allow MobIKE
|
||||
-A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
|
||||
-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
|
||||
|
||||
# allow ssh
|
||||
-A INPUT -p tcp --dport 22 -j ACCEPT
|
||||
-A OUTPUT -p tcp --sport 22 -j ACCEPT
|
||||
|
||||
# allow crl fetch from winnetou
|
||||
-A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
|
||||
-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
|
||||
|
||||
# allow RADIUS protocol with alice
|
||||
-A INPUT -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT
|
||||
-A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT
|
||||
|
||||
COMMIT
|
|
@ -1,14 +0,0 @@
|
|||
# /etc/strongswan.conf - strongSwan configuration file
|
||||
|
||||
charon {
|
||||
load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-radius updown
|
||||
multiple_authentication=no
|
||||
plugins {
|
||||
eap-radius {
|
||||
secret = gv6URkSs
|
||||
#server = PH_IP6_ALICE
|
||||
server = PH_IP_ALICE
|
||||
filter_id = yes
|
||||
}
|
||||
}
|
||||
}
|
|
@ -18,7 +18,7 @@ TCPDUMPHOSTS="moon"
|
|||
# Guest instances on which IPsec is started
|
||||
# Used for IPsec logging purposes
|
||||
#
|
||||
IPSECHOSTS="moon carol dave alice"
|
||||
IPSECHOSTS="carol dave alice"
|
||||
|
||||
# Guest instances on which FreeRadius is started
|
||||
#
|
||||
|
|
Loading…
Reference in New Issue