Dell EqualLogic PS6610E - EqualLogic Group Manager Administrator's Guide (PS Series) - Page 90
NOTE: strongSwan allows you to specify properties that apply to all connections (conn %default). The auto=route directive tells strongSwan to install an IPsec security policy into the host's security policy database for every defined connection. If this directive were not present here, it would need to appear in the configuration for every connection.

keyexchange=ikev1 is necessary because, by default, the array uses and expects IKE version 1 for the key exchange. If you try to connect from the strongSwan side and this parameter is missing, strongSwan defaults to IKEv2; because IKEv1 is expected, the result is a failure to connect. The converse is not true: if the connection is initiated from the PS side, strongSwan accepts either IKEv1 or IKEv2.

Two more "connections" are defined, one for each of the IP addresses on the array. strongSwan uses the names to keep track of the connections; for example, you can ask for the status of a specific connection by name, shut down a connection by name, and so on. Connection names must be unique from one another. For example, you cannot have two connections named kirt5eth0.

type=tunnel tells strongSwan that tunnel-mode IPsec is to be used for the connection. The alternative is transport mode (type=transport). This mode must be consistent with the array's configuration; that is, the array side must also be configured for the same mode, transport or tunnel.

authby=psk means that strongSwan expects to use pre-shared keys for authentication. In this example, it was implemented as a per-connection configuration item, but it could also be specified for the default connection, meaning that all connections would use pre-shared keys. The array's configuration must also use pre-shared keys.

Here is the ipsec.secrets file:

    # This file holds shared secrets or RSA private keys for authentication.
    # RSA private key for this host, authenticating it to any other host
    # which knows the public part. Suitable public keys, for ipsec.conf, DNS,
    # or configuration of other implementations, can be extracted conveniently
    # with "ipsec showhostkey".
    : PSK "my_shared_key"
    # 10.124.65.39 %any : PSK "my_shared_key"
    # 10.124.65.38 %any : PSK "my_shared_key"

NOTE: This file defines a single pre-shared key that can be used for any connection defined in ipsec.conf. In the commented-out examples, connection-specific pre-shared keys are provided; %any represents any IP address on the strongSwan side. Using %any is easier than specifying that host's IP address (which, if done incorrectly, results in a failure to establish a connection).

Example 3: Tunnel Mode (Between Linux Hosts) Using Certificate-Based Authentication

In Figure 12, Tunnel Mode Between Linux Hosts Using Certificate-Based Authentication, an IPsec connection is established between Linux hosts running strongSwan and the PS Series group. The IPv4 and IPv6 traffic is protected using certificates. Either IKEv1 or IKEv2 can be used in this configuration. This particular example uses IKEv2.

90 About Group-Level Security
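The consistency rules from the strongSwan NOTE above (conn %default inheritance, auto=route, keyexchange=ikev1 when strongSwan initiates, type matching the array's mode, authby=psk, unique connection names) can be checked mechanically before a connection attempt. The script below is an added example, not part of the Dell guide or of strongSwan: it parses a constructed ipsec.conf, merges the %default settings into each conn, and reports the settings the array side would not accept. The connection names array-eth0 and array-eth1 are constructed; the two array addresses are the ones shown in the ipsec.secrets comments.

```python
import re

# Constructed sample ipsec.conf (not the guide's listing); the second conn deliberately deviates.
SAMPLE_IPSEC_CONF = """\
conn %default
    auto=route
    keyexchange=ikev1

conn array-eth0
    right=10.124.65.39
    type=tunnel
    authby=psk

conn array-eth1
    right=10.124.65.38
    type=transport
    keyexchange=ikev2
    authby=psk
"""

def parse_ipsec_conf(text):
    """Return {conn: {key: value}} with the conn %default settings merged in."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()           # drop comments
        head = re.match(r"^conn\s+(\S+)", line)
        if head:                                        # new conn section
            current = head.group(1)
            if current in conns:                        # names must be unique
                raise ValueError(f"duplicate conn name: {current}")
            conns[current] = {}
        elif current is not None and "=" in line:       # key=value inside a conn
            key, value = line.strip().split("=", 1)
            conns[current][key.strip()] = value.strip()
    defaults = conns.pop("%default", {})
    return {name: {**defaults, **opts} for name, opts in conns.items()}

def check_against_array(conns, array_mode="tunnel", array_auth="psk"):
    """List (conn, problem) pairs for settings the array side would not accept."""
    problems = []
    for name, opts in conns.items():
        if opts.get("auto") != "route":
            problems.append((name, "auto=route missing: no policy installed in the SPD"))
        if opts.get("keyexchange") != "ikev1":
            problems.append((name, "keyexchange=ikev1 needed when strongSwan initiates"))
        if opts.get("type", "tunnel") != array_mode:
            problems.append((name, f"type mismatch: host {opts.get('type')}, array {array_mode}"))
        if opts.get("authby") != array_auth:
            problems.append((name, f"authby must be {array_auth} to match the array"))
    return problems
```

Run check_against_array(parse_ipsec_conf(SAMPLE_IPSEC_CONF)) and only array-eth1 is reported, once for its IKEv2 setting and once for the transport/tunnel mismatch; array-eth0 inherits auto=route and keyexchange=ikev1 from %default and passes.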