Source-Changes-HG archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
[src/trunk]: src Update sample config file to higher security settings
details: https://anonhg.NetBSD.org/src/rev/dc96439cfe08
branches: trunk
changeset: 580823:dc96439cfe08
user: manu <manu%NetBSD.org@localhost>
date: Tue May 10 10:22:03 2005 +0000
description:
Update sample config file to higher security settings
diffstat:
crypto/dist/ipsec-tools/ChangeLog | 7 ++++
crypto/dist/ipsec-tools/src/racoon/samples/roadwarrior/README | 12 ++------
crypto/dist/ipsec-tools/src/racoon/samples/roadwarrior/client/racoon.conf | 6 ++--
crypto/dist/ipsec-tools/src/racoon/samples/roadwarrior/server/phase1-down.sh | 15 ----------
crypto/dist/ipsec-tools/src/racoon/samples/roadwarrior/server/racoon.conf | 10 +++---
crypto/dist/ipsec-tools/src/racoon/samples/roadwarrior/server/racoon.conf-radius | 10 +++---
lib/libipsec/package_version.h | 4 +-
7 files changed, 25 insertions(+), 39 deletions(-)
diffs (168 lines):
diff -r 4f3579a06e48 -r dc96439cfe08 crypto/dist/ipsec-tools/ChangeLog
--- a/crypto/dist/ipsec-tools/ChangeLog Tue May 10 09:54:43 2005 +0000
+++ b/crypto/dist/ipsec-tools/ChangeLog Tue May 10 10:22:03 2005 +0000
@@ -1,5 +1,12 @@
2005-05-10 Emmanuel Dreyfus <manu%netbsd.org@localhost>
+ * src/racoon/samples/roadwarrior/client/racoon.conf
+ src/racoon/samples/roadwarrior/server/{racoon.conf|racoon.conf-radius}
+ src/racoon/samples/roadwarrior/server/phase1-down.sh: removed file
+ src/racoon/samples/roadwarrior/README: update config files to
+ higher security settings. Remove now useless phase 1 down
+ script on server side.
+
* src/racoon/ipsec_doi.c: check for lifebyte in proposals
* src/racoon/ipsec_doi.c: fix a bug in proposal_check claim for phase 1
diff -r 4f3579a06e48 -r dc96439cfe08 crypto/dist/ipsec-tools/src/racoon/samples/roadwarrior/README
--- a/crypto/dist/ipsec-tools/src/racoon/samples/roadwarrior/README Tue May 10 09:54:43 2005 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/samples/roadwarrior/README Tue May 10 10:22:03 2005 +0000
@@ -23,20 +23,14 @@
to be used for the RADIUS server are configured in /etc/radius.conf,
see radius.conf(5).
-Both config files use the server/phase1-down.sh script, which is
-used to work around a bug in raccon with flushing automatically
-generated SAD and SPD entries. This script will not be needed
-anymore when this problem will be fixed.
-
Both configurations can be used with the Cisco VPN client if it
is set up to use hybrid authentication (aka mutual group authentication,
available in Cisco VPN client version 4.0.5 and above). The group
password configured in the Cisco VPN client is not used by racoon.
-After you have installed /etc/racoon/racoon.conf and
-/etc/racoon/phase1-down.sh, you will also have to install a server
-certificate and key in /etc/openssl/certs/server.crt and
-/etc/openssl/certs/server.key
+After you have installed /etc/racoon/racoon.conf, you will also have
+to install a server certificate and key in /etc/openssl/certs/server.crt
+and /etc/openssl/certs/server.key
Client setup
diff -r 4f3579a06e48 -r dc96439cfe08 crypto/dist/ipsec-tools/src/racoon/samples/roadwarrior/client/racoon.conf
--- a/crypto/dist/ipsec-tools/src/racoon/samples/roadwarrior/client/racoon.conf Tue May 10 09:54:43 2005 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/samples/roadwarrior/client/racoon.conf Tue May 10 10:22:03 2005 +0000
@@ -16,7 +16,7 @@
script "/etc/racoon/phase1-down.sh" phase1_down;
passive off;
proposal {
- encryption_algorithm 3des;
+ encryption_algorithm aes;
hash_algorithm sha1;
authentication_method hybrid_rsa_client;
dh_group 2;
@@ -26,8 +26,8 @@
sainfo anonymous {
pfs_group 2;
- lifetime time 12 hour ;
- encryption_algorithm 3des, cast128, blowfish 448;
+ lifetime time 1 hour;
+ encryption_algorithm aes;
authentication_algorithm hmac_sha1;
compression_algorithm deflate ;
}
diff -r 4f3579a06e48 -r dc96439cfe08 crypto/dist/ipsec-tools/src/racoon/samples/roadwarrior/server/phase1-down.sh
--- a/crypto/dist/ipsec-tools/src/racoon/samples/roadwarrior/server/phase1-down.sh Tue May 10 09:54:43 2005 +0000
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,15 +0,0 @@
-#!/bin/sh
-
-PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
-
-# Correctly flush automatically generated SAD and SPD entries
-# This should go away the day racoon will properly do the job.
-
-echo "
-deleteall ${REMOTE_ADDR} ${LOCAL_ADDR} esp;
-deleteall ${LOCAL_ADDR} ${REMOTE_ADDR} esp;
-spddelete ${INTERNAL_ADDR4}/32[any] 0.0.0.0/0[any] any
- -P in ipsec esp/tunnel/${REMOTE_ADDR}-${LOCAL_ADDR}/require;
-spddelete 0.0.0.0/0[any] ${INTERNAL_ADDR4}/32[any] any
- -P out ipsec esp/tunnel/${LOCAL_ADDR}-${REMOTE_ADDR}/require;
-"|setkey -c
diff -r 4f3579a06e48 -r dc96439cfe08 crypto/dist/ipsec-tools/src/racoon/samples/roadwarrior/server/racoon.conf
--- a/crypto/dist/ipsec-tools/src/racoon/samples/roadwarrior/server/racoon.conf Tue May 10 09:54:43 2005 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/samples/roadwarrior/server/racoon.conf Tue May 10 10:22:03 2005 +0000
@@ -8,14 +8,13 @@
exchange_mode aggressive;
certificate_type x509 "server.crt" "server.key";
my_identifier asn1dn;
- proposal_check obey;
+ proposal_check claim;
generate_policy on;
nat_traversal on;
dpd_delay 20;
ike_frag on;
- script "/etc/racoon/phase1-down.sh" phase1_down;
proposal {
- encryption_algorithm 3des;
+ encryption_algorithm aes;
hash_algorithm sha1;
authentication_method hybrid_rsa_server;
dh_group 2;
@@ -30,12 +29,13 @@
dns4 10.0.12.1;
wins4 10.0.12.1;
banner "/etc/racoon/motd";
+ pfs_group 2;
}
sainfo anonymous {
pfs_group 2;
- lifetime time 12 hour;
- encryption_algorithm 3des, cast128, blowfish 448;
+ lifetime time 1 hour;
+ encryption_algorithm aes;
authentication_algorithm hmac_sha1;
compression_algorithm deflate;
}
diff -r 4f3579a06e48 -r dc96439cfe08 crypto/dist/ipsec-tools/src/racoon/samples/roadwarrior/server/racoon.conf-radius
--- a/crypto/dist/ipsec-tools/src/racoon/samples/roadwarrior/server/racoon.conf-radius Tue May 10 09:54:43 2005 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/samples/roadwarrior/server/racoon.conf-radius Tue May 10 10:22:03 2005 +0000
@@ -8,14 +8,13 @@
exchange_mode aggressive;
certificate_type x509 "server.crt" "server.key";
my_identifier asn1dn;
- proposal_check obey;
+ proposal_check claim;
generate_policy on;
nat_traversal on;
dpd_delay 20;
ike_frag on;
- script "/etc/racoon/phase1-down.sh" phase1_down;
proposal {
- encryption_algorithm 3des;
+ encryption_algorithm aes;
hash_algorithm sha1;
authentication_method hybrid_rsa_server;
dh_group 2;
@@ -30,12 +29,13 @@
dns4 10.0.12.1;
wins4 10.0.12.1;
banner "/etc/racoon/motd";
+ pfs_group 2;
}
sainfo anonymous {
pfs_group 2;
- lifetime time 12 hour;
- encryption_algorithm 3des, cast128, blowfish 448;
+ lifetime time 1 hour;
+ encryption_algorithm aes;
authentication_algorithm hmac_sha1;
compression_algorithm deflate;
}
diff -r 4f3579a06e48 -r dc96439cfe08 lib/libipsec/package_version.h
--- a/lib/libipsec/package_version.h Tue May 10 09:54:43 2005 +0000
+++ b/lib/libipsec/package_version.h Tue May 10 10:22:03 2005 +0000
@@ -1,5 +1,5 @@
#define TOP_PACKAGE "ipsec-tools"
#define TOP_PACKAGE_NAME "ipsec-tools"
-#define TOP_PACKAGE_VERSION "0.6-nb200500507"
-#define TOP_PACKAGE_STRING "ipsec-tools 0.6-nb20050507"
+#define TOP_PACKAGE_VERSION "0.6-nb20050510"
+#define TOP_PACKAGE_STRING "ipsec-tools 0.6-nb20050510"
#define TOP_PACKAGE_URL "http://ipsec-tools.sourceforge.net"
Home |
Main Index |
Thread Index |
Old Index