side A
Instalar el strongswan-pki
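# Build the PKI for the strongSwan site-to-site tunnel: one root CA and one
# key/certificate pair per endpoint (files named client1/client2, identities
# device1/device2). Run on the machine that keeps the CA; each endpoint only
# needs cacerts/ca_cert.pem plus its own private/*Key.pem and certs/*Cert.pem,
# so ca_key.pem should not be copied to the VPN gateways.
set -euo pipefail
# Create every file below without group/other permissions. The private keys
# are written through shell redirection, so a chmod after the fact would leave
# a window in which the key is readable by others. Certificates come out 0600
# as well; relax them with chmod 644 if other users must read them.
umask 077
cd /etc/ipsec.d/ || exit 1

#######################################
# Generate a device key and issue its certificate from the local CA.
# Arguments: $1 - file base name (e.g. client1)
#            $2 - identity used as CN and SAN (e.g. device1)
# Outputs:   private/$1Key.pem (0600) and certs/$1Cert.pem
# Returns:   non-zero if any ipsec pki step fails (pipefail covers the pipe)
#######################################
issue_device_cert() {
  local base=$1
  local ident=$2
  ipsec pki --gen --type rsa --size 2048 --outform pem > "private/${base}Key.pem"
  chmod 600 "private/${base}Key.pem"
  ipsec pki --pub --in "private/${base}Key.pem" --type rsa \
    | ipsec pki --issue --lifetime 730 \
        --cacert cacerts/ca_cert.pem --cakey private/ca_key.pem \
        --dn "C=CH, O=strongSwan, CN=${ident}" --san "$ident" \
        --flag serverAuth --flag ikeIntermediate \
        --outform pem > "certs/${base}Cert.pem"
}

# CA key and certificate
ipsec pki --gen --type rsa --size 4096 --outform pem > private/ca_key.pem
# The original protected only the client keys; the CA key is the most
# sensitive file here and needs at least the same treatment.
chmod 600 private/ca_key.pem
ipsec pki --self --ca --lifetime 3650 --in private/ca_key.pem --type rsa \
  --dn "C=CH, O=strongSwan, CN=Root CA" --outform pem > cacerts/ca_cert.pem

# key and certificate for client1 (device1) and client2 (device2)
issue_device_cert client1 device1
issue_device_cert client2 device2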
############################ Side A:
config setup
  # "all" is extremely verbose and the resulting log records peer identities
  # and every negotiation detail; lower it (e.g. charondebug="ike 1") once the
  # tunnel is working.
  charondebug="all"
  uniqueids=yes
  strictcrlpolicy=no
conn %default

conn tunnel #
  left=10.0.0.10
  leftsubnet=192.168.10.0/24
  right=10.0.0.20
  rightsubnet=192.168.20.0/24
  # modp1024 is a 1024-bit DH group (IKE group 2) and is considered too weak
  # today; use modp2048 or stronger. The trailing "!" makes the proposal
  # strict, so the change must be made on both sides at the same time.
  ike=aes256-sha2_256-modp1024!
  # Without a DH group in the ESP proposal the CHILD_SA is rekeyed without
  # PFS; append a group (e.g. aes256-sha2_256-modp2048!) to enable it.
  esp=aes256-sha2_256!
  keyingtries=0
  ikelifetime=1h
  lifetime=8h
  dpddelay=30
  dpdtimeout=120
  dpdaction=restart
  #authby=secret
  auto=start
  keyexchange=ikev2
  type=tunnel
  leftcert=client1Cert.pem
  rightcert=client2Cert.pem
  leftid="C=CH, O=strongSwan, CN=device1"
  rightid="C=CH, O=strongSwan, CN=device2"
# en el /etc/ipsec.secrets (the file names the private key, so keep it root-only, mode 0600)
: RSA client1Key.pem
############################ Side B:
config setup
  # "all" is extremely verbose and the resulting log records peer identities
  # and every negotiation detail; lower it (e.g. charondebug="ike 1") once the
  # tunnel is working.
  charondebug="all"
  uniqueids=yes
  strictcrlpolicy=no
conn %default

# Same left/right values as side A on purpose: strongSwan swaps left and right
# when it finds the "right" address on a local interface, so one conn block can
# be shared by both gateways.
conn tunnel #
  left=10.0.0.10
  leftsubnet=192.168.10.0/24
  right=10.0.0.20
  rightsubnet=192.168.20.0/24
  # modp1024 is a 1024-bit DH group (IKE group 2) and is considered too weak
  # today; use modp2048 or stronger. The trailing "!" makes the proposal
  # strict, so the change must be made on both sides at the same time.
  ike=aes256-sha2_256-modp1024!
  # Without a DH group in the ESP proposal the CHILD_SA is rekeyed without
  # PFS; append a group (e.g. aes256-sha2_256-modp2048!) to enable it.
  esp=aes256-sha2_256!
  keyingtries=0
  ikelifetime=1h
  lifetime=8h
  dpddelay=30
  dpdtimeout=120
  dpdaction=restart
  #authby=secret
  auto=start
  keyexchange=ikev2
  type=tunnel
  leftcert=client1Cert.pem
  rightcert=client2Cert.pem
  leftid="C=CH, O=strongSwan, CN=device1"
  rightid="C=CH, O=strongSwan, CN=device2"
# en el /etc/ipsec.secrets (the file names the private key, so keep it root-only, mode 0600)
: RSA client2Key.pem