> > ``On the left gateway, we can omit leftrsasig. That gateway uses the
> > private key stored in ipsec.secrets(5) and has no need for its own
> > public key.''
> >
> > When I do that, I get this:
> >
> > # ipsec auto --add trout-bluetrout
> > ipsec_auto: fatal error in "trout-bluetrout": connection has no
> > "leftrsasigkey" parameter specified
> >
> > What am I doing wrong?
>
> Anybody know anything about this?

I always include both RSA public keys in the ipsec.conf file.

I put the local information (including leftid, and leftrsasig) in a "conn
%default" section, then add multiple tunnel definitions with the "include"
feature of ipsec.conf.  All included tunnel descriptions come from
/etc/ipsec/, and are configured with only the "right side" information.  I
also used unresolved FQDNs for the system IDs, so they don't change if
IPs get re-assigned (also, some systems are dynamic).

This way, if details on a remote system change, I only have to edit two
files: the local ipsec.conf file on the system that changed, and the
/etc/ipsec/<system>.conf file, which can then be rsync'd to all the other
remote VPN gateways.

An example:

</etc/ipsec.conf>
# local ("left") side and policy shared by every conn included below
conn %default
        type=tunnel
        auto=start
        [EMAIL PROTECTED]
        left=216.171.153.130
        leftnexthop=216.171.153.129
        leftsubnet=10.34.1.0/24
        #leftfirewall=yes
        keyexchange=ike
        authby=rsasig
        leftrsasigkey=0x01036...
        # key lifetime (before automatic rekeying)
        keylife=8h
        # how persistent to be in (re)keying negotiations (0 means very)
        keyingtries=0

include ipsec/SanAntonio.conf

include ipsec/SanFrancisco.conf

</etc/ipsec/SanAntonio.conf>
# remote ("right") side only; the left side is inherited from %default
conn SanAntonio
        [EMAIL PROTECTED]
        right=207.235.86.252
        rightnexthop=207.235.86.1
        rightsubnet=10.28.0.0/19
        rightrsasigkey=0x0103c...

</etc/ipsec/SanFrancisco.conf>
# remote ("right") side only; the left side is inherited from %default
conn SanFrancisco
        [EMAIL PROTECTED]
        right=66.88.8.234
        rightnexthop=66.88.8.233
        rightsubnet=10.31.0.0/21
        rightrsasigkey=0x01039...

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)



_______________________________________________
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
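The layout above relies on two ipsec.conf mechanisms: "conn %default" values are merged into every other conn, and "include" splices another file in place (relative paths resolve against the directory of the including file). The script below is an added example, not code from the post or from the FreeS/WAN project: it parses a small constructed tree of that shape, applies the %default merge, and then performs the check behind the original poster's error, namely that an authby=rsasig conn must end up with both leftrsasigkey and rightrsasigkey. The hostnames, addresses (RFC 5737 documentation ranges) and key strings are placeholders; the "secret" default for authby and the comment handling are assumptions about FreeS/WAN 1.x behaviour.

```python
"""Parse a FreeS/WAN-style ipsec.conf with "conn %default" and "include",
then report conns that would fail ipsec_auto's rsasig key check.
The config texts below are constructed for this example; IDs, addresses
and keys are placeholders, not values from the post."""
import os
import tempfile


def _parse_into(path, sections, current):
    """Read one file into `sections` ({(kind, name): {key: value}}).
    Indented lines are parameters of the current section; lines at column 1
    start a section or include another file (assumption: include acts as if
    the file's text were inserted in place, so it may continue a section)."""
    base = os.path.dirname(path)
    with open(path) as fh:
        for raw in fh:
            line = raw.split("#", 1)[0].rstrip()   # drop comments (assumed syntax)
            if not line.strip():
                continue
            if line[0] in " \t":                   # parameter line
                if current is None:
                    raise ValueError("%s: parameter outside a section: %s" % (path, line.strip()))
                key, _, value = line.strip().partition("=")
                sections[current][key.strip()] = value.strip()
                continue
            words = line.split()
            if words[0] == "include" and len(words) == 2:
                inc = words[1]
                if not os.path.isabs(inc):
                    inc = os.path.join(base, inc)   # relative to the including file
                current = _parse_into(inc, sections, current)
            elif words[0] in ("conn", "config") and len(words) == 2:
                current = (words[0], words[1])
                sections.setdefault(current, {})
            else:
                raise ValueError("%s: unrecognised line: %s" % (path, line))
    return current


def load_conns(path):
    """Return {conn_name: params} with "conn %default" merged into each conn."""
    sections = {}
    _parse_into(path, sections, None)
    default = sections.get(("conn", "%default"), {})
    conns = {}
    for (kind, name), params in sections.items():
        if kind == "conn" and name != "%default":
            merged = dict(default)
            merged.update(params)               # conn's own values win
            conns[name] = merged
    return conns


def missing_rsasig_keys(conns):
    """Mimic ipsec_auto: every authby=rsasig conn needs both RSA public keys.
    (Assumption: authby defaults to "secret" when unset.)"""
    errors = []
    for name, p in sorted(conns.items()):
        if p.get("authby", "secret") != "rsasig":
            continue
        for key in ("leftrsasigkey", "rightrsasigkey"):
            if key not in p:
                errors.append('connection "%s" has no "%s" parameter specified' % (name, key))
    return errors


def write_tree(main_text, includes):
    """Write ipsec.conf plus include files under a fresh temp dir, mirroring
    /etc/ipsec.conf and /etc/ipsec/<system>.conf; return the main file path."""
    root = tempfile.mkdtemp(prefix="ipsec-demo-")
    for rel, text in includes.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write(text)
    main = os.path.join(root, "ipsec.conf")
    with open(main, "w") as fh:
        fh.write(main_text)
    return main


# Constructed configs modelled on the post's layout (placeholder values).
GOOD_MAIN = """\
conn %default
        type=tunnel
        auto=start
        leftid=@gw-local.example
        left=192.0.2.10
        leftsubnet=10.34.1.0/24
        #leftfirewall=yes
        keyexchange=ike
        authby=rsasig
        leftrsasigkey=0x0103AAAA
        keylife=8h
        keyingtries=0

include ipsec/SanAntonio.conf
include ipsec/SanFrancisco.conf
"""
# Same file with the local public key left out, as the original poster tried.
BAD_MAIN = GOOD_MAIN.replace("        leftrsasigkey=0x0103AAAA\n", "")
INCLUDES = {
    "ipsec/SanAntonio.conf": """\
conn SanAntonio
        rightid=@gw-sanantonio.example
        right=198.51.100.5
        rightsubnet=10.28.0.0/19
        rightrsasigkey=0x0103BBBB
""",
    "ipsec/SanFrancisco.conf": """\
conn SanFrancisco
        rightid=@gw-sanfrancisco.example
        right=203.0.113.7
        rightsubnet=10.31.0.0/21
        rightrsasigkey=0x0103CCCC
""",
}

if __name__ == "__main__":
    for label, text in (("with leftrsasigkey", GOOD_MAIN), ("without leftrsasigkey", BAD_MAIN)):
        conns = load_conns(write_tree(text, INCLUDES))
        print(label, "->", missing_rsasig_keys(conns) or "ok")
```

Run as-is it reports "ok" for the complete %default and, for the variant missing leftrsasigkey, one error per included conn in the same wording ipsec_auto uses, which is the situation the original question describes.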