{"id":150,"date":"2010-04-17T23:32:14","date_gmt":"2010-04-18T08:32:14","guid":{"rendered":"\/blog\/?p=150"},"modified":"2023-09-21T09:39:19","modified_gmt":"2023-09-21T00:39:19","slug":"openbsd-ipsec-vpn","status":"publish","type":"post","link":"https:\/\/hasu0707.duckdns.org\/blog\/?p=150","title":{"rendered":"OpenBSD IPSec VPN"},"content":{"rendered":"\n

#############<\/SPAN>
# IPsec VPN #<\/SPAN>
#############<\/SPAN><\/FONT><\/P>\n

Scenariu:<\/FONT><\/SPAN><\/P>\n

Code:<\/FONT><\/SPAN><\/P>\n

        A.B.C.D                             X.Y.Z.T<\/SPAN>
[ Gateway A ] ---------- { INTERNET } ---------- [ Gateway B ]<\/SPAN>
         |                                               |<\/SPAN>
         | 192.168.0.1                                   | 192.168.1.1<\/SPAN>
         |                                               |<\/SPAN>
         |                                               |<\/SPAN>
      ( LAN A )                                      ( LAN B )<\/SPAN>
  192.168.0.0\/24                                  192.168.1.1\/24<\/SPAN><\/FONT><\/P>\n

 <\/P>\n


Gateway A = FreeBSD sau OpenBSD<\/SPAN>
Gateway B = FreeBSD sau OpenBSD<\/SPAN><\/FONT><\/P>\n

 <\/P>\n

*************************************<\/SPAN>
* Creare tunel intre LAN A si LAN B *<\/SPAN>
*************************************<\/SPAN><\/FONT><\/P>\n


+++++++++++++<\/SPAN>
+ Gateway A +<\/SPAN>
+++++++++++++<\/SPAN><\/FONT><\/P>\n

-------<\/SPAN>
FreeBSD<\/SPAN>
-------<\/SPAN><\/FONT><\/P>\n

Manual:<\/FONT><\/SPAN><\/P>\n

Code:<\/SPAN>
ifconfig gif0 tunnel A.B.C.D X.Y.Z.T mtu 1500<\/SPAN>
ifconfig gif0 inet 192.168.0.1 192.168.1.1 netmask 255.255.255.255<\/SPAN>
route add -net 192.168.1.0\/24 192.168.1.1<\/SPAN><\/FONT><\/P>\n

 <\/P>\n

Automat:<\/FONT><\/SPAN><\/P>\n

In rc.conf se adauga:<\/FONT><\/SPAN><\/P>\n

Code:<\/SPAN>
gifconfig_gif0=\"A.B.C.D X.Y.Z.T mtu 1500\"<\/SPAN>
ifconfig_gif0=\"inet 192.168.0.1 192.168.1.1 netmask 0xffffffff\"<\/SPAN>
static_routes=\"vpn\"<\/SPAN>
route_vpn=\"192.168.1.0 192.168.1.1 netmask 0xffffff00\"<\/SPAN><\/FONT><\/P>\n

 <\/P>\n

-------<\/SPAN>
OpenBSD<\/SPAN>
-------<\/SPAN><\/FONT><\/P>\n

Manual:<\/FONT><\/SPAN><\/P>\n

Code:<\/SPAN>
ifconfig gif0 tunnel A.B.C.D X.Y.Z.T mtu 1500<\/SPAN>
ifconfig gif0 inet 192.168.0.1 192.168.1.1 netmask 255.255.255.255<\/SPAN>
route add -net 192.168.1.0\/24 192.168.1.1<\/SPAN><\/FONT><\/P>\n

 <\/P>\n

Automat:<\/FONT><\/SPAN><\/P>\n

Se creaza in \/etc fisierul hostname.gif0 si se adauga:<\/FONT><\/SPAN><\/P>\n

Code:<\/SPAN>
up create<\/SPAN>
up tunnel A.B.C.D X.Y.Z.T mtu 1500<\/SPAN>
up inet 192.168.0.1 192.168.1.1 netmask 255.255.255.255<\/SPAN>
!\/sbin\/route add -net 192.168.1.0\/24 192.168.1.1<\/SPAN><\/FONT><\/P>\n

 <\/P>\n


+++++++++++++<\/SPAN>
+ Gateway B +<\/SPAN>
+++++++++++++<\/SPAN><\/FONT><\/P>\n

-------<\/SPAN>
FreeBSD<\/SPAN>
-------<\/SPAN><\/FONT><\/P>\n

Manual:<\/FONT><\/SPAN><\/P>\n

Code:<\/SPAN>
ifconfig gif0 tunnel X.Y.Z.T A.B.C.D mtu 1500<\/SPAN>
ifconfig gif0 inet 192.168.1.1 192.168.0.1 netmask 255.255.255.255<\/SPAN>
route add -net 192.168.0.0\/24 192.168.0.1<\/SPAN><\/FONT><\/P>\n

 <\/P>\n

Automat:<\/FONT><\/SPAN><\/P>\n

In rc.conf se adauga:<\/FONT><\/SPAN><\/P>\n

Code:<\/SPAN>
gifconfig_gif0=\"X.Y.Z.T A.B.C.D mtu 1500\"<\/SPAN>
ifconfig_gif0=\"inet 192.168.1.1 192.168.0.1 netmask 0xffffffff\"<\/SPAN>
static_routes=\"vpn\"<\/SPAN>
route_vpn=\"192.168.0.0 192.168.0.1 netmask 0xffffff00\"<\/SPAN><\/FONT><\/P>\n

 <\/P>\n

-------<\/SPAN>
OpenBSD<\/SPAN>
-------<\/SPAN><\/FONT><\/P>\n

Manual:<\/FONT><\/SPAN><\/P>\n

Code:<\/SPAN>
ifconfig gif0 tunnel X.Y.Z.T A.B.C.D mtu 1500<\/SPAN>
ifconfig gif0 inet 192.168.1.1 192.168.0.1 netmask 255.255.255.255<\/SPAN>
route add -net 192.168.0.0\/24 192.168.0.1<\/SPAN><\/FONT><\/P>\n

 <\/P>\n

Automat:<\/FONT><\/SPAN><\/P>\n

Se creaza in \/etc fisierul hostname.gif0 si se adauga:<\/FONT><\/SPAN><\/P>\n

Code:<\/SPAN>
up create<\/SPAN>
up tunnel X.Y.Z.T A.B.C.D mtu 1500<\/SPAN>
up inet 192.168.1.1 192.168.0.1 netmask 255.255.255.255<\/SPAN>
!\/sbin\/route add -net 192.168.0.0\/24 192.168.0.1<\/SPAN><\/FONT><\/P>\n

 <\/P>\n

 <\/P>\n

*************************************<\/SPAN>
*(2) IPsec cu schimb manual de chei *<\/SPAN>
*************************************<\/SPAN><\/FONT><\/P>\n

Algoritmul de criptare a traficului este 3DES iar cel de autentificare a gateway-urilor intre ele<\/SPAN>
este SHA1.<\/SPAN><\/FONT><\/P>\n


+++++++++++++<\/SPAN>
+ Gateway A +<\/SPAN>
+++++++++++++<\/SPAN><\/FONT><\/P>\n

-------<\/SPAN>
FreeBSD<\/SPAN>
-------<\/SPAN><\/FONT><\/P>\n

Se creaza in \/etc fisierul ipsec.conf si se adauga:<\/FONT><\/SPAN><\/P>\n

Code:<\/SPAN>
# cheile de autentificare si criptare intre cele doua gateway-uri<\/SPAN>
add A.B.C.D X.Y.Z.T esp 0x1000 -E 3des-cbc 0xCHEIE_CRIPTARE -A hmac-sha1 0xCHEIE_AUTENTIFICARE;<\/SPAN>
add X.Y.Z.T A.B.C.D esp 0x1001 -E 3des-cbc 0xCHEIE_CRIPTARE -A hmac-sha1 0xCHEIE_AUTENTIFICARE;<\/SPAN><\/FONT><\/P>\n

# criptare IPsec a traficului LAN A - LAN B<\/SPAN>
# any inseamna criptare oricarui trafic ( tcp, udp, etc)<\/SPAN>
spdadd 192.168.0.0\/24 192.168.1.0\/24 any -P out ipsec esp\/tunnel\/A.B.C.D-X.Y.Z.T\/require;<\/SPAN>
spdadd 192.168.1.0\/24 192.168.0.0\/24 any -P in ipsec esp\/tunnel\/X.Y.Z.T-A.B.C.D\/require;<\/SPAN><\/FONT><\/P>\n

# criptare IPsec a traficului Gateway A - Gateway B<\/SPAN>
# any inseamna criptare oricarui trafic ( tcp, udp, etc)<\/SPAN>
spdadd A.B.C.D X.Y.Z.T any -P out ipsec esp\/tunnel\/A.B.C.D-X.Y.Z.T\/require;<\/SPAN>
spdadd X.Y.Z.T A.B.C.D any -P in ipsec esp\/tunnel\/X.Y.Z.T-A.B.C.D\/require;<\/SPAN><\/FONT><\/P>\n

 <\/P>\n

Atentie !!!<\/FONT><\/SPAN><\/P>\n

CHEIE_CRIPTARE este un string format din 48 de litere si cifre (3DES foloseste o cheie pe 192 de biti = 48 * 4 biti)<\/SPAN>
CHEIE_AUTENTIFICARE este un string format din 40 de litere si cifre (SHA1 foloseste o cheie pe 160 de biti = 40 * 4 biti)<\/SPAN><\/FONT><\/P>\n

Ambele string-uri trebuie sa fie identice pe cele doua gateway-uri.<\/SPAN>
\"0x\" este folosit pentru compatibilitatea cu OpenBSD care foloseste cheile in sistem hexa decimal.<\/SPAN><\/FONT><\/P>\n

Pentru generarea cheilor se poate folosi openssl.<\/FONT><\/SPAN><\/P>\n

Generare CHEIE_CRIPTARE:<\/SPAN>
Code:<\/SPAN>
# openssl rand 24 | hexdump -e '24\/1 \"%02x\"'<\/SPAN><\/FONT><\/P>\n


Generare CHEIE_AUTENTIFICARE:<\/SPAN>
Code:<\/SPAN>
# openssl rand 20 | hexdump -e '20\/1 \"%02x\"'<\/SPAN><\/FONT><\/P>\n


Se adauga in \/etc\/rc.conf:<\/FONT><\/SPAN><\/P>\n

Code:<\/SPAN>
ipsec_enable=\"YES\"<\/SPAN>
ipsec_file=\"\/etc\/ipsec.conf\"<\/SPAN><\/FONT><\/P>\n

 <\/P>\n

-------<\/SPAN>
OpenBSD<\/SPAN>
-------<\/SPAN><\/FONT><\/P>\n

Se creaza directorul ipsec in \/etc in care se vor crea cheile de autentificare si criptare<\/SPAN>
si script-ul de creare a SAD-urilor si SPD-urilor.<\/SPAN><\/FONT><\/P>\n

Code:<\/SPAN>
# mkdir \/etc\/ipsec<\/SPAN>
# chown root.wheel \/etc\/ipsec<\/SPAN>
# cd \/etc\/ipsec<\/SPAN>
# touch ipsec<\/SPAN>
# chmod 500 ipsec<\/SPAN><\/FONT><\/P>\n

 <\/P>\n

In fisierul ipsec se adauga:<\/FONT><\/SPAN><\/P>\n

Code:<\/SPAN>
\/sbin\/ipsecadm new esp -src A.B.C.D -dst X.Y.Z.T -forcetunnel -spi 1000 -enc 3des -auth sha1 \\<\/SPAN>
                                 -keyfile \/etc\/ipsec\/enc_key \\<\/SPAN>
                                 -authkeyfile \/etc\/ipsec\/auth_key<\/SPAN><\/FONT><\/P>\n

\/sbin\/ipsecadm new esp -src X.Y.Z.T -dst A.B.C.D -forcetunnel -spi 1001 -enc 3des -auth sha1 \\<\/SPAN>
                                 -keyfile \/etc\/ipsec\/enc_key \\<\/SPAN>
                                 -authkeyfile \/etc\/ipsec\/auth_key<\/SPAN><\/FONT><\/P>\n

\/sbin\/ipsecadm flow -transport esp -src A.B.C.D -dst X.Y.Z.T -bypass -out -addr A.B.C.D\/32 X.Y.Z.T\/32<\/SPAN>
\/sbin\/ipsecadm flow -transport esp -src A.B.C.D -dst X.Y.Z.T -bypass -in -addr X.Y.Z.T\/32 A.B.C.D\/32<\/SPAN><\/FONT><\/P>\n

\/sbin\/ipsecadm flow -proto esp -src A.B.C.D -dst X.Y.Z.T -require -out -addr A.B.C.D\/32 X.Y.Z.T\/32<\/SPAN>
\/sbin\/ipsecadm flow -proto esp -src A.B.C.D -dst X.Y.Z.T -require -in -addr X.Y.Z.T\/32 A.B.C.D\/32<\/SPAN>
\/sbin\/ipsecadm flow -proto esp -src A.B.C.D -dst X.Y.Z.T -require -out -addr A.B.C.D\/32 192.168.1.0\/24<\/SPAN>
\/sbin\/ipsecadm flow -proto esp -src A.B.C.D -dst X.Y.Z.T -require -in -addr 192.168.1.0\/24 A.B.C.D\/32<\/SPAN>
\/sbin\/ipsecadm flow -proto esp -src A.B.C.D -dst X.Y.Z.T -require -out -addr 192.168.0.0\/24 X.Y.Z.T\/32<\/SPAN>
\/sbin\/ipsecadm flow -proto esp -src A.B.C.D -dst X.Y.Z.T -require -in -addr X.Y.Z.T\/32 192.168.0.0\/24<\/SPAN>
\/sbin\/ipsecadm flow -proto esp -src A.B.C.D -dst X.Y.Z.T -require -out -addr 192.168.0.0\/24 192.168.1.0\/24<\/SPAN>
\/sbin\/ipsecadm flow -proto esp -src A.B.C.D -dst X.Y.Z.T -require -in -addr 192.168.1.0\/24 192.168.0.0\/24<\/SPAN><\/FONT><\/P>\n

 <\/P>\n

Se genereaza cheile.<\/FONT><\/SPAN><\/P>\n

Generare cheie criptare:<\/SPAN>
Code:<\/SPAN>
# openssl rand 24 | hexdump -e '24\/1 \"%02x\"' > \/etc\/ipsec\/enc_key<\/SPAN><\/FONT><\/P>\n


Generare cheie autentificare:<\/SPAN>
Code:<\/SPAN>
# openssl rand 20 | hexdump -e '20\/1 \"%02x\"' > \/etc\/ipsec\/auth_key<\/SPAN><\/FONT><\/P>\n


Se seteaza permisiunile:<\/FONT><\/SPAN><\/P>\n

Code:<\/SPAN>
# chown root.wheel \/etc\/ipsec\/enc_key<\/SPAN>
# chown root.wheel \/etc\/ipsec\/auth_key<\/SPAN>
# chmod 600 \/etc\/ipsec\/enc_key<\/SPAN>
# chmod 600 \/etc\/ipsec\/auth_key<\/SPAN><\/FONT><\/P>\n

 <\/P>\n

Observatie !<\/FONT><\/SPAN><\/P>\n

Ca alternativa OpenBSD pune la dispozitie un script (\/usr\/share\/ipsec\/rc.vpn) ce seteaza la rulare SAD-urile si SPD-urile.<\/SPAN>
Acest script trebuie modificat conform nevoilor si va inlocui script-ul \/etc\/ipsec\/ipsec creat anterior.<\/SPAN><\/FONT><\/P>\n


+++++++++++++<\/SPAN>
+ Gateway B +<\/SPAN>
+++++++++++++<\/SPAN><\/FONT><\/P>\n

-------<\/SPAN>
FreeBSD<\/SPAN>
-------<\/SPAN><\/FONT><\/P>\n

Se creaza in \/etc fisierul ipsec.conf si se adauga:<\/FONT><\/SPAN><\/P>\n

Code:<\/SPAN>
# cheile de autentificare si criptare intre cele doua gateway-uri<\/SPAN>
add A.B.C.D X.Y.Z.T esp 0x1000 -E 3des-cbc 0xCHEIE_CRIPTARE -A hmac-sha1 0xCHEIE_AUTENTIFICARE;<\/SPAN>
add X.Y.Z.T A.B.C.D esp 0x1001 -E 3des-cbc 0xCHEIE_CRIPTARE -A hmac-sha1 0xCHEIE_AUTENTIFICARE;<\/SPAN><\/FONT><\/P>\n

# criptare IPsec a traficului LAN B - LAN A<\/SPAN>
# any inseamna criptare oricarui trafic ( tcp, udp, etc)<\/SPAN>
spdadd 192.168.1.0\/24 192.168.0.0\/24 any -P out ipsec esp\/tunnel\/X.Y.Z.T-A.B.C.D\/require;<\/SPAN>
spdadd 192.168.0.0\/24 192.168.1.0\/24 any -P in ipsec esp\/tunnel\/A.B.C.D-X.Y.Z.T\/require;<\/SPAN><\/FONT><\/P>\n

# criptare IPsec a traficului Gateway B - Gateway A<\/SPAN>
# any inseamna criptare oricarui trafic ( tcp, udp, etc)<\/SPAN>
spdadd X.Y.Z.T A.B.C.D any -P out ipsec esp\/tunnel\/X.Y.Z.T-A.B.C.D\/require;<\/SPAN>
spdadd A.B.C.D X.Y.Z.T any -P in ipsec esp\/tunnel\/A.B.C.D-X.Y.Z.T\/require;<\/SPAN><\/FONT><\/P>\n

 <\/P>\n

Se adauga in \/etc\/rc.conf:<\/FONT><\/SPAN><\/P>\n

Code:<\/SPAN>
ipsec_enable=\"YES\"<\/SPAN>
ipsec_file=\"\/etc\/ipsec.conf\"<\/SPAN><\/FONT><\/P>\n

 <\/P>\n

Atentie !!!<\/FONT><\/SPAN><\/P>\n

CHEIE_CRIPTARE si CHEIE_AUTENTIFICARE trebuie sa coincida cu cele de pe Gateway A.<\/FONT><\/SPAN><\/P>\n

0x1000 si 0x1001 reprezinta parametri SPI si trebuie sa coincida cu cei de pe Gateway A pentru<\/SPAN>
aceeasi directie a treficului (de ex. 0x1000 pentru Gateway A - Gateway B si 0x1001 invers).<\/SPAN><\/FONT><\/P>\n

-------<\/SPAN>
OpenBSD<\/SPAN>
-------<\/SPAN><\/FONT><\/P>\n

Se creaza directorul ipsec in \/etc si fiserele ipsec, enc_key si auth_key.<\/FONT><\/SPAN><\/P>\n

Code:<\/SPAN>
# mkdir \/etc\/ipsec<\/SPAN>
# chown root.wheel \/etc\/ipsec<\/SPAN>
# cd \/etc\/ipsec<\/SPAN>
# touch ipsec enc_key auth_key<\/SPAN>
# chmod 500 ipsec<\/SPAN><\/FONT><\/P>\n

 <\/P>\n

In fisierul ipsec se adauga:<\/FONT><\/SPAN><\/P>\n

Code:<\/SPAN>
\/sbin\/ipsecadm new esp -src X.Y.Z.T -dst A.B.C.D -forcetunnel -spi 1001 -enc 3des -auth sha1 \\<\/SPAN>
                              -keyfile \/etc\/ipsec\/enc_key \\<\/SPAN>
                              -authkeyfile \/etc\/ipsec\/auth_key<\/SPAN><\/FONT><\/P>\n

\/sbin\/ipsecadm new esp -src A.B.C.D -dst X.Y.Z.T -forcetunnel -spi 1000 -enc 3des -auth sha1 \\<\/SPAN>
                              -keyfile \/etc\/ipsec\/enc_key \\<\/SPAN>
                              -authkeyfile \/etc\/ipsec\/auth_key<\/SPAN><\/FONT><\/P>\n

\/sbin\/ipsecadm flow -transport esp -src X.Y.Z.T -dst A.B.C.D -bypass -out -addr X.Y.Z.T\/32 A.B.C.D\/32<\/SPAN>
\/sbin\/ipsecadm flow -transport esp -src X.Y.Z.T -dst A.B.C.D -bypass -in -addr A.B.C.D\/32 X.Y.Z.T\/32<\/SPAN><\/FONT><\/P>\n

\/sbin\/ipsecadm flow -proto esp -src X.Y.Z.T -dst A.B.C.D -require -out -addr X.Y.Z.T\/32 A.B.C.D\/32<\/SPAN>
\/sbin\/ipsecadm flow -proto esp -src X.Y.Z.T -dst A.B.C.D -require -in -addr A.B.C.D\/32 X.Y.Z.T\/32<\/SPAN>
\/sbin\/ipsecadm flow -proto esp -src X.Y.Z.T -dst A.B.C.D -require -out -addr X.Y.Z.T\/32 192.168.0.0\/24<\/SPAN>
\/sbin\/ipsecadm flow -proto esp -src X.Y.Z.T -dst A.B.C.D -require -in -addr 192.168.0.0\/24 X.Y.Z.T\/32<\/SPAN>
\/sbin\/ipsecadm flow -proto esp -src X.Y.Z.T -dst A.B.C.D -require -out -addr 192.168.1.0\/24 A.B.C.D\/32<\/SPAN>
\/sbin\/ipsecadm flow -proto esp -src X.Y.Z.T -dst A.B.C.D -require -in -addr A.B.C.D\/32 192.168.1.0\/24<\/SPAN>
\/sbin\/ipsecadm flow -proto esp -src X.Y.Z.T -dst A.B.C.D -require -out -addr 192.168.1.0\/24 192.168.0.0\/24<\/SPAN>
\/sbin\/ipsecadm flow -proto esp -src X.Y.Z.T -dst A.B.C.D -require -in -addr 192.168.0.0\/24 192.168.1.0\/24<\/SPAN><\/FONT><\/P>\n

 <\/P>\n

In enc_key si auth_key se adauga cheile create pe Gateway A.<\/FONT><\/SPAN><\/P>\n

Se seteaza permisiunile:<\/FONT><\/SPAN><\/P>\n

Code:<\/SPAN>
# chown root.wheel \/etc\/ipsec\/enc_key<\/SPAN>
# chown root.wheel \/etc\/ipsec\/auth_key<\/SPAN>
# chmod 600 \/etc\/ipsec\/enc_key<\/SPAN>
# chmod 600 \/etc\/ipsec\/auth_key<\/SPAN><\/FONT><\/P>\n

 <\/P>\n

Observatie !<\/FONT><\/SPAN><\/P>\n

Ca alternativa OpenBSD pune la dispozitie un script (\/usr\/share\/ipsec\/rc.vpn) ce seteaza la rulare SAD-urile si SPD-urile.<\/SPAN>
Acest script trebuie modificat conform nevoilor si va inlocui script-ul \/etc\/ipsec\/ipsec creat anterior.<\/SPAN><\/FONT><\/P>\n

 <\/P>\n

**************************************************************<\/SPAN>
* IPsec cu schimb automat de chei folosind daemon-ul isakmpd *<\/SPAN>
* cu autentificare pe baza de password *<\/SPAN>
**************************************************************<\/SPAN><\/FONT><\/P>\n


+++++++++++++<\/SPAN>
+ Gateway A +<\/SPAN>
+++++++++++++<\/SPAN><\/FONT><\/P>\n

-------<\/SPAN>
FreeBSD<\/SPAN>
-------<\/SPAN><\/FONT><\/P>\n

Instalam isakmpd din port-uri:<\/FONT><\/SPAN><\/P>\n

Code:<\/SPAN>
# cd \/usr\/ports\/security\/isakmpd<\/SPAN>
# make install clean<\/SPAN>
# cd \/usr\/local\/etc\/<\/SPAN>
# mkdir isakmpd<\/SPAN>
# cd isakmpd<\/SPAN>
# touch isakmpd.conf isakmpd.policy<\/SPAN>
# chmod 600 isakmpd.conf isakmpd.policy<\/SPAN><\/FONT><\/P>\n

 <\/P>\n

Fisierul de configurare este \/usr\/local\/etc\/isakmpd\/isakmpd.conf.<\/SPAN>
Fisierul ce stabileste autentificarea intre gateway-uri este \/usr\/local\/etc\/isakmpd\/isakmpd.policy.<\/SPAN><\/FONT><\/P>\n

isakmpd.conf:<\/FONT><\/SPAN><\/P>\n

Code:<\/SPAN>
[General]<\/SPAN>
Listen-on=              A.B.C.D<\/SPAN><\/FONT><\/P>\n

[Phase 1]<\/SPAN>
X.Y.Z.T=           ISAKMP-peer-GatewayB<\/SPAN><\/FONT><\/P>\n

[Phase 2]<\/SPAN>
Connections=            IPsec-LANA-LANB,IPsec-GatewayA-GatewayB<\/SPAN><\/FONT><\/P>\n

[ISAKMP-peer-GatewayB]<\/SPAN>
Phase=                  1<\/SPAN>
Address=                X.Y.Z.T<\/SPAN>
Configuration=          Default-main-mode<\/SPAN>
Authentication=         password<\/SPAN><\/FONT><\/P>\n

[IPsec-LANA-LANB]<\/SPAN>
Phase=                  2<\/SPAN>
ISAKMP-peer=            ISAKMP-peer-GatewayB<\/SPAN>
Configuration=          Default-quick-mode<\/SPAN>
Local-ID=               LANA<\/SPAN>
Remote-ID=              LANB<\/SPAN><\/FONT><\/P>\n

[LANA]<\/SPAN>
ID-type=                IPV4_ADDR_SUBNET<\/SPAN>
Network=                192.168.0.0<\/SPAN>
Netmask=                255.255.255.0<\/SPAN><\/FONT><\/P>\n

[LANB]<\/SPAN>
ID-type=                IPV4_ADDR_SUBNET<\/SPAN>
Network=                192.168.1.0<\/SPAN>
Netmask=                255.255.255.0<\/SPAN><\/FONT><\/P>\n

[IPsec-GatewayA-GatewayB]<\/SPAN>
Phase=                  2<\/SPAN>
ISAKMP-peer=            ISAKMP-peer-GatewayB<\/SPAN>
Configuration=          Default-quick-mode<\/SPAN>
Local-ID=               GatewayA<\/SPAN>
Remote-ID=              GatewayB<\/SPAN><\/FONT><\/P>\n

[GatewayA]<\/SPAN>
ID-type=                IPV4_ADDR<\/SPAN>
Address=                A.B.C.D<\/SPAN><\/FONT><\/P>\n

[GatewayB]<\/SPAN>
ID-type=                IPV4_ADDR<\/SPAN>
Address=                X.Y.Z.T<\/SPAN><\/FONT><\/P>\n

[Default-main-mode]<\/SPAN>
DOI=                    IPSEC<\/SPAN>
EXCHANGE_TYPE=          ID_PROT<\/SPAN>
Transforms=             3DES-SHA<\/SPAN><\/FONT><\/P>\n

[Default-quick-mode]<\/SPAN>
DOI=                    IPSEC<\/SPAN>
EXCHANGE_TYPE=          QUICK_MODE<\/SPAN>
Suites=                 QM-ESP-3DES-SHA-PFS-SUITE<\/SPAN><\/FONT><\/P>\n

 <\/P>\n

isakmpd.policy:<\/FONT><\/SPAN><\/P>\n

Code:<\/SPAN>
KeyNote-Version: 2<\/SPAN>
Authorizer: \"POLICY\"<\/SPAN>
Licensees: \"passphrase:password\"<\/SPAN>
Conditions: app_domain == \"IPsec policy\" &&<\/SPAN>
            esp_present == \"yes\" &&<\/SPAN>
            esp_enc_alg == \"3des\" &&<\/SPAN>
            esp_auth_alg == \"hmac-sha\" -> \"true\";<\/SPAN><\/FONT><\/P>\n

 <\/P>\n

Atentie !!!<\/FONT><\/SPAN><\/P>\n

password (cel din isakmpd.conf trebuie sa fie identic cu cel din isakmpd.policy)<\/SPAN>
trebuie inlocuit cu un string de preferinta cat mai random ce trebuie sa fie acelasi<\/SPAN>
cu cel din isakmpd.conf si isakmpd.policy de pe GatewayB.<\/SPAN><\/FONT><\/P>\n

In rc.conf trebuie modificat ipsec_enable=\"YES\" in ipsec_enable=\"NO\" deoarece<\/SPAN>
isakmpd seteaza automat atat SAD-urile cat si SPD-urile.<\/SPAN><\/FONT><\/P>\n

Cream un script de pornire pentru isakmpd:<\/FONT><\/SPAN><\/P>\n

Code:<\/SPAN>
# cd \/usr\/local\/etc\/rc.d<\/SPAN>
# touch isakmpd.sh<\/SPAN>
# chown root:wheel isakmpd.sh<\/SPAN>
# chmod 500 isakmpd.sh<\/SPAN><\/FONT><\/P>\n

 <\/P>\n

In isakmpd.sh adaugam:<\/FONT><\/SPAN><\/P>\n

Code:<\/SPAN>
#!\/bin\/sh<\/SPAN>
# start<\/SPAN>
isakmpd_enable=${isakmpd_enable-\"NO\"}<\/SPAN>
isakmpd_flags=${isakmpd_flags-\"-c \/usr\/local\/etc\/isakmpd\/isakmpd.conf\"}<\/SPAN>
isakmpd_pidfile=${isakmpd_pidfile-\"\/var\/run\/utility.pid\"}<\/SPAN><\/FONT><\/P>\n

. \/etc\/rc.subr<\/FONT><\/SPAN><\/P>\n

name=\"isakmpd\"<\/SPAN>
rcvar=`set_rcvar`<\/SPAN>
command=\"\/usr\/local\/sbin\/isakmpd\"<\/SPAN><\/FONT><\/P>\n

load_rc_config $name<\/FONT><\/SPAN><\/P>\n

pidfile=\"${isakmpd_pidfile}\"<\/FONT><\/SPAN><\/P>\n

start_cmd=\"echo \\\"Starting ${name}.\\\"; \/usr\/bin\/nice -5 ${command} ${isakmpd_flags} ${command_args}\"<\/FONT><\/SPAN><\/P>\n

run_rc_command \"$1\"<\/SPAN>
# end<\/SPAN><\/FONT><\/P>\n

 <\/P>\n

Pentru a fi pornit la start-up e necesar sa adaugam in rc.conf isakmpd_enable=\"YES\".<\/FONT><\/SPAN><\/P>\n

-------<\/SPAN>
OpenBSD<\/SPAN>
-------<\/SPAN><\/FONT><\/P>\n

OpenBSD vine cu isakmpd instalat default.<\/FONT><\/SPAN><\/P>\n

Fisierul de configurare este \/etc\/isakmpd\/isakmpd.conf.<\/SPAN>
Fisierul ce stabileste autentificarea intre gateway-uri este \/etc\/isakmpd\/isakmpd.policy.<\/SPAN><\/FONT><\/P>\n

isakmpd.conf:<\/FONT><\/SPAN><\/P>\n

Code:<\/SPAN>
[General]<\/SPAN>
Listen-on=              A.B.C.D<\/SPAN><\/FONT><\/P>\n

[Phase 1]<\/SPAN>
X.Y.Z.T=           ISAKMP-peer-GatewayB<\/SPAN><\/FONT><\/P>\n

[Phase 2]<\/SPAN>
Connections=            IPsec-LANA-LANB,IPsec-GatewayA-GatewayB<\/SPAN><\/FONT><\/P>\n

[ISAKMP-peer-GatewayB]<\/SPAN>
Phase=                  1<\/SPAN>
Address=                X.Y.Z.T<\/SPAN>
Configuration=          Default-main-mode<\/SPAN>
Authentication=         password<\/SPAN><\/FONT><\/P>\n

[IPsec-LANA-LANB]<\/SPAN>
Phase=                  2<\/SPAN>
ISAKMP-peer=            ISAKMP-peer-GatewayB<\/SPAN>
Configuration=          Default-quick-mode<\/SPAN>
Local-ID=               LANA<\/SPAN>
Remote-ID=              LANB<\/SPAN><\/FONT><\/P>\n

[LANA]<\/SPAN>
ID-type=                IPV4_ADDR_SUBNET<\/SPAN>
Network=                192.168.0.0<\/SPAN>
Netmask=                255.255.255.0<\/SPAN><\/FONT><\/P>\n

[LANB]<\/SPAN>
ID-type=                IPV4_ADDR_SUBNET<\/SPAN>
Network=                192.168.1.0<\/SPAN>
Netmask=                255.255.255.0<\/SPAN><\/FONT><\/P>\n

[IPsec-GatewayA-GatewayB]<\/SPAN>
Phase=                  2<\/SPAN>
ISAKMP-peer=            ISAKMP-peer-GatewayB<\/SPAN>
Configuration=          Default-quick-mode<\/SPAN>
Local-ID=               GatewayA<\/SPAN>
Remote-ID=              GatewayB<\/SPAN><\/FONT><\/P>\n

[GatewayA]<\/SPAN>
ID-type=                IPV4_ADDR<\/SPAN>
Address=                A.B.C.D<\/SPAN><\/FONT><\/P>\n

[GatewayB]<\/SPAN>
ID-type=                IPV4_ADDR<\/SPAN>
Address=                X.Y.Z.T<\/SPAN><\/FONT><\/P>\n

[Default-main-mode]<\/SPAN>
DOI=                    IPSEC<\/SPAN>
EXCHANGE_TYPE=          ID_PROT<\/SPAN>
Transforms=             3DES-SHA<\/SPAN><\/FONT><\/P>\n

[Default-quick-mode]<\/SPAN>
DOI=                    IPSEC<\/SPAN>
EXCHANGE_TYPE=          QUICK_MODE<\/SPAN>
Suites=                 QM-ESP-3DES-SHA-PFS-SUITE<\/SPAN><\/FONT><\/P>\n

 <\/P>\n

isakmpd.policy:<\/FONT><\/SPAN><\/P>\n

Code:<\/SPAN>
KeyNote-Version: 2<\/SPAN>
Authorizer: \"POLICY\"<\/SPAN>
Licensees: \"passphrase:password\"<\/SPAN>
Conditions: app_domain == \"IPsec policy\" &&<\/SPAN>
            esp_present == \"yes\" &&<\/SPAN>
            esp_enc_alg == \"3des\" &&<\/SPAN>
            esp_auth_alg == \"hmac-sha\" -> \"true\";<\/SPAN><\/FONT><\/P>\n

 <\/P>\n

Atentie !!!<\/FONT><\/SPAN><\/P>\n

password (cel din isakmpd.conf trebuie sa fie identic cu cel din isakmpd.policy)<\/SPAN>
trebuie inlocuit cu un string de preferinta cat mai random ce trebuie sa fie acelasi<\/SPAN>
cu cel din isakmpd.conf si isakmpd.policy de pe GatewayB.<\/SPAN><\/FONT><\/P>\n


+++++++++++++<\/SPAN>
+ Gateway B +<\/SPAN>
+++++++++++++<\/SPAN><\/FONT><\/P>\n

-------<\/SPAN>
FreeBSD<\/SPAN>
-------<\/SPAN><\/FONT><\/P>\n

Instalam isakmpd din port-uri:<\/FONT><\/SPAN><\/P>\n

Code:<\/SPAN>
# cd \/usr\/ports\/security\/isakmpd<\/SPAN>
# make install clean<\/SPAN>
# cd \/usr\/local\/etc\/<\/SPAN>
# mkdir isakmpd<\/SPAN>
# cd isakmpd<\/SPAN>
# touch isakmpd.conf isakmpd.policy<\/SPAN>
# chmod 600 isakmpd.conf isakmpd.policy<\/SPAN><\/FONT><\/P>\n

 <\/P>\n

Fisierul de configurare este \/usr\/local\/etc\/isakmpd\/isakmpd.conf.<\/SPAN>
Fisierul ce stabileste autentificarea intre gateway-uri este \/usr\/local\/etc\/isakmpd\/isakmpd.policy.<\/SPAN><\/FONT><\/P>\n

isakmpd.conf:<\/FONT><\/SPAN><\/P>\n

Code:<\/SPAN>
[General]<\/SPAN>
Listen-on=              X.Y.Z.T<\/SPAN><\/FONT><\/P>\n

[Phase 1]<\/SPAN>
A.B.C.D=           ISAKMP-peer-GatewayA<\/SPAN><\/FONT><\/P>\n

[Phase 2]<\/SPAN>
Connections=            IPsec-LANB-LANA,IPsec-GatewayB-GatewayA<\/SPAN><\/FONT><\/P>\n

[ISAKMP-peer-GatewayA]<\/SPAN>
Phase=                  1<\/SPAN>
Address=                A.B.C.D<\/SPAN>
Configuration=          Default-main-mode<\/SPAN>
Authentication=         password<\/SPAN><\/FONT><\/P>\n

[IPsec-LANB-LANA]<\/SPAN>
Phase=                  2<\/SPAN>
ISAKMP-peer=            ISAKMP-peer-GatewayA<\/SPAN>
Configuration=          Default-quick-mode<\/SPAN>
Local-ID=               LANB<\/SPAN>
Remote-ID=              LANA<\/SPAN><\/FONT><\/P>\n

[LANB]<\/SPAN>
ID-type=                IPV4_ADDR_SUBNET<\/SPAN>
Network=                192.168.1.0<\/SPAN>
Netmask=                255.255.255.0<\/SPAN><\/FONT><\/P>\n

[LANA]<\/SPAN>
ID-type=                IPV4_ADDR_SUBNET<\/SPAN>
Network=                192.168.0.0<\/SPAN>
Netmask=                255.255.255.0<\/SPAN><\/FONT><\/P>\n

[IPsec-GatewayB-GatewayA]<\/SPAN>
Phase=                  2<\/SPAN>
ISAKMP-peer=            ISAKMP-peer-GatewayA<\/SPAN>
Configuration=          Default-quick-mode<\/SPAN>
Local-ID=               GatewayB<\/SPAN>
Remote-ID=              GatewayA<\/SPAN><\/FONT><\/P>\n

[GatewayB]<\/SPAN>
ID-type=                IPV4_ADDR<\/SPAN>
Address=                X.Y.Z.T<\/SPAN><\/FONT><\/P>\n

[GatewayA]<\/SPAN>
ID-type=                IPV4_ADDR<\/SPAN>
Address=                A.B.C.D<\/SPAN><\/FONT><\/P>\n

[Default-main-mode]<\/SPAN>
DOI=                    IPSEC<\/SPAN>
EXCHANGE_TYPE=          ID_PROT<\/SPAN>
Transforms=             3DES-SHA<\/SPAN><\/FONT><\/P>\n

[Default-quick-mode]<\/SPAN>
DOI=                    IPSEC<\/SPAN>
EXCHANGE_TYPE=          QUICK_MODE<\/SPAN>
Suites=                 QM-ESP-3DES-SHA-PFS-SUITE<\/SPAN><\/FONT><\/P>\n

 <\/P>\n

isakmpd.policy:<\/FONT><\/SPAN><\/P>\n

Code:<\/SPAN>
KeyNote-Version: 2<\/SPAN>
Authorizer: \"POLICY\"<\/SPAN>
Licensees: \"passphrase:password\"<\/SPAN>
Conditions: app_domain == \"IPsec policy\" &&<\/SPAN>
            esp_present == \"yes\" &&<\/SPAN>
            esp_enc_alg == \"3des\" &&<\/SPAN>
            esp_auth_alg == \"hmac-sha\" -> \"true\";<\/SPAN><\/FONT><\/P>\n

 <\/P>\n

Atentie !!!<\/FONT><\/SPAN><\/P>\n

password (cel din isakmpd.conf trebuie sa fie identic cu cel din isakmpd.policy)<\/SPAN>
trebuie inlocuit cu un string de preferinta cat mai random ce trebuie sa fie acelasi<\/SPAN>
cu cel din isakmpd.conf si isakmpd.policy de pe GatewayB.<\/SPAN><\/FONT><\/P>\n

In rc.conf trebuie modificat ipsec_enable=\"YES\" in ipsec_enable=\"NO\" deoarece<\/SPAN>
isakmpd seteaza automat atat SAD-urile cat si SPD-urile.<\/SPAN><\/FONT><\/P>\n

Cream un script de pornire pentru isakmpd:<\/FONT><\/SPAN><\/P>\n

Code:<\/SPAN>
# cd \/usr\/local\/etc\/rc.d<\/SPAN>
# touch isakmpd.sh<\/SPAN>
# chown root:wheel isakmpd.sh<\/SPAN>
# chmod 500 isakmpd.sh<\/SPAN><\/FONT><\/P>\n

 <\/P>\n

In isakmpd.sh adaugam:<\/FONT><\/SPAN><\/P>\n

Code:<\/SPAN>
#!\/bin\/sh<\/SPAN>
# start<\/SPAN>
isakmpd_enable=${isakmpd_enable-\"NO\"}<\/SPAN>
isakmpd_flags=${isakmpd_flags-\"-c \/usr\/local\/etc\/isakmpd\/isakmpd.conf\"}<\/SPAN>
isakmpd_pidfile=${isakmpd_pidfile-\"\/var\/run\/utility.pid\"}<\/SPAN><\/FONT><\/P>\n

. \/etc\/rc.subr<\/FONT><\/SPAN><\/P>\n

name=\"isakmpd\"<\/SPAN>
rcvar=`set_rcvar`<\/SPAN>
command=\"\/usr\/local\/sbin\/isakmpd\"<\/SPAN><\/FONT><\/P>\n

load_rc_config $name<\/FONT><\/SPAN><\/P>\n

pidfile=\"${isakmpd_pidfile}\"<\/FONT><\/SPAN><\/P>\n

start_cmd=\"echo \\\"Starting ${name}.\\\"; \/usr\/bin\/nice -5 ${command} ${isakmpd_flags} ${command_args}\"<\/FONT><\/SPAN><\/P>\n

run_rc_command \"$1\"<\/SPAN>
# end<\/SPAN><\/FONT><\/P>\n

 <\/P>\n

Pentru a fi pornit la start-up e necesar sa adaugam in rc.conf isakmpd_enable=\"YES\".<\/FONT><\/SPAN><\/P>\n

-------<\/SPAN>
OpenBSD<\/SPAN>
-------<\/SPAN><\/FONT><\/P>\n

OpenBSD vine cu isakmpd instalat default.<\/FONT><\/SPAN><\/P>\n

Fisierul de configurare este \/etc\/isakmpd\/isakmpd.conf.<\/SPAN>
Fisierul ce stabileste autentificarea intre gateway-uri este \/etc\/isakmpd\/isakmpd.policy.<\/SPAN><\/FONT><\/P>\n

isakmpd.conf:<\/FONT><\/SPAN><\/P>\n

Code:<\/SPAN>
[General]<\/SPAN>
Listen-on=              X.Y.Z.T<\/SPAN><\/FONT><\/P>\n

[Phase 1]<\/SPAN>
A.B.C.D=           ISAKMP-peer-GatewayA<\/SPAN><\/FONT><\/P>\n

[Phase 2]<\/SPAN>
Connections=            IPsec-LANB-LANA,IPsec-GatewayB-GatewayA<\/SPAN><\/FONT><\/P>\n

[ISAKMP-peer-GatewayA]<\/SPAN>
Phase=                  1<\/SPAN>
Address=                A.B.C.D<\/SPAN>
Configuration=          Default-main-mode<\/SPAN>
Authentication=         password<\/SPAN><\/FONT><\/P>\n

[IPsec-LANB-LANA]<\/SPAN>
Phase=                  2<\/SPAN>
ISAKMP-peer=            ISAKMP-peer-GatewayA<\/SPAN>
Configuration=          Default-quick-mode<\/SPAN>
Local-ID=               LANB<\/SPAN>
Remote-ID=              LANA<\/SPAN><\/FONT><\/P>\n

[LANB]<\/SPAN>
ID-type=                IPV4_ADDR_SUBNET<\/SPAN>
Network=                192.168.1.0<\/SPAN>
Netmask=                255.255.255.0<\/SPAN><\/FONT><\/P>\n

[LANA]<\/SPAN>
ID-type=                IPV4_ADDR_SUBNET<\/SPAN>
Network=                192.168.0.0<\/SPAN>
Netmask=                255.255.255.0<\/SPAN><\/FONT><\/P>\n

[IPsec-GatewayB-GatewayA]<\/SPAN>
Phase=                  2<\/SPAN>
ISAKMP-peer=            ISAKMP-peer-GatewayA<\/SPAN>
Configuration=          Default-quick-mode<\/SPAN>
Local-ID=               GatewayB<\/SPAN>
Remote-ID=              GatewayA<\/SPAN><\/FONT><\/P>\n

[GatewayB]<\/SPAN>
ID-type=                IPV4_ADDR<\/SPAN>
Address=                X.Y.Z.T<\/SPAN><\/FONT><\/P>\n

[GatewayA]<\/SPAN>
ID-type=                IPV4_ADDR<\/SPAN>
Address=                A.B.C.D<\/SPAN><\/FONT><\/P>\n

[Default-main-mode]<\/SPAN>
DOI=                    IPSEC<\/SPAN>
EXCHANGE_TYPE=          ID_PROT<\/SPAN>
Transforms=             3DES-SHA<\/SPAN><\/FONT><\/P>\n

[Default-quick-mode]<\/SPAN>
DOI=                    IPSEC<\/SPAN>
EXCHANGE_TYPE=          QUICK_MODE<\/SPAN>
Suites=                 QM-ESP-3DES-SHA-PFS-SUITE<\/SPAN><\/FONT><\/P>\n

 <\/P>\n

isakmpd.policy:<\/FONT><\/SPAN><\/P>\n

Code:<\/SPAN>
KeyNote-Version: 2<\/SPAN>
Authorizer: \"POLICY\"<\/SPAN>
Licensees: \"passphrase:password\"<\/SPAN>
Conditions: app_domain == \"IPsec policy\" &&<\/SPAN>
            esp_present == \"yes\" &&<\/SPAN>
            esp_enc_alg == \"3des\" &&<\/SPAN>
            esp_auth_alg == \"hmac-sha\" -> \"true\";<\/SPAN><\/FONT><\/P>\n

 <\/P>\n

Atentie !!!<\/FONT><\/SPAN><\/P>\n

password (cel din isakmpd.conf trebuie sa fie identic cu cel din isakmpd.policy)<\/SPAN>
trebuie inlocuit cu un string de preferinta cat mai random ce trebuie sa fie acelasi<\/SPAN>
cu cel din isakmpd.conf si isakmpd.policy de pe GatewayB.<\/SPAN><\/FONT><\/P>\n

 <\/P>\n

**************************************************************<\/SPAN>
* IPsec cu schimb automat de chei folosind daemon-ul isakmpd *<\/SPAN>
* cu autentificare pe baza de certificate x509 *<\/SPAN>
**************************************************************<\/SPAN><\/FONT><\/P>\n


+++++++++++++<\/SPAN>
+ Gateway A +<\/SPAN>
+++++++++++++<\/SPAN><\/FONT><\/P>\n

-------<\/SPAN>
FreeBSD<\/SPAN>
-------<\/SPAN><\/FONT><\/P>\n

Devenim Certificate Authority:<\/FONT><\/SPAN><\/P>\n

Code:<\/SPAN>
# cd \/etc\/ssl<\/SPAN><\/FONT><\/P>\n


Generam cheia privata cu care vom semna certificatul:<\/SPAN>
Code:<\/SPAN>
# openssl genrsa -out private\/ca.key 2048<\/SPAN><\/FONT><\/P>\n


Cream certification request:<\/SPAN>
Code:<\/SPAN>
# openssl req -new -key private\/ca.key -out ca.csr<\/SPAN><\/FONT><\/P>\n


Cream certificatul x509:<\/SPAN>
Code:<\/SPAN>
# openssl x509 -req -days 730 -in ca.csr -signkey private\/ca.key -extfile x509v3.cnf -extensions x509v3_CA -out ca.crt<\/SPAN><\/FONT><\/P>\n


Code:<\/SPAN>
# cd \/usr\/local\/etc\/isakmpd<\/SPAN><\/FONT><\/P>\n


Generam cheia privata:<\/SPAN>
Code:<\/SPAN>
# openssl genrsa -out private\/local.key 2048<\/SPAN>
# chmod 400 private\/local.key<\/SPAN><\/FONT><\/P>\n

 <\/P>\n

Cream certification request:<\/SPAN>
Code:<\/SPAN>
# openssl req -new -key private\/local.key -out private\/A.B.C.D.csr<\/SPAN><\/FONT><\/P>\n


Cream certificatul x509 pentru Gateway A:<\/SPAN>
Code:<\/SPAN>
# openssl x509 -req -days 730 -in private\/A.B.C.D.csr -CA \/etc\/ssl\/ca.crt -CAkey \/etc\/ssl\/private\/ca.key -CAcreateserial -out \\<\/SPAN>
certs\/A.B.C.D.crt<\/SPAN><\/FONT><\/P>\n

 <\/P>\n

Patch-uim certificatul:<\/SPAN>
Code:<\/SPAN>
# certpatch -i A.B.C.D -k \/etc\/ssl\/private\/ca.key certs\/A.B.C.D.crt certs\/A.B.C.D.crt<\/SPAN><\/FONT><\/P>\n


Copiem ca.crt in \/usr\/local\/etc\/isakmpd\/ca<\/SPAN>
Code:<\/SPAN>
# cp -p \/etc\/ssl\/ca.crt ca\/<\/SPAN><\/FONT><\/P>\n


isakmpd.conf:<\/FONT><\/SPAN><\/P>\n

Code:<\/SPAN>
[X509-certificates]<\/SPAN>
CA-directory=           \/usr\/local\/etc\/isakmpd\/ca\/<\/SPAN>
Cert-directory=         \/usr\/local\/etc\/isakmpd\/certs\/<\/SPAN>
Private-key=            \/usr\/local\/etc\/isakmpd\/private\/local.key<\/SPAN><\/FONT><\/P>\n

[General]<\/SPAN>
Listen-on=              A.B.C.D<\/SPAN><\/FONT><\/P>\n

[Phase 1]<\/SPAN>
X.Y.Z.T=           ISAKMP-peer-GatewayB<\/SPAN><\/FONT><\/P>\n

[Phase 2]<\/SPAN>
Connections=            IPsec-LANA-LANB,IPsec-GatewayA-GatewayB<\/SPAN><\/FONT><\/P>\n

[ISAKMP-peer-GatewayB]<\/SPAN>
Phase=                  1<\/SPAN>
Address=                X.Y.Z.T<\/SPAN>
Configuration=          Default-main-mode<\/SPAN>
Local-ID=      GatewayA-ID<\/SPAN>
Remote-ID=      GatewayB-ID<\/SPAN><\/FONT><\/P>\n

[GatewayA-ID]<\/SPAN>
ID-Type=      IPV4_ADDR<\/SPAN>
Address=      A.B.C.D<\/SPAN><\/FONT><\/P>\n

[GatewayB-ID]<\/SPAN>
ID-Type=      IPV4_ADDR<\/SPAN>
Address=      X.Y.Z.T<\/SPAN><\/FONT><\/P>\n

[IPsec-LANA-LANB]<\/SPAN>
Phase=                  2<\/SPAN>
ISAKMP-peer=            ISAKMP-peer-GatewayB<\/SPAN>
Configuration=          Default-quick-mode<\/SPAN>
Local-ID=               LANA<\/SPAN>
Remote-ID=              LANB<\/SPAN><\/FONT><\/P>\n

[LANA]<\/SPAN>
ID-type=                IPV4_ADDR_SUBNET<\/SPAN>
Network=                192.168.0.0<\/SPAN>
Netmask=                255.255.255.0<\/SPAN><\/FONT><\/P>\n

[LANB]<\/SPAN>
ID-type=                IPV4_ADDR_SUBNET<\/SPAN>
Network=                192.168.1.0<\/SPAN>
Netmask=                255.255.255.0<\/SPAN><\/FONT><\/P>\n

[IPsec-GatewayA-GatewayB]<\/SPAN>
Phase=                  2<\/SPAN>
ISAKMP-peer=            ISAKMP-peer-GatewayB<\/SPAN>
Configuration=          Default-quick-mode<\/SPAN>
Local-ID=               GatewayA<\/SPAN>
Remote-ID=              GatewayB<\/SPAN><\/FONT><\/P>\n

[GatewayA]<\/SPAN>
ID-type=                IPV4_ADDR<\/SPAN>
Address=                A.B.C.D<\/SPAN><\/FONT><\/P>\n

[GatewayB]<\/SPAN>
ID-type=                IPV4_ADDR<\/SPAN>
Address=                X.Y.Z.T<\/SPAN><\/FONT><\/P>\n

[Default-main-mode]<\/SPAN>
DOI=                    IPSEC<\/SPAN>
EXCHANGE_TYPE=          ID_PROT<\/SPAN>
Transforms=             3DES-SHA-RSA_SIG<\/SPAN><\/FONT><\/P>\n

[Default-quick-mode]<\/SPAN>
DOI=                    IPSEC<\/SPAN>
EXCHANGE_TYPE=          QUICK_MODE<\/SPAN>
Suites=                 QM-ESP-3DES-SHA-PFS-SUITE<\/SPAN><\/FONT><\/P>\n

 <\/P>\n

isakmpd.policy:<\/FONT><\/SPAN><\/P>\n

Code:<\/SPAN>
Keynote-version: 2<\/SPAN>
Authorizer: \"POLICY\"<\/SPAN>
Licensees: \"DN:xxx\"<\/SPAN>
Conditions: app_domain == \"IPsec policy\" &&<\/SPAN>
            esp_present == \"yes\" &&<\/SPAN>
            esp_enc_alg == \"3des\" &&<\/SPAN>
            esp_auth_alg == \"hmac-sha\" -> \"true\";<\/SPAN><\/FONT><\/P>\n

 <\/P>\n

unde xxx este inlocuit cu output-ul comenzii:<\/SPAN>
Code:<\/SPAN>
# openssl x509 -in \/usr\/local\/etc\/isakmpd\/ca\/ca.crt -noout -subject<\/SPAN><\/FONT><\/P>\n


Atentie !!! Se inlocuieste numai ce este dupa subject= din output-ul de mai sus.<\/FONT><\/SPAN><\/P>\n

-------<\/SPAN>
OpenBSD<\/SPAN>
-------<\/SPAN><\/FONT><\/P>\n

Devenim Certificate Authority:<\/FONT><\/SPAN><\/P>\n

Code:<\/SPAN>
# cd \/etc\/ssl<\/SPAN><\/FONT><\/P>\n


Generam cheia privata cu care vom semna certificatul:<\/SPAN>
Code:<\/SPAN>
# openssl genrsa -out private\/ca.key 2048<\/SPAN><\/FONT><\/P>\n


Cream certification request:<\/SPAN>
Code:<\/SPAN>
# openssl req -new -key private\/ca.key -out ca.csr<\/SPAN><\/FONT><\/P>\n


Cream certificatul x509:<\/SPAN>
Code:<\/SPAN>
# openssl x509 -req -days 730 -in ca.csr -signkey private\/ca.key -extfile x509v3.cnf -extensions x509v3_CA -out ca.crt<\/SPAN><\/FONT><\/P>\n


Code:<\/SPAN>
# cd \/etc\/isakmpd<\/SPAN><\/FONT><\/P>\n


Generam cheia privata:<\/SPAN>
Code:<\/SPAN>
# openssl genrsa -out private\/local.key 2048<\/SPAN>
# chmod 400 private\/local.key<\/SPAN><\/FONT><\/P>\n

 <\/P>\n

Cream certification request:<\/SPAN>
Code:<\/SPAN>
# openssl req -new -key private\/local.key -out private\/A.B.C.D.csr<\/SPAN><\/FONT><\/P>\n


Cream certificatul x509 pentru Gateway A:<\/SPAN>
Code:<\/SPAN>
# openssl x509 -req -days 730 -in private\/A.B.C.D.csr -CA \/etc\/ssl\/ca.crt -CAkey \/etc\/ssl\/private\/ca.key -CAcreateserial -out \\<\/SPAN>
certs\/A.B.C.D.crt<\/SPAN><\/FONT><\/P>\n

 <\/P>\n

Patch-uim certificatul:<\/SPAN>
Code:<\/SPAN>
# certpatch -i A.B.C.D -k \/etc\/ssl\/private\/ca.key certs\/A.B.C.D.crt certs\/A.B.C.D.crt<\/SPAN><\/FONT><\/P>\n


Copiem ca.crt in \/etc\/isakmpd\/ca<\/SPAN>
Code:<\/SPAN>
# cp -p \/etc\/ssl\/ca.crt ca\/<\/SPAN><\/FONT><\/P>\n


isakmpd.conf:<\/FONT><\/SPAN><\/P>\n

Code:<\/SPAN>
[X509-certificates]<\/SPAN>
CA-directory=           \/usr\/local\/etc\/isakmpd\/ca\/<\/SPAN>
Cert-directory=         \/usr\/local\/etc\/isakmpd\/certs\/<\/SPAN>
Private-key=            \/usr\/local\/etc\/isakmpd\/private\/local.key<\/SPAN><\/FONT><\/P>\n

[General]<\/SPAN>
Listen-on=              A.B.C.D<\/SPAN><\/FONT><\/P>\n

[Phase 1]<\/SPAN>
X.Y.Z.T=           ISAKMP-peer-GatewayB<\/SPAN><\/FONT><\/P>\n

[Phase 2]<\/SPAN>
Connections=            IPsec-LANA-LANB,IPsec-GatewayA-GatewayB<\/SPAN><\/FONT><\/P>\n

[ISAKMP-peer-GatewayB]<\/SPAN>
Phase=                  1<\/SPAN>
Address=                X.Y.Z.T<\/SPAN>
Configuration=          Default-main-mode<\/SPAN>
Local-ID=      GatewayA-ID<\/SPAN>
Remote-ID=      GatewayB-ID<\/SPAN><\/FONT><\/P>\n

[GatewayA-ID]<\/SPAN>
ID-Type=      IPV4_ADDR<\/SPAN>
Address=      A.B.C.D<\/SPAN><\/FONT><\/P>\n

[GatewayB-ID]<\/SPAN>
ID-Type=      IPV4_ADDR<\/SPAN>
Address=      X.Y.Z.T<\/SPAN><\/FONT><\/P>\n

[IPsec-LANA-LANB]<\/SPAN>
Phase=                  2<\/SPAN>
ISAKMP-peer=            ISAKMP-peer-GatewayB<\/SPAN>
Configuration=          Default-quick-mode<\/SPAN>
Local-ID=               LANA<\/SPAN>
Remote-ID=              LANB<\/SPAN><\/FONT><\/P>\n

[LANA]<\/SPAN>
ID-type=                IPV4_ADDR_SUBNET<\/SPAN>
Network=                192.168.0.0<\/SPAN>
Netmask=                255.255.255.0<\/SPAN><\/FONT><\/P>\n

[LANB]<\/SPAN>
ID-type=                IPV4_ADDR_SUBNET<\/SPAN>
Network=                192.168.1.0<\/SPAN>
Netmask=                255.255.255.0<\/SPAN><\/FONT><\/P>\n

[IPsec-GatewayA-GatewayB]<\/SPAN>
Phase=                  2<\/SPAN>
ISAKMP-peer=            ISAKMP-peer-GatewayB<\/SPAN>
Configuration=          Default-quick-mode<\/SPAN>
Local-ID=               GatewayA<\/SPAN>
Remote-ID=              GatewayB<\/SPAN><\/FONT><\/P>\n

[GatewayA]<\/SPAN>
ID-type=                IPV4_ADDR<\/SPAN>
Address=                A.B.C.D<\/SPAN><\/FONT><\/P>\n

[GatewayB]<\/SPAN>
ID-type=                IPV4_ADDR<\/SPAN>
Address=                X.Y.Z.T<\/SPAN><\/FONT><\/P>\n

[Default-main-mode]<\/SPAN>
DOI=                    IPSEC<\/SPAN>
EXCHANGE_TYPE=          ID_PROT<\/SPAN>
Transforms=             3DES-SHA-RSA_SIG<\/SPAN><\/FONT><\/P>\n

[Default-quick-mode]<\/SPAN>
DOI=                    IPSEC<\/SPAN>
EXCHANGE_TYPE=          QUICK_MODE<\/SPAN>
Suites=                 QM-ESP-3DES-SHA-PFS-SUITE<\/SPAN><\/FONT><\/P>\n

 <\/P>\n

isakmpd.policy:<\/FONT><\/SPAN><\/P>\n

Code:<\/SPAN>
Keynote-version: 2<\/SPAN>
Authorizer: \"POLICY\"<\/SPAN>
Licensees: \"DN:xxx\"<\/SPAN>
Conditions: app_domain == \"IPsec policy\" &&<\/SPAN>
            esp_present == \"yes\" &&<\/SPAN>
            esp_enc_alg == \"3des\" &&<\/SPAN>
            esp_auth_alg == \"hmac-sha\" -> \"true\";<\/SPAN><\/FONT><\/P>\n

 <\/P>\n

unde xxx este inlocuit cu output-ul comenzii:<\/SPAN>
Code:<\/SPAN>
# openssl x509 -in \/etc\/isakmpd\/ca\/ca.crt -noout -subject<\/SPAN><\/FONT><\/P>\n


Atentie !!! Se inlocuieste numai ce este dupa subject= din output-ul de mai sus.<\/FONT><\/SPAN><\/P>\n


+++++++++++++<\/SPAN>
+ Gateway B +<\/SPAN>
+++++++++++++<\/SPAN><\/FONT><\/P>\n

-------<\/SPAN>
FreeBSD<\/SPAN>
-------<\/SPAN><\/FONT><\/P>\n

Se copiaza \/etc\/ssl\/ca.crt si \/etc\/ssl\/private\/local.key de pe Gateway A in \/etc\/ssl\/ si respectiv \/etc\/ssl\/private.<\/FONT><\/SPAN><\/P>\n

Code:<\/SPAN>
# cd \/usr\/local\/etc\/isakmpd<\/SPAN><\/FONT><\/P>\n


Generam cheia privata:<\/SPAN>
Code:<\/SPAN>
# openssl genrsa -out private\/local.key 2048<\/SPAN>
# chmod 400 private\/local.key<\/SPAN><\/FONT><\/P>\n

 <\/P>\n

Cream certification request:<\/SPAN>
Code:<\/SPAN>
# openssl req -new -key private\/local.key -out private\/X.Y.Z.T.csr<\/SPAN><\/FONT><\/P>\n


Cream certificatul x509 pentru Gateway B:<\/SPAN>
Code:<\/SPAN>
# openssl x509 -req -days 730 -in private\/X.Y.Z.T.csr -CA \/etc\/ssl\/ca.crt -CAkey \/etc\/ssl\/private\/ca.key -CAcreateserial -out \\<\/SPAN>
certs\/X.Y.Z.T.crt<\/SPAN><\/FONT><\/P>\n

 <\/P>\n

Patch-uim certificatul:<\/SPAN>
Code:<\/SPAN>
# certpatch -i X.Y.Z.T -k \/etc\/ssl\/private\/ca.key certs\/X.Y.Z.T.crt certs\/X.Y.Z.T.crt<\/SPAN><\/FONT><\/P>\n


Copiem ca.crt in \/usr\/local\/etc\/isakmpd\/ca<\/SPAN>
Code:<\/SPAN>
# cp -p \/etc\/ssl\/ca.crt ca\/<\/SPAN><\/FONT><\/P>\n


isakmpd.conf:<\/FONT><\/SPAN><\/P>\n

Code:<\/SPAN>
[X509-certificates]<\/SPAN>
CA-directory=           \/usr\/local\/etc\/isakmpd\/ca\/<\/SPAN>
Cert-directory=         \/usr\/local\/etc\/isakmpd\/certs\/<\/SPAN>
Private-key=            \/usr\/local\/etc\/isakmpd\/private\/local.key<\/SPAN><\/FONT><\/P>\n

[General]<\/SPAN>
Listen-on=              X.Y.Z.T<\/SPAN><\/FONT><\/P>\n

[Phase 1]<\/SPAN>
A.B.C.D=           ISAKMP-peer-GatewayA<\/SPAN><\/FONT><\/P>\n

[Phase 2]<\/SPAN>
Connections=            IPsec-LANB-LANA,IPsec-GatewayB-GatewayA<\/SPAN><\/FONT><\/P>\n

[ISAKMP-peer-GatewayA]<\/SPAN>
Phase=                  1<\/SPAN>
Address=                A.B.C.D<\/SPAN>
Configuration=          Default-main-mode<\/SPAN>
Local-ID=      GatewayB-ID<\/SPAN>
Remote-ID=      GatewayA-ID<\/SPAN><\/FONT><\/P>\n

[GatewayB-ID]<\/SPAN>
ID-Type=      IPV4_ADDR<\/SPAN>
Address=      X.Y.Z.T<\/SPAN><\/FONT><\/P>\n

[GatewayA-ID]<\/SPAN>
ID-Type=      IPV4_ADDR<\/SPAN>
Address=      A.B.C.D<\/SPAN><\/FONT><\/P>\n

[IPsec-LANB-LANA]<\/SPAN>
Phase=                  2<\/SPAN>
ISAKMP-peer=            ISAKMP-peer-GatewayA<\/SPAN>
Configuration=          Default-quick-mode<\/SPAN>
Local-ID=               LANB<\/SPAN>
Remote-ID=              LANA<\/SPAN><\/FONT><\/P>\n

[LANB]<\/SPAN>
ID-type=                IPV4_ADDR_SUBNET<\/SPAN>
Network=                192.168.1.0<\/SPAN>
Netmask=                255.255.255.0<\/SPAN><\/FONT><\/P>\n

[LANA]<\/SPAN>
ID-type=                IPV4_ADDR_SUBNET<\/SPAN>
Network=                192.168.0.0<\/SPAN>
Netmask=                255.255.255.0<\/SPAN><\/FONT><\/P>\n

[IPsec-GatewayB-GatewayA]<\/SPAN>
Phase=                  2<\/SPAN>
ISAKMP-peer=            ISAKMP-peer-GatewayA<\/SPAN>
Configuration=          Default-quick-mode<\/SPAN>
Local-ID=               GatewayB<\/SPAN>
Remote-ID=              GatewayA<\/SPAN><\/FONT><\/P>\n

[GatewayB]<\/SPAN>
ID-type=                IPV4_ADDR<\/SPAN>
Address=                X.Y.Z.T<\/SPAN><\/FONT><\/P>\n

[GatewayA]<\/SPAN>
ID-type=                IPV4_ADDR<\/SPAN>
Address=                A.B.C.D<\/SPAN><\/FONT><\/P>\n

[Default-main-mode]<\/SPAN>
DOI=                    IPSEC<\/SPAN>
EXCHANGE_TYPE=          ID_PROT<\/SPAN>
Transforms=             3DES-SHA-RSA_SIG<\/SPAN><\/FONT><\/P>\n

[Default-quick-mode]<\/SPAN>
DOI=                    IPSEC<\/SPAN>
EXCHANGE_TYPE=          QUICK_MODE<\/SPAN>
Suites=                 QM-ESP-3DES-SHA-PFS-SUITE<\/SPAN><\/FONT><\/P>\n

 <\/P>\n

isakmpd.policy:<\/FONT><\/SPAN><\/P>\n

Code:<\/SPAN>
Keynote-version: 2<\/SPAN>
Authorizer: \"POLICY\"<\/SPAN>
Licensees: \"DN:xxx\"<\/SPAN>
Conditions: app_domain == \"IPsec policy\" &&<\/SPAN>
            esp_present == \"yes\" &&<\/SPAN>
            esp_enc_alg == \"3des\" &&<\/SPAN>
            esp_auth_alg == \"hmac-sha\" -> \"true\";<\/SPAN><\/FONT><\/P>\n

 <\/P>\n

unde xxx este inlocuit cu output-ul comenzii:<\/SPAN>
Code:<\/SPAN>
# openssl x509 -in \/usr\/local\/etc\/isakmpd\/ca\/ca.crt -noout -subject<\/SPAN><\/FONT><\/P>\n


Atentie !!! Se inlocuieste numai ce este dupa subject= din output-ul de mai sus.<\/FONT><\/SPAN><\/P>\n

-------<\/SPAN>
OpenBSD<\/SPAN>
-------<\/SPAN><\/FONT><\/P>\n

Se copiaza \/etc\/ssl\/ca.crt si \/etc\/ssl\/private\/local.key de pe Gateway A in \/etc\/ssl\/ si respectiv \/etc\/ssl\/private.<\/FONT><\/SPAN><\/P>\n

Code:<\/SPAN>
# cd \/etc\/isakmpd<\/SPAN><\/FONT><\/P>\n


Generam cheia privata:<\/SPAN>
Code:<\/SPAN>
# openssl genrsa -out private\/local.key 2048<\/SPAN>
# chmod 400 private\/local.key<\/SPAN><\/FONT><\/P>\n

 <\/P>\n

Cream certification request:<\/SPAN>
Code:<\/SPAN>
# openssl req -new -key private\/local.key -out private\/X.Y.Z.T.csr<\/SPAN><\/FONT><\/P>\n


Cream certificatul x509 pentru Gateway B:<\/SPAN>
Code:<\/SPAN>
# openssl x509 -req -days 730 -in private\/X.Y.Z.T.csr -CA \/etc\/ssl\/ca.crt -CAkey \/etc\/ssl\/private\/ca.key -CAcreateserial -out \\<\/SPAN>
certs\/X.Y.Z.T.crt<\/SPAN><\/FONT><\/P>\n

 <\/P>\n

Patch-uim certificatul:<\/SPAN>
Code:<\/SPAN>
# certpatch -i X.Y.Z.T -k \/etc\/ssl\/private\/ca.key certs\/X.Y.Z.T.crt certs\/X.Y.Z.T.crt<\/SPAN><\/FONT><\/P>\n


Copiem ca.crt in \/etc\/isakmpd\/ca<\/SPAN>
Code:<\/SPAN>
# cp -p \/etc\/ssl\/ca.crt ca\/<\/SPAN><\/FONT><\/P>\n


isakmpd.conf:<\/FONT><\/SPAN><\/P>\n

Code:<\/SPAN>
[X509-certificates]<\/SPAN>
CA-directory=           \/usr\/local\/etc\/isakmpd\/ca\/<\/SPAN>
Cert-directory=         \/usr\/local\/etc\/isakmpd\/certs\/<\/SPAN>
Private-key=            \/usr\/local\/etc\/isakmpd\/private\/local.key<\/SPAN><\/FONT><\/P>\n

[General]<\/SPAN>
Listen-on=              X.Y.Z.T<\/SPAN><\/FONT><\/P>\n

[Phase 1]<\/SPAN>
A.B.C.D=           ISAKMP-peer-GatewayA<\/SPAN><\/FONT><\/P>\n

[Phase 2]<\/SPAN>
Connections=            IPsec-LANB-LANA,IPsec-GatewayB-GatewayA<\/SPAN><\/FONT><\/P>\n

[ISAKMP-peer-GatewayA]<\/SPAN>
Phase=                  1<\/SPAN>
Address=                A.B.C.D<\/SPAN>
Configuration=          Default-main-mode<\/SPAN>
Local-ID=      GatewayB-ID<\/SPAN>
Remote-ID=      GatewayA-ID<\/SPAN><\/FONT><\/P>\n

[GatewayB-ID]<\/SPAN>
ID-Type=      IPV4_ADDR<\/SPAN>
Address=      X.Y.Z.T<\/SPAN><\/FONT><\/P>\n

[GatewayA-ID]<\/SPAN>
ID-Type=      IPV4_ADDR<\/SPAN>
Address=      A.B.C.D<\/SPAN><\/FONT><\/P>\n

[IPsec-LANB-LANA]<\/SPAN>
Phase=                  2<\/SPAN>
ISAKMP-peer=            ISAKMP-peer-GatewayA<\/SPAN>
Configuration=          Default-quick-mode<\/SPAN>
Local-ID=               LANB<\/SPAN>
Remote-ID=              LANA<\/SPAN><\/FONT><\/P>\n

[LANB]<\/SPAN>
ID-type=                IPV4_ADDR_SUBNET<\/SPAN>
Network=                192.168.1.0<\/SPAN>
Netmask=                255.255.255.0<\/SPAN><\/FONT><\/P>\n

[LANA]<\/SPAN>
ID-type=                IPV4_ADDR_SUBNET<\/SPAN>
Network=                192.168.0.0<\/SPAN>
Netmask=                255.255.255.0<\/SPAN><\/FONT><\/P>\n

[IPsec-GatewayB-GatewayA]<\/SPAN>
Phase=                  2<\/SPAN>
ISAKMP-peer=            ISAKMP-peer-GatewayA<\/SPAN>
Configuration=          Default-quick-mode<\/SPAN>
Local-ID=               GatewayB<\/SPAN>
Remote-ID=              GatewayA<\/SPAN><\/FONT><\/P>\n

[GatewayB]<\/SPAN>
ID-type=                IPV4_ADDR<\/SPAN>
Address=                X.Y.Z.T<\/SPAN><\/FONT><\/P>\n

[GatewayA]<\/SPAN>
ID-type=                IPV4_ADDR<\/SPAN>
Address=                A.B.C.D<\/SPAN><\/FONT><\/P>\n

[Default-main-mode]<\/SPAN>
DOI=                    IPSEC<\/SPAN>
EXCHANGE_TYPE=          ID_PROT<\/SPAN>
Transforms=             3DES-SHA-RSA_SIG<\/SPAN><\/FONT><\/P>\n

[Default-quick-mode]<\/SPAN>
DOI=                    IPSEC<\/SPAN>
EXCHANGE_TYPE=          QUICK_MODE<\/SPAN>
Suites=                 QM-ESP-3DES-SHA-PFS-SUITE<\/SPAN><\/FONT><\/P>\n

 <\/P>\n

isakmpd.policy:<\/FONT><\/SPAN><\/P>\n

Code:<\/SPAN>
Keynote-version: 2<\/SPAN>
Authorizer: \"POLICY\"<\/SPAN>
Licensees: \"DN:xxx\"<\/SPAN>
Conditions: app_domain == \"IPsec policy\" &&<\/SPAN>
            esp_present == \"yes\" &&<\/SPAN>
            esp_enc_alg == \"3des\" &&<\/SPAN>
            esp_auth_alg == \"hmac-sha\" -> \"true\";<\/SPAN><\/FONT><\/P>\n

 <\/P>\n

unde xxx este inlocuit cu output-ul comenzii:<\/SPAN>
Code:<\/SPAN>
# openssl x509 -in \/etc\/isakmpd\/ca\/ca.crt -noout -subject<\/SPAN><\/FONT><\/P>\n","protected":false},"excerpt":{"rendered":"

############## IPsec VPN ############## Scenariu: Code:         A.B.C.D                             X.Y.Z.T[ Gateway A ] ———- { INTERNET } ———- [ Gateway B ]         |                           […]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_import_markdown_pro_load_document_selector":0,"_import_markdown_pro_submit_text_textarea":"","site-sidebar-layout":"default","site-content-layout":"","ast-site-content-layout":"","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","theme-transparent-header-meta":"","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"default","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"footnotes":""},"categories":[39],"tags":[],"class_list":["post-150","post","type-post","status-publish","format-standard","hentry","category-os_linux_unix_macos"],"_links":{"self":[{"href":"https:\/\/hasu0707.duckdns.org\/blog\/index.php?rest_route=\/wp\/v2\/posts\/150","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/hasu0707.duckdns.org\/blog\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/hasu0707.duckdns.org\/blog\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/hasu0707.duckdns.org\/blog\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/hasu0707.duckdns.org\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=150"}],"version-history":[{"count":0,"href":"https:\/\/hasu0707.duckdns.org\/blog\/index.php?rest_route=\/wp\/v2\/posts\/150\/revisions"}],"wp:attachment":[{"href":"https:\/\/hasu0707.duckdns.org\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=150"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/hasu0707.duckdns.org\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=150"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/hasu0707.duckdns.org\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=150"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}