25.8. 配置 RSA 私钥密钥
回顾一下,目前 FreeSWAN 软件有两种密钥
预共享密钥
RSA 私钥。
您需要为*每个*网关创建一个单独的 RSA 密钥。每个网关都有自己的私钥ipsec.secrets文件,公钥放在leftrsasigkey和rightrsasigkeyconn 描述中的参数,位于ipsec.conf文件中,这两个网关都需要用到。
为*每个*网关创建一个单独的 RSA 密钥
在第一个网关上,即deep,使用以下命令
[root@deep] /# cd / [root@deep] /# ipsec rsasigkey --verbose 1024 > deep-keys
computing primes and modulus... getting 64 random bytes from /dev/random looking for a prime starting there found it after 30 tries getting 64 random bytes from /dev/random looking for a prime starting there found it after 230 tries swapping primes so p is the larger computing (p-1)*(q-1)... computing d... computing exp1, exp1, coeff... output...
在第二个网关上,即mail,使用以下命令
[root@mail /]# cd / [root@mail /]# ipsec rsasigkey --verbose 1024 > mail-keys
rsasigkey 实用程序生成一个 1024 位签名的 RSA 公钥和私钥对,并将其放入文件deep-keys. mail-keys对于第二个网关上的第二个命令。私钥可以原样插入到ipsec.secrets文件中,公钥插入到ipsec.conf文件中。computing primes and modulus... getting 64 random bytes from /dev/random looking for a prime starting there found it after 30 tries getting 64 random bytes from /dev/random looking for a prime starting there found it after 230 tries swapping primes so p is the larger computing (p-1)*(q-1)... computing d... computing exp1, exp1, coeff... output...
: 如果没有足够的熵可用,rsasigkey 实用程序可能会暂停几秒钟。您可能需要进行一些虚假活动,例如随机鼠标移动。临时的 RSA。deep-keys和mail-keys文件应在您完成操作后立即删除。不要忘记删除 deep-keys 和 mail-keys RSA 文件。修改您的/etc/ipsec.conf文件,以便在*每个*网关中使用 RSA 公钥
编辑您的原始ipsec.conf文件,vi/etc/ipsec.conf并在您的文件的 conn 描述中添加以下与 RSA 相关的参数ipsec.conf文件,在两个网关上
# sample connection conn deep-mail left=208.164.186.1 leftsubnet=192.168.1.0/24 leftnexthop=205.151.222.250 right=208.164.186.2 rightsubnet=192.168.1.0/24 rightnexthop=205.151.222.251 keyingtries=0 auth=ah authby=rsasig
leftrsasigkey=<Public key of deep> 
rightrsasigkey=<Public key of mail> 
auto=start
- 此参数指定两个安全网关应如何相互验证身份。默认值是用于共享密钥的 secret。由于我们已决定使用 RSA 数字签名,因此我们必须为 RSA 指定 rsasig。
- 此参数指定左侧参与者的 RSA 签名身份验证公钥。在我们的示例中,left 是 208.164.186.1,代表 deep.openna.com,因此我们必须在此行放置 deep 的 RSA 公钥。
- 此参数指定右侧参与者的 RSA 签名身份验证公钥。在我们的示例中,right 是 208.164.186.2,代表 mail.openna.com,因此我们必须在此行放置 mail 的 RSA 公钥。
您可以在名为以下名称的 RSA 密钥文件中检索 deep 的公钥deep-keys,以及在名为以下名称的 RSA 密钥文件中检索 mail 的公钥mail-keys,这是我们在上面步骤中创建的文件。这些文件看起来像这样:网关 deep 的 RSA 密钥 (deep-keys)
[root@deep] /# cd / [root@deep] /# vi deep-keys
# 1024 bits, Fri Feb 4 05:05:19 2000 # for signatures only, UNSAFE FOR ENCRYPTION #pubkey=0x010395daee1be05f3038ae529ef2668afd79f5ff1b16203c9ceaef801cea9cb74bcfb51a6ecc08890d3eb4b5470c0fc35465c8ba2ce9d1145ff07b5427e04cf4a38ef98a7f29edcb4d7689f2da7a69199e4318b4c8d0ea25d33e4f084186a2a54f4b4cec12cca1a5deac3b19d561c16a76bab772888f1fd71aa08f08502a141b611f Modulus: 0x95daee1be05f3038ae529ef2668afd79f5ff1b16203c9ceaef801cea9cb74bcfb51a6ecc08890d3eb4b5470c0fc35465c8ba2ce9d1145ff07b5427e04cf4a38ef98a7f29edcb4d7689f2da7a69199e4318b4c8d0ea25d33e4f084186a2a54f4b4cec12cca1a5deac3b19d561c16a76bab772888f1fd71aa08f08502a141b611f PublicExponent: 0x03 # everything after this point is secret PrivateExponent: 0x63e74967eaea2025c98c69f6ef0753a6a3ff6764157dbdf1f50013471324dd352366f48805b0b37f232384b2b52ce2ee85d173468b62eaa052381a9588a317b3a1324d01a531a41fa7add6c5efbdd88f4718feed2bc0246be924e81bb90f03e49ceedf7af0dd48f06f265b519600bd082c6e6bd27eaa71cc0288df1ecc3b062b Prime1: 0xc5b471a88b025dd09d4bd7b61840f20d182d9b75bb7c11eb4bd78312209e3aee7ebfe632304db6df5e211d21af7fee79c5d45546bea3ccc7b744254f6f0b847f Prime2: 0xc20a99feeafe79767122409b693be75f15e1aef76d098ab12579624aec708e85e2c5dd62080c3a64363f2f45b0e96cb4aef8918ca333a326d3f6dc2c72b75361 Exponent1: 0x83cda11b0756e935be328fcebad5f6b36573bcf927a80bf2328facb6c0697c9eff2a9976cade79ea3ec0be1674fff4512e8d8e2f29c2888524d818df9f5d02ff Exponent2: 0x815c66a9f1fefba44b6c2b124627ef94b9411f4f9e065c7618fb96dc9da05f03ec83e8ec055d7c42ced4ca2e75f0f3231f5061086ccd176f37f9e81da1cf8ceb Coefficient: 0x10d954c9e2b8d11f4db1b233ef37ff0a3cecfffad89ba5d515449b007803f577e3bd7f0183ceddfd805466d62f767f3f5a5731a73875d30186520f1753a7e325
网关 mail 的 RSA 密钥 -mail-keys:
[root@mail /]# cd / [root@mail /]# vi mail-keys
# 1024 bits, Fri Feb 4 04:46:59 2000 # for signatures only, UNSAFE FOR ENCRYPTION #pubkey=0x01037631b81f00d5e6f888c542d44dbb784cd3646f084ed96f942d341c7c4686cbd405b805dc728f8697475f11e8b1dd797550153a3f0d4ff0f2b274b70a2ebc88f073748d1c1c8821dc6be6a2f0064f3be7f8e4549f8ab9af64944f829b014788dd202cf7d2e320cab666f5e7a197e64efe0bfee94e92ce4dad82d5230c57b89edf Modulus: 0x7631b81f00d5e6f888c542d44dbb784cd3646f084ed96f942d341c7c4686cbd405b805dc728f8697475f11e8b1dd797550153a3f0d4ff0f2b274b70a2ebc88f073748d1c1c8821dc6be6a2f0064f3be7f8e4549f8ab9af64944f829b014788dd202cf7d2e320cab666f5e7a197e64efe0bfee94e92ce4dad82d5230c57b89edf PublicExponent: 0x03 # everything after this point is secret PrivateExponent: 0x4ecbd014ab3944a5b08381e2de7cfadde242f4b03490f50d737812fd8459dd3803d003e84c5faf0f84ea0bf07693a64e35637c2a08dff5f721a324b1747db09f62c871d5e11711251b845ae76753d4ef967c494b0def4f5d0762f65da603bc04c41b4c6cab4c413a72c633b608267ae2889c162a3d5bc07ee083b1c6e038400b Prime1: 0xc7f7cc8feaaac65039c39333b878bffd8f95b0dc22995c553402a5b287f341012253e9f25b83983c936f6ca512926bebee3d5403bf9f4557206c6bbfd9aac899 Prime2: 0x975015cb603ac1d488dc876132d8bc83079435d2d3395c03d5386b5c004eadd4d7b01b3d86aad0a2275d2d6b791a2abe50d7740b7725679811a32ca22db97637 Exponent1: 0x854fddb5471c84357bd7b777d0507ffe5fb92092c1bb92e37801c3cc5aa22b5616e29bf6e7ad1028624a486e0c619d47f428e2ad2a6a2e3a159d9d2a911c85bb Exponent2: 0x64e00e87957c81385b3daf9621e5d302050d7937377b92ad38d04792aadf1e8de52012290471e06c1a3e1e47a61171d435e4f807a4c39a6561177316c9264ecf Coefficient: 0x6f087591becddc210c2ee0480e30beeb25615a3615203cd3cef65e5a1d476fd9602ca0ef10d9b858edb22db42c975fb71883a470b43433a7be57df7ace4a0a3f提取 deep 和 mail 的公共 RSA 密钥文件并复制到您的ipsec.conf文件中,如下所示。您可以通过以注释掉的句子开头的行找到与公钥相关的行#pubkey=行。
# sample connection conn deep-mail left=208.164.186.1 leftsubnet=192.168.1.0/24 leftnexthop=205.151.222.250 right=208.164.186.2 rightsubnet=192.168.1.0/24 rightnexthop=205.151.222.251 keyingtries=0 auth=ah authby=rsasig leftrsasigkey=0x010395daee1be05f3038ae529ef2668afd79f5ff1b16203c9ceaef801cea9cb74bcfb51a6ecc08890d3eb4b5470c0fc35465c8ba2ce9d1145ff07b5427e04cf4a38ef98a7f29edcb4d7689f2da7a69199e4318b4c8d0ea25d33e4f084186a2a54f4b4cec12cca1a5deac3b19d561c16a76bab772888f1fd71aa08f08502a141b611f rightrsasigkey=0x01037631b81f00d5e6f888c542d44dbb784cd3646f084ed96f942d341c7c4686cbd405b805dc728f8697475f11e8b1dd797550153a3f0d4ff0f2b274b70a2ebc88f073748d1c1c8821dc6be6a2f0064f3be7f8e4549f8ab9af64944f829b014788dd202cf7d2e320cab666f5e7a197e64efe0bfee94e92ce4dad82d5230c57b89edf auto=start
: 不要忘记,在本例中,Theleftrsasigkey=参数包含 deep 的公钥
Therightrsasigkey=参数包含 mail 的公钥。
修改您的/etc/ipsec.secrets文件,以便在*每个*网关中使用 RSA 私钥:编辑您的原始ipsec.secrets文件,vi/etc/ipsec.secrets并在两个网关上添加用于身份验证的 RSA 私钥:ipsec.secrets网关 deep 的文件
[root@deep] /# vi /etc/ipsec.secrets
您必须更改您的原始ipsec.secrets文件,如上所示,使其在两个网关上看起来像以下内容。重要的是要注意,两个网关上的私钥是不同的,deep和mail。deep的私钥来自 RSA 密钥文件deep-keys,而mail的私钥来自 RSA 密钥文件mail-keys208.164.186.1 208.164.186.2 "0x9748cc31_2e99194f_d230589b_cd846b57_dc070b01_74b66f34_19c40a1a_804906ed"
208.164.186.1 208.164.186.2: RSA { Modulus: 0x95daee1be05f3038ae529ef2668afd79f5ff1b16203c9ceaef801cea9cb74bcfb51a6ecc08890d3eb4b5470c0fc35465c8ba2ce9d1145ff07b5427e04cf4a38ef98a7f29edcb4d7689f2da7a69199e4318b4c8d0ea25d33e4f084186a2a54f4b4cec12cca1a5deac3b19d561c16a76bab772888f1fd71aa08f08502a141b611f PublicExponent: 0x03 # everything after this point is secret PrivateExponent: 0x63e74967eaea2025c98c69f6ef0753a6a3ff6764157dbdf1f50013471324dd352366f48805b0b37f232384b2b52ce2ee85d173468b62eaa052381a9588a317b3a1324d01a531a41fa7add6c5efbdd88f4718feed2bc0246be924e81bb90f03e49ceedf7af0dd48f06f265b519600bd082c6e6bd27eaa71cc0288df1ecc3b062b Prime1: 0xc5b471a88b025dd09d4bd7b61840f20d182d9b75bb7c11eb4bd78312209e3aee7ebfe632304db6df5e211d21af7fee79c5d45546bea3ccc7b744254f6f0b847f Prime2: 0xc20a99feeafe79767122409b693be75f15e1aef76d098ab12579624aec708e85e2c5dd62080c3a64363f2f45b0e96cb4aef8918ca333a326d3f6dc2c72b75361 Exponent1: 0x83cda11b0756e935be328fcebad5f6b36573bcf927a80bf2328facb6c0697c9eff2a9976cade79ea3ec0be1674fff4512e8d8e2f29c2888524d818df9f5d02ff Exponent2: 0x815c66a9f1fefba44b6c2b124627ef94b9411f4f9e065c7618fb96dc9da05f03ec83e8ec055d7c42ced4ca2e75f0f3231f5061086ccd176f37f9e81da1cf8ceb Coefficient: 0x10d954c9e2b8d11f4db1b233ef37ff0a3cecfffad89ba5d515449b007803f577e3bd7f0183ceddfd805466d62f767f3f5a5731a73875d30186520f1753a7e325 }Theipsec.secrets网关 mail 的文件
[root@mail ]/# vi /etc/ipsec.secrets
通过 RSA 签名进行身份验证需要每个主机都有自己的私钥。条目的密钥部分可能以指示密钥类型的令牌开头。RSA 表示 RSA 私钥,PSK -默认情况下表示预共享密钥。由于 PSK 是默认值,我们必须指定 RSA,以便我们能够在此文件中使用 RSA 私钥ipsec.secrets。超级用户root应该拥有文件ipsec.secrets,并且其权限应设置为阻止其他人访问。208.164.186.1 208.164.186.2: RSA { Modulus: 0x95daee1be05f3038ae529ef2668afd79f5ff1b16203c9ceaef801cea9cb74bcfb51a6ecc08890d3eb4b5470c0fc35465c8ba2ce9d1145ff07b5427e04cf4a38ef98a7f29edcb4d7689f2da7a69199e4318b4c8d0ea25d33e4f084186a2a54f4b4cec12cca1a5deac3b19d561c16a76bab772888f1fd71aa08f08502a141b611f PublicExponent: 0x03 # everything after this point is secret PrivateExponent: 0x63e74967eaea2025c98c69f6ef0753a6a3ff6764157dbdf1f50013471324dd352366f48805b0b37f232384b2b52ce2ee85d173468b62eaa052381a9588a317b3a1324d01a531a41fa7add6c5efbdd88f4718feed2bc0246be924e81bb90f03e49ceedf7af0dd48f06f265b519600bd082c6e6bd27eaa71cc0288df1ecc3b062b Prime1: 0xc5b471a88b025dd09d4bd7b61840f20d182d9b75bb7c11eb4bd78312209e3aee7ebfe632304db6df5e211d21af7fee79c5d45546bea3ccc7b744254f6f0b847f Prime2: 0xc20a99feeafe79767122409b693be75f15e1aef76d098ab12579624aec708e85e2c5dd62080c3a64363f2f45b0e96cb4aef8918ca333a326d3f6dc2c72b75361 Exponent1: 0x83cda11b0756e935be328fcebad5f6b36573bcf927a80bf2328facb6c0697c9eff2a9976cade79ea3ec0be1674fff4512e8d8e2f29c2888524d818df9f5d02ff Exponent2: 0x815c66a9f1fefba44b6c2b124627ef94b9411f4f9e065c7618fb96dc9da05f03ec83e8ec055d7c42ced4ca2e75f0f3231f5061086ccd176f37f9e81da1cf8ceb Coefficient: 0x10d954c9e2b8d11f4db1b233ef37ff0a3cecfffad89ba5d515449b007803f577e3bd7f0183ceddfd805466d62f767f3f5a5731a73875d30186520f1753a7e325 }