SPD: Security Policy Database

SAD: Security Association Database

ISAKMP: Internet Security Association and Key Management Protocol

"...but Vint could never sell the CATENET name, just had too many... letters in it.
Uh, the military likes three-letter acronyms, so it became TCP/IP, and, y'know, it won."

(Van Jacobson)

isakmpd(8)/ipsec(8): pre-shared key, identifikace IP adresou

isakmpd(8): RSA klíče, identifikace IP adresou

ipsec(8): RSA klíče, identifikace IP adresou

isakmpd(8): RSA klíče, identifikace FQDN

isakmpd(8): X.509 PKI

Více flows!



IKEv2: PKI commands

iked in /etc/iked/private, strongSwan in /etc/ipsec.d/private.

IKEv2 - volný pohyb po lokální síti

K zamyšlení: Které proměnné ovládá klient? Jak do nich dostane řetězec "; rm -rf /; echo"?

# cat > /etc/ipsec.d/updown.sh
POLICY_ADD="/usr/bin/sudo /bin/ip xfrm policy add"

case "${PLUTO_VERB}" in
	if [ "${PLUTO_CONNECTION}" = "vpn-mynetwork" ]; then
		logger $PLUTO_VERB adding xfrm allow policies for $PLUTO_CONNECTION at $PLUTO_PEER
		${POLICY_ADD} src "${PLUTO_MY_CLIENT}" dst "${PLUTO_MY_CLIENT}" dir in action allow
		${POLICY_ADD} src "${PLUTO_MY_CLIENT}" dst "${PLUTO_MY_CLIENT}" dir out action allow

# vi /etc/ipsec.conf
conn vpn-mynetwork
	# inspirace z /usr/libexec/ipsec/_updown

# visudo
ipsec ALL=(root) NOPASSWD: /bin/ip
# vi /etc/ipsec.conf
flow esp from MUJ_ROZSAH to MUJ_ROZSAH type bypass