3.238.204.167@hermano.com.br:~$ ls ./tutoriais/ipsec/transporte_win_linux

..   00-leia.txt  

3.238.204.167@hermano.com.br:~$ cat ./tutoriais/ipsec/transporte_win_linux/00-leia.txt


--------------------------------------------------------------------------------
Configuracao de IPSEC modo transporte e chave simetrica - Windows e Linux
Autor: Hermano Pereira (www.hermano.com.br)
Tutorial criado em Julho/2009

Cenario: Estacao Linux com Servidor Windows, comunicacao IPSEC (pre-shared-key)

Maquina I - Linux - 192.168.11.97

Maquina II - Windows - 10.2.2.76 (Servico Telnet - TCP 23)

--------------------------------------------------------------------------------


--------------------------------------------------------------------------------

; MAQUINA I: IPSEC + Linux

; Instalar ipsec-tools e racoon

# apt-get install ipsec-tools racoon

; Configurando IPSEC-TOOLS:

; Maquina I

; IP 192.168.11.97

maq1# vi /etc/ipsec-tools.conf

flush;
spdflush;

spdadd 192.168.11.97 10.2.2.76[23] tcp -P out ipsec esp/transport//require ah/transport//require;
spdadd 10.2.2.76[23] 192.168.11.97 tcp -P in ipsec esp/transport//require ah/transport//require;

; Aplicar

maq1# setkey -f /etc/ipsec-tools.conf

; ou simplesmente reiniciar o servico:

maq1# /etc/init.d/setkey restart

; Verificando Politicas:

maq1# setkey -D -P

; Configurar racoon para ativar criptografia:

maq1# vi /etc/racoon/racoon.conf

path pre_shared_key "/etc/racoon/psk.txt";

listen
{
        isakmp 192.168.11.97;
}

remote 10.2.2.76
{
exchange_mode main;
lifetime time 24 hour;
proposal {
encryption_algorithm 3des;
hash_algorithm sha1;
authentication_method pre_shared_key;
dh_group 2;
}
proposal_check obey;
}


sainfo address 10.2.2.76 [23] tcp address 192.168.11.97 tcp
{
pfs_group 2;
lifetime time 24 hour;
encryption_algorithm 3des;
authentication_algorithm hmac_sha1;
compression_algorithm deflate;
}

sainfo address 192.168.11.97 tcp address 10.2.2.76 [23] tcp
{
pfs_group 2;
lifetime time 24 hour;
encryption_algorithm 3des;
authentication_algorithm hmac_sha1;
compression_algorithm deflate;
}

; Preencher 'pre-shared-key':

maq1# vi /etc/racoon/psk.txt


10.2.2.76 preencherachaveaqui


; Configurar e ...:

maq1# vi /etc/default/racoon

CONFIG_MODE=""
RACOON_ARGS=""

; Reiniciar racoon:

maq1# /etc/init.d/racoon restart

; Verificar servicos:

maq1# setkey -D -P

maq1# tail -f /var/log/syslog | grep racoon

--------------------------------------------------------------------------------


--------------------------------------------------------------------------------

; MAQUINA II: IPSEC + Windows

; No Windows, acesse o servico 'IP Security Policies'

-> Start -> Settings -> Control Panel -> Administrative Tools -> Local Security Policy -> IP Security Policies on Local Machine

; Clique com o botao direito sobre  'IP Security Policies on Local Machine' e:

-> Create IP Security Policy -> Next

; preencha:

Name:
ipsec_tutorial
Description:

-> Next ->

; desmarque:

( ) Active the default response rule

-> Next -> Finish ->

; Duplo clique:

-> ipsec_tutorial

; Adicionar um novo 'IP Security Rules':

-> Add ... -> Next ->

; Deixar marcado 'This rule does not specify a tunnel':

-> Next ->

; Deixar marcado 'All network connection':

-> Next ->

; Selecionar 'Use this string to protect the key exchange (preshared key)' e preencher:

preencherachaveaqui

-> Next ->

; Criar um novo 'IP Filter list':

-> Add... ->

Name:
filter_ipsec_tutorial

; Adicionar filtro:

-> Add... -> Next ->

; Selecione 'Source Address': 'My IP Address'

-> Next ->

; Selecione 'Destination Address': 'A specific IP Address' e preencha:

IP Address:
192.168.11.97

-> Next ->

; Selecione 'Protocol type': TCP.

-> Next ->

; Selecione 'From this port' e preencha:

23

; Selecione 'To any port'.

-> Next -> Finish -> Close

; Selecione 'filter_ipsec_tutorial'

-> Next

; Adicione um novo filter action:

-> Add... -> Next ->

; Preencha:

Name:
action_filter_ipsec_tutorial
Description:

-> Next ->

; Selecione 'Negotiate Security';

-> Next ->

; Selecione 'Do not communicate with computers that do not support IPSEC'

-> Next ->

; Selecione 'Custom' e cliquem em 'Settings' e preencha:

(x) Data and address integrity without encryption (AH)

Integrity algorithm: SHA1

(x) Data integrity and encryption (ESP)

Integrity algorithm: SHA1

Encryption algorithm: 3DES

-> Next -> Finish ->

; Selecione 'action_filter_ipsec_tutorial'

-> Next -> Finish ->

-> Close ->

; Ultimo ajuste, ativar Session Key:

; Duplo clique em:

ipsec_tutorial

; Duplo clique em:

filter_ipsec_tutorial

; Selecione a aba 'Filter Action',

; Duplo clique em:

action_filter_ipsec_tutorial

; Marcar e desmarcar:

( ) Accept unsecured communication, but always responding using IPSEC.

( ) Allow unsecured communication with non IPSEC-aware computer.

(x) Session Key Perfect Forward Secrecy.

-> Ok -> Close -> Close ->

; Para ativar o IPSEC, clique com o direito sobre 'ipsec_tutorial' e depois clique
; em 'assign'.

--------------------------------------------------------------------------------

Referencias:

http://www.office.xerox.com/support/dctips/dc06cc0390.pdf

http://www.ipsec-howto.org/x299.html

3.238.204.167@hermano.com.br:~$ clear_