The file ipsec.secrets stores the secrets used by the pluto daemon to authenticate communication between the two gateways. Two kinds of secrets can be configured in this file: preshared secrets and RSA private keys. Check the ownership and permissions of this file to be sure that the super-user root owns it and that its permissions block all access by others.
An example secret is supplied in the ipsec.secrets file by default. You should replace it with one of your own. With automatic keying you may use a shared secret of up to 256 bits, which is then used during the key exchanges to make sure a man-in-the-middle attack does not occur.
To create a new shared secret, use the following command:
[root@deep] /# ipsec ranbits 256 > temp
A new random key is created with the ranbits(8) utility and written to the file named temp. The ranbits utility may pause for a few seconds if not enough entropy is available immediately. Don't forget to delete the temporary file as soon as you are done with it.
Now that the new shared secret has been created in the temp file, we must put it in the /etc/ipsec.secrets file. When you open ipsec.secrets in your text editor, you should see something like the following. Each line holds the IP addresses of the two gateways plus the secret:
# This file holds shared secrets which are currently the only inter-Pluto
# authentication mechanism. See ipsec_pluto(8) manpage. Each secret is
# (oversimplifying slightly) for one pair of negotiating hosts.
# The shared secrets are arbitrary character strings and should be both
# long and hard to guess.
# Note that all secrets must now be enclosed in quotes, even if they have
# no white space inside them.
10.0.0.1 11.0.0.1 "jxVS1kVUTTulkVRRTnTujSm444jRuU1mlkklku2nkW3nnVu V2WjjRRnulmlkmU1Run5VSnnRT"
Edit the ipsec.secrets file (vi /etc/ipsec.secrets) and change the default secret line:
10.0.0.1 11.0.0.1 " jxVS1kVUTTulkVRRTnTujSm444jRuU1mlkklku2nkW3nnVu V2WjjRRnulmlkmU1Run5VSnnRT "
To read:
208.164.186.1 208.164.186.2 "0x9748cc31_2e99194f_d230589b_cd846b57_dc070b01_74b66f34_19c40a1a_804906ed"
Here 208.164.186.1 and 208.164.186.2 are the IP addresses of the two gateways, and "0x9748cc31_2e99194f_d230589b_cd846b57_dc070b01_74b66f34_19c40a1a_804906ed" (note that the quotes are required) is the shared secret we generated above into the temp file with the command ipsec ranbits 256 > temp.
The files ipsec.conf and ipsec.secrets must be copied to the second gateway machine so that they are identical on both ends. The only exception is the ipsec.conf file, whose section labeled by the line config setup must hold the correct interface settings for the second gateway if they differ from those of the first. The ipsec.secrets file, unlike an RSA private key, must contain exactly the same shared secrets on both gateways.
The file /etc/ipsec.secrets should have permissions rw------- (600) and be owned by the super-user root. The file /etc/ipsec.conf is installed with permissions rw-r--r-- (644) and must also be owned by root.
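To check that an ipsec.secrets file meets the requirements described in this section (mode 600, owned by root, every secret enclosed in quotes and long enough), here is an added audit script. It is not part of FreeS/WAN or of the original text; the script name audit-ipsec-secrets.sh and the two length thresholds (128 bits for a hex key from ipsec ranbits, 32 characters for any other string) are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not part of the original text: an audit script for the
# ipsec.secrets file that checks what the section above requires.
#   1. the file is rw------- (600) and owned by root
#   2. every non-comment line is  <gw1> <gw2> "secret"  with the secret in
#      double quotes, as the FreeS/WAN file format demands
#   3. the secret is long: a hex key from "ipsec ranbits" (0x...) must carry
#      at least 128 bits, any other string at least 32 characters.  Both
#      thresholds are this example's own assumption, not from the text.
#
# Usage:  sh audit-ipsec-secrets.sh /etc/ipsec.secrets

# check_mode FILE: succeed only if the mode string is exactly rw-------
check_mode() {
    perm=$(ls -ld "$1" | cut -c1-10)
    [ "$perm" = "-rw-------" ]
}

# check_owner FILE: succeed only if the owner shown by ls is root
check_owner() {
    owner=$(ls -ld "$1" | awk '{ print $3 }')
    [ "$owner" = "root" ]
}

# check_lines FILE: print each malformed secret line; succeed if none found
check_lines() {
    awk '
        /^[ \t]*(#|$)/ { next }                 # comments and blank lines
        {
            # third field must open the quote and the last field must close it
            if (NF < 3 || $3 !~ /^"/ || $NF !~ /"$/) {
                printf "line %d: expected <gw1> <gw2> \"secret\"\n", NR
                bad++; next
            }
            secret = $0
            sub(/^[^"]*"/, "", secret)          # drop everything up to the opening quote
            sub(/"[ \t]*$/, "", secret)         # drop the closing quote
            if (secret ~ /^0x[0-9a-fA-F_]+$/) { # ranbits-style hex key
                h = secret; gsub(/^0x|_/, "", h)
                if (length(h) * 4 < 128) {
                    printf "line %d: hex secret is only %d bits\n", NR, length(h) * 4
                    bad++
                }
            } else if (length(secret) < 32) {
                printf "line %d: secret is only %d characters\n", NR, length(secret)
                bad++
            }
        }
        END { exit (bad > 0 ? 1 : 0) }
    ' "$1"
}

# audit_file FILE: run all three checks, report, succeed only if all pass
audit_file() {
    rc=0
    check_mode  "$1" || { echo "$1: mode must be 600 (rw-------)"; rc=1; }
    check_owner "$1" || { echo "$1: owner must be root"; rc=1; }
    check_lines "$1" || rc=1
    [ "$rc" -eq 0 ] && echo "$1: OK"
    return "$rc"
}

# Run the audit only when a file name is given on the command line.
if [ -n "$1" ]; then
    audit_file "$1"
fi
```

The mode and owner checks parse ls -ld rather than stat, because the two common stat implementations take different flags; the first ten characters of the ls output are the same everywhere. Run the script on both gateways after copying the file, since the section above requires identical secrets and identical permissions on each end.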