/etc/examples/sysctl.conf /etc/
ras# vi /etc/sysctl.conf
net.inet.ip.forwarding=1        # 1=Permit forwarding (routing) of IPv4 packets
ras# vi /etc/rc.conf.local
iked_flags=""
ras# vi /etc/pf.conf
pass in log on smsc0 proto udp from any to 192.168.11.254 port {isakmp, ipsec-nat-t}
pass in log on enc0
CA passphrase:
Generating RSA private key, 2048 bit long modulus
.........+++++
................................................................................................+++
e is 65537 (0x10001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
...
State or Province Name (full name) [Niigata]:
Locality Name (eg, city) [Sanjo]:
Organization Name (eg, company) [Ginzado]:
Organizational Unit Name (eg, section) [BT]:
Common Name (eg, fully qualified host name) [VPN CA]:
Email Address [m-asama@ginzado.co.jp]:
Signature ok
subject=/C=JP/ST=Niigata/L=Sanjo/O=Ginzado/OU=BT/CN=VPN CA/emailAddress=m-asama@ginzado.co.jp
Getting Private key
Using configuration from /etc/ssl/vpn/ca-revoke-ssl.cnf
ras# ikectl ca vpn install
certificate for CA 'vpn' installed into /etc/iked/ca/ca.crt
CRL for CA 'vpn' installed to /etc/iked/crls/ca.crl
RSA private key, 2048 bit long modulus
..............................................................................+++++
..................................+++++
e is 65537 (0x10001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [JP]:
State or Province Name (full name) [Niigata]:
Locality Name (eg, city) [Sanjo]:
Organization Name (eg, company) [Ginzado]:
Organizational Unit Name (eg, section) [BT]:
...
[ras.my.domain]:
Email Address [m-asama@ginzado.co.jp]:
Using configuration from /etc/ssl/vpn/ras.my.domain-ssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'JP'
stateOrProvinceName   :ASN.1 12:'Niigata'
localityName          :ASN.1 12:'Sanjo'
organizationName      :ASN.1 12:'Ginzado'
organizationalUnitName:ASN.1 12:'BT'
commonName            :ASN.1 12:'ras.my.domain'
emailAddress          :IA5STRING:'m-asama@ginzado.co.jp'
Certificate is to be certified until Feb 5 04:51:16 2021 GMT (365 days)
Write out database with 1 new entries
Data Base Updated
ras# ikectl ca vpn certificate ras.my.domain install
writing RSA key
If the Responder sends a challenge and the Initiator returns the correct response, authentication succeeds.
• Authentication of the Responder as seen from the Initiator
• The Responder signs the contents of IKE_SA_INIT (and related data) with its private key and sends the signature to the Initiator
• The Initiator verifies it with the CA's public key, and thereby authenticates the Responder
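The AUTH exchange described above, as an added example that is not part of the slides: the octets each peer authenticates are its own IKE_SA_INIT message, the peer's nonce and a MAC over its own ID payload (RFC 7296 section 2.15). The slides use certificate signatures over these octets; this example swaps in the shared-secret variant from the same RFC section, because that runs with only the Python standard library. HMAC-SHA256 stands in for the negotiated prf, and every message, nonce, key (SK_pi, SK_pr) and the PSK are constructed values; the two identities are taken from the slide's flow output.

```python
"""IKEv2 AUTH payload, shared-secret variant (RFC 7296 section 2.15).

Added example with constructed inputs; in a real exchange the messages,
nonces and SK_pi/SK_pr come from IKE_SA_INIT and the SKEYSEED derivation.
"""
import hashlib
import hmac
import socket

KEY_PAD = b"Key Pad for IKEv2"   # fixed pad string from RFC 7296 section 2.15

ID_IPV4_ADDR = 1                 # ID payload types used below
ID_FQDN = 2


def prf(key: bytes, data: bytes) -> bytes:
    """Negotiated prf; here PRF_HMAC_SHA2_256 (an assumption of this example)."""
    return hmac.new(key, data, hashlib.sha256).digest()


def rest_of_id_payload(id_type: int, id_data: bytes) -> bytes:
    """ID payload without its generic header: type octet, 3 reserved octets, data."""
    return bytes([id_type, 0, 0, 0]) + id_data


def signed_octets(own_init_msg: bytes, peer_nonce: bytes, sk_p: bytes, own_id: bytes) -> bytes:
    """Octets a peer authenticates: own IKE_SA_INIT message | peer nonce | prf(SK_p, own ID)."""
    return own_init_msg + peer_nonce + prf(sk_p, own_id)


def psk_auth(psk: bytes, octets: bytes) -> bytes:
    """AUTH = prf(prf(Shared Secret, "Key Pad for IKEv2"), <SignedOctets>)."""
    return prf(prf(psk, KEY_PAD), octets)


def verify_auth(psk: bytes, octets: bytes, received_auth: bytes) -> bool:
    """Constant-time comparison of the received AUTH against a local recomputation."""
    return hmac.compare_digest(psk_auth(psk, octets), received_auth)


def run_exchange(psk: bytes = b"constructed-shared-secret", tamper: bool = False) -> dict:
    """Responder produces AUTH_r, Initiator checks it; then the reverse direction.

    With tamper=True the Initiator sees a modified IKE_SA_INIT response, so
    the octets it rebuilds no longer match and verification must fail.
    """
    real_message1 = b"<constructed IKE_SA_INIT request bytes>"     # Initiator's message 1
    real_message2 = b"<constructed IKE_SA_INIT response bytes>"    # Responder's message 2
    nonce_i = bytes(range(16))                                     # constructed nonces
    nonce_r = bytes(range(16, 32))
    sk_pi = hashlib.sha256(b"constructed SK_pi").digest()          # would come from SKEYSEED
    sk_pr = hashlib.sha256(b"constructed SK_pr").digest()

    # Identities as in the slide's flows: Responder is FQDN ras.my.domain,
    # Initiator is identified by its IPv4 address.
    id_r = rest_of_id_payload(ID_FQDN, b"ras.my.domain")
    id_i = rest_of_id_payload(ID_IPV4_ADDR, socket.inet_aton("10.132.21.116"))

    # Responder side: authenticate its own message 2 together with the Initiator's nonce.
    auth_r = psk_auth(psk, signed_octets(real_message2, nonce_i, sk_pr, id_r))

    # Initiator side: rebuild the same octets from what it actually received.
    seen_message2 = real_message2.replace(b"response", b"rEsponse") if tamper else real_message2
    responder_ok = verify_auth(psk, signed_octets(seen_message2, nonce_i, sk_pr, id_r), auth_r)

    # Reverse direction: Initiator's AUTH_i over message 1 and the Responder's nonce.
    auth_i = psk_auth(psk, signed_octets(real_message1, nonce_r, sk_pi, id_i))
    initiator_ok = verify_auth(psk, signed_octets(real_message1, nonce_r, sk_pi, id_i), auth_i)

    return {
        "responder_authenticated": responder_ok,
        "initiator_authenticated": initiator_ok,
        "auth_r": auth_r.hex(),
    }


if __name__ == "__main__":
    print(run_exchange())
    print(run_exchange(tamper=True))
```

Because the Initiator's own message 1 and the Responder's nonce are part of what AUTH_i covers, a man-in-the-middle who altered IKE_SA_INIT cannot produce a matching AUTH without the secret; with certificates the same octets are signed and checked against the certified public key instead of a PSK.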
In this case the existing Child SAs are re-attached to the new IKE SA.
• Rekeying the Child SA
• Happens more often than IKE SA rekeying
• The rekey itself is simple enough, but this is again a hassle, mainly because of handling packet loss and errors
• Either the Initiator or the Responder can start CREATE_CHILD_SA, so what to do when both start one at the same time also has to be considered
In this example TSi and TSr are configured identically on the Responder, but in practice, once TSi has been authenticated, the flow is narrowed to only the address assigned to the Initiator.
ras# ipsecctl -s flow
flow esp in from 192.168.11.246 to 0.0.0.0/0 peer 203.0.113.85 srcid FQDN/ras.my.domain dstid IPV4/10.132.21.116 type use
flow esp out from 0.0.0.0/0 to 192.168.11.246 peer 203.0.113.85 srcid FQDN/ras.my.domain dstid IPV4/10.132.21.116 type require
flow esp out from ::/0 to ::/0 type deny
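A check for the narrowing described above, as an added example that is not part of the slides: it parses the text format of `ipsecctl -s flow` and flags any use/require flow whose client-side selector (the `from` address of an inbound flow, the `to` address of an outbound one) is still a 0-length prefix instead of a single assigned address. The first sample is the slide's own output; the second sample is a constructed counterexample where the inbound flow was left at the wildcard.

```python
"""Verify that negotiated IPsec flows were narrowed to the assigned client address.

Added example. Input is the text printed by 'ipsecctl -s flow'; the samples
below are constructed (the first copies the slide's output).
"""
import ipaddress
import re

# Flows from the slide: inbound/outbound narrowed to 192.168.11.246, IPv6 denied.
SAMPLE_FLOWS = """\
flow esp in from 192.168.11.246 to 0.0.0.0/0 peer 203.0.113.85 srcid FQDN/ras.my.domain dstid IPV4/10.132.21.116 type use
flow esp out from 0.0.0.0/0 to 192.168.11.246 peer 203.0.113.85 srcid FQDN/ras.my.domain dstid IPV4/10.132.21.116 type require
flow esp out from ::/0 to ::/0 type deny
"""

# Constructed counterexample: inbound selector never narrowed.
WIDE_FLOWS = """\
flow esp in from 0.0.0.0/0 to 0.0.0.0/0 peer 203.0.113.85 srcid FQDN/ras.my.domain dstid IPV4/10.132.21.116 type use
flow esp out from 0.0.0.0/0 to 192.168.11.246 peer 203.0.113.85 srcid FQDN/ras.my.domain dstid IPV4/10.132.21.116 type require
"""

FLOW_RE = re.compile(
    r"^flow (?P<proto>\S+) (?P<dir>in|out) from (?P<src>\S+) to (?P<dst>\S+)"
    r"(?: peer (?P<peer>\S+))?(?: srcid (?P<srcid>\S+))?(?: dstid (?P<dstid>\S+))?"
    r" type (?P<type>\S+)$"
)


def parse_flows(text: str) -> list:
    """Turn each 'flow ...' line into a dict; src/dst become ip_network objects."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = FLOW_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised flow line: {line}")
        flow = m.groupdict()
        flow["src"] = ipaddress.ip_network(flow["src"], strict=False)  # bare host -> /32 or /128
        flow["dst"] = ipaddress.ip_network(flow["dst"], strict=False)
        flows.append(flow)
    return flows


def client_selector(flow: dict):
    """The client-side end of the flow: source for inbound, destination for outbound."""
    return flow["src"] if flow["dir"] == "in" else flow["dst"]


def unnarrowed_flows(flows: list) -> list:
    """(direction, selector) for every enforcing flow whose client side is a wildcard."""
    bad = []
    for flow in flows:
        if flow["type"] == "deny":        # deny flows carry no traffic, ignore them
            continue
        sel = client_selector(flow)
        if sel.prefixlen == 0:
            bad.append((flow["dir"], str(sel)))
    return bad


def client_addresses(flows: list) -> set:
    """Single host addresses the enforcing flows were narrowed to."""
    addrs = set()
    for flow in flows:
        if flow["type"] == "deny":
            continue
        sel = client_selector(flow)
        if sel.prefixlen == sel.max_prefixlen:
            addrs.add(str(sel.network_address))
    return addrs


if __name__ == "__main__":
    for name, text in (("slide output", SAMPLE_FLOWS), ("wide counterexample", WIDE_FLOWS)):
        flows = parse_flows(text)
        print(name, "clients:", client_addresses(flows), "unnarrowed:", unnarrowed_flows(flows))
```

On the gateway this would be run over the live `ipsecctl -s flow` output after a client connects; a non-empty result means the kernel would accept ESP traffic from any source address on that SA, which is exactly what the narrowing to the assigned address is meant to prevent.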
Long ago ESP only encrypted and did not guarantee integrity; when integrity was required it was combined with AH. Once ESP could guarantee integrity itself, AH was hardly ever used.
• Security-wise, encryption without an integrity check is said to be a bad idea
• IPComp is for compressing the payload