2019-03-28 14:53:34

ipsec.secrets Reference

https://wiki.strongswan.org/projects/strongswan/wiki/Ipsecsecrets


PSK Secret

A preshared secret is most conveniently represented as a sequence of characters, which is delimited by double-quote characters ("). The sequence cannot contain newline or double-quote characters.
Alternatively, preshared secrets can be represented as hexadecimal or Base64 encoded binary values. A character sequence beginning with 0x is interpreted as a sequence of hexadecimal digits. Similarly, a character sequence beginning with 0s is interpreted as Base64 encoded binary data.

Notation

[ <id selectors> ] : PSK <secret>


Examples

@moon.strongswan.org @sun.strongswan.org : PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL

@moon.strongswan.org : PSK 0sFpZAZqEN6Ti9sqt4ZP5EWcqx

@sun.strongswan.org : PSK "This is a strong password" 

carol@strongswan.org : PSK "0sFpZAZqEN6Ti9sqt4ZP5EWcqx" 

: PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL


XAUTH Secret

The format of XAUTH secrets is the same as that of PSK secrets.

XAUTH secrets are IKEv1 only.

Notation

strongSwan < 4.4.0

: XAUTH <username> "<password>"

strongSwan >= 4.4.0

[ <servername> ] <username> : XAUTH "<password>"

Examples

carol : XAUTH "4iChxLT3" 

dave@strongswan.org  : XAUTH "ryftzG4A"



EAP Secret

The format of EAP secrets is the same as that of PSK secrets.

EAP secrets are IKEv2 only.

Notation

<user id> : EAP <secret>

Examples

carol : EAP "Ar3etTnp01qlpOgb" 

dave@strongswan.org : EAP "UgaM65Va"




# vim /etc/strongswan/ipsec.secrets 

: RSA server.pem    
: PSK "12345678a"    
: XAUTH "12345678b"    
test %any : EAP "12345678c"
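  • Change 12345678a above to the key you want to use for PSK authentication;

  • Change 12345678b above to the password you want to use for XAUTH authentication; the user name for this authentication method is arbitrary;

  • Change test above to the login name you want and 12345678c to the password you want. You can add more lines to get more users. These are the login credentials for IKEv2 username + password authentication.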

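: PSK "12345678a" is equivalent to: %any %any : PSK "12345678a"

    Entries follow the format "host peer : method <local certificate / protocol password> <local certificate password>". With : as the separator, the fields on each side are filled from left to right. Missing passwords are padded with null (blank); every other missing field is padded with %any (a password could hardly be %any).

For example, my configuration looks like this: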

: RSA server.key
: PSK "123456a"
%any test  : XAUTH "123456"
%any test  : EAP "123456"
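
The secret encodings described in the PSK section (quoted literal, 0x hex, 0s Base64) decide how many bytes of key material a line really carries. The following Python sketch is an added example, not code from strongSwan or from the original post: it decodes each PSK/XAUTH/EAP entry and flags short secrets. MIN_BYTES, decode_secret and audit are hypothetical names, and the 16-byte threshold is an assumption for the audit, not a strongSwan limit.

```python
import base64
import re

# Grammar from the reference above: [ <id selectors> ] : <TYPE> <secret>
ENTRY = re.compile(r'^(?P<ids>.*?)\s*:\s*(?P<type>PSK|XAUTH|EAP)\s+(?P<secret>\S.*?)\s*$')
MIN_BYTES = 16  # assumed audit threshold, not a strongSwan limit


def decode_secret(token):
    """Return the secret as the raw bytes its notation stands for."""
    if len(token) >= 2 and token[0] == '"' and token[-1] == '"':
        return token[1:-1].encode()          # quoted: taken literally
    if token.startswith("0x"):
        return bytes.fromhex(token[2:])      # hexadecimal digits
    if token.startswith("0s"):
        b64 = token[2:]
        b64 += "=" * (-len(b64) % 4)         # tolerate missing padding
        return base64.b64decode(b64, validate=True)
    raise ValueError("secret is neither quoted, 0x hex nor 0s Base64")


def audit(text):
    """Return (line_no, selectors, type, secret_len, too_short) per shared secret."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        m = ENTRY.match(line)
        if not line or line.startswith("#") or not m:
            continue                          # blank, comment, or RSA/other entry
        key = decode_secret(m["secret"])
        ids = m["ids"].split() or ["%any"]    # the page notes empty selectors act as %any
        findings.append((no, ids, m["type"], len(key), len(key) < MIN_BYTES))
    return findings


# Constructed sample: lines copied from the examples on this page.
SAMPLE = '''\
@moon.strongswan.org : PSK 0sFpZAZqEN6Ti9sqt4ZP5EWcqx
carol@strongswan.org : PSK "0sFpZAZqEN6Ti9sqt4ZP5EWcqx"
@sun.strongswan.org : PSK "This is a strong password"
: RSA server.pem
: PSK "12345678a"
test %any : EAP "12345678c"
'''

if __name__ == "__main__":
    for no, ids, kind, size, short in audit(SAMPLE):
        print(f"line {no}: {kind} {' '.join(ids)} {size} bytes" + ("  TOO SHORT" if short else ""))
```

The first two sample lines show why the quoting matters: the unquoted 0s value decodes to 18 bytes of binary key, while the same characters inside quotes are a 26-character literal password.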



