search for: certificate_typ

...k.txt"; path certificate "/etc/certs"; remote anonymous { exchange_mode aggressive,main; my_identifier asn1dn; peers_identifier asn1dn; lifetime time 2 min; # sec,min,hour initial_contact on; proposal_check obey; # obey, strict or claim certificate_type x509 "slave1.public" "slave1.private"; proposal { encryption_algorithm 3des; hash_algorithm sha1; authentication_method rsasig; dh_group 2 ; } } sainfo anonymous { pfs_group 1; lifetime time 2 min; e...

...l/etc/racoon/certs"; listen { isakmp 192.168.2.10; strict_address; } remote 192.168.2.11 { exchange_mode main; doi ipsec_doi; situation identity_only; my_identifier asn1dn; peers_identifier asn1dn; verify_identifier on; certificate_type x509 "mad.public" "mad.private"; peers_certfile x509 "laptop.public"; send_cert on; send_cr on; verify_cert on; lifetime time 300 sec; passive off; proposal_check strict; nonce_size 256; proposal...

...e (no passphrase, so that racoon can read the key) and host-a.public and likewise for host-b, just the way ifup-ipsec script expects them to be. After doing "ifup IPSecToHostB" on host-a, and "ifup IPSecToHostA" on host-b, the generated racoon configuration looks good (long certificate_type line might get wrapped around by my mail client, but it is a single line in the configuration file). This is store in /etc/racoon/192.168.1.100.conf, which is included from racoon.conf. remote 192.168.1.100 { exchange_mode aggressive, main; my_identifier asn1dn; peer...

.../racoon/racoon.sock" "root" "nobody" 0660; >>> isakmp 172.28.45.4 [500]; >>> isakmp_natt 172.28.45.4 [4500]; >>> } >>> >>> remote anonymous { >>> exchange_mode aggressive; >>> certificate_type x509 "gwenc.crt" "gwenc.key"; >>> my_identifier asn1dn; >>> proposal_check claim; >>> generate_policy on; >>> nat_traversal on; >>> dpd_delay 20; >>> ike_frag on; >&gt...

...dfile "/var/run/racoon.pid"; #log debug; listen { adminsock "/var/racoon/racoon.sock" "root" "nobody" 0660; isakmp 172.28.45.4 [500]; isakmp_natt 172.28.45.4 [4500]; } remote anonymous { exchange_mode aggressive; certificate_type x509 "gwenc.crt" "gwenc.key"; my_identifier asn1dn; proposal_check claim; generate_policy on; nat_traversal on; dpd_delay 20; ike_frag on; passive on; proposal { encryption_algorithm aes;...

...192.168.1.1/require ah/tunnel/192.168.1.2-192.168.1.1/require; spdadd 0.0.0.0/0 192.168.1.2/32 any -P in ipsec esp/tunnel/192.168.1.1-192.168.1.2/require ah/tunnel/192.168.1.1-192.168.1.2/require; Racoon.conf remote 192.168.1.1 { exchange_mode main; my_identifier asn1dn; peers_identifier asn1dn; certificate_type x509 "Memphis.public" "Memphis.private"; peers_certfile "Zeus.public"; proposal{ encryption_algorithm 3des; hash_algorithm sha1; authentication_method rsasig; dh_group modp1024; #I don''t understand this option } } sainfo anonymous { pfs_group modp1024; #I...

...ate chain used for signing.pem cert certificate.pem key privatekey.pem crl-verify crl.pem OpenLDAP appears similar to OpenVPN with (appears not to support CRLs): TLSCACertificatePath TLSCertificateFile TLSCertificateKeyFile Racoon wants (appears not to support CRLs): certificate_type x509 certfile keyfile ca_type x509 ca.pem But the man page doesn't talk about where the chain goes. So it appears one should generate the following file formats to satisfy all the software out there: 1. cert standalone (OpenVPN, Racoon, OpenLDAP, Postfix, Apache 2.4.7 and earlier) 2. cer...

...ipv4 > #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE /etc/racoon/racoon.conf (dynamically generated): path certificate "/etc/racoon/certs"; > > listen > { > isakmp 5.6.7.8; > } > > remote 1.2.3.4 > { > exchange_mode main; > certificate_type x509 "sandy.pem" "sandy_key.pem"; > verify_cert on; > my_identifier asn1dn ; > peers_identifier asn1dn ; > verify_identifier on ; > lifetime time 24 hour ; > proposal { > encryption_algorithm blowfish; > hash_algor...

..."log" specifies logging level. It is followed by either "notify", "debug" # or "debug2". log debug; remote anonymous { exchange_mode main,aggressive,base; #exchange_mode main,base; my_identifier asn1dn; peers_identifier asn1dn; certificate_type x509 "bsd.public" "bsd.priv" ; lifetime time 24 hour ; # sec,min,hour #initial_contact off ; #passive on ; # phase 1 proposal (for ISAKMP SA) proposal { encryption_algorithm 3des; hash_algorithm sha1; authentication_method rsasi...