3.133.160.239@hermano.com.br:~$ ls ./tutoriais/ipsec/transporte_win_linux
3.133.160.239@hermano.com.br:~$ cat ./tutoriais/ipsec/transporte_win_linux/00-leia.txt
--------------------------------------------------------------------------------
Configuring IPsec in transport mode with a symmetric (pre-shared) key - Windows and Linux
Author: Hermano Pereira (www.hermano.com.br)
Tutorial created in July 2009
Scenario: Linux workstation and Windows server, IPsec communication (pre-shared key)
Machine I - Linux - 192.168.11.97
Machine II - Windows - 10.2.2.76 (Telnet service - TCP 23)
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
; MACHINE I: IPsec + Linux
; Install ipsec-tools and racoon
# apt-get install ipsec-tools racoon
; Configuring IPSEC-TOOLS:
; Machine I
; IP 192.168.11.97
maq1# vi /etc/ipsec-tools.conf
flush;
spdflush;
spdadd 192.168.11.97 10.2.2.76[23] tcp -P out ipsec esp/transport//require ah/transport//require;
spdadd 10.2.2.76[23] 192.168.11.97 tcp -P in ipsec esp/transport//require ah/transport//require;
; Apply the policies
maq1# setkey -f /etc/ipsec-tools.conf
; or simply restart the service:
maq1# /etc/init.d/setkey restart
; Check the policies:
maq1# setkey -D -P
; Configure racoon to enable encryption:
maq1# vi /etc/racoon/racoon.conf
path pre_shared_key "/etc/racoon/psk.txt";
listen
{
isakmp 192.168.11.97;
}
remote 10.2.2.76
{
exchange_mode main;
lifetime time 24 hour;
proposal {
encryption_algorithm 3des;
hash_algorithm sha1;
authentication_method pre_shared_key;
dh_group 2;
}
proposal_check obey;
}
sainfo address 10.2.2.76 [23] tcp address 192.168.11.97 tcp
{
pfs_group 2;
lifetime time 24 hour;
encryption_algorithm 3des;
authentication_algorithm hmac_sha1;
compression_algorithm deflate;
}
sainfo address 192.168.11.97 tcp address 10.2.2.76 [23] tcp
{
pfs_group 2;
lifetime time 24 hour;
encryption_algorithm 3des;
authentication_algorithm hmac_sha1;
compression_algorithm deflate;
}
; Fill in the 'pre-shared-key' (the value below is a placeholder meaning "fill in the key here"):
maq1# vi /etc/racoon/psk.txt
10.2.2.76 preencherachaveaqui
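The psk.txt entry above uses a placeholder key. As an added example, not part of the original tutorial and not code from racoon or ipsec-tools, the following Python script generates a random 256-bit key, writes it in the psk.txt layout racoon reads ('<peer-address> <key>'), creates the file with mode 0600 (racoon rejects a psk.txt that group or world can read, and the key lookup for the peer then fails), and checks an existing file for both conditions. The function names, the 32-character minimum and the temp-directory demo are this example's own assumptions, not racoon options.

```python
import os
import secrets
import stat
import tempfile

# Added example (not part of the tutorial or of racoon/ipsec-tools).
# The peer address is the tutorial's; the constants are this example's assumptions.
WINDOWS_PEER = "10.2.2.76"
PSK_BYTES = 32        # 256 bits of randomness, written as 64 hex characters
MIN_KEY_CHARS = 32    # reject short, guessable keys such as the tutorial's placeholder


def generate_psk(nbytes=PSK_BYTES):
    """Return a random hex key from the OS CSPRNG; racoon treats it as an opaque string."""
    return secrets.token_hex(nbytes)


def psk_line(peer_ip, key):
    """Format one psk.txt entry: peer identifier, whitespace, key."""
    if not key or any(c.isspace() for c in key):
        raise ValueError("PSK must be non-empty and must not contain whitespace")
    return f"{peer_ip} {key}\n"


def write_psk_file(path, peer_ip, key):
    """Create psk.txt readable by the owner only (mode 0600)."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(psk_line(peer_ip, key))
    os.chmod(path, 0o600)  # also tighten a file that already existed
    return path


def check_psk_file(path, min_chars=MIN_KEY_CHARS):
    """Return (ok, reason): no group/other access bits, and every key long enough."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        return False, f"mode {oct(mode)} grants group/other access; racoon rejects it"
    with open(path) as fh:
        for lineno, raw in enumerate(fh, 1):
            line = raw.strip()
            if not line or line.startswith("#"):   # racoon skips blank and '#' lines
                continue
            parts = line.split(None, 1)
            if len(parts) != 2:
                return False, f"line {lineno}: expected '<peer> <key>'"
            if len(parts[1]) < min_chars:
                return False, f"line {lineno}: key for {parts[0]} is shorter than {min_chars} chars"
    return True, "ok"


def demo(key=None, mode=0o600):
    """Write a psk.txt for the Windows peer into a temp dir, apply `mode`, and check it."""
    path = os.path.join(tempfile.mkdtemp(), "psk.txt")
    write_psk_file(path, WINDOWS_PEER, key or generate_psk())
    os.chmod(path, mode)
    return check_psk_file(path)


if __name__ == "__main__":
    print(demo())                            # strong key, mode 0600
    print(demo(key="preencherachaveaqui"))   # the tutorial's placeholder is rejected as too short
    print(demo(mode=0o644))                  # a world-readable file is rejected
```

The same key string must be entered on the Windows side in the 'Use this string to protect the key exchange (preshared key)' field; the Windows policy store is the weak point there, so the key should be pasted rather than chosen by hand.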
; Configure the service defaults:
maq1# vi /etc/default/racoon
CONFIG_MODE=""
RACOON_ARGS=""
; Restart racoon:
maq1# /etc/init.d/racoon restart
; Check the services:
maq1# setkey -D -P
maq1# tail -f /var/log/syslog | grep racoon
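The two commands above are how the tutorial verifies the result. The following Python script is an added example, not part of the original tutorial and not code from racoon: it parses racoon syslog lines and reports whether the ISAKMP-SA (phase 1) and the transport SAs for both ESP and AH, which the SPD above marks as 'require', are established in both directions with the Windows peer. The sample lines are constructed to resemble racoon's INFO/ERROR messages and are not a real capture; the regular expressions and function names are this example's own.

```python
import re

# Constructed sample syslog lines shaped like racoon's messages (not a real capture).
SAMPLE_LOG = """\
Jul 14 10:00:01 maq1 racoon: INFO: respond new phase 1 negotiation: 192.168.11.97[500]<=>10.2.2.76[500]
Jul 14 10:00:01 maq1 racoon: INFO: begin Identity Protection mode.
Jul 14 10:00:02 maq1 racoon: INFO: ISAKMP-SA established 192.168.11.97[500]-10.2.2.76[500] spi:0011223344556677:8899aabbccddeeff
Jul 14 10:00:02 maq1 racoon: INFO: respond new phase 2 negotiation: 192.168.11.97[500]<=>10.2.2.76[500]
Jul 14 10:00:03 maq1 racoon: INFO: IPsec-SA established: AH/Transport 10.2.2.76[0]->192.168.11.97[0] spi=12345678(0xbc614e)
Jul 14 10:00:03 maq1 racoon: INFO: IPsec-SA established: AH/Transport 192.168.11.97[0]->10.2.2.76[0] spi=87654321(0x5397fb1)
Jul 14 10:00:03 maq1 racoon: INFO: IPsec-SA established: ESP/Transport 10.2.2.76[0]->192.168.11.97[0] spi=11111111(0xa98ac7)
Jul 14 10:00:03 maq1 racoon: INFO: IPsec-SA established: ESP/Transport 192.168.11.97[0]->10.2.2.76[0] spi=22222222(0x153158e)
"""

# Constructed lines for a failed negotiation (e.g. the Windows proposal does not match racoon.conf).
FAILED_LOG = """\
Jul 14 10:05:00 maq1 racoon: INFO: respond new phase 1 negotiation: 192.168.11.97[500]<=>10.2.2.76[500]
Jul 14 10:05:00 maq1 racoon: ERROR: no suitable proposal found.
Jul 14 10:05:00 maq1 racoon: ERROR: failed to get valid proposal.
Jul 14 10:05:00 maq1 racoon: ERROR: failed to pre-process packet.
"""

PHASE1_RE = re.compile(r"ISAKMP-SA established (\S+?)\[\d+\]-(\S+?)\[\d+\]")
PHASE2_RE = re.compile(r"IPsec-SA established: (ESP|AH)/(Transport|Tunnel) (\S+?)\[\d+\]->(\S+?)\[\d+\]")
ERROR_RE = re.compile(r"racoon: ERROR: (.*)$")


def parse_racoon_log(text):
    """Collect phase 1 peer pairs, phase 2 SAs (proto, mode, src, dst) and error messages."""
    summary = {"phase1": set(), "sas": set(), "errors": []}
    for line in text.splitlines():
        if "racoon:" not in line:
            continue
        m = PHASE1_RE.search(line)
        if m:
            summary["phase1"].add(frozenset(m.groups()))   # peer pair, direction-independent
            continue
        m = PHASE2_RE.search(line)
        if m:
            proto, mode, src, dst = m.groups()
            summary["sas"].add((proto, mode, src, dst))
            continue
        m = ERROR_RE.search(line)
        if m:
            summary["errors"].append(m.group(1))
    return summary


def policy_satisfied(summary, local, peer, protocols=("ESP", "AH")):
    """True when phase 1 is up with `peer` and a transport SA exists in both directions
    for every protocol the SPD requires (the tutorial's policy requires ESP and AH)."""
    if frozenset((local, peer)) not in summary["phase1"]:
        return False
    for proto in protocols:
        for src, dst in ((local, peer), (peer, local)):
            if (proto, "Transport", src, dst) not in summary["sas"]:
                return False
    return True


if __name__ == "__main__":
    for name, text in (("good", SAMPLE_LOG), ("failed", FAILED_LOG)):
        s = parse_racoon_log(text)
        print(name, "policy satisfied:", policy_satisfied(s, "192.168.11.97", "10.2.2.76"),
              "errors:", s["errors"])
```

Run it against a real log with `grep racoon /var/log/syslog | python3 script.py` after replacing the constructed samples with `sys.stdin.read()`; a policy that requires both AH and ESP is only usable once all four transport SAs appear, which is why the check insists on both protocols in both directions.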
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
; MACHINE II: IPsec + Windows
; On Windows, open 'IP Security Policies':
-> Start -> Settings -> Control Panel -> Administrative Tools -> Local Security Policy -> IP Security Policies on Local Machine
; Right-click 'IP Security Policies on Local Machine' and:
-> Create IP Security Policy -> Next
; fill in:
Name:
ipsec_tutorial
Description:
-> Next ->
; uncheck:
( ) Activate the default response rule
-> Next -> Finish ->
; Double-click:
-> ipsec_tutorial
; Add a new 'IP Security Rule':
-> Add ... -> Next ->
; Leave 'This rule does not specify a tunnel' selected:
-> Next ->
; Leave 'All network connections' selected:
-> Next ->
; Select 'Use this string to protect the key exchange (preshared key)' and fill in the same key used in psk.txt on Machine I:
preencherachaveaqui
-> Next ->
; Create a new 'IP Filter List':
-> Add... ->
Name:
filter_ipsec_tutorial
; Add a filter:
-> Add... -> Next ->
; Select 'Source Address': 'My IP Address'
-> Next ->
; Select 'Destination Address': 'A specific IP Address' and fill in:
IP Address:
192.168.11.97
-> Next ->
; Select 'Protocol type': TCP.
-> Next ->
; Select 'From this port' and fill in:
23
; Select 'To any port'.
-> Next -> Finish -> Close
; Select 'filter_ipsec_tutorial'
-> Next
; Add a new filter action:
-> Add... -> Next ->
; Fill in:
Name:
action_filter_ipsec_tutorial
Description:
-> Next ->
; Select 'Negotiate security';
-> Next ->
; Select 'Do not communicate with computers that do not support IPsec'
-> Next ->
; Select 'Custom', click 'Settings' and fill in:
(x) Data and address integrity without encryption (AH)
Integrity algorithm: SHA1
(x) Data integrity and encryption (ESP)
Integrity algorithm: SHA1
Encryption algorithm: 3DES
-> Next -> Finish ->
; Select 'action_filter_ipsec_tutorial'
-> Next -> Finish ->
-> Close ->
; Final adjustment, enable session key PFS:
; Double-click:
ipsec_tutorial
; Double-click:
filter_ipsec_tutorial
; Select the 'Filter Action' tab,
; Double-click:
action_filter_ipsec_tutorial
; Leave unchecked and check as follows:
( ) Accept unsecured communication, but always respond using IPsec.
( ) Allow unsecured communication with non-IPsec-aware computers.
(x) Session key perfect forward secrecy.
-> Ok -> Close -> Close ->
; To activate IPsec, right-click 'ipsec_tutorial' and then click
; 'Assign'.
--------------------------------------------------------------------------------
References:
http://www.office.xerox.com/support/dctips/dc06cc0390.pdf
http://www.ipsec-howto.org/x299.html