{"id":968,"date":"2018-07-10T11:48:45","date_gmt":"2018-07-10T02:48:45","guid":{"rendered":"https:\/\/fsck.jp\/?p=968"},"modified":"2019-10-21T11:16:30","modified_gmt":"2019-10-21T02:16:30","slug":"x-509-%e8%a8%bc%e6%98%8e%e6%9b%b8%e3%81%ab%e3%82%88%e3%82%8b-ipsec-%e8%aa%8d%e8%a8%bc-libreswan","status":"publish","type":"post","link":"https:\/\/fsck.jp\/?p=968","title":{"rendered":"X.509 \u8a3c\u660e\u66f8\u306b\u3088\u308b IPsec \u8a8d\u8a3c (libreswan)"},"content":{"rendered":"\n

libreswan \u3092\u4f7f\u3063\u3066\u3001IPsec \u306e X.509 \u8a3c\u660e\u66f8\u8a8d\u8a3c\u3092\u691c\u8a3c\u3059\u308b\u3002<\/p>\n\n\n\n

\u691c\u8a3c\u74b0\u5883\u306f\u524d\u56de\u8a18\u4e8b<\/a>\u3068\u540c\u69d8\u3067\u3001\u4ee5\u4e0b\u306e\u56f3\u306e\u901a\u308a\u3067\u3042\u308b\u3002 <\/p>\n\n\n\n

\"\"<\/a><\/figure>\n\n\n\n

vpn1\u3001vpn2\u3001host1\u3001host2\u3001router1 OS \u306f\u5168\u3066 Ubuntu 18.04 \u3067\u3042\u308b\u3002<\/p>\n\n\n\n

1. \u8a3c\u660e\u66f8\u306e\u7528\u610f<\/h2>\n\n\n\n

libreswan \u3067\u8a3c\u660e\u66f8\u3092\u6271\u3046\u5834\u5408\u3001NSS Tools<\/a> \u306e\u6d41\u5100\u306b\u5f93\u3063\u3066\u7ba1\u7406\u3057\u306a\u3051\u308c\u3070\u306a\u3089\u306a\u3044\u3002strongswan \u306e\u3088\u3046\u306b\u30d5\u30a1\u30a4\u30eb\u30d9\u30fc\u30b9\u3067\u306e\u8a3c\u660e\u66f8\u7ba1\u7406\u306f\u3067\u304d\u306a\u3044\u3088\u3046\u306a\u306e\u3067\u3001\u5c11\u3057\u4e0d\u4fbf\u3067\u3042\u308b\u3002<\/p>\n\n\n\n

vpn1 \u5074\u306e NSS Tools \u3067\u30aa\u30ec\u30aa\u30ec CA \u3092\u4f5c\u3063\u3066\u3001vpn1\u30fbvpn2 \u4e21\u65b9\u306e\u8a3c\u660e\u66f8\u3092\u3053\u3053\u3067\u4f5c\u6210\u3059\u308b\u3053\u3068\u306b\u3059\u308b\u3002\u3042\u3068\u3067\u30a8\u30af\u30b9\u30dd\u30fc\u30c8\u3057\u3066 vpn2 \u3078\u6301\u3063\u3066\u3044\u304f\u3002<\/p>\n\n\n\n

1.1 \u521d\u671f\u5316<\/h3>\n\n\n\n

\u6700\u521d\u306b\u3001NSS \u30e9\u30a4\u30d6\u30e9\u30ea\u306e\u8a3c\u660e\u66f8\u30b9\u30c8\u30a2\u3092\u4e21\u30b5\u30fc\u30d0\u3067\u521d\u671f\u5316\u3059\u308b\u3002Ubuntu \u306e\u5834\u5408\u306f\u6a19\u6e96\u306e\u30d1\u30b9\u304c \/var\/lib\/ipsec\/nss \u306b\u306a\u3063\u3066\u3044\u308b\u3002<\/p>\n\n\n\n

user@vpn1:~$ sudo rm -f \/var\/lib\/ipsec\/nss\/*.db
\nuser@vpn1:~$ sudo ipsec initnss
\nuser@vpn2:~$ sudo rm -f \/var\/lib\/ipsec\/nss\/*.db
\nuser@vpn2:~$ sudo ipsec initnss<\/code><\/p>\n\n\n\n

1.2 CA\u9375\u30fb\u8a3c\u660e\u66f8\u306e\u4f5c\u6210<\/h3>\n\n\n\n

\u6b21\u306b\u3001vpn1 \u4e0a\u3067 CA \u9375\u3068\u8a3c\u660e\u66f8\u306e\u30bb\u30c3\u30c8\u3092\u4f5c\u6210\u3059\u308b\u3002\u4ee5\u4e0b\u306e\u3088\u3046\u306b certutil \u30b3\u30de\u30f3\u30c9\u3092\u4f7f\u7528\u3059\u308b\u3002<\/p>\n\n\n\n

user@vpn1:~$ sudo certutil -S -k rsa -n ca -s \"CN=ca.example.com\" -v 120 -t \"CT,C,C\" -x -d sql:\/var\/lib\/ipsec\/nss<\/code>

\n\nA random seed must be generated that will be used in the
\ncreation of your key. One of the easiest ways to create a
\nrandom seed is to use the timing of keystrokes on a keyboard. <\/code>

\n\nTo begin, type keys on the keyboard until this progress meter
\nis full. DO NOT USE THE AUTOREPEAT FUNCTION ON YOUR KEYBOARD!<\/code>

\n\nContinue typing until the progress meter is full:<\/code>

\n\n|***************************************************************|<\/code>

\n\nFinished. Press enter to continue:<\/code>

\n\nGenerating key. This may take a few moments\u2026<\/code><\/p>\n\n\n\n

\u9014\u4e2d\u3067\u3001\u4e71\u6570\u306e\u7a2e\u3068\u3057\u3066\u30ad\u30fc\u30dc\u30fc\u30c9\u304b\u3089\u306e\u5165\u529b\u3092\u6c42\u3081\u3089\u308c\u308b\u306e\u3067\u3001\u9069\u5f53\u306b\u30e9\u30f3\u30c0\u30e0\u5165\u529b\u3059\u308b\u3002<\/p>\n\n\n\n

\u30b3\u30de\u30f3\u30c9\u30e9\u30a4\u30f3\u30aa\u30d7\u30b7\u30e7\u30f3\u306b\u3064\u3044\u3066\u306f\u3001\u305d\u308c\u305e\u308c\u4ee5\u4e0b\u306e\u3088\u3046\u306a\u610f\u5473\u304c\u3042\u308b\u3002
\n-S<\/code> \u306f\u9375\u30fb\u8a3c\u660e\u66f8\u306e\u751f\u6210\u3068\u30c7\u30fc\u30bf\u30d9\u30fc\u30b9\u767b\u9332\u3092\u6307\u793a\u3059\u308b\u3002
\n-k<\/code> \u306f\u9375\u306e\u30bf\u30a4\u30d7\u3092\u6307\u5b9a\u3059\u308b\u3002\u3053\u3053\u3067\u306f RSA \u3092\u4f7f\u3046\u3002
\n-n<\/code> \u306f\u3001\u3053\u306e\u9375\/\u8a3c\u660e\u66f8\u306e NSS \u30b9\u30c8\u30a2\u5185\u3067\u306e\u30cb\u30c3\u30af\u30cd\u30fc\u30e0\u3092\u6307\u5b9a\u3059\u308b\u3002
\n-s<\/code> \u306f\u3001CA \u306e CN (\u30b3\u30e2\u30f3\u30cd\u30fc\u30e0) \u3092\u6307\u5b9a\u3059\u308b\u3002\u9069\u5f53\u306b\u6c7a\u3081\u3066\u3088\u3044\u3002
\n-v<\/code> \u306f\u3001\u8a3c\u660e\u66f8\u306e\u6709\u52b9\u671f\u9650\u3092\u6307\u5b9a\u3059\u308b\u3002(\u5358\u4f4d: \u6708)
\n-t \"CT,C,C\"<\/code> \u306f\u3001\u8a3c\u660e\u66f8\u306e\u4fe1\u983c\u5c5e\u6027\u3092\u6307\u5b9a\u3059\u308b\u3002
\n3\u3064\u306e\u30d5\u30a3\u30fc\u30eb\u30c9\u306e\u6700\u521d\u306f SSL\u30012\u756a\u76ee\u306f\u30e1\u30fc\u30eb\u30013\u756a\u76ee\u306f\u30aa\u30d6\u30b8\u30a7\u30af\u30c8\u7f72\u540d\u306e\u7528\u9014\u3092\u8868\u3059\u3002
\nC \u306f CA\u3001T \u306f\u30af\u30e9\u30a4\u30a2\u30f3\u30c8\u8a8d\u8a3c\u8a3c\u660e\u66f8\u767a\u884c\u306e\u305f\u3081\u306e CA \u3092\u8868\u3059\u3002
\nIPsec \u306e\u8a8d\u8a3c\u4ee5\u5916\u306b\u3053\u306e CA \u3092\u4f7f\u3046\u3053\u3068\u304c\u306a\u3051\u308c\u3070\u3001C,,<\/code> \u3060\u3051\u3067\u3082\u826f\u3044\u3002
\n-x<\/code> \u306f\u3001\u81ea\u5df1\u7f72\u540d\u8a3c\u660e\u66f8\u306b\u3059\u308b\u3053\u3068\u3092\u6307\u5b9a\u3059\u308b\u3002
\n-d sql:\/var\/lib\/ipsec\/nss<\/code> \u306f\u3001\u8a3c\u660e\u66f8\u30b9\u30c8\u30a2\u306e\u30d1\u30b9\u3092\u8868\u3059\u3002sql: \u3092\u4ed8\u3051\u3066\u304a\u304b\u306a\u3044\u3068 libreswan \u304b\u3089\u5229\u7528\u3067\u304d\u306a\u3044\u306e\u3067\u6ce8\u610f\u3002<\/p>\n\n\n\n

1.3 \u30db\u30b9\u30c8\u9375\u30fb\u8a3c\u660e\u66f8\u306e\u4f5c\u6210<\/h3>\n\n\n\n

\u6b21\u306b\u3001vpn1 \u306e\u30db\u30b9\u30c8\u9375\/\u8a3c\u660e\u66f8\u30bb\u30c3\u30c8\u3092\u4f5c\u308b\u3002\u9014\u4e2d\u3067\u30ad\u30fc\u30dc\u30fc\u30c9\u304b\u3089\u306e\u5165\u529b\u3092\u6c42\u3081\u3089\u308c\u308b\u306e\u306f\u5148\u307b\u3069\u3068\u540c\u69d8\u3067\u3042\u308b\u3002
\nuser@vpn1:~$ sudo certutil -S -k rsa -c ca -n vpn1 -s \"CN=vpn1.example.com\" -v 60 -t \"u,u,u\" -d sql:\/var\/lib\/ipsec\/nss<\/code><\/p>\n\n\n\n

\u30b3\u30de\u30f3\u30c9\u30e9\u30a4\u30f3\u30aa\u30d7\u30b7\u30e7\u30f3\u306b\u3064\u3044\u3066\u306f\u4ee5\u4e0b\u306e\u901a\u308a\u3002
\n-c<\/code> \u3067\u3001\u5148\u307b\u3069\u4f5c\u6210\u3057\u305f CA \u9375 (\u30cb\u30c3\u30af\u30cd\u30fc\u30e0\u304c “ca”) \u3067\u306e\u7f72\u540d\u3092\u6307\u5b9a\u3059\u308b\u3002
\n-n<\/code> \u306f\u3001\u3053\u306e\u9375\/\u8a3c\u660e\u66f8\u306e NSS \u30b9\u30c8\u30a2\u5185\u3067\u306e\u30cb\u30c3\u30af\u30cd\u30fc\u30e0\u3092\u6307\u5b9a\u3059\u308b\u3002\u3042\u3068\u3067\u3053\u308c\u3092\u5229\u7528\u3059\u308b\u3002
\n-s<\/code> \u306f\u3001\u8a3c\u660e\u66f8\u306e CN (\u30b3\u30e2\u30f3\u30cd\u30fc\u30e0) \u3092\u6307\u5b9a\u3059\u308b\u3002\u3053\u3053\u3067\u306f vpn1 \u306e FQDN \u306b\u3057\u3066\u304a\u304f\u3002
\n-t \"u,u,u\"<\/code> \u306f\u3001\u8a3c\u660e\u66f8\u306e\u4fe1\u983c\u5c5e\u6027\u3092\u6307\u5b9a\u3059\u308b\u3002u \u306f\u30e6\u30fc\u30b6\u8a3c\u660e\u66f8\u3092\u8868\u3059\u3002<\/p>\n\n\n\n

\u3055\u3089\u306b\u3001\u540c\u3058\u4f5c\u308a\u65b9\u3067 vpn2 \u7528\u306e\u9375\u30fb\u8a3c\u660e\u66f8\u3092\u4f5c\u308b\u3002\u540c\u69d8\u306b\u3001\u30e9\u30f3\u30c0\u30e0\u30ad\u30fc\u5165\u529b\u304c\u6c42\u3081\u3089\u308c\u308b\u3002
\nuser@vpn1:~$ sudo certutil -S -k rsa -c ca -n vpn2 -s \"CN=vpn2.example.com\" -v 60 -t \"u,u,u\" -d sql:\/var\/lib\/ipsec\/nss<\/code><\/p>\n\n\n\n

\u3053\u3053\u307e\u3067\u3067 CA \u3068 vpn1 \u3068 vpn2 \u306e 3\u30bb\u30c3\u30c8\u306e\u9375\u30fb\u8a3c\u660e\u66f8\u304c\u4f5c\u6210\u3067\u304d\u305f\u3002<\/p>\n\n\n\n

1.4 vpn2 \u7528\u306e\u9375\u3068\u8a3c\u660e\u66f8\u3092\u30a8\u30af\u30b9\u30dd\u30fc\u30c8\u30fb\u30a4\u30f3\u30dd\u30fc\u30c8<\/h3>\n\n\n\n

vpn2 \u306e\u9375\u30fb\u8a3c\u660e\u66f8\u3068\u3001CA \u8a3c\u660e\u66f8\u3092\u30d5\u30a1\u30a4\u30eb\u3078\u30a8\u30af\u30b9\u30dd\u30fc\u30c8\u3057\u3066\u3001vpn2 \u3078\u6301\u3063\u3066\u3044\u304f\u3002\u9375\u3092\u542b\u3080\u30d5\u30a1\u30a4\u30eb\u306f PEM \u5f62\u5f0f\u3067\u30a8\u30af\u30b9\u30dd\u30fc\u30c8\u3059\u308b\u65b9\u6cd5\u304c\u7121\u3044\u306e\u3067\u3001PKCS#12 \u5f62\u5f0f\u3067\u30a8\u30af\u30b9\u30dd\u30fc\u30c8\u3059\u308b\u3002
\nuser@vpn1:~$ sudo certutil -L -n ca -a -d sql:\/var\/lib\/ipsec\/nss > ca.pem
\nuser@vpn1:~$ sudo pk12util -n vpn2 -o vpn2.p12 -d sql:\/var\/lib\/ipsec\/nss
\nEnter password for PKCS12 file: password (\u9069\u5f53\u306b\u6c7a\u3081\u305f PKCS#12 \u30d5\u30a1\u30a4\u30eb\u7528\u30d1\u30b9\u30ef\u30fc\u30c9)
\nRe-enter password: password (\u518d\u5ea6\u5165\u529b)
\npk12util: PKCS12 EXPORT SUCCESSFUL
\nuser@vpn1:~$ sudo chown user vpn2.p12<\/code><\/p>\n\n\n\n

\u30a8\u30af\u30b9\u30dd\u30fc\u30c8\u3057\u305f\u30d5\u30a1\u30a4\u30eb\u3092 vpn2 \u3078\u30cd\u30c3\u30c8\u30ef\u30fc\u30af\u30b3\u30d4\u30fc\u3059\u308b\u3002
\nuser@vpn1:~$ scp ca.pem vpn2.p12 vpn2:
\nuser@vpn1:~$ rm ca.pem vpn2.p12<\/code><\/p>\n\n\n\n

vpn2 \u5074\u3067\u30a4\u30f3\u30dd\u30fc\u30c8\u3059\u308b\u3002
\nuser@vpn2:~$ sudo certutil -A -a -i ca.pem -n ca -t 'CT,,' -d sql:\/var\/lib\/ipsec\/nss
\nuser@vpn2:~$ sudo pk12util -i vpn2.p12 -d sql:\/var\/lib\/ipsec\/nss
\nEnter password for PKCS12 file: password (\u5148\u307b\u3069\u6c7a\u3081\u305f\u30d1\u30b9\u30ef\u30fc\u30c9)
\npk12util: PKCS12 IMPORT SUCCESSFUL
\nuser@vpn2:~$ rm ca.pem vpn2.p12<\/code><\/p>\n\n\n\n

2. libreswan \u306e\u8a2d\u5b9a<\/h2>\n\n\n\n

2.1 vpn1 \u5074<\/h3>\n\n\n\n

vpn1 \u306e libreswan \u8a2d\u5b9a\u3092\u7de8\u96c6\u3059\u308b\u3002<\/p>\n\n\n\n

user@vpn1:~$ sudo vi \/etc\/ipsec.d\/linux-to-linux.conf<\/code><\/p>\n\n\n\n

conn linux-to-linux\n\tauthby=rsasig\n\tauto=add\n\tdpdaction=clear\n\tleftcert=vpn1\n\tleftid=\"CN=vpn1.example.com\"\n\tleft=198.51.100.100\n\tleftsubnet=10.0.1.0\/24\n\trightid=\"CN=vpn2.example.com\"\n\tright=203.0.113.100\n\trightsubnet=10.0.2.0\/24<\/pre>\n\n\n\n
leftcert \u306b vpn1 \u3092\u6307\u5b9a\u3059\u308b\u3002\u3053\u308c\u306f vpn1 \u8a3c\u660e\u66f8\u3092\u4f5c\u6210\u3057\u305f\u6642\u306e\u30cb\u30c3\u30af\u30cd\u30fc\u30e0\u3092\u6307\u5b9a\u3057\u3066\u3044\u308b\u3002<\/p>\n\n\n\n
leftid\u3001rightid \u306f\u3001\u305d\u308c\u305e\u308c\u306e\u7aef\u70b9\u306e Peer ID \u3067\u3042\u308b\u3002\u8a3c\u660e\u66f8\u306e CN \u30d5\u30a3\u30fc\u30eb\u30c9\u3092\u30c0\u30d6\u30eb\u30af\u30a9\u30fc\u30c6\u30fc\u30b7\u30e7\u30f3\u3067\u56f2\u3063\u3066\u6307\u5b9a\u3059\u308b\u3002<\/p>\n\n\n\n
2.2 vpn2 \u5074<\/h3>\n\n\n\n
vpn2 \u306e\u65b9\u3082\u540c\u69d8\u306b\u8a2d\u5b9a\u3059\u308b\u3002<\/p>\n\n\n\n
user@vpn2:~$ sudo vi \/etc\/ipsec.d\/linux-to-linux.conf<\/code><\/p>\n\n\n\n
conn linux-to-linux\n\tauthby=rsasig\n\tauto=start\n\tdpdaction=restart\n\tleftcert=vpn2\n\tleftid=\"CN=vpn2.example.com\"\n\tleft=203.0.113.100\n\tleftsubnet=10.0.2.0\/24\n\trightid=\"CN=vpn1.example.com\"\n\tright=198.51.100.100\n\trightsubnet=10.0.1.0\/24<\/pre>\n\n\n\n
2.3 \u518d\u8d77\u52d5<\/h3>\n\n\n\n
\u30c7\u30fc\u30e2\u30f3\u3092\u518d\u8d77\u52d5\u3059\u308b\u3002
\nuser@vpn1:~$ sudo systemctl restart ipsec
\nuser@vpn2:~$ sudo systemctl restart ipsec<\/code><\/p>\n\n\n\n
2.4 \u78ba\u8a8d<\/h3>\n\n\n\n
\u63a5\u7d9a\u72b6\u614b\u3092\u78ba\u8a8d\u3059\u308b\u3002<\/p>\n\n\n\n
user@vpn1:~$ sudo ip xfrm state
\nsrc 203.0.113.100 dst 198.51.100.100
\n        proto esp spi 0xc8f7a785 reqid 16389 mode tunnel
\n        replay-window 32 flag af-unspec
\n        auth-trunc hmac(sha1) 0xed85061c48c4fbc2dcce034191fb5a5a7c12d9e3 96
\n        enc cbc(aes) 0x7e39a613f56f3cb06b022561c0a8e65b
\n        anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
\nsrc 198.51.100.100 dst 203.0.113.100
\n        proto esp spi 0x90027aeb reqid 16389 mode tunnel
\n        replay-window 32 flag af-unspec
\n        auth-trunc hmac(sha1) 0xf3fa1c2609590b83e4c9c95b1ad38d80492f267a 96
\n        enc cbc(aes) 0x9e039bf741f7a4c7a9e1920d241fae65
\n        anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000<\/code><\/p>\n\n\n\n
\u53c2\u8003:
\nHOWTO: Using NSS with libreswan<\/a>
\ncertutil\u306b\u3088\u308b\u8a3c\u660e\u66f8\u7ba1\u7406 [Fedora14]<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"
libreswan \u3092\u4f7f\u3063\u3066\u3001IPsec \u306e X.509 \u8a3c\u660e\u66f8\u8a8d\u8a3c\u3092\u691c\u8a3c\u3059\u308b\u3002 \u691c\u8a3c\u74b0\u5883\u306f\u524d\u56de\u8a18\u4e8b\u3068\u540c\u69d8\u3067\u3001\u4ee5\u4e0b\u306e\u56f3\u306e\u901a\u308a\u3067\u3042\u308b\u3002 vpn1\u3001vpn2\u3001host1\u3001host2\u3001router1 OS \u306f\u5168\u3066 Ubuntu […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[13,9,15,12,7],"tags":[],"_links":{"self":[{"href":"https:\/\/fsck.jp\/index.php?rest_route=\/wp\/v2\/posts\/968"}],"collection":[{"href":"https:\/\/fsck.jp\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/fsck.jp\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/fsck.jp\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/fsck.jp\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=968"}],"version-history":[{"count":0,"href":"https:\/\/fsck.jp\/index.php?rest_route=\/wp\/v2\/posts\/968\/revisions"}],"wp:attachment":[{"href":"https:\/\/fsck.jp\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=968"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/fsck.jp\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=968"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/fsck.jp\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=968"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}