IPSEC.SECRETS
NAME
ipsec.secrets - secrets used for IKE/IPsec authentication
DESCRIPTION
ipsec.secrets holds the preshared secrets, RSA signature keys and X.509 certificate secrets that ipsec_pluto(8) uses. Currently there are five kinds of secrets: preshared secrets, RSA private keys, X.509 certificate passphrases, and XAUTH passwords.
The file consists of a sequence of entries and include directives. For example:
# sample /etc/ipsec.secrets file for 10.1.0.1
10.1.0.1 10.2.0.1: PSK "secret shared by two hosts"

# sample roadwarrior
%any gateway.corp.com: PSK "shared secret with many roadwarriors"

# sample server for roadwarriors
myip %any : PSK "shared secret with many roadwarriors"

# an entry may be split across lines,
# but indentation matters
www.xs4all.nl @www.kremvax.ru
    10.6.0.1 10.7.0.1 1.8.0.1: PSK "secret shared by 5 systems"

# an RSA private key.
# note that the lines are too wide for a
# man page, so ... has been substituted for
# the truncated part
@my.com: rsa {
    Modulus: 0syXpo/6waam+ZhSs8Lt6jnBzu3C4grtt...
    PublicExponent: 0sAw==
    PrivateExponent: 0shlGbVR1m8Z+7rhzSyenCaBN...
    Prime1: 0s8njV7WTxzVzRz7AP+0OraDxmEAt1BL5l...
    Prime2: 0s1LgR7/oUMo9BvfU8yRFNos1s211KX5K0...
    Exponent1: 0soaXj85ihM5M2inVf/NfHmtLutVz4r...
    Exponent2: 0sjdAL9VFizF+BKU4ohguJFzOd55OG6...
    Coefficient: 0sK1LWwgnNrNFGZsS/2GuMBg9nYVZ...
    }

# An X.509 pem encoded private key file with (optional) passphrase
: RSA vpnserverKey.pem "<optional passphrase>"

# An X.509 pem encoded private key file locked with a passphrase
# Note: the %prompt keyword means someone has to actually enter the passphrase
# at load time - usually via ipsec_whack(8)
: RSA vpnserverKey.pem %prompt

# XAUTH password, used with leftxauthusername=username
@username : XAUTH "password"

include ipsec.*.secrets # get secrets from other files
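The entry syntax shown above, as an added example that is not part of this man page or of pluto itself: a small Python parser that applies the rules the sample illustrates (quoted secrets, # comments, indented continuation lines, an inline rsa { } block whose 0s values are base64, an entry with no indices, and include). SAMPLE is a constructed file with dummy values.

```python
import base64
import shlex

# Constructed sample in the entry format documented above (dummy values, not real secrets).
SAMPLE = """\
10.1.0.1 10.2.0.1: PSK "secret shared by two hosts"
# an entry may be split across lines, but indentation matters
www.xs4all.nl @www.kremvax.ru
    10.6.0.1 10.7.0.1 1.8.0.1: PSK "secret shared by 5 systems"
@my.com: rsa {
    Modulus: 0sAQID
    PublicExponent: 0sAw==
    }
: RSA vpnserverKey.pem %prompt
@username : XAUTH "password"
include ipsec.*.secrets # get secrets from other files
"""

def _logical_lines(text):
    """Join physical lines: a line that starts with whitespace continues the previous entry."""
    lines = []
    for raw in text.splitlines():
        if raw[:1].isspace() and lines:
            lines[-1] += " " + raw.strip()
        elif raw.strip():
            lines.append(raw)
    return lines

def parse_secrets(text):
    """Return (entries, includes); each entry is {'indices', 'kind', 'secret'}."""
    entries, includes = [], []
    for line in _logical_lines(text):
        tokens = shlex.split(line, comments=True)  # honours "..." quoting and # comments
        if not tokens or tokens[0] == "include":
            includes.extend(tokens[1:2])
            continue
        # Indices end at the first ':' token; the colon may be glued to the last index.
        sep = next((i for i, t in enumerate(tokens) if t == ":" or t.endswith(":")), None)
        if sep is None or sep + 1 >= len(tokens):
            raise ValueError(f"malformed entry: {line!r}")
        indices = tokens[:sep] + ([tokens[sep][:-1]] if tokens[sep] != ":" else [])
        kind, rest = tokens[sep + 1].upper(), tokens[sep + 2:]
        if kind == "RSA" and rest[:1] == ["{"]:
            # Inline key: "Name: value" pairs up to '}', values in pluto's 0s (base64) notation
            body = rest[1:rest.index("}")]
            secret = {k.rstrip(":"): base64.b64decode(v[2:]) for k, v in zip(body[::2], body[1::2])}
        else:
            secret = rest  # e.g. ['secret shared by two hosts'] or ['vpnserverKey.pem', '%prompt']
        entries.append({"indices": indices, "kind": kind, "secret": secret})
    return entries, includes
```

An entry whose indices list comes back empty is one written with nothing before the colon, like the ": RSA vpnserverKey.pem" lines above.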
This file is read only at startup. If it is modified after startup, pluto must be told to reread it, using the command
    ipsec secrets
or
    ipsec auto --rereadsecrets