25.7. The /etc/ipsec.secrets file

The file ipsec.secrets stores the secrets used by the pluto daemon to authenticate communication between both gateways. Two different kinds of secrets can be configured in this file, which are preshared secrets and RSA private keys. You must check the modes and permissions of this file to be sure that the super-user root owns the file, and its permissions are set to block all access by others.

  1. An example secret is supplied in the ipsec.secrets file by default. You should change it by creating your own. With automatic keying you may have a shared secret up to 256 bits, which is then used during the key exchanges to make sure a man in the middle attack does not occur. To create a new shared secret, use the following commands:

    
[root@deep] /# ipsec ranbits 256  > temp
    
    New, random keys are created with the ranbits(8) utility in the file named temp. The ranbits utility may pause for a few seconds if not enough entropy is available immediately.

    Caution

    Dont forget to delete the temporary file as soon as you are done with it.

  2. Now that our new shared secret key has been created in the temp file, we must put it in the /etc/ipsec.secrets file. When editing the ipsec.secrets file, you should see something like the following appearing in your text editor. Each line has the IP addresses of the two gateways plus the secret. It should look something like this:

    
# This file holds shared secrets which are currently the only inter-Pluto
    # authentication mechanism.  See ipsec_pluto(8) manpage.  Each secret is
    # (oversimplifying slightly) for one pair of negotiating hosts.
    
    # The shared secrets are arbitrary character strings and should be both
    # long and hard to guess.
    
    # Note that all secrets must now be enclosed in quotes, even if they have
    # no white space inside them.
    
    10.0.0.1 11.0.0.1         "jxVS1kVUTTulkVRRTnTujSm444jRuU1mlkklku2nkW3nnVu
    V2WjjRRnulmlkmU1Run5VSnnRT"
    
    

    1. Edit the ipsec.secrets file, vi /etc/ipsec.secrets and change the default secrets keys:

      
10.0.0.1 11.0.0.1  " jxVS1kVUTTulkVRRTnTujSm444jRuU1mlkklku2nkW3nnVu
      V2WjjRRnulmlkmU1Run5VSnnRT "
      
      To read:
      
208.164.186.1 208.164.186.2 "0x9748cc31_2e99194f_d230589b_cd846b57_dc070b01_74b66f34_19c40a1a_804906ed"
      
      Where 208.164.186.1 and 208.164.186.2 are the IP addresses of the two gateways and "0x9748cc31_2e99194f_d230589b_cd846b57_dc070b01_74b66f34_19c40a1a_804906ed" note that the quotes are required is the shared secret we have generated above with the command ipsec ranbits 256 > temp in the temp file.

  3. The files ipsec.conf and ipsec.secrets must be copied to the second gateway machine so as to be identical on both ends. The only exception to this is the ipsec.conf file, which must have in it a section labeled by the line config setup with the correct interface settings for the second gateway, if they differ from the first. The ipsec.secrets file, contrary to the RSA private key, should absolutely have the same-shared secrets on the two gateways.

Important: The file /etc/ipsec.secrets should have permissions rw------- (600) and be owned by the super-user root. The file /etc/ipsec.conf is installed with permissions rw-r--r (644) and must be owned also by root.