User guide
Chapter 2. Securing Your Network
• /etc/ipsec.d/cert*.db - Certificate database files. The old default NSS database file is cert8.db. From Red Hat Enterprise Linux 6 onwards, NSS sqlite databases are used in the cert9.db file.
• /etc/ipsec.d/key*.db - Key database files. The old default NSS database file is key3.db. From Red Hat Enterprise Linux 6 onwards, NSS sqlite databases are used in the key4.db file.
• /etc/ipsec.d/cacerts - Location for Certificate Authority (CA) certificates.
• /etc/ipsec.d/certs - Location for user certificates. Not needed when using NSS.
• /etc/ipsec.d/policies - Policy group definitions. The available policy groups are block, clear, clear-or-private, private, and private-or-clear.
• /etc/ipsec.d/nsspassword - NSS password file. This file does not exist by default, and is required if the NSS database in use was created with a password. Because it holds that password in clear text, keep it owned by root and readable by root only.
Configuration Parameters
This section lists some of the configuration options available, mostly written to /etc/ipsec.conf.
• protostack - defines which protocol stack is used. The default option in Red Hat Enterprise Linux 6 is netkey. Other valid values are auto, klips and mast.
• nat_traversal - defines whether the NAT traversal workaround is accepted for connections. The default is no; it must be set to yes if clients connect from behind a NAT router.
• dumpdir - defines the location for core dump files.
• nhelpers - when using NSS, defines the number of threads used for cryptographic operations. When not using NSS, defines the number of processes used for cryptographic operations.
• virtual_private - subnets that a client may use as its internal address, that is, ranges that may exist behind a NAT router through which a client connects. Exclude the gateway's own local subnets from these ranges so that a remote client cannot claim an address on the local network.
• plutorestartoncrash - defines whether pluto is restarted automatically after a crash. Set to yes by default.
• plutostderr - path for the pluto error log. Points to the syslog location by default.
• connaddrfamily - can be set to either ipv4 or ipv6.
Further details about Openswan configuration can be found in the ipsec.conf(5) manual page.
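The following Python script is an added example, not code from the guide or from the Openswan project. It is a small linter for the two things described above: the 'config setup' section of /etc/ipsec.conf and the layout of /etc/ipsec.d. It parses the section/indented key=value layout of ipsec.conf, checks protostack against the values listed, warns when nat_traversal is left at its default of no, checks that virtual_private carves out a given local subnet using the %v4:!subnet exclusion syntax, reports which NSS database files are present, and flags an nsspassword file that other users can read. The sample ipsec.conf, the temporary directory standing in for /etc/ipsec.d, the local subnet 192.168.1.0/24, and the token:password line written into nsspassword are all constructed or assumed for the demonstration.

```python
import ipaddress
import os
import stat
import tempfile

VALID_PROTOSTACK = {"auto", "netkey", "klips", "mast"}

SAMPLE_IPSEC_CONF = """\
# /etc/ipsec.conf - constructed sample for this example, not taken from the guide
version 2.0
config setup
        protostack=netkey
        nat_traversal=no
        nhelpers=0
        # RFC 1918 space, but the gateway's own LAN (192.168.1.0/24) is not excluded
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12

conn roadwarrior
        left=%defaultroute
        right=%any
        auto=add
"""


def parse_config_setup(text):
    """Return 'config setup' parameters as a dict: section headers start in
    column 0, their key=value parameters are indented, '#' starts a comment."""
    params, in_setup = {}, False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():                        # a new section header
            in_setup = line.split() == ["config", "setup"]
        elif in_setup and "=" in line:
            key, value = line.strip().split("=", 1)
            params[key.strip()] = value.strip()
    return params


def parse_virtual_private(value):
    """Split virtual_private into (allowed, excluded) networks; entries are %v4:NET
    or %v6:NET, and a '!' after the colon turns the entry into an exclusion."""
    allowed, excluded = [], []
    for entry in filter(None, (e.strip() for e in value.split(","))):
        family, _, net = entry.partition(":")
        if family not in ("%v4", "%v6"):
            raise ValueError("bad virtual_private entry: %r" % entry)
        target = excluded if net.startswith("!") else allowed
        target.append(ipaddress.ip_network(net.lstrip("!"), strict=False))
    return allowed, excluded


def lint_config_setup(params, local_subnets=()):
    """Return findings for the parameters the guide lists; local_subnets are the
    networks behind this gateway, which a remote client must not claim."""
    findings = []
    stack = params.get("protostack", "netkey")           # netkey: RHEL 6 default
    if stack not in VALID_PROTOSTACK:
        findings.append("protostack=%s is not one of %s" % (stack, sorted(VALID_PROTOSTACK)))
    if params.get("nat_traversal", "no") != "yes":
        findings.append("nat_traversal is not 'yes': clients behind NAT cannot connect")
    if not params.get("nhelpers", "0").isdigit():
        findings.append("nhelpers must be a non-negative integer")
    if "virtual_private" in params:
        allowed, excluded = parse_virtual_private(params["virtual_private"])
        for local in map(ipaddress.ip_network, local_subnets):
            # is 'local' contained in any network of the same address family?
            inside = lambda nets: any(local.subnet_of(n) for n in nets if n.version == local.version)
            if inside(allowed) and not inside(excluded):
                findings.append("virtual_private covers local subnet %s; add %%v%d:!%s"
                                % (local, local.version, local))
    return findings


def check_ipsec_d(ipsec_d):
    """Report a missing NSS database and an nsspassword readable by other users."""
    findings = []
    present = lambda *names: all(os.path.exists(os.path.join(ipsec_d, n)) for n in names)
    if not (present("cert8.db", "key3.db") or present("cert9.db", "key4.db")):
        findings.append("no NSS database (cert8.db/key3.db or cert9.db/key4.db) in " + ipsec_d)
    pw = os.path.join(ipsec_d, "nsspassword")
    if os.path.exists(pw):
        mode = stat.S_IMODE(os.stat(pw).st_mode)
        if mode & (stat.S_IRWXG | stat.S_IRWXO):        # group/other can read it
            findings.append("nsspassword is mode %o; it holds the NSS DB password, use 0600" % mode)
    return findings


def make_sample_ipsec_d():
    """Create a constructed stand-in for /etc/ipsec.d in a temporary directory."""
    d = tempfile.mkdtemp()
    for name in ("cert9.db", "key4.db"):                 # sqlite-format NSS database
        open(os.path.join(d, name), "wb").close()
    pw = os.path.join(d, "nsspassword")
    with open(pw, "w") as f:
        f.write("NSS Certificate DB:example-password\n")  # assumed token:password layout
    os.chmod(pw, 0o644)                                  # deliberately too permissive
    return d


if __name__ == "__main__":
    print(lint_config_setup(parse_config_setup(SAMPLE_IPSEC_CONF), ["192.168.1.0/24"]))
    print(check_ipsec_d(make_sample_ipsec_d()))
```

Run with python3; on the constructed sample it reports the nat_traversal default and the missing %v4:!192.168.1.0/24 exclusion for ipsec.conf, and the world-readable nsspassword for the directory. The script only inspects the file system; it does not open the NSS database, so a password mismatch between nsspassword and the database is still only discovered when pluto starts.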
2.4.2.3. Commands
This section explains and gives examples of some of the commands used for Openswan.
Note
As shown in the following example, using service ipsec start/stop is the recommended
method of changing the state of the ipsec service. This is also the recommended technique for
starting and stopping all other services in Red Hat Enterprise Linux 6.
• Starting and Stopping Openswan:
  • ipsec setup start/stop
  • service ipsec start/stop