diff --git a/en_US.ISO8859-1/articles/ipsec-must/article.sgml b/en_US.ISO8859-1/articles/ipsec-must/article.sgml index b51bc1d876..349a53119d 100644 --- a/en_US.ISO8859-1/articles/ipsec-must/article.sgml +++ b/en_US.ISO8859-1/articles/ipsec-must/article.sgml @@ -2,12 +2,12 @@
-You installed IPsec and it seems to be working.
How do you know? I describe a method for experimentally verifying
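Review bot: the @@ -2,12 +2,12 @@ hunk shows the removed opening line "You installed IPsec and it seems to be working." but no corresponding + line is visible; if the sentence is meant to survive with only a wording tweak, the replacement line is missing, and if it is meant to go, the abstract now opens with "How do you know?" with nothing for "it" to refer to. Either restore the sentence or reword the question so it stands on its own.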
@@ -27,12 +27,12 @@
Encrypted data is uniformly distributed, ie, has maximal entropy
- per symbol. encrypted data is uniformly distributed, i.e., has maximal entropy
+ per symbol; Raw, uncompressed data is typically redundant, i.e., has
+ raw, uncompressed data is typically redundant, i.e., has
sub-maximal entropy.
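Review bot: in the @@ -27,12 +27,12 @@ hunk both added lines carry "raw, uncompressed data is typically redundant, i.e., has", so the rendered paragraph would state that clause twice; keep only one of the two + lines. Also, "Raw" after the newly introduced semicolon in "per symbol; Raw, uncompressed data" should be lower case, and the unchanged context line still reads "ie," while the rest of the change normalises to "i.e.," so that line could be included in the fix for consistency.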
@@ -40,16 +40,17 @@
Suppose you could measure the entropy of the data to- and from- your network interface. Then you could see the difference between unencrypted data and encrypted data. This would be true even if some of the data - in "encrypted mode" was not encrypted ---as the outermost IP header must + in "encrypted mode" was not encrypted---as the outermost IP header must be, if the packet is to be routable.
Ueli Maurer's "Universal Statistical Test for Random Bit Generators" - ("MUST") quickly measures the entropy of a sample. It uses a - compression-like algorithm. The code is given below for a variant which measures successive - (~quarter megabyte) chunks of a file.
+ (MUST) + quickly measures the entropy of a sample. It uses a + compression-like algorithm. The code is given below for a variant which measures successive + (~quarter megabyte) chunks of a file.This experiment shows that IPsec does seem to be distributing the payload data uniformly, as encryption should. However, the - experiment described here cannot detect many possible flaws in a + experiment described here cannotdetect many possible flaws in a system (none of which do I have any evidence for). These include poor key generation or exchange, data or keys being visible to others, use of weak algorithms, kernel subversion, etc. Study the source; know the code.
-Internet Protocol security extensions to IP v 4; required for IP v6. A +
Internet Protocol security extensions to IPv4; required for IPv6. A protocol for negotiating encryption and authentication at the IP (host-to-host) level. SSL secures only one application socket; SSH secures only a login; PGP secures only a specified file or @@ -119,50 +120,35 @@ Expected value for L=8 is 7.1836656
Starting from the BSD 3.0 stable release,
+Most of the modern versions of FreeBSD have IPsec support + in their base source. So you'll probably will need to + include IPSEC option in your kernel config + and, after kernel rebuild and reinstall, configure IPsec + connections using setkey command.
-install IPsec v0.04, rebuild, reinstall
-run the administration tools (e.g, ipsecadm) and distribute - keys (or use Photuris for key exchange)
-set the routes (rt) up appropriately
-You may want to make an "ipsec_setup" script containing the - ipsecadm and rt commands which establish your IPsec - tunnel. You can run this script automatically at boottime from your - /etc/rc.local The ipsec_setup script will have to contain at - least two ipsecadm commands and one rt command to be - useful.
+A comprehensive guide on running IPsec on FreeBSD is + provided in FreeBSD + Handbook.
This needs to be present in the kernel config file in order to run - IPsec. After adding it, run config, etc. and rebuild and +
This needs to be present in the kernel config file in order to be able + to capture network data with tcpdump. + Be sure to run config after adding this, and rebuild and reinstall.
-# The `bpfilter' pseudo-device enables the Berkeley Packet Filter. Be -# aware of the legal and administrative consequences of enabling this -# option. Heh heh. The number of devices determines the maximum number of -# simultaneous BPF clients programs runnable. -pseudo-device bpfilter 2 #Berkeley packet filter - -# IPSEC -options IPSEC -options "MD5" -pseudo-device enc 1+
device bpf +
You can find the same code at + this link.
+
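Review bot: the + line "experiment described here cannotdetect many possible flaws" in the @@ -40,16 +40,17 @@ hunk drops the space between "cannot" and "detect", turning a correct context line into a typo; it should read "cannot detect". In the same hunk, "chunks of a file.This experiment" also needs a space after the period if that is how the line lands in the source; the change from ("MUST") to (MUST) itself is fine.

Review bot: in the @@ -119,50 +120,35 @@ hunk the added paragraph tells the reader to "include IPSEC option in your kernel config", yet the replacement kernel-config fragment that follows keeps only `device bpf` after removing `options IPSEC`; either show `options IPSEC` next to `device bpf` or say explicitly that the Handbook covers that part, otherwise the prose and the snippet disagree. Wording nits in the same hunk: "So you'll probably will need to" should be "so you will probably need to", "Most of the modern versions" reads better as "Most modern versions", "using setkey command" wants an article ("the setkey command"), and "provided in FreeBSD Handbook" should be "provided in the FreeBSD Handbook".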