Prep work for IPsec chapter.

Add additional definitions to intro. Still need to define SA and SAD.
Still need to set up test environment to verify tech setup.
This section does not yet mention setkey.
More commits to come.

Sponsored by:	iXsystems
This commit is contained in:
Dru Lavigne 2014-04-22 19:43:18 +00:00
parent a44b33c9ad
commit 1feff8b3ea
Notes: svn2git 2020-12-08 03:00:23 +00:00
svn path=/head/; revision=44630


@ -61,7 +61,7 @@
</listitem>
<listitem>
<para>How to configure IPsec and create a
<para>How to configure <acronym>IPsec</acronym> and create a
<acronym>VPN</acronym>.</para>
</listitem>
@ -1993,23 +1993,13 @@ Connection closed by foreign host.</screen>
<sect1 xml:id="ipsec">
<info>
<title><acronym>VPN</acronym> over IPsec</title>
<title><acronym>VPN</acronym> over <acronym>IPsec</acronym></title>
<authorgroup>
<author><personname><firstname>Nik</firstname><surname>Clayton</surname></personname><affiliation>
<address><email>nik@FreeBSD.org</email></address>
</affiliation><contrib>Written by </contrib></author>
</authorgroup>
</info>
<indexterm>
<primary>IPsec</primary>
</indexterm>
<sect2>
<info>
<title>Understanding IPsec</title>
<authorgroup>
<author><personname><firstname>Hiten
M.</firstname><surname>Pandya</surname></personname><affiliation>
@ -2018,57 +2008,66 @@ Connection closed by foreign host.</screen>
</authorgroup>
</info>
<para>This section demonstrates the process of setting up IPsec.
It assumes familiarity with the concepts of building a custom
kernel (see <xref linkend="kernelconfig"/>).</para>
<indexterm>
<primary><acronym>IPsec</acronym></primary>
</indexterm>
<para><emphasis>IPsec</emphasis> is a protocol which sits on
<para>Internet Protocol Security (<acronym>IPsec</acronym>) is a set of protocols which sit on
top of the Internet Protocol (<acronym>IP</acronym>) layer.
It allows two or more hosts to communicate in a secure manner.
The &os; IPsec <quote>network stack</quote> is based on the
<link xlink:href="http://www.kame.net/">KAME</link>
implementation, which has support for both IPv4 and
IPv6.</para>
It allows two or more hosts to communicate in a secure manner
by authenticating and encrypting each <acronym>IP</acronym> packet of a communication session.
The &os; <acronym>IPsec</acronym> network stack is based on the
<link xlink:href="http://www.kame.net/">http://www.kame.net/</link>
implementation and supports both <acronym>IPv4</acronym> and
<acronym>IPv6</acronym> sessions.</para>
<indexterm>
<primary>IPsec</primary>
<primary><acronym>IPsec</acronym></primary>
<secondary>ESP</secondary>
</indexterm>
<indexterm>
<primary>IPsec</primary>
<primary><acronym>IPsec</acronym></primary>
<secondary>AH</secondary>
</indexterm>
<para>IPsec consists of two sub-protocols:</para>
<para><acronym>IPsec</acronym> is comprised of the following sub-protocols:</para>
<itemizedlist>
<listitem>
<para><emphasis>Encapsulated Security Payload
<acronym>ESP</acronym>)</emphasis>: this protocol
protects the IP packet data from third party interference
(<acronym>ESP</acronym>)</emphasis>: this protocol
protects the <acronym>IP</acronym> packet data from third party interference
by encrypting the contents using symmetric cryptography
algorithms such as Blowfish and 3DES.</para>
algorithms such as Blowfish and <acronym>3DES</acronym>.</para>
</listitem>
<listitem>
<para><emphasis>Authentication Header
(<acronym>AH</acronym>)</emphasis>: this protocol
protects the IP packet header from third party
(<acronym>AH</acronym>)</emphasis>): this protocol
protects the <acronym>IP</acronym> packet header from third party
interference and spoofing by computing a cryptographic
checksum and hashing the IP packet header fields with a
checksum and hashing the <acronym>IP </acronym> packet header fields with a
secure hashing function. This is then followed by an
additional header that contains the hash, to allow the
information in the packet to be authenticated.</para>
</listitem>
<listitem>
<para><emphasis>IP Payload Compression Protocol
(<acronym>IPComp</acronym></emphasis>): this protocol
tries to increase communication performance by compressing
the <acronym>IP </acronym> payload in order ro reduce the
amount of data sent.</para>
</listitem>
</itemizedlist>
<para><acronym>ESP</acronym> and <acronym>AH</acronym> can
<para>These protocols can
either be used together or separately, depending on the
environment.</para>
<indexterm>
<primary>VPN</primary>
<primary><acronym>VPN</acronym></primary>
</indexterm>
<indexterm>
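Review bot: the AH bullet picks up a stray closing parenthesis in `(<acronym>AH</acronym>)</emphasis>): this protocol`, and the IPComp bullet puts its parenthesis outside the emphasis (`(<acronym>IPComp</acronym></emphasis>)`) and carries the typo `in order ro reduce`; use the ESP bullet's `(<acronym>ESP</acronym>)</emphasis>:` form for all three and change `ro` to `to`. The trailing space inside `<acronym>IP </acronym>` (twice) renders as a stray space before the next word. Two technical points while this text is being touched: RFC 4303 names the protocol Encapsulating Security Payload, not Encapsulated, and AH authenticates the whole datagram (payload plus the immutable header fields, with a keyed MAC over them), not only the header as the bullet says. Blowfish and 3DES are 64-bit block ciphers; AES is the cipher a reader should be pointed at for ESP.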
@ -2076,17 +2075,18 @@ Connection closed by foreign host.</screen>
<see>VPN</see>
</indexterm>
<para>IPsec can either be used to directly encrypt the traffic
between two hosts using <emphasis>Transport Mode</emphasis> or
to build <quote>virtual tunnels</quote> using
<emphasis>Tunnel Mode</emphasis>. The latter mode is more
commonly known as a <emphasis>Virtual Private Network
(<acronym>VPN</acronym>)</emphasis>. Consult &man.ipsec.4;
for detailed information on the IPsec subsystem in
<para><acronym>IPsec</acronym> supports two modes of operation.
The first mode, <firstterm>Transport Mode</firstterm>,
protects communications between two hosts. The second mode,
<firstterm>Tunnel Mode</firstterm>, is used to build virtual tunnels,
commonly known as Virtual Private Networks
(<acronym>VPN</acronym>s). Consult &man.ipsec.4;
for detailed information on the <acronym>IPsec</acronym> subsystem in
&os;.</para>
<para>To add IPsec support to the kernel, add the following
options to the custom kernel configuration file:</para>
<para>To add <acronym>IPsec</acronym> support to the kernel, add the following
options to the custom kernel configuration file and rebuild
the kernel using the instructions in <xref linkend="kernelconfig"/>:</para>
<indexterm>
<primary>kernel options</primary>
@ -2101,56 +2101,49 @@ device crypto</screen>
<secondary>IPSEC_DEBUG</secondary>
</indexterm>
<para>If IPsec debugging support is desired, the following
<para>If <acronym>IPsec</acronym> debugging support is desired, the following
kernel option should also be added:</para>
<screen>options IPSEC_DEBUG #debug for IP security</screen>
</sect2>
<sect2>
<title><acronym>VPN</acronym> Between a Home and Corporate
Network</title>
<indexterm>
<primary>VPN</primary>
<secondary>creating</secondary>
</indexterm>
<para>There is no standard for what constitutes a
<acronym>VPN</acronym>. <acronym>VPN</acronym>s can be
implemented using a number of different technologies, each
of which has their own strengths and weaknesses. This
section presents the strategies used for implementing a
<acronym>VPN</acronym> for the following scenario:</para>
<para>This rest of this chapter demonstrates the process of
setting up an <acronym>IPsec</acronym> <acronym>VPN</acronym>
between a home network and a corporate
network. In the example scenario:</para>
<itemizedlist>
<listitem>
<para>There are at least two sites where each site is using
IP internally.</para>
</listitem>
<listitem>
<para>Both sites are connected to the Internet through a
gateway that is running &os;.</para>
</listitem>
<listitem>
<para>The gateway on each network has at least one public
IP address.</para>
<para>The gateway on each network has at least one external
<acronym>IP</acronym> address. In this example, the corporate <acronym>LAN</acronym>'s
external <acronym>IP</acronym> address is <systemitem
class="ipaddress">172.16.5.4</systemitem> and the home
<acronym>LAN</acronym>'s external <acronym>IP</acronym>
address is <systemitem
class="ipaddress">192.168.1.12</systemitem>.</para>
</listitem>
<listitem>
<para>The internal addresses of the two networks can be
either public or private IP addresses. However, the
either public or private <acronym>IP</acronym> addresses. However, the
address space must not collide. For example, both
networks cannot use <systemitem
class="ipaddress">192.168.1.x</systemitem>.</para>
class="ipaddress">192.168.1.x</systemitem>. In this
example, the corporate <acronym>LAN</acronym>'s
internal <acronym>IP</acronym> address is <systemitem
class="ipaddress">10.246.38.1</systemitem> and the home
<acronym>LAN</acronym>'s internal <acronym>IP</acronym>
address is <systemitem class="ipaddress">10.0.0.5</systemitem>.</para>
</listitem>
</itemizedlist>
<sect3>
<sect2>
<info>
<title>Configuring IPsec on &os;</title>
<title>Configuring a <acronym>VPN</acronym> on &os;</title>
<authorgroup>
<author><personname><firstname>Tom</firstname><surname>Rhodes</surname></personname><affiliation>
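Review bot: promoting `<sect3>` to `<sect2>` for `Configuring a VPN on &os;` leaves it opened inside the `<sect2>` of `VPN Between a Home and Corporate Network`, which is not closed before it, and the matching `</sect3>` removal further down leaves a single `</sect2>` before `</sect1>`; either close or remove the enclosing sect2, otherwise the DocBook will not validate. Also `This rest of this chapter` should read `The rest of this chapter`, and since both "external" addresses (172.16.5.4, 192.168.1.12) fall in RFC 1918 private ranges, say that they stand in for the gateways' public addresses so readers do not copy them as-is.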
@ -2173,36 +2166,21 @@ device crypto</screen>
addresses of the internal and external interfaces of the two
gateways:</para>
<screen>&prompt.root; <userinput>ifconfig gif0 create</userinput></screen>
<screen>&prompt.root; <userinput>ifconfig gif0 create</userinput>
&prompt.root; <userinput>ifconfig gif0 <replaceable>internal1 internal2</replaceable></userinput>
&prompt.root; <userinput>ifconfig gif0 tunnel <replaceable>external1 external2</replaceable></userinput></screen>
<screen>&prompt.root; <userinput>ifconfig gif0 <replaceable>internal1 internal2</replaceable></userinput></screen>
<para>Verify the setup on each gateway, using
<command>ifconfig</command>. Here is the output from Gateway 1:</para>
<screen>&prompt.root; <userinput>ifconfig gif0 tunnel <replaceable>external1 external2</replaceable></userinput></screen>
<para>In this example, the corporate <acronym>LAN</acronym>'s
external <acronym>IP</acronym> address is <systemitem
class="ipaddress">172.16.5.4</systemitem> and its internal
<acronym>IP</acronym> address is <systemitem
class="ipaddress">10.246.38.1</systemitem>. The home
<acronym>LAN</acronym>'s external <acronym>IP</acronym>
address is <systemitem
class="ipaddress">192.168.1.12</systemitem> and its
internal private <acronym>IP</acronym> address is
<systemitem class="ipaddress">10.0.0.5</systemitem>.</para>
<para>If this is confusing, review the following example
output from &man.ifconfig.8;:</para>
<programlisting>Gateway 1:
gif0: flags=8051 mtu 1280
<programlisting>gif0: flags=8051 mtu 1280
tunnel inet 172.16.5.4 --&gt; 192.168.1.12
inet6 fe80::2e0:81ff:fe02:5881%gif0 prefixlen 64 scopeid 0x6
inet 10.246.38.1 --&gt; 10.0.0.5 netmask 0xffffff00
inet 10.246.38.1 --&gt; 10.0.0.5 netmask 0xffffff00</programlisting>
Gateway 2:
<para>Here is the output from Gateway 2:</para>
gif0: flags=8051 mtu 1280
<programlisting>gif0: flags=8051 mtu 1280
tunnel inet 192.168.1.12 --&gt; 172.16.5.4
inet 10.0.0.5 --&gt; 10.246.38.1 netmask 0xffffff00
inet6 fe80::250:bfff:fe3a:c1f%gif0 prefixlen 64 scopeid 0x4</programlisting>
@ -2235,16 +2213,13 @@ round-trip min/avg/max/stddev = 28.106/94.594/154.524/49.814 ms</programlisting>
receive <acronym>ICMP</acronym> packets from the privately
configured addresses. Next, both gateways must be told how
to route packets in order to correctly send traffic from
either network. The following command will achieve this
either network. The following commands will achieve this
goal:</para>
<screen>&prompt.root; <userinput>corp-net# route add <replaceable>10.0.0.0 10.0.0.5 255.255.255.0</replaceable></userinput></screen>
<screen>&prompt.root; <userinput>corp-net# route add net <replaceable>10.0.0.0: gateway 10.0.0.5</replaceable></userinput></screen>
<screen>&prompt.root; <userinput>priv-net# route add <replaceable>10.246.38.0 10.246.38.1 255.255.255.0</replaceable></userinput></screen>
<screen>&prompt.root; <userinput>priv-net# route add host <replaceable>10.246.38.0: gateway 10.246.38.1</replaceable></userinput></screen>
<screen>&prompt.root; <userinput>corp-net# route add <replaceable>10.0.0.0 10.0.0.5 255.255.255.0</replaceable></userinput>
&prompt.root; <userinput>corp-net# route add net <replaceable>10.0.0.0: gateway 10.0.0.5</replaceable></userinput>
&prompt.root; <userinput>priv-net# route add <replaceable>10.246.38.0 10.246.38.1 255.255.255.0</replaceable></userinput>
&prompt.root; <userinput>priv-net# route add host <replaceable>10.246.38.0: gateway 10.246.38.1</replaceable></userinput></screen>
<para>At this point, internal machines should be reachable
from each gateway as well as from machines behind the
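Review bot: the second and fourth lines of the consolidated `<screen>` (`route add net 10.0.0.0: gateway 10.0.0.5`, `route add host 10.246.38.0: gateway 10.246.38.1`) are route(8)'s success output, not commands, and marking them `<userinput>` invites readers to type them; `host` is also wrong for a /24 destination. Show each command once, drop the literal `corp-net#`/`priv-net#` inside `<userinput>` (it doubles up with `&prompt.root;`), e.g. `&prompt.root; <userinput>route add -net 10.0.0.0/24 10.0.0.5</userinput>` on the corporate gateway and `route add -net 10.246.38.0/24 10.246.38.1` on the home gateway, and put the `add net ... gateway ...` reply on its own line as plain output. Worth a sentence here as well: until the SPD entries and SAs are installed, gif0 carries these packets in the clear, so a successful ping proves reachability, not protection.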
@ -2432,7 +2407,6 @@ pass out quick on gif0 from any to any</programlisting>
ipsec_program="/usr/local/sbin/setkey"
ipsec_file="/usr/local/etc/racoon/setkey.conf" # allows setting up spd policies on boot
racoon_enable="yes"</programlisting>
</sect3>
</sect2>
</sect1>