diff --git a/en_US.ISO8859-1/books/handbook/security/chapter.xml b/en_US.ISO8859-1/books/handbook/security/chapter.xml index a4a4acd839..23a58f4f74 100644 --- a/en_US.ISO8859-1/books/handbook/security/chapter.xml +++ b/en_US.ISO8859-1/books/handbook/security/chapter.xml @@ -61,7 +61,7 @@ - How to configure IPsec and create a + How to configure IPsec and create a VPN. @@ -1993,23 +1993,13 @@ Connection closed by foreign host. - <acronym>VPN</acronym> over IPsec + <acronym>VPN</acronym> over <acronym>IPsec</acronym> NikClayton
nik@FreeBSD.org
Written by
-
- - - IPsec - - - - - Understanding IPsec - Hiten M.Pandya 
@@ -2018,57 +2008,66 @@ Connection closed by foreign host. - This section demonstrates the process of setting up IPsec. - It assumes familiarity with the concepts of building a custom - kernel (see ). + + IPsec + - IPsec is a protocol which sits on + Internet Protocol Security (IPsec) is a set of protocols which sit on top of the Internet Protocol (IP) layer. - It allows two or more hosts to communicate in a secure manner. - The &os; IPsec network stack is based on the - KAME - implementation, which has support for both IPv4 and - IPv6. + It allows two or more hosts to communicate in a secure manner + by authenticating and encrypting each IP packet of a communication session. + The &os; IPsec network stack is based on the + http://www.kame.net/ + implementation and supports both IPv4 and + IPv6 sessions. - IPsec + IPsec ESP - IPsec + IPsec AH - IPsec consists of two sub-protocols: + IPsec is comprised of the following sub-protocols: Encapsulated Security Payload - ESP): this protocol - protects the IP packet data from third party interference + (ESP): this protocol + protects the IP packet data from third party interference by encrypting the contents using symmetric cryptography - algorithms such as Blowfish and 3DES. + algorithms such as Blowfish and 3DES. Authentication Header - (AH): this protocol - protects the IP packet header from third party + (AH)): this protocol + protects the IP packet header from third party interference and spoofing by computing a cryptographic - checksum and hashing the IP packet header fields with a + checksum and hashing the IP packet header fields with a secure hashing function. This is then followed by an additional header that contains the hash, to allow the information in the packet to be authenticated. + + + IP Payload Compression Protocol + (IPComp): this protocol + tries to increase communication performance by compressing + the IP payload in order ro reduce the + amount of data sent. 
+ - ESP and AH can + These protocols can either be used together or separately, depending on the environment. - VPN + VPN @@ -2076,17 +2075,18 @@ Connection closed by foreign host. VPN - IPsec can either be used to directly encrypt the traffic - between two hosts using Transport Mode or - to build virtual tunnels using - Tunnel Mode. The latter mode is more - commonly known as a Virtual Private Network - (VPN). Consult &man.ipsec.4; - for detailed information on the IPsec subsystem in + IPsec supports two modes of operation. + The first mode, Transport Mode, + protects communications between two hosts. The second mode, + Tunnel Mode, is used to build virtual tunnels, + commonly known as Virtual Private Networks + (VPNs). Consult &man.ipsec.4; + for detailed information on the IPsec subsystem in &os;. - To add IPsec support to the kernel, add the following - options to the custom kernel configuration file: + To add IPsec support to the kernel, add the following + options to the custom kernel configuration file and rebuild + the kernel using the instructions in : kernel options 
@@ -2101,56 +2101,49 @@ device crypto IPSEC_DEBUG - If IPsec debugging support is desired, the following + If IPsec debugging support is desired, the following kernel option should also be added: options IPSEC_DEBUG #debug for IP security - - - <acronym>VPN</acronym> Between a Home and Corporate - Network - - - VPN - creating - - - There is no standard for what constitutes a - VPN. VPNs can be - implemented using a number of different technologies, each - of which has their own strengths and weaknesses. This - section presents the strategies used for implementing a - VPN for the following scenario: + This rest of this chapter demonstrates the process of + setting up an IPsec VPN + between a home network and a corporate + network. In the example scenario: - - There are at least two sites where each site is using - IP internally. - - Both sites are connected to the Internet through a gateway that is running &os;. - The gateway on each network has at least one public - IP address. + The gateway on each network has at least one external + IP address. In this example, the corporate LAN's + external IP address is 172.16.5.4 and the home + LAN's external IP + address is 192.168.1.12. The internal addresses of the two networks can be - either public or private IP addresses. However, the + either public or private IP addresses. However, the address space must not collide. For example, both networks cannot use 192.168.1.x. + class="ipaddress">192.168.1.x. In this + example, the corporate LAN's + internal IP address is 10.246.38.1 and the home + LAN's internal IP + address is 10.0.0.5. - + - Configuring IPsec on &os; + Configuring a <acronym>VPN</acronym> on &os; TomRhodes 
@@ -2173,36 +2166,21 @@ device crypto addresses of the internal and external interfaces of the two gateways: - &prompt.root; ifconfig gif0 create + &prompt.root; ifconfig gif0 create +&prompt.root; ifconfig gif0 internal1 internal2 +&prompt.root; ifconfig gif0 tunnel external1 external2 - &prompt.root; ifconfig gif0 internal1 internal2 + Verify the setup on each gateway, using + ifconfig. Here is the output from Gateway 1: - &prompt.root; ifconfig gif0 tunnel external1 external2 - - In this example, the corporate LAN's - external IP address is 172.16.5.4 and its internal - IP address is 10.246.38.1. The home - LAN's external IP - address is 192.168.1.12 and its - internal private IP address is - 10.0.0.5. - - If this is confusing, review the following example - output from &man.ifconfig.8;: - - Gateway 1: - -gif0: flags=8051 mtu 1280 + gif0: flags=8051 mtu 1280 tunnel inet 172.16.5.4 --> 192.168.1.12 inet6 fe80::2e0:81ff:fe02:5881%gif0 prefixlen 64 scopeid 0x6 -inet 10.246.38.1 --> 10.0.0.5 netmask 0xffffff00 +inet 10.246.38.1 --> 10.0.0.5 netmask 0xffffff00 -Gateway 2: + Here is the output from Gateway 2: -gif0: flags=8051 mtu 1280 + gif0: flags=8051 mtu 1280 tunnel inet 192.168.1.12 --> 172.16.5.4 inet 10.0.0.5 --> 10.246.38.1 netmask 0xffffff00 inet6 fe80::250:bfff:fe3a:c1f%gif0 prefixlen 64 scopeid 0x4 
@@ -2235,16 +2213,13 @@ round-trip min/avg/max/stddev = 28.106/94.594/154.524/49.814 ms receive ICMP packets from the privately configured addresses. Next, both gateways must be told how to route packets in order to correctly send traffic from - either network. The following command will achieve this + either network. The following commands will achieve this goal: - &prompt.root; corp-net# route add 10.0.0.0 10.0.0.5 255.255.255.0 - - &prompt.root; corp-net# route add net 10.0.0.0: gateway 10.0.0.5 - - &prompt.root; priv-net# route add 10.246.38.0 10.246.38.1 255.255.255.0 - - &prompt.root; priv-net# route add host 10.246.38.0: gateway 10.246.38.1 + &prompt.root; corp-net# route add 10.0.0.0 10.0.0.5 255.255.255.0 +&prompt.root; corp-net# route add net 10.0.0.0: gateway 10.0.0.5 +&prompt.root; priv-net# route add 10.246.38.0 10.246.38.1 255.255.255.0 +&prompt.root; priv-net# route add host 10.246.38.0: gateway 10.246.38.1 At this point, internal machines should be reachable from each gateway as well as from machines behind the @@ -2432,7 +2407,6 @@ pass out quick on gif0 from any to any ipsec_program="/usr/local/sbin/setkey" ipsec_file="/usr/local/etc/racoon/setkey.conf" # allows setting up spd policies on boot racoon_enable="yes" -
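Review bot: in the hunk at @@ -1993 (the section header), removing the nested "Understanding IPsec" sect and its author line drops Hiten M. Pandya's attribution even though that explanatory material is carried forward into the new IPsec section in the following hunk. Keep the author entry for that contributor alongside the retained Nik Clayton credit so the contribution history of the text survives the restructuring.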
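Review bot: two typos in the sub-protocol list added in the hunk at @@ -2018: `(AH)): this protocol` has an extra closing parenthesis, and `in order ro reduce the` should read `in order to reduce the`. Also, `IPsec is comprised of the following sub-protocols:` is weaker than the original wording; suggest `IPsec consists of the following sub-protocols:`.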
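Review bot: in the hunk at @@ -2101, `This rest of this chapter demonstrates` should read `The rest of this section demonstrates`; this is one section of the security chapter, not the whole chapter. The example addresses introduced here are also worth a second look: the retained bullet warns that `both networks cannot use 192.168.1.x`, yet the home gateway's "external" address given two lines earlier is 192.168.1.12, and 172.16.5.4 is likewise a private-range address. Either use documentation-range addresses (RFC 5737, e.g. 198.51.100.0/24 and 203.0.113.0/24) for the externals, or add one sentence saying these external addresses are placeholders for real public ones, so the example does not contradict its own advice.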
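Review bot: minor style point in the hunk at @@ -2173: `Verify the setup on each gateway, using ifconfig.` does not need the comma; `Verify the setup on each gateway using ifconfig.` reads more naturally and matches the surrounding sentences.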
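Review bot: in the consolidated screen block of the hunk at @@ -2235, the second and fourth lines (`&prompt.root; corp-net# route add net 10.0.0.0: gateway 10.0.0.5` and `&prompt.root; priv-net# route add host 10.246.38.0: gateway 10.246.38.1`) are route(8)'s confirmation output for the preceding commands, not commands the reader should type. They were already mislabelled before this change, but merging the four lines into one block now presents them as four consecutive root commands, and a reader who types `route add net 10.0.0.0: gateway 10.0.0.5` will get a syntax error. Drop the prompt prefix from those two lines so they render as output, and check the fourth: a route added with netmask 255.255.255.0 is reported as `add net 10.246.38.0`, not `add host`. Separately, `&prompt.root;` followed by a literal `corp-net#` renders as a doubled prompt (`# corp-net#`); use one or the other.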