Initial import, synchronized with English 1.18

Andrey Zakhvatov 2004-01-18 12:57:16 +00:00
parent c5c82644c0
commit 6430f27d65
Notes: svn2git 2020-12-08 03:00:23 +00:00
svn path=/head/; revision=19719


@ -0,0 +1,454 @@
<!--
The FreeBSD Russian Documentation Project
$FreeBSDru: frdp/doc/ru_RU.KOI8-R/articles/checkpoint/article.sgml,v 1.2 2004/01/10 08:44:33 andy Exp $
Original revision: 1.18
-->
<!-- Copyright (c) 2001 The FreeBSD Documentation Project
Redistribution and use in source (SGML DocBook) and 'compiled' forms
(SGML, HTML, PDF, PostScript, RTF and so forth) with or without
modification, are permitted provided that the following conditions
are met:
1. Redistributions of source code (SGML DocBook) must retain the above
copyright notice, this list of conditions and the following
disclaimer as the first lines of this file unmodified.
2. Redistributions in compiled form (transformed to other DTDs,
converted to PDF, PostScript, RTF and other formats) must reproduce
the above copyright notice, this list of conditions and the
following disclaimer in the documentation and/or other materials
provided with the distribution.
THIS DOCUMENTATION IS PROVIDED BY THE FREEBSD DOCUMENTATION PROJECT "AS
IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL NIK CLAYTON BE LIABLE FOR ANY
DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
ANY WAY OUT OF THE USE OF THIS DOCUMENTATION, EVEN IF ADVISED OF THE
POSSIBILITY OF SUCH DAMAGE.
-->
<!DOCTYPE article PUBLIC "-//FreeBSD//DTD DocBook V4.1-Based Extension//EN" [
<!ENTITY % man PUBLIC "-//FreeBSD//ENTITIES DocBook Manual Page Entities//EN">
%man;
<!ENTITY legalnotice SYSTEM "../../share/sgml/legalnotice.sgml">
<!ENTITY % trademarks PUBLIC "-//FreeBSD//ENTITIES DocBook Trademark Entities//EN">
%trademarks;
]>
<article>
<articleinfo>
<title>éÎÔÅÇÒÁÃÉÑ FreeBSD IPsec É Check Point <trademark
class='registered'>VPN-1</trademark>/<trademark
class='registered'>Firewall-1</trademark></title>
<authorgroup>
<author>
<firstname>Jon</firstname>
<surname>Orbeton</surname>
<affiliation>
<address><email>jono@securityreports.com</email></address>
</affiliation>
</author>
<author>
<firstname>Matt</firstname>
<surname>Hite</surname>
<affiliation>
<address><email>mhite@hotmail.com</email></address>
</affiliation>
</author>
</authorgroup>
<pubdate>$FreeBSD$</pubdate>
<copyright>
<year>2001, 2002, 2003</year>
<holder role="mailto:jono@securityreports.com">Jon Orbeton</holder>
</copyright>
&legalnotice;
<legalnotice id="trademarks" role="trademarks">
&tm-attrib.freebsd;
&tm-attrib.check-point;
&tm-attrib.general;
</legalnotice>
<abstract>
<para>÷ ÜÔÏÍ ÄÏËÕÍÅÎÔÅ ÏÐÉÓÙ×ÁÅÔÓÑ, ËÁË ÎÁÓÔÒÏÉÔØ
<acronym>VPN</acronym>-ÔÕÎÎÅÌÉÒÏ×ÁÎÉÅ ÍÅÖÄÕ FreeBSD É
<trademark class='registered'>VPN-1</trademark>/
<trademark class='registered'>Firewall-1</trademark> ËÏÍÐÁÎÉÉ
Check Point. ÷ ÄÒÕÇÉÈ ÉÍÅÀÝÉÈÓÑ ÐÕÂÌÉËÁÃÉÑÈ ÄÁ£ÔÓÑ ÔÁËÁÑ ÉÎÆÏÒÍÁÃÉÑ,
ÎÏ × ÎÅÊ ÎÅ ÓÏÄÅÒÖÁÔÓÑ ÉÎÓÔÒÕËÃÉÉ, ÓÐÅÃÉÆÉÞÎÙÅ ÄÌÑ VPN-1/Firewall-1 É
ÅÇÏ ÉÎÔÅÇÒÁÃÉÉ Ó FreeBSD. ïÎÉ ÐÅÒÅÞÉÓÌÅÎÙ × ÚÁ×ÅÒÛÁÀÝÅÊ ÞÁÓÔÉ ÜÔÏÊ
ÒÁÂÏÔÙ ÄÌÑ ÄÁÌØÎÅÊÛÅÇÏ ÉÚÕÞÅÎÉÑ.</para>
</abstract>
</articleinfo>
<sect1 id="prerequisites">
<title>éÓÈÏÄÎÙÅ ÄÁÎÎÙÅ</title>
<para>äÁÌÅÅ ÐÏËÁÚÁÎÁ ÓÈÅÍÁ ÒÁÓÐÏÌÏÖÅÎÉÑ ÍÁÛÉÎ É ÓÅÔÅÊ, Ï ËÏÔÏÒÙÈ ÉÄ£Ô ÒÅÞØ
× ÜÔÏÍ ÄÏËÕÍÅÎÔÅ.</para>
<mediaobject>
<imageobject>
<imagedata fileref="networks">
</imageobject>
<textobject>
<literallayout class="monospaced"> ÷ÎÅÛÎÉÊ ÉÎÔÅÒÆÅÊÓ ÷ÎÅÛÎÉÊ ÉÎÔÅÒÆÅÊÓ
208.229.100.6 216.218.197.2
| |
+--&gt; Firewall-1 &lt;--&gt; Internet &lt;--&gt; FreeBSD GW &lt;--+
| |
óÅÔÉ ÐÏÄ ÚÁÝÉÔÏÊ FW-1 ÷ÎÕÔÒÅÎÎÉÅ ÓÅÔÉ
199.208.192.0/24 192.168.10.0/24</literallayout>
</textobject>
<textobject>
<phrase>óÅÔØ FW-1 É ÓÅÔØ FreeBSD</phrase>
</textobject>
</mediaobject>
<para>ûÌÀÚ <acronym>GW</acronym> ÎÁ ÏÓÎÏ×Å FreeBSD ×ÙÓÔÕÐÁÅÔ × ËÁÞÅÓÔ×Å
ÍÅÖÓÅÔÅ×ÏÇÏ ÜËÒÁÎÁ É <acronym>NAT</acronym>-ÕÓÔÒÏÊÓÔ×Á ÄÌÑ
<quote>×ÎÕÔÒÅÎÎÉÈ ÓÅÔÅÊ.</quote></para>
<para>ñÄÒÏ FreeBSD ÄÏÌÖÎÏ ÂÙÔØ ÐÏÓÔÒÏÅÎÏ Ó ÐÏÄÄÅÒÖËÏÊ IPsec. äÌÑ ×ËÌÀÞÅÎÉÑ
IPsec × ×ÁÛÅÍ ÑÄÒÅ ÉÓÐÏÌØÚÕÊÔÅ ÓÌÅÄÕÀÝÉÅ ÐÁÒÁÍÅÔÒÙ ÑÄÒÁ:</para>
<programlisting>options IPSEC
options IPSEC_ESP
options IPSEC_DEBUG</programlisting>
<para>äÌÑ ÐÏÌÕÞÅÎÉÑ ÉÎÆÏÒÍÁÃÉÉ ÐÏ ÐÏÓÔÒÏÅÎÉÀ ÎÅÓÔÁÎÄÁÒÔÎÏÇÏ ÑÄÒÁ,
ÏÂÒÁÔÉÔÅÓØ Ë <ulink
url="http://www.FreeBSD.org/doc/en_US.ISO8859-1/books/handbook/kernelconfig.html">
òÕËÏ×ÏÄÓÔ×Õ ÐÏ FreeBSD</ulink>. ðÏÖÁÌÕÊÓÔÁ, ÚÁÍÅÔØÔÅ, ÞÔÏ ÍÅÖÄÕ ÈÏÓÔÁÍÉ
<trademark class='registered'>Firewall-1</trademark> É
<acronym>GW</acronym> Ó FreeBSD ÄÏÌÖÎÙ ÂÙÔØ ÒÁÚÒÅÛÅÎÙ ÓÏÅÄÉÎÅÎÉÑ
<acronym>IP</acronym> protocol&nbsp;50 (<acronym>ESP</acronym>) É
<acronym>UDP</acronym> port&nbsp;<literal>500</literal>.</para>
<para>ëÒÏÍÅ ÔÏÇÏ, ÄÌÑ ÐÏÄÄÅÒÖËÉ ÏÂÍÅÎÁ ËÌÀÞÁÍÉ ÄÏÌÖÅÎ ÂÙÔØ ÕÓÔÁÎÏ×ÌÅÎ
ÐÁËÅÔ <application>racoon</application>.
<application>Racoon</application> Ñ×ÌÑÅÔÓÑ ÞÁÓÔØÀ ËÏÌÌÅËÃÉÉ ÐÏÒÔÏ×
FreeBSD É ÎÁÈÏÄÉÔÓÑ × ÐÁËÁÄÖÅ <filename
role="package">security/racoon</filename>. æÁÊÌ ËÏÎÆÉÇÕÒÁÃÉÉ
<application>racoon</application> ÂÕÄÅÔ ÏÐÉÓÁÎ ÎÉÖÅ × ÜÔÏÍ
ÄÏËÕÍÅÎÔÅ.</para>
</sect1>
<sect1 id="object">
<title>îÁÓÔÒÏÊËÁ ÓÅÔÅ×ÙÈ ÏÂßÅËÔÏ× × Firewall-1</title>
<para>îÁÞÎÉÔÅ Ó ÎÁÓÔÒÏÊËÉ ÐÏÌÉÔÉËÉ Firewall-1. ïÔËÒÏÊÔÅ ÒÅÄÁËÔÏÒ ÐÏÌÉÔÉË
Policy Editor ÎÁ ÓÅÒ×ÅÒÅ ÕÐÒÁ×ÌÅÎÉÑ Firewall-1 É ÓÏÚÄÁÊÔÅ ÎÏ×ÙÊ ÓÅÔÅ×ÏÊ
ÏÂßÅËÔ (Network Object) ÔÉÐÁ <quote>Workstation</quote>, ËÏÔÏÒÙÊ ÂÕÄÅÔ
ÐÒÅÄÓÔÁ×ÌÑÔØ ÍÁÛÉÎÕ <acronym>GW</acronym> Ó FreeBSD.</para>
<programlisting>General Tab:
Set name and IP address
VPN Tab:
Encryption Schemes Defined: IKE ---&gt; Edit
IKE Properties:
Key Negotiation Encryption Methods: 3DES
Authentication Method:
Pre-Shared Secret ---&gt; Edit</programlisting>
<para>÷ÙÂÅÒÉÔÅ Firewall Object É ÕÓÔÁÎÏ×ÉÔÅ ÚÁÒÁÎÅÅ ÉÚ×ÅÓÔÎÙÊ ÐÁÒÏÌØ. (îÅ
ÉÓÐÏÌØÚÕÊÔÅ ÅÇÏ ÉÚ ÎÁÛÅÇÏ ÐÒÉÍÅÒÁ.)</para>
<programlisting>Support Aggressive Mode: Checked
Supports Subnets: Checked</programlisting>
<para>ðÏÓÌÅ ÕÓÔÁÎÏ×ËÉ ÉÚ×ÅÓÔÎÏÇÏ ÐÁÒÏÌÑ × ÏÐÒÅÄÅÌÅÎÉÉ ÓÅÔÅ×ÏÇÏ ÏÂßÅËÔÁ
Firewall-1, ÕËÁÖÉÔÅ ÜÔÏÔ ÐÁÒÏÌØ × ÆÁÊÌÅ
<filename>/usr/local/etc/racoon/psk.txt</filename> × ÓÉÓÔÅÍÅ FreeBSD ÎÁ
<acronym>GW</acronym>. æÏÒÍÁÔ ÆÁÊÌÁ <filename>psk.txt</filename>
ÔÁËÏ×:</para>
<programlisting>208.229.100.6 rUac0wtoo?</programlisting>
</sect1>
<sect1 id="rulecfg">
<title>ëÏÎÆÉÇÕÒÁÃÉÑ VPN-ÐÒÁ×ÉÌÁ × Firewall-1</title>
<para>ôÅÐÅÒØ ÓÏÚÄÁÊÔÅ × Firewall-1 ÐÒÁ×ÉÌÏ, ×ËÌÀÞÁÀÝÅÅ ÛÉÆÒÏ×ÁÎÉÅ ÍÅÖÄÕ
ÍÁÛÉÎÏÊ <acronym>GW</acronym> Ó FreeBSD É ÓÅÔØÀ, ÚÁÝÉÝ£ÎÎÏÊ Firewall-1.
÷ ÜÔÏÍ ÐÒÁ×ÉÌÅ ÄÏÌÖÎÙ ÂÙÔØ ÚÁÄÁÎÙ ÓÅÔÅ×ÙÅ ÓÅÒ×ÉÓÙ, ÒÁÚÒÅÛ£ÎÎÙÅ Ë ÒÁÂÏÔÅ
ÞÅÒÅÚ <acronym>VPN</acronym>.</para>
<programlisting>Source | Destination | Service | Action | Track
------------------------------------------------------------------------
FreeBSD GW | FW-1 Protected Net | VPN services | Encrypt | Long
FW-1 Protected Net| FreeBSD GW | | |</programlisting>
<para><quote>VPN-ÓÅÒ×ÉÓÁÍÉ</quote> Ñ×ÌÑÀÔÓÑ ÌÀÂÙÅ ÓÅÒ×ÉÓÙ (ÔÏ ÅÓÔØ
<command>telnet</command>, <acronym>SSH</acronym>,
<acronym>NTP</acronym> É ÔÁË ÄÁÌÅÅ), Ë ËÏÔÏÒÙÍ ÒÁÚÒÅۣΠÄÏÓÔÕÐ ÕÄÁÌ£ÎÎÏÍÕ
ÈÏÓÔÕ ÞÅÒÅÚ <acronym>VPN</acronym>. âÕÄØÔÅ ×ÎÉÍÁÔÅÌØÎÙ ÐÒÉ ×ËÌÀÞÅÎÉÉ
ÓÅÒ×ÉÓÏ×; ÈÏÓÔÙ, ÐÏÄËÌÀÞÁÅÍÙÅ ÞÅÒÅÚ <acronym>VPN</acronym>, ÐÒÏÄÏÌÖÁÀÔ
ÐÒÅÄÓÔÁ×ÌÑÔØ ÐÏÔÅÎÃÉÁÌØÎÕÀ ÏÐÁÓÎÏÓÔØ. ûÉÆÒÏ×ÁÎÉÅ ÔÒÁÆÉËÁ ÍÅÖÄÕ Ä×ÕÍÑ
ÓÅÔÑÍÉ ÄÁ£Ô ÓÌÁÂÕÀ ÚÁÝÉÔÕ, ÅÓÌÉ ÌÀÂÏÊ ÉÚ ÈÏÓÔÏ× ÎÁ ÏÂÅÉÈ ÓÔÏÒÏÎÁÈ ÔÕÎÎÅÌÑ
ÂÙÌ ×ÚÌÏÍÁÎ.</para>
<para>ðÏÓÌÅ ÎÁÓÔÒÏÊËÉ ÐÒÁ×ÉÌÁ ÛÉÆÒÏ×ÁÎÉÑ ÄÁÎÎÙÈ ÍÅÖÄÕ ÍÁÛÉÎÏÊ
<acronym>GW</acronym> Ó FreeBSD É ÓÅÔØÀ, ÚÁÝÉÝ£ÎÎÏÊ Firewall-1,
ÐÒÏÓÍÏÔÒÉÔÅ ÎÁÓÔÒÏÊËÉ <quote>Action Encrypt</quote>.</para>
<programlisting>Encryption Schemes Defined: IKE ---&gt; Edit
Transform: Encryption + Data Integrity (ESP)
Encryption Algorithm: 3DES
Data Integrity: MD5
Allowed Peer Gateway: Any or Firewall Object
Use Perfect Forward Secrecy: Checked</programlisting>
<para>éÓÐÏÌØÚÏ×ÁÎÉÅ ÔÅÈÎÏÌÏÇÉÉ Perfect Forward Secrecy
(<acronym>PFS</acronym>) Ñ×ÌÑÅÔÓÑ ÎÅÏÂÑÚÁÔÅÌØÎÙÍ. ÷ËÌÀÞÅÎÉÅ
<acronym>PFS</acronym> ÄÏÂÁ×ÉÔ ÅÝ£ ÏÄÉÎ ÕÒÏ×ÅÎØ ÂÅÚÏÐÁÓÎÏÓÔÉ ÎÁ ÕÒÏ×ÎÅ
ÛÉÆÒÏ×ÁÎÉÑ ÄÁÎÎÙÈ, ÏÄÎÁËÏ ÐÒÉ×ÅÄ£Ô Ë Õ×ÅÌÉÞÅÎÉÀ ÎÁÇÒÕÚËÉ ÎÁ
<acronym>CPU</acronym>. åÓÌÉ <acronym>PFS</acronym> ÎÅ ÉÓÐÏÌØÚÕÅÔÓÑ,
ÔÏ ×ÙËÌÀÞÉÔÅ ÆÌÁÇ ×ÙÛÅ É ÚÁËÏÍÍÅÎÔÉÒÕÊÔÅ ÓÔÒÏÞËÕ
<literal>pfs_group&nbsp;1</literal> × ÆÁÊÌÅ
<filename>racoon.conf</filename> ÎÁ ÍÁÛÉÎÅ <acronym>GW</acronym> Ó
FreeBSD. ðÒÉÍÅÒ ÆÁÊÌÁ <filename>racoon.conf</filename> ÄÁÎ × ÜÔÏÍ
ÄÁÌØÛÅ.</para>
</sect1>
<sect1 id="policy">
<title>ëÏÎÆÉÇÕÒÁÃÉÑ ÐÏÌÉÔÉËÉ <acronym>VPN</acronym> ×Ï FreeBSD</title>
<para>îÁ ÜÔÏÍ ÜÔÁÐÅ ÄÏÌÖÎÁ ÂÙÔØ ÚÁÄÁÎÁ ÐÏÌÉÔÉËÁ <acronym>VPN</acronym> ÎÁ
ÍÁÛÉÎÅ <acronym>GW</acronym> Ó FreeBSD. üÔÕ ÆÕÎËÃÉÀ ×ÙÐÏÌÎÑÅÔ ÕÔÉÌÉÔÁ
&man.setkey.8;.</para>
<para>îÉÖÅ ÄÁ£ÔÓÑ ÐÒÉÍÅÒ ÓËÒÉÐÔÁ ËÏÍÁÎÄÎÏÇÏ ÐÒÏÃÅÓÓÏÒÁ, ËÏÔÏÒÙÊ ÓÂÒÁÓÙ×ÁÅÔ
&man.setkey.8; É ÄÏÂÁ×ÌÑÅÔ ×ÁÛÉ ÐÒÁ×ÉÌÁ ÐÏÌÉÔÉËÉ
<acronym>VPN</acronym>.</para>
<programlisting>#
# /etc/vpn1-ipsec.sh
#
# IP addresses
#
# External Interface External Interface
# 208.229.100.6 216.218.197.2
# | |
# +--&gt; Firewall-1 &lt;--&gt; Internet &lt;--&gt; FreeBSD GW &lt;--+
# | |
# FW-1 Protected Nets Internal Nets
# 199.208.192.0/24 192.168.10.0/24
#
# Flush the policy
#
setkey -FP
setkey -F
#
# Configure the Policy
#
setkey -c &lt;&lt; END
spdadd 216.218.197.2/32 199.208.192.0/24 any -P out ipsec
esp/tunnel/216.218.197.2-208.229.100.6/require;
spdadd 199.208.192.0/24 216.218.197.2/32 any -P in ipsec
esp/tunnel/208.229.100.6-216.218.197.2/require;
END
#</programlisting>
<para>÷ÙÐÏÌÎÉÔÅ ËÏÍÁÎÄÙ &man.setkey.8;:</para>
<screen>&prompt.root; <userinput>sh /etc/vpn1-ipsec.sh</userinput></screen>
</sect1>
<sect1 id="racoon">
<title>ëÏÎÆÉÇÕÒÁÃÉÑ <application>Racoon</application> ×Ï FreeBSD</title>
<para>äÌÑ ÏÂÅÓÐÅÞÅÎÉÑ ÓÏÇÌÁÓÏ×ÁÎÉÑ ËÌÀÞÅÊ IPsec ÎÁ ÍÁÛÉÎÅ
<acronym>GW</acronym> Ó FreeBSD, ÎÅÏÂÈÏÄÉÍÏ ÕÓÔÁÎÏ×ÉÔØ É ÓËÏÎÆÉÇÕÒÉÒÏ×ÁÔØ
ÐÏÒÔ <filename role="package">security/racoon</filename>.</para>
<para>äÁÌÅÅ ÐÒÉ×ÏÄÉÔÓÑ ÆÁÊÌ ËÏÎÆÉÇÕÒÁÃÉÉ <application>racoon</application>,
ËÏÔÏÒÙÊ ÐÏÄÈÏÄÉÔ ÄÌÑ ÉÓÐÏÌØÚÏ×ÁÎÉÑ Ó ÐÒÉÍÅÒÁÍÉ, ÏÐÉÓÁÎÎÙÍÉ × ÜÔÏÍ
ÄÏËÕÍÅÎÔÅ. ðÏÖÁÌÕÊÓÔÁ, ÐÅÒÅÄ ÅÇÏ ÉÓÐÏÌØÚÏ×ÁÎÉÅÍ × ÒÅÁÌØÎÏÊ ÜËÓÐÌÕÁÔÁÃÉÉ
ÕÂÅÄÉÔÅÓØ, ÞÔÏ ÐÏÌÎÏÓÔØÀ ÐÏÎÉÍÁÅÔÅ ÅÇÏ ÎÁÚÎÁÞÅÎÉÅ.</para>
<programlisting># racoon.conf for use with Check Point VPN-1/Firewall-1
#
# search this file for pre_shared_key with various ID key.
#
path pre_shared_key "/usr/local/etc/racoon/psk.txt" ;
log debug;
#
# "padding" defines some parameter of padding. You should not touch these.
#
padding
{
maximum_length 20; # maximum padding length.
randomize off; # enable randomize length.
strict_check off; # enable strict check.
exclusive_tail off; # extract last one octet.
}
listen
{
#isakmp ::1 [7000];
#isakmp 0.0.0.0 [500];
#admin [7002]; # administrative port by kmpstat.
#strict_address; # required all addresses must be bound.
}
#
# Specification of default various timers.
#
timer
{
#
# These values can be changed per remote node.
#
counter 5; # maximum trying count to send.
interval 20 sec; # maximum interval to resend.
persend 1; # the number of packets per a send.
#
# timer for waiting to complete each phase.
#
phase1 30 sec;
phase2 15 sec;
}
remote anonymous
{
exchange_mode aggressive,main; # For Firewall-1 Aggressive mode
#my_identifier address;
#my_identifier user_fqdn "";
#my_identifier address "";
#peers_identifier address "";
#certificate_type x509 "" "";
nonce_size 16;
lifetime time 10 min; # sec,min,hour
lifetime byte 5 MB; # B,KB,GB
initial_contact on;
support_mip6 on;
proposal_check obey; # obey, strict or claim
proposal {
encryption_algorithm 3des;
hash_algorithm md5;
authentication_method pre_shared_key;
dh_group 2 ;
}
}
sainfo anonymous
{
pfs_group 1;
lifetime time 10 min;
lifetime byte 50000 KB;
encryption_algorithm 3des;
authentication_algorithm hmac_md5;
compression_algorithm deflate ;
}</programlisting>
<para>ðÒÏ×ÅÒØÔÅ, ÞÔÏ ÆÁÊÌ
<filename>/usr/local/etc/racoon/psk.txt</filename> ÓÏÄÅÒÖÉÔ ÔÏÔ ÖÅ ÓÁÍÙÊ
ÚÁÒÁÎÅÅ ÉÚ×ÅÓÔÎÙÊ ÐÁÒÏÌØ, ÞÔÏ ÎÁÓÔÒÁÉ×ÁÌÓÑ ÐÒÉ ÐÏÍÏÝÉ ÒÁÚÄÅÌÁ
<quote>îÁÓÔÒÏÊËÁ ÓÅÔÅ×ÙÈ ÏÂßÅËÔÏ× × Firewall-1</quote> ÜÔÏÇÏ ÄÏËÕÍÅÎÔÁ,
É ÉÍÅÅÔ ÒÅÖÉÍ ÄÏÓÔÕÐÁ <literal>600</literal>.</para>
<screen>&prompt.root; <userinput>chmod 600 /usr/local/etc/racoon/psk.txt</userinput></screen>
</sect1>
<sect1 id="startingvpn">
<title>úÁÐÕÓË <acronym>VPN</acronym> × ÒÁÂÏÔÕ</title>
<para>ôÅÐÅÒØ ×Ù ÇÏÔÏ×Ù Ë ÚÁÐÕÓËÕ <application>racoon</application> É
ÔÅÓÔÉÒÏ×ÁÎÉÀ ÔÕÎÎÅÌÑ <acronym>VPN</acronym>. äÌÑ ÃÅÌÅÊ ÏÔÌÁÄËÉ ÏÔËÒÏÊÔÅ
Log Viewer ÎÁ Firewall-1 É ÚÁÄÁÊÔÅ ÆÉÌØÔÒ ÐÒÏÔÏËÏÌÉÒÏ×ÁÎÉÑ ÄÌÑ ×ÙÄÅÌÅÎÉÑ
ÚÁÐÉÓÅÊ, ÏÔÎÏÓÑÝÉÈÓÑ Ë ÍÁÛÉÎÅ <acronym>GW</acronym> Ó FreeBSD. ÷ÁÍ ÍÏÖÅÔ
ÔÁËÖÅ ÐÒÉÇÏÄÉÔØÓÑ ÐÒÏÓÍÏÔÒ ÖÕÒÎÁÌÁ <application>racoon</application> ÐÒÉ
ÐÏÍÏÝÉ ËÏÍÁÎÄÙ &man.tail.1;:</para>
<screen>&prompt.root; <userinput>tail -f /var/log/racoon.log</userinput></screen>
<para>úÁÐÕÓÔÉÔÅ <application>racoon</application> ÐÏÓÒÅÄÓÔ×ÏÍ ÓÌÅÄÕÀÝÅÊ
ËÏÍÁÎÄÙ:</para>
<screen>&prompt.root; <userinput>/usr/local/sbin/racoon -f /usr/local/etc/racoon/racoon.conf</userinput></screen>
<para>ðÏÓÌÅ ÚÁÐÕÓËÁ <application>racoon</application> ×ÙÐÏÌÎÉÔÅ ÐÏÄËÌÀÞÅÎÉÅ
ÐÏ &man.telnet.1; Ë ÈÏÓÔÕ × ÓÅÔÉ, ÚÁÝÉÝ£ÎÎÏÊ Firewall-1.</para>
<screen>&prompt.root; <userinput>telnet -s 192.168.10.3 199.208.192.66 22</userinput></screen>
<para>ðÏ ÜÔÏÊ ËÏÍÁÎÄÅ ×ÙÐÏÌÎÑÅÔÓÑ ÐÏÐÙÔËÁ ÐÏÄËÌÀÞÅÎÉÑ Ë &man.ssh.1;-ÐÏÒÔÕ
ÍÁÛÉÎÙ <hostid role="ipaddr">199.208.192.66</hostid>, ÔÏÊ, ÞÔÏ ÎÁÈÏÄÉÔÓÑ
× ÓÅÔÉ, ÚÁÝÉÝ£ÎÎÏÊ Firewall-1. ðÁÒÁÍÅÔÒ <option>-s</option> ÚÁÄÁ£Ô
ÉÓÐÏÌÌØÚÕÅÍÙÊ ÉÎÔÅÒÆÅÊÓ × ÉÓÈÏÄÑÝÅÍ ÓÏÅÄÉÎÅÎÉÉ. üÔÏ, × ÞÁÓÔÎÏÓÔÉ, ×ÁÖÎÏ
ÐÒÉ ÉÓÐÏÌØÚÏ×ÁÎÉÉ ÎÁ ÍÁÛÉÎÅ <acronym>GW</acronym> Ó FreeBSD ÔÅÈÎÏÌÏÇÉÊ
<acronym>NAT</acronym> É <acronym>IPFW</acronym>. éÓÐÏÌØÚÏ×ÁÎÉÅ
<literal>-s</literal> É Ñ×ÎÏÅ ÚÁÄÁÎÉÅ ÉÓÈÏÄÑÝÅÇÏ ÁÄÒÅÓÁ ÎÅ ÐÏÚ×ÏÌÉÔ
<acronym>NAT</acronym> ÐÏÄÍÅÎÑÔØ ÐÁËÅÔÙ ÐÅÒÅÄ ÔÕÎÎÅÌÉÒÏ×ÁÎÉÅÍ.</para>
<para>ðÒÉ ÕÓÐÅÛÎÏÍ ÏÂÍÅÎÅ ËÌÀÞÁÍÉ <application>racoon</application> ×ÙÄÁÓÔ
× ÆÁÊÌ ÐÒÏÔÏËÏÌÁ <filename>racoon.log</filename> ÓÌÅÄÕÀÝÅÅ:</para>
<programlisting>pfkey UPDATE succeeded: ESP/Tunnel 216.218.197.2->208.229.100.6
pk_recvupdate(): IPSec-SA established: ESP/Tunnel 216.218.197.2->208.229.100.6
get pfkey ADD message IPsec-SA established: ESP/Tunnel 208.229.100.6->216.218.197.2</programlisting>
<para>ðÏÓÌÅ ÔÏÇÏ, ËÁË ÏÂÍÅÎ ËÌÀÞÁÍÉ ÂÕÄÅÔ ÚÁ×ÅÒۣΠ(ÞÔÏ ÚÁÎÉÍÁÅÔ ÎÅÓËÏÌØËÏ
ÓÅËÕÎÄ), ÂÕÄÅÔ ×ÙÄÁÎÁ ÚÁÓÔÁ×ËÁ &man.ssh.1;. åÓÌÉ ×Ó£ ÐÒÏÛÌÏ ÎÏÒÍÁÌØÎÏ,
× ÓÒÅÄÓÔ×Å Log Viewer ÎÁ Firewall-1 ÂÕÄÅÔ ÚÁÆÉËÓÉÒÏ×ÁÎÏ Ä×Á ÓÏÏÂÝÅÎÉÑ
<quote>Key Install</quote>.</para>
<programlisting>Action | Source | Dest. | Info.
Key Install | 216.218.197.2 | 208.229.100.6 | IKE Log: Phase 1 (aggressive) completion.
Key Install | 216.218.197.2 | 208.229.100.6 | scheme: IKE methods</programlisting>
<para>÷ ÉÎÆÏÒÍÁÃÉÏÎÎÏÊ ËÏÌÏÎËÅ ÐÏÄÒÏÂÎÙÊ ÐÒÏÔÏËÏÌ ÂÕÄÅÔ ×ÙÇÌÑÄÅÔØ
ÔÁË:</para>
<programlisting>IKE Log: Phase 1 (aggressive) completion. 3DES/MD5/Pre shared secrets Negotiation Id:
scheme: IKE methods: Combined ESP: 3DES + MD5 + PFS (phase 2 completion) for host:</programlisting>
</sect1>
<sect1 id="References">
<title>óÓÙÌËÉ</title>
<itemizedlist>
<listitem>
<para><ulink url="http://www.FreeBSD.org/handbook/ipsec.html">
òÕËÏ×ÏÄÓÔ×Ï FreeBSD: IPsec</ulink></para>
</listitem>
<listitem>
<para><ulink url="http://www.kame.net">ðÒÏÅËÔ KAME</ulink></para>
</listitem>
<listitem>
<para><ulink url="http://www.x-itec.de/projects/tuts/ipsec-howto.txt">
ëÒÁÔËÉÊ HOWTO ÐÏ FreeBSD IPsec </ulink></para>
</listitem>
</itemizedlist>
</sect1>
</article>
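Review bot: the sentence that closes the PFS paragraph at the end of sect1 id="rulecfg", "ðÒÉÍÅÒ ÆÁÊÌÁ <filename>racoon.conf</filename> ÄÁÎ × ÜÔÏÍ ÄÁÌØÛÅ.", is missing a word: read as KOI8-R (the encoding the $FreeBSDru: path in the header comment names) it says "Пример файла racoon.conf дан в этом дальше", so "в этом" has no noun to attach to; suggest "дан далее в этом документе." Same decoding shows a typo in the telnet paragraph of sect1 id="startingvpn": "ÉÓÐÏÌÌØÚÕÅÍÙÊ" is "исполльзуемый" with a doubled "л"; should be "используемый". One content point for the racoon section: the listing ships "log debug;" while the paragraph above it only asks the reader to understand the file before production use; since the startingvpn section uses the debug log (tail -f /var/log/racoon.log) purely for bringing the tunnel up, a sentence saying to lower the log level once the tunnel works would keep the "understand before production" warning concrete.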