Whitespace cleanup. Mostly to ensure that two spaces separate
sentences and text is wrapped under 78 columns when possible.
Translators please ignore this change.
This commit is contained in:
Giorgos Keramidas 2003-01-22 17:39:50 +00:00
parent cf8d46bc93
commit b193421338
Notes: svn2git 2020-12-08 03:00:23 +00:00
svn path=/head/; revision=15769
@ -42,22 +42,22 @@
<authorgroup>
<author>
<firstname>Jon</firstname>
<surname>Orbeton</surname>
<firstname>Jon</firstname>
<surname>Orbeton</surname>
<affiliation>
<address><email>jono@securityreports.com</email></address>
</affiliation>
<affiliation>
<address><email>jono@securityreports.com</email></address>
</affiliation>
</author>
<author>
<firstname>Matt</firstname>
<surname>Hite</surname>
<firstname>Matt</firstname>
<surname>Hite</surname>
<affiliation>
<address><email>mhite@hotmail.com</email></address>
</affiliation>
</author>
<affiliation>
<address><email>mhite@hotmail.com</email></address>
</affiliation>
</author>
</authorgroup>
<pubdate>$FreeBSD$</pubdate>
@ -68,22 +68,22 @@
</copyright>
&legalnotice;
<abstract>
<para>This document explains how to configure a
<acronym>VPN</acronym> tunnel between FreeBSD and Checkpoint's
VPN-1/Firewall-1. Other documents provide similar information,
but do not contain instructions specific to VPN-1/Firewall-1
and its integration with FreeBSD. These documents are
listed at the conclusion of this paper for further reference.</para>
<para>This document explains how to configure a <acronym>VPN</acronym>
tunnel between FreeBSD and Checkpoint's VPN-1/Firewall-1. Other
documents provide similar information, but do not contain instructions
specific to VPN-1/Firewall-1 and its integration with FreeBSD. These
documents are listed at the conclusion of this paper for further
reference.</para>
</abstract>
</articleinfo>
<sect1 id="prerequisites">
<title>Prerequisites</title>
<para>The following is a diagram of the machines and networks
referenced in this document.</para>
<para>The following is a diagram of the machines and networks referenced
in this document.</para>
<programlisting>External Interface External Interface
208.229.100.6 216.218.197.2
@ -96,35 +96,33 @@ FW-1 Protected Nets Internal Nets
<para>The FreeBSD gateway <acronym>GW</acronym> serves as a firewall and
<acronym>NAT</acronym> device for <quote>internal nets.</quote></para>
<para>The FreeBSD kernel must be compiled to support IPSec.
Use the following kernel options to enable IPSec support in your
kernel:</para>
<para>The FreeBSD kernel must be compiled to support IPSec. Use the
following kernel options to enable IPSec support in your kernel:</para>
<programlisting>options IPSEC
options IPSEC_ESP
options IPSEC_DEBUG</programlisting>
<para>For instructions on building a custom kernel, refer to the
<ulink url="http://www.FreeBSD.org/doc/en_US.ISO8859-1/books/handbook/kernelconfig.html">
FreeBSD handbook</ulink>. Please note that <acronym>IP</acronym>
<ulink url="http://www.FreeBSD.org/doc/en_US.ISO8859-1/books/handbook/kernelconfig.html">FreeBSD
handbook</ulink>. Please note that <acronym>IP</acronym>
protocol&nbsp;50 (<acronym>ESP</acronym>) and <acronym>UDP</acronym>
port&nbsp;<literal>500</literal> must be open between the Firewall-1
host and the FreeBSD <acronym>GW</acronym>.</para>
<para>Also, <application>racoon</application> must be installed to
support key exchange. <application>Racoon</application> is part
of the FreeBSD ports collection in
<filename role="package">security/racoon</filename>. The
<application>racoon</application> configuration file will be
covered later in this document.</para>
<para>Also, <application>racoon</application> must be installed to support
key exchange. <application>Racoon</application> is part of the FreeBSD
ports collection in <filename role="package">security/racoon</filename>.
The <application>racoon</application> configuration file will be covered
later in this document.</para>
</sect1>
<sect1 id="object">
<title>Firewall-1 Network Object Configuration</title>
<para>Begin by configuring the Firewall-1 Policy. Open the
Policy Editor on the Firewall-1 Management server and create
a new <quote>Workstation</quote> Network Object representing FreeBSD
<para>Begin by configuring the Firewall-1 Policy. Open the Policy Editor
on the Firewall-1 Management server and create a new
<quote>Workstation</quote> Network Object representing FreeBSD
<acronym>GW</acronym>.</para>
<programlisting>General Tab:
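Review bot: the `<ulink url="http://www.FreeBSD.org/doc/en_US.ISO8859-1/books/handbook/kernelconfig.html">FreeBSD` line in this hunk still runs well past 78 columns, which is unavoidable because the URL cannot be broken; pulling `FreeBSD` onto the start-tag line is nonetheless the right choice, since the old layout started the link text with a newline. This is consistent with the "when possible" in the commit message and needs no further change.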
@ -144,11 +142,12 @@ Authentication Method:
<programlisting>Support Aggressive Mode: Checked
Supports Subnets: Checked</programlisting>
<para>After setting the pre-shared secret in the Firewall-1 Network
Object definition, place this secret in the
<para>After setting the pre-shared secret in the Firewall-1 Network Object
definition, place this secret in the
<filename>/usr/local/etc/racoon/psk.txt</filename> file on FreeBSD
<acronym>GW</acronym>. The format for <filename>psk.txt</filename> is:</para>
<acronym>GW</acronym>. The format for <filename>psk.txt</filename>
is:</para>
<programlisting>208.229.100.6 rUac0wtoo?</programlisting>
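Review bot: the rewrap of the `<para>` is fine, but the unchanged context line `<programlisting>208.229.100.6 rUac0wtoo?</programlisting>` presents what reads as a real pre-shared secret in the psk.txt example. That is out of scope for a whitespace-only commit, but a follow-up should replace the sample secret with an obviously fake placeholder so readers do not copy it verbatim into `/usr/local/etc/racoon/psk.txt`.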
@ -157,8 +156,8 @@ Supports Subnets: Checked</programlisting>
<sect1 id="rulecfg">
<title>Firewall-1 VPN Rule Configuration</title>
<para>Next, create a Firewall-1 rule enabling encryption between
the FreeBSD <acronym>GW</acronym> and the Firewall-1 protected network.
<para>Next, create a Firewall-1 rule enabling encryption between the
FreeBSD <acronym>GW</acronym> and the Firewall-1 protected network.
In this rule, the network services permitted through the
<acronym>VPN</acronym> must be defined.</para>
@ -169,16 +168,16 @@ FW-1 Protected Net| FreeBSD GW | | |</programlistin
<para><quote>VPN services</quote> are any services (i.e.
<command>telnet</command>, <acronym>SSH</acronym>,
<acronym>NTP</acronym>, etc.) which remote hosts are permitted to
access through the <acronym>VPN</acronym>. Use caution when
permitting services; hosts connecting through a <acronym>VPN</acronym>
still represent a potential security risk. Encrypting the traffic
between the two networks offers little protection if a host on either
side of the tunnel has been compromised.</para>
<acronym>NTP</acronym>, etc.) which remote hosts are permitted to access
through the <acronym>VPN</acronym>. Use caution when permitting
services; hosts connecting through a <acronym>VPN</acronym> still
represent a potential security risk. Encrypting the traffic between the
two networks offers little protection if a host on either side of the
tunnel has been compromised.</para>
<para>Once the rule specifying data encryption between the FreeBSD
<acronym>GW</acronym> and the Firewall-1 protected network has
been configured, review the <quote>Action Encrypt</quote> settings.</para>
<acronym>GW</acronym> and the Firewall-1 protected network has been
configured, review the <quote>Action Encrypt</quote> settings.</para>
<programlisting>Encryption Schemes Defined: IKE ---&gt; Edit
Transform: Encryption + Data Integrity (ESP)
@ -188,13 +187,14 @@ Allowed Peer Gateway: Any or Firewall Object
Use Perfect Forward Secrecy: Checked</programlisting>
<para>The use of Perfect Forward Secrecy (<acronym>PFS</acronym>) is
optional. Enabling <acronym>PFS</acronym> will add another layer of
optional. Enabling <acronym>PFS</acronym> will add another layer of
encryption security, but does come at the cost of increased
<acronym>CPU</acronym> overhead. If <acronym>PFS</acronym> is not
used, uncheck the box above and comment out the <literal>pfs_group&nbsp;1</literal>
line in the <filename>racoon.conf</filename> file on FreeBSD
<acronym>GW</acronym>. An example <filename>racoon.conf</filename>
file is provided later in this document.</para>
<acronym>CPU</acronym> overhead. If <acronym>PFS</acronym> is not used,
uncheck the box above and comment out the
<literal>pfs_group&nbsp;1</literal> line in the
<filename>racoon.conf</filename> file on FreeBSD <acronym>GW</acronym>.
An example <filename>racoon.conf</filename> file is provided later in
this document.</para>
</sect1>
@ -202,8 +202,8 @@ Use Perfect Forward Secrecy: Checked</programlisting>
<title>FreeBSD <acronym>VPN</acronym> Policy Configuration</title>
<para>At this point, the <acronym>VPN</acronym> policy on FreeBSD
<acronym>GW</acronym> must be defined. The
&man.setkey.8; tool performs this function.</para>
<acronym>GW</acronym> must be defined. The &man.setkey.8; tool performs
this function.</para>
<para>Below is an example shell script which will flush &man.setkey.8; and
add your <acronym>VPN</acronym> policy rules.</para>
@ -245,12 +245,14 @@ END
<title>FreeBSD <application>Racoon</application> Configuration</title>
<para>To facilitate the negotiation of IPSec keys on the FreeBSD
<acronym>GW</acronym>, the <filename role="package">security/racoon</filename> port must
be installed and configured.</para>
<acronym>GW</acronym>, the
<filename role="package">security/racoon</filename> port must be
installed and configured.</para>
<para>The following is a <application>racoon</application> configuration file suitable for use with
the examples outlined in this document. Please make sure you fully
understand this file before using it in a production environment.</para>
<para>The following is a <application>racoon</application> configuration
file suitable for use with the examples outlined in this document.
Please make sure you fully understand this file before using it in a
production environment.</para>
<programlisting># racoon.conf for use with Checkpoint VPN-1/Firewall-1
#
@ -329,23 +331,24 @@ END
compression_algorithm deflate ;
}</programlisting>
<para>Ensure that the <filename>/usr/local/etc/racoon/psk.txt</filename> file
contains the pre-shared secret configured in the <quote>Firewall-1 Network Object
Configuration</quote> section of this document and has mode <literal>600</literal>
permissions.</para>
<para>Ensure that the <filename>/usr/local/etc/racoon/psk.txt</filename>
file contains the pre-shared secret configured in the <quote>Firewall-1
Network Object Configuration</quote> section of this document and has
mode <literal>600</literal> permissions.</para>
<screen>&prompt.root; <userinput>chmod 600 /usr/local/etc/racoon/psk.txt</userinput></screen>
</sect1>
</sect1>
<sect1 id="startingvpn">
<title>Starting the <acronym>VPN</acronym></title>
<sect1 id="startingvpn">
<title>Starting the <acronym>VPN</acronym></title>
<para>You are now ready to launch <application>racoon</application> and test
the <acronym>VPN</acronym> tunnel. For debugging purposes, open the
Firewall-1 Log Viewer and define a log filter to isolate entries pertaining
to FreeBSD <acronym>GW</acronym>. You may also find it helpful to
&man.tail.1; the <application>racoon</application> log:</para>
<para>You are now ready to launch <application>racoon</application> and
test the <acronym>VPN</acronym> tunnel. For debugging purposes, open
the Firewall-1 Log Viewer and define a log filter to isolate entries
pertaining to FreeBSD <acronym>GW</acronym>. You may also find it
helpful to &man.tail.1; the <application>racoon</application>
log:</para>
<screen>&prompt.root; <userinput>tail -f /var/log/racoon.log</userinput></screen>
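Review bot: the two `<screen>` lines in this hunk (`chmod 600 /usr/local/etc/racoon/psk.txt` and `tail -f /var/log/racoon.log`) are left over 78 columns while the surrounding `<para>` text is rewrapped; that is correct, because `<screen>` content is verbatim and a line break would change the rendered command. The rewrapped paragraph also keeps `mode <literal>600</literal>` together on one line, which is preferable since the permission value and its markup should not be split across a wrap.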
@ -354,30 +357,32 @@ END
<screen>&prompt.root; <userinput>/usr/local/sbin/racoon -f /usr/local/etc/racoon/racoon.conf</userinput></screen>
<para>Once <application>racoon</application> has been launched, &man.telnet.1;
to a host on the Firewall-1 protected network.</para>
<para>Once <application>racoon</application> has been launched,
&man.telnet.1; to a host on the Firewall-1 protected network.</para>
<screen>&prompt.root; <userinput>telnet -s 192.168.10.3 199.208.192.66 22</userinput></screen>
<para>This command attempts to connect to the &man.ssh.1;
port on <hostid role="ipaddr">199.208.192.66</hostid>, a machine in the Firewall-1 protected network. The
<option>-s</option> switch indicates the source interface of the outbound
connection. This is particularly important when running
<acronym>NAT</acronym> and <acronym>IPFW</acronym> on FreeBSD
<acronym>GW</acronym>. Using <literal>-s</literal> and specifying an
explicit source address prevents <acronym>NAT</acronym> from mangling the
packet prior to tunneling.</para>
<para>This command attempts to connect to the &man.ssh.1; port on <hostid
role="ipaddr">199.208.192.66</hostid>, a machine in the Firewall-1
protected network. The <option>-s</option> switch indicates the source
interface of the outbound connection. This is particularly important
when running <acronym>NAT</acronym> and <acronym>IPFW</acronym> on
FreeBSD <acronym>GW</acronym>. Using <literal>-s</literal> and
specifying an explicit source address prevents <acronym>NAT</acronym>
from mangling the packet prior to tunneling.</para>
<para>A successful <application>racoon</application> key exchange will
output the following to the <filename>racoon.log</filename> log file:</para>
output the following to the <filename>racoon.log</filename> log
file:</para>
<programlisting>pfkey UPDATE succeeded: ESP/Tunnel 216.218.197.2->208.229.100.6
pk_recvupdate(): IPSec-SA established: ESP/Tunnel 216.218.197.2->208.229.100.6
get pfkey ADD message IPsec-SA established: ESP/Tunnel 208.229.100.6->216.218.197.2</programlisting>
<para>Once key exchange completes (which takes a few seconds), an &man.ssh.1;
banner will appear. If all went well, two <quote>Key Install</quote> messages will be logged
in the Firewall-1 Log Viewer.</para>
<para>Once key exchange completes (which takes a few seconds), an
&man.ssh.1; banner will appear. If all went well, two <quote>Key
Install</quote> messages will be logged in the Firewall-1 Log
Viewer.</para>
<programlisting>Action | Source | Dest. | Info.
Key Install | 216.218.197.2 | 208.229.100.6 | IKE Log: Phase 1 (aggressive) completion.
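Review bot: the new wrapping splits a start tag across two lines (`<hostid` at the end of one line, `role="ipaddr">199.208.192.66</hostid>, a machine in the Firewall-1` at the start of the next). That is valid SGML but it makes the element hard to grep for and differs from every other tag in this file; suggest breaking before the tag instead, accepting a slightly short line: `<para>This command attempts to connect to the &man.ssh.1; port on` followed by `<hostid role="ipaddr">199.208.192.66</hostid>, a machine in the Firewall-1`. The long `telnet -s` `<screen>` line and the three racoon.log `<programlisting>` lines are correctly left unwrapped as verbatim content.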
@ -392,21 +397,20 @@ scheme: IKE methods: Combined ESP: 3DES + MD5 + PFS (phase 2 completion) for hos
<sect1 id="References">
<title>References</title>
<itemizedlist>
<listitem>
<para><ulink url="http://www.FreeBSD.org/handbook/ipsec.html">
The FreeBSD Handbook: IPSec</ulink></para>
</listitem>
<itemizedlist>
<listitem>
<para><ulink url="http://www.FreeBSD.org/handbook/ipsec.html">
The FreeBSD Handbook: IPSec</ulink></para>
</listitem>
<listitem>
<para><ulink url="http://www.kame.net">KAME Project</ulink></para>
</listitem>
<listitem>
<para><ulink url="http://www.x-itec.de/projects/tuts/ipsec-howto.txt">
FreeBSD IPSec mini-HOWTO</ulink></para>
</listitem>
</itemizedlist>
<listitem>
<para><ulink url="http://www.kame.net">KAME Project</ulink></para>
</listitem>
<listitem>
<para><ulink url="http://www.x-itec.de/projects/tuts/ipsec-howto.txt">
FreeBSD IPSec mini-HOWTO</ulink></para>
</listitem>
</itemizedlist>
</sect1>
</article>