diff --git a/en_US.ISO8859-1/books/handbook/security/chapter.sgml b/en_US.ISO8859-1/books/handbook/security/chapter.sgml index f1638244b5..b1de80eee0 100644 --- a/en_US.ISO8859-1/books/handbook/security/chapter.sgml +++ b/en_US.ISO8859-1/books/handbook/security/chapter.sgml @@ -3175,7 +3175,7 @@ Network #2 [ Internal Hosts ] to appear to be from A.B.C.D, and it will have to be sent to W.X.Y.Z. This process is called - encapsulation. + encapsulation. Once this packet arrives at to see the configuration. For example, on the network #1 gateway, you would see this: - &prompt.root; gifconfig gif0 + &prompt.root; gifconfig gif0 gif0: flags=8011<UP,POINTTOPOINT,MULTICAST> mtu 1280 inet 192.168.1.1 --> 192.168.2.1 netmask 0xffffffff physical address inet A.B.C.D --> W.X.Y.Z @@ -3252,7 +3252,7 @@ physical address inet A.B.C.D --> W.X.Y.Z on both machines, which you can examine with the command netstat -rn. This output is from the gateway host on network #1. - &prompt.root; netstat -rn + &prompt.root; netstat -rn Routing tables Internet: @@ -3491,8 +3491,8 @@ options IPSEC_ESP A.B.C.D secret That is, the public IP address of the remote end, and the - same secret key. psk.txt must be mode 0600 - (i.e., only read/write to root) before racoon will run. + same secret key. psk.txt must be mode 0600 + (i.e., only read/write to root) before racoon will run. You must run racoon on both gateway machines. You will also need to add some firewall rules to allow the IKE traffic, @@ -3578,7 +3578,7 @@ ipfw add 1 allow udp from W.X.Y.Z to A.B.C.D isakmp - This encapsulation is carried out by the gif device. As + This encapsulation is carried out by the gif device. As you can see, the packet now has real IP addresses on the outside, and our original packet has been wrapped up as data inside the packet that will be put out on the Internet. 
@@ -3633,7 +3633,7 @@ spdadd A.B.C.D/32 W.X.Y.Z/32 ipencap -P out ipsec esp/tunnel/A.B.C.D-W.X.Y.Z/req Put these commands in a file (e.g., /etc/ipsec.conf) and then run - &prompt.root; setkey -f /etc/ipsec.conf + &prompt.root; setkey -f /etc/ipsec.conf tells &man.setkey.8; that we want to add a rule to the secure policy database. The rest of this @@ -3720,13 +3720,13 @@ ipfw add 1 allow ipencap from W.X.Y.Z to A.B.C.D When they are received by the far end of the VPN they will first be decrypted (using the security associations that have - been negotiated by racoon). Then they will enter the gif + been negotiated by racoon). Then they will enter the gif interface, which will unwrap the second layer, until you are left with the innermost packet, which can then travel in to the inner network. You can check the security using the same &man.ping.8; test from - earlier. First, log in to the A.B.C.D gateway machine, and + earlier. First, log in to the A.B.C.D gateway machine, and run: tcpdump dst host 192.168.2.1 @@ -3995,7 +3995,7 @@ Your identification has been saved in /home/user/.ssh/identity. The option will create RSA keys for use by SSH protocol version 1. If you want to use RSA keys with the SSH protocol version 2, you have to use the - command . + command ssh-keygen -t rsa. If a passphrase is used in &man.ssh-keygen.1;, the user will be prompted for a password each time in order to use the private
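Review bot: in the psk.txt hunk, the parenthetical "(i.e., only read/write to root)" only holds if the file is owned by root; mode 0600 restricts access to the file's owner, whoever that is. Suggest stating both conditions, e.g. "psk.txt must be owned by root and be mode 0600 before racoon will run", since that file holds the pre-shared secret for the tunnel.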
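Review bot: in the final ssh-keygen hunk, the new `+` line spells out the full protocol-2 invocation (`ssh-keygen -t rsa`), but the preceding sentence, "The option will create RSA keys for use by SSH protocol version 1", does not name the version-1 option in the same explicit form, so a reader cannot tell which option is meant. Suggest giving the version-1 command in the same form so the two sentences are parallel, or, since this section documents both key types, making it clear which one the reader should generate by default.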