From owner-svn-doc-head@FreeBSD.ORG Tue Apr 22 19:43:19 2014
Message-Id: <201404221943.s3MJhJqo099184@svn.freebsd.org>
From: Dru Lavigne Date: Tue, 22 Apr 2014 19:43:19 +0000 (UTC) To: doc-committers@freebsd.org, svn-doc-all@freebsd.org, svn-doc-head@freebsd.org Subject: svn commit: r44630 - head/en_US.ISO8859-1/books/handbook/security X-SVN-Group: doc-head MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-doc-head@freebsd.org X-Mailman-Version: 2.1.17 Precedence: list List-Id: SVN commit messages for the doc tree for head List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 22 Apr 2014 19:43:19 -0000 Author: dru Date: Tue Apr 22 19:43:18 2014 New Revision: 44630 URL: http://svnweb.freebsd.org/changeset/doc/44630 Log: Prep work for IPsec chapter. Add additional definitions to intro. Still need to define SA and SAD. Still need to setup test environment to verify tech setup. This section does not yet mention setkey. More commits to come. Sponsored by: iXsystems Modified: head/en_US.ISO8859-1/books/handbook/security/chapter.xml Modified: head/en_US.ISO8859-1/books/handbook/security/chapter.xml ============================================================================== --- head/en_US.ISO8859-1/books/handbook/security/chapter.xml Tue Apr 22 17:52:05 2014 (r44629) +++ head/en_US.ISO8859-1/books/handbook/security/chapter.xml Tue Apr 22 19:43:18 2014 (r44630) @@ -61,7 +61,7 @@ - How to configure IPsec and create a + How to configure IPsec and create a VPN. @@ -1993,23 +1993,13 @@ Connection closed by foreign host. - <acronym>VPN</acronym> over IPsec + <acronym>VPN</acronym> over <acronym>IPsec</acronym> NikClayton
nik@FreeBSD.org
Written by
-
- - - IPsec - - - - - Understanding IPsec - Hiten M.Pandya 
@@ -2018,57 +2008,66 @@ Connection closed by foreign host. - This section demonstrates the process of setting up IPsec. - It assumes familiarity with the concepts of building a custom - kernel (see ). + + IPsec + - IPsec is a protocol which sits on + Internet Protocol Security (IPsec) is a set of protocols which sit on top of the Internet Protocol (IP) layer. - It allows two or more hosts to communicate in a secure manner. - The &os; IPsec network stack is based on the - KAME - implementation, which has support for both IPv4 and - IPv6. + It allows two or more hosts to communicate in a secure manner + by authenticating and encrypting each IP packet of a communication session. + The &os; IPsec network stack is based on the + http://www.kame.net/ + implementation and supports both IPv4 and + IPv6 sessions. - IPsec + IPsec ESP - IPsec + IPsec AH - IPsec consists of two sub-protocols: + IPsec is comprised of the following sub-protocols: Encapsulated Security Payload - ESP): this protocol - protects the IP packet data from third party interference + (ESP): this protocol + protects the IP packet data from third party interference by encrypting the contents using symmetric cryptography - algorithms such as Blowfish and 3DES. + algorithms such as Blowfish and 3DES. Authentication Header - (AH): this protocol - protects the IP packet header from third party + (AH)): this protocol + protects the IP packet header from third party interference and spoofing by computing a cryptographic - checksum and hashing the IP packet header fields with a + checksum and hashing the IP packet header fields with a secure hashing function. This is then followed by an additional header that contains the hash, to allow the information in the packet to be authenticated. + + + IP Payload Compression Protocol + (IPComp): this protocol + tries to increase communication performance by compressing + the IP payload in order ro reduce the + amount of data sent. 
+ - ESP and AH can + These protocols can either be used together or separately, depending on the environment. - VPN + VPN @@ -2076,17 +2075,18 @@ Connection closed by foreign host.VPN - IPsec can either be used to directly encrypt the traffic - between two hosts using Transport Mode or - to build virtual tunnels using - Tunnel Mode. The latter mode is more - commonly known as a Virtual Private Network - (VPN). Consult &man.ipsec.4; - for detailed information on the IPsec subsystem in + IPsec supports two modes of operation. + The first mode, Transport Mode, + protects communications between two hosts. The second mode, + Tunnel Mode, is used to build virtual tunnels, + commonly known as Virtual Private Networks + (VPNs). Consult &man.ipsec.4; + for detailed information on the IPsec subsystem in &os;. - To add IPsec support to the kernel, add the following - options to the custom kernel configuration file: + To add IPsec support to the kernel, add the following + options to the custom kernel configuration file and rebuild + the kernel using the instructions in : kernel options 
@@ -2101,56 +2101,49 @@ device crypto IPSEC_DEBUG - If IPsec debugging support is desired, the following + If IPsec debugging support is desired, the following kernel option should also be added: options IPSEC_DEBUG #debug for IP security - - - - <acronym>VPN</acronym> Between a Home and Corporate - Network - - - VPN - creating - - There is no standard for what constitutes a - VPN. VPNs can be - implemented using a number of different technologies, each - of which has their own strengths and weaknesses. This - section presents the strategies used for implementing a - VPN for the following scenario: + This rest of this chapter demonstrates the process of + setting up an IPsec VPN + between a home network and a corporate + network. In the example scenario: - There are at least two sites where each site is using - IP internally. - - - Both sites are connected to the Internet through a gateway that is running &os;. - The gateway on each network has at least one public - IP address. + The gateway on each network has at least one external + IP address. In this example, the corporate LAN's + external IP address is 172.16.5.4 and the home + LAN's external IP + address is 192.168.1.12. The internal addresses of the two networks can be - either public or private IP addresses. However, the + either public or private IP addresses. However, the address space must not collide. For example, both networks cannot use 192.168.1.x. + class="ipaddress">192.168.1.x. In this + example, the corporate LAN's + internal IP address is 10.246.38.1 and the home + LAN's internal IP + address is 10.0.0.5. - + - Configuring IPsec on &os; + Configuring a <acronym>VPN</acronym> on &os; TomRhodes 
@@ -2173,36 +2166,21 @@ device crypto addresses of the internal and external interfaces of the two gateways: - &prompt.root; ifconfig gif0 create - - &prompt.root; ifconfig gif0 internal1 internal2 + &prompt.root; ifconfig gif0 create +&prompt.root; ifconfig gif0 internal1 internal2 +&prompt.root; ifconfig gif0 tunnel external1 external2 - &prompt.root; ifconfig gif0 tunnel external1 external2 + Verify the setup on each gateway, using + ifconfig. Here is the output from Gateway 1: - In this example, the corporate LAN's - external IP address is 172.16.5.4 and its internal - IP address is 10.246.38.1. The home - LAN's external IP - address is 192.168.1.12 and its - internal private IP address is - 10.0.0.5. - - If this is confusing, review the following example - output from &man.ifconfig.8;: - - Gateway 1: - -gif0: flags=8051 mtu 1280 + gif0: flags=8051 mtu 1280 tunnel inet 172.16.5.4 --> 192.168.1.12 inet6 fe80::2e0:81ff:fe02:5881%gif0 prefixlen 64 scopeid 0x6 -inet 10.246.38.1 --> 10.0.0.5 netmask 0xffffff00 +inet 10.246.38.1 --> 10.0.0.5 netmask 0xffffff00 -Gateway 2: + Here is the output from Gateway 2: -gif0: flags=8051 mtu 1280 + gif0: flags=8051 mtu 1280 tunnel inet 192.168.1.12 --> 172.16.5.4 inet 10.0.0.5 --> 10.246.38.1 netmask 0xffffff00 inet6 fe80::250:bfff:fe3a:c1f%gif0 prefixlen 64 scopeid 0x4 
@@ -2235,16 +2213,13 @@ round-trip min/avg/max/stddev = 28.106/9 receive ICMP packets from the privately configured addresses. Next, both gateways must be told how to route packets in order to correctly send traffic from - either network. The following command will achieve this + either network. The following commands will achieve this goal: - &prompt.root; corp-net# route add 10.0.0.0 10.0.0.5 255.255.255.0 - - &prompt.root; corp-net# route add net 10.0.0.0: gateway 10.0.0.5 - - &prompt.root; priv-net# route add 10.246.38.0 10.246.38.1 255.255.255.0 - - &prompt.root; priv-net# route add host 10.246.38.0: gateway 10.246.38.1 + &prompt.root; corp-net# route add 10.0.0.0 10.0.0.5 255.255.255.0 +&prompt.root; corp-net# route add net 10.0.0.0: gateway 10.0.0.5 +&prompt.root; priv-net# route add 10.246.38.0 10.246.38.1 255.255.255.0 +&prompt.root; priv-net# route add host 10.246.38.0: gateway 10.246.38.1 At this point, internal machines should be reachable from each gateway as well as from machines behind the @@ -2432,7 +2407,6 @@ pass out quick on gif0 from any to any -