From owner-svn-doc-all@FreeBSD.ORG Tue Apr 22 20:03:45 2014 Return-Path: Delivered-To: svn-doc-all@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id D732FC61; Tue, 22 Apr 2014 20:03:45 +0000 (UTC) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:1900:2254:2068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id B76D415CA; Tue, 22 Apr 2014 20:03:45 +0000 (UTC) Received: from svn.freebsd.org ([127.0.1.70]) by svn.freebsd.org (8.14.8/8.14.8) with ESMTP id s3MK3jMA007560; Tue, 22 Apr 2014 20:03:45 GMT (envelope-from dru@svn.freebsd.org) Received: (from dru@localhost) by svn.freebsd.org (8.14.8/8.14.8/Submit) id s3MK3jZx007559; Tue, 22 Apr 2014 20:03:45 GMT (envelope-from dru@svn.freebsd.org) Message-Id: <201404222003.s3MK3jZx007559@svn.freebsd.org> From: Dru Lavigne Date: Tue, 22 Apr 2014 20:03:45 +0000 (UTC) To: doc-committers@freebsd.org, svn-doc-all@freebsd.org, svn-doc-head@freebsd.org Subject: svn commit: r44631 - head/en_US.ISO8859-1/books/handbook/security X-SVN-Group: doc-head MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-doc-all@freebsd.org X-Mailman-Version: 2.1.17 Precedence: list List-Id: "SVN commit messages for the entire doc trees \(except for " user" , " projects" , and " translations" \)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 22 Apr 2014 20:03:46 -0000 Author: dru Date: Tue Apr 22 20:03:45 2014 New Revision: 44631 URL: http://svnweb.freebsd.org/changeset/doc/44631 Log: White space fix only. Translators can ignore. Sponsored by: iXsystems Modified: head/en_US.ISO8859-1/books/handbook/security/chapter.xml Modified: head/en_US.ISO8859-1/books/handbook/security/chapter.xml ============================================================================== --- head/en_US.ISO8859-1/books/handbook/security/chapter.xml Tue Apr 22 19:43:18 2014 (r44630) +++ head/en_US.ISO8859-1/books/handbook/security/chapter.xml Tue Apr 22 20:03:45 2014 (r44631) @@ -1993,7 +1993,8 @@ Connection closed by foreign host. - <acronym>VPN</acronym> over <acronym>IPsec</acronym> + <acronym>VPN</acronym> over + <acronym>IPsec</acronym> NikClayton @@ -2012,183 +2013,190 @@ Connection closed by foreign host.IPsec - Internet Protocol Security (IPsec) is a set of protocols which sit on - top of the Internet Protocol (IP) layer. - It allows two or more hosts to communicate in a secure manner - by authenticating and encrypting each IP packet of a communication session. - The &os; IPsec network stack is based on the - http://www.kame.net/ - implementation and supports both IPv4 and - IPv6 sessions. + Internet Protocol Security (IPsec) is a + set of protocols which sit on top of the Internet Protocol + (IP) layer. It allows two or more hosts to + communicate in a secure manner by authenticating and encrypting + each IP packet of a communication session. + The &os; IPsec network stack is based on the + http://www.kame.net/ + implementation and supports both IPv4 and + IPv6 sessions. - - IPsec - ESP - - - - IPsec - AH - - - IPsec is comprised of the following sub-protocols: + + IPsec + ESP + - - - Encapsulated Security Payload - (ESP): this protocol - protects the IP packet data from third party interference - by encrypting the contents using symmetric cryptography - algorithms such as Blowfish and 3DES. - + + IPsec + AH + - - Authentication Header - (AH)): this protocol - protects the IP packet header from third party - interference and spoofing by computing a cryptographic - checksum and hashing the IP packet header fields with a - secure hashing function. This is then followed by an - additional header that contains the hash, to allow the - information in the packet to be authenticated. - + IPsec is comprised of the following + sub-protocols: - - IP Payload Compression Protocol - (IPComp): this protocol - tries to increase communication performance by compressing - the IP payload in order ro reduce the - amount of data sent. - - + + + Encapsulated Security Payload + (ESP): this protocol protects + the IP packet data from third party + interference by encrypting the contents using symmetric + cryptography algorithms such as Blowfish and + 3DES. + + + + Authentication Header + (AH)): this protocol protects + the IP packet header from third party + interference and spoofing by computing a cryptographic + checksum and hashing the IP packet + header fields with a secure hashing function. This is then + followed by an additional header that contains the hash, to + allow the information in the packet to be + authenticated. + + + + IP Payload Compression Protocol + (IPComp): this protocol tries + to increase communication performance by compressing the + IP payload in order ro reduce the + amount of data sent. + + - These protocols can - either be used together or separately, depending on the - environment. + These protocols can either be used together or separately, + depending on the environment. - - VPN - + + VPN + - - virtual private network - VPN - + + virtual private network + VPN + - IPsec supports two modes of operation. - The first mode, Transport Mode, - protects communications between two hosts. The second mode, - Tunnel Mode, is used to build virtual tunnels, - commonly known as Virtual Private Networks - (VPNs). Consult &man.ipsec.4; - for detailed information on the IPsec subsystem in - &os;. - - To add IPsec support to the kernel, add the following - options to the custom kernel configuration file and rebuild - the kernel using the instructions in : + IPsec supports two modes of operation. + The first mode, Transport Mode, protects + communications between two hosts. The second mode, + Tunnel Mode, is used to build virtual + tunnels, commonly known as Virtual Private Networks + (VPNs). Consult &man.ipsec.4; for detailed + information on the IPsec subsystem in + &os;. + + To add IPsec support to the kernel, add + the following options to the custom kernel configuration file + and rebuild the kernel using the instructions in : - - kernel options - IPSEC - + + kernel options + IPSEC + - options IPSEC #IP security + options IPSEC #IP security device crypto - - kernel options - IPSEC_DEBUG - - - If IPsec debugging support is desired, the following - kernel option should also be added: + + kernel options + IPSEC_DEBUG + - options IPSEC_DEBUG #debug for IP security + If IPsec debugging support is desired, + the following kernel option should also be added: - This rest of this chapter demonstrates the process of - setting up an IPsec VPN - between a home network and a corporate - network. In the example scenario: + options IPSEC_DEBUG #debug for IP security - - - Both sites are connected to the Internet through a - gateway that is running &os;. - - - - The gateway on each network has at least one external - IP address. In this example, the corporate LAN's - external IP address is This rest of this chapter demonstrates the process of + setting up an IPsec VPN + between a home network and a corporate network. In the example + scenario: + + + + Both sites are connected to the Internet through a + gateway that is running &os;. + + + + The gateway on each network has at least one external + IP address. In this example, the + corporate LAN's external + IP address is 172.16.5.4 and the home LAN's external IP address is 192.168.1.12. - + - - The internal addresses of the two networks can be - either public or private IP addresses. However, the - address space must not collide. For example, both - networks cannot use 192.168.1.x. In this - example, the corporate LAN's - internal IP address is + The internal addresses of the two networks can be either + public or private IP addresses. However, + the address space must not collide. For example, both + networks cannot use 192.168.1.x. In this + example, the corporate LAN's internal + IP address is 10.246.38.1 and the home LAN's internal IP - address is 10.0.0.5. - - + address is 10.0.0.5. + + - - - Configuring a <acronym>VPN</acronym> on &os; + + + Configuring a <acronym>VPN</acronym> on &os; TomRhodes
trhodes@FreeBSD.org
Written by - + - To begin, security/ipsec-tools - must be installed from the Ports Collection. This software - provides a number of applications which support the - configuration. - - The next requirement is to create two &man.gif.4; - pseudo-devices which will be used to tunnel packets and - allow both networks to communicate properly. As root, run the following - commands, replacing internal and - external with the real IP - addresses of the internal and external interfaces of the two - gateways: + To begin, security/ipsec-tools must be + installed from the Ports Collection. This software provides a + number of applications which support the configuration. + + The next requirement is to create two &man.gif.4; + pseudo-devices which will be used to tunnel packets and allow + both networks to communicate properly. As root, run the following + commands, replacing internal and + external with the real IP + addresses of the internal and external interfaces of the two + gateways: - &prompt.root; ifconfig gif0 create + &prompt.root; ifconfig gif0 create &prompt.root; ifconfig gif0 internal1 internal2 &prompt.root; ifconfig gif0 tunnel external1 external2 - Verify the setup on each gateway, using - ifconfig. Here is the output from Gateway 1: + Verify the setup on each gateway, using + ifconfig. Here is the output from Gateway + 1: - gif0: flags=8051 mtu 1280 + gif0: flags=8051 mtu 1280 tunnel inet 172.16.5.4 --> 192.168.1.12 inet6 fe80::2e0:81ff:fe02:5881%gif0 prefixlen 64 scopeid 0x6 inet 10.246.38.1 --> 10.0.0.5 netmask 0xffffff00 - Here is the output from Gateway 2: + Here is the output from Gateway 2: - gif0: flags=8051 mtu 1280 + gif0: flags=8051 mtu 1280 tunnel inet 192.168.1.12 --> 172.16.5.4 inet 10.0.0.5 --> 10.246.38.1 netmask 0xffffff00 inet6 fe80::250:bfff:fe3a:c1f%gif0 prefixlen 64 scopeid 0x4 - Once complete, both internal IP - addresses should be reachable using &man.ping.8;: + Once complete, both internal IP + addresses should be reachable using &man.ping.8;: - priv-net# ping 10.0.0.5 + priv-net# ping 10.0.0.5 PING 10.0.0.5 (10.0.0.5): 56 data bytes 64 bytes from 10.0.0.5: icmp_seq=0 ttl=64 time=42.786 ms 64 bytes from 10.0.0.5: icmp_seq=1 ttl=64 time=19.255 ms @@ -2209,23 +2217,23 @@ PING 10.246.38.1 (10.246.38.1): 56 data 5 packets transmitted, 5 packets received, 0% packet loss round-trip min/avg/max/stddev = 28.106/94.594/154.524/49.814 ms - As expected, both sides have the ability to send and - receive ICMP packets from the privately - configured addresses. Next, both gateways must be told how - to route packets in order to correctly send traffic from - either network. The following commands will achieve this - goal: + As expected, both sides have the ability to send and + receive ICMP packets from the privately + configured addresses. Next, both gateways must be told how to + route packets in order to correctly send traffic from either + network. The following commands will achieve this + goal: - &prompt.root; corp-net# route add 10.0.0.0 10.0.0.5 255.255.255.0 + &prompt.root; corp-net# route add 10.0.0.0 10.0.0.5 255.255.255.0 &prompt.root; corp-net# route add net 10.0.0.0: gateway 10.0.0.5 &prompt.root; priv-net# route add 10.246.38.0 10.246.38.1 255.255.255.0 &prompt.root; priv-net# route add host 10.246.38.0: gateway 10.246.38.1 - At this point, internal machines should be reachable - from each gateway as well as from machines behind the - gateways. Again, use &man.ping.8; to confirm: + At this point, internal machines should be reachable from + each gateway as well as from machines behind the gateways. + Again, use &man.ping.8; to confirm: - corp-net# ping 10.0.0.8 + corp-net# ping 10.0.0.8 PING 10.0.0.8 (10.0.0.8): 56 data bytes 64 bytes from 10.0.0.8: icmp_seq=0 ttl=63 time=92.391 ms 64 bytes from 10.0.0.8: icmp_seq=1 ttl=63 time=21.870 ms @@ -2247,15 +2255,15 @@ PING 10.246.38.1 (10.246.38.107): 56 dat 5 packets transmitted, 5 packets received, 0% packet loss round-trip min/avg/max/stddev = 21.145/31.721/53.491/12.179 ms - Setting up the tunnels is the easy part. Configuring a - secure link is a more in depth process. The following - configuration uses pre-shared (PSK) - RSA keys. Other than the - IP addresses, the - /usr/local/etc/racoon/racoon.conf on - both gateways will be identical and look similar to: + Setting up the tunnels is the easy part. Configuring a + secure link is a more in depth process. The following + configuration uses pre-shared (PSK) + RSA keys. Other than the + IP addresses, the + /usr/local/etc/racoon/racoon.conf on both + gateways will be identical and look similar to: - path pre_shared_key "/usr/local/etc/racoon/psk.txt"; #location of pre-shared key file + path pre_shared_key "/usr/local/etc/racoon/psk.txt"; #location of pre-shared key file log debug; #log verbosity setting: set to 'notify' when testing and debugging is complete padding # options are not to be changed @@ -2313,33 +2321,33 @@ sainfo (address 10.246.38.0/24 any addr compression_algorithm deflate; } - For descriptions of each available option, refer to the - manual page for racoon.conf. + For descriptions of each available option, refer to the + manual page for racoon.conf. - The Security Policy Database (SPD) - needs to be configured so that &os; and - racoon are able to encrypt and - decrypt network traffic between the hosts. - - This can be achieved with a shell script, similar to the - following, on the corporate gateway. This file will be used - during system initialization and should be saved as - /usr/local/etc/racoon/setkey.conf. + The Security Policy Database (SPD) + needs to be configured so that &os; and + racoon are able to encrypt and + decrypt network traffic between the hosts. + + This can be achieved with a shell script, similar to the + following, on the corporate gateway. This file will be used + during system initialization and should be saved as + /usr/local/etc/racoon/setkey.conf. - flush; + flush; spdflush; # To the home network spdadd 10.246.38.0/24 10.0.0.0/24 any -P out ipsec esp/tunnel/172.16.5.4-192.168.1.12/use; spdadd 10.0.0.0/24 10.246.38.0/24 any -P in ipsec esp/tunnel/192.168.1.12-172.16.5.4/use; - Once in place, racoon may be - started on both gateways using the following command: + Once in place, racoon may be + started on both gateways using the following command: - &prompt.root; /usr/local/sbin/racoon -F -f /usr/local/etc/racoon/racoon.conf -l /var/log/racoon.log + &prompt.root; /usr/local/sbin/racoon -F -f /usr/local/etc/racoon/racoon.conf -l /var/log/racoon.log - The output should be similar to the following: + The output should be similar to the following: - corp-net# /usr/local/sbin/racoon -F -f /usr/local/etc/racoon/racoon.conf + corp-net# /usr/local/sbin/racoon -F -f /usr/local/etc/racoon/racoon.conf Foreground mode. 2006-01-30 01:35:47: INFO: begin Identity Protection mode. 2006-01-30 01:35:48: INFO: received Vendor ID: KAME/racoon @@ -2352,43 +2360,43 @@ Foreground mode. 2006-01-30 01:36:18: INFO: IPsec-SA established: ESP/Tunnel 192.168.1.12[0]->172.16.5.4[0] spi=124397467(0x76a279b) 2006-01-30 01:36:18: INFO: IPsec-SA established: ESP/Tunnel 172.16.5.4[0]->192.168.1.12[0] spi=175852902(0xa7b4d66) - To ensure the tunnel is working properly, switch to - another console and use &man.tcpdump.1; to view network - traffic using the following command. Replace - em0 with the network interface card as - required: - - &prompt.root; tcpdump -i em0 host 172.16.5.4 and dst 192.168.1.12 - - Data similar to the following should appear on the - console. If not, there is an issue and debugging the - returned data will be required. + To ensure the tunnel is working properly, switch to + another console and use &man.tcpdump.1; to view network + traffic using the following command. Replace + em0 with the network interface card as + required: + + &prompt.root; tcpdump -i em0 host 172.16.5.4 and dst 192.168.1.12 + + Data similar to the following should appear on the + console. If not, there is an issue and debugging the + returned data will be required. - 01:47:32.021683 IP corporatenetwork.com > 192.168.1.12.privatenetwork.com: ESP(spi=0x02acbf9f,seq=0xa) + 01:47:32.021683 IP corporatenetwork.com > 192.168.1.12.privatenetwork.com: ESP(spi=0x02acbf9f,seq=0xa) 01:47:33.022442 IP corporatenetwork.com > 192.168.1.12.privatenetwork.com: ESP(spi=0x02acbf9f,seq=0xb) 01:47:34.024218 IP corporatenetwork.com > 192.168.1.12.privatenetwork.com: ESP(spi=0x02acbf9f,seq=0xc) - At this point, both networks should be available and - seem to be part of the same network. Most likely both - networks are protected by a firewall. To allow traffic to - flow between them, rules need to be added to pass packets. - For the &man.ipfw.8; firewall, add the following lines to - the firewall configuration file: + At this point, both networks should be available and seem + to be part of the same network. Most likely both networks are + protected by a firewall. To allow traffic to flow between + them, rules need to be added to pass packets. For the + &man.ipfw.8; firewall, add the following lines to the firewall + configuration file: - ipfw add 00201 allow log esp from any to any + ipfw add 00201 allow log esp from any to any ipfw add 00202 allow log ah from any to any ipfw add 00203 allow log ipencap from any to any ipfw add 00204 allow log udp from any 500 to any - - The rule numbers may need to be altered depending on - the current host configuration. - + + The rule numbers may need to be altered depending on the + current host configuration. + - For users of &man.pf.4; or &man.ipf.8;, the following - rules should do the trick: + For users of &man.pf.4; or &man.ipf.8;, the following + rules should do the trick: - pass in quick proto esp from any to any + pass in quick proto esp from any to any pass in quick proto ah from any to any pass in quick proto ipencap from any to any pass in quick proto udp from any port = 500 to any port = 500 @@ -2399,11 +2407,11 @@ pass out quick proto ipencap from any to pass out quick proto udp from any port = 500 to any port = 500 pass out quick on gif0 from any to any - Finally, to allow the machine to start support for the - VPN during system initialization, add the - following lines to /etc/rc.conf: + Finally, to allow the machine to start support for the + VPN during system initialization, add the + following lines to /etc/rc.conf: - ipsec_enable="YES" + ipsec_enable="YES" ipsec_program="/usr/local/sbin/setkey" ipsec_file="/usr/local/etc/racoon/setkey.conf" # allows setting up spd policies on boot racoon_enable="yes"