svn commit: r44630 - head/en_US.ISO8859-1/books/handbook/security
Dru Lavigne
dru at FreeBSD.org
Tue Apr 22 19:43:19 UTC 2014
Author: dru
Date: Tue Apr 22 19:43:18 2014
New Revision: 44630
URL: http://svnweb.freebsd.org/changeset/doc/44630
Log:
Prep work for IPsec chapter.
Add additional definitions to intro. Still need to define SA and SAD.
Still need to set up test environment to verify tech setup.
This section does not yet mention setkey.
More commits to come.
Sponsored by: iXsystems
Modified:
head/en_US.ISO8859-1/books/handbook/security/chapter.xml
Modified: head/en_US.ISO8859-1/books/handbook/security/chapter.xml
==============================================================================
--- head/en_US.ISO8859-1/books/handbook/security/chapter.xml Tue Apr 22 17:52:05 2014 (r44629)
+++ head/en_US.ISO8859-1/books/handbook/security/chapter.xml Tue Apr 22 19:43:18 2014 (r44630)
@@ -61,7 +61,7 @@
</listitem>
<listitem>
- <para>How to configure IPsec and create a
+ <para>How to configure <acronym>IPsec</acronym> and create a
<acronym>VPN</acronym>.</para>
</listitem>
@@ -1993,23 +1993,13 @@ Connection closed by foreign host.</scre
<sect1 xml:id="ipsec">
<info>
- <title><acronym>VPN</acronym> over IPsec</title>
+ <title><acronym>VPN</acronym> over <acronym>IPsec</acronym></title>
<authorgroup>
<author><personname><firstname>Nik</firstname><surname>Clayton</surname></personname><affiliation>
<address><email>nik at FreeBSD.org</email></address>
</affiliation><contrib>Written by </contrib></author>
</authorgroup>
- </info>
-
- <indexterm>
- <primary>IPsec</primary>
- </indexterm>
-
- <sect2>
- <info>
- <title>Understanding IPsec</title>
-
<authorgroup>
<author><personname><firstname>Hiten
M.</firstname><surname>Pandya</surname></personname><affiliation>
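Review bot: removing the `</info>` closer and the second `<info>` opener folds the Hiten Pandya `<authorgroup>` into the sect1-level `<info>` alongside Nik Clayton's, so a `<contrib>` that previously described a contribution to the "Understanding IPsec" subsection now attributes to the whole `VPN over IPsec` section; that `<contrib>` text is outside this hunk's context, so it is worth confirming it still reads correctly at section level. Also consider keeping a `<primary>IPsec</primary>` `<indexterm>` near the section opening, since the one removed here is only reintroduced lower down in the text.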
@@ -2018,57 +2008,66 @@ Connection closed by foreign host.</scre
</authorgroup>
</info>
- <para>This section demonstrates the process of setting up IPsec.
- It assumes familiarity with the concepts of building a custom
- kernel (see <xref linkend="kernelconfig"/>).</para>
+ <indexterm>
+ <primary><acronym>IPsec</acronym></primary>
+ </indexterm>
- <para><emphasis>IPsec</emphasis> is a protocol which sits on
+ <para>Internet Protocol Security (<acronym>IPsec</acronym>) is a set of protocols which sit on
top of the Internet Protocol (<acronym>IP</acronym>) layer.
- It allows two or more hosts to communicate in a secure manner.
- The &os; IPsec <quote>network stack</quote> is based on the
- <link xlink:href="http://www.kame.net/">KAME</link>
- implementation, which has support for both IPv4 and
- IPv6.</para>
+ It allows two or more hosts to communicate in a secure manner
+ by authenticating and encrypting each <acronym>IP</acronym> packet of a communication session.
+ The &os; <acronym>IPsec</acronym> network stack is based on the
+ <link xlink:href="http://www.kame.net/">http://www.kame.net/</link>
+ implementation and supports both <acronym>IPv4</acronym> and
+ <acronym>IPv6</acronym> sessions.</para>
<indexterm>
- <primary>IPsec</primary>
+ <primary><acronym>IPsec</acronym></primary>
<secondary>ESP</secondary>
</indexterm>
<indexterm>
- <primary>IPsec</primary>
+ <primary><acronym>IPsec</acronym></primary>
<secondary>AH</secondary>
</indexterm>
- <para>IPsec consists of two sub-protocols:</para>
+ <para><acronym>IPsec</acronym> is comprised of the following sub-protocols:</para>
<itemizedlist>
<listitem>
<para><emphasis>Encapsulated Security Payload
- <acronym>ESP</acronym>)</emphasis>: this protocol
- protects the IP packet data from third party interference
+ (<acronym>ESP</acronym>)</emphasis>: this protocol
+ protects the <acronym>IP</acronym> packet data from third party interference
by encrypting the contents using symmetric cryptography
- algorithms such as Blowfish and 3DES.</para>
+ algorithms such as Blowfish and <acronym>3DES</acronym>.</para>
</listitem>
<listitem>
<para><emphasis>Authentication Header
- (<acronym>AH</acronym>)</emphasis>: this protocol
- protects the IP packet header from third party
+ (<acronym>AH</acronym>)</emphasis>): this protocol
+ protects the <acronym>IP</acronym> packet header from third party
interference and spoofing by computing a cryptographic
- checksum and hashing the IP packet header fields with a
+ checksum and hashing the <acronym>IP </acronym> packet header fields with a
secure hashing function. This is then followed by an
additional header that contains the hash, to allow the
information in the packet to be authenticated.</para>
</listitem>
+
+ <listitem>
+ <para><emphasis>IP Payload Compression Protocol
+ (<acronym>IPComp</acronym></emphasis>): this protocol
+ tries to increase communication performance by compressing
+ the <acronym>IP </acronym> payload in order ro reduce the
+ amount of data sent.</para>
+ </listitem>
</itemizedlist>
- <para><acronym>ESP</acronym> and <acronym>AH</acronym> can
+ <para>These protocols can
either be used together or separately, depending on the
environment.</para>
<indexterm>
- <primary>VPN</primary>
+ <primary><acronym>VPN</acronym></primary>
</indexterm>
<indexterm>
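Review bot: the AH item has an extra closing parenthesis: `(<acronym>AH</acronym>)</emphasis>):` renders as "(AH)):", and the new IPComp item places its `)` outside `</emphasis>` (`(<acronym>IPComp</acronym></emphasis>):`), which is inconsistent with the ESP item; both should end `)</emphasis>:`. Two smaller points in the same hunk: `<acronym>IP </acronym>` in the AH and IPComp items carries a trailing space inside the acronym (use `<acronym>IP</acronym> payload`), and "in order ro reduce" in the IPComp item should read "in order to reduce". Finally, the link text was changed from "KAME" to the literal URL; keeping the project name as the link text (`<link xlink:href="http://www.kame.net/">KAME</link>`) tells the reader which implementation the stack is based on.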
@@ -2076,17 +2075,18 @@ Connection closed by foreign host.</scre
<see>VPN</see>
</indexterm>
- <para>IPsec can either be used to directly encrypt the traffic
- between two hosts using <emphasis>Transport Mode</emphasis> or
- to build <quote>virtual tunnels</quote> using
- <emphasis>Tunnel Mode</emphasis>. The latter mode is more
- commonly known as a <emphasis>Virtual Private Network
- (<acronym>VPN</acronym>)</emphasis>. Consult &man.ipsec.4;
- for detailed information on the IPsec subsystem in
+ <para><acronym>IPsec</acronym> supports two modes of operation.
+ The first mode, <firstterm>Transport Mode</firstterm>,
+ protects communications between two hosts. The second mode,
+ <firstterm>Tunnel Mode</firstterm>, is used to build virtual tunnels,
+ commonly known as Virtual Private Networks
+ (<acronym>VPN</acronym>s). Consult &man.ipsec.4;
+ for detailed information on the <acronym>IPsec</acronym> subsystem in
&os;.</para>
- <para>To add IPsec support to the kernel, add the following
- options to the custom kernel configuration file:</para>
+ <para>To add <acronym>IPsec</acronym> support to the kernel, add the following
+ options to the custom kernel configuration file and rebuild
+ the kernel using the instructions in <xref linkend="kernelconfig"/>:</para>
<indexterm>
<primary>kernel options</primary>
@@ -2101,56 +2101,49 @@ device crypto</screen>
<secondary>IPSEC_DEBUG</secondary>
</indexterm>
- <para>If IPsec debugging support is desired, the following
+ <para>If <acronym>IPsec</acronym> debugging support is desired, the following
kernel option should also be added:</para>
<screen>options IPSEC_DEBUG #debug for IP security</screen>
- </sect2>
-
- <sect2>
- <title><acronym>VPN</acronym> Between a Home and Corporate
- Network</title>
-
- <indexterm>
- <primary>VPN</primary>
- <secondary>creating</secondary>
- </indexterm>
- <para>There is no standard for what constitutes a
- <acronym>VPN</acronym>. <acronym>VPN</acronym>s can be
- implemented using a number of different technologies, each
- of which has their own strengths and weaknesses. This
- section presents the strategies used for implementing a
- <acronym>VPN</acronym> for the following scenario:</para>
+ <para>This rest of this chapter demonstrates the process of
+ setting up an <acronym>IPsec</acronym> <acronym>VPN</acronym>
+ between a home network and a corporate
+ network. In the example scenario:</para>
<itemizedlist>
<listitem>
- <para>There are at least two sites where each site is using
- IP internally.</para>
- </listitem>
-
- <listitem>
<para>Both sites are connected to the Internet through a
gateway that is running &os;.</para>
</listitem>
<listitem>
- <para>The gateway on each network has at least one public
- IP address.</para>
+ <para>The gateway on each network has at least one external
+ <acronym>IP</acronym> address. In this example, the corporate <acronym>LAN</acronym>'s
+ external <acronym>IP</acronym> address is <systemitem
+ class="ipaddress">172.16.5.4</systemitem> and the home
+ <acronym>LAN</acronym>'s external <acronym>IP</acronym>
+ address is <systemitem
+ class="ipaddress">192.168.1.12</systemitem>.</para>
</listitem>
<listitem>
<para>The internal addresses of the two networks can be
- either public or private IP addresses. However, the
+ either public or private <acronym>IP</acronym> addresses. However, the
address space must not collide. For example, both
networks cannot use <systemitem
- class="ipaddress">192.168.1.x</systemitem>.</para>
+ class="ipaddress">192.168.1.x</systemitem>. In this
+ example, the corporate <acronym>LAN</acronym>'s
+ internal <acronym>IP</acronym> address is <systemitem
+ class="ipaddress">10.246.38.1</systemitem> and the home
+ <acronym>LAN</acronym>'s internal <acronym>IP</acronym>
+ address is <systemitem class="ipaddress">10.0.0.5</systemitem>.</para>
</listitem>
</itemizedlist>
- <sect3>
+ <sect2>
<info>
- <title>Configuring IPsec on &os;</title>
+ <title>Configuring a <acronym>VPN</acronym> on &os;</title>
<authorgroup>
<author><personname><firstname>Tom</firstname><surname>Rhodes</surname></personname><affiliation>
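Review bot: "This rest of this chapter demonstrates" should read "The rest of this chapter demonstrates" (and "section" may be more accurate than "chapter", since this is a sect1 inside the security chapter). The `<indexterm>` with `<primary>VPN</primary>` / `<secondary>creating</secondary>` is dropped along with the old sect2 wrapper but the VPN-creation content remains; consider keeping that index entry next to the new introductory paragraph so the index still points readers here.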
@@ -2173,36 +2166,21 @@ device crypto</screen>
addresses of the internal and external interfaces of the two
gateways:</para>
- <screen>&prompt.root; <userinput>ifconfig gif0 create</userinput></screen>
-
- <screen>&prompt.root; <userinput>ifconfig gif0 <replaceable>internal1 internal2</replaceable></userinput></screen>
+ <screen>&prompt.root; <userinput>ifconfig gif0 create</userinput>
+&prompt.root; <userinput>ifconfig gif0 <replaceable>internal1 internal2</replaceable></userinput>
+&prompt.root; <userinput>ifconfig gif0 tunnel <replaceable>external1 external2</replaceable></userinput></screen>
- <screen>&prompt.root; <userinput>ifconfig gif0 tunnel <replaceable>external1 external2</replaceable></userinput></screen>
+ <para>Verify the setup on each gateway, using
+ <command>ifconfig</command>. Here is the output from Gateway 1:</para>
- <para>In this example, the corporate <acronym>LAN</acronym>'s
- external <acronym>IP</acronym> address is <systemitem
- class="ipaddress">172.16.5.4</systemitem> and its internal
- <acronym>IP</acronym> address is <systemitem
- class="ipaddress">10.246.38.1</systemitem>. The home
- <acronym>LAN</acronym>'s external <acronym>IP</acronym>
- address is <systemitem
- class="ipaddress">192.168.1.12</systemitem> and its
- internal private <acronym>IP</acronym> address is
- <systemitem class="ipaddress">10.0.0.5</systemitem>.</para>
-
- <para>If this is confusing, review the following example
- output from &man.ifconfig.8;:</para>
-
- <programlisting>Gateway 1:
-
-gif0: flags=8051 mtu 1280
+ <programlisting>gif0: flags=8051 mtu 1280
tunnel inet 172.16.5.4 --> 192.168.1.12
inet6 fe80::2e0:81ff:fe02:5881%gif0 prefixlen 64 scopeid 0x6
-inet 10.246.38.1 --> 10.0.0.5 netmask 0xffffff00
+inet 10.246.38.1 --> 10.0.0.5 netmask 0xffffff00</programlisting>
-Gateway 2:
+ <para>Here is the output from Gateway 2:</para>
-gif0: flags=8051 mtu 1280
+ <programlisting>gif0: flags=8051 mtu 1280
tunnel inet 192.168.1.12 --> 172.16.5.4
inet 10.0.0.5 --> 10.246.38.1 netmask 0xffffff00
inet6 fe80::250:bfff:fe3a:c1f%gif0 prefixlen 64 scopeid 0x4</programlisting>
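Review bot: "Gateway 1" and "Gateway 2" are not tied back to the corporate/home naming used in the scenario list, so readers have to match the tunnel addresses themselves; since the first listing shows `tunnel inet 172.16.5.4 --> 192.168.1.12`, wording such as "Here is the output from Gateway 1, the corporate gateway:" and "Here is the output from Gateway 2, the home gateway:" makes the two `programlisting` blocks self-explanatory.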
@@ -2235,16 +2213,13 @@ round-trip min/avg/max/stddev = 28.106/9
receive <acronym>ICMP</acronym> packets from the privately
configured addresses. Next, both gateways must be told how
to route packets in order to correctly send traffic from
- either network. The following command will achieve this
+ either network. The following commands will achieve this
goal:</para>
- <screen>&prompt.root; <userinput>corp-net# route add <replaceable>10.0.0.0 10.0.0.5 255.255.255.0</replaceable></userinput></screen>
-
- <screen>&prompt.root; <userinput>corp-net# route add net <replaceable>10.0.0.0: gateway 10.0.0.5</replaceable></userinput></screen>
-
- <screen>&prompt.root; <userinput>priv-net# route add <replaceable>10.246.38.0 10.246.38.1 255.255.255.0</replaceable></userinput></screen>
-
- <screen>&prompt.root; <userinput>priv-net# route add host <replaceable>10.246.38.0: gateway 10.246.38.1</replaceable></userinput></screen>
+ <screen>&prompt.root; <userinput>corp-net# route add <replaceable>10.0.0.0 10.0.0.5 255.255.255.0</replaceable></userinput>
+&prompt.root; <userinput>corp-net# route add net <replaceable>10.0.0.0: gateway 10.0.0.5</replaceable></userinput>
+&prompt.root; <userinput>priv-net# route add <replaceable>10.246.38.0 10.246.38.1 255.255.255.0</replaceable></userinput>
+&prompt.root; <userinput>priv-net# route add host <replaceable>10.246.38.0: gateway 10.246.38.1</replaceable></userinput></screen>
<para>At this point, internal machines should be reachable
from each gateway as well as from machines behind the
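Review bot: the merged `<screen>` keeps two problems from the original. Each line combines `&prompt.root;` with a literal `corp-net#` or `priv-net#`, which renders as a doubled prompt ("# corp-net# route ..."); use `&prompt.root;` alone and say in the preceding paragraph which gateway each command runs on. More importantly, the second and fourth lines (`route add net 10.0.0.0: gateway 10.0.0.5` and `route add host 10.246.38.0: gateway 10.246.38.1`) have the shape of route(8)'s confirmation output for the commands immediately above them rather than commands to type, and the "host" on the last one does not match the /24 network route it follows; they should be shown as output, not as `<userinput>`, or dropped so the listing contains only the two `route add` commands.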
@@ -2432,7 +2407,6 @@ pass out quick on gif0 from any to any</
ipsec_program="/usr/local/sbin/setkey"
ipsec_file="/usr/local/etc/racoon/setkey.conf" # allows setting up spd policies on boot
racoon_enable="yes"</programlisting>
- </sect3>
</sect2>
</sect1>