as well as installing a userland program, racoon, to handle the IKE
negotiations.
Compile a custom kernel with IPsec support:
    options IPSEC          #IP security
    options IPSEC_ESP      #IP security (crypto; define w/ IPSEC)
    options IPSEC_DEBUG    #debug for IP security
Build and install the kernel. Reboot to verify it works.
racoon can be installed using the network section of the ports tree or can be
downloaded from ftp://ftp.kame.net/pub/kame/misc/. Install racoon per the
instructions provided with the distribution at http://www.kame.net/, and in
particular http://www.kame.net/newsletter/20001119/.
14.2.3 FreeBSD IPsec Client Configuration
On the station, first you should configure racoon. You will need to modify
this example racoon.conf to suit your needs:
    path include "/usr/local/etc/racoon";
    path pre_shared_key "/usr/local/etc/racoon/psk.txt";

    remote anonymous
    {
        exchange_mode aggressive,main;
        my_identifier user_fqdn "user1@domain.com";
        lifetime time 1 hour;
        initial_contact on;
        proposal {
            encryption_algorithm 3des;
            hash_algorithm sha1;
            authentication_method pre_shared_key;
            dh_group 2;
        }
    }

    sainfo anonymous
    {
        pfs_group 1;
        lifetime time 30 min;
        encryption_algorithm 3des;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
    }
Two things about this configuration are worth knowing before you copy it. A
user_fqdn identity combined with a pre-shared key only works in aggressive
mode: in main mode the responder has to select the key by the peer's IP
address before it can decrypt the identity payload. Aggressive mode, in turn,
sends the identity in the clear and exposes a hash derived from the pre-shared
key to anyone sniffing the exchange, so the secret in psk.txt must be long and
random rather than a dictionary word. The 3des/sha1/dh_group 2/pfs_group 1
choices reflect what was common when this was written; current racoon also
accepts aes and dh_group 14, which should be preferred where the peer supports
them.
In your firewall configuration, be sure you allow IKE (UDP port 500) and ESP
(IP protocol 50) to and from your machine. racoon needs to be configured to
start at boot time. Save the following script in /usr/local/etc/rc.d/racoon.sh:
    #!/bin/sh
    # This script will start racoon in FreeBSD
    case "$1" in
    start)
        # start racoon
        echo -n 'starting racoon'
        /usr/local/sbin/racoon
        ;;
    stop)
        # stop racoon
        echo 'stopping racoon'
        killall racoon
        ;;
    *)
        # Standard usage statement
        echo "Usage: `basename $0` {start|stop}" >&2
        ;;
    esac
    exit 0
Make sure the file is executable by performing
chmod 755 /usr/local/etc/rc.d/racoon.sh
The /usr/local/etc/racoon/psk.txt file contains your credentials. This file
must be owned by root and readable only by root (chmod 600). If the
permissions are not set correctly, racoon refuses to use the file and will
not function. For a shared-secret IPsec connection, each line of the file
contains an identification (in this case your email address) and the secret,
separated by whitespace. For instance, you can set up a psk.txt as the
following:
    user1@domain.com supersecret
Finally, you must set up the security policy. This is done using the setkey
utility to add entries to the kernel SPD. Create the following client.spd that
can be loaded by setkey. For this setup, the station IP is 192.168.0.104
and the gateway is 192.168.0.1:
    spdadd 192.168.0.104/32 0.0.0.0/0 any -P out ipsec
        esp/tunnel/192.168.0.104-192.168.0.1/require;
    spdadd 0.0.0.0/0 192.168.0.104/32 any -P in ipsec
        esp/tunnel/192.168.0.1-192.168.0.104/require;
The first entry creates a security policy that requires all traffic leaving
the station to be sent through an ESP tunnel to the VPN gateway. The second
entry requires all traffic arriving at the station to have come through the
tunnel from the gateway; because both policies say require, packets that do
not match are dropped rather than passed in the clear. Note that in this
configuration the client is unable to talk to any hosts on the local subnet
besides the VPN gateway. In a wireless network where the client is a prime
target for attack, this is probably a good thing for your workstation.
Load the SPD by running:
setkey -f client.spd
14.2.4 FreeBSD IPsec Gateway Configuration
For the gateway, racoon.conf is the same as the client side. This allows any
client to connect. The psk.txt file must contain all the identification and
shared secrets of all clients who may connect. For instance:
user1@domain.com supersecret
user2@domain.com evenmoresecret
user3@domain.com notsosecret
Again, make sure psk.txt is readable only by root. Start racoon and make
sure there are no errors. Finally, create a gateway.spd that creates SPD for
each client. Assume your clients are at 192.168.0.10[4-6]:
    spdadd 0.0.0.0/0 192.168.0.104/32 any -P out ipsec
        esp/tunnel/192.168.0.1-192.168.0.104/require;
    spdadd 192.168.0.104/32 0.0.0.0/0 any -P in ipsec
        esp/tunnel/192.168.0.104-192.168.0.1/require;
    spdadd 0.0.0.0/0 192.168.0.105/32 any -P out ipsec
        esp/tunnel/192.168.0.1-192.168.0.105/require;
    spdadd 192.168.0.105/32 0.0.0.0/0 any -P in ipsec
        esp/tunnel/192.168.0.105-192.168.0.1/require;
    spdadd 0.0.0.0/0 192.168.0.106/32 any -P out ipsec
        esp/tunnel/192.168.0.1-192.168.0.106/require;
    spdadd 192.168.0.106/32 0.0.0.0/0 any -P in ipsec
        esp/tunnel/192.168.0.106-192.168.0.1/require;
Each client gets one pair of entries, and the direction must match the tunnel:
traffic to a client is an outbound (-P out) policy in a gateway-to-client
tunnel, traffic from a client is an inbound (-P in) policy in a
client-to-gateway tunnel. Crossing the two is the usual reason one direction
of the VPN silently stops working.
Load the SPD by issuing setkey -f gateway.spd. Verify the SPD entries using
the spddump command in setkey (setkey -DP); once a client has negotiated,
setkey -D shows the resulting security associations. At this point, you
should be able to ping a wireless client from the gateway. It may take a
packet or two for the VPN negotiation to complete, but the connection should
be solid after that. If you are unable to ping, examine your syslog output
for errors and warnings.
The SPD entries are stored in the kernel. If you have to restart racoon due to
a configuration change, the SPD entries will still be loaded. The SPD entries
are completely controlled via the setkey command: to remove them, flush the
SPD with setkey -FP (setkey -F flushes the negotiated SAs), or use spddelete
entries in a file passed to setkey -f.
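The following POSIX shell script is an added example and is not from the book,
nor part of racoon or setkey. It generates the station-side and gateway-side
SPD files shown in the two sections above for any number of clients, with the
in/out directions fixed by construction, and it mirrors racoon's refusal to use
a psk.txt that is group- or world-readable while also rejecting malformed or
duplicate identity lines. The addresses are the book's (gateway 192.168.0.1,
stations 192.168.0.10[4-6]); the function names are the author's own.

```shell
#!/bin/sh
# Added example: build setkey(8) SPD files for the station and the gateway,
# and sanity-check psk.txt before racoon is started. The function names are
# this example's own, not part of racoon or setkey.

# station_spd GATEWAY STATION
# The two policies a station needs: everything it sends must leave in an
# ESP tunnel to the gateway, everything it receives must have arrived in an
# ESP tunnel from the gateway. "require" means non-matching packets are dropped.
station_spd() {
    gw=$1; st=$2
    printf 'spdadd %s/32 0.0.0.0/0 any -P out ipsec\n    esp/tunnel/%s-%s/require;\n' "$st" "$st" "$gw"
    printf 'spdadd 0.0.0.0/0 %s/32 any -P in ipsec\n    esp/tunnel/%s-%s/require;\n' "$st" "$gw" "$st"
}

# gateway_spd GATEWAY CLIENT [CLIENT...]
# The mirror image, one pair per client: traffic *to* a client leaves the
# gateway (-P out) in a gateway->client tunnel, traffic *from* a client
# arrives (-P in) in a client->gateway tunnel.
gateway_spd() {
    gw=$1; shift
    for c in "$@"; do
        printf 'spdadd 0.0.0.0/0 %s/32 any -P out ipsec\n    esp/tunnel/%s-%s/require;\n' "$c" "$gw" "$c"
        printf 'spdadd %s/32 0.0.0.0/0 any -P in ipsec\n    esp/tunnel/%s-%s/require;\n' "$c" "$c" "$gw"
    done
}

# check_psk FILE
# racoon refuses a psk.txt readable by group or world. This mirrors that
# check (mode bits read from ls -l, so it works on BSD and GNU userland) and
# also rejects lines without an "identity secret" pair and duplicate
# identities, so a typo cannot silently lock a client out. Returns 0 if OK.
check_psk() {
    f=$1
    [ -f "$f" ] || { echo "check_psk: $f: no such file" >&2; return 1; }
    set -- $(ls -ld "$f")
    case "$1" in
        ????------*) ;;   # group and other permission bits all clear
        *) echo "check_psk: $f: mode $1 is not 0600, racoon will refuse it" >&2; return 1 ;;
    esac
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # comments and blank lines
        NF < 2     { printf "line %d: expected \"identity secret\"\n", NR > "/dev/stderr"; bad = 1 }
        seen[$1]++ { printf "line %d: duplicate identity %s\n", NR, $1 > "/dev/stderr"; bad = 1 }
        END { exit bad }
    ' "$f"
}

# Usage: redirect the output to client.spd on the station and gateway.spd on
# the gateway, then load each with setkey -f and run check_psk on psk.txt
# before starting racoon.
station_spd 192.168.0.1 192.168.0.104
gateway_spd 192.168.0.1 192.168.0.104 192.168.0.105 192.168.0.106
```

The generated output for station 192.168.0.104 is exactly the client.spd shown
earlier, and the gateway output is the corrected six-entry gateway.spd; keep
the list of clients in one place and regenerate rather than hand-editing the
direction of each entry.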
14.2.5 Linux IPsec Implementation
The most popular way of configuring IPsec connections under Linux is
using the FreeS/WAN package. FreeS/WAN is made up of two components
similar to the FreeBSD implementation. KerneL IP Security (KLIPS) is the
kernel level code that actually encrypts and decrypts the data as well as
managing the SPD. pluto is a userland daemon that controls IKE negotiation.
Unlike FreeBSD, both the kernel-level code and userland tools come from
outside the core kernel distribution.
The FreeS/WAN build process will build a new kernel and the required
management utilities. Download the latest FreeS/WAN source from
http://www.freeswan.org/ and untar the source tree in /usr/src. The
documentation that comes with FreeS/WAN is very extensive and can help
you tailor the installation to suit your needs. The kernel component can be
installed as either a kernel loadable module or statically compiled directly
into your kernel. In order to compile FreeS/WAN, you must have your
kernel source installed on your machine. During the compilation process, the
kernel configuration utility will launch. This is normal. Compile
FreeS/WAN using your kernel configuration method of choice (such as the
menu-based or X11-based options). Once the compilation is complete,
install the kernel and userland tools per the FreeS/WAN documentation
(typically a make install will suffice).
FreeS/WAN configuration is controlled by two configuration files:
/etc/ipsec.conf and /etc/ipsec.secrets. The examples given in this section are
very limited in scope to a wireless network. The man pages for both files are
quite informative and useful for more complicated connection requirements.
An excellent resource for more information is the book Building Linux
Virtual Private Networks, by Oleg Kolesnikov and Brian Hatch.
14.2.6 Linux IPsec Client Configuration