authorMarkus Friedl <markus@cvs.openbsd.org>2003-07-10 07:54:04 +0000
committerMarkus Friedl <markus@cvs.openbsd.org>2003-07-10 07:54:04 +0000
commit7fd21cb20202b7175a75758fc787af239d847e0d (patch)
tree45401e7ad73e0b575bdf73ace067d0c54f7be7a0
parentd95c47dac4e55dfbb96f0655805c9755bf7b345d (diff)
simplify and cleanup examples; we now only set up flows for
the internal networks, not for all possible gw-to-network combinations; with help from jmc@; ok deraadt@
-rw-r--r--share/man/man8/vpn.8276
1 files changed, 75 insertions, 201 deletions
diff --git a/share/man/man8/vpn.8 b/share/man/man8/vpn.8
index 6397000207d..991c9a37c63 100644
--- a/share/man/man8/vpn.8
+++ b/share/man/man8/vpn.8
@@ -1,4 +1,4 @@
-.\" $OpenBSD: vpn.8,v 1.67 2003/06/26 20:16:55 jmc Exp $
+.\" $OpenBSD: vpn.8,v 1.68 2003/07/10 07:54:03 markus Exp $
.\"
.\" Copyright 1998 Niels Provos <provos@physnet.uni-hamburg.de>
.\" All rights reserved.
@@ -78,7 +78,6 @@ Make sure that the following options and devices are enabled in the kernel:
.Bd -literal
option CRYPTO # Cryptographic Framework
option IPSEC # IPSEC VPN
-#option KEY # KEY implied by IPSEC
pseudo-device enc 4 # Encapsulation device used by IPSEC
.Ed
.Pp
@@ -89,18 +88,18 @@ operations must be enabled using
Before doing either manual or automated keying, or performing
encryption (ESP) or authentication (AH) operations, ensure the appropriate
kernel operation has been enabled:
-.Bd -literal
- # sysctl -w net.inet.esp.enable=1
- # sysctl -w net.inet.ah.enable=1
+.Bd -literal -offset indent
+# sysctl -w net.inet.esp.enable=1
+# sysctl -w net.inet.ah.enable=1
.Ed
.Pp
The ESP and AH protocols default to 'on'.
.Pp
For security gateways, proper operation often also requires packet
forwarding to be enabled:
-.Bd -literal
- # sysctl -w net.inet.ip.forwarding=1
- # sysctl -w net.inet6.ip6.forwarding=1
+.Bd -literal -offset indent
+# sysctl -w net.inet.ip.forwarding=1
+# sysctl -w net.inet6.ip6.forwarding=1
.Ed
.Pp
Packet forwarding defaults to 'off'.
@@ -119,13 +118,13 @@ One practical method of generating them is by using the
.Xr random 4
device.
To produce 160 bits (20 bytes) of randomness, for example, do:
-.Bd -literal
- # openssl rand 20 | hexdump -e '20/1 "%02x"'
+.Bd -literal -offset indent
+# openssl rand 20 | hexdump -e '20/1 "%02x"'
.Ed
.Pp
or:
-.Bd -literal
- # openssl rand 20 | perl -pe 's/./unpack("H2",$&)/ges'
+.Bd -literal -offset indent
+# openssl rand 20 | perl -pe 's/./unpack("H2",$&)/ges'
.Ed
.Pp
Different cipher types may require different sized keys.
@@ -152,15 +151,15 @@ algorithms.
.Ss Creating Security Associations [manual keying]
Before the IPsec flows can be defined, two Security Associations (SAs)
must be defined on each end of the VPN, e.g.:
-.Bd -literal
- # ipsecadm new esp -spi SPI_AB -src A_EXTERNAL_IP \e
- -dst B_EXTERNAL_IP -forcetunnel -enc 3des -auth sha1 \e
- -keyfile ENCRYPTION_KEY_FILE \e
- -authkeyfile AUTHENTICATION_KEY_FILE
- # ipsecadm new esp -spi SPI_BA -src B_EXTERNAL_IP \e
- -dst A_EXTERNAL_IP -forcetunnel -enc 3des -auth sha1 \e
- -keyfile ENCRYPTION_KEY_FILE \e
- -authkeyfile AUTHENTICATION_KEY_FILE
+.Bd -literal -offset indent
+# ipsecadm new esp -spi $SPI_AB -src $GATEWAY_A \e
+ -dst $GATEWAY_B -forcetunnel -enc 3des -auth sha1 \e
+ -keyfile $ENCRYPTION_KEY_FILE \e
+ -authkeyfile $AUTHENTICATION_KEY_FILE
+# ipsecadm new esp -spi $SPI_BA -src $GATEWAY_B \e
+ -dst $GATEWAY_A -forcetunnel -enc 3des -auth sha1 \e
+ -keyfile $ENCRYPTION_KEY_FILE \e
+ -authkeyfile$ AUTHENTICATION_KEY_FILE
.Ed
.Pp
Note that the
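Review bot: The second SA command has a misplaced variable sigil on its last line, `-authkeyfile$ AUTHENTICATION_KEY_FILE`, which no shell will expand; it should read ` -authkeyfile $AUTHENTICATION_KEY_FILE` to match the first command four lines above. Both SAs also read the same $ENCRYPTION_KEY_FILE and $AUTHENTICATION_KEY_FILE, so as written the example keys the A-to-B and B-to-A directions identically; a sentence recommending separate key files per direction would be worth adding next to this block, since the text does not say that sharing the material is intended.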
@@ -181,77 +180,23 @@ routes with the
tool:
.Pp
On the security gateway of subnet A:
-.Bd -literal
- # ipsecadm flow -dst B_EXTERNAL_IP -proto esp
- -addr A_EXTERNAL_IP 255.255.255.255
- B_EXTERNAL_IP 255.255.255.255
- -require -out -src A_EXTERNAL_IP
- # ipsecadm flow -dst B_EXTERNAL_IP -proto esp
- -addr A_INTERNAL_NETWORK A_INTERNAL_NETMASK
- B_INTERNAL_NETWORK B_INTERNAL_NETMASK
- -require -out -src A_EXTERNAL_IP
- # ipsecadm flow -dst B_EXTERNAL_IP -proto esp
- -addr A_EXTERNAL_IP 255.255.255.255
- B_INTERNAL_NETWORK B_INTERNAL_NETMASK
- -require -out -src A_EXTERNAL_IP
- # ipsecadm flow -dst B_EXTERNAL_IP -proto esp
- -addr A_INTERNAL_NETWORK A_INTERNAL_NETMASK
- B_EXTERNAL_IP 255.255.255.255
- -require -out -src A_EXTERNAL_IP
-
- # ipsecadm flow -dst B_EXTERNAL_IP -proto esp
- -addr B_EXTERNAL_IP 255.255.255.255
- A_EXTERNAL_IP 255.255.255.255
- -require -in -src A_EXTERNAL_IP
- # ipsecadm flow -dst B_EXTERNAL_IP -proto esp
- -addr B_INTERNAL_NETWORK B_INTERNAL_NETMASK
- A_INTERNAL_NETWORK A_INTERNAL_NETMASK
- -require -in -src A_EXTERNAL_IP
- # ipsecadm flow -dst B_EXTERNAL_IP -proto esp
- -addr B_EXTERNAL_IP 255.255.255.255
- A_INTERNAL_NETWORK A_INTERNAL_NETMASK
- -require -in -src A_EXTERNAL_IP
- # ipsecadm flow -dst B_EXTERNAL_IP -proto esp
- -addr B_INTERNAL_NETWORK B_INTERNAL_NETMASK
- A_EXTERNAL_IP 255.255.255.255
- -require -in -src A_EXTERNAL_IP
+.Bd -literal -offset indent
+# ipsecadm flow -out -require -proto esp \e
+ -src $GATEWAY_A -dst $GATEWAY_B \e
+ -addr $NETWORK_A $NETWORK_B \e
+# ipsecadm flow -in -require -proto esp \e
+ -src $GATEWAY_A -dst $GATEWAY_B \e
+ -addr $NETWORK_B $NETWORK_A \e
.Ed
.Pp
and on the security gateway of subnet B:
-.Bd -literal
- # ipsecadm flow -dst A_EXTERNAL_IP -proto esp
- -addr B_EXTERNAL_IP 255.255.255.255
- A_EXTERNAL_IP 255.255.255.255
- -out -require -src B_EXTERNAL_IP
- # ipsecadm flow -dst A_EXTERNAL_IP -proto esp
- -addr B_INTERNAL_NETWORK B_INTERNAL_NETMASK
- A_INTERNAL_NETWORK A_INTERNAL_NETMASK
- -out -require -src B_EXTERNAL_IP
- # ipsecadm flow -dst A_EXTERNAL_IP -proto esp
- -addr B_EXTERNAL_IP 255.255.255.255
- A_INTERNAL_NETWORK A_INTERNAL_NETMASK
- -out -require -src B_EXTERNAL_IP
- # ipsecadm flow -dst A_EXTERNAL_IP -proto esp
- -addr B_INTERNAL_NETWORK B_INTERNAL_NETMASK
- A_EXTERNAL_IP 255.255.255.255
- -out -require -src B_EXTERNAL_IP
-
- # ipsecadm flow -dst A_EXTERNAL_IP -proto esp
- -addr A_EXTERNAL_IP 255.255.255.255
- B_EXTERNAL_IP 255.255.255.255
- -in -require -src B_EXTERNAL_IP
- # ipsecadm flow -dst A_EXTERNAL_IP -proto esp
- -addr A_INTERNAL_NETWORK A_INTERNAL_NETMASK
- B_INTERNAL_NETWORK B_INTERNAL_NETMASK
- -in -require -src B_EXTERNAL_IP
- # ipsecadm flow -dst A_EXTERNAL_IP -proto esp
- -addr A_EXTERNAL_IP 255.255.255.255
- B_INTERNAL_NETWORK B_INTERNAL_NETMASK
- -in -require -src B_EXTERNAL_IP
- # ipsecadm flow -dst A_EXTERNAL_IP -proto esp
- -addr A_INTERNAL_NETWORK A_INTERNAL_NETMASK
- B_EXTERNAL_IP 255.255.255.255
- -in -require -src B_EXTERNAL_IP
+.Bd -literal -offset indent
+# ipsecadm flow -out -require -proto esp \e
+ -src $GATEWAY_B -dst $GATEWAY_A \e
+ -addr $NETWORK_B $NETWORK_A \e
+# ipsecadm flow -in -require -proto esp \e
+ -src $GATEWAY_B -dst $GATEWAY_A \e
+ -addr $NETWORK_A $NETWORK_B \e
.Ed
.Ss Configure and run the keying daemon [automated keying]
Unless manual keying is used, both security gateways need to start
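Review bot: The final line of each new flow command ends with a continuation backslash, `-addr $NETWORK_A $NETWORK_B \e` and `-addr $NETWORK_B $NETWORK_A \e`, so the rendered example joins the first `ipsecadm flow -out` command onto the following `# ipsecadm flow -in` prompt line and a reader pasting it gets one malformed command instead of two. Drop the trailing `\e` from the `-addr` lines of all four commands in this hunk (both gateway A and gateway B blocks). The same trailing `\e` appears on the `-addr` lines of the worked manual-keying example later in this diff (the machine A and machine B flow blocks), where it should be removed as well.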
@@ -283,10 +228,10 @@ rules for a tunnel which uses encryption (the ESP IPsec protocol) and
.Xr isakmpd 8
on security gateway A might look like this:
.Bd -literal
-gatewA = "192.168.1.254/32"
-gatewB = "192.168.2.1/32"
-netA = "10.0.50.0/24"
-netB = "10.0.99.0/24"
+GATEWAY_A = "192.168.1.254/32"
+GATEWAY_B = "192.168.2.1/32"
+NETWORK_A = "10.0.50.0/24"
+NETWORK_B = "10.0.99.0/24"
# default deny
# ne0 is the only interface going to the outside.
@@ -294,16 +239,16 @@ block in log on { enc0, ne0 } all
block out log on { enc0, ne0 } all
# Passing in encrypted traffic from security gateways
-pass in proto esp from $gatewB to $gatewA
-pass out proto esp from $gatewA to $gatewB
+pass in proto esp from $GATEWAY_B to $GATEWAY_A
+pass out proto esp from $GATEWAY_A to $GATEWAY_B
# Passing in traffic from the designated subnets.
-pass in on enc0 from $netB to $netA
-pass out on enc0 from $netA to $netB
+pass in on enc0 from $NETWORK_B to $NETWORK_A
+pass out on enc0 from $NETWORK_A to $NETWORK_B
# Passing in isakmpd(8) traffic from the security gateways
-pass in on ne0 proto udp from $gatewB port = 500 to $gatewA port = 500
-pass out on ne0 proto udp from $gatewA port = 500 to $gatewB port = 500
+pass in on ne0 proto udp from $GATEWAY_B port = 500 to $GATEWAY_A port = 500
+pass out on ne0 proto udp from $GATEWAY_A port = 500 to $GATEWAY_B port = 500
.Ed
.Pp
If there are no other
@@ -329,126 +274,63 @@ Firewall configuration file
.Ss Manual keying
To create a manual keyed VPN between two class C networks using
3DES encryption and the following IP addresses:
-.Pp
.Bd -literal
- A_INTERNAL_IP = 10.0.50.1
- A_EXTERNAL_IP = 192.168.1.254
- B_EXTERNAL_IP = 192.168.2.1
- B_INTERNAL_IP = 10.0.99.1
+ GATEWAY_A = 192.168.1.254
+ NETWORK_A = 10.0.50.0/24
+ GATEWAY_B = 192.168.2.1
+ NETWORK_B = 10.0.99.0/24
.Ed
-.Pp
.Bl -enum
.It
Choose the shared secrets using a suitably random method.
The 3DES encryption key needs 192 bits (3x64), or 24 bytes.
The SHA-1 authentication key for needs 160 bits, or 20 bytes.
-.Pp
.Bd -literal
# openssl rand 24 | hexdump -e '24/1 "%02x"' > enc_key
# openssl rand 20 | hexdump -e '20/1 "%02x"' > auth_key
.Ed
-.Pp
.It
Create the Security Associations (on both endpoints):
-.Pp
.Bd -literal
-# /sbin/ipsecadm new esp -src 192.168.2.1 -dst 192.168.1.254 \e\
- -forcetunnel -spi 1000 -enc 3des -auth sha1 \e\
+# /sbin/ipsecadm new esp -src 192.168.2.1 -dst 192.168.1.254 \e
+ -forcetunnel -spi 1000 -enc 3des -auth sha1 \e
-keyfile enc_key -authkeyfile auth_key
-# /sbin/ipsecadm new esp -src 192.168.1.254 -dst 192.168.2.1 \e\
- -forcetunnel -spi 1001 -enc 3des -auth sha1 \e\
+# /sbin/ipsecadm new esp -src 192.168.1.254 -dst 192.168.2.1 \e
+ -forcetunnel -spi 1001 -enc 3des -auth sha1 \e
-keyfile enc_key -authkeyfile auth_key
.Ed
-.Pp
.It
-Create the IPsec flows on machine A (the first four are the
-outbound flows, the latter four are the ingress filters for the
+Create the IPsec flows on machine A (the fist is for
+outbound flows, the latter is the ingress filter for the
incoming security association):
-.Pp
.Bd -literal
-# /sbin/ipsecadm flow -dst 192.168.2.1 -proto esp \e\
- -addr 192.168.1.254 255.255.255.255 \e\
- 192.168.2.1 255.255.255.255 -out \e\
- -require -src 192.168.1.254
-
-# /sbin/ipsecadm flow -dst 192.168.2.1 -proto esp \e\
- -addr 10.0.50.0 255.255.255.0 10.0.99.0 255.255.255.0 \e\
- -require -out -src 192.168.1.254
-
-# /sbin/ipsecadm flow -dst 192.168.2.1 -proto esp \e\
- -addr 192.168.1.254 255.255.255.255 \e\
- 10.0.99.0 255.255.255.0 \e\
- -require -out -src 192.168.1.254
-
-# /sbin/ipsecadm flow -dst 192.168.2.1 -proto esp \e\
- -addr 10.0.50.0 255.255.255.0 192.168.2.1 255.255.255.255 \e\
- -require -out -src 192.168.1.254
-
-# /sbin/ipsecadm flow -dst 192.168.2.1 -proto esp \e\
- -addr 192.168.2.1 255.255.255.255 \e\
- 192.168.1.254 255.255.255.255 \e\
- -require -in -src 192.168.1.254
-
-# /sbin/ipsecadm flow -dst 192.168.2.1 -proto esp \e\
- -addr 10.0.99.0 255.255.255.0 10.0.50.0 255.255.255.0 \e\
- -require -in -src 192.168.1.254
-
-# /sbin/ipsecadm flow -dst 192.168.2.1 -proto esp \e\
- -addr 192.168.2.1 255.255.255.255 \e\
- 10.0.50.0 255.255.255.0 \e\
- -require -in -src 192.168.1.254
-
-# /sbin/ipsecadm flow -dst 192.168.2.1 -proto esp \e\
- -addr 10.0.99.0 255.255.255.0 \e\
- 192.168.1.254 255.255.255.255 \e\
- -require -in -src 192.168.1.254
+# ipsecadm flow -out -require -proto esp \e
+ -src 192.168.1.254 -dst 192.168.2.1 \e
+ -addr 10.0.50.0/24 10.0.99.0/24 \e
+# ipsecadm flow -in -require -proto esp \e
+ -src 192.168.1.254 -dst 192.168.2.1 \e
+ -addr 10.0.99.0/24 10.0.50.0/24 \e
.Ed
.It
-Create the ipsec flows on machine B:
+Create the matching IPsec flows on machine B:
.Bd -literal
-# /sbin/ipsecadm flow -dst 192.168.1.254 -proto esp \e\
- -addr 192.168.2.1 255.255.255.255 \e\
- 192.168.1.254 255.255.255.255 \e\
- -require -out -src 192.168.2.1
-
-# /sbin/ipsecadm flow -dst 192.168.1.254 -proto esp \e\
- -addr 10.0.99.0 255.255.255.0 10.0.50.0 255.255.255.0 \e\
- -require -out -src 192.168.2.1
-
-# /sbin/ipsecadm flow -dst 192.168.1.254 -proto esp \e\
- -addr 192.168.2.1 255.255.255.255 \e\
- 10.0.50.0 255.255.255.0 -require -out -src 192.168.2.1
-
-# /sbin/ipsecadm flow -dst 192.168.1.254 -proto esp \e\
- -addr 10.0.99.0 255.255.255.0 192.168.1.254 255.255.255.255 \e\
- -require -out -src 192.168.2.1
-
-# /sbin/ipsecadm flow -dst 192.168.1.254 -proto esp \e\
- -addr 192.168.1.254 255.255.255.255 \e\
- 192.168.2.1 255.255.255.255 -require -in -src 192.168.2.1
-
-# /sbin/ipsecadm flow -dst 192.168.1.254 -proto esp \e\
- -addr 10.0.50.0 255.255.255.0 10.0.99.0 255.255.255.0 \e\
- -require -in -src 192.168.2.1
-
-# /sbin/ipsecadm flow -dst 192.168.1.254 -proto esp \e\
- -addr 192.168.1.254 255.255.255.255 \e\
- 10.0.99.0 255.255.255.0 -require -in -src 192.168.2.1
-
-# /sbin/ipsecadm flow -dst 192.168.1.254 -proto esp \e\
- -addr 10.0.50.0 255.255.255.0 192.168.2.1 255.255.255.255 \e\
- -require -in -src 192.168.2.1
+# ipsecadm flow -out -require -proto esp \e
+ -src 192.168.1.254 -dst 192.168.2.1 \e
+ -addr 10.0.50.0/24 10.0.99.0/24 \e
+# ipsecadm flow -in -require -proto esp \e
+ -src 192.168.1.254 -dst 192.168.2.1 \e
+ -addr 10.0.99.0/24 10.0.50.0/24 \e
.Ed
.It
Configure the firewall rules on machine A
using the previously defined ruleset:
.Bd -literal
-gatewA = "192.168.1.254/32"
-gatewB = "192.168.2.1/32"
-netA = "10.0.50.0/24"
-netB = "10.0.99.0/24"
+GATEWAY_A = "192.168.1.254/32"
+GATEWAY_B = "192.168.2.1/32"
+NETWORK_A = "10.0.50.0/24"
+NETWORK_B = "10.0.99.0/24"
(rest of ruleset)
.Ed
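Review bot: The "matching IPsec flows on machine B" block is a verbatim copy of the machine A block: it uses `-src 192.168.1.254 -dst 192.168.2.1` and `-addr 10.0.50.0/24 10.0.99.0/24` for the outbound flow, which are machine A's addresses, whereas the generic example earlier in this diff swaps the gateways and networks for gateway B. On machine B the lines should read ` -src 192.168.2.1 -dst 192.168.1.254 \e` in both commands, ` -addr 10.0.99.0/24 10.0.50.0/24 \e` for the `-out` flow and ` -addr 10.0.50.0/24 10.0.99.0/24 \e` for the `-in` flow, otherwise a reader following the steps installs flows on B that describe A's side of the tunnel. The rewritten sentence introducing the machine A flows also has a typo, "the fist is for outbound flows", which should be "the first is the outbound flow".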
@@ -456,10 +338,10 @@ netB = "10.0.99.0/24"
Configure the firewall rules on machine B, modifying the
definitions as appropriate:
.Bd -literal
-gatewB = "192.168.1.254/32"
-gatewA = "192.168.2.1/32"
-netB = "10.0.50.0/24"
-netA = "10.0.99.0/24"
+GATEWAY_B = "192.168.1.254/32"
+GATEWAY_A = "192.168.2.1/32"
+NETWORK_B = "10.0.50.0/24"
+NETWORK_A = "10.0.99.0/24"
(rest of ruleset)
.Ed
@@ -468,13 +350,11 @@ netA = "10.0.99.0/24"
To create a VPN between the same two C class networks as the example
above, using
.Xr isakmpd 8 :
-.Pp
.Bl -enum
.It
Create
.Pa /etc/isakmpd/isakmpd.conf
for machine A:
-.Pp
.Bd -literal
# Incoming phase 1 negotiations are multiplexed on the source IP
@@ -596,7 +476,6 @@ DOI= IPSEC
EXCHANGE_TYPE= QUICK_MODE
Suites= QM-ESP-3DES-SHA-SUITE
.Ed
-.Pp
.It
Read through the configuration one more time.
The only real differences between the two files in this example are
@@ -616,7 +495,6 @@ be installed without any permissions for "group" or "other".
Create a simple
.Pa /etc/isakmpd/isakmpd.policy
file for machineA:
-.Pp
.Bd -literal
Keynote-version: 2
Authorizer: "POLICY"
@@ -624,12 +502,10 @@ Conditions: app_domain == "IPsec policy" &&
esp_present == "yes" &&
esp_enc_alg != "null" -> "true";
.Ed
-.Pp
.It
Create a simple
.Pa /etc/isakmpd/isakmpd.policy
file for machineB:
-.Pp
.Bd -literal
Keynote-version: 2
Authorizer: "POLICY"
@@ -637,7 +513,6 @@ Conditions: app_domain == "IPsec policy" &&
esp_present == "yes" &&
esp_enc_alg != "null" -> "true";
.Ed
-.Pp
.It
Configure the firewall rules on machines A and B:
.Pp
@@ -661,7 +536,6 @@ For machineB, add:
pass in proto udp from 192.168.1.254/32 to 193.127.2.1/32 port = 500
pass out proto udp from 192.168.2.1/32 to 193.127.1.254/32 port = 500
.Ed
-.Pp
.It
Start
.Xr isakmpd 8