src - OpenBSD base system

diff options


context:
space:
mode:

author	Jason McIntyre <jmc@cvs.openbsd.org>	2005-04-02 00:17:59 +0000
committer	Jason McIntyre <jmc@cvs.openbsd.org>	2005-04-02 00:17:59 +0000
commit	37a7a71a17a60552f2f7d7c7dff88b12c02a4078 (patch)
tree	b8d7a50f8df8cb791f509d5d131b16f97bbfc9ce /share/man/man8/vpn.8
parent	981410e3540ed08aeed411970ac7f4124f81021f (diff)

make this page look better;

Diffstat (limited to 'share/man/man8/vpn.8')

-rw-r--r--

share/man/man8/vpn.8

157

1 files changed, 82 insertions, 75 deletions

diff --git a/share/man/man8/vpn.8 b/share/man/man8/vpn.8
index d6e25844957..b8a29ef1c31 100644
--- a/share/man/man8/vpn.8
+++ b/share/man/man8/vpn.8

@@ -1,4 +1,4 @@

-.\" $OpenBSD: vpn.8,v 1.76 2004/11/12 10:51:09 jmc Exp $

+.\" $OpenBSD: vpn.8,v 1.77 2005/04/02 00:17:58 jmc Exp $

.\"

@@ -51,7 +51,7 @@ Briefly, creating a VPN consists of the following steps:

.Pp

.Bl -enum -compact

.It

-Choose a key exchange method: manual keyed, or automated via

+Choose a key exchange method: manual keyed or automated via

.Xr isakmpd 8 .

.It

For manual keying, create the Security Associations (SA), one for

@@ -82,7 +82,8 @@ forwarding to be enabled using

# sysctl net.inet6.ip6.forwarding=1

.Ed

.Pp

-Packet forwarding defaults to 'off'.

+Packet forwarding defaults to

+.Sq off .

.Pp

For more permanent operation,

the appropriate option(s) should be enabled in your

@@ -101,15 +102,14 @@ To produce 160 bits (20 bytes) of randomness, for example, do:

.Bd -literal -offset indent

# openssl rand 20 | hexdump -e '20/1 "%02x"'

.Ed

-.Pp

or:

-.Bd -literal -offset indent

+.Bd -literal -offset indent -compact

# openssl rand 20 | perl -pe 's/./unpack("H2",$&)/ges'

.Ed

.Pp

Different cipher types may require different sized keys.

.Pp

-.Bl -column "Cipher" "Key Length" -offset indent -compact

+.Bl -column "CipherXX" "Key Length" -offset indent -compact

.It Em Cipher Key Length

.It Li DES Ta "56 bits"

.It Li 3DES Ta "168 bits"

@@ -130,7 +130,7 @@ This is because the most significant bit of each byte is ignored by both

algorithms.

.Ss Creating Security Associations [manual keying]

Before the IPsec flows can be defined, two Security Associations (SAs)

-must be defined on each end of the VPN, e.g.:

+must be defined on each end of the VPN e.g.:

.Bd -literal -offset indent

# ipsecadm new esp -spi $SPI_AB -src $GATEWAY_A \e

-dst $GATEWAY_B -forcetunnel -enc 3des -auth sha1 \e

@@ -143,7 +143,7 @@ must be defined on each end of the VPN, e.g.:

.Ed

.Pp

Note that the

-.Fl key

+.Fl keyfile

and

.Fl authkey

options may be used to specify the keys directly in the

@@ -169,7 +169,7 @@ On the security gateway of subnet A:

-addr $NETWORK_B $NETWORK_A

.Ed

.Pp

-and on the security gateway of subnet B:

+On the security gateway of subnet B:

.Bd -literal -offset indent

# ipsecadm flow -out -require -proto esp \e

-src $GATEWAY_B -dst $GATEWAY_A \e

@@ -185,7 +185,7 @@ the

key management daemon.

To make sure the daemon is properly configured

to provide the required security services (typically, encryption and

-authentication) start the daemon with debugging or verbose output.

+authentication), start the daemon with debugging or verbose output.

.Pp

.Xr isakmpd 8

implements security policy using the

@@ -207,7 +207,7 @@ The

rules for a tunnel which uses encryption (the ESP IPsec protocol) and

.Xr isakmpd 8

on security gateway A might look like this:

-.Bd -literal

+.Bd -literal -offset indent

GATEWAY_A = "192.168.1.254/32"

GATEWAY_B = "192.168.2.1/32"

NETWORK_A = "10.0.50.0/24"

@@ -230,8 +230,10 @@ pass in on enc0 from $NETWORK_B to $NETWORK_A

pass out on enc0 from $NETWORK_A to $NETWORK_B

# Passing in isakmpd(8) traffic from the security gateways

-pass in on ne0 proto udp from $GATEWAY_B port = 500 to $GATEWAY_A port = 500

-pass out on ne0 proto udp from $GATEWAY_A port = 500 to $GATEWAY_B port = 500

+pass in on ne0 proto udp from $GATEWAY_B port = 500 \e

+ to $GATEWAY_A port = 500

+pass out on ne0 proto udp from $GATEWAY_A port = 500 \e

+ to $GATEWAY_B port = 500

.Ed

.Pp

If there are no other

@@ -243,16 +245,6 @@ interface.

Note that it is strongly encouraged that instead of detailed PF

rules, the SPD (IPsec flow database) be utilized to specify security

policy, if only to avoid filtering conflicts.

-.Sh FILES

-.Bl -tag -width /etc/isakmpd/isakmpd.conf -compact

-.It Pa /usr/share/ipsec/rc.vpn

-Sample VPN configuration file

-.It Pa /etc/isakmpd/isakmpd.conf

-.Xr isakmpd 8

-configuration file

-.It Pa /etc/pf.conf

-Firewall configuration file

-.El

.Sh EXAMPLES

.Ss Manual keying

To create a manual keyed VPN between two class C networks using

@@ -268,47 +260,47 @@ To create a manual keyed VPN between two class C networks using

Choose the shared secrets using a suitably random method.

The 3DES encryption key needs 192 bits (3x64), or 24 bytes.

The SHA-1 authentication key for needs 160 bits, or 20 bytes.

-.Bd -literal

+.Bd -literal -offset indent

# openssl rand 24 | hexdump -e '24/1 "%02x"' > enc_key

# openssl rand 20 | hexdump -e '20/1 "%02x"' > auth_key

.Ed

.It

Create the Security Associations (on both endpoints):

-.Bd -literal

+.Bd -literal -offset indent

# /sbin/ipsecadm new esp -src 192.168.2.1 -dst 192.168.1.254 \e

- -forcetunnel -spi 1000 -enc 3des -auth sha1 \e

- -keyfile enc_key -authkeyfile auth_key

+ -forcetunnel -spi 1000 -enc 3des -auth sha1 \e

+ -keyfile enc_key -authkeyfile auth_key

# /sbin/ipsecadm new esp -src 192.168.1.254 -dst 192.168.2.1 \e

- -forcetunnel -spi 1001 -enc 3des -auth sha1 \e

- -keyfile enc_key -authkeyfile auth_key

+ -forcetunnel -spi 1001 -enc 3des -auth sha1 \e

+ -keyfile enc_key -authkeyfile auth_key

.Ed

.It

Create the IPsec flows on machine A (the first is for

outbound flows, the latter is the ingress filter for the

incoming security association):

-.Bd -literal

+.Bd -literal -offset indent

# ipsecadm flow -out -require -proto esp \e

- -src 192.168.1.254 -dst 192.168.2.1 \e

- -addr 10.0.50.0/24 10.0.99.0/24

+ -src 192.168.1.254 -dst 192.168.2.1 \e

+ -addr 10.0.50.0/24 10.0.99.0/24

# ipsecadm flow -in -require -proto esp \e

- -src 192.168.1.254 -dst 192.168.2.1 \e

- -addr 10.0.99.0/24 10.0.50.0/24

+ -src 192.168.1.254 -dst 192.168.2.1 \e

+ -addr 10.0.99.0/24 10.0.50.0/24

.Ed

.It

Create the matching IPsec flows on machine B:

-.Bd -literal

+.Bd -literal -offset indent

# ipsecadm flow -out -require -proto esp \e

- -src 192.168.1.254 -dst 192.168.2.1 \e

- -addr 10.0.50.0/24 10.0.99.0/24

+ -src 192.168.1.254 -dst 192.168.2.1 \e

+ -addr 10.0.50.0/24 10.0.99.0/24

# ipsecadm flow -in -require -proto esp \e

- -src 192.168.1.254 -dst 192.168.2.1 \e

- -addr 10.0.99.0/24 10.0.50.0/24

+ -src 192.168.1.254 -dst 192.168.2.1 \e

+ -addr 10.0.99.0/24 10.0.50.0/24

.Ed

.It

Configure the firewall rules on machine A

using the previously defined ruleset:

-.Bd -literal

+.Bd -literal -offset indent

GATEWAY_A = "192.168.1.254/32"

GATEWAY_B = "192.168.2.1/32"

NETWORK_A = "10.0.50.0/24"

@@ -319,7 +311,7 @@ NETWORK_B = "10.0.99.0/24"

.It

Configure the firewall rules on machine B, modifying the

definitions as appropriate:

-.Bd -literal

+.Bd -literal -offset indent

GATEWAY_B = "192.168.1.254/32"

GATEWAY_A = "192.168.2.1/32"

NETWORK_B = "10.0.50.0/24"

@@ -337,18 +329,19 @@ above, using

Create

.Pa /etc/isakmpd/isakmpd.conf

for machine A:

-.Bd -literal

-# Incoming phase 1 negotiations are multiplexed on the source IP

-# address. Phase 1 is used to set up a protected channel just

-# between the two gateway machines. This channel is then used for

-# the phase 2 negotiation traffic (i.e. encrypted & authenticated).

+.Bd -literal -offset indent

+# Incoming phase 1 negotiations are multiplexed on the

+# source IP address. Phase 1 is used to set up a protected

+# channel just between the two gateway machines.

+# This channel is then used for the phase 2 negotiation

+# traffic (i.e. encrypted & authenticated).

[Phase 1]

192.168.2.1= peer-machineB

-# 'Phase 2' defines which connections the daemon should establish.

-# These connections contain the actual "IPsec VPN" information.

+# 'Phase 2' defines which connections the daemon

+# should establish. These connections contain the actual

+# "IPsec VPN" information.

[Phase 2]

Connections= VPN-A-B

@@ -383,7 +376,8 @@ ID-type= IPV4_ADDR_SUBNET

Network= 10.0.99.0

Netmask= 255.255.255.0

-# Main and Quick Mode descriptions (as used by peers and connections)

+# Main and Quick Mode descriptions

+# (as used by peers and connections).

[Default-main-mode]

DOI= IPSEC

@@ -400,18 +394,19 @@ Suites= QM-ESP-3DES-SHA-SUITE

Create

.Pa /etc/isakmpd/isakmpd.conf

for machine B:

-.Bd -literal

-# Incoming phase 1 negotiations are multiplexed on the source IP

-# address. Phase 1 is used to set up a protected channel just

-# between the two gateway machines. This channel is then used for

-# the phase 2 negotiation traffic (i.e. encrypted & authenticated).

+.Bd -literal -offset indent

+# Incoming phase 1 negotiations are multiplexed on the

+# source IP address. Phase 1 is used to set up a

+# protected channel just between the two gateway machines.

+# This channel is then used for the phase 2 negotiation

+# traffic (i.e. encrypted & authenticated).

[Phase 1]

192.168.1.254= peer-machineA

-# 'Phase 2' defines which connections the daemon should establish.

-# These connections contain the actual "IPsec VPN" information.

+# 'Phase 2' defines which connections the daemon should

+# establish. These connections contain the actual

+# "IPsec VPN" information.

[Phase 2]

Connections= VPN-B-A

@@ -446,7 +441,8 @@ ID-type= IPV4_ADDR_SUBNET

Network= 10.0.99.0

Netmask= 255.255.255.0

-# Main and Quick Mode descriptions (as used by peers and connections)

+# Main and Quick Mode descriptions

+# (as used by peers and connections).

[Default-main-mode]

DOI= IPSEC

@@ -461,7 +457,7 @@ Suites= QM-ESP-3DES-SHA-SUITE

.It

Read through the configuration one more time.

The only real differences between the two files in this example are

-the IP-addresses, and ordering of Local- and Remote-ID for the VPN

+the IP addresses, and ordering of Local- and Remote-ID for the VPN

itself.

Note that the shared secret (the

.Em Authentication

@@ -469,9 +465,8 @@ tag) must match between machineA and machineB.

.Pp

Due to the shared secret information in the configuration file, it must

be installed without any permissions for "group" or "other".

-.Bd -literal -offset indent

-# chmod og-rwx /etc/isakmpd/isakmpd.conf

-.Ed

+.Pp

+.Dl # chmod og-rwx /etc/isakmpd/isakmpd.conf

.Pp

.It

Create a simple

@@ -506,31 +501,43 @@ control traffic, on

port 500.

.Pp

For machineA, add:

-.Bd -literal

+.Bd -literal -offset indent

# Permit ISAKMPD control traffic between A and B

-pass in proto udp from 192.168.2.1/32 to 192.168.1.254/32 port = 500

-pass out proto udp from 192.168.1.254/32 to 192.168.2.1/32 port = 500

+pass in proto udp from 192.168.2.1/32 to 192.168.1.254/32 \e

+ port = 500

+pass out proto udp from 192.168.1.254/32 to 192.168.2.1/32 \e

+ port = 500

.Ed

.Pp

For machineB, add:

-.Bd -literal

+.Bd -literal -offset indent

# Permit ISAKMPD control traffic between A and B

-pass in proto udp from 192.168.1.254/32 to 192.168.2.1/32 port = 500

-pass out proto udp from 192.168.2.1/32 to 192.168.1.254/32 port = 500

+pass in proto udp from 192.168.1.254/32 to 192.168.2.1/32 \e

+ port = 500

+pass out proto udp from 192.168.2.1/32 to 192.168.1.254/32 \e

+ port = 500

.Ed

.It

Start

.Xr isakmpd 8

.Pp

On both machines, run:

-.Bd -literal -offset indent

-# /sbin/isakmpd

-.Ed

+.Pp

+.Dl # /sbin/isakmpd

.Pp

To run with verbose debugging enabled, instead start with:

-.Bd -literal -offset indent

-# /sbin/isakmpd -d -DA=99

-.Ed

+.Pp

+.Dl # /sbin/isakmpd -d -DA=99

+.El

+.Sh FILES

+.Bl -tag -width "/etc/isakmpd/isakmpd.confXX" -compact

+.It Pa /usr/share/ipsec/rc.vpn

+Sample VPN configuration file.

+.It Pa /etc/isakmpd/isakmpd.conf

+.Xr isakmpd 8

+configuration file.

+.It Pa /etc/pf.conf

+Firewall configuration file.

.El

.Sh SEE ALSO

.Xr openssl 1 ,