summaryrefslogtreecommitdiff
path: root/share/man/man8
diff options
context:
space:
mode:
authorHans-Joerg Hoexer <hshoexer@cvs.openbsd.org>2005-08-19 08:55:57 +0000
committerHans-Joerg Hoexer <hshoexer@cvs.openbsd.org>2005-08-19 08:55:57 +0000
commit3fc14c1566eebff0d405ee4f3b5aff8859e3e8a8 (patch)
tree8768bc304a4abb4ccd416c6b4b56439be00b1792 /share/man/man8
parenta3d1841d860af817e87510d9873de40c40ac449c (diff)
document manual keying with ipsecctl
ok, tweaks jmc@
Diffstat (limited to 'share/man/man8')
-rw-r--r--share/man/man8/vpn.869
1 files changed, 65 insertions, 4 deletions
diff --git a/share/man/man8/vpn.8 b/share/man/man8/vpn.8
index 440e8dac31f..1ddd709ee12 100644
--- a/share/man/man8/vpn.8
+++ b/share/man/man8/vpn.8
@@ -1,4 +1,4 @@
-.\" $OpenBSD: vpn.8,v 1.104 2005/06/07 09:09:50 jmc Exp $
+.\" $OpenBSD: vpn.8,v 1.105 2005/08/19 08:55:56 hshoexer Exp $
.\"
.\" Copyright 1998 Niels Provos <provos@physnet.uni-hamburg.de>
.\" All rights reserved.
@@ -136,6 +136,8 @@ There are currently two key exchange methods available:
.It
manual keying:
.Xr ipsecadm 8
+or
+.Xr ipsecctl 8
.It
automated keying:
.Xr isakmpd 8
@@ -215,6 +217,38 @@ command line.
However, another user could view the keys by using the
.Xr ps 1
command at the appropriate time (or use a program for doing so).
+.Pp
+Instead of
+.Xr ipsecadm 8 ,
+the
+.Xr ipsecctl 8
+utility can be used to define SAs.
+It uses a rule based syntax similar to
+.Xr pf.conf 5 .
+On gateway A add these lines to the file
+.Xr ipsec.conf 5 :
+.Bd -literal -offset indent
+esp from 192.168.1.13 to 192.168.1.15 spi 0xdeadbeef:0xbeefdead \e
+ authkey file "/path/to/gateA.auth:/path/to/gateB.auth" \e
+ enckey file "/path/to/gateA.enc:/path/to/gateB.enc"
+.Ed
+.Pp
+Similarly on gateway B add these lines to
+.Xr ipsec.conf 5 :
+.Bd -literal -offset indent
+esp from 192.168.1.15 to 192.168.1.13 spi 0xbeefdead:0xdeadbeef \e
+ authkey file "/path/to/gateB.auth:/path/to/gateA.auth" \e
+ enckey file "/path/to/gateB.enc:/path/to/gateA.enc"
+.Ed
+.Pp
+Note that when no authentication and encryption algorithms are defined,
+.Xr ipsecctl 8
+will automatically use HMAC-SHA2-256 for authentication and AES-128 in
+countermode for encryption.
+Therefore the authentication key needs to be 256 bits long; the encryption key
+128 bits.
+For details see
+.Xr ipsec.conf 5 .
.Ss Creating IPsec Flows [manual keying]
Both IPsec gateways need to configure
.Xr ipsec 4
@@ -244,6 +278,31 @@ On the security gateway of subnet B:
-src $GATEWAY_B -dst $GATEWAY_A \e
-addr $NETWORK_A $NETWORK_B
.Ed
+.Pp
+Again it is possible to use
+.Xr ipsecctl 8
+to define flows.
+On gateway A add this line to
+.Xr ipsec.conf 5 :
+.Bd -literal -offset indent
+flow esp from 10.0.50.0/24 to 10.0.99.0/24 peer 192.168.1.15
+.Ed
+.Pp
+And on gateway B this line:
+.Bd -literal -offset indent
+flow from 10.0.99.0/24 to 10.0.50.0/24 peer 192.168.1.13
+.Ed
+.Pp
+Note that
+.Xr ipsecctl 8
+will automatically use ESP in tunnel mode.
+For details see
+.Xr ipsec.conf 5 .
+.Pp
+To activate the SAs and flows, run this command on both gateways:
+.Bd -literal -offset indent
+# ipsecctl -f /etc/ipsec.conf
+.Ed
.Ss Configuring the Keying Daemon [automated keying]
Unless manual keying is used, both security gateways need to use the
.Xr isakmpd 8
@@ -475,18 +534,18 @@ ext_if="ne0"
# $ext_if is the only interface going to the outside.
block log on { enc0, $ext_if } all
-# Passing in encrypted traffic from security gateways
+# Pass encrypted traffic to/from security gateways
pass in proto esp from $GATEWAY_B to $GATEWAY_A
pass out proto esp from $GATEWAY_A to $GATEWAY_B
# Need to allow ipencap traffic on enc0.
pass in on enc0 proto ipencap from $GATEWAY_B to $GATEWAY_A
-# Passing in traffic from the designated subnets.
+# Pass traffic to/from the designated subnets.
pass in on enc0 from $NETWORK_B to $NETWORK_A
pass out on enc0 from $NETWORK_A to $NETWORK_B
-# Passing in isakmpd(8) traffic from the security gateways
+# Pass isakmpd(8) traffic to/from the security gateways
pass in on $ext_if proto udp from $GATEWAY_B port = 500 \e
to $GATEWAY_A port = 500
pass out on $ext_if proto udp from $GATEWAY_A port = 500 \e
@@ -664,11 +723,13 @@ Sample VPN configuration file.
.Xr enc 4 ,
.Xr ipsec 4 ,
.Xr keynote 4 ,
+.Xr ipsec.conf 5 ,
.Xr isakmpd.conf 5 ,
.Xr isakmpd.policy 5 ,
.Xr pf.conf 5 ,
.Xr ifconfig 8 ,
.Xr ipsecadm 8 ,
+.Xr ipsecctl 8 ,
.Xr isakmpd 8 ,
.Xr pfctl 8 ,
.Xr ping 8 ,