-rw-r--r--share/man/man8/vpn.8107
1 files changed, 62 insertions, 45 deletions
diff --git a/share/man/man8/vpn.8 b/share/man/man8/vpn.8
index 40bb6517e1f..c682308a1f1 100644
--- a/share/man/man8/vpn.8
+++ b/share/man/man8/vpn.8
@@ -1,4 +1,4 @@
-.\" $OpenBSD: vpn.8,v 1.41 2000/09/09 22:19:32 angelos Exp $
+.\" $OpenBSD: vpn.8,v 1.42 2000/09/27 04:45:47 angelos Exp $
.\" Copyright 1998 Niels Provos <provos@physnet.uni-hamburg.de>
.\" All rights reserved.
.\"
@@ -103,13 +103,6 @@ sysctl -w net.inet.esp.enable=1
sysctl -w net.inet.ah.enable=1
.Ed
.Pp
-and
-.Bd -literal
-sysctl -w net.inet.ip.ipsec-acl=1
-.Ed
-.Pp
-if inbound packet verification is desired (strongly recommended).
-.Pp
For security gateways, enabling packet forwarding is often
required:
.Bd -literal
@@ -194,28 +187,36 @@ On the security gateway of subnet A:
ipsecadm flow -dst B_EXTERNAL_IP -spi SPI_AB -proto esp
-addr A_EXTERNAL_IP 255.255.255.255
B_EXTERNAL_IP 255.255.255.255
+ -require -out -src A_EXTERNAL_IP
ipsecadm flow -dst B_EXTERNAL_IP -spi SPI_AB -proto esp
-addr A_INTERNAL_NETWORK A_INTERNAL_NETMASK
B_INTERNAL_NETWORK B_INTERNAL_NETMASK
+ -require -out -src A_EXTERNAL_IP
ipsecadm flow -dst B_EXTERNAL_IP -spi SPI_AB -proto esp
-addr A_EXTERNAL_IP 255.255.255.255
B_INTERNAL_NETWORK B_INTERNAL_NETMASK
+ -require -out -src A_EXTERNAL_IP
ipsecadm flow -dst B_EXTERNAL_IP -spi SPI_AB -proto esp
-addr A_INTERNAL_NETWORK A_INTERNAL_NETMASK
B_EXTERNAL_IP 255.255.255.255
+ -require -out -src A_EXTERNAL_IP
-ipsecadm flow -dst A_EXTERNAL_IP -spi SPI_BA -proto esp
+ipsecadm flow -dst B_EXTERNAL_IP -spi SPI_BA -proto esp
-addr B_EXTERNAL_IP 255.255.255.255
- A_EXTERNAL_IP 255.255.255.255 -ingress
+ A_EXTERNAL_IP 255.255.255.255
+ -require -in -src A_EXTERNAL_IP
ipsecadm flow -dst A_EXTERNAL_IP -spi SPI_BA -proto esp
-addr B_INTERNAL_NETWORK B_INTERNAL_NETMASK
- A_INTERNAL_NETWORK A_INTERNAL_NETMASK -ingress
+ A_INTERNAL_NETWORK A_INTERNAL_NETMASK
+ -require -in -src A_EXTERNAL_IP
ipsecadm flow -dst A_EXTERNAL_IP -spi SPI_BA -proto esp
-addr B_EXTERNAL_IP 255.255.255.255
- A_INTERNAL_NETWORK A_INTERNAL_NETMASK -ingress
+ A_INTERNAL_NETWORK A_INTERNAL_NETMASK
+ -require -in -src A_EXTERNAL_IP
ipsecadm flow -dst A_EXTERNAL_IP -spi SPI_BA -proto esp
-addr B_INTERNAL_NETWORK B_INTERNAL_NETMASK
- A_EXTERNAL_IP 255.255.255.255 -ingress
+ A_EXTERNAL_IP 255.255.255.255
+ -require -in -src A_EXTERNAL_IP
.Ed
.Pp
and on the security gateway of subnet B:
@@ -223,28 +224,36 @@ and on the security gateway of subnet B:
ipsecadm flow -dst A_EXTERNAL_IP -spi SPI_BA -proto esp
-addr B_EXTERNAL_IP 255.255.255.255
A_EXTERNAL_IP 255.255.255.255
+ -out -require -src B_EXTERNAL_IP
ipsecadm flow -dst A_EXTERNAL_IP -spi SPI_BA -proto esp
-addr B_INTERNAL_NETWORK B_INTERNAL_NETMASK
A_INTERNAL_NETWORK A_INTERNAL_NETMASK
+ -out -require -src B_EXTERNAL_IP
ipsecadm flow -dst A_EXTERNAL_IP -spi SPI_BA -proto esp
-addr B_EXTERNAL_IP 255.255.255.255
A_INTERNAL_NETWORK A_INTERNAL_NETMASK
+ -out -require -src B_EXTERNAL_IP
ipsecadm flow -dst A_EXTERNAL_IP -spi SPI_BA -proto esp
-addr B_INTERNAL_NETWORK B_INTERNAL_NETMASK
A_EXTERNAL_IP 255.255.255.255
+ -out -require -src B_EXTERNAL_IP
-ipsecadm flow -dst B_EXTERNAL_IP -spi SPI_AB -proto esp
+ipsecadm flow -dst A_EXTERNAL_IP -spi SPI_AB -proto esp
-addr A_EXTERNAL_IP 255.255.255.255
- B_EXTERNAL_IP 255.255.255.255 -ingress
-ipsecadm flow -dst B_EXTERNAL_IP -spi SPI_AB -proto esp
+ B_EXTERNAL_IP 255.255.255.255
+ -in -require -src B_EXTERNAL_IP
+ipsecadm flow -dst A_EXTERNAL_IP -spi SPI_AB -proto esp
-addr A_INTERNAL_NETWORK A_INTERNAL_NETMASK
- B_INTERNAL_NETWORK B_INTERNAL_NETMASK -ingress
-ipsecadm flow -dst B_EXTERNAL_IP -spi SPI_AB -proto esp
+ B_INTERNAL_NETWORK B_INTERNAL_NETMASK
+ -in -require -src B_EXTERNAL_IP
+ipsecadm flow -dst A_EXTERNAL_IP -spi SPI_AB -proto esp
-addr A_EXTERNAL_IP 255.255.255.255
- B_INTERNAL_NETWORK B_INTERNAL_NETMASK -ingress
-ipsecadm flow -dst B_EXTERNAL_IP -spi SPI_AB -proto esp
+ B_INTERNAL_NETWORK B_INTERNAL_NETMASK
+ -in -require -src B_EXTERNAL_IP
+ipsecadm flow -dst A_EXTERNAL_IP -spi SPI_AB -proto esp
-addr A_INTERNAL_NETWORK A_INTERNAL_NETMASK
- B_EXTERNAL_IP 255.255.255.255 -ingress
+ B_EXTERNAL_IP 255.255.255.255
+ -in -require -src B_EXTERNAL_IP
.Ed
.Pp
.Ss Configure and run the keying daemon [automated keying]
@@ -345,63 +354,71 @@ incoming security association):
.Bd -literal
# /sbin/ipsecadm flow -dst 192.168.2.1 -spi 1001 -proto esp \e\
-addr 192.168.1.254 255.255.255.255 \e\
- 192.168.2.1 255.255.255.255
+ 192.168.2.1 255.255.255.255 -out -require -src 192.168.1.254
# /sbin/ipsecadm flow -dst 192.168.2.1 -spi 1001 -proto esp \e\
- -addr 10.0.50.0 255.255.255.0 10.0.99.0 255.255.255.0
+ -addr 10.0.50.0 255.255.255.0 10.0.99.0 255.255.255.0 \e\
+ -require -out -src 192.168.1.254
# /sbin/ipsecadm flow -dst 192.168.2.1 -spi 1001 -proto esp \e\
-addr 192.168.1.254 255.255.255.255 \e\
- 10.0.99.0 255.255.255.0
+ 10.0.99.0 255.255.255.0 -require -out -src 192.168.1.254
# /sbin/ipsecadm flow -dst 192.168.2.1 -spi 1001 -proto esp \e\
- -addr 10.0.50.0 255.255.255.0 192.168.2.1 255.255.255.255
+ -addr 10.0.50.0 255.255.255.0 192.168.2.1 255.255.255.255 \e\
+ -require -out -src 192.168.1.254
-# /sbin/ipsecadm flow -dst 192.168.1.254 -spi 1000 -proto esp \e\
+# /sbin/ipsecadm flow -dst 192.168.2.1 -spi 1000 -proto esp \e\
-addr 192.168.2.1 255.255.255.255 \e\
- 192.168.1.254 255.255.255.255 -ingress
+ 192.168.1.254 255.255.255.255 -require -in -src 192.168.1.254
-# /sbin/ipsecadm flow -dst 192.168.1.254 -spi 1000 -proto esp \e\
- -addr 10.0.99.0 255.255.255.0 10.0.50.0 255.255.255.0 -ingress
+# /sbin/ipsecadm flow -dst 192.168.2.1 -spi 1000 -proto esp \e\
+ -addr 10.0.99.0 255.255.255.0 10.0.50.0 255.255.255.0 \e\
+ -require -in -src 192.168.1.254
-# /sbin/ipsecadm flow -dst 192.168.1.254 -spi 1000 -proto esp \e\
+# /sbin/ipsecadm flow -dst 192.168.2.1 -spi 1000 -proto esp \e\
-addr 192.168.2.1 255.255.255.255 \e\
- 10.0.50.0 255.255.255.0 -ingress
+ 10.0.50.0 255.255.255.0 -require -in -src 192.168.1.254
-# /sbin/ipsecadm flow -dst 192.168.1.254 -spi 1000 -proto esp \e\
+# /sbin/ipsecadm flow -dst 192.168.2.1 -spi 1000 -proto esp \e\
-addr 10.0.99.0 255.255.255.0 \e\
- 192.168.1.254 255.255.255.255 -ingress
+ 192.168.1.254 255.255.255.255 -require -in -src 192.168.1.254
.Ed
.It
Create the ipsec flows on machine B:
.Bd -literal
# /sbin/ipsecadm flow -dst 192.168.1.254 -spi 1000 -proto esp \e\
-addr 192.168.2.1 255.255.255.255 \e\
- 192.168.1.254 255.255.255.255
+ 192.168.1.254 255.255.255.255 \e\
+ -require -out -src 192.168.2.1
# /sbin/ipsecadm flow -dst 192.168.1.254 -spi 1000 -proto esp \e\
- -addr 10.0.99.0 255.255.255.0 10.0.50.0 255.255.255.0
+ -addr 10.0.99.0 255.255.255.0 10.0.50.0 255.255.255.0 \e\
+ -require -out -src 192.168.2.1
# /sbin/ipsecadm flow -dst 192.168.1.254 -spi 1000 -proto esp \e\
-addr 192.168.2.1 255.255.255.255 \e\
- 10.0.50.0 255.255.255.0
+ 10.0.50.0 255.255.255.0 -require -out -src 192.168.2.1
# /sbin/ipsecadm flow -dst 192.168.1.254 -spi 1000 -proto esp \e\
- -addr 10.0.99.0 255.255.255.0 192.168.1.254 255.255.255.255
+ -addr 10.0.99.0 255.255.255.0 192.168.1.254 255.255.255.255 \e\
+ -require -out -src 192.168.2.1
-# /sbin/ipsecadm flow -dst 192.168.2.1 -spi 1001 -proto esp \e\
+# /sbin/ipsecadm flow -dst 192.168.1.254 -spi 1001 -proto esp \e\
-addr 192.168.1.254 255.255.255.255 \e\
- 192.168.2.1 255.255.255.255 -ingress
+ 192.168.2.1 255.255.255.255 -require -in -src 192.168.2.1
-# /sbin/ipsecadm flow -dst 192.168.2.1 -spi 1001 -proto esp \e\
- -addr 10.0.50.0 255.255.255.0 10.0.99.0 255.255.255.0 -ingress
+# /sbin/ipsecadm flow -dst 192.168.1.254 -spi 1001 -proto esp \e\
+ -addr 10.0.50.0 255.255.255.0 10.0.99.0 255.255.255.0 \e\
+ -require -in -src 192.168.2.1
-# /sbin/ipsecadm flow -dst 192.168.2.1 -spi 1001 -proto esp \e\
+# /sbin/ipsecadm flow -dst 192.168.1.254 -spi 1001 -proto esp \e\
-addr 192.168.1.254 255.255.255.255 \e\
- 10.0.99.0 255.255.255.0 -ingress
+ 10.0.99.0 255.255.255.0 -require -in -src 192.168.2.1
-# /sbin/ipsecadm flow -dst 192.168.2.1 -spi 1001 -proto esp \e\
- -addr 10.0.50.0 255.255.255.0 192.168.2.1 255.255.255.255 -ingress
+# /sbin/ipsecadm flow -dst 192.168.1.254 -spi 1001 -proto esp \e\
+ -addr 10.0.50.0 255.255.255.0 192.168.2.1 255.255.255.255 \e\
+ -require -in -src 192.168.2.1
.Ed
.It
Configure the firewall rules on machine A: