-rw-r--r-- | share/man/man8/vpn.8 | 107 |
1 files changed, 62 insertions, 45 deletions
diff --git a/share/man/man8/vpn.8 b/share/man/man8/vpn.8
index 40bb6517e1f..c682308a1f1 100644
--- a/share/man/man8/vpn.8
+++ b/share/man/man8/vpn.8
@@ -1,4 +1,4 @@
-.\" $OpenBSD: vpn.8,v 1.41 2000/09/09 22:19:32 angelos Exp $
+.\" $OpenBSD: vpn.8,v 1.42 2000/09/27 04:45:47 angelos Exp $
 .\" Copyright 1998 Niels Provos <provos@physnet.uni-hamburg.de>
 .\" All rights reserved.
 .\"
@@ -103,13 +103,6 @@ sysctl -w net.inet.esp.enable=1
 sysctl -w net.inet.ah.enable=1
 .Ed
 .Pp
-and
-.Bd -literal
-sysctl -w net.inet.ip.ipsec-acl=1
-.Ed
-.Pp
-if inbound packet verification is desired (strongly recommended).
-.Pp
 For security gateways, enabling packet forwarding is often required:
 .Bd -literal
@@ -194,28 +187,36 @@ On the security gateway of subnet A:
 ipsecadm flow -dst B_EXTERNAL_IP -spi SPI_AB -proto esp
 	-addr A_EXTERNAL_IP 255.255.255.255 B_EXTERNAL_IP 255.255.255.255
+	-require -out -src A_EXTERNAL_IP
 ipsecadm flow -dst B_EXTERNAL_IP -spi SPI_AB -proto esp
 	-addr A_INTERNAL_NETWORK A_INTERNAL_NETMASK B_INTERNAL_NETWORK B_INTERNAL_NETMASK
+	-require -out -src A_EXTERNAL_IP
 ipsecadm flow -dst B_EXTERNAL_IP -spi SPI_AB -proto esp
 	-addr A_EXTERNAL_IP 255.255.255.255 B_INTERNAL_NETWORK B_INTERNAL_NETMASK
+	-require -out -src A_EXTERNAL_IP
 ipsecadm flow -dst B_EXTERNAL_IP -spi SPI_AB -proto esp
 	-addr A_INTERNAL_NETWORK A_INTERNAL_NETMASK B_EXTERNAL_IP 255.255.255.255
+	-require -out -src A_EXTERNAL_IP
-ipsecadm flow -dst A_EXTERNAL_IP -spi SPI_BA -proto esp
+ipsecadm flow -dst B_EXTERNAL_IP -spi SPI_BA -proto esp
 	-addr B_EXTERNAL_IP 255.255.255.255
-	A_EXTERNAL_IP 255.255.255.255 -ingress
+	A_EXTERNAL_IP 255.255.255.255
+	-require -in -src A_EXTERNAL_IP
 ipsecadm flow -dst A_EXTERNAL_IP -spi SPI_BA -proto esp
 	-addr B_INTERNAL_NETWORK B_INTERNAL_NETMASK
-	A_INTERNAL_NETWORK A_INTERNAL_NETMASK -ingress
+	A_INTERNAL_NETWORK A_INTERNAL_NETMASK
+	-require -in -src A_EXTERNAL_IP
 ipsecadm flow -dst A_EXTERNAL_IP -spi SPI_BA -proto esp
 	-addr B_EXTERNAL_IP 255.255.255.255
-	A_INTERNAL_NETWORK A_INTERNAL_NETMASK -ingress
+	A_INTERNAL_NETWORK A_INTERNAL_NETMASK
+	-require -in -src A_EXTERNAL_IP
 ipsecadm flow -dst A_EXTERNAL_IP -spi SPI_BA -proto esp
 	-addr B_INTERNAL_NETWORK B_INTERNAL_NETMASK
-	A_EXTERNAL_IP 255.255.255.255 -ingress
+	A_EXTERNAL_IP 255.255.255.255
+	-require -in -src A_EXTERNAL_IP
 .Ed
 .Pp
 and on the security gateway of subnet B:
@@ -223,28 +224,36 @@ and on the security gateway of subnet B:
 ipsecadm flow -dst A_EXTERNAL_IP -spi SPI_BA -proto esp
 	-addr B_EXTERNAL_IP 255.255.255.255 A_EXTERNAL_IP 255.255.255.255
+	-out -require -src B_EXTERNAL_IP
 ipsecadm flow -dst A_EXTERNAL_IP -spi SPI_BA -proto esp
 	-addr B_INTERNAL_NETWORK B_INTERNAL_NETMASK A_INTERNAL_NETWORK A_INTERNAL_NETMASK
+	-out -require -src B_EXTERNAL_IP
 ipsecadm flow -dst A_EXTERNAL_IP -spi SPI_BA -proto esp
 	-addr B_EXTERNAL_IP 255.255.255.255 A_INTERNAL_NETWORK A_INTERNAL_NETMASK
+	-out -require -src B_EXTERNAL_IP
 ipsecadm flow -dst A_EXTERNAL_IP -spi SPI_BA -proto esp
 	-addr B_INTERNAL_NETWORK B_INTERNAL_NETMASK A_EXTERNAL_IP 255.255.255.255
+	-out -require -src B_EXTERNAL_IP
-ipsecadm flow -dst B_EXTERNAL_IP -spi SPI_AB -proto esp
+ipsecadm flow -dst A_EXTERNAL_IP -spi SPI_AB -proto esp
 	-addr A_EXTERNAL_IP 255.255.255.255
-	B_EXTERNAL_IP 255.255.255.255 -ingress
-ipsecadm flow -dst B_EXTERNAL_IP -spi SPI_AB -proto esp
+	B_EXTERNAL_IP 255.255.255.255
+	-in -require -src B_EXTERNAL_IP
+ipsecadm flow -dst A_EXTERNAL_IP -spi SPI_AB -proto esp
 	-addr A_INTERNAL_NETWORK A_INTERNAL_NETMASK
-	B_INTERNAL_NETWORK B_INTERNAL_NETMASK -ingress
-ipsecadm flow -dst B_EXTERNAL_IP -spi SPI_AB -proto esp
+	B_INTERNAL_NETWORK B_INTERNAL_NETMASK
+	-in -require -src B_EXTERNAL_IP
+ipsecadm flow -dst A_EXTERNAL_IP -spi SPI_AB -proto esp
 	-addr A_EXTERNAL_IP 255.255.255.255
-	B_INTERNAL_NETWORK B_INTERNAL_NETMASK -ingress
-ipsecadm flow -dst B_EXTERNAL_IP -spi SPI_AB -proto esp
+	B_INTERNAL_NETWORK B_INTERNAL_NETMASK
+	-in -require -src B_EXTERNAL_IP
+ipsecadm flow -dst A_EXTERNAL_IP -spi SPI_AB -proto esp
 	-addr A_INTERNAL_NETWORK A_INTERNAL_NETMASK
-	B_EXTERNAL_IP 255.255.255.255 -ingress
+	B_EXTERNAL_IP 255.255.255.255
+	-in -require -src B_EXTERNAL_IP
 .Ed
 .Pp
 .Ss Configure and run the keying daemon [automated keying]
@@ -345,63 +354,71 @@ incoming security association):
 .Bd -literal
 # /sbin/ipsecadm flow -dst 192.168.2.1 -spi 1001 -proto esp \e\
 	-addr 192.168.1.254 255.255.255.255 \e\
-	192.168.2.1 255.255.255.255
+	192.168.2.1 255.255.255.255 -out -require -src 192.168.1.254
 # /sbin/ipsecadm flow -dst 192.168.2.1 -spi 1001 -proto esp \e\
-	-addr 10.0.50.0 255.255.255.0 10.0.99.0 255.255.255.0
+	-addr 10.0.50.0 255.255.255.0 10.0.99.0 255.255.255.0 \e\
+	-require -out -src 192.168.1.254
 # /sbin/ipsecadm flow -dst 192.168.2.1 -spi 1001 -proto esp \e\
 	-addr 192.168.1.254 255.255.255.255 \e\
-	10.0.99.0 255.255.255.0
+	10.0.99.0 255.255.255.0 -require -out -src 192.168.1.254
 # /sbin/ipsecadm flow -dst 192.168.2.1 -spi 1001 -proto esp \e\
-	-addr 10.0.50.0 255.255.255.0 192.168.2.1 255.255.255.255
+	-addr 10.0.50.0 255.255.255.0 192.168.2.1 255.255.255.255 \e\
+	-require -out -src 192.168.1.254
-# /sbin/ipsecadm flow -dst 192.168.1.254 -spi 1000 -proto esp \e\
+# /sbin/ipsecadm flow -dst 192.168.2.1 -spi 1000 -proto esp \e\
 	-addr 192.168.2.1 255.255.255.255 \e\
-	192.168.1.254 255.255.255.255 -ingress
+	192.168.1.254 255.255.255.255 -require -in -src 192.168.1.254
-# /sbin/ipsecadm flow -dst 192.168.1.254 -spi 1000 -proto esp \e\
-	-addr 10.0.99.0 255.255.255.0 10.0.50.0 255.255.255.0 -ingress
+# /sbin/ipsecadm flow -dst 192.168.2.1 -spi 1000 -proto esp \e\
+	-addr 10.0.99.0 255.255.255.0 10.0.50.0 255.255.255.0 \e\
+	-require -in -src 192.168.1.254
-# /sbin/ipsecadm flow -dst 192.168.1.254 -spi 1000 -proto esp \e\
+# /sbin/ipsecadm flow -dst 192.168.2.1 -spi 1000 -proto esp \e\
 	-addr 192.168.2.1 255.255.255.255 \e\
-	10.0.50.0 255.255.255.0 -ingress
+	10.0.50.0 255.255.255.0 -require -in -src 192.168.1.254
-# /sbin/ipsecadm flow -dst 192.168.1.254 -spi 1000 -proto esp \e\
+# /sbin/ipsecadm flow -dst 192.168.2.1 -spi 1000 -proto esp \e\
 	-addr 10.0.99.0 255.255.255.0 \e\
-	192.168.1.254 255.255.255.255 -ingress
+	192.168.1.254 255.255.255.255 -require -in -src 192.168.1.254
 .Ed
 .It
 Create the ipsec flows on machine B:
 .Bd -literal
 # /sbin/ipsecadm flow -dst 192.168.1.254 -spi 1000 -proto esp \e\
 	-addr 192.168.2.1 255.255.255.255 \e\
-	192.168.1.254 255.255.255.255
+	192.168.1.254 255.255.255.255 \e\
+	-require -out -src 192.168.2.1
 # /sbin/ipsecadm flow -dst 192.168.1.254 -spi 1000 -proto esp \e\
-	-addr 10.0.99.0 255.255.255.0 10.0.50.0 255.255.255.0
+	-addr 10.0.99.0 255.255.255.0 10.0.50.0 255.255.255.0 \e\
+	-require -out -src 192.168.2.1
 # /sbin/ipsecadm flow -dst 192.168.1.254 -spi 1000 -proto esp \e\
 	-addr 192.168.2.1 255.255.255.255 \e\
-	10.0.50.0 255.255.255.0
+	10.0.50.0 255.255.255.0 -require -out -src 192.168.2.1
 # /sbin/ipsecadm flow -dst 192.168.1.254 -spi 1000 -proto esp \e\
-	-addr 10.0.99.0 255.255.255.0 192.168.1.254 255.255.255.255
+	-addr 10.0.99.0 255.255.255.0 192.168.1.254 255.255.255.255 \e\
+	-require -out -src 192.168.2.1
-# /sbin/ipsecadm flow -dst 192.168.2.1 -spi 1001 -proto esp \e\
+# /sbin/ipsecadm flow -dst 192.168.1.254 -spi 1001 -proto esp \e\
 	-addr 192.168.1.254 255.255.255.255 \e\
-	192.168.2.1 255.255.255.255 -ingress
+	192.168.2.1 255.255.255.255 -require -in -src 192.168.2.1
-# /sbin/ipsecadm flow -dst 192.168.2.1 -spi 1001 -proto esp \e\
-	-addr 10.0.50.0 255.255.255.0 10.0.99.0 255.255.255.0 -ingress
+# /sbin/ipsecadm flow -dst 192.168.1.254 -spi 1001 -proto esp \e\
+	-addr 10.0.50.0 255.255.255.0 10.0.99.0 255.255.255.0 \e\
+	-require -in -src 192.168.2.1
-# /sbin/ipsecadm flow -dst 192.168.2.1 -spi 1001 -proto esp \e\
+# /sbin/ipsecadm flow -dst 192.168.1.254 -spi 1001 -proto esp \e\
 	-addr 192.168.1.254 255.255.255.255 \e\
-	10.0.99.0 255.255.255.0 -ingress
+	10.0.99.0 255.255.255.0 -require -in -src 192.168.2.1
-# /sbin/ipsecadm flow -dst 192.168.2.1 -spi 1001 -proto esp \e\
-	-addr 10.0.50.0 255.255.255.0 192.168.2.1 255.255.255.255 -ingress
+# /sbin/ipsecadm flow -dst 192.168.1.254 -spi 1001 -proto esp \e\
+	-addr 10.0.50.0 255.255.255.0 192.168.2.1 255.255.255.255 \e\
+	-require -in -src 192.168.2.1
 .Ed
 .It
 Configure the firewall rules on machine A:
|