Diffstat (limited to 'sbin/ipsec/photurisd/README.howtouse')
-rw-r--r--sbin/ipsec/photurisd/README.howtouse76
1 files changed, 76 insertions, 0 deletions
diff --git a/sbin/ipsec/photurisd/README.howtouse b/sbin/ipsec/photurisd/README.howtouse
new file mode 100644
index 00000000000..ba8b337a1c1
--- /dev/null
+++ b/sbin/ipsec/photurisd/README.howtouse
@@ -0,0 +1,76 @@
+
+ How to use Photuris with IPSec ?
+
+What is IPSec ?
+
+ IP Security is a framework providing authentication/integrity and
+ privacy to network traffic. Authenticated data can not be modified by
+ third parties and encryption conceals the content of packets.
+
+What has Photuris to do with IPSec ?
+
+ In order to transmit encrypted or authenticated data between two
+ hosts, those two hosts have to aggree on session keys which are used
+ as input for the encryption and authenication functions.
+
+ The Photuris protocol exchanges keys in such a way that no
+ eavesdropper will have knowledge of the session keys. It also allows
+ for frequent changes of the session keys, forward secrecy and party
+ privacy protection.
+
+How to get it working ?
+
+ Compiling the daemon
+
+ Get the Photuris sources and also the following libraries:
+ gmp-2.0.2 and libdes-4.01. Put those libraries in one dir and if
+ you like you can do the following steps afterwards:
+
+1. tar -xvzf Photuris-src.tar.gz
+2. tar -xvzf gmp-2.0.2.tar.gz; cd gmp-2.0.2; ./configure; make
+3. mkdir des; cd des; tar -xvzf ../libdes-4.01.tar.gz; make
+4. cd Photuris
+5. make (edit the Makefile and remove -DDEBUG, if you dont want to see what
+ happens, or remove -DIPSEC if you dont want to actually setup encrypted
+ and authenticated connections within the kernel)
+6. start ./photurid on two hosts.
+7. ./startkey host1 (for example ./startkey 134.100.33.22)
+
+ If you compiled the photuris daemon with -DDEBUG you should see an
+ exchange of values now and finally the shared secret from which the
+ session keys are derived.
+
+ If you compiled the photuris daemon with -IPSEC and also have a kernel
+ with IPSEC compiled into it, you could start for example
+
+8. tcpdump proto 51 &
+9. telnet host1
+
+ and see the authenticated packets flowing between the two hosts. Look
+ at the output of
+
+10. cat /kern/ipsec
+11. netstat -rn
+
+ will show you some information also.
+
+ Enabling IPSEC in the OpenBSD kernel
+
+ Add the following two lines into your kernel config file:
+config IPSEC
+pseudo-device enc 4
+
+ Possible configuration
+
+ There are three files which can be configured locally.
+ * photuris.conf - contains the moduli for the Diffie-Hellmann
+ Keyexchange, the offered schemes and various timeouts.
+ * attributes.conf - the attributes which are offered to different
+ parties
+ * secrets.conf - the preconfigured symmetric secrets which should
+ hopefully soon be replaced by public keys.
+
+ _________________________________________________________________
+
+ If you have any questions write mail to
+ provos@physnet.uni-hamburg.de
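Review bot: the build and run instructions in this hunk are inconsistent with each other and with the file's own location. Step 6 tells the reader to start `./photurid`, while the directory is `sbin/ipsec/photurisd` and the text elsewhere speaks of "the photuris daemon"; the paragraph after step 7 refers to compiling "with -IPSEC" where step 5 uses `-DIPSEC`. Both should name the same binary and the same define, otherwise a reader following the steps literally gets a missing-file error. Two smaller points on the same hunk: the "Possible configuration" section says `secrets.conf` holds preconfigured symmetric secrets but does not say where the daemon reads these files from or what ownership and permissions they need, which is the first thing an operator will ask; and the spelling should be fixed while the file is new ("aggree", "authenication", "dont", "Diffie-Hellmann" for Diffie-Hellman).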