Diffstat (limited to 'share')
-rw-r--r--  share/Makefile                  |   4
-rw-r--r--  share/ipsec/Makefile            |  12
-rw-r--r--  share/ipsec/rc.vpn              | 104
-rw-r--r--  share/man/man4/bridge.4         |   6
-rw-r--r--  share/man/man4/enc.4            |   9
-rw-r--r--  share/man/man4/ipcomp.4         |   8
-rw-r--r--  share/man/man4/ipsec.4          |  20
-rw-r--r--  share/man/man4/tcp.4            |   5
-rw-r--r--  share/man/man5/hostname.if.5    |   4
-rw-r--r--  share/man/man8/Makefile         |   4
-rw-r--r--  share/man/man8/vpn.8            | 734
11 files changed, 23 insertions, 887 deletions
diff --git a/share/Makefile b/share/Makefile
index 29f415a0cb0..8774a9e094e 100644
--- a/share/Makefile
+++ b/share/Makefile
@@ -1,6 +1,6 @@
-# $OpenBSD: Makefile,v 1.12 2005/08/08 05:53:01 espie Exp $
+# $OpenBSD: Makefile,v 1.13 2006/05/26 04:02:58 deraadt Exp $
-SUBDIR= dict doc ipsec lkm locale man misc mk tabset termtypes \
+SUBDIR= dict doc lkm locale man misc mk tabset termtypes \
tmac zoneinfo pf
.include <bsd.subdir.mk>
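Review bot: dropping `ipsec` from SUBDIR stops installing /usr/share/ipsec/rc.vpn on new builds but leaves the copy already present on upgraded systems in place; since the vpn(8) page deleted later in this commit lists that path under FILES as the sample VPN configuration, mention its removal (and the replacement, ipsec.conf(5)) in the upgrade notes so users do not keep running the stale ipsecadm-based script.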
diff --git a/share/ipsec/Makefile b/share/ipsec/Makefile
deleted file mode 100644
index 782c0b45ea1..00000000000
--- a/share/ipsec/Makefile
+++ /dev/null
@@ -1,12 +0,0 @@
-#
-# $OpenBSD: Makefile,v 1.4 2002/09/06 22:06:29 deraadt Exp $
-#
-FILES= rc.vpn
-NOOBJ= noobj
-
-all clean cleandir depend lint tags:
-
-install:
- install -c -m 0444 ${FILES} ${DESTDIR}${BINDIR}/ipsec
-
-.include <bsd.prog.mk>
diff --git a/share/ipsec/rc.vpn b/share/ipsec/rc.vpn
deleted file mode 100644
index cec9fb979b6..00000000000
--- a/share/ipsec/rc.vpn
+++ /dev/null
@@ -1,104 +0,0 @@
-#!/bin/sh
-# $OpenBSD: rc.vpn,v 1.21 2004/02/25 08:42:38 jmc Exp $
-#
-# Richard Reiner, Ph.D., FSC Internet Corp.
-# rreiner@fscinternet.com
-# v0.81 / 26Jul98
-#
-# Modifications and cleanup by H. Olsson <ho@openbsd.org>, 28Aug99
-# and Markus Friedl <markus@openbsd.org>
-#
-# rc.vpn -- configure IPsec in tunnel mode for a mesh of N local and
-# M remote networks. (N x M mesh)
-#
-# For this to work, you will need to have these enabled (in /etc/sysctl.conf):
-# 'sysctl net.inet.ip.forwarding=1' (IP packet routing)
-# 'sysctl net.inet.esp.enable=1' (IPsec ESP protocol)
-
-# XXX The configuration parameters should be moved to another file.
-
-# Uncomment to debug (and not execute) commands
-DEBUG=echo
-
-# Gateway addresses
-GW_LOCAL=192.168.254.254
-GW_REMOTE=192.168.1.2
-
-# Local and remote networks
-LOCAL_NETWORKS="192.168.254.0/24 192.168.253.0/24"
-REMOTE_NETWORKS="192.168.1.0/24 192.168.2.0/24"
-
-# Optional, use for manual keying only
-# Crypto options and keys, note that key/iv lengths need to correspond
-# to the selected encryption and authentication algorithms.
-ENC=3des
-AUTH=sha1
-SPI_OUT=1000
-SPI_IN=1001
-KEYFILE=/etc/esp-enc-key
-AUTHKEYFILE=/etc/esp-auth-key
-
-#############################################################################
-############# -- NO CHANGES SHOULD BE NEEDED BELOW THIS LINE -- #############
-#############################################################################
-
-ipsecadm=/sbin/ipsecadm
-
-#
-# Sanity, be verbose about errors.
-# XXX In a 1 x M mesh, ip.forwarding may not be strictly necessary.
-#
-
-abort=0
-if [ `/usr/sbin/sysctl -n net.inet.esp.enable` == 0 ]; then
- echo "$0: variable 'net.inet.esp.enable=0' (IPsec ESP protocol)"
- abort=1
-fi
-if [ `/usr/sbin/sysctl -n net.inet.ip.forwarding` == 0 ]; then
- echo "$0: variable 'net.inet.ip.forwarding=0' (IP forwarding/routing)"
- abort=1
-fi
-if [ ${abort} = 1 ]; then
- echo "$0: must be enabled in /etc/sysctl.conf. Aborting VPN setup."
- [ ! -n "${DEBUG}" ] && exit 0
-fi
-
-$DEBUG $ipsecadm flush
-
-#
-# Setup the manual SAs
-#
-
-if [ "$ENC" ]; then
- $DEBUG $ipsecadm new esp -src $GW_LOCAL -dst $GW_REMOTE \
- -forcetunnel -spi $SPI_OUT -enc $ENC -auth $AUTH \
- -keyfile $KEYFILE -authkeyfile $AUTHKEYFILE
-
- $DEBUG $ipsecadm new esp -src $GW_REMOTE -dst $GW_LOCAL \
- -forcetunnel -spi $SPI_IN -enc $ENC -auth $AUTH \
- -keyfile $KEYFILE -authkeyfile $AUTHKEYFILE
-fi
-
-#
-# Setup the Flows, aka SPD
-#
-
-# add the gateways
-LOCAL_NETWORKS="${GW_LOCAL}/32 ${LOCAL_NETWORKS}"
-REMOTE_NETWORKS="${GW_REMOTE}/32 ${REMOTE_NETWORKS}"
-# but allow ESP in the clear
-BYPASS="$DEBUG ${ipsecadm} flow -transport esp -src ${GW_LOCAL} -dst ${GW_REMOTE} -bypass"
-$BYPASS -out -addr ${GW_LOCAL}/32 ${GW_REMOTE}/32
-$BYPASS -in -addr ${GW_REMOTE}/32 ${GW_LOCAL}/32
-
-FLOW="$DEBUG ${ipsecadm} flow -proto esp -src ${GW_LOCAL} -dst ${GW_REMOTE} -require"
-
-# each local net to each remote net
-for local_net in ${LOCAL_NETWORKS}; do
- for remote_net in ${REMOTE_NETWORKS}; do
- $FLOW -out -addr $local_net $remote_net
- $FLOW -in -addr $remote_net $local_net
- done
-done
-
-exit 0
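Review bot: removing this script is consistent with the ipsecadm(8) to ipsecctl(8) rename in the manual-page hunks below, but the deletion leaves no shipped sample for the N x M tunnel mesh it implemented; the commit message should point users at ipsec.conf(5) for the equivalent `esp`/`flow` rules. For the record, the script as shipped was inert unless edited: `DEBUG=echo` is active at line 75, so every ipsecadm call was only printed, its `[ ... == 0 ]` tests are a non-POSIX bashism under /bin/sh, and on a failed sanity check it exits with status 0, so an rc caller could not detect the abort.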
diff --git a/share/man/man4/bridge.4 b/share/man/man4/bridge.4
index a4e2afcd39f..6cd93d2f77f 100644
--- a/share/man/man4/bridge.4
+++ b/share/man/man4/bridge.4
@@ -1,4 +1,4 @@
-.\" $OpenBSD: bridge.4,v 1.59 2006/05/09 19:03:04 jmc Exp $
+.\" $OpenBSD: bridge.4,v 1.60 2006/05/26 04:02:59 deraadt Exp $
.\"
.\" Copyright (c) 1999-2001 Jason L. Wright (jason@thought.net)
.\" All rights reserved.
@@ -596,7 +596,7 @@ interface, the bridge will also perform transparent
.Xr ipsec 4
processing on the packets (encrypt or decrypt them), according to the
policies set with the
-.Xr ipsecadm 8
+.Xr ipsecctl 8
command by the administrator.
If appropriate security associations (SAs) do not exist, any key
management daemons such as
@@ -619,7 +619,7 @@ and certificates, to impersonate the protected host(s)).
.Xr pf 4 ,
.Xr bridgename.if 5 ,
.Xr brconfig 8 ,
-.Xr ipsecadm 8 ,
+.Xr ipsecctl 8 ,
.Xr isakmpd 8 ,
.Xr netstart 8
.Sh HISTORY
diff --git a/share/man/man4/enc.4 b/share/man/man4/enc.4
index cfbd8b2d9e7..b1b43f734ac 100644
--- a/share/man/man4/enc.4
+++ b/share/man/man4/enc.4
@@ -1,4 +1,4 @@
-.\" $OpenBSD: enc.4,v 1.20 2005/04/17 12:31:38 jmc Exp $
+.\" $OpenBSD: enc.4,v 1.21 2006/05/26 04:02:59 deraadt Exp $
.\"
.\" Copyright (c) 1999 Angelos D. Keromytis
.\" All rights reserved.
@@ -45,9 +45,6 @@ firewalls to filter
.Xr ipsec 4
traffic using
.Xr pf 4 .
-The
-.Xr vpn 8
-manpage shows an example of such a setup.
.Pp
The
.Nm
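Review bot: deleting the three lines leaves "filter ipsec(4) traffic using pf(4)." with no pointer to any worked example, and the vpn(8) ruleset being removed in this commit was the only place showing the `block log on { enc0, $ext_if } all` pattern for the enc(4) interface; rather than dropping the sentence outright, replace it with a reference to pf.conf(5) or to ipsec.conf(5) so the reader still has somewhere to look.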
@@ -79,5 +76,5 @@ or all incoming packets after they have been similarly processed:
.Xr ipsec 4 ,
.Xr netintro 4 ,
.Xr pf 4 ,
-.Xr tcpdump 8 ,
-.Xr vpn 8
+.Xr tcpdump 8
+
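Review bot: the added empty `+` line after `.Xr tcpdump 8` is a stray trailing blank line at end of file; blank lines in mdoc source are rendered as vertical space and trip lint checks, so drop it. Removing the trailing comma from the tcpdump entry is correct now that it is the last item in SEE ALSO.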
diff --git a/share/man/man4/ipcomp.4 b/share/man/man4/ipcomp.4
index 1f53cf6673f..dd24bfbba52 100644
--- a/share/man/man4/ipcomp.4
+++ b/share/man/man4/ipcomp.4
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ipcomp.4,v 1.12 2005/04/08 18:44:03 jmc Exp $
+.\" $OpenBSD: ipcomp.4,v 1.13 2006/05/26 04:02:59 deraadt Exp $
.\"
.\" Copyright (c) 2001 Jean-Jacques Bernard-Gundol <jj@wabbitt.org>
.\" All rights reserved.
@@ -68,10 +68,10 @@ Compression Parameter Index (CPI).
An IPCA is the pendant of the SA (Security Association) for IPsec.
.Pp
Currently, IPCA can be created using the
-.Xr ipsecadm 8
+.Xr ipsecctl 8
tool.
Using
-.Xr ipsecadm 8
+.Xr ipsecctl 8
it is also possible to create IPComp flows and SA/IPCA
bundles.
Such a bundle is used to create a combination of IPsec and IPComp
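Review bot: a straight rename from ipsecadm(8) to ipsecctl(8) leaves unchanged the claim that the tool creates IPComp flows and SA/IPCA bundles; confirm that ipsec.conf(5) can actually express IPCAs and bundles before committing, otherwise reword these sentences rather than just swapping the tool name, since the text would then document a capability the referenced tool does not have.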
@@ -115,7 +115,7 @@ displays information about IPComp flows.
.Xr ip 4 ,
.Xr ipsec 4 ,
.Xr netintro 4 ,
-.Xr ipsecadm 8 ,
+.Xr ipsecctl 8 ,
.Xr sysctl 8
.Sh HISTORY
The
diff --git a/share/man/man4/ipsec.4 b/share/man/man4/ipsec.4
index cf30daf363d..7b8ba5eb670 100644
--- a/share/man/man4/ipsec.4
+++ b/share/man/man4/ipsec.4
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ipsec.4,v 1.69 2005/12/12 11:56:47 jmc Exp $
+.\" $OpenBSD: ipsec.4,v 1.70 2006/05/26 04:02:59 deraadt Exp $
.\"
.\" Copyright 1997 Niels Provos <provos@physnet.uni-hamburg.de>
.\" All rights reserved.
@@ -89,7 +89,7 @@ by replaying it verbatim cause the peer to think a new message
(withdrawal request) had been received.
WARNING: as per the standard's specification, replay protection is not
performed when using manual-keyed IPsec (e.g. when using
-.Xr ipsecadm 8 ) .
+.Xr ipsecctl 8 ) .
.El
.Ss IPsec Protocols
IPsec provides these services using two new protocols:
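Review bot: the parenthetical now reads "manual-keyed IPsec (e.g. when using ipsecctl(8))", which implies that using ipsecctl(8) is what makes a setup manually keyed; a later hunk in this same file says SAs are set up manually with ipsecctl(8) or automatically with isakmpd(8), so the tool is not the distinguishing factor. Suggest "(e.g. for SAs created manually with ipsecctl(8))" so the replay-protection caveat stays tied to manual keying, which is the security-relevant point.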
@@ -155,9 +155,7 @@ using the information in the other end's SA.
The only issue remaining is to ensure that both ends have matching SAs.
This may be done manually, or automatically using a key management daemon.
.Pp
-Further information on manual SA establishment is described in both
-.Xr ipsecadm 8
-and
+Further information on manual SA establishment is described in
.Xr ipsecctl 8 .
Information on automated key management may be found in
.Xr isakmpd 8 .
@@ -191,8 +189,6 @@ An SA will contain information specifying
whether it is a tunnel or transport mode SA,
and for tunnels it will contain values to fill in into the outer IP header.
.Pp
-Further information on setting up VPNs is described in
-.Xr vpn 8 .
.Ss Lifetimes
The SA also holds a couple of other parameters, especially useful for
automatic keying, called lifetimes, which puts a limit on how much we can
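Review bot: after the two `-` lines go, the `.Pp` on the context line immediately precedes `.Ss Lifetimes`; a paragraph macro directly before a subsection header is redundant and mandoc's lint warns about it, so remove that `.Pp` as part of this hunk.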
@@ -258,11 +254,9 @@ it is processed by the PF/NAT code.
Unless PF drops the packet, it will then be IPsec-processed, even if the
packet has been modified by NAT.
.Pp
-Security Associations can be set up manually with the
-.Xr ipsecadm 8
-and
+Security Associations can be set up manually with
.Xr ipsecctl 8
-utilities, or automatically with the
+or automatically with the
.Xr isakmpd 8
key management daemon.
.Ss Additional Variables
@@ -391,11 +385,9 @@ flag (look for ``tdb'' and ``xform'' allocations).
.Xr options 4 ,
.Xr tcp 4 ,
.Xr udp 4 ,
-.Xr ipsecadm 8 ,
.Xr ipsecctl 8 ,
.Xr isakmpd 8 ,
-.Xr sysctl 8 ,
-.Xr vpn 8
+.Xr sysctl 8
.Sh HISTORY
The IPsec protocol design process was started in 1992 by
John Ioannidis, Phil Karn, and William Allen Simpson.
diff --git a/share/man/man4/tcp.4 b/share/man/man4/tcp.4
index f25973bf097..dda2d606aa7 100644
--- a/share/man/man4/tcp.4
+++ b/share/man/man4/tcp.4
@@ -1,4 +1,4 @@
-.\" $OpenBSD: tcp.4,v 1.17 2005/07/10 08:30:51 hshoexer Exp $
+.\" $OpenBSD: tcp.4,v 1.18 2006/05/26 04:02:59 deraadt Exp $
.\" $NetBSD: tcp.4,v 1.3 1994/11/30 16:22:35 jtc Exp $
.\"
.\" Copyright (c) 1983, 1991, 1993
@@ -141,8 +141,6 @@ Use TCP MD5 signatures per RFC 2385.
This requires
.Em Security Associations
to be set up, which can be done using
-.Xr ipsecadm 8
-or
.Xr ipsecctl 8 .
When a listening socket has
.Em TCP_MD5SIG
@@ -210,7 +208,6 @@ exists.
.Xr ip 4 ,
.Xr ip6 4 ,
.Xr netintro 4 ,
-.Xr ipsecadm 8 ,
.Xr ipsecctl 8
.Sh HISTORY
The
diff --git a/share/man/man5/hostname.if.5 b/share/man/man5/hostname.if.5
index 96c4eaa8cb4..461770ebc94 100644
--- a/share/man/man5/hostname.if.5
+++ b/share/man/man5/hostname.if.5
@@ -1,4 +1,4 @@
-.\" $OpenBSD: hostname.if.5,v 1.44 2006/05/23 13:38:49 jmc Exp $
+.\" $OpenBSD: hostname.if.5,v 1.45 2006/05/26 04:02:59 deraadt Exp $
.\" $NetBSD: hosts.5,v 1.4 1994/11/30 19:31:20 jtc Exp $
.\"
.\" Copyright (c) 1983, 1991, 1993
@@ -310,7 +310,7 @@ add fxp0
add ep1
-learn fxp0
#
-!ipsecadm flush
+!ipsecctl -F
#
static fxp0 8:0:20:1e:2f:2b
up # and finally enable it
diff --git a/share/man/man8/Makefile b/share/man/man8/Makefile
index 4fec628e94e..7177802b5d4 100644
--- a/share/man/man8/Makefile
+++ b/share/man/man8/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.58 2006/05/09 21:25:30 deraadt Exp $
+# $OpenBSD: Makefile,v 1.59 2006/05/26 04:02:59 deraadt Exp $
# $NetBSD: Makefile,v 1.13 1996/03/28 21:36:40 mark Exp $
# @(#)Makefile 8.1 (Berkeley) 6/5/93
@@ -8,7 +8,7 @@ MAN= afterboot.8 boot_config.8 compat_aout.8 compat_bsdos.8 \
compat_svr4.8 compat_ultrix.8 crash.8 daily.8 dhcp.8 \
diskless.8 genassym.sh.8 intro.8 netstart.8 rc.8 \
rc.conf.8 rc.shutdown.8 release.8 security.8 ssl.8 \
- starttls.8 sticky.8 update.8 vpn.8 yp.8
+ starttls.8 sticky.8 update.8 yp.8
MLINKS+=boot_config.8 UKC.8
MLINKS+=daily.8 weekly.8 daily.8 monthly.8
diff --git a/share/man/man8/vpn.8 b/share/man/man8/vpn.8
deleted file mode 100644
index 3ba0852d0e1..00000000000
--- a/share/man/man8/vpn.8
+++ /dev/null
@@ -1,734 +0,0 @@
-.\" $OpenBSD: vpn.8,v 1.109 2006/05/02 21:14:43 jmc Exp $
-.\"
-.\" Copyright 1998 Niels Provos <provos@physnet.uni-hamburg.de>
-.\" All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in the
-.\" documentation and/or other materials provided with the distribution.
-.\" 3. All advertising materials mentioning features or use of this software
-.\" must display the following acknowledgement:
-.\" This product includes software developed by Niels Provos.
-.\" 4. The name of the author may not be used to endorse or promote products
-.\" derived from this software without specific prior written permission.
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
-.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
-.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
-.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
-.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
-.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
-.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
-.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
-.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.\" Manual page, using -mandoc macros
-.\"
-.Dd February 9, 1999
-.Dt VPN 8
-.Os
-.Sh NAME
-.Nm vpn
-.Nd configuring the system for virtual private networks
-.Sh DESCRIPTION
-A Virtual Private Network (VPN)
-is used to securely connect two or more subnets over the internet.
-For each subnet there is a security gateway which is
-linked via a cryptographically secured tunnel to the security gateway of
-the other subnet.
-.Xr ipsec 4
-is used to provide the necessary network-layer cryptographic services.
-This document describes the configuration process for setting up a VPN.
-.Pp
-Briefly, creating a VPN consists of the following steps:
-.Pp
-.Bl -enum -compact
-.It
-Enable packet forwarding.
-.It
-Choose a key exchange method: manual or automated.
-.It
-For manual keying, generate the keys.
-.It
-For manual keying, create the Security Associations (SA).
-.It
-For manual keying, create the appropriate IPsec flows.
-.It
-For automated keying, configure the keying daemon.
-.It
-Configure firewall rules appropriately.
-.It
-Enable the packet filter.
-.It
-For automated keying, start the keying daemon.
-.It
-Test the setup.
-.El
-.Ss About this page
-It is recommended that a test setup be created before attempting to
-deploy a VPN on the internet.
-The examples in this page can be done using two machines
-directly connected to each other,
-and a little imagination.
-The IP address of each machine represents a gateway address;
-the alias (see below) is simply a hook into a fictitious network.
-.Pp
-The following steps are only necessary
-if the VPN is being set up as a test VPN,
-on an internal LAN.
-.Pp
-The VPN can be represented using two machines (A and B).
-An alias should be added to each machine,
-to give it the appearance of being in another network.
-.Pp
-On machine A:
-.Bd -literal -offset indent
-# ifconfig ne0 192.168.1.13 description "Machine A"
-# ifconfig ne0 alias 10.0.50.1
-.Ed
-.Pp
-On machine B:
-.Bd -literal -offset indent
-# ifconfig bge0 192.168.1.15 description "Machine B"
-# ifconfig bge0 alias 10.0.99.1
-.Ed
-.Pp
-For all other (non-test) cases,
-.Xr ifconfig 8
-should be used to configure machines as normal.
-.Pp
-Additionally, the GATEWAY_* and NETWORK_* variables used in the
-following sections are defined below in
-.Sx Configuring Firewall Rules .
-Please see that section for the correct values for these variables.
-.Ss Enabling Packet Forwarding
-For security gateways, proper operation often requires packet
-forwarding to be enabled using
-.Xr sysctl 8 :
-.Bd -literal -offset indent
-# sysctl net.inet.ip.forwarding=1
-# sysctl net.inet6.ip6.forwarding=1
-.Ed
-.Pp
-Packet forwarding defaults to
-.Sq off .
-.Pp
-Additionally, if
-.Va net.inet.ip.forwarding
-is set to 2,
-IP forwarding is restricted to IPsec traffic only.
-These and other IPsec related options are documented in
-.Xr sysctl 3 .
-.Pp
-For more permanent operation,
-the appropriate option(s) can be enabled in
-.Xr sysctl.conf 5 .
-.Ss Choosing a Key Exchange Method
-There are currently two key exchange methods available:
-.Pp
-.Bl -bullet -compact
-.It
-manual keying:
-.Xr ipsecadm 8
-or
-.Xr ipsecctl 8
-.It
-automated keying:
-.Xr isakmpd 8
-.El
-.Ss Generating Manual Keys [manual keying]
-The shared secret symmetric keys used to create a VPN can
-be any hexadecimal value, so long as both sides of the connection use
-the same values.
-Since the security of the VPN is based on these keys
-being unguessable, it is very important that the keys be chosen using a
-strong random source.
-One practical method of generating them is by using the
-.Xr random 4
-device.
-To produce 160 bits (20 bytes) of randomness, for example, do:
-.Bd -literal -offset indent
-$ openssl rand 20 | hexdump -e '20/1 "%02x"'
-.Ed
-or:
-.Bd -literal -offset indent -compact
-$ openssl rand 20 | perl -pe 's/./unpack("H2",$&)/ges'
-.Ed
-.Pp
-Different cipher types may require different sized keys.
-.Pp
-.Bl -column "CipherXX" "Key Length" -offset indent -compact
-.It Em Cipher Key Length
-.It Li DES Ta "56 bits"
-.It Li 3DES Ta "168 bits"
-.It Li AES Ta "Variable (128 bits recommended)"
-.It Li BLF Ta "Variable (160 bits recommended)"
-.It Li CAST Ta "Variable (128 bits maximum and recommended)"
-.It Li SKIPJACK Ta "80 bits"
-.El
-.Pp
-Use of DES or SKIPJACK as an encryption algorithm is not recommended
-(except for backwards compatibility) due to their short key length.
-Furthermore, recent attacks on SKIPJACK have shown severe weaknesses
-in its structure.
-.Pp
-Note that DES requires 8 bytes to form a 56-bit key and 3DES requires 24 bytes
-to form its 168-bit key.
-This is because the most significant bit of each byte is ignored by both
-algorithms.
-.Pp
-The following would create suitable keys for a 3DES encryption key
-and SHA-1 authentication key:
-.Bd -literal -offset indent
-$ openssl rand 24 | hexdump -e '24/1 "%02x"' \*(Gt enc_key
-$ openssl rand 20 | hexdump -e '20/1 "%02x"' \*(Gt auth_key
-.Ed
-.Pp
-The 3DES encryption key needs 192 bits (3x64), or 24 bytes.
-The SHA-1 authentication key needs 160 bits, or 20 bytes.
-.Ss Creating Security Associations [manual keying]
-Before the IPsec flows can be defined, two Security Associations (SAs)
-must be defined on each end of the VPN e.g.:
-.Bd -literal -offset indent
-# ipsecadm new esp -src $GATEWAY_A -dst $GATEWAY_B \e
- -spi $SPI_AB -forcetunnel -enc 3des -auth sha1 \e
- -keyfile $ENCRYPTION_KEY_FILE \e
- -authkeyfile $AUTHENTICATION_KEY_FILE
-
-# ipsecadm new esp -src $GATEWAY_B -dst $GATEWAY_A \e
- -spi $SPI_BA -forcetunnel -enc 3des -auth sha1 \e
- -keyfile $ENCRYPTION_KEY_FILE \e
- -authkeyfile $AUTHENTICATION_KEY_FILE
-.Ed
-.Pp
-Note that the
-.Fl key
-and
-.Fl authkey
-options may be used to specify the keys directly in the
-.Xr ipsecadm 8
-command line.
-However, another user could view the keys by using the
-.Xr ps 1
-command at the appropriate time (or use a program for doing so).
-.Pp
-Instead of
-.Xr ipsecadm 8 ,
-the
-.Xr ipsecctl 8
-utility can be used to define SAs.
-It uses a rule based syntax similar to
-.Xr pf.conf 5 .
-On gateway A add these lines to the file
-.Xr ipsec.conf 5 :
-.Bd -literal -offset indent
-esp from 192.168.1.13 to 192.168.1.15 spi 0xdeadbeef:0xbeefdead \e
- authkey file "/path/to/gateA.auth:/path/to/gateB.auth" \e
- enckey file "/path/to/gateA.enc:/path/to/gateB.enc"
-.Ed
-.Pp
-Similarly on gateway B add these lines to
-.Xr ipsec.conf 5 :
-.Bd -literal -offset indent
-esp from 192.168.1.15 to 192.168.1.13 spi 0xbeefdead:0xdeadbeef \e
- authkey file "/path/to/gateB.auth:/path/to/gateA.auth" \e
- enckey file "/path/to/gateB.enc:/path/to/gateA.enc"
-.Ed
-.Pp
-Note that when no authentication and encryption algorithms are defined,
-.Xr ipsecctl 8
-will automatically use HMAC-SHA2-256 for authentication and AES-128 in
-countermode for encryption.
-Therefore the authentication key needs to be 256 bits long; the encryption key
-160 bits.
-For details see
-.Xr ipsec.conf 5 .
-.Ss Creating IPsec Flows [manual keying]
-Both IPsec gateways need to configure
-.Xr ipsec 4
-routes (flows) with the
-.Xr ipsecadm 8
-tool.
-Two flows are created on each machine:
-the first is for outbound flows,
-the second is the ingress filter for the incoming security association.
-.Pp
-On the security gateway of subnet A:
-.Bd -literal -offset indent
-# ipsecadm flow -out -require -proto esp \e
- -src $GATEWAY_A -dst $GATEWAY_B \e
- -addr $NETWORK_A $NETWORK_B
-# ipsecadm flow -in -require -proto esp \e
- -src $GATEWAY_A -dst $GATEWAY_B \e
- -addr $NETWORK_B $NETWORK_A
-.Ed
-.Pp
-On the security gateway of subnet B:
-.Bd -literal -offset indent
-# ipsecadm flow -out -require -proto esp \e
- -src $GATEWAY_B -dst $GATEWAY_A \e
- -addr $NETWORK_B $NETWORK_A
-# ipsecadm flow -in -require -proto esp \e
- -src $GATEWAY_B -dst $GATEWAY_A \e
- -addr $NETWORK_A $NETWORK_B
-.Ed
-.Pp
-Again it is possible to use
-.Xr ipsecctl 8
-to define flows.
-On gateway A add this line to
-.Xr ipsec.conf 5 :
-.Bd -literal -offset indent
-flow esp from 10.0.50.0/24 to 10.0.99.0/24 peer 192.168.1.15
-.Ed
-.Pp
-And on gateway B this line:
-.Bd -literal -offset indent
-flow from 10.0.99.0/24 to 10.0.50.0/24 peer 192.168.1.13
-.Ed
-.Pp
-Note that
-.Xr ipsecctl 8
-will automatically use ESP in tunnel mode.
-For details see
-.Xr ipsec.conf 5 .
-.Pp
-To activate the SAs and flows, run this command on both gateways:
-.Bd -literal -offset indent
-# ipsecctl -f /etc/ipsec.conf
-.Ed
-.Ss Configuring the Keying Daemon [automated keying]
-Unless manual keying is used, both security gateways need to use the
-.Xr isakmpd 8
-key management daemon.
-.Xr isakmpd 8
-implements security policy using the
-.Em KeyNote
-trust management system.
-.Pp
-To create a VPN between the same two C class networks as the example
-above, using
-.Xr isakmpd 8 :
-.Bl -enum
-.It
-Create
-.Pa /etc/isakmpd/isakmpd.conf
-for machine A:
-.Bd -literal -offset indent
-# Filter incoming phase 1 negotiations so they are only
-# valid if negotiating with this local address.
-
-[General]
-Listen-On= 192.168.1.13
-
-# Incoming phase 1 negotiations are multiplexed on the
-# source IP address. Phase 1 is used to set up a protected
-# channel just between the two gateway machines.
-# This channel is then used for the phase 2 negotiation
-# traffic (i.e. encrypted & authenticated).
-
-[Phase 1]
-192.168.1.15= peer-machineB
-
-# 'Phase 2' defines which connections the daemon
-# should establish. These connections contain the actual
-# "IPsec VPN" information.
-
-[Phase 2]
-Connections= VPN-A-B
-
-# ISAKMP phase 1 peers (from [Phase 1])
-
-[peer-machineB]
-Phase= 1
-Address= 192.168.1.15
-Configuration= Default-main-mode
-Authentication= yoursharedsecret
-
-# IPSEC phase 2 connections (from [Phase 2])
-
-[VPN-A-B]
-Phase= 2
-ISAKMP-peer= peer-machineB
-Configuration= Default-quick-mode
-Local-ID= machineA-internal-network
-Remote-ID= machineB-internal-network
-
-# ID sections (as used in [VPN-A-B])
-
-[machineA-internal-network]
-ID-type= IPV4_ADDR_SUBNET
-Network= 10.0.50.0
-Netmask= 255.255.255.0
-
-[machineB-internal-network]
-ID-type= IPV4_ADDR_SUBNET
-Network= 10.0.99.0
-Netmask= 255.255.255.0
-
-# Main and Quick Mode descriptions
-# (as used by peers and connections).
-
-[Default-main-mode]
-EXCHANGE_TYPE= ID_PROT
-Transforms= 3DES-SHA,BLF-SHA
-
-[Default-quick-mode]
-EXCHANGE_TYPE= QUICK_MODE
-Suites= QM-ESP-3DES-SHA-SUITE
-.Ed
-.Pp
-.It
-Create
-.Pa /etc/isakmpd/isakmpd.conf
-for machine B:
-.Bd -literal -offset indent
-# Filter incoming phase 1 negotiations so they are only
-# valid if negotiating with this local address.
-
-[General]
-Listen-On= 192.168.1.15
-
-# Incoming phase 1 negotiations are multiplexed on the
-# source IP address. Phase 1 is used to set up a protected
-# channel just between the two gateway machines.
-# This channel is then used for the phase 2 negotiation
-# traffic (i.e. encrypted & authenticated).
-
-[Phase 1]
-192.168.1.13= peer-machineA
-
-# 'Phase 2' defines which connections the daemon
-# should establish. These connections contain the actual
-# "IPsec VPN" information.
-
-[Phase 2]
-Connections= VPN-B-A
-
-# ISAKMP phase 1 peers (from [Phase 1])
-
-[peer-machineA]
-Phase= 1
-Address= 192.168.1.13
-Configuration= Default-main-mode
-Authentication= yoursharedsecret
-
-# IPSEC phase 2 connections (from [Phase 2])
-
-[VPN-B-A]
-Phase= 2
-ISAKMP-peer= peer-machineA
-Configuration= Default-quick-mode
-Local-ID= machineB-internal-network
-Remote-ID= machineA-internal-network
-
-# ID sections (as used in [VPN-A-B])
-
-[machineA-internal-network]
-ID-type= IPV4_ADDR_SUBNET
-Network= 10.0.50.0
-Netmask= 255.255.255.0
-
-[machineB-internal-network]
-ID-type= IPV4_ADDR_SUBNET
-Network= 10.0.99.0
-Netmask= 255.255.255.0
-
-# Main and Quick Mode descriptions
-# (as used by peers and connections).
-
-[Default-main-mode]
-EXCHANGE_TYPE= ID_PROT
-Transforms= 3DES-SHA,BLF-SHA
-
-[Default-quick-mode]
-EXCHANGE_TYPE= QUICK_MODE
-Suites= QM-ESP-3DES-SHA-SUITE
-.Ed
-.It
-Read through the configuration one more time.
-The only real differences between the two files in this example are
-the IP addresses, and ordering of Local-ID and Remote-ID for the VPN
-itself.
-Note that the shared secret (the
-.Em Authentication
-tag) must match between machineA and machineB.
-.Pp
-Due to the sensitive information contained in the configuration file,
-it must be owned by root and installed without any permissions for
-"group" or "other".
-.Pp
-.Dl # chown root:wheel /etc/isakmpd/isakmpd.conf
-.Dl # chmod 0600 /etc/isakmpd/isakmpd.conf
-.It
-Create a simple
-.Pa /etc/isakmpd/isakmpd.policy
-file for both machine A and machine B (identical):
-.Bd -literal -offset indent
-Keynote-version: 2
-Authorizer: "POLICY"
-Conditions: app_domain == "IPsec policy" &&
- esp_present == "yes" &&
- esp_enc_alg != "null" -\*(Gt "true";
-.Ed
-.Pp
-Due to the sensitive information contained in the policy file,
-it must be owned by root and installed without any permissions for
-"group" or "other".
-.Pp
-.Dl # chown root:wheel /etc/isakmpd/isakmpd.policy
-.Dl # chmod 0600 /etc/isakmpd/isakmpd.policy
-.El
-.Ss Configuring Firewall Rules
-.Xr pf 4
-needs to be configured such that all packets from the outside are blocked
-by default.
-Only successfully IPsec-processed packets (those on the
-.Xr enc 4
-interface) or key management packets
-(for automated keying,
-UDP packets with source and destination ports of 500)
-should be allowed to pass.
-.Pp
-Additional filter rules may be present for other traffic,
-though care should be taken that other rules do not leak IPsec traffic.
-NAT rules can also be used on the
-.Xr enc 4
-interface.
-.Pp
-.Sy Note :
-The examples in this page describe a test setup on an internal LAN,
-using private (non-routable) IP addresses.
-In a typical setup,
-at least GATEWAY_A and GATEWAY_B would be configured using
-public (routable) IP addresses.
-NETWORK_A and NETWORK_B may or may not use public IP addresses,
-depending on the network.
-.Pp
-The
-.Xr pf.conf 5
-rules for a tunnel which uses encryption (the ESP IPsec protocol) and
-.Xr isakmpd 8
-on security gateway A might look like this:
-.Bd -literal -offset indent
-GATEWAY_A = "192.168.1.13"
-GATEWAY_B = "192.168.1.15"
-NETWORK_A = "10.0.50.0/24"
-NETWORK_B = "10.0.99.0/24"
-
-ext_if="ne0"
-
-# default deny
-# $ext_if is the only interface going to the outside.
-block log on { enc0, $ext_if } all
-
-# Pass encrypted traffic to/from security gateways
-pass in proto esp from $GATEWAY_B to $GATEWAY_A
-pass out proto esp from $GATEWAY_A to $GATEWAY_B
-
-# Need to allow ipencap traffic on enc0.
-pass in on enc0 proto ipencap from $GATEWAY_B to $GATEWAY_A
-
-# Pass traffic to/from the designated subnets.
-pass in on enc0 from $NETWORK_B to $NETWORK_A
-pass out on enc0 from $NETWORK_A to $NETWORK_B
-
-# Pass isakmpd(8) traffic to/from the security gateways
-pass in on $ext_if proto udp from $GATEWAY_B port = 500 \e
- to $GATEWAY_A port = 500
-pass out on $ext_if proto udp from $GATEWAY_A port = 500 \e
- to $GATEWAY_B port = 500
-.Ed
-.Pp
-The
-.Xr pf.conf 5
-rules on security gateway B might look like this:
-.Bd -literal -offset indent
-GATEWAY_A = "192.168.1.13"
-GATEWAY_B = "192.168.1.15"
-NETWORK_A = "10.0.50.0/24"
-NETWORK_B = "10.0.99.0/24"
-
-ext_if="bge0"
-
-# default deny
-# $ext_if is the only interface going to the outside.
-block log on { enc0, $ext_if } all
-
-# Passing in encrypted traffic from security gateways
-pass in proto esp from $GATEWAY_A to $GATEWAY_B
-pass out proto esp from $GATEWAY_B to $GATEWAY_A
-
-# Need to allow ipencap traffic on enc0.
-pass in on enc0 proto ipencap from $GATEWAY_A to $GATEWAY_B
-
-# Passing in traffic from the designated subnets.
-pass in on enc0 from $NETWORK_A to $NETWORK_B
-pass out on enc0 from $NETWORK_B to $NETWORK_A
-
-# Passing in isakmpd(8) traffic from the security gateways
-pass in on $ext_if proto udp from $GATEWAY_A port = 500 \e
- to $GATEWAY_B port = 500
-pass out on $ext_if proto udp from $GATEWAY_B port = 500 \e
- to $GATEWAY_A port = 500
-.Ed
-.Ss Enabling the Packet Filter
-Enable the packet filter and load the ruleset:
-.Bd -literal -offset indent
-# pfctl -e
-# pfctl -f /etc/pf.conf
-.Ed
-.Ss Starting the Keying Daemon [automated keying]
-Start
-.Xr isakmpd 8
-.Pp
-On both machines, run:
-.Pp
-.Dl # /sbin/isakmpd
-.Pp
-To run with verbose debugging enabled, instead start with:
-.Pp
-.Dl # /sbin/isakmpd -d -DA=99
-.Ss Testing the Setup
-It is important to check the setup is working correctly.
-Remember that the following examples illustrate a test setup only,
-and therefore tests carried out on GATEWAY_A and NETWORK_A will be
-carried out on the same machine (Machine A).
-If this were a real setup, GATEWAY_A and a machine on NETWORK_A would be
-different machines.
-.Pp
-Using the test setup,
-first check the routing table shows the routes between the two gateways.
-.Pp
-On GATEWAY_A:
-.Bd -literal -offset 1n
-$ netstat -rn -f encap
-Routing tables
-
-Encap:
-Source Port Destination Port Proto SA(Address/Proto/Type/Direction)
-10.0.99/24 0 10.0.50/24 0 0 192.168.1.15/50/use/in
-10.0.50/24 0 10.0.99/24 0 0 192.168.1.15/50/require/out
-.Ed
-.Pp
-This shows that anything with source address 10.0.99.0/24 (NETWORK_B)
-is routed to destination 10.0.50.0/24 (NETWORK_A),
-and vice versa.
-The opposite would be true if
-.Xr netstat 1
-were run on GATEWAY_B.
-.Pp
-Note that the routing table above is given for an automated keying session.
-SA information for a manual keying session would differ slightly: the
-.Dq Type
-field would be
-.Dq require
-for both directions.
-.Pp
-Next check that you can
-.Xr ping 8
-the networks:
-.Pp
-On NETWORK_A:
-.Pp
-.Dl $ ping -I 10.0.50.1 10.0.99.1
-.Pp
-Note the
-.Fl I
-option passed to
-.Xr ping 8 :
-this is necessary to specify a source address
-from the network.
-Check that the
-.Xr ping 8
-works from both NETWORK_A and NETWORK_B, changing the arguments as necessary.
-.Pp
-Check that the traffic between the two networks really is
-ESP encapsulated.
-On GATEWAY_A:
-.Pp
-.Dl # tcpdump -n -i ne0 esp
-.Pp
-On NETWORK_A:
-.Pp
-.Dl $ ping -I 10.0.50.1 10.0.99.1
-.Pp
-Check that
-.Xr tcpdump 8
-shows ESP packets whilst the ping is in progress.
-That shows that the traffic is IPsec encapsulated.
-.Pp
-If both networks are pingable,
-the routing tables look as described above,
-and
-.Xr tcpdump 8
-is working as described,
-it means the VPN is working correctly.
-However, it is also important to check that no IPsec traffic
-is being leaked,
-either by badly designed firewall rules
-or by a misconfigured VPN setup.
-.Pp
-On GATEWAY_A:
-.Pp
-.Dl "# tcpdump -n -i ne0 not esp and host 192.168.1.15"
-.Pp
-On NETWORK_A:
-.Pp
-.Dl $ ping -I 10.0.50.1 10.0.99.1
-.Pp
-This time
-.Xr tcpdump 8
-has been instructed to ignore ESP packets going to
-host 192.168.1.15 (GATEWAY_B),
-and no traffic should be seen whilst the ping is running.
-One exception to this is if the automated keying setup has been followed,
-in which case
-.Xr isakmpd 8
-key management packets on UDP port 500 may be seen.
-This is perfectly normal.
-If any traffic is being leaked
-i.e. the last ping detailed above is showing traffic,
-it is suggested that the administrator review the steps above,
-paying particular notice to the firewall configuration procedures.
-.Sh FILES
-.Bl -tag -width "/etc/isakmpd/isakmpd.policyXX" -compact
-.It Pa /etc/ipsec.conf
-.Xr ipsecctl 8
-configuration file.
-.It Pa /etc/isakmpd/isakmpd.conf
-.Xr isakmpd 8
-configuration file.
-.It Pa /etc/isakmpd/isakmpd.policy
-.Xr isakmpd 8
-policy file.
-.It Pa /etc/pf.conf
-Firewall configuration file.
-.It Pa /usr/share/ipsec/rc.vpn
-Sample VPN configuration file.
-.El
-.Sh SEE ALSO
-.Xr netstat 1 ,
-.Xr openssl 1 ,
-.Xr sysctl 3 ,
-.Xr enc 4 ,
-.Xr ipsec 4 ,
-.Xr keynote 4 ,
-.Xr ipsec.conf 5 ,
-.Xr isakmpd.conf 5 ,
-.Xr isakmpd.policy 5 ,
-.Xr pf.conf 5 ,
-.Xr ifconfig 8 ,
-.Xr ipsecadm 8 ,
-.Xr ipsecctl 8 ,
-.Xr isakmpd 8 ,
-.Xr pfctl 8 ,
-.Xr ping 8 ,
-.Xr sysctl 8 ,
-.Xr tcpdump 8
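Review bot: deleting vpn(8) wholesale removes material that has no replacement elsewhere in this commit, not just the obsolete ipsecadm(8) invocations: the key-length table and key-generation guidance, the warning that `-key`/`-authkey` on a command line are visible via ps(1), the pf.conf(5) rulesets for gateway A and B (default deny on enc0 and the external interface, ESP and ipencap passes, UDP 500 for isakmpd), the 0600 root-owned requirement for isakmpd.conf and isakmpd.policy, and the leak check with `tcpdump -n -i ne0 not esp and host ...`. The page already showed the ipsecctl(8)/ipsec.conf(5) path for SAs and flows alongside the old commands, so trimming the ipsecadm sections and the rc.vpn FILES entry would have kept the page current; if it must go, the commit should confirm that ipsec.conf(5) or isakmpd(8) carry the firewall and leak-testing guidance, since otherwise administrators lose the only documented check that no plaintext escapes a misconfigured tunnel.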