Christos Ricudis' Useful Tutorials Present....

Christos Ricudis ricudis at paiko.gr
Wed Oct 3 20:56:01 EEST 2001


Hello All!


                                       The

                                  FreeSWAN/KAME

                                    How-Not-To

                                      Part 1

An exclusive production of Christos Ricudis' "Tutorials about things you'd
never want to know exist, let alone learn" Productions.

For a few days now I've been trying to build a minimally working IPSec
configuration between a Linux box and a FreeBSD box.

We have 2 machines, a FreeBSD laptop with IP 10.1.0.2 and a Linux box with IP
10.1.0.1. The simplest IPSec configuration is IPSec in transport mode between
those 2 specific IPs, in manual keying mode with pre-shared secrets.

The IPSec documentation, in both KAME and FreeS/WAN, is simply disgraceful
unless you are an IPSec guru.

On the FreeBSD side, things are 'simple'. After compiling the kernel with IPSec
support, you create the following configuration file:

flush ;
spdflush ;
add 10.1.0.2 10.1.0.1 esp 10003 -E 3des-cbc 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef ;
add 10.1.0.1 10.1.0.2 esp 10003 -E 3des-cbc 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef ;
spdadd 10.1.0.2 10.1.0.1 any -P out ipsec esp/transport/10.1.0.2-10.1.0.1/require ;
spdadd 10.1.0.1 10.1.0.2 any -P in ipsec esp/transport/10.1.0.1-10.1.0.2/require ;

You load it with setkey -f <config file>

Let me explain:

The first 2 lines flush the current IPSec configuration.

The next 2 create a Security Association entry between the 2 machines. Each SA
is valid for one direction only. For now I'm using ESP (payload encryption) and
not AH (header authentication), for reasons of 'simplicity'.


10003 is the SPI (Security Parameter Index) that each SA uses. Contrary to what
you will see in the FreeBSD examples, when the other end is Linux you must use
the same SPI in both directions. The remaining parameters declare the
encryption algorithm and the shared secret. The only algorithm FreeS/WAN on
Linux supports is 3des_cbc. Shame on them. Scandalous. Disgraceful. Disgraceful,
the pair of them, ladies and gentlemen, residents of Greece.

The last two lines describe a Security Policy entry, which declares the policy
used for this particular transport in both directions.

The corresponding configuration on the Linux (FreeS/WAN) side is
/etc/ipsec.conf:

# basic configuration
config setup
        interfaces="ipsec0=eth1:1"
        uniqueids=yes
        manualstart=paiko-transport
        plutoload=%search
        plutostart=%search
conn %default
        keyingtries=0
        disablearrivalcheck=no
        authby=secret
conn paiko-transport
        # Left security gateway, subnet behind it, next hop toward right.
        type=transport
        left=10.1.0.1
        right=10.1.0.2
        spi=0x2713
        #leftespspi=0x2713 # 10003
        #rightespspi=0x2714 # 10004
        esp=3des
        leftespenckey=0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
        rightespenckey=0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
        auto=add

Let me explain:

The guy who wrote FreeS/WAN must have childhood traumas caused by exposure to
Fortran. Careful: ipsec.conf uses indentation to separate blocks, so keep your
blocks indented ("with a tab in front").

The first significant statement is config setup/interfaces, which associates
the virtual IPSec interfaces with the system's regular interfaces. In the
example, I want to use IPSec on alias 1 of eth1, but not on plain eth1, so that
I can debug the connection from the other, non-encrypted channel.

The important parts of the configuration are in the conn paiko-transport
block. Here we see that:

0) One end is called "left" and the other end is called "right". I don't know
whether that helps you get your bearings; it confused me, anyway.

1) We declare that this SA uses transport mode, as above.

2) We declare the SPI for the SA. There are two options. Either you use one SPI
for both directions - CONTRARY to what the KAME documentation says - or you use
a separate SPI for the "left" SA and the "right" SA, exactly as KAME does, with
the "leftespspi" and "rightespspi" parameters. If you do that, it will NOT
work, for non-obvious reasons, and you will struggle for 2 days like yours
truly.

For some odd reason, FreeS/WAN accepts numbers only in hexadecimal:
0x2713 = 10003.

3) We again declare the encryption algorithms and keys. 3des-cbc uses a 192-bit
key, i.e. six hexadecimal dead cows (each hex digit corresponds to 4 bits, each
dead cow has 32 bits, 6 dead cows make 192 bits).

We bring up the FreeS/WAN configuration with the command ipsec auto --add
paiko-transport and ping from one end to the other to our heart's content.
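As an added check (my own script, not part of the original post), the following Python cross-checks the two configurations above for exactly the pitfalls described: the 3des-cbc key must be 192 bits (48 hex digits), both setkey SAs must share one SPI because FreeS/WAN has a single spi= value, and the hexadecimal 0x2713 in ipsec.conf must equal the decimal 10003 in setkey. The sample texts are constructed from the configurations above; parse_setkey_sas, parse_conn and check are hypothetical names of mine.

```python
import re

# Constructed sample inputs, copied from the two configurations in the post.
SETKEY_CONF = """flush ;
spdflush ;
add 10.1.0.2 10.1.0.1 esp 10003 -E 3des-cbc 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef ;
add 10.1.0.1 10.1.0.2 esp 10003 -E 3des-cbc 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef ;
"""
IPSEC_CONF = """conn paiko-transport
\ttype=transport
\tleft=10.1.0.1
\tright=10.1.0.2
\tspi=0x2713
\tesp=3des
\tleftespenckey=0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
\trightespenckey=0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
"""
KEY_BITS = {"3des-cbc": 192}  # the only algorithm the post says FreeS/WAN accepts
SA_RE = re.compile(r"^add\s+(\S+)\s+(\S+)\s+esp\s+(\S+)\s+-E\s+(\S+)\s+0x([0-9a-fA-F]+)\s*;", re.M)

def parse_setkey_sas(text):
    # (src, dst, spi, algorithm, lowercase hex key) per setkey 'add' line; int(x, 0) accepts 10003 or 0x2713
    return [(s, d, int(spi, 0), algo, key.lower()) for s, d, spi, algo, key in SA_RE.findall(text)]

def parse_conn(text):
    # key=value settings of an ipsec.conf conn block, comments stripped; lines without '=' are dropped
    pairs = [l.split("#", 1)[0].strip().split("=", 1) for l in text.splitlines()]
    return {k.strip(): v.strip() for k, v in (p for p in pairs if len(p) == 2)}

def check(setkey_text, ipsec_text):
    # Cross-check the KAME and FreeS/WAN sides; an empty list means they agree.
    problems, sas, conn = [], parse_setkey_sas(setkey_text), parse_conn(ipsec_text)
    for src, dst, spi, algo, key in sas:
        want = KEY_BITS.get(algo)  # 3des-cbc needs 192 bits = 48 hex digits ("six dead cows")
        if want is None:
            problems.append(f"{src}->{dst}: algorithm {algo} not supported by FreeS/WAN")
        elif len(key) * 4 != want:
            problems.append(f"{src}->{dst}: {algo} key is {len(key) * 4} bits, want {want}")
    spis = {sa[2] for sa in sas}
    if len(sas) != 2 or len(spis) != 1:  # the post's pitfall: FreeS/WAN 'spi=' is one value for both directions
        problems.append(f"expected two SAs sharing one SPI, got SPIs {sorted(spis)}")
    if "spi" in conn and int(conn["spi"], 0) not in spis:  # hex 0x2713 vs decimal 10003: compare numerically
        problems.append(f"ipsec.conf spi {conn['spi']} != setkey SPI(s) {sorted(spis)}")
    keys = {sa[4] for sa in sas}
    for side in ("left", "right"):
        if conn.get(side + "espenckey", "").lower()[2:] not in keys:
            problems.append(f"{side}espenckey does not match any setkey key")
    return problems
```

Running check(SETKEY_CONF, IPSEC_CONF) on the configurations as given returns an empty list; change one SPI, one key length or the hex spi= value and the corresponding complaint appears.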

Once we have verified that transport mode works, we can bring up a tunnel on top
of this transport. Transport mode works only for traffic between the two ends
themselves.

Through a tunnel we can carry third parties' packets, as in the case of two VPN
gateways.

So we add the following extra declarations to the KAME configuration:

spdadd 1.1.1.0/27 1.1.2.0/27 any -P out ipsec esp/tunnel/10.1.0.2-10.1.0.1/require ;
spdadd 1.1.2.0/27 1.1.1.0/27 any -P in ipsec esp/tunnel/10.1.0.1-10.1.0.2/require ;

We see that this time we give two networks as source and destination, of which
1.1.1.0/27 is on the FreeBSD side AND 1.1.2.0/27 on the Linux side. We see
that in the SP entry we declare that the tunnel we pass through corresponds to
the endpoints of the transport we declared earlier. We cannot build a tunnel
that includes its own 'ends', which is why we need a transport AND a tunnel to
connect 2 networks.

On the Linux side, things are similar:

<Here the author realizes that he has NOT yet finished the relevant
configuration, suffers a heart attack and leaves the tutorial half-finished.
In my next life I'll send you part 2 as well>

--
Christos Ricudis

In God we trust.
All others must present a valid X.509 certificate.



More information about the Linux-greek-users mailing list