荔园在线
荔园之美,在春之萌芽,在夏之绽放,在秋之收获,在冬之沉淀
[回到开始]
[上一篇][下一篇]
发信人: georgehill (人生不定式), 信区: Linux
标 题: Simple Configuration Sample of IPsec/Racoon(转寄)
发信站: BBS 荔园晨风站 (Sat Sep 16 11:32:27 2000), 站内信件
【 以下文字转载自 georgehill 的信箱 】
【 原文由 georgehill.bbs@smth.org 所发表 】
发信人: hhuu (什么是水,就是water啊), 信区: FreeBSD
标 题: Simple Configuration Sample of IPsec/Racoon(转寄)
发信站: BBS 水木清华站 (Sat Sep 16 00:18:49 2000)
Simple Configuration Sample of IPsec/Racoon
Shoichi Sakane, KAME Project
$Id: index.html,v 1.3 2000-09-13 14:46:10+09 sakane Exp $
Japanese version is here.
Abstract
This document describes how to configure to establish IPsec-SA automatically on
KAME stack.
To understand configuration for several environment requires the reader to be
familiar with IPsec architecture. Because many items must be
specified in order to establish IPsec-SA automatically. This document gives
priority to run racoon, by giving simple example of the
environment, and by putting configuration items to a minimum.
The reader is required to know about IPsec architecture, but is not always
familiar with it.
Note that this document refers to racoon included in KAME snap 20000501 or
later. The kits before 20000501 are not suitable to them. Also
not KAME stable 20000425.
Introduction
If you want IPsec to communicate with somebody, It is required to establish the
Security Association(IPsec-SA) between you and the peer
before that. There are two way to establish it. One is by using manual
configuration. Another way is automated configuration. In our
implementation, we have a daemon named "racoon" for latter case.
Several parameters(Key) must be exchanged between you and peer in order to
establish the IPsec-SA. Racoon exchange them by using IKE.
IKE establish own SA by myself while exchanging Key, don't use IPsec-SA. There
are two phase in IKE. One is the phase to establish SA
for own communication (IKE-SA). Another is the phase to establish IPsec-SA. I
say Phase 1 and Phase 2 respectively. The initiator to begin
IKE proposes multiple parameters to the responder, and the responder choices
one of them or rejects them in each phases. Also racoon has
some parameter for the management of exchanging. So that there are many items
to configure racoon.
It is not easy for public users to understand all of them. This document
explains how to configure racoon briefly. The complex configuration
is not described. Also to use certificate is out of scope in this document.
Basic mechanism
Kernel maintains two database to use IPsec. One is the Security Policy
Database(SPD). Kernel refers to SPD in order to decide whether to
apply IPsec to a packet or not. Also SPD entries specify which/how IPsec-SA is
applied. Another one is the Security Association
Database(SAD). SAD entries contain Key of each IPsec-SA.
The following figure specifies a flow until kernel applies IPsec-SA to a
packet.
setkey racoon <-------(IKE)-------> somebody
| ^ | (5)
| | |(6)
|(1) +-----+ +---+
| (4)| |
v | v
+-----+ (2) | (3) +-----+
| SPD |<----- kernel ------>| SAD |
+-----+ | +-----+
|(7)
v
(1)The administrator sets a policy to SPD by using setkey.
(2)Kernel refers to SPD in order to make a decision of applying IPsec to a
packet.
(3)If IPsec is required, then kernel get the Key for IPsec-SA from SAD.
(4)If it is failed, then kernel send a request to get the Key to racoon.
(5)racoon exchange the Key by using IKE with the other to be established
IPsec-SA.
(6)racoon put the Key into SAD.
(7)Kernel can send a packet applied IPsec.
So that the administrator must configure SPD entries by using setkey command,
and must configure racoon. Also it must be required to run
racoon or else on the other side.
Starting racoon
It is required root privilege to start racoon. Because racoon use a port 500 of
UDP, also open /var/log/racoon.log as log file.
Racoon has a few options. This section explains only typical options.
-f configfile
Specify alternate configuration file.
/usr/local/v6/etc/racoon.conf as default.
-l logfile
Specify alternate log file.
/var/log/racoon.log as default.
-d dlevel
Set debugging level of hexadecimal.
As below, racoon outputs many information onto standard output and log
file.
# racoon -d 0xffffffff
Simple Configuration Sample of Racoon
The following description is the one of most simple configuration. This section
explains this sample step by step.
# cat case1.conf
path pre_shared_key "/usr/local/v6/etc/psk.txt" ;
identifier user_fqdn "sakane@kame.net" ;
identifier fqdn "mine.kame.net" ;
remote anonymous
{
exchange_mode aggressive ;
identifier user_fqdn ;
lifetime time 24 hour ;
lifetime byte 100 MB ;
proposal {
encryption_algorithm 3des;
hash_algorithm sha1;
authentication_method pre_shared_key ;
dh_group 2 ;
}
}
sainfo anonymous
{
pfs_group 1;
lifetime time 12 hour ;
lifetime byte 50 MB ;
encryption_algorithm 3des, rc5, cast128, blowfish, des ;
authentication_algorithm hmac_sha1, hmac_md5 ;
compression_algorithm deflate ;
}
path pre_shared_key directive specifies the file which is defined
pre-shared keys. This is used to authenticate the peer on phase 1. If
you don't use the pre-shared key authentication method, you don't need to
define it. The format is like hosts(4). For each key A single
line for each key must be present with the following
identifier1 key1
identifier2 key2
Items are separated by any number of blanks and/or tab characters.
identifier user_fqdn and identifier fqdn are specify the identifier which
is used the authentication of peer on phase 1. You can use
either IP4/6 address, User-FQDN and FQDN. There is no special different
between User-FQDN and FQDN. These must be closed
Double-Quotation. You can use any word because there is no strict check
for FQDN.
remote directive
remote directive specifies about Phase 1. anonymous means to match any
peer. You can limit exchanging each peer, but the document
does not describes it.
exchange_mode directive specifies the exchange mode on Phase 1 aggressive
means to exchange by aggressive mode. You can use
main as main mode and base as base mode. If a peer start to exchange by
the mode which is not specified here, racoon will reject it.
Although racoon can accept three mode, this document does not describe
this way.
identifier directive in remote specifies what own identifier is used. The
identifier will send to the peer, and the peer will use as one of
the information of authentication. In the case of above sample, identifier
in remote is user_fqdn, so "sakane@kame.net" defined in
identifier user_fqdn is applied.
lifetime time and lifetime byte specify the lifetime of IKE-SA. These are
by time and by bytes respectively. You can use sec, min and
hour as the unit of lifetime by time. And you can use B, KB, MB and TB as
the unit of lifetime by bytes.
proposal directive specifies a proposal on Phase 1. Although you can
specify multiple proposals, this is the out of scope in this
document.
encryption_algorithm directive specifies encryption algorithm on Phase 1.
racoon can use DES, 3DES, RC5, IDEA, CAST,
BLOWFISH as encryption algorithm. You must specify des, 3des, rc5, idea,
cast, blowfish respectively. You can specify one of them
in a proposal for Phase 1.
hash_algorithm directive specifies hash algorithm. racoon can use MD5 and
SHA1 as hash algorithm. You must specify md5 and sha1
respectively. You can specify one of them in a proposal for Phase 1.
authentication_method directive specifies the authentication method on
Phase 1. In the case of above sample, it means to use
Pre-shared Key as authentication method. Racoon can use RSA Signature
authentication method, but this is the out of scope in this
document.
dh_group directive specifies a group for Diffie-Hellman Key Exchange.
Racoon can use 1, 2 and 5 as this group. You must specify 1,
2 and 5 respectively.
sainfo directive
sainfo directive specifies some parameters about Phase 2. anonymous means
to match any peer. You can limit exchanging peer by each,
but the document does not describes it.
pfs_group directive specifies a group for Diffie-Hellman Key Exchange on
Phase 2. Racoon can use 1, 2 and 5 as this group. You
must specify 1, 2 and 5 respectively.
lifetime time and lifetime byte specify the lifetime of IPsec-SA. These
are by time and by bytes respectively. You can use sec, min
and hour as the unit of lifetime by time. And you can use B, KB, MB and TB
as the unit of lifetime by bytes.
encryption_algorithm directive specifies the proposal of encryption
algorithm for ESP. racoon can use DES, 3DES, RC5, CAST,
BLOWFISH, NULL as encryption algorithm for ESP. You must specify des, 3des,
rc5, cast, blowfish and null_enc respectively.
authentication_algorithm directive specifies the proposal of
authentication algorithm for both ESP and AH. racoon can use
HMAC-SHA1, HMAC-MD5 and Keyed-MD5 as authentication algorithm. You must
specify hmac_sha1, hmac_md5 and kpdk
respectively.
compression_algorithm directive specifies the proposal of compression
algorithm for IPCOMP. racoon can use DEFLATE at the
moment. You must specify deflate.
The above sample can accept to exchange both Phase 1 and Phase 2, only if you
specify appropriate Pre-shared Key before exchange. Racoon
can restrict to exchange with the peer each phases. But this document does not
describe the way.
Sample Configuration of SPD
Case 1
Security protocol is ESP. Encapsulation mode is Transport.
Host-A Host-B
fec0::1 ---------------------- fec0::2
Configuration at Host-A:
# setkey -c <<EOF
spdadd fec0::1 fec0::2 any -P out ipsec
esp/transport//require ;
spdadd fec0::2 fec0::1 any -P in ipsec
esp/transport//require ;
EOF
Note that IP address and direction. First IP address means source of IP header.
Next IP address means destination of IP header. out means a
packet goes out. in means a packet comes in.
At Host-B:
# setkey -c <<EOF
spdadd fec0::2 fec0::1 any -P out ipsec
esp/transport//require ;
spdadd fec0::1 fec0::2 any -P in ipsec
esp/transport//require ;
EOF
Case 2
ESP Transport mode applied first and AH Transport mode next.
It means that kernel makes a packet to be [IP|AH|ESP|ULP].
Host-A Host-B
fec0::1 ---------------------- fec0::2
Configuration at Host-A:
# setkey -c <<EOF
spdadd fec0::1 fec0::2 any -P out ipsec
esp/transport//require
ah/transport//require ;
spdadd fec0::2 fec0::1 any -P in ipsec
esp/transport//require
ah/transport//require ;
EOF
Note that the ordering of security protocol. In outgoing case defined out, it
specifies the sequence of security protocol which kernel apply to
the packet. In incoming case defined in, it specifies the sequence of security
protocol to be applied to the packet. The above case means that
ESP transport mode is first, and the next is AH transport mode.
At Host-B:
# setkey -c <<EOF
spdadd fec0::2 fec0::1 any -P out ipsec
esp/transport//require
ah/transport//require ;
spdadd fec0::1 fec0::2 any -P in ipsec
esp/transport//require
ah/transport//require ;
EOF
Note IP addresses as case 1.
Case 3
ESP Tunnel for VPN.
======= ESP =======
| |
Network-A Gateway-A Gateway-B Network-B
10.0.1.0/24 ---- 172.16.0.1 ------ 172.16.0.2 ---- 10.0.2.0/24
Configuration at Gateway-A:
# setkey -c <<EOF
spdadd 10.0.1.0/24 10.0.2.0/24 any -P out ipsec
esp/tunnel/172.16.0.1-172.16.0.2/require ;
spdadd 10.0.2.0/24 10.0.1.0/24 any -P in ipsec
esp/tunnel/172.16.0.2-172.16.0.1/require ;
Tunnel end points must be defined.
and at Gateway-B:
# setkey -c <<EOF
spdadd 10.0.2.0/24 10.0.1.0/24 any -P out ipsec
esp/tunnel/172.16.0.2-172.16.0.1/require ;
spdadd 10.0.1.0/24 10.0.2.0/24 any -P in ipsec
esp/tunnel/172.16.0.1-172.16.0.2/require ;
Conclusion
This document describes how to configure to establish IPsec-SA automatically in
each typical IPsec environment with simple configuration
sample of racoon. This document explains basic mechanism to establish IPsec-SA
automatically. It is necessary to know many parameters if
you want complex configuration of racoon. But this document figures a outline
of establishing IPsec-SA automatically. The other document
will explain about detail configuration.
--
行列中 作不朽文章
谈笑间 论古今英雄
痴狂里 诉红尘情爱
来去时 不枉一生风流
--------- bbs.ntu.edu.tw
※ 来源:·BBS 水木清华站 smth.org·[FROM: 166.111.161.33]
--
※ 转载:·BBS 荔园晨风站 bbs.szu.edu.cn·[FROM: 192.168.1.115]
[回到开始]
[上一篇][下一篇]
荔园在线首页 友情链接:深圳大学 深大招生 荔园晨风BBS S-Term软件 网络书店