特殊:Badtitle/NS100:IPSecHowTo:修订间差异

来自Ubuntu中文
跳到导航跳到搜索
Oneleaf留言 | 贡献
New page: {{From|https://help.ubuntu.com/community/IPSecHowTo}} {{Languages|php5}} [mailto:[email protected] Matthew Caron] This howto is primarily taken from [http://www.ipsec-howto.org/x299.html...
 
Oneleaf留言 | 贡献
无编辑摘要
第1行: 第1行:
{{From|https://help.ubuntu.com/community/IPSecHowTo}}
{{From|https://help.ubuntu.com/community/IPSecHowTo}}
{{Languages|php5}}
{{Languages|UbuntuHelp:IPSecHowTo}}
[mailto:[email protected] Matthew Caron]
[mailto:[email protected] Matthew Caron]


第14行: 第14行:
2. Edit /etc/ipsec-tools.conf file. This file should be of the general form:
2. Edit /etc/ipsec-tools.conf file. This file should be of the general form:
<pre><nowiki>
<pre><nowiki>
#!/usr/sbin/setkey -f


# Configuration for 192.168.1.100


# Flush the SAD and SPD
flush;
flush;
spdflush;
spdflush;


# Attention: Use this keys only for testing purposes!
# Generate your own keys!


# AH SAs using 128 bit long keys
add 192.168.1.100 192.168.2.100 ah 0x200 -A hmac-md5
add 192.168.1.100 192.168.2.100 ah 0x200 -A hmac-md5
         0xc0291ff014dccdd03874d9e8e4cdf3e6;
         0xc0291ff014dccdd03874d9e8e4cdf3e6;
第31行: 第25行:
         0x96358c90783bbfa3d7b196ceabe0536b;
         0x96358c90783bbfa3d7b196ceabe0536b;


# ESP SAs using 192 bit long keys (168 + 24 parity)
add 192.168.1.100 192.168.2.100 esp 0x201 -E 3des-cbc
add 192.168.1.100 192.168.2.100 esp 0x201 -E 3des-cbc
         0x7aeaca3f87d060a12f4a4487d5a5c3355920fae69a96c831;
         0x7aeaca3f87d060a12f4a4487d5a5c3355920fae69a96c831;
第37行: 第30行:
         0xf6ddb555acfd9d77b03ea3843f2653255afe8eb5573965df;
         0xf6ddb555acfd9d77b03ea3843f2653255afe8eb5573965df;


# Security policies
spdadd 192.168.1.100 192.168.2.100 any -P out ipsec
spdadd 192.168.1.100 192.168.2.100 any -P out ipsec
           esp/transport//require
           esp/transport//require
第48行: 第40行:
It is important to understand this, so let me break it down:
It is important to understand this, so let me break it down:
<pre><nowiki>
<pre><nowiki>
# AH SAs using 128 bit long keys
add 192.168.1.100 192.168.2.100 ah 0x200 -A hmac-md5
add 192.168.1.100 192.168.2.100 ah 0x200 -A hmac-md5
         0xc0291ff014dccdd03874d9e8e4cdf3e6;
         0xc0291ff014dccdd03874d9e8e4cdf3e6;
第64行: 第55行:
Similarly, this section:
Similarly, this section:
<pre><nowiki>
<pre><nowiki>
# ESP SAs using 192 bit long keys (168 + 24 parity)
add 192.168.1.100 192.168.2.100 esp 0x201 -E 3des-cbc
add 192.168.1.100 192.168.2.100 esp 0x201 -E 3des-cbc
         0x7aeaca3f87d060a12f4a4487d5a5c3355920fae69a96c831;
         0x7aeaca3f87d060a12f4a4487d5a5c3355920fae69a96c831;
第78行: 第68行:
So, these top two sections should list keys for all the IP addresses that the machine cares about. These sections do not change when moving the file amongst machines on either side of a connection. That brings us to the next section:
So, these top two sections should list keys for all the IP addresses that the machine cares about. These sections do not change when moving the file amongst machines on either side of a connection. That brings us to the next section:
<pre><nowiki>
<pre><nowiki>
# Security policies
spdadd 192.168.1.100 192.168.2.100 any -P out ipsec
spdadd 192.168.1.100 192.168.2.100 any -P out ipsec
           esp/transport//require
           esp/transport//require
第89行: 第78行:
This sets up the policies for in and out communications. So, the above version will work for 192.168.1.100, because all '''outgoing''' communication to 192.168.2.100 and all '''incoming''' communication from 192.168.2.100 will be encrypted. To use this on the other machine (192.168.2.100), flip the in and out directives, as follows:
This sets up the policies for in and out communications. So, the above version will work for 192.168.1.100, because all '''outgoing''' communication to 192.168.2.100 and all '''incoming''' communication from 192.168.2.100 will be encrypted. To use this on the other machine (192.168.2.100), flip the in and out directives, as follows:
<pre><nowiki>
<pre><nowiki>
# Security policies
spdadd 192.168.1.100 192.168.2.100 any -P in ipsec
spdadd 192.168.1.100 192.168.2.100 any -P in ipsec
           esp/transport//require
           esp/transport//require
第113行: 第101行:
</nowiki></pre>
</nowiki></pre>


CategoryDocumentation CategoryCleanup
[[category:CategoryDocumentation]] [[category:CategoryCleanup]]


[[category:UbuntuHelp]]
[[category:UbuntuHelp]]

2007年5月14日 (一) 11:47的版本

{{#ifexist: :IPSecHowTo/zh | | {{#ifexist: IPSecHowTo/zh | | {{#ifeq: {{#titleparts:IPSecHowTo|1|-1|}} | zh | | }} }} }} {{#ifeq: {{#titleparts:IPSecHowTo|1|-1|}} | zh | | }}

Matthew Caron

This howto is primarily taken from IPSec - Linux Kernel 2.6 using KAME-tools; the native IPSec stack in the 2.6 kernel series.

This covers using manually-keyed connections, and is geared toward very small or primarily star toplogy networks (an NIS server and all it's clients, for example). Larger networks (if all the NIS clients want to talk to each other in an encrypted fashion) would benefit from the use of an automated keying agent, such as racoon. Discussion of such agents is outside the scope of this draft of this document (maybe later).

1. Install the tools:

sudo apt-get install ipsec-tools

2. Edit /etc/ipsec-tools.conf file. This file should be of the general form:



flush;
spdflush;


add 192.168.1.100 192.168.2.100 ah 0x200 -A hmac-md5
        0xc0291ff014dccdd03874d9e8e4cdf3e6;
add 192.168.2.100 192.168.1.100 ah 0x300 -A hmac-md5
        0x96358c90783bbfa3d7b196ceabe0536b;

add 192.168.1.100 192.168.2.100 esp 0x201 -E 3des-cbc
        0x7aeaca3f87d060a12f4a4487d5a5c3355920fae69a96c831;
add 192.168.2.100 192.168.1.100 esp 0x301 -E 3des-cbc
        0xf6ddb555acfd9d77b03ea3843f2653255afe8eb5573965df;

spdadd 192.168.1.100 192.168.2.100 any -P out ipsec
           esp/transport//require
           ah/transport//require;

spdadd 192.168.2.100 192.168.1.100 any -P in ipsec
           esp/transport//require
           ah/transport//require;

It is important to understand this, so let me break it down:

add 192.168.1.100 192.168.2.100 ah 0x200 -A hmac-md5
        0xc0291ff014dccdd03874d9e8e4cdf3e6;
add 192.168.2.100 192.168.1.100 ah 0x300 -A hmac-md5
        0x96358c90783bbfa3d7b196ceabe0536b;

This section lists the 128 bit keys for the 192.168.2.100 and 192.168.1.100 connection. Each IP pair has 2 keys - one for each direction (in and out). Each pair of machines needs to know the this information. So, this means that, for each pair of IP's, you need to generate a new key (hence why this works for small networks, but anything major probably wants a daemon to handle this. Maybe if I feel ambitious, I'll set mine up to use it and update this with that info).

Also, note the number right after the 'ah' for each of these keys. This number needs to be unique for each 'add' statement. These keys are generated as follows:

dd if=/dev/random count=16 bs=1| xxd -ps

Don't forget to add the 0x in front of it.

Similarly, this section:

add 192.168.1.100 192.168.2.100 esp 0x201 -E 3des-cbc
        0x7aeaca3f87d060a12f4a4487d5a5c3355920fae69a96c831;
add 192.168.2.100 192.168.1.100 esp 0x301 -E 3des-cbc
        0xf6ddb555acfd9d77b03ea3843f2653255afe8eb5573965df;

This works just like the AH keys, except that they are longer. Again, the number after 'esp' must be unique. These keys are generated as follows:

dd if=/dev/random count=24 bs=1| xxd -ps

Again, don't forget to add the 0x in front of it.

So, these top two sections should list keys for all the IP addresses that the machine cares about. These sections do not change when moving the file amongst machines on either side of a connection. That brings us to the next section:

spdadd 192.168.1.100 192.168.2.100 any -P out ipsec
           esp/transport//require
           ah/transport//require;

spdadd 192.168.2.100 192.168.1.100 any -P in ipsec
           esp/transport//require
           ah/transport//require;

This sets up the policies for in and out communications. So, the above version will work for 192.168.1.100, because all outgoing communication to 192.168.2.100 and all incoming communication from 192.168.2.100 will be encrypted. To use this on the other machine (192.168.2.100), flip the in and out directives, as follows:

spdadd 192.168.1.100 192.168.2.100 any -P in ipsec
           esp/transport//require
           ah/transport//require;

spdadd 192.168.2.100 192.168.1.100 any -P out ipsec
           esp/transport//require
           ah/transport//require;

3. Make the conf file not readable to the world:

sudo chmod 750 ipsec-tools.conf

Okay, do both sides of the connection have an ipsec-tools.conf? Everyone set? Good, now it gets easy.

4. It will be started at boot by default on systems, so you don't have to worry about that.

5. Also, starting it wouldn't hurt either (make sure to do this on both sides of the connection before trying to have them talk to each other; you could also reboot):

sudo /etc/init.d/setkey start