ipsec.html

FreeBSD安装说明概述 FreeBSD 提供了一个以文字为主

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta name="generator" content="HTML Tidy, see www.w3.org" />
<title>VPN over IPsec</title>
<meta name="GENERATOR" content="Modular DocBook HTML Stylesheet Version 1.7" />
<link rel="HOME" title="FreeBSD 使用手册" href="index.html" />
<link rel="UP" title="安全" href="security.html" />
<link rel="PREVIOUS" title="OpenSSL" href="openssl.html" />
<link rel="NEXT" title="OpenSSH" href="openssh.html" />
<link rel="STYLESHEET" type="text/css" href="docbook.css" />
<meta http-equiv="Content-Type" content="text/html; charset=GB2312" />
</head>
<body class="SECT1" bgcolor="#FFFFFF" text="#000000" link="#0000FF" vlink="#840084"
alink="#0000FF">
<div class="NAVHEADER">
<table summary="Header navigation table" width="100%" border="0" cellpadding="0"
cellspacing="0">
<tr>
<th colspan="3" align="center">FreeBSD 使用手册</th>
</tr>

<tr>
<td width="10%" align="left" valign="bottom"><a href="openssl.html"
accesskey="P">Prev</a></td>
<td width="80%" align="center" valign="bottom">Chapter 10. 安全</td>
<td width="10%" align="right" valign="bottom"><a href="openssh.html"
accesskey="N">Next</a></td>
</tr>
</table>

<hr align="LEFT" width="100%" />
</div>

<div class="SECT1">
<h1 class="SECT1"><a id="IPSEC" name="IPSEC">10.10. VPN over IPsec</a></h1>

<i class="AUTHORGROUP"><span class="CONTRIB">Written by</span> Nik Clayton.</i> 

<p>Creating a VPN between two networks, separated by the Internet, using FreeBSD
gateways.</p>

<div class="SECT2">
<h2 class="SECT2"><a id="AEN12547" name="AEN12547">10.10.1. Understanding IPsec</a></h2>

<i class="AUTHORGROUP"><span class="CONTRIB">Written by</span> Hiten M. Pandya.</i> 

<p>This section will guide you through the process of setting up IPsec, and to use it in
an environment which consists of FreeBSD and <b class="APPLICATION"><span
class="TRADEMARK">Microsoft</span>&reg;&nbsp;<span class="TRADEMARK">Windows</span>&reg;
2000/XP</b> machines, to make them communicate securely. In order to set up IPsec, it is
necessary that you are familiar with the concepts of building a custom kernel (see <a
href="kernelconfig.html">Chapter 9</a>).</p>

<p><span class="emphasis"><i class="EMPHASIS">IPsec</i></span> is a protocol which sits
on top of the Internet Protocol (IP) layer. It allows two or more hosts to communicate in
a secure manner (hence the name). The FreeBSD IPsec ``network stack'' is based on the <a
href="http://www.kame.net/" target="_top">KAME</a> implementation, which has support for
both protocol families, IPv4 and IPv6.</p>

<div class="NOTE">
<blockquote class="NOTE">
<p><b>Note:</b> FreeBSD 5.X contains a ``hardware accelerated'' IPsec stack, known as
``Fast IPsec'', that was obtained from OpenBSD. It employs cryptographic hardware
(whenever possible) via the <span class="CITEREFENTRY"><span
class="REFENTRYTITLE">crypto</span>(4)</span> subsystem to optimize the performance of
IPsec. This subsystem is new, and does not support all the features that are available in
the KAME version of IPsec. However, in order to enable hardware-accelerated IPsec, the
following kernel option has to be added to your kernel configuration file:</p>

<pre class="SCREEN">
options      FAST_IPSEC  # new IPsec (cannot define w/ IPSEC)
       
</pre>

<p>Note, that it is not currently possible to use the ``Fast IPsec'' subsystem in lue
with the KAME implementation of IPsec. Consult the <span class="CITEREFENTRY"><span
class="REFENTRYTITLE">fast_ipsec</span>(4)</span> manual page for more information.</p>
</blockquote>
</div>

<p>IPsec consists of two sub-protocols:</p>

<ul>
<li>
<p><span class="emphasis"><i class="EMPHASIS">Encapsulated Security Payload
(ESP)</i></span>, protects the IP packet data from third party interference, by
encrypting the contents using symmetric cryptography algorithms (like Blowfish,
3DES).</p>
</li>

<li>
<p><span class="emphasis"><i class="EMPHASIS">Authentication Header (AH)</i></span>,
protects the IP packet header from third party interference and spoofing, by computing a
cryptographic checksum and hashing the IP packet header fields with a secure hashing
function. This is then followed by an additional header that contains the hash, to allow
the information in the packet to be authenticated.</p>
</li>
</ul>

<p><acronym class="ACRONYM">ESP</acronym> and <acronym class="ACRONYM">AH</acronym> can
either be used together or separately, depending on the environment.</p>

<p>IPsec can either be used to directly encrypt the traffic between two hosts (known as
<span class="emphasis"><i class="EMPHASIS">Transport Mode</i></span>); or to build
``virtual tunnels'' between two subnets, which could be used for secure communication
between two corporate networks (known as <span class="emphasis"><i
class="EMPHASIS">Tunnel Mode</i></span>). The latter is more commonly known as a <span
class="emphasis"><i class="EMPHASIS">Virtual Private Network (VPN)</i></span>. The <span
class="CITEREFENTRY"><span class="REFENTRYTITLE">ipsec</span>(4)</span> manual page
should be consulted for detailed information on the IPsec subsystem in FreeBSD.</p>

<p>To add IPsec support to your kernel, add the following options to your kernel
configuration file:</p>

<pre class="SCREEN">
options   IPSEC        #IP security
options   IPSEC_ESP    #IP security (crypto; define w/ IPSEC)
     
</pre>

<p>If IPsec debugging support is desired, the following kernel option should also be
added:</p>

<pre class="SCREEN">
options   IPSEC_DEBUG  #debug for IP security
     
</pre>
</div>

<div class="SECT2">
<h2 class="SECT2"><a id="AEN12603" name="AEN12603">10.10.2. The Problem</a></h2>

<p>There's no standard for what constitutes a VPN. VPNs can be implemented using a number
of different technologies, each of which have their own strengths and weaknesses. This
article presents a number of scenarios, and strategies for implementing a VPN for each
scenario.</p>
</div>

<div class="SECT2">
<h2 class="SECT2"><a id="AEN12606" name="AEN12606">10.10.3. Scenario #1: Two networks,
connected to the Internet, to behave as one</a></h2>

<p>This is the scenario that caused me to first investigating VPNs. The premise is as
follows:</p>

<ul>
<li>
<p>You have at least two sites</p>
</li>

<li>
<p>Both sites are using IP internally</p>
</li>

<li>
<p>Both sites are connected to the Internet, through a gateway that is running
FreeBSD.</p>
</li>

<li>
<p>The gateway on each network has at least one public IP address.</p>
</li>

<li>
<p>The internal addresses of the two networks can be public or private IP addresses, it
doesn't matter. You can be running NAT on the gateway machine if necessary.</p>
</li>

<li>
<p>The internal IP addresses of the two networks <span class="emphasis"><i
class="EMPHASIS">do not collide</i></span>. While I expect it is theoretically possible
to use a combination of VPN technology and NAT to get this to work, I expect it to be a
configuration nightmare.</p>
</li>
</ul>

<p>If you find that you are trying to connect two networks, both of which, internally,
use the same private IP address range (e.g., both of them use <tt
class="HOSTID">192.168.1.x</tt>), then one of the networks will have to be
renumbered.</p>

<p>The network topology might look something like this:</p>

<p><img src="security/ipsec-network.png" align="CENTER" /></p>

<p>Notice the two public IP addresses. I'll use the letters to refer to them in the rest
of this article. Anywhere you see those letters in this article, replace them with your
own public IP addresses. Note also that internally, the two gateway machines have .1 IP
addresses, and that the two networks have different private IP addresses (<tt
class="HOSTID">192.168.1.x</tt> and <tt class="HOSTID">192.168.2.x</tt> respectively).
All the machines on the private networks have been configured to use the <tt
class="HOSTID">.1</tt> machine as their default gateway.</p>

<p>The intention is that, from a network point of view, each network should view the
machines on the other network as though they were directly attached the same router --
albeit a slightly slow router with an occasional tendency to drop packets.</p>

<p>This means that (for example), machine <tt class="HOSTID">192.168.1.20</tt> should be
able to run</p>

<pre class="PROGRAMLISTING">
ping 192.168.2.34
</pre>

<p>and have it work, transparently. <span class="TRADEMARK">Windows</span> machines
should be able to see the machines on the other network, browse file shares, and so on,
in exactly the same way that they can browse machines on the local network.</p>

<p>And the whole thing has to be secure. This means that traffic between the two networks
has to be encrypted.</p>

<p>Creating a VPN between these two networks is a multi-step process. The stages are as
follows:</p>

<ol type="1">
<li>
<p>Create a ``virtual'' network link between the two networks, across the Internet. Test
it, using tools like <span class="CITEREFENTRY"><span
class="REFENTRYTITLE">ping</span>(8)</span>, to make sure it works.</p>
</li>

<li>
<p>Apply security policies to ensure that traffic between the two networks is
transparently encrypted and decrypted as necessary. Test this, using tools like <span
class="CITEREFENTRY"><span class="REFENTRYTITLE">tcpdump</span>(1)</span>, to ensure that
traffic is encrypted.</p>
</li>

<li>
<p>Configure additional software on the FreeBSD gateways, to allow <span
class="TRADEMARK">Windows</span> machines to see one another across the VPN.</p>
</li>
</ol>

<div class="SECT3">
<h3 class="SECT3"><a id="AEN12658" name="AEN12658">10.10.3.1. Step 1: Creating and
testing a ``virtual'' network link</a></h3>

<p>Suppose that you were logged in to the gateway machine on network #1 (with public IP
address <tt class="HOSTID">A.B.C.D</tt>, private IP address <tt
class="HOSTID">192.168.1.1</tt>), and you ran <tt class="COMMAND">ping 192.168.2.1</tt>,
which is the private address of the machine with IP address <tt
class="HOSTID">W.X.Y.Z</tt>. What needs to happen in order for this to work?</p>

<ol type="1">
<li>
<p>The gateway machine needs to know how to reach <tt class="HOSTID">192.168.2.1</tt>. In
other words, it needs to have a route to <tt class="HOSTID">192.168.2.1</tt>.</p>
</li>

<li>
<p>Private IP addresses, such as those in the <tt class="HOSTID">192.168.x</tt> range are
not supposed to appear on the Internet at large. Instead, each packet you send to <tt
class="HOSTID">192.168.2.1</tt> will need to be wrapped up inside another packet. This
packet will need to appear to be from <tt class="HOSTID">A.B.C.D</tt>, and it will have
to be sent to <tt class="HOSTID">W.X.Y.Z</tt>. This process is called <i
class="FIRSTTERM">encapsulation</i>.</p>
</li>

<li>
<p>Once this packet arrives at <tt class="HOSTID">W.X.Y.Z</tt> it will need to
``unencapsulated'', and delivered to <tt class="HOSTID">192.168.2.1</tt>.</p>
</li>
</ol>

<p>You can think of this as requiring a ``tunnel'' between the two networks. The two
``tunnel mouths'' are the IP addresses <tt class="HOSTID">A.B.C.D</tt> and <tt
class="HOSTID">W.X.Y.Z</tt>, and the tunnel must be told the addresses of the private IP
addresses that will be allowed to pass through it. The tunnel is used to transfer traffic
with private IP addresses across the public Internet.</p>

<p>This tunnel is created by using the generic interface, or <tt
class="DEVICENAME">gif</tt> devices on FreeBSD. As you can imagine, the <tt
class="DEVICENAME">gif</tt> interface on each gateway host must be configured with four
IP addresses; two for the public IP addresses, and two for the private IP addresses.</p>

<p>Support for the gif device must be compiled in to the FreeBSD kernel on both machines.
You can do this by adding the line:</p>

<pre class="PROGRAMLISTING">
pseudo-device gif
</pre>

<p>to the kernel configuration files on both machines, and then compile, install, and
reboot as normal.</p>