rgb_setup.txt

网上下到的一个很详细介绍VPN基础知识的资料

SAID, this time for ESP-3DES-CBC.

	gonzales# ipsec spi --edst 192.168.2.100 --spi 0x105 --proto esp \
		    --esp 3des \
		    --enckey 0x663066306630313663066306630313226630663066303132

This tells the IPSEC layer that packets destined to be processed with
DA=192.168.2.100, SPI=0x105, proto=esp, should be processed with 
ESP-DES-CBC, use 0x6630663066306630 as the DES-CBC Initialization Vector,
and use 0x663066306630313266306630663031326630663066303132 as the 3DES
key (the 3DES parity bits are ignored, so this yields the 168-bit 3DES
key). 

Next, we also want to authenticate the resulting packet, so we
create another SAID, this time for the AH-HMAC-MD5 transform:

	gonzales# ipsec spi --edst 192.168.2.100 --spi 0x106 --proto ah \
			--ah hmac-md5 \
			--authkey 0x66306630663031326630663066303132

To see the picture so far, type:

	gonzales# cat /proc/net/ipsec-spi

you should have:

	tun0x103@192.168.2.100 IPIP_proto_: dir=out  flags=0x0  
		192.168.2.110 -> 192.168.2.100
	ah0x106@192.168.2.100 AH_proto_MD5_auth_:  dir=out  alen=16  win=0
	esp0x105@192.168.2.100 ESP_proto_3DES_encrypt_NO_auth_: dir=out
		win=0  seq=0  bit=0x00000000  flags=0x0

Now comes the crucial step. What the original eroute add command did was to
establish that outgoing packets are to be processed with IP-in-IP
encapsulation first. Now, we need to "link" this transform (IPIP) to the ESP
transform and then the AH. We do that with the spigrp ("group SPIs")command:

	gonzales# ipsec spigrp 192.168.2.100 0x103 tun \
			192.168.2.100 0x105 esp \
			192.168.2.100 0x106 ah

To verify all this worked type:

	gonzales# cat /proc/net/ipsec-spigrp

should give you:

	tun0x103@192.168.2.100 esp0x105@192.168.2.100 ah0x106@192.168.2.100 


Now, on magellan, to receive and decode these packets, we need:

	magellan# ipsec spi --edst 192.168.2.100 --spi 0x105 --proto esp \
		    --esp 3des \
		    --enckey 0x663066306630313663066306630313226630663066303132
	magellan# ipsec spi --edst 192.168.2.100 --spi 0x106 --proto ah \
			--ah hmac-md5 \
			--authkey 0x66306630663031326630663066303132

since IP-in-IP does not need any special handling.  ESP and AH,
however, need the SAIDs to be established.  We use the same commands we
used for the outgoing packets on gonzales.

Typing:

	magellan# cat /proc/net/ipsec-spi 

should give us:

	ah0x106@192.168.2.100 AH_proto_MD5_auth_: dir=out  alen=16
		win=0  seq=0  bit=0x00000000  flags=0x0
	esp0x105@192.168.2.100 ESP_proto_3DES_encrypt_NO_auth_: dir=out
		win=0  seq=0  bit=0x00000000  flags=0x0

On magellan, now, we have to send things up the opposite way. Here are the
commands to use:



	magellan# ipsec spi --edst 192.168.2.110 --spi 0x113 --proto tun \
			--ip4 --src 192.168.2.100 --dst 192.168.2.110
	magellan# ipsec spi --edst 192.168.2.110 --spi 0x115 --proto esp \
		    --esp 3des \
		    --enckey 0x663066306630313663066306630313226630663066303132
	magellan# ipsec spi --edst 192.168.2.110 --spi 0x116 --proto ah \
			--ah hmac-md5 \
			--authkey 0x66306630663031326630663066303132

	magellan# ipsec spigrp 192.168.2.110 0x113 tun \
			192.168.2.110 esp 0x115 \
			192.168.2.110 ah 0x116
	magellan# ipsec eroute --add --src 192.168.5.0/24 \
		   --dst 192.168.4.0/24 \
		   --edst 192.168.2.110 --spi 0x113 --proto tun
	magellan# route del 192.168.4.0 #(to clear any old routes)
	magellan# route add -net 192.168.4.0 netmask 255.255.255.0 dev ipsec0 \
			gw 192.168.2.110

Now, we also need to specify what will happen when gonzales receives
magellan's packets.

	gonzales# ipsec spi --edst 192.168.2.110 --spi 0x115 --proto esp \
		    --esp 3des \
		    --enckey 0x663066306630313663066306630313226630663066303132
	gonzales# ipsec spi --edst 192.168.2.110 --spi 0x116 --proto ah \
			--ah hmac-md5 \
			--authkey 0x66306630663031326630663066303132

To see the whole picture, type:

	gonzales# cat /proc/net/ipsec-spi

to get:

	tun0x103@192.168.2.100 IPIP_proto_:  dir=out  
		192.168.2.110 -> 192.168.2.100
	ah0x106@192.168.2.100 AH_proto_MD5_auth_: dir=out  alen=16
		win=0  seq=0  bit=0x00000000  flags=0x0
	esp0x105@192.168.2.100 ESP_proto_3DES_encrypt_NO_auth_: dir=out
		win=0  seq=0  bit=0x00000000  flags=0x0
	ah0x116@192.168.2.110 AH_proto_MD5_auth_: dir=in  alen=16
		win=0  seq=0  bit=0x00000000  flags=0x0
	esp0x115@192.168.2.110 ESP_proto_3DES_encrypt_NO_auth_: dir=in
		win=0  seq=0  bit=0x00000000  flags=0x0

Type:

	magellan# cat /proc/net/ipsec-eroute 

to get:

	192.168.5.0/24 -> 192.168.4.0/24 => esp0x113@192.168.4.0

and type:

	magellan# cat /proc/net/ipsec-spi 

to get:

	tun0x113@192.168.2.110 IPIP_proto_:  dir=out  
		192.168.2.100 -> 192.168.2.110
	ah0x116@192.168.2.110 AH_proto_MD5_auth_: dir=out  alen=16
		win=0  seq=0  bit=0x00000000  flags=0x0
	esp0x115@192.168.2.110 ESP_proto_3DES_encrypt_NO_auth_: dir=out
		win=0  seq=0  bit=0x00000000  flags=0x0
	ah0x106@192.168.2.100 AH_proto_MD5_auth_: dir=in  alen=16
		win=0  seq=0  bit=0x00000000  flags=0x0
	esp0x105@192.168.2.100 ESP_proto_3DES_encrypt_NO_auth_: dir=in
		win=0  seq=0  bit=0x00000000  flags=0x0

and type:

	magellan# cat /proc/net/ipsec-spigrp

to get:

	tun0x113@192.168.2.110 esp0x115@192.168.2.110 ah0x116@192.168.2.110 

If you ping ping5 from ping4, ICMP packets will leave ping4, reach
gonzales, get encapsulated in IPIP, encrypted with DES and authenticated
with HMAC-MD5, tunneled to magellan, get decapsulated, and then sent to ping5;
the return packets will follow the inverse path.

3.3  The whole routing picture.

For completeness, let us show part of the routing tables on all four machines:

gonzales# netstat -r -n
Kernel routing table
Destination     Gateway         Genmask         Flags Metric Ref Use    Iface
192.168.2.0     0.0.0.0         255.255.255.0   U     0      0        3 eth0
192.168.5.0     0.0.0.0         255.255.255.0   U     0      0        2 ipsec0
192.168.4.0     0.0.0.0         255.255.255.0   U     0      0        2 eth1
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        4 lo
0.0.0.0         <firewall>      0.0.0.0         UG    0      0        0 eth0

magellan# netstat -r -n
Kernel routing table
Destination     Gateway         Genmask         Flags Metric Ref Use    Iface
192.168.2.0     0.0.0.0         255.255.255.0   U     0      0        1 eth0
192.168.5.0     0.0.0.0         255.255.255.0   U     0      0        2 eth1
192.168.4.0     0.0.0.0         255.255.255.0   U     0      0        1 ipsec0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        1 lo
0.0.0.0         207.236.55.1    0.0.0.0         UG    0      0        0 eth2

ping4# netstat -r -n
Kernel routing table
Destination     Gateway         Genmask         Flags Metric Ref Use    Iface
192.168.5.0     192.168.4.110   255.255.255.0   UG    0      0        1 eth0
192.168.4.0     0.0.0.0         255.255.255.0   U     0      0        1 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        1 lo
0.0.0.0         192.168.4.110   0.0.0.0         UG    0      0        0 eth0

ping5# netstat -r -n
Kernel routing table
Destination     Gateway         Genmask         Flags Metric Ref Use    Iface
192.168.5.0     0.0.0.0         255.255.255.0   U     0      0        1 eth0
192.168.4.0     192.168.5.100   255.255.255.0   UG    0      0        1 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        1 lo
0.0.0.0         192.168.5.100   0.0.0.0         UG    0      0        0 eth0




	rgb, February 22, 1999

*
* $Log: rgb_setup.txt,v $
* Revision 1.6  1999/04/06 04:54:24  rgb
* Fix/Add RCSID Id: and Log: bits to make PHMDs happy.  This includes
* patch shell fixes.
*
*