Date: Sun, 6 Feb 2022 17:35:03 GMT
Message-Id: <202202061735.216HZ3la056110@gitrepo.freebsd.org>
To: doc-committers@FreeBSD.org, dev-commits-doc-all@FreeBSD.org
From: "Danilo G. Baio"
Subject: git: 22ba0f6fe0 - main - handbook/security: Clarify information in IPSec setup
List-Id: Commit messages for all branches of the doc repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-doc-all
X-Git-Committer: dbaio
X-Git-Repository: doc
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: 22ba0f6fe07f7eaf042a44c037af361dac5e15c9

The branch main has been updated by dbaio:

URL: https://cgit.FreeBSD.org/doc/commit/?id=22ba0f6fe07f7eaf042a44c037af361dac5e15c9
commit 22ba0f6fe07f7eaf042a44c037af361dac5e15c9 Author: Ari Maniatis AuthorDate: 2022-02-03 05:33:53 +0000 Commit: Danilo G. Baio CommitDate: 2022-02-06 15:08:39 +0000 handbook/security: Clarify information in IPSec setup Reviewed by: dbaio Pull Request: https://github.com/freebsd/freebsd-doc/pull/55 --- .../content/en/books/handbook/security/_index.adoc | 67 ++++++++++++---------- 1 file changed, 38 insertions(+), 29 deletions(-) diff --git a/documentation/content/en/books/handbook/security/_index.adoc b/documentation/content/en/books/handbook/security/_index.adoc index 2725174d23..7cdfea38a9 100644 --- a/documentation/content/en/books/handbook/security/_index.adoc +++ b/documentation/content/en/books/handbook/security/_index.adoc @@ -1300,7 +1300,13 @@ In the example scenario: * Both sites are connected to the Internet through a gateway that is running FreeBSD. * The gateway on each network has at least one external IP address. In this example, the corporate LAN's external IP address is `172.16.5.4` and the home LAN's external IP address is `192.168.1.12`. -* The internal addresses of the two networks can be either public or private IP addresses. However, the address space must not collide. For example, both networks cannot use `192.168.1.x`. In this example, the corporate LAN's internal IP address is `10.246.38.1` and the home LAN's internal IP address is `10.0.0.5`. +* The internal addresses of the two networks can be either public or private IP addresses. However, the address space must not overlap. In this example, the corporate LAN's internal IP address is `10.246.38.1` and the home LAN's internal IP address is `10.0.0.5`. + +[.programlisting] +.... + corporate home +10.246.38.1/24 -- 172.16.5.4 <--> 192.168.1.12 -- 10.0.0.5/24 +.... === Configuring a VPN on FreeBSD 
@@ -1308,17 +1314,24 @@ To begin, package:security/ipsec-tools[] must be installed from the Ports Collec This software provides a number of applications which support the configuration. The next requirement is to create two man:gif[4] pseudo-devices which will be used to tunnel packets and allow both networks to communicate properly. -As `root`, run the following commands, replacing _internal_ and _external_ with the real IP addresses of the internal and external interfaces of the two gateways: +As `root`, run the following command on each gateway: + +[source,shell] +.... +corp-gw# ifconfig gif0 create +corp-gw# ifconfig gif0 10.246.38.1 10.0.0.5 +corp-gw# ifconfig gif0 tunnel 172.16.5.4 192.168.1.12 +.... [source,shell] .... -# ifconfig gif0 create -# ifconfig gif0 internal1 internal2 -# ifconfig gif0 tunnel external1 external2 +home-gw# ifconfig gif0 create +home-gw# ifconfig gif0 10.0.0.5 10.246.38.1 +home-gw# ifconfig gif0 tunnel 192.168.1.12 172.16.5.4 .... -Verify the setup on each gateway, using `ifconfig`. -Here is the output from Gateway 1: +Verify the setup on each gateway, using `ifconfig gif0`. +Here is the output from the home gateway: [.programlisting] .... @@ -1328,7 +1341,7 @@ inet6 fe80::2e0:81ff:fe02:5881%gif0 prefixlen 64 scopeid 0x6 inet 10.246.38.1 --> 10.0.0.5 netmask 0xffffff00 .... -Here is the output from Gateway 2: +Here is the output from the corporate gateway: [.programlisting] .... @@ -1342,7 +1355,7 @@ Once complete, both internal IP addresses should be reachable using man:ping[8]: [source,shell] .... -priv-net# ping 10.0.0.5 +home-gw# ping 10.0.0.5 PING 10.0.0.5 (10.0.0.5): 56 data bytes 64 bytes from 10.0.0.5: icmp_seq=0 ttl=64 time=42.786 ms 64 bytes from 10.0.0.5: icmp_seq=1 ttl=64 time=19.255 ms 
@@ -1352,7 +1365,7 @@ PING 10.0.0.5 (10.0.0.5): 56 data bytes 4 packets transmitted, 4 packets received, 0% packet loss round-trip min/avg/max/stddev = 19.255/25.879/42.786/9.782 ms -corp-net# ping 10.246.38.1 +corp-gw# ping 10.246.38.1 PING 10.246.38.1 (10.246.38.1): 56 data bytes 64 bytes from 10.246.38.1: icmp_seq=0 ttl=64 time=28.106 ms 64 bytes from 10.246.38.1: icmp_seq=1 ttl=64 time=42.917 ms 
@@ -1365,48 +1378,44 @@ round-trip min/avg/max/stddev = 28.106/94.594/154.524/49.814 ms .... As expected, both sides have the ability to send and receive ICMP packets from the privately configured addresses. -Next, both gateways must be told how to route packets in order to correctly send traffic from either network. +Next, both gateways must be told how to route packets in order to correctly send traffic from the networks behind each gateway. The following commands will achieve this goal: [source,shell] .... -corp-net# route add 10.0.0.0 10.0.0.5 255.255.255.0 -corp-net# route add net 10.0.0.0: gateway 10.0.0.5 -priv-net# route add 10.246.38.0 10.246.38.1 255.255.255.0 -priv-net# route add host 10.246.38.0: gateway 10.246.38.1 +corp-gw# route add 10.0.0.0 10.0.0.5 255.255.255.0 +corp-gw# route add net 10.0.0.0: gateway 10.0.0.5 +home-gw# route add 10.246.38.0 10.246.38.1 255.255.255.0 +home-gw# route add host 10.246.38.0: gateway 10.246.38.1 .... -At this point, internal machines should be reachable from each gateway as well as from machines behind the gateways. +Internal machines should be reachable from each gateway as well as from machines behind the gateways. Again, use man:ping[8] to confirm: [source,shell] .... 
-corp-net# ping 10.0.0.8 +corp-gw# ping -c 3 10.0.0.8 PING 10.0.0.8 (10.0.0.8): 56 data bytes 64 bytes from 10.0.0.8: icmp_seq=0 ttl=63 time=92.391 ms 64 bytes from 10.0.0.8: icmp_seq=1 ttl=63 time=21.870 ms 64 bytes from 10.0.0.8: icmp_seq=2 ttl=63 time=198.022 ms -64 bytes from 10.0.0.8: icmp_seq=3 ttl=63 time=22.241 ms -64 bytes from 10.0.0.8: icmp_seq=4 ttl=63 time=174.705 ms --- 10.0.0.8 ping statistics --- -5 packets transmitted, 5 packets received, 0% packet loss +3 packets transmitted, 3 packets received, 0% packet loss round-trip min/avg/max/stddev = 21.870/101.846/198.022/74.001 ms -priv-net# ping 10.246.38.107 +home-gw# ping -c 3 10.246.38.107 PING 10.246.38.1 (10.246.38.107): 56 data bytes 64 bytes from 10.246.38.107: icmp_seq=0 ttl=64 time=53.491 ms 64 bytes from 10.246.38.107: icmp_seq=1 ttl=64 time=23.395 ms 64 bytes from 10.246.38.107: icmp_seq=2 ttl=64 time=23.865 ms -64 bytes from 10.246.38.107: icmp_seq=3 ttl=64 time=21.145 ms -64 bytes from 10.246.38.107: icmp_seq=4 ttl=64 time=36.708 ms --- 10.246.38.107 ping statistics --- -5 packets transmitted, 5 packets received, 0% packet loss +3 packets transmitted, 3 packets received, 0% packet loss round-trip min/avg/max/stddev = 21.145/31.721/53.491/12.179 ms .... -Setting up the tunnels is the easy part. Configuring a secure link is a more in depth process. -The following configuration uses pre-shared (PSK) RSA keys. -Other than the IP addresses, the [.filename]#/usr/local/etc/racoon/racoon.conf# on both gateways will be identical and look similar to: +At this point, traffic is flowing between the networks encapsulated in a gif tunnel but without any encryption. +Next, use IPSec to encrypt traffic using pre-shared keys (PSK). +Other than the IP addresses, [.filename]#/usr/local/etc/racoon/racoon.conf# on both gateways will be identical and look similar to: [.programlisting] .... 
@@ -1496,7 +1505,7 @@ The output should be similar to the following: [source,shell] .... -corp-net# /usr/local/sbin/racoon -F -f /usr/local/etc/racoon/racoon.conf +corp-gw# /usr/local/sbin/racoon -F -f /usr/local/etc/racoon/racoon.conf Foreground mode. 2006-01-30 01:35:47: INFO: begin Identity Protection mode. 2006-01-30 01:35:48: INFO: received Vendor ID: KAME/racoon @@ -1515,7 +1524,7 @@ Replace `em0` with the network interface card as required: [source,shell] .... -# tcpdump -i em0 host 172.16.5.4 and dst 192.168.1.12 +corp-gw# tcpdump -i em0 host 172.16.5.4 and dst 192.168.1.12 .... Data similar to the following should appear on the console.
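Review bot: In the first hunk (@@ -1300), the new diagram attaches a /24 prefix to single host addresses (`10.246.38.1/24`, `10.0.0.5/24`), and the bullet above it calls these the corporate and home LAN "internal IP address"; they are the gateways' internal addresses, and the networks behind them are 10.246.38.0/24 and 10.0.0.0/24, which is exactly what the route commands later in the patch add. Suggest drawing LANs and gateways separately, e.g. `10.246.38.0/24 -- corp-gw (10.246.38.1 / 172.16.5.4) <--> home-gw (192.168.1.12 / 10.0.0.5) -- 10.0.0.0/24`, and wording the bullet as "the corporate gateway's internal address is 10.246.38.1". The "external" addresses in the same bullet (172.16.5.4, 192.168.1.12) are RFC 1918 ranges, so a one-clause remark that they stand in for real public addresses would stop readers copying them as-is.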
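Review bot: In the ifconfig hunk (@@ -1308), the relabelled output is attributed to the wrong gateway: the block introduced by "Here is the output from the home gateway:" ends with `inet 10.246.38.1 --> 10.0.0.5 netmask 0xffffff00`, i.e. local 10.246.38.1 and peer 10.0.0.5, which is what the corp-gw commands just above (`ifconfig gif0 10.246.38.1 10.0.0.5`) produce; the home gateway, configured as `ifconfig gif0 10.0.0.5 10.246.38.1`, would show `inet 10.0.0.5 --> 10.246.38.1`. Swap the two labels (or the two output blocks) so the address pairs match the commands. Also, "run the following command on each gateway" introduces three commands per gateway and the two blocks differ, so "commands" and a short "On the corporate gateway:" / "On the home gateway:" line above each block would be clearer than one sentence for both.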
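Review bot: In the first ping hunk (@@ -1355 and @@ -1365), renaming the prompts leaves each gateway pinging its own tunnel endpoint: `home-gw# ping 10.0.0.5` targets the home gateway's own gif0 address and `corp-gw# ping 10.246.38.1` the corporate gateway's own, so neither proves the tunnel carries traffic (a self-ping succeeds with gif0 down). The pre-patch `priv-net`/`corp-net` prompts had the same problem, but since the hunk touches these lines, swap them to `corp-gw# ping 10.0.0.5` and `home-gw# ping 10.246.38.1` so the test matches the sentence "both internal IP addresses should be reachable"; the ttl=64 in the replies is consistent with a directly connected peer, so the transcripts themselves need no change.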
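Review bot: In the route hunk (@@ -1378), the second and fourth lines (`corp-gw# route add net 10.0.0.0: gateway 10.0.0.5` and `home-gw# route add host 10.246.38.0: gateway 10.246.38.1`) are route(8)'s output from the command above each of them, not commands; giving them a prompt turns them into something a reader will type and get a usage error from. Drop the prompt on those two lines and, since they are being rewritten anyway, use the explicit form `route add -net 10.0.0.0/24 10.0.0.5` on corp-gw and `route add -net 10.246.38.0/24 10.246.38.1` on home-gw. The existing output `add host 10.246.38.0` also shows that the positional-netmask invocation produced a host route for 10.246.38.0, which does not cover 10.246.38.107, so the later `home-gw# ping -c 3 10.246.38.107` transcript (whose header `PING 10.246.38.1 (10.246.38.107)` also mismatches its target) does not follow from the commands as shown; `-net` with a CIDR prefix removes the ambiguity.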
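Review bot: In the same hunk (@@ -1378), the new sentence "traffic is flowing between the networks encapsulated in a gif tunnel but without any encryption" is the right warning but understates it: until the IPsec policy is installed, gif provides neither confidentiality nor authentication, so anything on the path between 172.16.5.4 and 192.168.1.12 can read the inner 10.x traffic and inject packets into either LAN. Suggest "without any encryption or authentication" and a sentence advising that the routes from the previous step be added only after the racoon configuration that follows is in place, so the private networks are never bridged in the clear. The change from "pre-shared (PSK) RSA keys" to "pre-shared keys (PSK)" is correct; PSK and RSA are alternative authentication methods, not one thing.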
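Review bot: In the tcpdump hunk (@@ -1524), the prompt rename is consistent with the earlier hunks (corp-gw owns 172.16.5.4), but the filter `host 172.16.5.4 and dst 192.168.1.12` matches every packet between the two external addresses, including the plaintext gif encapsulation if the security policy is not yet active, so the sentence "Data similar to the following should appear" cannot by itself tell the reader whether the link is protected. Suggest `tcpdump -ni em0 ip proto 50 and host 172.16.5.4 and host 192.168.1.12` (ESP only) and a clause that inner 10.246.38.x / 10.0.0.x addresses must not be visible in the capture once IPsec is up.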