diff --git a/docs/IPSEC-2.6.xml b/docs/IPSEC-2.6.xml index 863a67488..d9a91f69a 100644 --- a/docs/IPSEC-2.6.xml +++ b/docs/IPSEC-2.6.xml @@ -5,7 +5,7 @@ - IPSEC + IPsec @@ -58,25 +58,25 @@ - Shorewall does not configure IPSEC for - you -- it rather configures netfilter to accommodate your IPSEC + Shorewall does not configure IPsec for + you -- it rather configures netfilter to accommodate your IPsec configuration. The information in this article is only applicable if you plan to - have IPSEC end-points on the same system where Shorewall is used. + have IPsec end-points on the same system where Shorewall is used. While this article shows configuration of - IPSEC using ipsec-tools, Shorewall + IPsec using ipsec-tools, Shorewall configuration is exactly the same when using OpenSwan or FreeSwan. - When running a Linux kernel prior to 2.6.20, the Netfilter+ipsec and + When running a Linux kernel prior to 2.6.20, the Netfilter+IPsec and policy match support are broken when used with a bridge device. The problem was corrected in Kernel 2.6.20 as a result of the removal of deferred FORWARD/OUTPUT processing of traffic destined for a bridge. See @@ -85,10 +85,10 @@
- Shorwall and Kernel 2.6 IPSEC + Shorwall and Kernel 2.6 IPsec This is not a HOWTO for Kernel 2.6 - IPSEC -- for that, please see http://www.ipsec-howto.org/. The 2.6 Linux Kernel introduced new facilities for defining @@ -107,7 +107,7 @@ traffic is verified against the SPD to ensure that no unencrypted traffic is accepted in violation of the administrator's policies. - There are three ways in which IPSEC traffic can interact with + There are three ways in which IPsec traffic can interact with Shorewall policies and rules: @@ -136,7 +136,7 @@ by normal rules and policies. Under the 2.4 Linux Kernel, the association of unencrypted traffic - and zones was made easy by the presence of IPSEC pseudo-interfaces with + and zones was made easy by the presence of IPsec pseudo-interfaces with names of the form ipsecN (e.g. ipsec0). Outgoing unencrypted traffic (case 1.) was sent through an In summary, Shorewall provides the facilities to replace the use of - ipsec pseudo-interfaces in zone and MASQUERADE/SNAT definition. + IPsec pseudo-interfaces in zone and MASQUERADE/SNAT definition. There are two cases to consider: @@ -226,15 +226,15 @@ ipsec-tools and racoon although the ipsec-tools project releases them as a single package. - For more information on IPSEC, Kernel 2.6 and Shorewall see For more information on IPsec, Kernel 2.6 and Shorewall see my presentation on the subject given at LinuxFest NW 2005. Be warned though that the presentation is based on Shorewall - 2.2 and there are some differences in the details of how IPSEC is + 2.2 and there are some differences in the details of how IPsec is configured.
- IPSec Gateway on the Firewall System + IPsec Gateway on the Firewall System Suppose that we have the following situation: @@ -248,7 +248,7 @@ - Open the firewall so that the IPSEC tunnel can be established + Open the firewall so that the IPsec tunnel can be established (allow the ESP protocol and UDP Port 500). @@ -257,7 +257,7 @@ - Opening the firewall for the IPSEC tunnel is accomplished by adding + Opening the firewall for the IPsec tunnel is accomplished by adding an entry to the /etc/shorewall/tunnels file. In /etc/shorewall/tunnels on system A, we need @@ -357,7 +357,7 @@ ACCEPT vpn:134.28.54.2 $FW below). Once you have these entries in place, restart Shorewall (type - shorewall restart); you are now ready to configure IPSEC. + shorewall restart); you are now ready to configure IPsec. For full encrypted connectivity in this configuration (between the subnets, between each subnet and the opposite gateway, and between the @@ -450,7 +450,7 @@ sainfo address 192.168.1.0/24 any address 134.28.54.2/32 any } - If you have hosts that access the Internet through an IPSEC + If you have hosts that access the Internet through an IPsec tunnel, then it is a good idea to set the MSS value for traffic from those hosts explicitly in the /etc/shorewall/zones file. For example, if hosts @@ -467,8 +467,8 @@ sec ipsec mode=tunnel mss=1400 Note that CLAMPMSS=Yes in shorewall.conf - isn't effective with the 2.6 native IPSEC implementation because there - is no separate ipsec device with a lower mtu as there was under the + isn't effective with the 2.6 native IPsec implementation because there + is no separate IPsec device with a lower mtu as there was under the 2.4 and earlier kernels. @@ -556,7 +556,7 @@ vpn eth0:0.0.0.0/0 #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE - On system A, here are the IPSEC files: + On system A, here are the IPsec files:
/etc/racoon/racoon.conf - System A: @@ -606,7 +606,7 @@ spdflush; running ipsec-tools (racoon) 0.5rc1 or later. On the mobile system (system B), it is not possible to create a - static IPSEC configuration because the IP address of the laptop's + static IPsec configuration because the IP address of the laptop's Internet connection isn't static. I have created an 'ipsecvpn' script and included in the tarball and in the RPM's documentation directory; this script can be used to start and stop the connection. @@ -620,7 +620,7 @@ spdflush; # INTERFACE=eth0 # -# Remote IPSEC Gateway +# Remote IPsec Gateway # GATEWAY=206.162.148.9 # @@ -675,10 +675,10 @@ RACOON=/usr/sbin/racoon you read it thoroughly and understand it. The setup described in this section is more complex because you are including an additional layer of tunneling. Again, make sure that you have read the previous section and it - is highly recommended to have the IPSEC-only configuration working + is highly recommended to have the IPsec-only configuration working first. - Additionally, this section assumes that you are running IPSEC, + Additionally, this section assumes that you are running IPsec, xl2tpd and pppd on the same system that is running shorewall. However, configuration of these additional services is beyond the scope of this document. @@ -698,7 +698,7 @@ RACOON=/usr/sbin/racoon MS Windows or Mac OS X) and you do not want them to have to install third party software in order to connect to the VPN (both MS Windows and Mac OS X include VPN clients which natively support L2TP over - IPSEC, but not plain IPSEC). + IPsec, but not plain IPsec). @@ -805,7 +805,7 @@ all all REJECT info #ACTION SOURCE DEST PROTO DEST SOURCE # PORT(S) PORT(S) SECTION ESTABLISHED -# Prevent IPSEC bypass by hosts behind a NAT gateway +# Prevent IPsec bypass by hosts behind a NAT gateway L2TP(REJECT) net $FW REJECT $FW net udp - 1701 # l2tp over the IPsec VPN 
@@ -824,7 +824,7 @@ HTTPS(ACCEPT) l2tp $FW In today's wireless world, it is often the case that individual hosts in a network need to establish secure connections with the other - hosts in that network. In that case, IPSEC transport mode is an + hosts in that network. In that case, IPsec transport mode is an appropriate solution. Here's an example using @@ -914,7 +914,7 @@ loc eth0:192.168.20.0/24 It is worth noting that although loc is a sub-zone of net, because loc - is an IPSEC-only zone it does not need to be defined before + is an IPsec-only zone it does not need to be defined before net in /etc/shorewall/zones. @@ -938,7 +938,7 @@ all all REJECT info
IPCOMP - If your IPSEC tunnel or transport mode connection fails to work with + If your IPsec tunnel or transport mode connection fails to work with Shorewall started and you see log messages like the following when you try to use the connection, the problem is that ip compression is being used.Feb 18 23:43:52 vpngw kernel: Shorewall:#TYPE ZONE GATEWAY GATEWAY # ZONE ipip vpn 0.0.0.0/0The - above assumes that the name of your IPSEC vpn zone is + above assumes that the name of your IPsec vpn zone is vpn.
- IPSEC and <trademark>Windows</trademark> XP + IPsec and <trademark>Windows</trademark> XP - I have successfully configured my work laptop to use IPSEC with + I have successfully configured my work laptop to use IPsec with X.509 certificates for wireless IP communication when it is undocked at home. I looked at dozens of sites and the one I found most helpful was vpn 0.0.0.0/0 - openssl pkcs12 -export -in eastepnc6000.pem -inkey eastepnc6000_key.pem -out eastepnc6000.pfx -name "IPSEC Cert for Home Wireless" + openssl pkcs12 -export -in eastepnc6000.pem -inkey eastepnc6000_key.pem -out eastepnc6000.pfx -name "IPsec Cert for Home Wireless" I was prompted for a password to associate with the certificate. This password is entered on the Windows system during import. @@ -999,7 +999,7 @@ ipip vpn 0.0.0.0/0 - "IPSEC Cert for Home Wireless" is the friendly name for the + "IPsec Cert for Home Wireless" is the friendly name for the certificate. @@ -1007,7 +1007,7 @@ ipip vpn 0.0.0.0/0I started to write an article about how to do this, complete with graphics captured from my laptop. I gave up. I had captured 12 images and hadn't really started yet. The Windows interface for configuring - IPSEC is the worst GUI that I have ever used. What can be displayed on + IPsec is the worst GUI that I have ever used. What can be displayed on one split Emacs screen (racoon.conf plus setkey.conf) takes 20+ different dialog boxes on Windows XP!!!
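Review bot: in the hunk at @@ -85,10 the title line is touched but the "Shorwall" misspelling in it is left in place; since the line is already being rewritten for the IPSEC→IPsec change, fix both at once: `+ Shorewall and Kernel 2.6 IPsec`.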
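Review bot: the file itself stays at docs/IPSEC-2.6.xml while every occurrence in its body is changed to IPsec; if the path is kept deliberately so existing links to the document keep working, say so in the commit message, otherwise the rename looks incomplete.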
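Review bot: in the hunk at @@ -606,7 the context sentence "I have created an 'ipsecvpn' script and included in the tarball" is missing its object ("and included it in the tarball"); since the hunk already rewrites the neighbouring line, it is worth picking up this grammar fix in the same change.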
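Review bot: the hunk at @@ -938,7 leaves the "IPCOMP" section title in all caps and the body's "ip compression" in lower case while the rest of the patch normalises protocol-name capitalisation; if consistent casing is the goal of this change, apply the same treatment to that heading and sentence, otherwise note in the commit message that only the IPsec spelling is in scope.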