extern/shorewall_code
1
0
Fork 1
mirror of https://gitlab.com/shorewall/code.git synced 2025-06-24 11:41:26 +02:00
Code Issues Packages Projects Releases Wiki Activity

Correct capitalization of 'IPsec' in the IPsec-2.6 document

Browse Source 
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep 2015-06-29 15:35:23 -07:00
parent 0414166d6d
commit 37248c9698
1 changed files with 36 additions and 36 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

72
docs/IPSEC-2.6.xml
View File

@ -5,7 +5,7 @@
<!--$Id$--> <!--$Id$-->
<articleinfo> <articleinfo>
<title>IPSEC</title> <title>IPsec</title>
<authorgroup> <authorgroup>
<author> <author>
@ -58,25 +58,25 @@
</caution> </caution>
<important> <important>
<para><emphasis role="bold">Shorewall does not configure IPSEC for <para><emphasis role="bold">Shorewall does not configure IPsec for
you</emphasis> -- it rather configures netfilter to accommodate your IPSEC you</emphasis> -- it rather configures netfilter to accommodate your IPsec
configuration.</para> configuration.</para>
</important> </important>
<important> <important>
<para>The information in this article is only applicable if you plan to <para>The information in this article is only applicable if you plan to
have IPSEC end-points on the same system where Shorewall is used.</para> have IPsec end-points on the same system where Shorewall is used.</para>
</important> </important>
<important> <important>
<para>While this <emphasis role="bold">article shows configuration of <para>While this <emphasis role="bold">article shows configuration of
IPSEC using ipsec-tools</emphasis>, <emphasis role="bold">Shorewall IPsec using ipsec-tools</emphasis>, <emphasis role="bold">Shorewall
configuration is exactly the same when using OpenSwan</emphasis> or configuration is exactly the same when using OpenSwan</emphasis> or
FreeSwan.</para> FreeSwan.</para>
</important> </important>
<warning> <warning>
<para>When running a Linux kernel prior to 2.6.20, the Netfilter+ipsec and <para>When running a Linux kernel prior to 2.6.20, the Netfilter+IPsec and
policy match support are broken when used with a bridge device. The policy match support are broken when used with a bridge device. The
problem was corrected in Kernel 2.6.20 as a result of the removal of problem was corrected in Kernel 2.6.20 as a result of the removal of
deferred FORWARD/OUTPUT processing of traffic destined for a bridge. See deferred FORWARD/OUTPUT processing of traffic destined for a bridge. See
@ -85,10 +85,10 @@
</warning> </warning>
<section id="Overview"> <section id="Overview">
<title>Shorwall and Kernel 2.6 IPSEC</title> <title>Shorwall and Kernel 2.6 IPsec</title>
<para>This is <emphasis role="bold">not</emphasis> a HOWTO for Kernel 2.6 <para>This is <emphasis role="bold">not</emphasis> a HOWTO for Kernel 2.6
IPSEC -- for that, please see <ulink IPsec -- for that, please see <ulink
url="http://www.ipsec-howto.org/">http://www.ipsec-howto.org/</ulink>.</para> url="http://www.ipsec-howto.org/">http://www.ipsec-howto.org/</ulink>.</para>
<para>The 2.6 Linux Kernel introduced new facilities for defining <para>The 2.6 Linux Kernel introduced new facilities for defining
@ -107,7 +107,7 @@
traffic is verified against the SPD to ensure that no unencrypted traffic traffic is verified against the SPD to ensure that no unencrypted traffic
is accepted in violation of the administrator's policies.</para> is accepted in violation of the administrator's policies.</para>
<para>There are three ways in which IPSEC traffic can interact with <para>There are three ways in which IPsec traffic can interact with
Shorewall policies and rules:</para> Shorewall policies and rules:</para>
<orderedlist> <orderedlist>
@ -136,7 +136,7 @@
by normal rules and policies.</para> by normal rules and policies.</para>
<para>Under the 2.4 Linux Kernel, the association of unencrypted traffic <para>Under the 2.4 Linux Kernel, the association of unencrypted traffic
and zones was made easy by the presence of IPSEC pseudo-interfaces with and zones was made easy by the presence of IPsec pseudo-interfaces with
names of the form <filename class="devicefile">ipsecN</filename> (e.g. names of the form <filename class="devicefile">ipsecN</filename> (e.g.
<filename class="devicefile">ipsec0</filename>). Outgoing unencrypted <filename class="devicefile">ipsec0</filename>). Outgoing unencrypted
traffic (case 1.) was sent through an <filename traffic (case 1.) was sent through an <filename
@ -175,7 +175,7 @@
</orderedlist> </orderedlist>
<para>In summary, Shorewall provides the facilities to replace the use of <para>In summary, Shorewall provides the facilities to replace the use of
ipsec pseudo-interfaces in zone and MASQUERADE/SNAT definition.</para> IPsec pseudo-interfaces in zone and MASQUERADE/SNAT definition.</para>
<para>There are two cases to consider:</para> <para>There are two cases to consider:</para>
@ -226,15 +226,15 @@
ipsec-tools and racoon although the ipsec-tools project releases them as a ipsec-tools and racoon although the ipsec-tools project releases them as a
single package.</para> single package.</para>
<para>For more information on IPSEC, Kernel 2.6 and Shorewall see <ulink <para>For more information on IPsec, Kernel 2.6 and Shorewall see <ulink
url="LinuxFest.pdf">my presentation on the subject given at LinuxFest NW url="LinuxFest.pdf">my presentation on the subject given at LinuxFest NW
2005</ulink>. Be warned though that the presentation is based on Shorewall 2005</ulink>. Be warned though that the presentation is based on Shorewall
2.2 and there are some differences in the details of how IPSEC is 2.2 and there are some differences in the details of how IPsec is
configured.</para> configured.</para>
</section> </section>
<section id="GwFw"> <section id="GwFw">
<title>IPSec Gateway on the Firewall System</title> <title>IPsec Gateway on the Firewall System</title>
<para>Suppose that we have the following situation:</para> <para>Suppose that we have the following situation:</para>
@ -248,7 +248,7 @@
<orderedlist numeration="loweralpha"> <orderedlist numeration="loweralpha">
<listitem> <listitem>
<para>Open the firewall so that the IPSEC tunnel can be established <para>Open the firewall so that the IPsec tunnel can be established
(allow the ESP protocol and UDP Port 500).</para> (allow the ESP protocol and UDP Port 500).</para>
</listitem> </listitem>
@ -257,7 +257,7 @@
</listitem> </listitem>
</orderedlist> </orderedlist>
<para>Opening the firewall for the IPSEC tunnel is accomplished by adding <para>Opening the firewall for the IPsec tunnel is accomplished by adding
an entry to the <filename>/etc/shorewall/tunnels</filename> file.</para> an entry to the <filename>/etc/shorewall/tunnels</filename> file.</para>
<para>In <filename>/etc/shorewall/tunnels</filename> on system A, we need <para>In <filename>/etc/shorewall/tunnels</filename> on system A, we need
@ -357,7 +357,7 @@ ACCEPT vpn:134.28.54.2 $FW</programlisting>
below).</para> below).</para>
<para>Once you have these entries in place, restart Shorewall (type <para>Once you have these entries in place, restart Shorewall (type
shorewall restart); you are now ready to configure IPSEC.</para> shorewall restart); you are now ready to configure IPsec.</para>
<para>For full encrypted connectivity in this configuration (between the <para>For full encrypted connectivity in this configuration (between the
subnets, between each subnet and the opposite gateway, and between the subnets, between each subnet and the opposite gateway, and between the
@ -450,7 +450,7 @@ sainfo address 192.168.1.0/24 any address 134.28.54.2/32 any
}</programlisting> }</programlisting>
<warning> <warning>
<para>If you have hosts that access the Internet through an IPSEC <para>If you have hosts that access the Internet through an IPsec
tunnel, then it is a good idea to set the MSS value for traffic from tunnel, then it is a good idea to set the MSS value for traffic from
those hosts explicitly in the those hosts explicitly in the
<filename>/etc/shorewall/zones</filename> file. For example, if hosts <filename>/etc/shorewall/zones</filename> file. For example, if hosts
@ -467,8 +467,8 @@ sec ipsec mode=tunnel <emphasis role="bold">mss=1400</emphasis
adjusted.</para> adjusted.</para>
<para>Note that CLAMPMSS=Yes in <filename>shorewall.conf</filename> <para>Note that CLAMPMSS=Yes in <filename>shorewall.conf</filename>
isn't effective with the 2.6 native IPSEC implementation because there isn't effective with the 2.6 native IPsec implementation because there
is no separate ipsec device with a lower mtu as there was under the is no separate IPsec device with a lower mtu as there was under the
2.4 and earlier kernels.</para> 2.4 and earlier kernels.</para>
</warning> </warning>
</blockquote> </blockquote>
@ -556,7 +556,7 @@ vpn eth0:0.0.0.0/0
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
</blockquote> </blockquote>
<para>On system A, here are the IPSEC files:</para> <para>On system A, here are the IPsec files:</para>
<blockquote> <blockquote>
<para><filename>/etc/racoon/racoon.conf</filename> - System A:</para> <para><filename>/etc/racoon/racoon.conf</filename> - System A:</para>
@ -606,7 +606,7 @@ spdflush;</programlisting>
running ipsec-tools (racoon) 0.5rc1 or later.</para> running ipsec-tools (racoon) 0.5rc1 or later.</para>
<para>On the mobile system (system B), it is not possible to create a <para>On the mobile system (system B), it is not possible to create a
static IPSEC configuration because the IP address of the laptop's static IPsec configuration because the IP address of the laptop's
Internet connection isn't static. I have created an 'ipsecvpn' script Internet connection isn't static. I have created an 'ipsecvpn' script
and included in the tarball and in the RPM's documentation directory; and included in the tarball and in the RPM's documentation directory;
this script can be used to start and stop the connection.</para> this script can be used to start and stop the connection.</para>
@ -620,7 +620,7 @@ spdflush;</programlisting>
# #
INTERFACE=eth0 INTERFACE=eth0
# #
# Remote IPSEC Gateway # Remote IPsec Gateway
# #
GATEWAY=206.162.148.9 GATEWAY=206.162.148.9
# #
@ -675,10 +675,10 @@ RACOON=/usr/sbin/racoon</programlisting>
you read it thoroughly and understand it. The setup described in this you read it thoroughly and understand it. The setup described in this
section is more complex because you are including an additional layer of section is more complex because you are including an additional layer of
tunneling. Again, make sure that you have read the previous section and it tunneling. Again, make sure that you have read the previous section and it
is highly recommended to have the IPSEC-only configuration working is highly recommended to have the IPsec-only configuration working
first.</para> first.</para>
<para>Additionally, this section assumes that you are running IPSEC, <para>Additionally, this section assumes that you are running IPsec,
xl2tpd and pppd on the same system that is running shorewall. However, xl2tpd and pppd on the same system that is running shorewall. However,
configuration of these additional services is beyond the scope of this configuration of these additional services is beyond the scope of this
document.</para> document.</para>
@ -698,7 +698,7 @@ RACOON=/usr/sbin/racoon</programlisting>
MS Windows or Mac OS X) and you do not want them to have to install MS Windows or Mac OS X) and you do not want them to have to install
third party software in order to connect to the VPN (both MS Windows third party software in order to connect to the VPN (both MS Windows
and Mac OS X include VPN clients which natively support L2TP over and Mac OS X include VPN clients which natively support L2TP over
IPSEC, but not plain IPSEC).</para> IPsec, but not plain IPsec).</para>
</listitem> </listitem>
<listitem> <listitem>
@ -805,7 +805,7 @@ all all REJECT info
<programlisting>#ACTION SOURCE DEST PROTO DEST SOURCE <programlisting>#ACTION SOURCE DEST PROTO DEST SOURCE
# PORT(S) PORT(S) # PORT(S) PORT(S)
SECTION ESTABLISHED SECTION ESTABLISHED
# Prevent IPSEC bypass by hosts behind a NAT gateway # Prevent IPsec bypass by hosts behind a NAT gateway
L2TP(REJECT) net $FW L2TP(REJECT) net $FW
REJECT $FW net udp - 1701 REJECT $FW net udp - 1701
# l2tp over the IPsec VPN # l2tp over the IPsec VPN
@ -824,7 +824,7 @@ HTTPS(ACCEPT) l2tp $FW
<para>In today's wireless world, it is often the case that individual <para>In today's wireless world, it is often the case that individual
hosts in a network need to establish secure connections with the other hosts in a network need to establish secure connections with the other
hosts in that network. In that case, IPSEC transport mode is an hosts in that network. In that case, IPsec transport mode is an
appropriate solution.</para> appropriate solution.</para>
<para><graphic fileref="images/TransportMode.png"/>Here's an example using <para><graphic fileref="images/TransportMode.png"/>Here's an example using
@ -914,7 +914,7 @@ loc eth0:192.168.20.0/24
<para>It is worth noting that although <emphasis>loc</emphasis> is a <para>It is worth noting that although <emphasis>loc</emphasis> is a
sub-zone of <emphasis>net</emphasis>, because <emphasis>loc</emphasis> sub-zone of <emphasis>net</emphasis>, because <emphasis>loc</emphasis>
is an IPSEC-only zone it does not need to be defined before is an IPsec-only zone it does not need to be defined before
<emphasis>net</emphasis> in <emphasis>net</emphasis> in
<emphasis>/etc/shorewall/zones</emphasis>.</para> <emphasis>/etc/shorewall/zones</emphasis>.</para>
@ -938,7 +938,7 @@ all all REJECT info
<section id="ipcomp"> <section id="ipcomp">
<title>IPCOMP</title> <title>IPCOMP</title>
<para>If your IPSEC tunnel or transport mode connection fails to work with <para>If your IPsec tunnel or transport mode connection fails to work with
Shorewall started and you see log messages like the following when you try Shorewall started and you see log messages like the following when you try
to use the connection, the problem is that ip compression is being to use the connection, the problem is that ip compression is being
used.<programlisting>Feb 18 23:43:52 vpngw kernel: Shorewall:<emphasis used.<programlisting>Feb 18 23:43:52 vpngw kernel: Shorewall:<emphasis
@ -948,14 +948,14 @@ all all REJECT info
add an IPCOMP tunnel to /etc/shorewall/tunnels as follows:<programlisting>#TYPE ZONE GATEWAY GATEWAY add an IPCOMP tunnel to /etc/shorewall/tunnels as follows:<programlisting>#TYPE ZONE GATEWAY GATEWAY
# ZONE # ZONE
ipip <emphasis role="bold">vpn</emphasis> 0.0.0.0/0</programlisting>The ipip <emphasis role="bold">vpn</emphasis> 0.0.0.0/0</programlisting>The
above assumes that the name of your IPSEC vpn zone is above assumes that the name of your IPsec vpn zone is
<emphasis>vpn</emphasis>.</para> <emphasis>vpn</emphasis>.</para>
</section> </section>
<section id="XP"> <section id="XP">
<title>IPSEC and <trademark>Windows</trademark> XP</title> <title>IPsec and <trademark>Windows</trademark> XP</title>
<para>I have successfully configured my work laptop to use IPSEC with <para>I have successfully configured my work laptop to use IPsec with
X.509 certificates for wireless IP communication when it is undocked at X.509 certificates for wireless IP communication when it is undocked at
home. I looked at dozens of sites and the one I found most helpful was home. I looked at dozens of sites and the one I found most helpful was
<ulink <ulink
@ -974,7 +974,7 @@ ipip <emphasis role="bold">vpn</emphasis> 0.0.0.0/0</prog
do I generate a PKCS#12 certificate to import into Windows?". Here's the do I generate a PKCS#12 certificate to import into Windows?". Here's the
openssl command that I used:</para> openssl command that I used:</para>
<programlisting><command>openssl pkcs12 -export -in eastepnc6000.pem -inkey eastepnc6000_key.pem -out eastepnc6000.pfx -name "IPSEC Cert for Home Wireless"</command> </programlisting> <programlisting><command>openssl pkcs12 -export -in eastepnc6000.pem -inkey eastepnc6000_key.pem -out eastepnc6000.pfx -name "IPsec Cert for Home Wireless"</command> </programlisting>
<para>I was prompted for a password to associate with the certificate. <para>I was prompted for a password to associate with the certificate.
This password is entered on the Windows system during import.</para> This password is entered on the Windows system during import.</para>
@ -999,7 +999,7 @@ ipip <emphasis role="bold">vpn</emphasis> 0.0.0.0/0</prog
</listitem> </listitem>
<listitem> <listitem>
<para>"IPSEC Cert for Home Wireless" is the friendly name for the <para>"IPsec Cert for Home Wireless" is the friendly name for the
certificate.</para> certificate.</para>
</listitem> </listitem>
</itemizedlist> </itemizedlist>
@ -1007,7 +1007,7 @@ ipip <emphasis role="bold">vpn</emphasis> 0.0.0.0/0</prog
<para>I started to write an article about how to do this, complete with <para>I started to write an article about how to do this, complete with
graphics captured from my laptop. I gave up. I had captured 12 images graphics captured from my laptop. I gave up. I had captured 12 images
and hadn't really started yet. The Windows interface for configuring and hadn't really started yet. The Windows interface for configuring
IPSEC is the worst GUI that I have ever used. What can be displayed on IPsec is the worst GUI that I have ever used. What can be displayed on
one split Emacs screen (racoon.conf plus setkey.conf) takes 20+ one split Emacs screen (racoon.conf plus setkey.conf) takes 20+
different dialog boxes on Windows XP!!!</para> different dialog boxes on Windows XP!!!</para>
</warning> </warning>