Update of /cvsroot/leaf/doc/guide/user-bering-uclibc
In directory sc8-pr-cvs1.sourceforge.net:/tmp/cvs-serv30540

Modified Files:
        book.xml bucu-upnpd.xml bucu-zebra.xml 
Added Files:
        bucu-openswan.xml bucu-tinyca.xml 
Log Message:
- small fix to zebra chapter (make multiple lines out of one in config example)
- added openswan chapter
- added tinyca chapter
- added images for new chapters


--- NEW FILE: bucu-tinyca.xml ---
<?xml version="1.0" encoding="UTF-8"?>
<chapter id="bucu-tinyca">
  <chapterinfo>
    <authorgroup>
      <author>
        <firstname>Arne</firstname>

        <surname>Bernin</surname>

        <affiliation>
          <address><email>arneb at users.sourceforge.net</email></address>
        </affiliation>
      </author>

    </authorgroup>

    <revhistory>
      <revision>
        <revnumber>0.1</revnumber>

        <date>2005-11-18</date>

        <authorinitials>AB</authorinitials>

        <revremark>Initial document</revremark>
      </revision>

    </revhistory>
  </chapterinfo>

  <title>Managing Certs with tinyca</title>

  <section>
    <title>Introduction</title>
    <para>Managing your certificates on your router is possible,
      but might be not a good idea regarding security. You also
      might want to have a graphical frontend for easy creating
      and managing your keys and certs. In this chapter you will
      find information on how to do this all with <ulink
        url="http://tinyca.sm-zone.net/"; >tinyca.</ulink></para>

    <para>Tinyca is a GTK based Frontend for creating and maintaining
      certificates with openssl. It is written in perl, to be able
      to use it, you need a Unix Machine. If you don't have one,
      download yourself a Linux Live CD (e.g. Knoppix) and use a
      USB Stick to save your certs and keys.</para>

    <para>This Documentation assumes that you already have a copy
      of tinyca installed. If your distribution does not contain
      a version of tinyca, get it from the <ulink
        url="http://tinyca.sm-zone.net/"; >tinyca homepage.</ulink></para>
    

  </section>

  <section>
    <title>Getting started</title>

    <para>After starting tinyca you should get a screen like this:
      <graphic align="center" fileref="images/tinyca1.png" ></graphic></para>

    <para>We now start creating a new CA for ourself</para>

    <para>Press the <emphasis>New CA</emphasis> button and enter
      the needed information (an example follows), please note
      that choosing a key length of 2048 should be enough.
      <graphic align="center" fileref="images/tinyca2.png" ></graphic></para>

    <para>After that you will be presented a window showing the possible
      CA options. You should not need to change anything.
    <graphic align="center" fileref="images/tinyca3.png" ></graphic></para>

    <para>When the program has finished creating the CA, the main window
      will look like this. You are now ready to create the needed certificates.
    <graphic align="center" fileref="images/tinyca4.png" ></graphic></para>
      
  </section>

  <section>
    <title>Create a Certificate</title>

    <para>change to the certificates View in the main window.
    <graphic align="center" fileref="images/tinyca5.png" ></graphic></para>

    <para>Start creation by pressing the <emphasis>New</emphasis> button,
      a new window will open. The screens hot should give you an example.
    <graphic align="center" fileref="images/tinyca6.png" ></graphic></para>

    <para>After the certificate request has been created, you need to sign
      it with the CA certificate. Please note that the Valid for (Days) value
      means that after this period of time you are not able to use it anymore.
      If you don't plan to change your certs often, 365 days is rather short,
      you better choose 730 or 1095 (which will be 3 years). Not adding
      the email Address to the Subject might prevent you from running into
      trouble with some software that has problem with the @ in the email
      address. It is not needed, anyway.
    <graphic align="center" fileref="images/tinyca7.png" ></graphic></para>

    <para>After creating your cert, the main window looks like this:
    <graphic align="center" fileref="images/tinyca8.png" ></graphic></para>

    <para>Create as much certificates as you need, for a 2 host VPN you normally
      need 2.</para>
    </section>

  <section>
    <title>Exporting everything</title>

    <para>To be able to use the certs for open vpn or openswan, you need to
      export them in the correct format. This is normally PEM. Now choose
      the certificate you want to export and press <emphasis>Export</emphasis>.
      You will get a window asking for some options:
    <graphic align="center" fileref="images/tinyca9.png" ></graphic></para>

    <para>After you exported all required certs, change to the key view of
      the main window.
    <graphic align="center" fileref="images/tinyca10.png" ></graphic></para>

    <para>Choose the key, press <emphasis>Export</emphasis> and you will get
      a similar window as before. With one difference, you will be asked
      if you want to export the key with or without a passphrase. Choose
      no, so you will export it with a passphrase securing the private key.

    <graphic align="center" fileref="images/tinyca11.png" ></graphic></para>
    
    <para>After exporting all your keys, go to the CA view of the main window
      and choose <emphasis>Export Ca</emphasis> which will get you another
      export window. Choose PEM Format, too.
    
    <graphic align="center" fileref="images/tinyca12.png" ></graphic></para>
    
    <para>The Last thing to export is the CRL (Certificate revocation list),
      to do this, choose <emphasis>Export CRL</emphasis> from the CA view.
      You might set the value of how long this list is valid to a value
      greater than 30 days. If this matters at all changes with the software
      you want to use this cert with. You can , for example, configure openswan
      to reject connections when the crl is not up to date. Choosing a value
      of 90 days means that you have to export a new crl in the next 90 days
      regardless whether you revoke a cert or not...
    <graphic align="center" fileref="images/tinyca13.png" ></graphic></para>
      
    </section>
</chapter>

--- NEW FILE: bucu-openswan.xml ---
<?xml version="1.0" encoding="UTF-8"?>
<chapter id="bucu-openswan">
  <chapterinfo>
    <authorgroup>
      <author>
        <firstname>Arne</firstname>

        <surname>Bernin</surname>

        <affiliation>
          <address><email>arneb at users.sourceforge.net</email></address>
        </affiliation>
      </author>

    </authorgroup>

    <revhistory>
      <revision>
        <revnumber>0.1</revnumber>

        <date>2005-11-19</date>

        <authorinitials>AB</authorinitials>

        <revremark>Initial document</revremark>
      </revision>

    </revhistory>
  </chapterinfo>

  <title>Configuring openswan(ipsec)</title>

  <section>
    <title>Introduction</title>

    <section>
      <title>Objectives</title>

      <para>This chapter describes how to configure your LEAF system(s) to
      build Virtual Private Networks (VPN) with <ulink
      url="http://www.openswan.org";>Openswan</ulink>.</para>
    </section>

    <section>
      <title>Overview of the setup described here</title>

      <para>The setup described here assumes you are using openswan 2.4.x with
        KLIPS (virtual interface support) Furthermore the setup used for this 
        chapter is based on LEAF systems connected to the internet via 
        static IP's. If you don't have a fixed ip, use the <filename>ezipupd.lrp
        </filename> package and a dynamic DNS service like <ulink 
          url="www.dyndns.org">www.dyndns.org</ulink>.</para>

      <para>In the following sections we describe a setup for
        connecting subnets behind 2 LEAF systems. For the example, these
        systems are called west and east, and both have a DNS name like
        west.dyndns.org and east.dyndns.org. Please remember that
        these names are only examples, use real ones instead!</para>
      <para><inlinegraphic fileref="images/ipsec1.png" 
format="png"></inlinegraphic>Example Setup</para> 

    </section>

    <section>
      <title>About openswan</title>

      <para>Openswan implements the IPSec Internet Standard for Linux. It is
        not the only solution but it is based on the oldest implementation
        of IPSec for Linux called FreeSwan. The FreeSwan project ended some
        years ago and their code base was used to create openswan. The feature
        list includes X.509 Certificates, support for nat-t and aggressive mode.
        
        It might be a good idea to take a look at the <ulink 
url="www.openswan.org">
          openswan Homepage</ulink> for a brief description of the features of
        this software.</para>
    </section>
  </section>

  <section>
    <title>Loading the packages</title>

    <para>Edit the  <filename>leaf.cfg</filename> (Bering-uClibc-2.2.0 onwards) 
      file and add <filename>openswan.lrp, libpthread.lrp</filename> and 
<filename>mawk.lrp</filename> 
      to the list of packages to be loaded at boot. Check the Bering-uClibc 
<ulink
    url="http://leaf.sourceforge.net/doc/guide/buci-install.html";>Installation
    Guide</ulink> to learn how to do that.</para>

  </section>

  <section>
    <title>Loading the modules</title>

    <para>You need to load the tun module <filename>ipsec.o</filename> to have a
    virtual tunnel interface and kernel support for ipsec.</para>

    <para>To accomplish this, you need the appropriate modules tarball for
    your LEAF Bering-uClibc. It's usually available for download in our FRS,
    older versions are available in our cvs repository.</para>

    <para>Unpack the modules tarball and copy
    <filename>2.4.32/kernel/net/ipsec/ipsec.o</filename> to
    <filename>/lib/modules</filename> on your router.</para>

    <para>You don't need to put it in <filename>/etc/modules</filename>
      as the ipsec init script loads and unloads the module on demand.</para>

    <para>Save modules.lrp</para>
  </section>

  <section>
    <title>Generating keys</title>

    <para>To start with you will need to generate the necessary certificates,
      keys and a crl file. The easiest way to do this is to use a frontend
      like tinyca.</para>

    <para>For this example we would need the following files (remember that
      our systems are called west and east):</para>

      <itemizedlist>
        <listitem>
          <para><filename>west-cert.pem</filename></para>
        </listitem>
        <listitem>
          <para><filename>east-cert.pem</filename></para>
        </listitem>
        <listitem>
          <para><filename>testca-cert.pem</filename></para>
        </listitem>
        <listitem>
          <para><filename>west-key.pem</filename></para>
        </listitem>
        <listitem>
          <para><filename>east-key.pem</filename></para>
        </listitem>
        <listitem>
          <para><filename>crl.pem</filename></para>
        </listitem>
      </itemizedlist>
    <para>The first two files contain the public keys for the leaf systems.
        copy them to <filename>/etc/ipsec.d/certs/</filename> on both machines.
        <filename>testca-cert.pem</filename> is the public key of the CA. This
        file goes onto both machines into 
<filename>/etc/ipsec.d/cacerts/</filename>.
        <filename>crl.pem</filename> is the certificate revoke list for the CA,
        which contains a list of disabled certificates. It is normally empty, 
you
        would add a cert to this list in case it is stolen, or otherwise 
compromised.
        The key files need only to be present on the router they belong to, so
        <filename>west-key.pem</filename>would only go to 
<filename>/etc/ipsec.d/private/
          </filename> on router west.</para>

      <para> These keys are sensitive information, you should 
        <emphasis role="bold">NOT</emphasis> put them all on all machines as 
breaking 
          into this one would compromise them all!</para>

      </section>

  <section>
    <title>Configuration</title>

    <section>
      <title>ipsec.secrets</title>

      <para>Edit /etc/ipsec.secrets.</para>

      <para>Change it to look like this (of course use the real password for
        this key and not "password".

        <programlisting>
          
# This file holds shared secrets or RSA private keys for inter-Pluto
# authentication.  See ipsec_pluto(8) manpage, and HTML documentation.

# RSA private key for this host, authenticating it to any other host
# which knows the public part.  Suitable public keys, for ipsec.conf, DNS,
# or configuration of other implementations, can be extracted conveniently
# with "ipsec showhostkey".
: west-key.pem "password" 
# do not change the indenting of that "}"</programlisting></para>

      </section>
    <section>
      <title>ipsec.conf</title>

      <para><filename>/etc/ipsec.conf</filename> is the main configuration
        file for openswan ipsec. For our example, it would look like this
        for router west:</para>
      
      <para><programlisting># /etc/ipsec.conf - Openswan IPSec configuration 
file
# RCSID $Id: bucu-openswan.xml,v 1.1 2005/11/19 11:11:37 arneb Exp $

# This file:  /usr/share/doc/openswan/ipsec.conf-sample
#
# Manual:     ipsec.conf.5


version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        # plutodebug / klipsdebug = "all", "none" or a combation from below:
        # "raw crypt parsing emitting control klips pfkey natt x509 private"
        # eg:
        # plutodebug="control parsing"
        #
        # Only enable klipsdebug=all if you are a developer
        #
        # NAT-TRAVERSAL support, see README.NAT-Traversal
        # nat_traversal=yes
        # virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%4:172.16.0.0/12
        interfaces=%defaultroute

# Add connections here

# sample VPN connection
conn sample
        # Left security gateway, subnet behind it, nexthop toward right.
        left=%defaultroute
        leftsubnet=192.168.1.0/24
        leftcert=west-cert.pem
        # Right security gateway, subnet behind it, nexthop toward left.
        right=east.dyndns.org
        rightsubnet=192.168.2.0/24
        rightcert=east-cert.pem
        # To authorize this connection, but not actually start it,
        # at startup, uncomment this.
        auto=start

#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf</programlisting></para>

      <para>The %defaultroute entry in interfaces and as left
        causes openswan to get the corresponding entries by looking
        at which interface the default route of the system is on.
        This is normally ok for dynamic connections (DSL, Cable, DHCP).
        If you have a static IP and are connected to a router via eth1
        the interfaces and left entries might look like this (172.16.0.1
        is the IP of this router, 172.16.0.2 the IP of router west. 
        Please note that in this case the leftnexthop entry is mandatory!.
        </para>
      <para><programlisting>    interfaces="ipsec0=eth1"
        left=172.16.0.2
        leftnexthop=172.16.0.1</programlisting></para>
          
      <para>For router east, you take the same file, put it onto that
        machine and exchange the left and right values, to look like:</para>

      <para><programlisting># /etc/ipsec.conf - Openswan IPSec configuration 
file
# RCSID $Id: bucu-openswan.xml,v 1.1 2005/11/19 11:11:37 arneb Exp $

# This file:  /usr/share/doc/openswan/ipsec.conf-sample
#
# Manual:     ipsec.conf.5


version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        # plutodebug / klipsdebug = "all", "none" or a combation from below:
        # "raw crypt parsing emitting control klips pfkey natt x509 private"
        # eg:
        # plutodebug="control parsing"
        #
        # Only enable klipsdebug=all if you are a developer
        #
        # NAT-TRAVERSAL support, see README.NAT-Traversal
        # nat_traversal=yes
        # virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%4:172.16.0.0/12
        interfaces=%defaultroute

# Add connections here

# sample VPN connection
conn sample
        # Left security gateway, subnet behind it, nexthop toward right.
        left=west.dyndns.org
        leftsubnet=192.168.1.0/24
        leftcert=west-cert.pem
        # Right security gateway, subnet behind it, nexthop toward left.
        right=%defaultroute
        rightsubnet=192.168.2.0/24
        rightcert=east-cert.pem
        # To authorize this connection, but not actually start it,
        # at startup, uncomment this.
        auto=start

#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf</programlisting></para>

<para>You do not need to be consistent in what you call left and right
        at both machines. But it makes things a lot easier if you do
        keep that naming.</para>


    <section>
      <title>Configure shorewall</title>

      <para>Add a new zone to /etc/shorewall/zones:</para>

      <para><screen>vpn VPN Remote Subnet</screen></para>

      <para>Add the ipsec interface to /etc/shorewall/interfaces:</para>

      <para><screen>vpn ipsec+</screen></para>

      <para>Note that we added a wildcard ("+") to the tun interface so the
      vpn zone applies to all tun interfaces - important if you want to
      support more than one IPSec enabled interface.</para>

      <para>You can either open the traffic between the vpn zone and the local
      net completely with adding</para>

      <para><screen>loc vpn ACCEPT 
vpn loc ACCEPT</screen></para>

      <para>to /etc/shorewall/policy - or just add the ports you want to open
      in /etc/shorewall/rules.</para>

      <para>As last step add your vpn to the shorewall tunnel definitions
      (/etc/shorewall/tunnels)</para>

      <para><screen>ipsec net 0.0.0.0/0</screen></para>

      <para>Note: The gateway is defined as "0.0.0.0/0" to 
          support remote hosts with dynamic ip addresses.</para>
    </section>
      </section>
    <section>
      <title>Starting Openswan</title>

      <section>
        <title>Manual</title>

        <para>To test the server configuration you can manually start
        Openswan with the command</para>

        <para><command># /etc/init.d/ipsec start</command></para>
      </section>

      <section>
        <title>Automatic</title>

        <para>After a (re)boot the <filename>/etc/init.d/ipsec</filename>
        script starts all tunnels that have a definition file in
        <filename>/etc/ipsec.conf</filename> and are marked with a
        <programlisting>auto=start</programlisting> in the definition
            of the connection.</para> 
      </section>

      <section>
        <title>Checking</title>

        <para>Check <filename>/var/log/daemon.log</filename> and <filename>
              /var/log/auth.log</filename> for the status of your 
            ipsec tunnels. You can also use <command>ipsec auto 
--status</command></para>
      </section>
    </section>
  </section>

  <section>
    <title>Links</title>

    <section>
      <title>Openswan links</title>

      <para><ulink url="http://openswan.org";>Openswan main page</ulink></para>

    </section>

  </section>
</chapter>
Index: bucu-upnpd.xml
===================================================================
RCS file: /cvsroot/leaf/doc/guide/user-bering-uclibc/bucu-upnpd.xml,v
retrieving revision 1.3
retrieving revision 1.4
diff -C2 -d -r1.3 -r1.4
*** bucu-upnpd.xml      4 Aug 2005 11:25:47 -0000       1.3
--- bucu-upnpd.xml      19 Nov 2005 11:11:37 -0000      1.4
***************
*** 206,210 ****
      Bering-uClibc kernel modules distribution. Add it to
      <filename>/lib/modules</filename> and make sure it is loaded in
!     <filename><filename>/etc/modules</filename></filename> at system startup.
      If you see an error message when Shorewall runs trying to add an iptables
      rule with the <code>--cmd-owner</code> option,
--- 206,210 ----
      Bering-uClibc kernel modules distribution. Add it to
      <filename>/lib/modules</filename> and make sure it is loaded in
!     <filename>/etc/modules</filename> at system startup.
      If you see an error message when Shorewall runs trying to add an iptables
      rule with the <code>--cmd-owner</code> option,

Index: book.xml
===================================================================
RCS file: /cvsroot/leaf/doc/guide/user-bering-uclibc/book.xml,v
retrieving revision 1.23
retrieving revision 1.24
diff -C2 -d -r1.23 -r1.24
*** book.xml    8 Nov 2005 09:23:38 -0000       1.23
--- book.xml    19 Nov 2005 11:11:36 -0000      1.24
***************
*** 8,12 ****
  <!ENTITY freenet6     SYSTEM "bucu-freenet6.xml">
  <!ENTITY zebra                SYSTEM "bucu-zebra.xml">
! <!ENTITY openvpn              SYSTEM "bucu-openvpn.xml">
  <!ENTITY rrdtool      SYSTEM "bucu-rrdtool.xml">
  <!ENTITY keepalived   SYSTEM "bucu-keepalived.xml">
--- 8,14 ----
  <!ENTITY freenet6     SYSTEM "bucu-freenet6.xml">
  <!ENTITY zebra                SYSTEM "bucu-zebra.xml">
! <!ENTITY openvpn      SYSTEM "bucu-openvpn.xml">
! <!ENTITY openswan     SYSTEM "bucu-openswan.xml">
! <!ENTITY tinyca               SYSTEM "bucu-tinyca.xml">
  <!ENTITY rrdtool      SYSTEM "bucu-rrdtool.xml">
  <!ENTITY keepalived   SYSTEM "bucu-keepalived.xml">
***************
*** 22,26 ****
--- 24,30 ----
    &ipv6;
    &freenet6;
+   &tinyca;
    &openvpn;
+   &openswan;
    &zebra;
    &rrdtool;

Index: bucu-zebra.xml
===================================================================
RCS file: /cvsroot/leaf/doc/guide/user-bering-uclibc/bucu-zebra.xml,v
retrieving revision 1.2
retrieving revision 1.3
diff -C2 -d -r1.2 -r1.3
*** bucu-zebra.xml      18 Jan 2004 17:14:25 -0000      1.2
--- bucu-zebra.xml      19 Nov 2005 11:11:37 -0000      1.3
***************
*** 12,15 ****
--- 12,24 ----
          </affiliation>
        </author>
+       <author>
+         <firstname>Arne</firstname>
+ 
+         <surname>Bernin</surname>
+ 
+         <affiliation>
+           <address><email>arneb at users.sf.net</email></address>
+         </affiliation>
+       </author>
      </authorgroup>
  
***************
*** 23,26 ****
--- 32,44 ----
  
          <revremark>Initial version</revremark>
+       </revision>
+       <revision>
+         <revnumber>0.2</revnumber>
+ 
+         <date>2005-11-19</date>
+ 
+         <authorinitials>ab</authorinitials>
+ 
+         <revremark>make bgpd.conf more readable</revremark>
        </revision>
      </revhistory>
***************
*** 82,87 ****
      following lines :</para>
  
!     <para>router bgp ASN bgp router-id ROUTERID network 192.168.A.B/M network
!     192.168.C.D/N neighbor 192.168.P.Q remote-as REMOTEASN</para>
  
      <para>Where ASN is your Autonomous System Number (it will look like a
--- 100,109 ----
      following lines :</para>
  
!     <para><programlisting>router bgp ASN 
!  bgp router-id ROUTERID 
!  network 192.168.A.B/M 
!  network 192.168.C.D/N 
!  neighbor 192.168.P.Q 
!  remote-as REMOTEASN</programlisting></para>
  
      <para>Where ASN is your Autonomous System Number (it will look like a



-------------------------------------------------------
This SF.Net email is sponsored by the JBoss Inc.  Get Certified Today
Register for a JBoss Training Course.  Free Certification Exam
for All Training Attendees Through End of 2005. For more info visit:
http://ads.osdn.com/?ad_id=7628&alloc_id=16845&op=click
_______________________________________________
leaf-cvs-commits mailing list
leaf-cvs-commits@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/leaf-cvs-commits

Reply via email to