I have a couple of questions about pipsecd and OpenSSL on FreeBSD... I cannot find a pipsecd document or anything, so I am mailing you, hoping to find answers.

1) Is there a good document that covers OpenSSL usage? I found openssl.org's documentation section to be rather... lacking...
2) What kind of key generation do I need for pipsecd?
3) Where does the private key get generated if you openssl genrsa -o keyfile, if any?
3.5) If not rsakeygen, how do I go about creating key pairs for client/server or server/server authentication?
4) Have any of you used pipsecd? Good? Bad? Ugly?
5) Can anyone recommend a book on SSL?

I am looking at a replacement for our current VPN using PPP over SSH, and ipsec seems to be the way to go. Attached is the only readme for pipsecd, and the sample configuration file, in case it helps.

Thanks very much in advance.

--README--
$Id: README,v 1.11 1999/06/28 16:03:28 beyssac Exp $

Currently implements:

- IPSEC-compliant IP tunnelling (i.e., tunnel-mode only):
  - authentication: IP-AH (RFC 2402) and HMAC (RFC 2104) with:
      RFC 2403: MD5 (HMAC-MD5-96)
      RFC 2404: SHA1 (HMAC-SHA1-96)
      RIPEMD160 (HMAC-RIPEMD160-96)
  - encryption: IP-ESP (RFC 2406) with:
      Blowfish in CBC mode.
      RFC 2405: DES in CBC mode.
      DES3 in CBC mode.
      CAST in CBC mode.
      IDEA in CBC mode.
    Additional authentication is supported too, with the same methods as in AH mode.
- IP tunnels over UDP with MD5 (simple keyed hash) authentication.
- IP tunnels over ICMP ECHO REPLY with HMAC-MD5-96 authentication.

You NEED to first install the OpenSSL "crypto" library (previously part of SSLeay). See http://www.openssl.org/ for download and mirrors.

- compile and install
- under *BSD: make a kernel with the "tun" device, by adding the following line to your kernel configuration:
      pseudo-device tun 1
  Then remake a kernel (config MYKERNEL; cd ../../compile/MYKERNEL; make depend; make; mv /kernel /kernel.old; cp kernel /)
- under Linux: install the "userlink" module, port of the BSD tun driver
- create the file /etc/ipsec/pipsecd.conf (see pipsecd.conf.sample for an example)
- start /usr/local/sbin/pipsecd
- under *BSD:
      ifconfig tun0 <virtual_local_ip> <virtual_dest_ip> netmask <mask> mtu 1440
- under Linux 2.0.x:
      ifconfig ul0 <virtual_local_ip> pointopoint <virtual_dest_ip> netmask <mask> mtu 1440
      route add <virtual_dest_ip> ul0
- under Linux 2.2.x, approximately this (I need to check the MTU stuff):
      ifconfig ul0 <virtual_local_ip> pointopoint <virtual_dest_ip> netmask <mask>
      ip route add <virtual_dest_ip> mtu 1440 dev ul0
  (portability? what do you mean?)
- once this works, you can create the script /etc/ipsec/startup and make it executable. It's run after the program starts; you can put there any interface configuration, routes, mtu and such.
- this should be done on both ends, of course.

Then a ping to the remote point-to-point virtual address (the one ifconfig shows) should work.

From then on, add any routes or routing protocols of your liking. Be careful, however, that the route to the REAL IP address of the other end of the tunnel is not routed _through_ the tunnel, as it would create a loop (the program detects this and warns you but is unable to correct it).
--README--

--CONFIG--
#
# $Id: pipsecd.conf.sample,v 1.3 1999/08/17 10:15:08 beyssac Exp $
#
# Syntax:
#
# Security Association lines:
#
# For authentication:
#   sa <encap_type> spi=<spi> auth=<auth> [dest=<dest_ip>] akey=<auth_key>
#     <encap_type>: ipah, icmp or udp.
#     <auth>: hmac-md5-96, sha1-md5-96 or hmac-rmd160-96.
#     <akey>: authentication key
#
# For encryption:
#   sa <encap_type> spi=<spi> enc=<encr> [dest=<dest_ip>] ekey=<encrypt_key>
#      [auth=<auth> akey=<auth_key>] [noiv]
#     <encap_type>: "ipesp"
#     <encr>: blowfish_cbc, cast_cbc, des_cbc, des3_cbc, null.
#     <ekey>: encryption key
#     optional <auth>: hmac-md5-96, sha1-md5-96 or hmac-rmd160-96.
#     optional <akey>: authentication key
#     optional "noiv": use an implicit initialization vector made
#                      from the sequence number (OpenBSD-compatible mode,
#                      untested)
#
# Common parameters for SA descriptions:
#     <dest_ip>: (optional) REAL IP address of the remote end,
#                to define a remote SA.
#                If not included, the SA is considered local.
#
# Interface lines:
#   if <device_path> local_spi=<local_spi> remote_spi=<remote_spi>
#
#     <device_path>: path to the tunnel device for this virtual link
#     <local_spi>: SPI for the local SA
#     <remote_spi>: SPI for the remote SA
#
#
sa ipah spi=1000 auth=hmac-md5-96 akey=0102030405060708090a0b0c0d0e0f dest=1.2.3.4
sa ipah spi=1000 auth=hmac-md5-96 akey=deadbeefdeadc0deadbeefdeadc0de
sa ipesp spi=1001 enc=blowfish_cbc ekey=f1f2f3f4f5f6f7f8f9fafbfcfdfeff dest=5.6.7.8
sa ipesp spi=1001 enc=blowfish_cbc ekey=d00db00fd00d00d00db00fd00dc00e
if /dev/tun0 local_spi=1000 remote_spi=1000
if /dev/tun1 local_spi=1001 remote_spi=1001
--CONFIG--

--
Brian Nelson
Network Minion
mailto:[EMAIL PROTECTED]
PocketScience, Inc.
* Press every key to continue.
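Added example, not code from the pipsecd distribution or from the poster. The attached README and sample config show that pipsecd is manually keyed: each Security Association carries a shared symmetric key as a hex string (akey/ekey), with the sending direction marked by dest=<peer real IP> and the receiving direction left local, and no RSA key pair is involved. The script below generates fresh random keys at the HMAC sizes RFC 2403 and RFC 2404 specify, emits the matching sa/if lines for both ends of one ESP tunnel, and lints a config against the syntax in pipsecd.conf.sample (known algorithm names, well-formed hex keys, if lines that reference an existing local and remote SA). Assumptions, also marked in the code: that pipsecd accepts keys of these lengths (its sample uses 15-byte keys, so it evidently does not insist on one size); that the auth token is hmac-sha1-96 where the sample comment says sha1-md5-96; and that the 192.0.2.x addresses in the usage are constructed.

```python
"""Generate and lint manually keyed pipsecd SA/if lines (added example)."""
import re
import secrets

# Key sizes in bytes. HMAC-MD5-96 and HMAC-SHA1-96 use 128- and 160-bit keys
# (RFC 2403, RFC 2404); HMAC-RIPEMD160-96 likewise 160 bits. Cipher sizes are
# the conventional ones (Blowfish and CAST take variable keys; 16 bytes here).
# Assumption: pipsecd accepts these lengths; its sample config uses 15-byte
# keys, so it evidently does not insist on one fixed size. "hmac-sha1-96" is
# assumed to be the intended spelling of the sample's "sha1-md5-96".
AUTH_KEY_BYTES = {"hmac-md5-96": 16, "hmac-sha1-96": 20, "hmac-rmd160-96": 20}
ENC_KEY_BYTES = {"blowfish_cbc": 16, "cast_cbc": 16, "des_cbc": 8,
                 "des3_cbc": 24, "idea_cbc": 16, "null": 0}
HEX = re.compile(r"^[0-9a-fA-F]+$")


def gen_key(nbytes):
    """Fresh random key as the hex string the config expects."""
    return secrets.token_hex(nbytes)


def esp_tunnel_configs(ip_a, ip_b, spi, enc, auth, dev="/dev/tun0"):
    """Return (config for end A, config for end B) for one ESP+auth tunnel.

    As in pipsecd.conf.sample, each end lists the SA it sends on with
    dest=<peer real IP> (remote SA) and the SA it receives on without dest
    (local SA), using the same SPI for both. Keys differ per direction and
    are swapped between the two files.
    """
    a_to_b = (gen_key(ENC_KEY_BYTES[enc]), gen_key(AUTH_KEY_BYTES[auth]))
    b_to_a = (gen_key(ENC_KEY_BYTES[enc]), gen_key(AUTH_KEY_BYTES[auth]))

    def side(peer_ip, out_keys, in_keys):
        lines = []
        for dest, (ekey, akey) in ((peer_ip, out_keys), (None, in_keys)):
            line = f"sa ipesp spi={spi} enc={enc} ekey={ekey} auth={auth} akey={akey}"
            lines.append(line + (f" dest={dest}" if dest else ""))
        lines.append(f"if {dev} local_spi={spi} remote_spi={spi}")
        return "\n".join(lines) + "\n"

    return side(ip_b, a_to_b, b_to_a), side(ip_a, b_to_a, a_to_b)


def parse(text):
    """Split sa/if lines into dicts of their key=value fields; skip comments."""
    sas, ifs = [], []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        kind, *rest = line.split()
        if kind not in ("sa", "if") or not rest:
            raise ValueError(f"line {n}: cannot parse {raw!r}")
        d = {"line": n, ("encap" if kind == "sa" else "dev"): rest[0]}
        d["noiv"] = "noiv" in rest
        d.update(tok.split("=", 1) for tok in rest[1:] if "=" in tok)
        (sas if kind == "sa" else ifs).append(d)
    return sas, ifs


def lint(text):
    """Return a list of problems; an empty list means the config is consistent."""
    sas, ifs = parse(text)
    problems = []

    def check_key(sa, field, want):
        if want == 0:  # enc=null carries no key
            return
        k = sa.get(field, "")
        if not HEX.match(k) or len(k) % 2:
            problems.append(f"line {sa['line']}: {field} is not an even-length hex string")
        elif len(k) // 2 != want:
            problems.append(f"line {sa['line']}: {field} is {len(k) // 2} bytes, expected {want}")

    for sa in sas:
        if sa["encap"] in ("ipah", "icmp", "udp") or "auth" in sa:
            if sa.get("auth") not in AUTH_KEY_BYTES:
                problems.append(f"line {sa['line']}: unknown auth {sa.get('auth')!r}")
            else:
                check_key(sa, "akey", AUTH_KEY_BYTES[sa["auth"]])
        if sa["encap"] == "ipesp":
            if sa.get("enc") not in ENC_KEY_BYTES:
                problems.append(f"line {sa['line']}: unknown enc {sa.get('enc')!r}")
            else:
                check_key(sa, "ekey", ENC_KEY_BYTES[sa["enc"]])
        elif sa["encap"] not in ("ipah", "icmp", "udp"):
            problems.append(f"line {sa['line']}: unknown encap_type {sa['encap']!r}")

    # An "if" line must name one local SA (no dest) and one remote SA (dest=).
    local = {sa.get("spi") for sa in sas if "dest" not in sa}
    remote = {sa.get("spi") for sa in sas if "dest" in sa}
    for i in ifs:
        if i.get("local_spi") not in local:
            problems.append(f"line {i['line']}: local_spi={i.get('local_spi')} has no local SA")
        if i.get("remote_spi") not in remote:
            problems.append(f"line {i['line']}: remote_spi={i.get('remote_spi')} has no remote SA")
    return problems


if __name__ == "__main__":
    # Constructed real addresses of the two ends; the virtual tunnel addresses
    # are set with ifconfig afterwards, as the README describes.
    cfg_a, cfg_b = esp_tunnel_configs("192.0.2.1", "192.0.2.2", 1001,
                                      "blowfish_cbc", "hmac-sha1-96")
    print("# end A\n" + cfg_a + "# end B\n" + cfg_b)
    print("problems:", lint(cfg_a) + lint(cfg_b))
```

Copy the "end A" lines into /etc/ipsec/pipsecd.conf on one host and the "end B" lines on the other; the keys have to travel over a channel you already trust (the existing SSH link, for instance), since pipsecd has no key exchange of its own. Run lint() on each file before starting the daemon: the most common hand-editing mistakes, an if line pointing at an SPI with no matching local or remote SA and a key with an odd hex digit or a typo, are caught here rather than by a tunnel that silently drops packets.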