特殊:Badtitle/NS100:IPSecHowTo:修订间差异
小 New page: {{From|https://help.ubuntu.com/community/IPSecHowTo}} {{Languages|php5}} [mailto:[email protected] Matthew Caron] This howto is primarily taken from [http://www.ipsec-howto.org/x299.html... |
小无编辑摘要 |
||
| 第1行: | 第1行: | ||
{{From|https://help.ubuntu.com/community/IPSecHowTo}} | {{From|https://help.ubuntu.com/community/IPSecHowTo}} | ||
{{Languages| | {{Languages|UbuntuHelp:IPSecHowTo}} | ||
[mailto:[email protected] Matthew Caron] | [mailto:[email protected] Matthew Caron] | ||
| 第14行: | 第14行: | ||
2. Edit /etc/ipsec-tools.conf file. This file should be of the general form: | 2. Edit /etc/ipsec-tools.conf file. This file should be of the general form: | ||
<pre><nowiki> | <pre><nowiki> | ||
flush; | flush; | ||
spdflush; | spdflush; | ||
add 192.168.1.100 192.168.2.100 ah 0x200 -A hmac-md5 | add 192.168.1.100 192.168.2.100 ah 0x200 -A hmac-md5 | ||
0xc0291ff014dccdd03874d9e8e4cdf3e6; | 0xc0291ff014dccdd03874d9e8e4cdf3e6; | ||
| 第31行: | 第25行: | ||
0x96358c90783bbfa3d7b196ceabe0536b; | 0x96358c90783bbfa3d7b196ceabe0536b; | ||
add 192.168.1.100 192.168.2.100 esp 0x201 -E 3des-cbc | add 192.168.1.100 192.168.2.100 esp 0x201 -E 3des-cbc | ||
0x7aeaca3f87d060a12f4a4487d5a5c3355920fae69a96c831; | 0x7aeaca3f87d060a12f4a4487d5a5c3355920fae69a96c831; | ||
| 第37行: | 第30行: | ||
0xf6ddb555acfd9d77b03ea3843f2653255afe8eb5573965df; | 0xf6ddb555acfd9d77b03ea3843f2653255afe8eb5573965df; | ||
spdadd 192.168.1.100 192.168.2.100 any -P out ipsec | spdadd 192.168.1.100 192.168.2.100 any -P out ipsec | ||
esp/transport//require | esp/transport//require | ||
| 第48行: | 第40行: | ||
It is important to understand this, so let me break it down: | It is important to understand this, so let me break it down: | ||
<pre><nowiki> | <pre><nowiki> | ||
add 192.168.1.100 192.168.2.100 ah 0x200 -A hmac-md5 | add 192.168.1.100 192.168.2.100 ah 0x200 -A hmac-md5 | ||
0xc0291ff014dccdd03874d9e8e4cdf3e6; | 0xc0291ff014dccdd03874d9e8e4cdf3e6; | ||
| 第64行: | 第55行: | ||
Similarly, this section: | Similarly, this section: | ||
<pre><nowiki> | <pre><nowiki> | ||
add 192.168.1.100 192.168.2.100 esp 0x201 -E 3des-cbc | add 192.168.1.100 192.168.2.100 esp 0x201 -E 3des-cbc | ||
0x7aeaca3f87d060a12f4a4487d5a5c3355920fae69a96c831; | 0x7aeaca3f87d060a12f4a4487d5a5c3355920fae69a96c831; | ||
| 第78行: | 第68行: | ||
So, these top two sections should list keys for all the IP addresses that the machine cares about. These sections do not change when moving the file amongst machines on either side of a connection. That brings us to the next section: | So, these top two sections should list keys for all the IP addresses that the machine cares about. These sections do not change when moving the file amongst machines on either side of a connection. That brings us to the next section: | ||
<pre><nowiki> | <pre><nowiki> | ||
spdadd 192.168.1.100 192.168.2.100 any -P out ipsec | spdadd 192.168.1.100 192.168.2.100 any -P out ipsec | ||
esp/transport//require | esp/transport//require | ||
| 第89行: | 第78行: | ||
This sets up the policies for in and out communications. So, the above version will work for 192.168.1.100, because all '''outgoing''' communication to 192.168.2.100 and all '''incoming''' communication from 192.168.2.100 will be encrypted. To use this on the other machine (192.168.2.100), flip the in and out directives, as follows: | This sets up the policies for in and out communications. So, the above version will work for 192.168.1.100, because all '''outgoing''' communication to 192.168.2.100 and all '''incoming''' communication from 192.168.2.100 will be encrypted. To use this on the other machine (192.168.2.100), flip the in and out directives, as follows: | ||
<pre><nowiki> | <pre><nowiki> | ||
spdadd 192.168.1.100 192.168.2.100 any -P in ipsec | spdadd 192.168.1.100 192.168.2.100 any -P in ipsec | ||
esp/transport//require | esp/transport//require | ||
| 第113行: | 第101行: | ||
</nowiki></pre> | </nowiki></pre> | ||
CategoryDocumentation CategoryCleanup | [[category:CategoryDocumentation]] [[category:CategoryCleanup]] | ||
[[category:UbuntuHelp]] | [[category:UbuntuHelp]] | ||
2007年5月14日 (一) 11:47的版本
 |
文章出处: |
{{#if: | {{{2}}} | https://help.ubuntu.com/community/IPSecHowTo }} |
|
点击翻译: |
English {{#ifexist: {{#if: UbuntuHelp:IPSecHowTo | UbuntuHelp:IPSecHowTo | {{#if: | :}}IPSecHowTo}}/af | • {{#if: UbuntuHelp:IPSecHowTo|Afrikaans| [[::IPSecHowTo/af|Afrikaans]]}}|}} {{#ifexist: {{#if: UbuntuHelp:IPSecHowTo | UbuntuHelp:IPSecHowTo | {{#if: | :}}IPSecHowTo}}/ar | • {{#if: UbuntuHelp:IPSecHowTo|العربية| [[::IPSecHowTo/ar|العربية]]}}|}} {{#ifexist: {{#if: UbuntuHelp:IPSecHowTo | UbuntuHelp:IPSecHowTo | {{#if: | :}}IPSecHowTo}}/az | • {{#if: UbuntuHelp:IPSecHowTo|azərbaycanca| [[::IPSecHowTo/az|azərbaycanca]]}}|}} {{#ifexist: {{#if: UbuntuHelp:IPSecHowTo | UbuntuHelp:IPSecHowTo | {{#if: | :}}IPSecHowTo}}/bcc | • {{#if: UbuntuHelp:IPSecHowTo|جهلسری بلوچی| [[::IPSecHowTo/bcc|جهلسری بلوچی]]}}|}} {{#ifexist: {{#if: UbuntuHelp:IPSecHowTo | UbuntuHelp:IPSecHowTo | {{#if: | :}}IPSecHowTo}}/bg | • {{#if: UbuntuHelp:IPSecHowTo|български| [[::IPSecHowTo/bg|български]]}}|}} {{#ifexist: {{#if: UbuntuHelp:IPSecHowTo | UbuntuHelp:IPSecHowTo | {{#if: | :}}IPSecHowTo}}/br | • {{#if: UbuntuHelp:IPSecHowTo|brezhoneg| [[::IPSecHowTo/br|brezhoneg]]}}|}} {{#ifexist: {{#if: UbuntuHelp:IPSecHowTo | UbuntuHelp:IPSecHowTo | {{#if: | :}}IPSecHowTo}}/ca | • {{#if: UbuntuHelp:IPSecHowTo|català| [[::IPSecHowTo/ca|català]]}}|}} {{#ifexist: {{#if: UbuntuHelp:IPSecHowTo | UbuntuHelp:IPSecHowTo | {{#if: | :}}IPSecHowTo}}/cs | • {{#if: UbuntuHelp:IPSecHowTo|čeština| [[::IPSecHowTo/cs|čeština]]}}|}} {{#ifexist: {{#if: UbuntuHelp:IPSecHowTo | UbuntuHelp:IPSecHowTo | {{#if: | :}}IPSecHowTo}}/de | • {{#if: UbuntuHelp:IPSecHowTo|Deutsch| [[::IPSecHowTo/de|Deutsch]]}}|}} {{#ifexist: {{#if: UbuntuHelp:IPSecHowTo | UbuntuHelp:IPSecHowTo | {{#if: | :}}IPSecHowTo}}/el | • {{#if: UbuntuHelp:IPSecHowTo|Ελληνικά| [[::IPSecHowTo/el|Ελληνικά]]}}|}} {{#ifexist: {{#if: UbuntuHelp:IPSecHowTo | UbuntuHelp:IPSecHowTo | {{#if: | :}}IPSecHowTo}}/es | • {{#if: UbuntuHelp:IPSecHowTo|español| [[::IPSecHowTo/es|español]]}}|}} {{#ifexist: {{#if: UbuntuHelp:IPSecHowTo | UbuntuHelp:IPSecHowTo | {{#if: | :}}IPSecHowTo}}/fa | • {{#if: UbuntuHelp:IPSecHowTo|فارسی| [[::IPSecHowTo/fa|فارسی]]}}|}} {{#ifexist: {{#if: UbuntuHelp:IPSecHowTo | UbuntuHelp:IPSecHowTo | {{#if: | :}}IPSecHowTo}}/fi | • {{#if: UbuntuHelp:IPSecHowTo|suomi| [[::IPSecHowTo/fi|suomi]]}}|}} {{#ifexist: {{#if: UbuntuHelp:IPSecHowTo | UbuntuHelp:IPSecHowTo | {{#if: | :}}IPSecHowTo}}/fr | • {{#if: UbuntuHelp:IPSecHowTo|français| [[::IPSecHowTo/fr|français]]}}|}} {{#ifexist: {{#if: UbuntuHelp:IPSecHowTo | UbuntuHelp:IPSecHowTo | {{#if: | :}}IPSecHowTo}}/gu | • {{#if: UbuntuHelp:IPSecHowTo|ગુજરાતી| [[::IPSecHowTo/gu|ગુજરાતી]]}}|}} {{#ifexist: {{#if: UbuntuHelp:IPSecHowTo | UbuntuHelp:IPSecHowTo | {{#if: | :}}IPSecHowTo}}/he | • {{#if: UbuntuHelp:IPSecHowTo|עברית| [[::IPSecHowTo/he|עברית]]}}|}} {{#ifexist: {{#if: UbuntuHelp:IPSecHowTo | UbuntuHelp:IPSecHowTo | {{#if: | :}}IPSecHowTo}}/hu | • {{#if: UbuntuHelp:IPSecHowTo|magyar| [[::IPSecHowTo/hu|magyar]]}}|}} {{#ifexist: {{#if: UbuntuHelp:IPSecHowTo | UbuntuHelp:IPSecHowTo | {{#if: | :}}IPSecHowTo}}/id | • {{#if: UbuntuHelp:IPSecHowTo|Bahasa Indonesia| [[::IPSecHowTo/id|Bahasa Indonesia]]}}|}} {{#ifexist: {{#if: UbuntuHelp:IPSecHowTo | UbuntuHelp:IPSecHowTo | {{#if: | :}}IPSecHowTo}}/it | • {{#if: UbuntuHelp:IPSecHowTo|italiano| [[::IPSecHowTo/it|italiano]]}}|}} {{#ifexist: {{#if: UbuntuHelp:IPSecHowTo | UbuntuHelp:IPSecHowTo | {{#if: | :}}IPSecHowTo}}/ja | • {{#if: UbuntuHelp:IPSecHowTo|日本語| [[::IPSecHowTo/ja|日本語]]}}|}} {{#ifexist: {{#if: UbuntuHelp:IPSecHowTo | UbuntuHelp:IPSecHowTo | {{#if: | :}}IPSecHowTo}}/ko | • {{#if: UbuntuHelp:IPSecHowTo|한국어| [[::IPSecHowTo/ko|한국어]]}}|}} {{#ifexist: {{#if: UbuntuHelp:IPSecHowTo | UbuntuHelp:IPSecHowTo | {{#if: | :}}IPSecHowTo}}/ksh | • {{#if: UbuntuHelp:IPSecHowTo|Ripoarisch| [[::IPSecHowTo/ksh|Ripoarisch]]}}|}} {{#ifexist: {{#if: UbuntuHelp:IPSecHowTo | UbuntuHelp:IPSecHowTo | {{#if: | :}}IPSecHowTo}}/mr | • {{#if: UbuntuHelp:IPSecHowTo|मराठी| [[::IPSecHowTo/mr|मराठी]]}}|}} {{#ifexist: {{#if: UbuntuHelp:IPSecHowTo | UbuntuHelp:IPSecHowTo | {{#if: | :}}IPSecHowTo}}/ms | • {{#if: UbuntuHelp:IPSecHowTo|Bahasa Melayu| [[::IPSecHowTo/ms|Bahasa Melayu]]}}|}} {{#ifexist: {{#if: UbuntuHelp:IPSecHowTo | UbuntuHelp:IPSecHowTo | {{#if: | :}}IPSecHowTo}}/nl | • {{#if: UbuntuHelp:IPSecHowTo|Nederlands| [[::IPSecHowTo/nl|Nederlands]]}}|}} {{#ifexist: {{#if: UbuntuHelp:IPSecHowTo | UbuntuHelp:IPSecHowTo | {{#if: | :}}IPSecHowTo}}/no | • {{#if: UbuntuHelp:IPSecHowTo|norsk| [[::IPSecHowTo/no|norsk]]}}|}} {{#ifexist: {{#if: UbuntuHelp:IPSecHowTo | UbuntuHelp:IPSecHowTo | {{#if: | :}}IPSecHowTo}}/oc | • {{#if: UbuntuHelp:IPSecHowTo|occitan| [[::IPSecHowTo/oc|occitan]]}}|}} {{#ifexist: {{#if: UbuntuHelp:IPSecHowTo | UbuntuHelp:IPSecHowTo | {{#if: | :}}IPSecHowTo}}/pl | • {{#if: UbuntuHelp:IPSecHowTo|polski| [[::IPSecHowTo/pl|polski]]}}|}} {{#ifexist: {{#if: UbuntuHelp:IPSecHowTo | UbuntuHelp:IPSecHowTo | {{#if: | :}}IPSecHowTo}}/pt | • {{#if: UbuntuHelp:IPSecHowTo|português| [[::IPSecHowTo/pt|português]]}}|}} {{#ifexist: {{#if: UbuntuHelp:IPSecHowTo | UbuntuHelp:IPSecHowTo | {{#if: | :}}IPSecHowTo}}/ro | • {{#if: UbuntuHelp:IPSecHowTo|română| [[::IPSecHowTo/ro|română]]}}|}} {{#ifexist: {{#if: UbuntuHelp:IPSecHowTo | UbuntuHelp:IPSecHowTo | {{#if: | :}}IPSecHowTo}}/ru | • {{#if: UbuntuHelp:IPSecHowTo|русский| [[::IPSecHowTo/ru|русский]]}}|}} {{#ifexist: {{#if: UbuntuHelp:IPSecHowTo | UbuntuHelp:IPSecHowTo | {{#if: | :}}IPSecHowTo}}/si | • {{#if: UbuntuHelp:IPSecHowTo|සිංහල| [[::IPSecHowTo/si|සිංහල]]}}|}} {{#ifexist: {{#if: UbuntuHelp:IPSecHowTo | UbuntuHelp:IPSecHowTo | {{#if: | :}}IPSecHowTo}}/sq | • {{#if: UbuntuHelp:IPSecHowTo|shqip| [[::IPSecHowTo/sq|shqip]]}}|}} {{#ifexist: {{#if: UbuntuHelp:IPSecHowTo | UbuntuHelp:IPSecHowTo | {{#if: | :}}IPSecHowTo}}/sr | • {{#if: UbuntuHelp:IPSecHowTo|српски / srpski| [[::IPSecHowTo/sr|српски / srpski]]}}|}} {{#ifexist: {{#if: UbuntuHelp:IPSecHowTo | UbuntuHelp:IPSecHowTo | {{#if: | :}}IPSecHowTo}}/sv | • {{#if: UbuntuHelp:IPSecHowTo|svenska| [[::IPSecHowTo/sv|svenska]]}}|}} {{#ifexist: {{#if: UbuntuHelp:IPSecHowTo | UbuntuHelp:IPSecHowTo | {{#if: | :}}IPSecHowTo}}/th | • {{#if: UbuntuHelp:IPSecHowTo|ไทย| [[::IPSecHowTo/th|ไทย]]}}|}} {{#ifexist: {{#if: UbuntuHelp:IPSecHowTo | UbuntuHelp:IPSecHowTo | {{#if: | :}}IPSecHowTo}}/tr | • {{#if: UbuntuHelp:IPSecHowTo|Türkçe| [[::IPSecHowTo/tr|Türkçe]]}}|}} {{#ifexist: {{#if: UbuntuHelp:IPSecHowTo | UbuntuHelp:IPSecHowTo | {{#if: | :}}IPSecHowTo}}/vi | • {{#if: UbuntuHelp:IPSecHowTo|Tiếng Việt| [[::IPSecHowTo/vi|Tiếng Việt]]}}|}} {{#ifexist: {{#if: UbuntuHelp:IPSecHowTo | UbuntuHelp:IPSecHowTo | {{#if: | :}}IPSecHowTo}}/yue | • {{#if: UbuntuHelp:IPSecHowTo|粵語| [[::IPSecHowTo/yue|粵語]]}}|}} {{#ifexist: {{#if: UbuntuHelp:IPSecHowTo | UbuntuHelp:IPSecHowTo | {{#if: | :}}IPSecHowTo}}/zh | • {{#if: UbuntuHelp:IPSecHowTo|中文| [[::IPSecHowTo/zh|中文]]}}|}} {{#ifexist: {{#if: UbuntuHelp:IPSecHowTo | UbuntuHelp:IPSecHowTo | {{#if: | :}}IPSecHowTo}}/zh-hans | • {{#if: UbuntuHelp:IPSecHowTo|中文(简体)| [[::IPSecHowTo/zh-hans|中文(简体)]]}}|}} {{#ifexist: {{#if: UbuntuHelp:IPSecHowTo | UbuntuHelp:IPSecHowTo | {{#if: | :}}IPSecHowTo}}/zh-hant | • {{#if: UbuntuHelp:IPSecHowTo|中文(繁體)| [[::IPSecHowTo/zh-hant|中文(繁體)]]}}|}} |
{{#ifeq:UbuntuHelp:IPSecHowTo|:IPSecHowTo|请不要直接编辑翻译本页,本页将定期与来源同步。}} |
{{#ifexist: :IPSecHowTo/zh | | {{#ifexist: IPSecHowTo/zh | | {{#ifeq: {{#titleparts:IPSecHowTo|1|-1|}} | zh | | }} }} }} {{#ifeq: {{#titleparts:IPSecHowTo|1|-1|}} | zh | | }}
This howto is primarily taken from IPSec - Linux Kernel 2.6 using KAME-tools; the native IPSec stack in the 2.6 kernel series.
This covers using manually-keyed connections, and is geared toward very small or primarily star toplogy networks (an NIS server and all it's clients, for example). Larger networks (if all the NIS clients want to talk to each other in an encrypted fashion) would benefit from the use of an automated keying agent, such as racoon. Discussion of such agents is outside the scope of this draft of this document (maybe later).
1. Install the tools:
sudo apt-get install ipsec-tools
2. Edit /etc/ipsec-tools.conf file. This file should be of the general form:
flush;
spdflush;
add 192.168.1.100 192.168.2.100 ah 0x200 -A hmac-md5
0xc0291ff014dccdd03874d9e8e4cdf3e6;
add 192.168.2.100 192.168.1.100 ah 0x300 -A hmac-md5
0x96358c90783bbfa3d7b196ceabe0536b;
add 192.168.1.100 192.168.2.100 esp 0x201 -E 3des-cbc
0x7aeaca3f87d060a12f4a4487d5a5c3355920fae69a96c831;
add 192.168.2.100 192.168.1.100 esp 0x301 -E 3des-cbc
0xf6ddb555acfd9d77b03ea3843f2653255afe8eb5573965df;
spdadd 192.168.1.100 192.168.2.100 any -P out ipsec
esp/transport//require
ah/transport//require;
spdadd 192.168.2.100 192.168.1.100 any -P in ipsec
esp/transport//require
ah/transport//require;
It is important to understand this, so let me break it down:
add 192.168.1.100 192.168.2.100 ah 0x200 -A hmac-md5
0xc0291ff014dccdd03874d9e8e4cdf3e6;
add 192.168.2.100 192.168.1.100 ah 0x300 -A hmac-md5
0x96358c90783bbfa3d7b196ceabe0536b;
This section lists the 128 bit keys for the 192.168.2.100 and 192.168.1.100 connection. Each IP pair has 2 keys - one for each direction (in and out). Each pair of machines needs to know the this information. So, this means that, for each pair of IP's, you need to generate a new key (hence why this works for small networks, but anything major probably wants a daemon to handle this. Maybe if I feel ambitious, I'll set mine up to use it and update this with that info).
Also, note the number right after the 'ah' for each of these keys. This number needs to be unique for each 'add' statement. These keys are generated as follows:
dd if=/dev/random count=16 bs=1| xxd -ps
Don't forget to add the 0x in front of it.
Similarly, this section:
add 192.168.1.100 192.168.2.100 esp 0x201 -E 3des-cbc
0x7aeaca3f87d060a12f4a4487d5a5c3355920fae69a96c831;
add 192.168.2.100 192.168.1.100 esp 0x301 -E 3des-cbc
0xf6ddb555acfd9d77b03ea3843f2653255afe8eb5573965df;
This works just like the AH keys, except that they are longer. Again, the number after 'esp' must be unique. These keys are generated as follows:
dd if=/dev/random count=24 bs=1| xxd -ps
Again, don't forget to add the 0x in front of it.
So, these top two sections should list keys for all the IP addresses that the machine cares about. These sections do not change when moving the file amongst machines on either side of a connection. That brings us to the next section:
spdadd 192.168.1.100 192.168.2.100 any -P out ipsec
esp/transport//require
ah/transport//require;
spdadd 192.168.2.100 192.168.1.100 any -P in ipsec
esp/transport//require
ah/transport//require;
This sets up the policies for in and out communications. So, the above version will work for 192.168.1.100, because all outgoing communication to 192.168.2.100 and all incoming communication from 192.168.2.100 will be encrypted. To use this on the other machine (192.168.2.100), flip the in and out directives, as follows:
spdadd 192.168.1.100 192.168.2.100 any -P in ipsec
esp/transport//require
ah/transport//require;
spdadd 192.168.2.100 192.168.1.100 any -P out ipsec
esp/transport//require
ah/transport//require;
3. Make the conf file not readable to the world:
sudo chmod 750 ipsec-tools.conf
Okay, do both sides of the connection have an ipsec-tools.conf? Everyone set? Good, now it gets easy.
4. It will be started at boot by default on systems, so you don't have to worry about that.
5. Also, starting it wouldn't hurt either (make sure to do this on both sides of the connection before trying to have them talk to each other; you could also reboot):
sudo /etc/init.d/setkey start
