# SOME DESCRIPTIVE TITLE # Copyright (C) YEAR The FreeBSD Project # This file is distributed under the same license as the FreeBSD Documentation package. # FIRST AUTHOR , YEAR. # #, fuzzy msgid "" msgstr "" "Project-Id-Version: FreeBSD Documentation VERSION\n" "POT-Creation-Date: 2024-01-17 20:35-0300\n" "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n" "Last-Translator: FULL NAME \n" "Language-Team: LANGUAGE \n" "Language: \n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" #. type: Title = #: documentation/content/en/articles/vpn-ipsec/_index.adoc:1 #: documentation/content/en/articles/vpn-ipsec/_index.adoc:10 #, no-wrap msgid "VPN over IPsec" msgstr "" #. type: Plain text #: documentation/content/en/articles/vpn-ipsec/_index.adoc:21 msgid "'''" msgstr "" #. type: Plain text #: documentation/content/en/articles/vpn-ipsec/_index.adoc:27 msgid "" "Internet Protocol Security (IPsec) is a set of protocols which sit on top of " "the Internet Protocol (IP) layer. It allows two or more hosts to " "communicate in a secure manner by authenticating and encrypting each IP " "packet of a communication session. The FreeBSD IPsec network stack is based " "on the http://www.kame.net/[http://www.kame.net/] implementation and " "supports both IPv4 and IPv6 sessions." msgstr "" #. type: Plain text #: documentation/content/en/articles/vpn-ipsec/_index.adoc:29 msgid "IPsec is comprised of the following sub-protocols:" msgstr "" #. type: Plain text #: documentation/content/en/articles/vpn-ipsec/_index.adoc:31 msgid "" "_Encapsulated Security Payload (ESP)_: this protocol protects the IP packet " "data from third party interference by encrypting the contents using " "symmetric cryptography algorithms such as Blowfish and 3DES." msgstr "" #. type: Plain text #: documentation/content/en/articles/vpn-ipsec/_index.adoc:32 msgid "" "_Authentication Header (AH)_: this protocol protects the IP packet header " "from third party interference and spoofing by computing a cryptographic " "checksum and hashing the IP packet header fields with a secure hashing " "function. This is then followed by an additional header that contains the " "hash, to allow the information in the packet to be authenticated." msgstr "" #. type: Plain text #: documentation/content/en/articles/vpn-ipsec/_index.adoc:33 msgid "" "_IP Payload Compression Protocol (IPComp_): this protocol tries to increase " "communication performance by compressing the IP payload in order to reduce " "the amount of data sent." msgstr "" #. type: Plain text #: documentation/content/en/articles/vpn-ipsec/_index.adoc:35 msgid "" "These protocols can either be used together or separately, depending on the " "environment." msgstr "" #. type: Plain text #: documentation/content/en/articles/vpn-ipsec/_index.adoc:40 msgid "" "IPsec supports two modes of operation. The first mode, _Transport Mode_, " "protects communications between two hosts. The second mode, _Tunnel Mode_, " "is used to build virtual tunnels, commonly known as Virtual Private Networks " "(VPNs). Consult man:ipsec[4] for detailed information on the IPsec " "subsystem in FreeBSD." msgstr "" #. type: Plain text #: documentation/content/en/articles/vpn-ipsec/_index.adoc:42 msgid "" "The article demonstrates the process of setting up an IPsecVPN between a " "home network and a corporate network." msgstr "" #. type: Plain text #: documentation/content/en/articles/vpn-ipsec/_index.adoc:44 msgid "In the example scenario:" msgstr "" #. type: Plain text #: documentation/content/en/articles/vpn-ipsec/_index.adoc:46 msgid "" "Both sites are connected to the Internet through a gateway that is running " "FreeBSD." msgstr "" #. type: Plain text #: documentation/content/en/articles/vpn-ipsec/_index.adoc:47 msgid "" "The gateway on each network has at least one external IP address. In this " "example, the corporate LAN's external IP address is `172.16.5.4` and the " "home LAN's external IP address is `192.168.1.12`." msgstr "" #. type: Plain text #: documentation/content/en/articles/vpn-ipsec/_index.adoc:48 msgid "" "The internal addresses of the two networks can be either public or private " "IP addresses. However, the address space must not overlap. In this example, " "the corporate LAN's internal IP address is `10.246.38.1` and the home LAN's " "internal IP address is `10.0.0.5`." msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/vpn-ipsec/_index.adoc:53 #, no-wrap msgid "" " corporate home\n" "10.246.38.1/24 -- 172.16.5.4 <--> 192.168.1.12 -- 10.0.0.5/24\n" msgstr "" #. type: Title == #: documentation/content/en/articles/vpn-ipsec/_index.adoc:55 #, no-wrap msgid "Configuring a VPN on FreeBSD" msgstr "" #. type: Plain text #: documentation/content/en/articles/vpn-ipsec/_index.adoc:59 msgid "" "To begin, package:security/ipsec-tools[] must be installed from the Ports " "Collection. This software provides a number of applications which support " "the configuration." msgstr "" #. type: Plain text #: documentation/content/en/articles/vpn-ipsec/_index.adoc:62 msgid "" "The next requirement is to create two man:gif[4] pseudo-devices which will " "be used to tunnel packets and allow both networks to communicate properly. " "As `root`, run the following command on each gateway:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/vpn-ipsec/_index.adoc:68 #, no-wrap msgid "" "corp-gw# ifconfig gif0 create\n" "corp-gw# ifconfig gif0 10.246.38.1 10.0.0.5\n" "corp-gw# ifconfig gif0 tunnel 172.16.5.4 192.168.1.12\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/vpn-ipsec/_index.adoc:75 #, no-wrap msgid "" "home-gw# ifconfig gif0 create\n" "home-gw# ifconfig gif0 10.0.0.5 10.246.38.1\n" "home-gw# ifconfig gif0 tunnel 192.168.1.12 172.16.5.4\n" msgstr "" #. type: Plain text #: documentation/content/en/articles/vpn-ipsec/_index.adoc:79 msgid "" "Verify the setup on each gateway, using `ifconfig gif0`. Here is the output " "from the home gateway:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/vpn-ipsec/_index.adoc:86 #, no-wrap msgid "" "gif0: flags=8051 mtu 1280\n" "tunnel inet 172.16.5.4 --> 192.168.1.12\n" "inet6 fe80::2e0:81ff:fe02:5881%gif0 prefixlen 64 scopeid 0x6\n" "inet 10.246.38.1 --> 10.0.0.5 netmask 0xffffff00\n" msgstr "" #. type: Plain text #: documentation/content/en/articles/vpn-ipsec/_index.adoc:89 msgid "Here is the output from the corporate gateway:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/vpn-ipsec/_index.adoc:96 #, no-wrap msgid "" "gif0: flags=8051 mtu 1280\n" "tunnel inet 192.168.1.12 --> 172.16.5.4\n" "inet 10.0.0.5 --> 10.246.38.1 netmask 0xffffff00\n" "inet6 fe80::250:bfff:fe3a:c1f%gif0 prefixlen 64 scopeid 0x4\n" msgstr "" #. type: Plain text #: documentation/content/en/articles/vpn-ipsec/_index.adoc:99 msgid "" "Once complete, both internal IP addresses should be reachable using " "man:ping[8]:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/vpn-ipsec/_index.adoc:111 #, no-wrap msgid "" "home-gw# ping 10.0.0.5\n" "PING 10.0.0.5 (10.0.0.5): 56 data bytes\n" "64 bytes from 10.0.0.5: icmp_seq=0 ttl=64 time=42.786 ms\n" "64 bytes from 10.0.0.5: icmp_seq=1 ttl=64 time=19.255 ms\n" "64 bytes from 10.0.0.5: icmp_seq=2 ttl=64 time=20.440 ms\n" "64 bytes from 10.0.0.5: icmp_seq=3 ttl=64 time=21.036 ms\n" "--- 10.0.0.5 ping statistics ---\n" "4 packets transmitted, 4 packets received, 0% packet loss\n" "round-trip min/avg/max/stddev = 19.255/25.879/42.786/9.782 ms\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/vpn-ipsec/_index.adoc:122 #, no-wrap msgid "" "corp-gw# ping 10.246.38.1\n" "PING 10.246.38.1 (10.246.38.1): 56 data bytes\n" "64 bytes from 10.246.38.1: icmp_seq=0 ttl=64 time=28.106 ms\n" "64 bytes from 10.246.38.1: icmp_seq=1 ttl=64 time=42.917 ms\n" "64 bytes from 10.246.38.1: icmp_seq=2 ttl=64 time=127.525 ms\n" "64 bytes from 10.246.38.1: icmp_seq=3 ttl=64 time=119.896 ms\n" "64 bytes from 10.246.38.1: icmp_seq=4 ttl=64 time=154.524 ms\n" "--- 10.246.38.1 ping statistics ---\n" "5 packets transmitted, 5 packets received, 0% packet loss\n" "round-trip min/avg/max/stddev = 28.106/94.594/154.524/49.814 ms\n" msgstr "" #. type: Plain text #: documentation/content/en/articles/vpn-ipsec/_index.adoc:127 msgid "" "As expected, both sides have the ability to send and receive ICMP packets " "from the privately configured addresses. Next, both gateways must be told " "how to route packets in order to correctly send traffic from the networks " "behind each gateway. The following commands will achieve this goal:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/vpn-ipsec/_index.adoc:134 #, no-wrap msgid "" "corp-gw# route add 10.0.0.0 10.0.0.5 255.255.255.0\n" "corp-gw# route add net 10.0.0.0: gateway 10.0.0.5\n" "home-gw# route add 10.246.38.0 10.246.38.1 255.255.255.0\n" "home-gw# route add host 10.246.38.0: gateway 10.246.38.1\n" msgstr "" #. type: Plain text #: documentation/content/en/articles/vpn-ipsec/_index.adoc:138 msgid "" "Internal machines should be reachable from each gateway as well as from " "machines behind the gateways. Again, use man:ping[8] to confirm:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/vpn-ipsec/_index.adoc:149 #, no-wrap msgid "" "corp-gw# ping -c 3 10.0.0.8\n" "PING 10.0.0.8 (10.0.0.8): 56 data bytes\n" "64 bytes from 10.0.0.8: icmp_seq=0 ttl=63 time=92.391 ms\n" "64 bytes from 10.0.0.8: icmp_seq=1 ttl=63 time=21.870 ms\n" "64 bytes from 10.0.0.8: icmp_seq=2 ttl=63 time=198.022 ms\n" "--- 10.0.0.8 ping statistics ---\n" "3 packets transmitted, 3 packets received, 0% packet loss\n" "round-trip min/avg/max/stddev = 21.870/101.846/198.022/74.001 ms\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/vpn-ipsec/_index.adoc:158 #, no-wrap msgid "" "home-gw# ping -c 3 10.246.38.107\n" "PING 10.246.38.1 (10.246.38.107): 56 data bytes\n" "64 bytes from 10.246.38.107: icmp_seq=0 ttl=64 time=53.491 ms\n" "64 bytes from 10.246.38.107: icmp_seq=1 ttl=64 time=23.395 ms\n" "64 bytes from 10.246.38.107: icmp_seq=2 ttl=64 time=23.865 ms\n" "--- 10.246.38.107 ping statistics ---\n" "3 packets transmitted, 3 packets received, 0% packet loss\n" "round-trip min/avg/max/stddev = 21.145/31.721/53.491/12.179 ms\n" msgstr "" #. type: Plain text #: documentation/content/en/articles/vpn-ipsec/_index.adoc:163 msgid "" "At this point, traffic is flowing between the networks encapsulated in a gif " "tunnel but without any encryption. Next, use IPSec to encrypt traffic using " "pre-shared keys (PSK). Other than the IP addresses, " "[.filename]#/usr/local/etc/racoon/racoon.conf# on both gateways will be " "identical and look similar to:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/vpn-ipsec/_index.adoc:168 #, no-wrap msgid "" "path pre_shared_key \"/usr/local/etc/racoon/psk.txt\"; #location of " "pre-shared key file\n" "log debug;\t#log verbosity setting: set to 'notify' when testing and " "debugging is complete\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/vpn-ipsec/_index.adoc:176 #, no-wrap msgid "" "padding\t# options are not to be changed\n" "{\n" " maximum_length 20;\n" " randomize off;\n" " strict_check off;\n" " exclusive_tail off;\n" "}\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/vpn-ipsec/_index.adoc:186 #, no-wrap msgid "" "timer\t# timing options. change as needed\n" "{\n" " counter 5;\n" " interval 20 sec;\n" " persend 1;\n" "# natt_keepalive 15 sec;\n" " phase1 30 sec;\n" " phase2 15 sec;\n" "}\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/vpn-ipsec/_index.adoc:192 #, no-wrap msgid "" "listen\t# address [port] that racoon will listen on\n" "{\n" " isakmp 172.16.5.4 [500];\n" " isakmp_natt 172.16.5.4 [4500];\n" "}\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/vpn-ipsec/_index.adoc:205 #, no-wrap msgid "" "remote 192.168.1.12 [500]\n" "{\n" " exchange_mode main,aggressive;\n" " doi ipsec_doi;\n" " situation identity_only;\n" " my_identifier address 172.16.5.4;\n" " peers_identifier address 192.168.1.12;\n" " lifetime time 8 hour;\n" " passive off;\n" " proposal_check obey;\n" "# nat_traversal off;\n" " generate_policy off;\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/vpn-ipsec/_index.adoc:214 #, no-wrap msgid "" " proposal {\n" " encryption_algorithm blowfish;\n" " hash_algorithm md5;\n" " authentication_method pre_shared_key;\n" " lifetime time 30 sec;\n" " dh_group 1;\n" " }\n" "}\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/vpn-ipsec/_index.adoc:223 #, no-wrap msgid "" "sainfo (address 10.246.38.0/24 any address 10.0.0.0/24 any)\t# address " "$network/$netmask $type address $network/$netmask $type ( $type being any or " "esp)\n" "{\t\t\t\t\t\t\t\t# $network must be the two internal networks you are " "joining.\n" " pfs_group 1;\n" " lifetime time 36000 sec;\n" " encryption_algorithm blowfish,3des;\n" " authentication_algorithm hmac_md5,hmac_sha1;\n" " compression_algorithm deflate;\n" "}\n" msgstr "" #. type: Plain text #: documentation/content/en/articles/vpn-ipsec/_index.adoc:226 msgid "" "For descriptions of each available option, refer to the manual page for " "[.filename]#racoon.conf#." msgstr "" #. type: Plain text #: documentation/content/en/articles/vpn-ipsec/_index.adoc:228 msgid "" "The Security Policy Database (SPD) needs to be configured so that FreeBSD " "and racoon are able to encrypt and decrypt network traffic between the " "hosts." msgstr "" #. type: Plain text #: documentation/content/en/articles/vpn-ipsec/_index.adoc:231 msgid "" "This can be achieved with a shell script, similar to the following, on the " "corporate gateway. This file will be used during system initialization and " "should be saved as [.filename]#/usr/local/etc/racoon/setkey.conf#." msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/vpn-ipsec/_index.adoc:239 #, no-wrap msgid "" "flush;\n" "spdflush;\n" "# To the home network\n" "spdadd 10.246.38.0/24 10.0.0.0/24 any -P out ipsec " "esp/tunnel/172.16.5.4-192.168.1.12/use;\n" "spdadd 10.0.0.0/24 10.246.38.0/24 any -P in ipsec " "esp/tunnel/192.168.1.12-172.16.5.4/use;\n" msgstr "" #. type: Plain text #: documentation/content/en/articles/vpn-ipsec/_index.adoc:242 msgid "" "Once in place, racoon may be started on both gateways using the following " "command:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/vpn-ipsec/_index.adoc:246 #, no-wrap msgid "" "# /usr/local/sbin/racoon -F -f /usr/local/etc/racoon/racoon.conf -l " "/var/log/racoon.log\n" msgstr "" #. type: Plain text #: documentation/content/en/articles/vpn-ipsec/_index.adoc:249 msgid "The output should be similar to the following:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/vpn-ipsec/_index.adoc:264 #, no-wrap msgid "" "corp-gw# /usr/local/sbin/racoon -F -f /usr/local/etc/racoon/racoon.conf\n" "Foreground mode.\n" "2006-01-30 01:35:47: INFO: begin Identity Protection mode.\n" "2006-01-30 01:35:48: INFO: received Vendor ID: KAME/racoon\n" "2006-01-30 01:35:55: INFO: received Vendor ID: KAME/racoon\n" "2006-01-30 01:36:04: INFO: ISAKMP-SA established " "172.16.5.4[500]-192.168.1.12[500] spi:623b9b3bd2492452:7deab82d54ff704a\n" "2006-01-30 01:36:05: INFO: initiate new phase 2 negotiation: " "172.16.5.4[0]192.168.1.12[0]\n" "2006-01-30 01:36:09: INFO: IPsec-SA established: ESP/Tunnel " "192.168.1.12[0]->172.16.5.4[0] spi=28496098(0x1b2d0e2)\n" "2006-01-30 01:36:09: INFO: IPsec-SA established: ESP/Tunnel " "172.16.5.4[0]->192.168.1.12[0] spi=47784998(0x2d92426)\n" "2006-01-30 01:36:13: INFO: respond new phase 2 negotiation: " "172.16.5.4[0]192.168.1.12[0]\n" "2006-01-30 01:36:18: INFO: IPsec-SA established: ESP/Tunnel " "192.168.1.12[0]->172.16.5.4[0] spi=124397467(0x76a279b)\n" "2006-01-30 01:36:18: INFO: IPsec-SA established: ESP/Tunnel " "172.16.5.4[0]->192.168.1.12[0] spi=175852902(0xa7b4d66)\n" msgstr "" #. type: Plain text #: documentation/content/en/articles/vpn-ipsec/_index.adoc:268 msgid "" "To ensure the tunnel is working properly, switch to another console and use " "man:tcpdump[1] to view network traffic using the following command. Replace " "`em0` with the network interface card as required:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/vpn-ipsec/_index.adoc:272 #, no-wrap msgid "corp-gw# tcpdump -i em0 host 172.16.5.4 and dst 192.168.1.12\n" msgstr "" #. type: Plain text #: documentation/content/en/articles/vpn-ipsec/_index.adoc:276 msgid "" "Data similar to the following should appear on the console. If not, there " "is an issue and debugging the returned data will be required." msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/vpn-ipsec/_index.adoc:282 #, no-wrap msgid "" "01:47:32.021683 IP corporatenetwork.com > 192.168.1.12.privatenetwork.com: " "ESP(spi=0x02acbf9f,seq=0xa)\n" "01:47:33.022442 IP corporatenetwork.com > 192.168.1.12.privatenetwork.com: " "ESP(spi=0x02acbf9f,seq=0xb)\n" "01:47:34.024218 IP corporatenetwork.com > 192.168.1.12.privatenetwork.com: " "ESP(spi=0x02acbf9f,seq=0xc)\n" msgstr "" #. type: Plain text #: documentation/content/en/articles/vpn-ipsec/_index.adoc:288 msgid "" "At this point, both networks should be available and seem to be part of the " "same network. Most likely both networks are protected by a firewall. To " "allow traffic to flow between them, rules need to be added to pass packets. " "For the man:ipfw[8] firewall, add the following lines to the firewall " "configuration file:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/vpn-ipsec/_index.adoc:295 #, no-wrap msgid "" "ipfw add 00201 allow log esp from any to any\n" "ipfw add 00202 allow log ah from any to any\n" "ipfw add 00203 allow log ipencap from any to any\n" "ipfw add 00204 allow log udp from any 500 to any\n" msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/vpn-ipsec/_index.adoc:300 msgid "" "The rule numbers may need to be altered depending on the current host " "configuration." msgstr "" #. type: Plain text #: documentation/content/en/articles/vpn-ipsec/_index.adoc:303 msgid "" "For users of man:pf[4] or man:ipf[8], the following rules should do the " "trick:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/vpn-ipsec/_index.adoc:316 #, no-wrap msgid "" "pass in quick proto esp from any to any\n" "pass in quick proto ah from any to any\n" "pass in quick proto ipencap from any to any\n" "pass in quick proto udp from any port = 500 to any port = 500\n" "pass in quick on gif0 from any to any\n" "pass out quick proto esp from any to any\n" "pass out quick proto ah from any to any\n" "pass out quick proto ipencap from any to any\n" "pass out quick proto udp from any port = 500 to any port = 500\n" "pass out quick on gif0 from any to any\n" msgstr "" #. type: Plain text #: documentation/content/en/articles/vpn-ipsec/_index.adoc:319 msgid "" "Finally, to allow the machine to start support for the VPN during system " "initialization, add the following lines to [.filename]#/etc/rc.conf#:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/vpn-ipsec/_index.adoc:326 #, no-wrap msgid "" "ipsec_enable=\"YES\"\n" "ipsec_program=\"/usr/local/sbin/setkey\"\n" "ipsec_file=\"/usr/local/etc/racoon/setkey.conf\" # allows setting up spd " "policies on boot\n" "racoon_enable=\"yes\"\n" msgstr ""