Other configuration possibilities

This document describes various options for FreeS/WAN configuration which are less used or more complex (often both) than the standard cases described in our quickstart document.

Some rules of thumb about configuration

Tunnels are cheap

Nearly all of the overhead in IPsec processing is in the encryption and authentication of packets. Our performance document discusses these overheads.

Beside those overheads, the cost of managing additional tunnels is trivial. Whether your gateway supports one tunnel or ten just does not matter. A hundred might be a problem; there is a section on this in the performance document.

So, in nearly all cases, if using multiple tunnels gives you a reasonable way to describe what you need to do, you should describe it that way in your configuration files.

For example, one user recently asked on a mailing list about this network configuration:

        netA---gwA---gwB---netB
                            |----netC

   netA and B are secured netC not.
   netA and gwA can not access netC

The user had constructed only one tunnel, netA to netB, and wanted to know how to use ip-route to get netC packets into it. This is entirely unnecessary. One of the replies was:

  The simplest way and indeed the right way to
  solve this problem is to set up two connections:

        leftsubnet=NetA
        left=gwA
        right=gwB
        rightsubnet=NetB
  and
        leftsubnet=NetA
        left=gwA
        right=gwB
        rightsubnet=NetC

This would still be correct even if we added nets D, E, F, ...to the above diagram and needed twenty tunnels.

Of course another possibility would be to just use one tunnel, with a subnet mask that includes both netB and netC (or B, C, D, ...). See next section.

In general, you can construct as many tunnels as you need. Networks like netC in this example that do not connect directly to the gateway are fine, as long as the gateway can route to them.

The number of tunnels can become an issue if it reaches 50 or so. This is discussed in the performance document. Look there for information on supporting hundreds of Road Warriors from one gateway.

If you find yourself with too many tunnels for some reason like having eight subnets at one location and nine at another so you end up with 9*8=72tunnels, read the next section here.

Subnet sizes

The subnets used in leftsubnet and rightsubnet can be of any size that fits your needs, and they need not correspond to physical networks.

You adjust the size by changing the subnet mask, the number after the slash in the subnet description. For example

• in 192.168.100.0/24 the /24 mask says 24 bits are used to designate the network. This leave 8 bits to label machines. This subnet has 256 addresses. .0 and .255 are reserved, so it can have 254 machines.
• A subnet with a /23 mask would be twice as large, 512 addresses.
• A subnet with a /25 mask would be half the size, 128 addresses.
• /0 is the whole Internet
• /32 is a single machine

As an example of using these in connection descriptions, suppose your company's head office has four physical networks using the address ranges:

192.168.100.0/24

development

192.168.101.0/24

production

192.168.102.0/24

marketing

192.168.103.0/24

administration

You can use exactly those subnets in your connection descriptions, or use larger subnets to grant broad access if required:

leftsubnet=192.168.100.0/24

remote hosts can access only development

leftsubnet=192.168.100.0/23

remote hosts can access development or production

leftsubnet=192.168.102.0/23

remote hosts can access marketing or administration

leftsubnet=192.168.100.0/22

remote hosts can access any of the four departments

or use smaller subnets to restrict access:

leftsubnet=192.168.103.0/24

remote hosts can access any machine in administration

leftsubnet=192.168.103.64/28

remote hosts can access only certain machines in administration.

leftsubnet=192.168.103.42/32

remote hosts can access only one particular machine in administration

To be exact, 192.68.103.64/28 means all addresses whose top 28 bits match 192.168.103.64. There are 16 of these because there are 16 possibilities for the remainingg 4 bits. Their addresses are 192.168.103.64 to 192.168.103.79.

Each connection description can use a different subnet if required.

It is possible to use all the examples above on the same FreeS/WAN gateway, each in a different connection description, perhaps for different classes of user or for different remote offices.

It is also possible to have multiple tunnels using different leftsubnet descriptions with the same right. For example, when the marketing manager is on the road he or she might have access to:

leftsubnet=192.168.102.0/24

all machines in marketing

192.168.101.32/29

some machines in production

leftsubnet=192.168.103.42/32

one particular machine in administration

This takes three tunnels, but tunnels are cheap. If the laptop is set up to build all three tunnels automatically, then he or she can access all these machines concurrently, perhaps from different windows.

Other network layouts

In our VPN example, we used a simple network picture:

     Sunset==========West------------------East=========Sunrise
           local net       untrusted net       local net

And for the Road Warrior, another:

                                           telecommuter's PC or
                                           traveller's laptop
     Sunset==========West------------------East
         corporate LAN     untrusted net

Other configurations are also possible.

The Internet as a big subnet

A telecommuter might have:

     Sunset==========West------------------East ================= firewall --- the Internet
         home network      untrusted net        corporate network

This can be described as a special case of the general subnet-to-subnet connection. The subnet on the right is 0.0.0.0/0, the whole Internet.

West (the home gateway) can have its firewall rules set up so that only IPsec packets to East are allowed out. It will then behave as if its only connection to the world was a wire to East.

When machines on the home network need to reach the Internet, they do so via the tunnel, East and the corporate firewall. From the viewpoint of the Internet (perhaps of some EvilDoer trying to break in!), those home office machines are behind the firewall and protected by it.

Wireless

Another possible configuration comes up when you do not trust the local network, either because you have very high security standards or because your are using easily-intercepted wireless signals.

Some wireless ��=�5H�oم.e5�p!D.��+��l|���j#���Rv��v�ߗ_�N���0�1���T��v��p��&97�np�R�.^M������|h��5�%��,�c:x˷Iey��`��+��Ņ��I��7�٢?��`Rm9�Z|�񄕥�U9���9�x1s�8�Ng���-8�& dđ����z*ߐ�� ���s���@$PamH���%���<�� ����H_��"��R��g�u��w�v "��d��$^�"+l�k�!�`����b��F�H��>ٴM��x��k"V��Nɚ�8�ڃ����((���pS�9�����͟���~U��>� �R���o����R��E�}�h�f��r4F�(�cM�S�3�bǏ���T@���Z�h�$� ��Dvk���y�y�NI�%�p)�P�d���W��7">V6sj�8�|�^&��G?Dݛ�"R׳�z�׺����AX$�������4�W�����A/f�
��X�j���JYWTq.OL\ɨ}��e`-�����M�-+yqq�P�`��-��wτ:�S=�Cʧ(���X��4���� �R[��/`g�3f���!�h�Ӏ�D��y�7��y���{����m�h�����{
tŎc �O
�hb���;#����{K�8�4-�$��� �.u���1`��K�4AXS|�� M4������V�ԋ]��?����]���rs�Q�A�-�Oo9�b>}҇'_�>�G'g��N�/N�Cs��C�]H�~>yr\�<�A^f%;��³��.Ʌ����1&��C<�رlԆj~�V�!K���5��6d��S�Mb8"� ��zhƠD&;���[��W��{gB� �5��W��h��DD�D��ϛ�J�����%Uz\!�: ��YC�Z�:P����i�*z<�4�#��-��s���$E�� m�_Ĕ9����>m���q�!�˜ğ�:�؊���[��?�Ѻ��7�]ЌI ����Ο�Id]��NXE���9AC��W~���m�v����'�}ɂl}���V 9��A���@����7�7|�H0���g9�#+ 40 b�����$WC��sxĉ���ON-�v��տ�@�m�x*��Z�g6)���#���zKq�����b�\!���jC�c��˰��E�A ��jp_�[v���d�`�s�cW��e���e'Cq�T��s��U6�2l}���O�T�}<�[�nR*������.&x�W D�6�[/,+NdK?lo/����
��tqI�?����*�naⷔ��lB�^M�z��פ�77��c��Æ�X��%�]��#
�ɽ��p<�4:`p�t�T�ځRe���L�&&����.�S5A��3���t9��cXK�݃�N���wg�r�@;|Z�`w� �g������ȭV6g����݁&�=h�s�m���K���1K�f.M{�0�P
m.��ל^�"
#ۀ� ��/��EH��67��o����#{�dz���2u�Z��!��
!�\9�[�+��Z�뺥ê��8Z�����ے�=*R4,b��qoy=�-m��~)�"���v<�c��o��3�I�Kzm8=�R´'LRH��up7B���7�kQhk&���j���nTn��-ܨ�״�I)�4��!�S���Q�$�r��Y�T�ݟ��Pֱ��� �� �-�a�����������v�iWG;�Q�����n��>>N�u�"p[��� J};*Z���Н�7��@X]��Ź��CB�Q<�nJ��/��(Ҏ# *��Q|�������q ���U
�cÖ��OXO��_9>D��,q��o$n���U�<��B��y�����wH\bY�( �S�I b����| Dx��fdl��F}�@�#UR�+���֗��J�$ /��I:W�g��AD���#|�>��[Rd�/߂�K���I�h�"���e-ô�n�z 6�\ͳ��Ո��ʧI� �bM�5
4�ojg
�q���@��1+�f\o����V��2 �-�"à8
!g�B�-J)�ҧ�S�
����M_�9�eĹ�|�t�> .��O��N9����nLH�(��IG� n,F�a�l�_����=.�.S�Qgb��r����>��M�('@ p�Wt�,�b���oE2H�3�2��]m[�p<@�|� 쮖}V_�w��ͼ���mg`�N���|_^���
�ֺ?�a�`�����ͨ��}����9F�����&,��_n����|)���l���!]�� <�b���1������ă=�Y�,�aw�R�F> ��ǡ�m��(fl��L�H�����/��W�S�A�n��~���Ŝj�j�˾�׳�/��־�-J�ϯ����ߞ̮�kR�?�g�)Q�m5����-?s�a 랷`H�E���0]����g#����<��H�Q�0GLh�M��fԏe�e�� ���z��.������AoQ��Q1�o��9tl�� �>&�����tԞ���s+�n&���d(�gQ�W��^�V�?�����{���������ŋ�{�頿e�ŲgŘ������7������N/^@c��N/�����GO��}vxvqz����3���ٳ��'<��Z���H�@D��~�*�?����ʡ./usr/share/doc/freeswan/CREDITS0100644000000000000000000000537307376333733015252 0ustar rootrootWe haven't kept proper track of everybody who has helped us, alas, but here's a first attempt at acknowledgements... Most of the FreeS/WAN software has been done by Richard Guy Briggs (KLIPS), D. Hugh Redelmeier (Pluto), Michael Richardson (KLIPS, testing, etc.), Henry Spencer (technical lead, scripts, libraries, packaging, etc.), Sandy Harris (documentation), and Claudia Schmeing (user support). Peter Onion has collaborated extensively with RGB on PFKEY2 stuff. The original version of our IPComp code came from Svenning Soerensen, who has also contributed various bug fixes and improvements. The first versions of KLIPS were done by John Ioannidis . The first versions of Pluto (and further work on KLIPS) were done by Angelos D. Keromytis . The MD5 implementation is from RSADSI, so this package must include the following phrase: "derived from the RSA Data Security, Inc. MD5 Message-Digest Algorithm". It is not under the GPL; see details in klips/net/ipsec/ipsec_md5c.c. The LIBDES library by Eric Young is used. It is not under the GPL -- see details in libdes/COPYRIGHT -- although he has graciously waived the advertising clause for FreeS/WAN use of LIBDES. The SHA-1 code is derived from Steve Reid's; it is public domain. Some bits of Linux code, notably drivers/net/new_tunnel.c and net/ipv4/ipip.c, are used in heavily modified forms. The radix-tree code from 4.4BSD is used in a modified form. It is not under the GPL; see details in klips/net/ipsec/radij.c. The lib/pfkeyv2.h header file contains public-domain material published in RFC 2367. Some parts of this distribution are under the GLL rather than the GPL; see the README files in the individual directories. Peter Onion has been immensely helpful in finding portability bugs in general, and in making FreeS/WAN work on the Alpha in particular. Rob Hatfield likewise found and fixed some problems making it work on the Netwinder. John S. Denker of AT&T Shannon Labs has found a number of bugs the hard way, has pointed out various problems (some of which we have fixed!) in using the software in production applications, and has suggested some substantial improvements to the documentation. Marc Boucher did a quick-and-dirty port of KLIPS to the Linux 2.2.x kernels, at a time when we needed it badly, and has helped chase down 2.2.xx bugs and keep us current with 2.4.x development. John Gilmore organized the FreeS/WAN project and continues to direct it. Hugh Daniel handles day-to-day management, customer interface, and both constructive and destructive testing. See the project's web page for other contributors to this project and related ones. This file is RCSID $Id: CREDITS,v 1.23 2001/11/20 01:54:35 henry Exp $ ./usr/share/doc/freeswan/doc/0040755000000000000000000000000007572121746014767 5ustar rootroot./usr/share/doc/freeswan/doc/src/0040755000000000000000000000000007572121745015555 5ustar rootroot./usr/share/doc/freeswan/doc/src/adv_config.html0100644000000000000000000015514607437341426020553 0ustar rootroot

Other configuration possibilities

This document describes various options for FreeS/WAN configuration which are less used or more complex (often both) than the standard cases described in our quickstart document.

Some rules of thumb about configuration

Tunnels are cheap

Nearly all of the overhead in IPsec processing is in the encryption and authentication of packets. Our performance document discusses these overheads.

Beside those overheads, the cost of managing additional tunnels is trivial. Whether your gateway supports one tunnel or ten just does not matter. A hundred might be a problem; there is a section on this in the performance document.

So, in nearly all cases, if using multiple tunnels gives you a reasonable way to describe what you need to do, you should describe it that way in your configuration files.

For example, one user recently asked on a mailing list about this network configuration:

        netA---gwA---gwB---netB
                            |----netC

   netA and B are secured netC not.
   netA and gwA can not access netC

The user had constructed only one tunnel, netA to netB, and wanted to know how to use ip-route to get netC packets into it. This is entirely unnecessary. One of the replies was:

  The simplest way and indeed the right way to
  solve this problem is to set up two connections:

        leftsubnet=NetA
        left=gwA
        right=gwB
        rightsubnet=NetB
  and
        leftsubnet=NetA
        left=gwA
        right=gwB
        rightsubnet=NetC

This would still be correct even if we added nets D, E, F, ...to the above diagram and needed twenty tunnels.

Of course another possibility would be to just use one tunnel, with a subnet mask that includes both netB and netC (or B, C, D, ...). See next section.

In general, you can construct as many tunnels as you need. Networks like netC in this example that do not connect directly to the gateway are fine, as long as the gateway can route to them.

The number of tunnels can become an issue if it reaches 50 or so. This is discussed in the performance document. Look there for information on supporting hundreds of Road Warriors from one gateway.

If you find yourself with too many tunnels for some reason like having eight subnets at one location and nine at another so you end up with 9*8=72tunnels, read the next section here.

Subnet sizes

The subnets used in leftsubnet and rightsubnet can be of any size that fits your needs, and they need not correspond to physical networks.

You adjust the size by changing the subnet mask, the number after the slash in the subnet description. For example

• in 192.168.100.0/24 the /24 mask says 24 bits are used to designate the network. This leave 8 bits to label machines. This subnet has 256 addresses. .0 and .255 are reserved, so it can have 254 machines.
• A subnet with a /23 mask would be twice as large, 512 addresses.
• A subnet with a /25 mask would be half the size, 128 addresses.
• /0 is the whole Internet
• /32 is a single machine

As an example of using these in connection descriptions, suppose your company's head office has four physical networks using the address ranges:

192.168.100.0/24

development

192.168.101.0/24

production

192.168.102.0/24

marketing

192.168.103.0/24

administration

You can use exactly those subnets in your connection descriptions, or use larger subnets to grant broad access if required:

leftsubnet=192.168.100.0/24

remote hosts can access only development

leftsubnet=192.168.100.0/23

remote hosts can access development or production

leftsubnet=192.168.102.0/23

remote hosts can access marketing or administration

leftsubnet=192.168.100.0/22

remote hosts can access any of the four departments

or use smaller subnets to restrict access:

leftsubnet=192.168.103.0/24

remote hosts can access any machine in administration

leftsubnet=192.168.103.64/28

remote hosts can access only certain machines in administration.

leftsubnet=192.168.103.42/32

remote hosts can access only one particular machine in administration

To be exact, 192.68.103.64/28 means all addresses whose top 28 bits match 192.168.103.64. There are 16 of these because there are 16 possibilities for the remainingg 4 bits. Their addresses are 192.168.103.64 to 192.168.103.79.

Each connection description can use a different subnet if required.

It is possible to use all the examples above on the same FreeS/WAN gateway, each in a different connection description, perhaps for different classes of user or for different remote offices.

It is also possible to have multiple tunnels using different leftsubnet descriptions with the same right. For example, when the marketing manager is on the road he or she might have access to:

leftsubnet=192.168.102.0/24

all machines in marketing

192.168.101.32/29

some machines in production

leftsubnet=192.168.103.42/32

one particular machine in administration

This takes three tunnels, but tunnels are cheap. If the laptop is set up to build all three tunnels automatically, then he or she can access all these machines concurrently, perhaps from different windows.

Other network layouts

In our VPN example, we used a simple network picture:

     Sunset==========West------------------East=========Sunrise
           local net       untrusted net       local net

And for the Road Warrior, another:

                                           telecommuter's PC or
                                           traveller's laptop
     Sunset==========West------------------East
         corporate LAN     untrusted net

Other configurations are also possible.

The Internet as a big subnet

A telecommuter might have:

     Sunset==========West------------------East ================= firewall --- the Internet
         home network      untrusted net        corporate network

This can be described as a special case of the general subnet-to-subnet connection. The subnet on the right is 0.0.0.0/0, the whole Internet.

West (the home gateway) can have its firewall rules set up so that only IPsec packets to East are allowed out. It will then behave as if its only connection to the world was a wire to East.

When machines on the home network need to reach the Internet, they do so via the tunnel, East and the corporate firewall. From the viewpoint of the Internet (perhaps of some EvilDoer trying to break in!), those home office machines are behind the firewall and protected by it.

Wireless

Another possible configuration comes up when you do not trust the local network, either because you have very high security standards or because your are using easily-intercepted wireless signals.

Some wireless ��=�5H�oم.e5�p!D.��+��l|���j#���Rv��v�ߗ_�N���0�1���T��v��p��&97�np�R�.^M������|h��5�%��,�c:x˷Iey��`��+��Ņ��I��7�٢?��`Rm9�Z|�񄕥�U9���9�x1s�8�Ng���-8�& dđ����z*ߐ�� ���s���@$PamH���%���<�� ����H_��"��R��g�u��w�v "��d��$^�"+l�k�!�`����b��F�H��>ٴM��x��k"V��Nɚ�8�ڃ����((���pS�9�����͟���~U��>� �R���o����R��E�}�h�f��r4F�(�cM�S�3�bǏ���T@���Z�h�$� ��Dvk���y�y�NI�%�p)�P�d���W��7">V6sj�8�|�^&��G?Dݛ�"R׳�z�׺����AX$�������4�W�����A/f�
��X�j���JYWTq.OL\ɨ}��e`-�����M�-+yqq�P�`��-��wτ:�S=�Cʧ(���X��4���� �R[��/`g�3f���!�h�Ӏ�D��y�7��y���{����m�h�����{
tŎc �O
�hb���;#����{K�8�4-�$��� �.u���1`��K�4AXS|�� M4������V�ԋ]��?����]���rs�Q�A�-�Oo9�b>}҇'_�>�G'g��N�/N�Cs��C�]H�~>yr\�<�A^f%;��³��.Ʌ����1&��C<�رlԆj~�V�!K���5��6d��S�Mb8"� ��zhƠD&;���[��W��{gB� �5��W��h��DD�D��ϛ�J�����%Uz\!�: ��YC�Z�:P����i�*z<�4�#��-��s���$E�� m�_Ĕ9����>m���q�!�˜ğ�:�؊���[��?�Ѻ��7�]ЌI ����Ο�Id]��NXE���9AC��W~���m�v����'�}ɂl}���V 9��A���@����7�7|�H0���g9�#+ 40 b�����$WC��sxĉ���ON-�v��տ�@�m�x*��Z�g6)���#���zKq�����b�\!���jC�c��˰��E�A ��jp_�[v���d�`�s�cW��e���e'Cq�T��s��U6�2l}���O�T�}<�[�nR*������.&x�W D�6�[/,+NdK?lo/����
��tqI�?����*�naⷔ��lB�^M�z��פ�77��c��Æ�X��%�]��#
�ɽ��p<�4:`p�t�T�ځRe���L�&&����.�S5A��3���t9��cXK�݃�N���wg�r�@;|Z�`w� �g������ȭV6g����݁&�=h�s�m���K���1K�f.M{�0�P
m.��ל^�"
#ۀ� ��/��EH��67��o����#{�dz���2u�Z��!��
!�\9�[�+��Z�뺥ê��8Z�����ے�=*R4,b��qoy=�-m��~)�"���v<�c��o��3�I�Kzm8=�R´'LRH��up7B���7�kQhk&���j���nTn��-ܨ�״�I)�4��!�S���Q�$�r��Y�T�ݟ��Pֱ��� �� �-�a�����������v�iWG;�Q�����n��>>N�u�"p[��� J};*Z���Н�7��@X]��Ź��CB�Q<�nJ��/��(Ҏ# *��Q|�������q ���U
�cÖ��OXO��_9>D��,q��o$n���U�<��B��y�����wH\bY�( �S�I b����| Dx��fdl��F}�@�#UR�+���֗��J�$ /��I:W�g��AD���#|�>��[Rd�/߂�K���I�h�"���e-ô�n�z 6�\ͳ��Ո��ʧI� �bM�5
4�ojg
�q���@��1+�f\o����V��2 �-�"à8
!g�B�-J)�ҧ�S�
����M_�9�eĹ�|�t�> .��O��N9����nLH�(��IG� n,F�a�l�_����=.�.S�Qgb��r����>��M�('@ p�Wt�,�b���oE2H�3�2��]m[�p<@�|� 쮖}V_�w��ͼ���mg`�N���|_^���
�ֺ?�a�`�����ͨ��}����9F�����&,��_n����|)���l���!]�� <�b���1������ă=�Y�,�aw�R�F> ��ǡ�m��(fl��L�H�����/��W�S�A�n��~���Ŝj�j�˾�׳�/��־�-J�ϯ����ߞ̮�kR�?�g�)Q�m5����-?s�a 랷`H�E���0]����g#����<��H�Q�0GLh�M��fԏe�e�� ���z��.������AoQ��Q1�o��9tl�� �>&�����tԞ���s+�n&���d(�gQ�W��^�V�?�����{���������ŋ�{�頿e�ŲgŘ������7������N/^@c��N/�����GO��}vxvqz����3���ٳ��'<��Z���H�@D��~�*�?����ʡ./usr/share/doc/freeswan/CREDITS0100644000000000000000000000537307376333733015252 0ustar rootrootWe haven't kept proper track of everybody who has helped us, alas, but here's a first attempt at acknowledgements... Most of the FreeS/WAN software has been done by Richard Guy Briggs (KLIPS), D. Hugh Redelmeier (Pluto), Michael Richardson (KLIPS, testing, etc.), Henry Spencer (technical lead, scripts, libraries, packaging, etc.), Sandy Harris (documentation), and Claudia Schmeing (user support). Peter Onion has collaborated extensively with RGB on PFKEY2 stuff. The original version of our IPComp code came from Svenning Soerensen, who has also contributed various bug fixes and improvements. The first versions of KLIPS were done by John Ioannidis . The first versions of Pluto (and further work on KLIPS) were done by Angelos D. Keromytis . The MD5 implementation is from RSADSI, so this package must include the following phrase: "derived from the RSA Data Security, Inc. MD5 Message-Digest Algorithm". It is not under the GPL; see details in klips/net/ipsec/ipsec_md5c.c. The LIBDES library by Eric Young is used. It is not under the GPL -- see details in libdes/COPYRIGHT -- although he has graciously waived the advertising clause for FreeS/WAN use of LIBDES. The SHA-1 code is derived from Steve Reid's; it is public domain. Some bits of Linux code, notably drivers/net/new_tunnel.c and net/ipv4/ipip.c, are used in heavily modified forms. The radix-tree code from 4.4BSD is used in a modified form. It is not under the GPL; see details in klips/net/ipsec/radij.c. The lib/pfkeyv2.h header file contains public-domain material published in RFC 2367. Some parts of this distribution are under the GLL rather than the GPL; see the README files in the individual directories. Peter Onion has been immensely helpful in finding portability bugs in general, and in making FreeS/WAN work on the Alpha in particular. Rob Hatfield likewise found and fixed some problems making it work on the Netwinder. John S. Denker of AT&T Shannon Labs has found a number of bugs the hard way, has pointed out various problems (some of which we have fixed!) in using the software in production applications, and has suggested some substantial improvements to the documentation. Marc Boucher did a quick-and-dirty port of KLIPS to the Linux 2.2.x kernels, at a time when we needed it badly, and has helped chase down 2.2.xx bugs and keep us current with 2.4.x development. John Gilmore organized the FreeS/WAN project and continues to direct it. Hugh Daniel handles day-to-day management, customer interface, and both constructive and destructive testing. See the project's web page for other contributors to this project and related ones. This file is RCSID $Id: CREDITS,v 1.23 2001/11/20 01:54:35 henry Exp $ ./usr/share/doc/freeswan/doc/0040755000000000000000000000000007572121746014767 5ustar rootroot./usr/share/doc/freeswan/doc/src/0040755000000000000000000000000007572121745015555 5ustar rootroot./usr/share/doc/freeswan/doc/src/adv_config.html0100644000000000000000000015514607437341426020553 0ustar rootroot

Other configuration possibilities

This document describes various options for FreeS/WAN configuration which are less used or more complex (often both) than the standard cases described in our quickstart document.

Some rules of thumb about configuration

Tunnels are cheap

Nearly all of the overhead in IPsec processing is in the encryption and authentication of packets. Our performance document discusses these overheads.

Beside those overheads, the cost of managing additional tunnels is trivial. Whether your gateway supports one tunnel or ten just does not matter. A hundred might be a problem; there is a section on this in the performance document.

So, in nearly all cases, if using multiple tunnels gives you a reasonable way to describe what you need to do, you should describe it that way in your configuration files.

For example, one user recently asked on a mailing list about this network configuration:

        netA---gwA---gwB---netB
                            |----netC

   netA and B are secured netC not.
   netA and gwA can not access netC

The user had constructed only one tunnel, netA to netB, and wanted to know how to use ip-route to get netC packets into it. This is entirely unnecessary. One of the replies was:

  The simplest way and indeed the right way to
  solve this problem is to set up two connections:

        leftsubnet=NetA
        left=gwA
        right=gwB
        rightsubnet=NetB
  and
        leftsubnet=NetA
        left=gwA
        right=gwB
        rightsubnet=NetC

This would still be correct even if we added nets D, E, F, ...to the above diagram and needed twenty tunnels.

Of course another possibility would be to just use one tunnel, with a subnet mask that includes both netB and netC (or B, C, D, ...). See next section.

In general, you can construct as many tunnels as you need. Networks like netC in this example that do not connect directly to the gateway are fine, as long as the gateway can route to them.

The number of tunnels can become an issue if it reaches 50 or so. This is discussed in the performance document. Look there for information on supporting hundreds of Road Warriors from one gateway.

If you find yourself with too many tunnels for some reason like having eight subnets at one location and nine at another so you end up with 9*8=72tunnels, read the next section here.

Subnet sizes

The subnets used in leftsubnet and rightsubnet can be of any size that fits your needs, and they need not correspond to physical networks.

You adjust the size by changing the subnet mask, the number after the slash in the subnet description. For example

• in 192.168.100.0/24 the /24 mask says 24 bits are used to designate the network. This leave 8 bits to label machines. This subnet has 256 addresses. .0 and .255 are reserved, so it can have 254 machines.
• A subnet with a /23 mask would be twice as large, 512 addresses.
• A subnet with a /25 mask would be half the size, 128 addresses.
• /0 is the whole Internet
• /32 is a single machine

As an example of using these in connection descriptions, suppose your company's head office has four physical networks using the address ranges:

192.168.100.0/24

development

192.168.101.0/24

production

192.168.102.0/24

marketing

192.168.103.0/24

administration

You can use exactly those subnets in your connection descriptions, or use larger subnets to grant broad access if required:

leftsubnet=192.168.100.0/24

remote hosts can access only development

leftsubnet=192.168.100.0/23

remote hosts can access development or production

leftsubnet=192.168.102.0/23

remote hosts can access marketing or administration

leftsubnet=192.168.100.0/22

remote hosts can access any of the four departments

or use smaller subnets to restrict access:

leftsubnet=192.168.103.0/24

remote hosts can access any machine in administration

leftsubnet=192.168.103.64/28

remote hosts can access only certain machines in administration.

leftsubnet=192.168.103.42/32

remote hosts can access only one particular machine in administration

To be exact, 192.68.103.64/28 means all addresses whose top 28 bits match 192.168.103.64. There are 16 of these because there are 16 possibilities for the remainingg 4 bits. Their addresses are 192.168.103.64 to 192.168.103.79.

Each connection description can use a different subnet if required.

It is possible to use all the examples above on the same FreeS/WAN gateway, each in a different connection description, perhaps for different classes of user or for different remote offices.

It is also possible to have multiple tunnels using different leftsubnet descriptions with the same right. For example, when the marketing manager is on the road he or she might have access to:

leftsubnet=192.168.102.0/24

all machines in marketing

192.168.101.32/29

some machines in production

leftsubnet=192.168.103.42/32

one particular machine in administration

This takes three tunnels, but tunnels are cheap. If the laptop is set up to build all three tunnels automatically, then he or she can access all these machines concurrently, perhaps from different windows.

Other network layouts

In our VPN example, we used a simple network picture:

     Sunset==========West------------------East=========Sunrise
           local net       untrusted net       local net

And for the Road Warrior, another:

                                           telecommuter's PC or
                                           traveller's laptop
     Sunset==========West------------------East
         corporate LAN     untrusted net

Other configurations are also possible.

The Internet as a big subnet

A telecommuter might have:

     Sunset==========West------------------East ================= firewall --- the Internet
         home network      untrusted net        corporate network

This can be described as a special case of the general subnet-to-subnet connection. The subnet on the right is 0.0.0.0/0, the whole Internet.

West (the home gateway) can have its firewall rules set up so that only IPsec packets to East are allowed out. It will then behave as if its only connection to the world was a wire to East.

When machines on the home network need to reach the Internet, they do so via the tunnel, East and the corporate firewall. From the viewpoint of the Internet (perhaps of some EvilDoer trying to break in!), those home office machines are behind the firewall and protected by it.

Wireless

Another possible configuration comes up when you do not trust the local network, either because you have very high security standards or because your are using easily-intercepted wireless signals.

Some wireless ��=�5H�oم.e5�p!D.��+��l|���j#���Rv��v�ߗ_�N���0�1���T��v��p��&97�np�R�.^M������|h��5�%��,�c:x˷Iey��`��+��Ņ��I��7�٢?��`Rm9�Z|�񄕥�U9���9�x1s�8�Ng���-8�& dđ����z*ߐ�� ���s���@$PamH���%���<�� ����H_��"��R��g�u��w�v "��d��$^�"+l�k�!�`����b��F�H��>ٴM��x��k"V��Nɚ�8�ڃ����((���pS�9�����͟���~U��>� �R���o����R��E�}�h�f��r4F�(�cM�S�3�bǏ���T@���Z�h�$� ��Dvk���y�y�NI�%�p)�P�d���W��7">V6sj�8�|�^&��G?Dݛ�"R׳�z�׺����AX$�������4�W�����A/f�
��X�j���JYWTq.OL\ɨ}��e`-�����M�-+yqq�P�`��-��wτ:�S=�Cʧ(���X��4���� �R[��/`g�3f���!�h�Ӏ�D��y�7��y���{����m�h�����{
tŎc �O
�hb���;#����{K�8�4-�$��� �.u���1`��K�4AXS|�� M4������V�ԋ]��?����]���rs�Q�A�-�Oo9�b>}҇'_�>�G'g��N�/N�Cs��C�]H�~>yr\�<�A^f%;��³��.Ʌ����1&��C<�رlԆj~�V�!K���5��6d��S�Mb8"� ��zhƠD&;���[��W��{gB� �5��W��h��DD�D��ϛ�J�����%Uz\!�: ��YC�Z�:P����i�*z<�4�#��-��s���$E�� m�_Ĕ9����>m���q�!�˜ğ�:�؊���[��?�Ѻ��7�]ЌI ����Ο�Id]��NXE���9AC��W~���m�v����'�}ɂl}���V 9��A���@����7�7|�H0���g9�#+ 40 b�����$WC��sxĉ���ON-�v��տ�@�m�x*��Z�g6)���#���zKq�����b�\!���jC�c��˰��E�A ��jp_�[v���d�`�s�cW��e���e'Cq�T��s��U6�2l}���O�T�}<�[�nR*������.&x�W D�6�[/,+NdK?lo/����
��tqI�?����*�naⷔ��lB�^M�z��פ�77��c��Æ�X��%�]��#
�ɽ��p<�4:`p�t�T�ځRe���L�&&����.�S5A��3���t9��cXK�݃�N���wg�r�@;|Z�`w� �g������ȭV6g����݁&�=h�s�m���K���1K�f.M{�0�P
m.��ל^�"
#ۀ� ��/��EH��67��o����#{�dz���2u�Z��!��
!�\9�[�+��Z�뺥ê��8Z�����ے�=*R4,b��qoy=�-m��~)�"���v<�c��o��3�I�Kzm8=�R´'LRH��up7B���7�kQhk&���j���nTn��-ܨ�״�I)�4��!�S���Q�$�r��Y�T�ݟ��Pֱ��� �� �-�a�����������v�iWG;�Q�����n��>>N�u�"p[��� J};*Z���Н�7��@X]��Ź��CB�Q<�nJ��/��(Ҏ# *��Q|�������q ���U
�cÖ��OXO��_9>D��,q��o$n���U�<��B��y�����wH\bY�( �S�I b����| Dx��fdl��F}�@�#UR�+���֗��J�$ /��I:W�g��AD���#|�>��[Rd�/߂�K���I�h�"���e-ô�n�z 6�\ͳ��Ո��ʧI� �bM�5
4�ojg
�q���@��1+�f\o����V��2 �-�"à8
!g�B�-J)�ҧ�S�
����M_�9�eĹ�|�t�> .��O��N9����nLH�(��IG� n,F�a�l�_����=.�.S�Qgb��r����>��M�('@ p�Wt�,�b���oE2H�3�2��]m[�p<@�|� 쮖}V_�w��ͼ���mg`�N���|_^���
�ֺ?�a�`�����ͨ��}����9F�����&,��_n����|)���l���!]�� <�b���1������ă=�Y�,�aw�R�F> ��ǡ�m��(fl��L�H�����/��W�S�A�n��~���Ŝj�j�˾�׳�/��־�-J�ϯ����ߞ̮�kR�?�g�)Q�m5����-?s�a 랷`H�E���0]����g#����<��H�Q�0GLh�M��fԏe�e�� ���z��.������AoQ��Q1�o��9tl�� �>&�����tԞ���s+�n&���d(�gQ�W��^�V�?�����{���������ŋ�{�頿e�ŲgŘ������7������N/^@c��N/�����GO��}vxvqz����3���ٳ��'<��Z���H�@D��~�*�?����ʡ./usr/share/doc/freeswan/CREDITS0100644000000000000000000000537307376333733015252 0ustar rootrootWe haven't kept proper track of everybody who has helped us, alas, but here's a first attempt at acknowledgements... Most of the FreeS/WAN software has been done by Richard Guy Briggs (KLIPS), D. Hugh Redelmeier (Pluto), Michael Richardson (KLIPS, testing, etc.), Henry Spencer (technical lead, scripts, libraries, packaging, etc.), Sandy Harris (documentation), and Claudia Schmeing (user support). Peter Onion has collaborated extensively with RGB on PFKEY2 stuff. The original version of our IPComp code came from Svenning Soerensen, who has also contributed various bug fixes and improvements. The first versions of KLIPS were done by John Ioannidis . The first versions of Pluto (and further work on KLIPS) were done by Angelos D. Keromytis . The MD5 implementation is from RSADSI, so this package must include the following phrase: "derived from the RSA Data Security, Inc. MD5 Message-Digest Algorithm". It is not under the GPL; see details in klips/net/ipsec/ipsec_md5c.c. The LIBDES library by Eric Young is used. It is not under the GPL -- see details in libdes/COPYRIGHT -- although he has graciously waived the advertising clause for FreeS/WAN use of LIBDES. The SHA-1 code is derived from Steve Reid's; it is public domain. Some bits of Linux code, notably drivers/net/new_tunnel.c and net/ipv4/ipip.c, are used in heavily modified forms. The radix-tree code from 4.4BSD is used in a modified form. It is not under the GPL; see details in klips/net/ipsec/radij.c. The lib/pfkeyv2.h header file contains public-domain material published in RFC 2367. Some parts of this distribution are under the GLL rather than the GPL; see the README files in the individual directories. Peter Onion has been immensely helpful in finding portability bugs in general, and in making FreeS/WAN work on the Alpha in particular. Rob Hatfield likewise found and fixed some problems making it work on the Netwinder. John S. Denker of AT&T Shannon Labs has found a number of bugs the hard way, has pointed out various problems (some of which we have fixed!) in using the software in production applications, and has suggested some substantial improvements to the documentation. Marc Boucher did a quick-and-dirty port of KLIPS to the Linux 2.2.x kernels, at a time when we needed it badly, and has helped chase down 2.2.xx bugs and keep us current with 2.4.x development. John Gilmore organized the FreeS/WAN project and continues to direct it. Hugh Daniel handles day-to-day management, customer interface, and both constructive and destructive testing. See the project's web page for other contributors to this project and related ones. This file is RCSID $Id: CREDITS,v 1.23 2001/11/20 01:54:35 henry Exp $ ./usr/share/doc/freeswan/doc/0040755000000000000000000000000007572121746014767 5ustar rootroot./usr/share/doc/freeswan/doc/src/0040755000000000000000000000000007572121745015555 5ustar rootroot./usr/share/doc/freeswan/doc/src/adv_config.html0100644000000000000000000015514607437341426020553 0ustar rootroot

Other configuration possibilities

This document describes various options for FreeS/WAN configuration which are less used or more complex (often both) than the standard cases described in our quickstart document.

Some rules of thumb about configuration

Tunnels are cheap

Nearly all of the overhead in IPsec processing is in the encryption and authentication of packets. Our performance document discusses these overheads.

Beside those overheads, the cost of managing additional tunnels is trivial. Whether your gateway supports one tunnel or ten just does not matter. A hundred might be a problem; there is a section on this in the performance document.

So, in nearly all cases, if using multiple tunnels gives you a reasonable way to describe what you need to do, you should describe it that way in your configuration files.

For example, one user recently asked on a mailing list about this network configuration:

        netA---gwA---gwB---netB
                            |----netC

   netA and B are secured netC not.
   netA and gwA can not access netC

The user had constructed only one tunnel, netA to netB, and wanted to know how to use ip-route to get netC packets into it. This is entirely unnecessary. One of the replies was:

  The simplest way and indeed the right way to
  solve this problem is to set up two connections:

        leftsubnet=NetA
        left=gwA
        right=gwB
        rightsubnet=NetB
  and
        leftsubnet=NetA
        left=gwA
        right=gwB
        rightsubnet=NetC

This would still be correct even if we added nets D, E, F, ...to the above diagram and needed twenty tunnels.

Of course another possibility would be to just use one tunnel, with a subnet mask that includes both netB and netC (or B, C, D, ...). See next section.

In general, you can construct as many tunnels as you need. Networks like netC in this example that do not connect directly to the gateway are fine, as long as the gateway can route to them.

The number of tunnels can become an issue if it reaches 50 or so. This is discussed in the performance document. Look there for information on supporting hundreds of Road Warriors from one gateway.

If you find yourself with too many tunnels for some reason like having eight subnets at one location and nine at another so you end up with 9*8=72tunnels, read the next section here.

Subnet sizes

The subnets used in leftsubnet and rightsubnet can be of any size that fits your needs, and they need not correspond to physical networks.

You adjust the size by changing the subnet mask, the number after the slash in the subnet description. For example

• in 192.168.100.0/24 the /24 mask says 24 bits are used to designate the network. This leave 8 bits to label machines. This subnet has 256 addresses. .0 and .255 are reserved, so it can have 254 machines.
• A subnet with a /23 mask would be twice as large, 512 addresses.
• A subnet with a /25 mask would be half the size, 128 addresses.
• /0 is the whole Internet
• /32 is a single machine

As an example of using these in connection descriptions, suppose your company's head office has four physical networks using the address ranges:

192.168.100.0/24

development

192.168.101.0/24

production

192.168.102.0/24

marketing

192.168.103.0/24

administration

You can use exactly those subnets in your connection descriptions, or use larger subnets to grant broad access if required:

leftsubnet=192.168.100.0/24

remote hosts can access only development

leftsubnet=192.168.100.0/23

remote hosts can access development or production

leftsubnet=192.168.102.0/23

remote hosts can access marketing or administration

leftsubnet=192.168.100.0/22

remote hosts can access any of the four departments

or use smaller subnets to restrict access:

leftsubnet=192.168.103.0/24

remote hosts can access any machine in administration

leftsubnet=192.168.103.64/28

remote hosts can access only certain machines in administration.

leftsubnet=192.168.103.42/32

remote hosts can access only one particular machine in administration

To be exact, 192.68.103.64/28 means all addresses whose top 28 bits match 192.168.103.64. There are 16 of these because there are 16 possibilities for the remainingg 4 bits. Their addresses are 192.168.103.64 to 192.168.103.79.

Each connection description can use a different subnet if required.

It is possible to use all the examples above on the same FreeS/WAN gateway, each in a different connection description, perhaps for different classes of user or for different remote offices.

It is also possible to have multiple tunnels using different leftsubnet descriptions with the same right. For example, when the marketing manager is on the road he or she might have access to:

leftsubnet=192.168.102.0/24

all machines in marketing

192.168.101.32/29

some machines in production

leftsubnet=192.168.103.42/32

one particular machine in administration

This takes three tunnels, but tunnels are cheap. If the laptop is set up to build all three tunnels automatically, then he or she can access all these machines concurrently, perhaps from di