File: README

$Id: README 1.4 Wed, 12 May 1999 15:05:23 +0200 sam $

Currently implements:

	- IPSEC-compliant IP tunnelling (i.e., tunnel-mode only):
	    - authentication: IP-AH (RFC 2402) and HMAC (RFC 2104) with:
			RFC 2403: MD5 (HMAC-MD5-96)
			RFC 2404: SHA1 (HMAC-SHA1-96)
			RIPEMD160 (HMAC-RIPEMD160-96)
	    - encryption: IP-ESP (RFC 2406) with:
			Blowfish in CBC mode.
			RFC 2405: DES in CBC mode.
			DES3 in CBC mode.
			CAST in CBC mode.
			IDEA in CBC mode. (not on Debian)
	      Additional authentication is supported too, with the same methods
	      as in AH mode.
	- IP tunnels over UDP with MD5 (simple keyed hash) authentication.
	- IP tunnels over ICMP ECHO REPLY with HMAC-MD5-96 authentication.

You NEED to first install the OpenSSL "crypto" library (previously
part of SSLeay). See http://www.openssl.org/ for download and mirrors.

- compile and install
- under *BSD: make a kernel with the "tun" device, by adding the following
  line to your kernel configuration:

	pseudo-device tun 1

  Then remake a kernel (config MYKERNEL; cd ../../compile/MYKERNEL;
	make depend; make; mv /kernel /kernel.old; cp kernel /)

- under Linux: install the "userlink" module, port of the BSD tun driver

- create the file /etc/pipsecd/pipsecd.conf (see pipsecd.conf.sample
  for an example)

- start /usr/local/sbin/tunip2

- under *BSD:
	ifconfig tun0 <virtual_local_ip> <virtual_dest_ip> netmask <mask> mtu 1440

- under Linux 2.0.x:
	ifconfig ul0 <virtual_local_ip> pointopoint <virtual_dest_ip> netmask <mask> mtu 1440
	route add <virtual_dest_ip> ul0

- under Linux 2.2.x, approximately this (I need to check the MTU stuff):
	ifconfig ul0 <virtual_local_ip> pointopoint <virtual_dest_ip> netmask <mask>
	ip route add <virtual_dest_ip> mtu 1440 dev ul0
  (portability? what do you mean?)

- once this works, you can create the script /etc/pipsecd/startup
  and make it executable. It is run after the program starts; you can
  put any interface configuration, routes, MTU settings and such there.

- at the very beginning for every tunnel, and whenever a peer changes its
  address, the script /etc/pipsecd/configure is called with arguments:
     configure interface realip
  (example: configure ul0 137.194.191.199)
  You can then take care of positioning the routes in the script, bringing
  the interface up and doing proxy ARP.

- this should be done on both ends, of course. Then a ping to the remote
  point to point virtual address (the one ifconfig shows) should work.

From then on, add any routes or routing protocols of your liking.
Be careful, however, that the route to the REAL IP address of the
other end of the tunnel is not routed _through_ the tunnel, as it
would create a loop (the program detects this and warns you but is
unable to correct it).
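An added example (not the pipsecd package's own script) of what such a /etc/pipsecd/configure hook might look like, combining the configure call described above with a check for the routing loop the last paragraph warns about. It assumes a Linux host with iproute2 ("ip") and uses a constructed REMOTE_NET placeholder for the network behind the peer.

```shell
#!/bin/sh
# Added example, not the pipsecd package's own script: a hypothetical
# /etc/pipsecd/configure, invoked by pipsecd as "configure <interface> <realip>"
# at startup and whenever a peer's real address changes (see the README).
# It refuses to proceed if the route to the peer's REAL address already goes
# through the tunnel interface, the loop the README warns about.
# Assumes a Linux host with iproute2 ("ip"); REMOTE_NET is a constructed value.

# Print the "dev" of an "ip route get" line read from stdin (empty if none).
# Typical input: "137.194.191.199 via 192.0.2.1 dev eth0 src 192.0.2.10 uid 0"
route_dev_from_output() {
    awk '{ for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# route_avoids_tunnel <tunnel_iface> <ip-route-get-output>
# Succeeds (exit 0) when the lookup resolved to some device other than the
# tunnel; fails when it resolved to the tunnel itself or to nothing at all.
route_avoids_tunnel() {
    tun_if=$1
    dev=$(printf '%s\n' "$2" | route_dev_from_output)
    [ -n "$dev" ] && [ "$dev" != "$tun_if" ]
}

main() {
    [ $# -eq 2 ] || { echo "usage: $0 interface realip" >&2; exit 2; }
    iface=$1
    realip=$2
    lookup=$(ip route get "$realip" 2>/dev/null || true)

    if ! route_avoids_tunnel "$iface" "$lookup"; then
        echo "configure: route to peer $realip would go via $iface; refusing to create a loop" >&2
        exit 1
    fi

    # Bring the tunnel up and point the remote network at it, MTU as in the README.
    ip link set "$iface" up
    ip route replace "${REMOTE_NET:-10.1.0.0/24}" dev "$iface" mtu 1440
    logger -t pipsecd "configure: $iface peer $realip reachable via $(printf '%s\n' "$lookup" | route_dev_from_output)"
}

# Run only when invoked with arguments, so the functions can be sourced and tested.
[ $# -eq 0 ] || main "$@"
```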