[ViewVC] Diff of: cvs/gvpe/doc/vpe.8

Comparing gvpe/doc/vpe.8 (file contents):
Revision 1.1 by pcg, Sun Mar 23 14:50:57 2003 UTC vs.
Revision 1.2 by pcg, Mon Mar 24 15:20:24 2003 UTC

Diff Legend

-–
+Removed lines
-+
+Added lines
-<
+Changed lines
->
+Changed lines

…		…
127	.\}	127	.\}
128	.rm #[ #] #H #V #F C	128	.rm #[ #] #H #V #F C
129	.\" ========================================================================	129	.\" ========================================================================
130	.\"	130	.\"
131	.IX Title "VPE 8"	131	.IX Title "VPE 8"
132	.TH VPE 8 "2003-03-23" "0.1" "Virtual Private Ethernet"	132	.TH VPE 8 "2003-03-24" "0.1" "Virtual Private Ethernet"
133	.SH "NAME"	133	.SH "NAME"
134	vpe \- Overview of the virtual private ethernet suite.	134	vpe \- Overview of the virtual private ethernet suite.
135	.SH "DESCRIPTION"	135	.SH "DESCRIPTION"
136	.IX Header "DESCRIPTION"	136	.IX Header "DESCRIPTION"
137	Vpe is a suite designed to provide a virtual private network for multiple	137	Vpe is a suite designed to provide a virtual private network for multiple
…		…
165	address, e.g. to ensure that packets from a specific \s-1IP\s0 address come, in	165	address, e.g. to ensure that packets from a specific \s-1IP\s0 address come, in
166	fact, from a specific host.	166	fact, from a specific host.
167	.SH "PROGRAMS"	167	.SH "PROGRAMS"
168	.IX Header "PROGRAMS"	168	.IX Header "PROGRAMS"
169	Vpe comes with two programs: one daemon (\f(CW\(C`vped\(C'\fR) and one control program	169	Vpe comes with two programs: one daemon (\f(CW\(C`vped\(C'\fR) and one control program
170	\&\f(CW\(C`vpectrl\(C'\fR).	170	(\f(CW\(C`vpectrl\(C'\fR).
171	.IP "vpectrl" 4	171	.IP "vpectrl" 4
172	.IX Item "vpectrl"	172	.IX Item "vpectrl"
173	Is used to generate the keys and give an overview of the configuration.	173	Is used to generate the keys, check and give an overview of of the
		174	configuration and contorl the daemon (restarting etc.).
174	.IP "vped" 4	175	.IP "vped" 4
175	.IX Item "vped"	176	.IX Item "vped"
176	Is the daemon used to establish and maintain conenctions to the other	177	Is the daemon used to establish and maintain conenctions to the other
177	network members. It should be run on the gateway machine.	178	network members. It should be run on the gateway machine.
178	.SH "CONFIGURING VPE"	179	.SH "COMPILETIME CONFIGURATION"
179	.IX Header "CONFIGURING VPE"	180	.IX Header "COMPILETIME CONFIGURATION"
180	Here are a few recipes for configuring your vpe:	181	Here are a few recipes for compiling your vpe:
181	.Sh "\s-1AS\s0 \s-1LOW\s0 \s-1PACKET\s0 \s-1OVERHEAD\s0 \s-1AS\s0 \s-1POSSIBLE\s0"	182	.Sh "\s-1AS\s0 \s-1LOW\s0 \s-1PACKET\s0 \s-1OVERHEAD\s0 \s-1AS\s0 \s-1POSSIBLE\s0"
182	.IX Subsection "AS LOW PACKET OVERHEAD AS POSSIBLE"	183	.IX Subsection "AS LOW PACKET OVERHEAD AS POSSIBLE"
183	.Vb 1	184	.Vb 1
184	\& ./configure --enable-hmac-length=4 --enable-rand-length=0	185	\& ./configure --enable-hmac-length=4 --enable-rand-length=0
185	.Ve	186	.Ve
186	.PP	187	.PP
187	Minimize the header overhead of \s-1VPN\s0 packets.	188	Minimize the header overhead of \s-1VPN\s0 packets (the above will result in only
		189	4 bytes of overhead over the raw ethernet frame).
188	.Sh "\s-1MINIMIZE\s0 \s-1CPU\s0 \s-1TIME\s0 \s-1REQUIRED\s0"	190	.Sh "\s-1MINIMIZE\s0 \s-1CPU\s0 \s-1TIME\s0 \s-1REQUIRED\s0"
189	.IX Subsection "MINIMIZE CPU TIME REQUIRED"	191	.IX Subsection "MINIMIZE CPU TIME REQUIRED"
190	.Vb 1	192	.Vb 1
191	\& ./configure --enable-cipher=bf --enable-digest=md4	193	\& ./configure --enable-cipher=bf --enable-digest=md4
192	.Ve	194	.Ve
193	.PP	195	.PP
194	Use the fastest cipher and digest algorithms.	196	Use the fastest cipher and digest algorithms currently available in vpe.
195	.Sh "\s-1MAXIMIZE\s0 \s-1SECURITY\s0"	197	.Sh "\s-1MAXIMIZE\s0 \s-1SECURITY\s0"
196	.IX Subsection "MAXIMIZE SECURITY"	198	.IX Subsection "MAXIMIZE SECURITY"
197	.Vb 1	199	.Vb 1
198	\& ./configure --enable-hmac-length=16 --enable-rand-length=8 --enable-digest=sha1	200	\& ./configure --enable-hmac-length=16 --enable-rand-length=8 --enable-digest=sha1
199	.Ve	201	.Ve
		202	.PP
		203	This uses a 16 byte \s-1HMAC\s0 checksum to authenticate packets (I guess 8\-12
		204	would also be pretty secure ;) and will additionally prefix each packet
		205	with 8 bytes of random data.
200	.PP	206	.PP
201	In general, remember that \s-1AES\-128\s0 seems to be more secure and faster than	207	In general, remember that \s-1AES\-128\s0 seems to be more secure and faster than
202	\&\s-1AES\-192\s0 or \s-1AES\-256\s0, more randomness and longer hmac is more secure, \s-1MD4\s0 is	208	\&\s-1AES\-192\s0 or \s-1AES\-256\s0, more randomness helps against sniffing and a longer
203	a fast digest, \s-1SHA1\s0 or \s-1RIPEMD160\s0 are better, and Blowfish is a fast and	209	\&\s-1HMAC\s0 helps against spoofing. \s-1MD4\s0 is a fast digest, \s-1SHA1\s0 or \s-1RIPEMD160\s0 are
204	so-far quite secure cipher.	210	better, and Blowfish is a fast cipher (and also quite secure).
205	.SH "HOW TO SET UP A SIMPLE VPN"	211	.SH "HOW TO SET UP A SIMPLE VPN"
206	.IX Header "HOW TO SET UP A SIMPLE VPN"	212	.IX Header "HOW TO SET UP A SIMPLE VPN"
207	In this section I will describe how to get a simple \s-1VPN\s0 consisting of	213	In this section I will describe how to get a simple \s-1VPN\s0 consisting of
208	three hosts up and running.	214	three hosts up and running.
209	.Sh "\s-1STEP\s0 1: configuration"	215	.Sh "\s-1STEP\s0 1: configuration"
…		…
213	configured vpe, and can be overwritten using the \f(CW\(C`\-c\(C'\fR commandline switch.	219	configured vpe, and can be overwritten using the \f(CW\(C`\-c\(C'\fR commandline switch.
214	.PP	220	.PP
215	Put the following lines into \f(CW\(C`/etc/vpe/vped.conf\(C'\fR:	221	Put the following lines into \f(CW\(C`/etc/vpe/vped.conf\(C'\fR:
216	.PP	222	.PP
217	.Vb 3	223	.Vb 3
218	\& udp-port = 50000 # the external port to listen on (configure your firewall)	224	\& udp-port = 50000 # the external port to listen on (configure your firewall)
219	\& mtu = 1400 # minimum MTU of all outgoing interfaces on all hosts	225	\& mtu = 1400 # minimum MTU of all outgoing interfaces on all hosts
220	\& ifname = vpn0 # the local network device name	226	\& ifname = vpn0 # the local network device name
221	.Ve	227	.Ve
222	.PP	228	.PP
223	.Vb 2	229	.Vb 2
224	\& node = first # just a nickname	230	\& node = first # just a nickname
225	\& hostname = first.example.net # the DNS name or IP address of the host	231	\& hostname = first.example.net # the DNS name or IP address of the host
226	.Ve	232	.Ve
227	.PP	233	.PP
228	.Vb 2	234	.Vb 2
229	\& node = second	235	\& node = second
230	\& hostname = 133.55.82.9	236	\& hostname = 133.55.82.9
231	.Ve	237	.Ve
232	.PP	238	.PP
233	.Vb 2	239	.Vb 2
234	\& node = third	240	\& node = third
235	\& hostname = third.example.net	241	\& hostname = third.example.net
236	.Ve	242	.Ve
237	.PP	243	.PP
238	The only other file neccessary if the \f(CW\(C`if\-up\(C'\fR script that initializes the	244	The only other file neccessary if the \f(CW\(C`if\-up\(C'\fR script that initializes the
239	local ethernet interface. Put the following lines into \f(CW\(C`/etc/vpe/if\-up\(C'\fR	245	local ethernet interface. Put the following lines into \f(CW\(C`/etc/vpe/if\-up\(C'\fR
240	and make it execute (\f(CW\(C`chmod 755 /etc/vpe/if\-up\(C'\fR):	246	and make it execute (\f(CW\(C`chmod 755 /etc/vpe/if\-up\(C'\fR):
241	.PP	247	.PP
242	.Vb 6	248	.Vb 6
243	\& #!/bin/sh	249	\& #!/bin/sh
244	\& ip link set $IFNAME address $MAC mtu $MTU up	250	\& ip link set $IFNAME address $MAC mtu $MTU up
245	\& [ $NODENAME = first ] && ip addr add 10.0.1.1 dev $IFNAME	251	\& [ $NODENAME = first ] && ip addr add 10.0.1.1 dev $IFNAME
246	\& [ $NODENAME = second ] && ip addr add 10.0.2.1 dev $IFNAME	252	\& [ $NODENAME = second ] && ip addr add 10.0.2.1 dev $IFNAME
247	\& [ $NODENAME = third ] && ip addr add 10.0.3.1 dev $IFNAME	253	\& [ $NODENAME = third ] && ip addr add 10.0.3.1 dev $IFNAME
248	\& ip route add 10.0.0.0/16 dev $IFNAME	254	\& ip route add 10.0.0.0/16 dev $IFNAME
249	.Ve	255	.Ve
250	.PP	256	.PP
251	This script will give each node a different \s-1IP\s0 address in the \f(CW\(C`10.0/16\(C'\fR	257	This script will give each node a different \s-1IP\s0 address in the \f(CW\(C`10.0/16\(C'\fR
252	network. The internal network (e.g. the \f(CW\(C`eth0\(C'\fR interface) should then be	258	network. The internal network (e.g. the \f(CW\(C`eth0\(C'\fR interface) should then be
253	set to a subset of that network, e.g. \f(CW\(C`10.0.1.0/24\(C'\fR on node \f(CW\(C`first\(C'\fR,	259	set to a subset of that network, e.g. \f(CW\(C`10.0.1.0/24\(C'\fR on node \f(CW\(C`first\(C'\fR,
…		…
261	.IX Subsection "STEP 2: create the RSA key pairs for all hosts"	267	.IX Subsection "STEP 2: create the RSA key pairs for all hosts"
262	Run the following command to generate all key pairs (that might take a	268	Run the following command to generate all key pairs (that might take a
263	while):	269	while):
264	.PP	270	.PP
265	.Vb 1	271	.Vb 1
266	\& vpectrl -c /etc/vpe -g	272	\& vpectrl -c /etc/vpe -g
267	.Ve	273	.Ve
268	.PP	274	.PP
269	This command will put the public keys into \f(CW\(C`/etc/vpe/pubkeys/\f(CInodename\f(CW\(C'\fR and the private keys into \f(CW\(C`/etc/vpe/hostkeys/\f(CInodename\f(CW\(C'\fR.	275	This command will put the public keys into \f(CW\(C`/etc/vpe/pubkeys/\f(CInodename\f(CW\(C'\fR and the private keys into \f(CW\(C`/etc/vpe/hostkeys/\f(CInodename\f(CW\(C'\fR.
270	.Sh "\s-1STEP\s0 3: distribute the config files to all nodes"	276	.Sh "\s-1STEP\s0 3: distribute the config files to all nodes"
271	.IX Subsection "STEP 3: distribute the config files to all nodes"	277	.IX Subsection "STEP 3: distribute the config files to all nodes"
…		…
273	private keys should not be distributed. The example uses rsync-over-ssh	279	private keys should not be distributed. The example uses rsync-over-ssh
274	.PP	280	.PP
275	First all the config files without the hostkeys should be distributed:	281	First all the config files without the hostkeys should be distributed:
276	.PP	282	.PP
277	.Vb 3	283	.Vb 3
278	\& rsync -avzessh /etc/vpe first.example.net:/etc/. --exclude hostkeys	284	\& rsync -avzessh /etc/vpe first.example.net:/etc/. --exclude hostkeys
279	\& rsync -avzessh /etc/vpe 133.55.82.9:/etc/. --exclude hostkeys	285	\& rsync -avzessh /etc/vpe 133.55.82.9:/etc/. --exclude hostkeys
280	\& rsync -avzessh /etc/vpe third.example.net:/etc/. --exclude hostkeys	286	\& rsync -avzessh /etc/vpe third.example.net:/etc/. --exclude hostkeys
281	.Ve	287	.Ve
282	.PP	288	.PP
283	Then the hostkeys should be copied:	289	Then the hostkeys should be copied:
284	.PP	290	.PP
285	.Vb 3	291	.Vb 3
286	\& rsync -avzessh /etc/vpe/hostkeys/first first.example.net:/etc/hostkey	292	\& rsync -avzessh /etc/vpe/hostkeys/first first.example.net:/etc/hostkey
287	\& rsync -avzessh /etc/vpe/hostkeys/second 133.55.82.9:/etc/hostkey	293	\& rsync -avzessh /etc/vpe/hostkeys/second 133.55.82.9:/etc/hostkey
288	\& rsync -avzessh /etc/vpe/hostkeys/third third.example.net:/etc/hostkey	294	\& rsync -avzessh /etc/vpe/hostkeys/third third.example.net:/etc/hostkey
289	.Ve	295	.Ve
290	.PP	296	.PP
291	You should now check the configration by issuing the command \f(CW\*(C`vpectrl \-c	297	You should now check the configration by issuing the command \f(CW\*(C`vpectrl \-c
292	/etc/vpe \-s\*(C'\fR on each node and verify it's output.	298	/etc/vpe \-s\*(C'\fR on each node and verify it's output.
293	.Sh "\s-1STEP\s0 4: starting vped"	299	.Sh "\s-1STEP\s0 4: starting vped"
294	.IX Subsection "STEP 4: starting vped"	300	.IX Subsection "STEP 4: starting vped"
295	You should then start vped on each node by issuing a command like:	301	You should then start vped on each node by issuing a command like:
296	.PP	302	.PP
297	.Vb 1	303	.Vb 1
298	\& vped -D -linfo first # first is the nodename	304	\& vped -D -linfo first # first is the nodename
299	.Ve	305	.Ve
300	.PP	306	.PP
301	This will make the vped stay in foreground. You should then see	307	This will make the vped stay in foreground. You should then see
302	\&\(L"connection established\(R" messages. If you don't see them check your	308	\&\(L"connection established\(R" messages. If you don't see them check your
303	firewall and routing (use tcpdump ;).	309	firewall and routing (use tcpdump ;).
…		…
308	To make vped run more permanently you can either run it as a daemon	314	To make vped run more permanently you can either run it as a daemon
309	(by starting it without the \f(CW\(C`\-D\(C'\fR switch), or, much better, from your	315	(by starting it without the \f(CW\(C`\-D\(C'\fR switch), or, much better, from your
310	inittab. I use a line like this on my systems:	316	inittab. I use a line like this on my systems:
311	.PP	317	.PP
312	.Vb 1	318	.Vb 1
313	\& t1:2345:respawn:/opt/vpe/sbin/vped -D -L first >/dev/null 2>&1	319	\& t1:2345:respawn:/opt/vpe/sbin/vped -D -L first >/dev/null 2>&1
314	.Ve	320	.Ve
315	.Sh "\s-1STEP\s0 5: enjoy"	321	.Sh "\s-1STEP\s0 5: enjoy"
316	.IX Subsection "STEP 5: enjoy"	322	.IX Subsection "STEP 5: enjoy"
317	\&... and play around. Sending a \-HUP (\f(CW\(C`vpectrl \-kHUP\(C'\fR) to the daemon	323	\&... and play around. Sending a \-HUP (\f(CW\(C`vpectrl \-kHUP\(C'\fR) to the daemon
318	will make it try to connect to all other nodes again. If you run it from	324	will make it try to connect to all other nodes again. If you run it from

Comparing gvpe/doc/vpe.8 (file contents): Revision 1.1 by pcg, Sun Mar 23 14:50:57 2003 UTC vs. Revision 1.2 by pcg, Mon Mar 24 15:20:24 2003 UTC

Diff Legend

Comparing gvpe/doc/vpe.8 (file contents):
Revision 1.1 by pcg, Sun Mar 23 14:50:57 2003 UTC vs.
Revision 1.2 by pcg, Mon Mar 24 15:20:24 2003 UTC