IPSec creates secure information transmission in FreeBSD

Tags: openssl, x509, pkcs12

Author: dahubaobao
Home: http://www.ringz.org
Mail: dahushibaobao@vip.sina.com
QQ: 382690
The tools and screenshots are all in the compressed package. Unzip password: www.ringz.org
http://dahubaobao.go.nease.net/IPSec.rar
Welcome to the Ring Zone, a group of tech geeks, at www.ringz.org. Welcome to join us!
Note: When reposting, please credit the source (including this statement). Thank you!
============================================================================================
An Application Example of IPSec in FreeBSD
Overview
In today's networks many services communicate in plain text, so their security is very low and encrypting the communication is quite necessary; otherwise the traffic is likely to be captured by a sniffer. IPSec is the leader in encrypted communication, and there is no reason not to use it. Most readers know something about IPSec, and Hacker Line has also published many IPSec-related articles. However, those articles are based on Windows and are all about how to filter packets. In fact, packet filtering can be handed over to a firewall; the real strength of IPSec is communication encryption. In view of this, I think it is necessary to talk about using IPSec for communication encryption, so after a period of study I wrote this article. Taking FreeBSD as an example, I explain how to use IPSec for encrypted communication with Windows/Unix, and I hope it helps security enthusiasts and BSD enthusiasts.

First, my testing environment:
Local: FreeBSD 4.9-STABLE, IP: 192.168.0.20
Target: Windows 2000 Advanced Server, IP: 192.168.0.1
Purpose: to use IPSec to encrypt all IP packets except broadcast and multicast.
Note: This article does not describe how to use IPSec to filter packets, because that task can be left to IPFW.

1. What is IPSec
IPSec is the Internet Protocol Security suite. It encrypts IP packets and encapsulates them behind an IP header so they can be sent across an enterprise private network or the public network. IPSec protects IP and all higher-level protocols (such as TCP, UDP and ICMP) in the TCP/IP stack at the network layer. Applications receive the security services IPSec provides at the network layer and do not have to implement their own security mechanisms. IPSec can be configured on routers, firewalls and hosts to provide end-to-end secure communication. Because it works at the network layer, IPSec can either encapsulate the packet in tunnel mode or directly encrypt the entire packet; the encrypted packet is then encapsulated behind a new IP header and transmitted to the destination. After receiving the packet, the target removes the IP header and decrypts it (the key exchange and authentication between client and server have already been completed), finally recovering the original packet. Figure 1 shows the IPSec workflow. For more information about IPSec, the IPSec help in Windows is a good reference.

2. Update FreeBSD
FreeBSD does not support IPSec by default, because the default GENERIC kernel has no related options, so you need to add them yourself and recompile the kernel.
# cd /usr/src/sys/i386/conf
# cp GENERIC DAHUKERNEL
# vi DAHUKERNEL
// Add the IPSec-related options. See Figure 2.
options IPSEC
options IPSEC_ESP
options IPSEC_DEBUG
// Save and exit. Next, update the system source code and Ports.
# mkdir /root/ports_src_update
# cd /usr/share/examples/cvsup
# cp ports-supfile stable-supfile /root/ports_src_update/
# cd /root/ports_src_update
# vi ports-supfile
// Change "*default host=" to the server you want, for example cvsup.freebsdchina.org.
# vi stable-supfile
// Likewise change "*default host=" to the server you want to use.
# cvsup -g -L 2 ports-supfile
// Update Ports. This may take about 10-20 minutes, depending on network speed.
# cvsup -g -L 2 stable-supfile
// Update the system source code and synchronize it to Stable. This may also take about 10-20 minutes, depending on network speed. After the source code is updated, you need to replace the running system with the new code, merge the configuration files under /etc, and replace the old kernel with the new one. Of course, this step is not strictly necessary: if you updated the source code (or synchronized to Stable) not long ago, you can skip it. However, you must still update Ports and recompile the kernel.
# cd /usr/src
# make buildworld
// Rebuild the system. This takes a long time, at least an hour or more. On a multi-processor machine: make -j4 buildworld
# make buildkernel KERNCONF=DAHUKERNEL
# make installkernel KERNCONF=DAHUKERNEL
// Compile the kernel and replace the old kernel (GENERIC) with the new one (DAHUKERNEL). After compilation, reboot. Tip: If you have compiled a kernel before, first delete the kernel build files under /usr/obj to speed up make; this also avoids conflicts when the build encounters files that cannot be overwritten. Files in /usr/obj are special: they carry the schg (system immutable) flag. This is a security measure that protects against accidental operations, so even root cannot delete these files. To bypass this restriction, use the following method:
# cd /usr/obj
# chflags -R noschg *
# rm -rf *
If the system security level is 1 or higher at this time (as set in rc.conf), the preceding command cannot clear the schg flag. You need to reboot into single-user mode to complete this operation.

# cp -Rp /etc /etc.old
# cd /etc
# mergemaster -cv
// Synchronize the configuration files. -v shows the detailed process; -c compares (diffs) the configuration files instead of merging them. If you want to merge the configuration files, use the -i parameter. Finally, run uname -a to view the result.

Now your system is up to date. If this is a newly installed system, following the steps above to update it fixes some security vulnerabilities and can also give the system better performance, so why not do it?!

3. Apply IPSec
1. FreeBSD
After the above steps the system is the latest, but it still cannot use IPSec: you also need to install an IKE (ISAKMP/Oakley) key management daemon. Fortunately, FreeBSD already includes one in Ports, so there is nothing to download.
# cd /usr/ports/security/racoon
# make install clean
After that we need to configure it. It is installed under /usr/local/etc/racoon/; you need to edit psk.txt and racoon.conf to meet our needs. Tip: In the FreeBSD world, all installed software (whether via Package or Ports) is installed under /usr/local: configuration files go under /usr/local/etc, library files under /usr/local/lib, /usr/local/libexec and /usr/local/libdata, and binaries under /usr/local/bin and /usr/local/sbin. The advantage is obvious: you can copy the subdirectories and all files under /usr/local to another new system without modifying the system, and most installed software will run.
# cd /usr/local/etc/racoon
# cp psk.txt.dist psk.txt
# chmod 0600 psk.txt
// psk.txt must have permission 0600 and be owned by root; otherwise racoon refuses to run.
# vi psk.txt
// See Figure 3. Delete all the content and add only:
# destination IP   pre-shared key
192.168.0.1 dahubaobao
# cp racoon.conf.dist racoon.conf
# chmod 0600 racoon.conf
// After the two chmod operations, the permissions and ownership should look like Figure 4.
# vi racoon.conf
// Edit the configuration file and comment out unnecessary content. Here there are two cases: one uses CA (certificate) authentication and the other does not. If you do not use CA authentication, comment out the CA authentication section. If you do, use OpenSSL to create a CA certificate and fill in the relevant information in the configuration file (discussed later). The details are as follows.
path certificate "/usr/local/etc/cert";
// If CA authentication is required, leave this unchanged; if not, comment it out. This is the directory where the certificates are stored, and it must match the directory the certificate files are later copied into. It is not commented out by default.

log debug; // remove the comment if you need logs.

isakmp 192.168.0.20 [500];
// Remove the comment and fill in the local IP address.

#my_identifier address;
#my_identifier user_fqdn "sakane@kame.net";
#peers_identifier user_fqdn "sakane@kame.net";
#certificate_type x509 "mycert" "mypriv";
// These lines concern CA authentication. If CA authentication is used, modify them according to the information you fill in when creating the certificate with OpenSSL; if not, leave them commented out.

#my_identifier user_fqdn "sakane@kame.net";
#peers_identifier user_fqdn "sakane@kame.net";
#certificate_type x509 "mycert" "mypriv";
// Same as above.

The following describes how to use OpenSSL to create the certificates.
# openssl genrsa -des3 -out ca.key 1024
# openssl req -new -x509 -days 365 -key ca.key -out ca.crt

# openssl genrsa -out win2000.key 1024
# openssl req -new -key win2000.key -out win2000.csr
# openssl x509 -req -days 166 -in win2000.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out win2000.crt
# openssl pkcs12 -export -inkey win2000.key -certfile ca.crt -in win2000.crt -out win2000.p12
// The above creates the certificate for Windows 2000 (the target). Because Windows 2000 requires certificates in PKCS#12 format, the last command converts it. Now create the certificate for the FreeBSD (local) system.
# openssl genrsa -out freebsd.key 1024
# openssl req -new -key freebsd.key -out freebsd.csr
# openssl x509 -req -days 166 -in freebsd.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out freebsd.crt
// The required certificate files are now created, and all related files are in the current directory. For the certificate creation process, see Figures 5, 6 and 7.
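The certificate steps above, scripted as an added example (not from the original article or its package) that also checks the result: each host certificate is verified against the CA before it is handed to racoon or imported on Windows, and key files are checked for the 0600 mode racoon requires. The working directory, subjects and PKCS#12 export password are constructed values, and 2048-bit keys are used in place of the article's 1024-bit ones, which modern OpenSSL builds reject.

```shell
#!/bin/sh
# Added example: build the CA -> host certificate chain from the article and
# verify it. Directory, subjects and export password are constructed values.
set -eu

# Build ca.key/ca.crt, sign win2000 and freebsd certificates, and export the
# win2000 PKCS#12 bundle. Runs in a subshell so the caller's cwd is untouched.
make_ipsec_chain() (
    work=$1
    mkdir -p "$work"
    cd "$work"
    # CA key left unencrypted so this runs unattended (the article uses -des3)
    openssl genrsa -out ca.key 2048 2>/dev/null
    openssl req -new -x509 -days 365 -key ca.key -out ca.crt \
        -subj "/CN=ringz-test-ca" 2>/dev/null
    for host in win2000 freebsd; do
        openssl genrsa -out "$host.key" 2048 2>/dev/null
        openssl req -new -key "$host.key" -out "$host.csr" \
            -subj "/CN=$host.example.test" 2>/dev/null
        openssl x509 -req -days 166 -in "$host.csr" -CA ca.crt -CAkey ca.key \
            -CAcreateserial -out "$host.crt" 2>/dev/null
        chmod 0600 "$host.key"   # racoon wants private material root-only
    done
    # Windows 2000 imports key, certificate and CA as one PKCS#12 file
    openssl pkcs12 -export -inkey win2000.key -certfile ca.crt \
        -in win2000.crt -out win2000.p12 -passout pass:changeit 2>/dev/null
)

# Print "ok" if $2 is a certificate issued by the CA in $1, otherwise "FAIL".
# Pointing -CAfile at a non-CA certificate (for example freebsd.crt) fails.
check_chain() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo ok
    else
        echo FAIL
    fi
}

# Print "ok" if the file has mode 0600, the permission racoon requires for
# psk.txt and private keys; handles GNU (stat -c) and BSD (stat -f) stat.
check_perms() {
    mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")
    [ "$mode" = 600 ] && echo ok || echo FAIL
}

# Usage: make_ipsec_chain /tmp/ipsec-ca && check_chain /tmp/ipsec-ca/ca.crt /tmp/ipsec-ca/win2000.crt
```

Run check_chain on each host certificate and check_perms on each key before copying them into the racoon certificate directory; a FAIL from either is the usual reason racoon later logs a certificate or permission error.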

Copy win2000.p12 to the Windows 2000 machine and run mmc: "Console --- Add/Remove Snap-in --- Add --- Certificates --- Add --- Service account --- Next --- Local computer --- Next --- IPSEC Policy Agent --- Finish". Finally, import the certificate as shown in Figure 8.
# mkdir /usr/local/etc/racoon/cert
# cp * /usr/local/etc/racoon/cert/
# chmod 0600 /usr/local/etc/racoon/cert/*
// Copy the certificate files to /usr/local/etc/r
