Changeset View
Changeset View
Standalone View
Standalone View
head/en_US.ISO8859-1/books/handbook/security/chapter.xml
| Show First 20 Lines • Show All 2,121 Lines • ▼ Show 20 Lines | <para><acronym>IPsec</acronym> supports two modes of operation. | ||||
| The first mode, <firstterm>Transport Mode</firstterm>, protects | The first mode, <firstterm>Transport Mode</firstterm>, protects | ||||
| communications between two hosts. The second mode, | communications between two hosts. The second mode, | ||||
| <firstterm>Tunnel Mode</firstterm>, is used to build virtual | <firstterm>Tunnel Mode</firstterm>, is used to build virtual | ||||
| tunnels, commonly known as Virtual Private Networks | tunnels, commonly known as Virtual Private Networks | ||||
| (<acronym>VPN</acronym>s). Consult &man.ipsec.4; for detailed | (<acronym>VPN</acronym>s). Consult &man.ipsec.4; for detailed | ||||
| information on the <acronym>IPsec</acronym> subsystem in | information on the <acronym>IPsec</acronym> subsystem in | ||||
| &os;.</para> | &os;.</para> | ||||
| <para>To add <acronym>IPsec</acronym> support to the kernel, add | <para><acronym>IPsec</acronym> support is enabled by default on &os; 11 and newer. | ||||
wblock: I think we generally say "later" rather than "newer". | |||||
| the following options to the custom kernel configuration file | To add <acronym>IPsec</acronym> support to the kernel of older &os; releases, | ||||
wblockUnsubmitted Done Inline Actionss/older releases/previous versions/ Rewriting to avoid the if/pause/then structure (and leaving out some markup for clarity): Add these options to the custom kernel configuration file to add IPsec support to previous versions of &os;. wblock: s/older releases/previous versions/
Rewriting to avoid the if/pause/then structure (and… | |||||
| add the following options to the custom kernel configuration file | |||||
wblockUnsubmitted Done Inline ActionsPlease eliminate "the following" whenever it is used incorrectly, which is almost always. The only time to use it is when it can't be replaced with a simpler "this" or "these". wblock: Please eliminate "the following" whenever it is used incorrectly, which is almost always. The… | |||||
| and rebuild the kernel using the instructions in <xref | and rebuild the kernel using the instructions in <xref | ||||
| linkend="kernelconfig"/>:</para> | linkend="kernelconfig"/>:</para> | ||||
| <indexterm> | <indexterm> | ||||
| <primary>kernel options</primary> | <primary>kernel options</primary> | ||||
| <secondary>IPSEC</secondary> | <secondary>IPSEC</secondary> | ||||
| </indexterm> | </indexterm> | ||||
| ▲ Show 20 Lines • Show All 126 Lines • ▼ Show 20 Lines | round-trip min/avg/max/stddev = 28.106/94.594/154.524/49.814 ms</programlisting> | ||||
| <para>As expected, both sides have the ability to send and | <para>As expected, both sides have the ability to send and | ||||
| receive <acronym>ICMP</acronym> packets from the privately | receive <acronym>ICMP</acronym> packets from the privately | ||||
| configured addresses. Next, both gateways must be told how to | configured addresses. Next, both gateways must be told how to | ||||
| route packets in order to correctly send traffic from either | route packets in order to correctly send traffic from either | ||||
| network. The following commands will achieve this | network. The following commands will achieve this | ||||
| goal:</para> | goal:</para> | ||||
| <screen>&prompt.root; <userinput>corp-net# route add <replaceable>10.0.0.0 10.0.0.5 255.255.255.0</replaceable></userinput> | <screen>corp-net&prompt.root; <userinput>route add <replaceable>10.0.0.0 10.0.0.5 255.255.255.0</replaceable></userinput> | ||||
| &prompt.root; <userinput>corp-net# route add net <replaceable>10.0.0.0: gateway 10.0.0.5</replaceable></userinput> | corp-net&prompt.root; <userinput>route add net <replaceable>10.0.0.0: gateway 10.0.0.5</replaceable></userinput> | ||||
| &prompt.root; <userinput>priv-net# route add <replaceable>10.246.38.0 10.246.38.1 255.255.255.0</replaceable></userinput> | priv-net&prompt.root; <userinput>route add <replaceable>10.246.38.0 10.246.38.1 255.255.255.0</replaceable></userinput> | ||||
| &prompt.root; <userinput>priv-net# route add host <replaceable>10.246.38.0: gateway 10.246.38.1</replaceable></userinput></screen> | priv-net&prompt.root; <userinput>route add host <replaceable>10.246.38.0: gateway 10.246.38.1</replaceable></userinput></screen> | ||||
| <para>At this point, internal machines should be reachable from | <para>At this point, internal machines should be reachable from | ||||
| each gateway as well as from machines behind the gateways. | each gateway as well as from machines behind the gateways. | ||||
| Again, use &man.ping.8; to confirm:</para> | Again, use &man.ping.8; to confirm:</para> | ||||
| <programlisting>corp-net# ping 10.0.0.8 | <programlisting>corp-net# ping 10.0.0.8 | ||||
| PING 10.0.0.8 (10.0.0.8): 56 data bytes | PING 10.0.0.8 (10.0.0.8): 56 data bytes | ||||
| 64 bytes from 10.0.0.8: icmp_seq=0 ttl=63 time=92.391 ms | 64 bytes from 10.0.0.8: icmp_seq=0 ttl=63 time=92.391 ms | ||||
| ▲ Show 20 Lines • Show All 1,862 Lines • Show Last 20 Lines | |||||
I think we generally say "later" rather than "newer".