Changeset afac48a in rtems-libbsd


Timestamp:
Jul 27, 2018, 12:39:47 PM (10 months ago)
Author:
Christian Mauderer <christian.mauderer@…>
Branches:
b5f8d4831d66364b7391e3660560cb9bbecada2e, 31b5c87357cee83d6a3419c5d801a9bf16912714
Children:
9bc7b96
Parents:
baffbf3
git-author:
Christian Mauderer <christian.mauderer@…> (07/27/18 12:39:47)
git-committer:
Christian Mauderer <christian.mauderer@…> (08/02/18 08:40:45)
Message:

libbsd.txt: Add ipsec.

File:
1 edited

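--- a/libbsd.txt
+++ b/libbsd.txt
@@ -1234,4 +1234,132 @@
   application is not ported.
 
+== IPSec ==
+
+The IPSec support is optional in libbsd. It is disabled in the default build
+set. Please make sure to use a build set with +netipsec = on+.
+
+To use IPSec the following configuration is necessary:
+
+----
+SYSINIT_MODULE_REFERENCE(if_gif);
+SYSINIT_MODULE_REFERENCE(cryptodev);
+RTEMS_BSD_RC_CONF_SYSINT(rc_conf_ipsec)
+RTEMS_BSD_DEFINE_NEXUS_DEVICE(cryptosoft, 0, 0, NULL);
+----
+
+Alternatively you can use the `RTEMS_BSD_CONFIG_IPSEC` which also includes the
+rc.conf support for ipsec. It's still necessary to include a crypto device in
+your config (`cryptosoft` in the above sample).
+
+The necessary initialization steps for a IPSec connection are similar to the
+steps on a FreeBSD-System. The example assumes the following setup:
+
+- RTEMS external IP: 192.168.10.1/24
+- RTEMS internal IP: 10.10.1.1/24
+- remote external IP: 192.168.10.10/24
+- remote internal IP: 172.24.0.1/24
+- shared key: "mysecretkey"
+
+With this the following steps are necessary:
+
+- Create a gif0 device:
+
+----
+SHLL [/] #  ifconfig gif0 create
+----
+
+- Configure the gif0 device:
+
+----
+SHLL [/] # ifconfig gif0 10.10.1.1 172.24.0.1
+SHLL [/] # ifconfig gif0 tunnel 192.168.10.1 192.168.10.10
+----
+
+- Add a route to the remote net via the remote IP:
+
+----
+SHLL [/] # route add 172.24.0.0/24 172.24.0.1
+----
+
+- Call `setkey` with a correct rule set:
+
+----
+SHLL [/] # cat /etc/setkey.conf
+flush;
+spdflush;
+spdadd  10.10.1.0/24 172.24.0.0/24 any -P out ipsec esp/tunnel/192.168.10.1-192.168.10.10/use;
+spdadd 172.24.0.0/24  10.10.1.0/24 any -P in  ipsec esp/tunnel/192.168.10.10-192.168.10.1/use;
+SHLL [/] # setkey -f /etc/setkey.conf
+----
+
+- Start a ike-daemon (racoon) with a correct configuration.
+----
+SHLL [/] # cat /etc/racoon.conf
+path    pre_shared_key "/etc/racoon_psk.txt";
+log     info;
+
+padding # options are not to be changed
+{
+        maximum_length                  20;
+        randomize                       off;
+        strict_check                    off;
+        exclusive_tail                  off;
+}
+
+listen  # address [port] that racoon will listen on
+{
+        isakmp                          192.168.10.1[500];
+}
+
+remote 192.168.10.10 [500]
+{
+        exchange_mode                   main;
+        my_identifier                   address 192.168.10.1;
+        peers_identifier                address 192.168.10.10;
+        proposal_check                  obey;
+       
+        proposal {
+                encryption_algorithm    3des;
+                hash_algorithm          md5;
+                authentication_method   pre_shared_key;
+                lifetime                time 3600 sec;
+                dh_group                2;
+        }
+}
+
+sainfo (address 10.10.1.0/24 any address 172.24.0.0/24 any)
+{
+        pfs_group                       2;
+        lifetime                        time 28800 sec;
+        encryption_algorithm            3des;
+        authentication_algorithm        hmac_md5;
+        compression_algorithm           deflate;
+}
+SHLL [/] # cat /etc/racoon_psk.txt
+192.168.10.10   mysecretkey
+SHLL [/] # racoon -F -f /etc/racoon.conf
+----
+
+All commands can be called via the respective API functions. For racoon there is
+a `rtems_bsd_racoon_daemon()` function that forks of racoon as a task.
+
+Alternatively IPSec can also be configured via rc.conf entries:
+
+----
+cloned_interfaces="gif0"
+ifconfig_gif0="10.10.1.1 172.24.0.1 tunnel 192.168.10.1 192.168.10.10"
+ike_enable="YES"
+ike_program="racoon"
+ike_flags="-F -f /etc/racoon.conf"
+ike_priority="250"
+
+ipsec_enable="YES"
+ipsec_file="/etc/setkey.conf"
+----
+
+ATTENTION: It is possible that the first packets slip through the tunnel without
+encryption (true for FreeBSD as well as RTEMS). You might want to set up a
+firewall rule to prevent that.
+
 == Problems to report to FreeBSD ==
 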