mirror of https://github.com/tLDP/LDP
Preview version, add contents to IPsec chapter
This commit is contained in:
parent
65819dbf5c
commit
c58e4567dc
|
@ -29,13 +29,16 @@ Bieringer
|
|||
<revhistory>
|
||||
|
||||
|
||||
<revision> <revnumber>Release 0.47.1</revnumber> <date>2005-01-01</date> <authorinitials>PB</authorinitials> <revremark>See <link linkend="revision-history">revision history</link> for more</revremark></revision>
|
||||
|
||||
|
||||
<revision> <revnumber>Release 0.47</revnumber> <date>2004-08-30</date> <authorinitials>PB</authorinitials> <revremark>See <link linkend="revision-history">revision history</link> for more</revremark></revision>
|
||||
|
||||
|
||||
<revision> <revnumber>Release 0.46</revnumber> <date>2004-03-16</date> <authorinitials>PB</authorinitials> <revremark>See <link linkend="revision-history">revision history</link> for more</revremark></revision>
|
||||
|
||||
|
||||
<revision> <revnumber>Release 0.45</revnumber> <date>2004-01-11</date> <authorinitials>PB</authorinitials> <revremark>See <link linkend="revision-history">revision history</link> for more</revremark></revision>
|
||||
|
||||
|
||||
|
||||
|
||||
|
@ -57,7 +60,7 @@ The goal of the Linux IPv6 HOWTO is to answer both basic and advanced questions
|
|||
General
|
||||
</title>
|
||||
<remark>
|
||||
CVS-ID: $Id: Linux+IPv6-HOWTO.lyx,v 1.96 2004/07/19 20:08:47 pbldp Exp $
|
||||
CVS-ID: $Id: Linux+IPv6-HOWTO.lyx,v 1.99 2005/01/01 21:41:14 pbldp Exp $
|
||||
</remark>
|
||||
<para>
|
||||
Information about available translations you will find in section <link linkend="general-translations">Translations</link>.
|
||||
|
@ -71,7 +74,7 @@ Copyright, license and others
|
|||
Copyright
|
||||
</title>
|
||||
<para>
|
||||
Written and Copyright (C) 2001-2004 by Peter Bieringer
|
||||
Written and Copyright (C) 2001-2005 by Peter Bieringer
|
||||
</para>
|
||||
|
||||
</sect2>
|
||||
|
@ -239,7 +242,7 @@ Major history
|
|||
2004-06-18: Greek translation is in progress
|
||||
</para>
|
||||
<para>
|
||||
2004-08-29: Spanish translation is still not in progress
|
||||
2004-08-29: Spanish translation is still NOT in progress
|
||||
</para>
|
||||
|
||||
</sect3>
|
||||
|
@ -987,7 +990,7 @@ For more information about the IPv6 history take a look at older IPv6 related RF
|
|||
History of IPv6 in Linux
|
||||
</title>
|
||||
<para>
|
||||
The years 1992, 1993 and 1994 of the IPv6 History (in general) are covered by following document: <ulink url="http://www.laynetworks.com/users/webs/IPv6.htm#CH3">IPv6 or IPng (IP next generation)</ulink>.
|
||||
The years 1992, 1993 and 1994 of the IPv6 History (in general) are covered by following document: <ulink url="http://www.laynetworks.com/IPv6.htm#CH3">IPv6 or IPng (IP next generation)</ulink>.
|
||||
</para>
|
||||
<para>
|
||||
To-do: better time-line, more content...
|
||||
|
@ -7470,13 +7473,46 @@ Encryption and Authentication
|
|||
</title>
|
||||
<para>
|
||||
Unlike in IPv4 encryption and authentication is a mandatory feature of IPv6. This features are normally implemented using IPsec (which can be also used by IPv4).
|
||||
</para>
|
||||
<para>
|
||||
But because of the independence of encryption and authentication from the key exchange protocol there exists currently some interoperability problems regarding this issue.
|
||||
</para>
|
||||
<sect1>
|
||||
<title>
|
||||
Support in kernel
|
||||
Modes of using Encryption and Authentication
|
||||
</title>
|
||||
<para>
|
||||
Two modes of Encryption and Authentication of a connection are possible:
|
||||
</para>
|
||||
<sect2>
|
||||
<title>
|
||||
Transport mode
|
||||
</title>
|
||||
<para>
|
||||
Transport mode is a real end-to-end connection mode. Here, only the payload (usually ICMP, TCP or UDP) is encrypted with their particular header, while the IP header is not encrypted (but ususally included in authentication).
|
||||
</para>
|
||||
<para>
|
||||
Using AES-128 for encryption and SHA1 for authentication, this mode decreases the MTU by 42 octetts.
|
||||
</para>
|
||||
|
||||
</sect2>
|
||||
|
||||
<sect2>
|
||||
<title>
|
||||
Tunnel mode
|
||||
</title>
|
||||
<para>
|
||||
Tunnel mode can be used either for end-to-end or for gateway-to-gateway connection modes. Here, the complete IP packet is encrypted and got a new IP header in front of .
|
||||
</para>
|
||||
<para>
|
||||
This mode usually decreases the MTU by 40 octetts from the MTU of transport mode.
|
||||
</para>
|
||||
|
||||
</sect2>
|
||||
|
||||
|
||||
</sect1>
|
||||
|
||||
<sect1>
|
||||
<title>
|
||||
Support in kernel (ESP and AH)
|
||||
</title>
|
||||
<sect2>
|
||||
<title>
|
||||
|
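Review bot: the transport-mode paragraph states the IP header is "not encrypted (but ususally included in authentication)", but that only holds for AH; with ESP, which is the only protocol the later setkey, racoon and pluto examples configure, the integrity check covers the ESP header, payload and trailer and not the IP header, so qualify the sentence with "when AH is used" or drop the parenthesis. Also fix the typos in the new text, "ususally" and "octetts" (twice), and the tunnel-mode sentence ends mid-thought: "got a new IP header in front of ." should read "gets a new IP header in front of it". The unchanged context line "This features are normally implemented" could be corrected to "These features are" in the same edit.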
@ -7490,20 +7526,13 @@ Currently missing in vanilla 2.4. There is an issue about keeping the Linux kern
|
|||
|
||||
<sect2>
|
||||
<title>
|
||||
Support in USAGI kernel
|
||||
Support in vanilla Linux kernel 2.6.x
|
||||
</title>
|
||||
<para>
|
||||
The USAGI project has taken over in July 2001 the IPv6 enabled FreeS/WAN code from the <ulink url="http://www.ipv6.iabg.de/downloadframe/">IABG / IPv6 Project</ulink> and included in their kernel extensions. Nowadays they are working on implementing IPsec into 2.5.x series.
|
||||
Current versions (as time of writing 2.6.9 and upper) support native IPsec for IPv4 and IPv6.
|
||||
</para>
|
||||
|
||||
</sect2>
|
||||
|
||||
<sect2>
|
||||
<title>
|
||||
Support in vanilla Linux kernel 2.5.x
|
||||
</title>
|
||||
<para>
|
||||
Currently, the IPsec extensions of the USAGI kernel are on the way being migrated into 2.5.x developer kernels.
|
||||
Development was mostly done by the USAGI project with help from others.
|
||||
</para>
|
||||
|
||||
</sect2>
|
||||
|
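Review bot: now that the USAGI paragraph is replaced by "Current versions (as time of writing 2.6.9 and upper) support native IPsec for IPv4 and IPv6", the retained "Support in vanilla Linux kernel 2.5.x" subsection describes a superseded development series; either mark it as historical or fold the credit line "Development was mostly done by the USAGI project with help from others." into the 2.6.x subsection so readers are not pointed at 2.5.x.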
@ -7513,11 +7542,344 @@ Currently, the IPsec extensions of the USAGI kernel are on the way being migrate
|
|||
|
||||
<sect1>
|
||||
<title>
|
||||
Usage
|
||||
Automatic key exchange (IKE)
|
||||
</title>
|
||||
<para>
|
||||
In difference to FreeS/WAN, in IPsec of 2.5.x the IKE daemon "racoon" (taken from KAME) is used instead of "pluto" of FreeS/WAN. It has a different configuration syntax than "pluto", note also that the IPsec setup is splitted into 2 parts (IKE and topology setup). Until some documentation is filled here, take a look at <ulink url="http://lartc.org/howto/lartc.ipsec.html">Linux Advanced Routing & Traffic Control HOWTO / IPSEC</ulink>.
|
||||
IPsec requires a key exchange of a secret. This is mostly done automatically by so called IKE daemons. They also handle the authentication of the peers, either by a common known secret (so called "preshared secret") or by RSA keys (which can also be used from X.509 certificates).
|
||||
</para>
|
||||
<para>
|
||||
Currently, two different IKE daemons are available, which totally differ from configuration and usage.
|
||||
</para>
|
||||
<para>
|
||||
I prefer "pluto" from the *S/WAN implementation because of the easier and one-config-only setup.
|
||||
</para>
|
||||
<sect2>
|
||||
<title>
|
||||
IKE daemon "racoon"
|
||||
</title>
|
||||
<para>
|
||||
The IKE daemon "racoon" is taken from the KAME project and ported to Linux. Modern Linux distributions contain this daemon in the package "ipsec-tools". Two executables are required for a proper IPsec setup. Take a look also on <ulink url="http://lartc.org/howto/lartc.ipsec.html">Linux Advanced Routing & Traffic Control HOWTO / IPSEC</ulink>.
|
||||
</para>
|
||||
<sect3>
|
||||
<title>
|
||||
Manipulation of the IPsec SA/SP database with the tool "setkey"
|
||||
</title>
|
||||
<para>
|
||||
"setkey" is important to tell the kernel the security policy (SP).
|
||||
</para>
|
||||
<para>
|
||||
File: /etc/racoon/setkey.sh
|
||||
</para>
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
<para>
|
||||
Example for a end-to-end encrypted connection in transport mode
|
||||
</para>
|
||||
|
||||
</listitem>
|
||||
|
||||
</itemizedlist>
|
||||
<programlisting>
|
||||
<![CDATA[#!/sbin/setkey -f
|
||||
]]><![CDATA[flush;
|
||||
]]><![CDATA[spdflush;
|
||||
]]><![CDATA[spdadd 2001:db8:1:1::1 2001:db8:2:2::2 any -P out ipsec esp/transport//require;
|
||||
]]><![CDATA[spdadd 2001:db8:2:2::2 2001:db8:1:1::1 any -P in ipsec esp/transport//require;
|
||||
]]><![CDATA[
|
||||
]]>
|
||||
</programlisting>
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
<para>
|
||||
Example for a end-to-end encrypted connection in tunnel mode
|
||||
</para>
|
||||
|
||||
</listitem>
|
||||
|
||||
</itemizedlist>
|
||||
<programlisting>
|
||||
<![CDATA[#!/sbin/setkey -f
|
||||
]]><![CDATA[flush;
|
||||
]]><![CDATA[spdflush;
|
||||
]]><![CDATA[spdadd 2001:db8:1:1::1 2001:db8:2:2::2 any -P out ipsec
|
||||
]]><![CDATA[¬ esp/tunnel/2001:db8:1:1::1-2001:db8:2:2::2/require;
|
||||
]]><![CDATA[spdadd 2001:db8:2:2::2 2001:db8:1:1::1 any -P in ipsec
|
||||
]]><![CDATA[¬ esp/tunnel/2001:db8:2:2::2-2001:db8:1:1::1/require;
|
||||
]]>
|
||||
</programlisting>
|
||||
<para>
|
||||
For the other peer, you have to exchange "in" with "out".
|
||||
</para>
|
||||
|
||||
</sect3>
|
||||
|
||||
<sect3>
|
||||
<title>
|
||||
Configuration of the IKE daemon "racoon"
|
||||
</title>
|
||||
<para>
|
||||
"racoon" requires a configuration file for proper running. It includes the related settings to the security policy, which should be setup previously using "setkey".
|
||||
</para>
|
||||
<para>
|
||||
File: /etc/racoon/racoon.conf
|
||||
</para>
|
||||
<programlisting>
|
||||
<![CDATA[# Racoon IKE daemon configuration file.
|
||||
]]><![CDATA[# See 'man racoon.conf' for a description of the format and entries.
|
||||
]]><![CDATA[path include "/etc/racoon";
|
||||
]]><![CDATA[path pre_shared_key "/etc/racoon/psk.txt";
|
||||
]]><![CDATA[
|
||||
]]><![CDATA[listen
|
||||
]]><![CDATA[{
|
||||
]]><![CDATA[ isakmp 2001:db8:1:1::1;
|
||||
]]><![CDATA[}
|
||||
]]><![CDATA[
|
||||
]]><![CDATA[remote 2001:db8:2:2::2
|
||||
]]><![CDATA[{
|
||||
]]><![CDATA[ exchange_mode main;
|
||||
]]><![CDATA[ lifetime time 24 hour;
|
||||
]]><![CDATA[ proposal
|
||||
]]><![CDATA[ {
|
||||
]]><![CDATA[ encryption_algorithm 3des;
|
||||
]]><![CDATA[ hash_algorithm md5;
|
||||
]]><![CDATA[ authentication_method pre_shared_key;
|
||||
]]><![CDATA[ dh_group 2;
|
||||
]]><![CDATA[ }
|
||||
]]><![CDATA[}
|
||||
]]><![CDATA[
|
||||
]]><![CDATA[# gateway-to-gateway
|
||||
]]><![CDATA[sainfo address 2001:db8:1:1::1 any address 2001:db8:2:2::2 any
|
||||
]]><![CDATA[{
|
||||
]]><![CDATA[ lifetime time 1 hour;
|
||||
]]><![CDATA[ encryption_algorithm 3des;
|
||||
]]><![CDATA[ authentication_algorithm hmac_md5;
|
||||
]]><![CDATA[ compression_algorithm deflate;
|
||||
]]><![CDATA[}
|
||||
]]><![CDATA[
|
||||
]]><![CDATA[sainfo address 2001:db8:2:2::2 any address 2001:db8:1:1::1 any
|
||||
]]><![CDATA[{
|
||||
]]><![CDATA[ lifetime time 1 hour;
|
||||
]]><![CDATA[ encryption_algorithm 3des;
|
||||
]]><![CDATA[ authentication_algorithm hmac_md5;
|
||||
]]><![CDATA[ compression_algorithm deflate;
|
||||
]]><![CDATA[}
|
||||
]]>
|
||||
</programlisting>
|
||||
<para>
|
||||
Also setup the preshared secret:
|
||||
</para>
|
||||
<para>
|
||||
File: /etc/racoon/psk.txt
|
||||
</para>
|
||||
<programlisting>
|
||||
<![CDATA[# file for pre-shared keys used for IKE authentication
|
||||
]]><![CDATA[# format is: 'identifier' 'key'
|
||||
]]><![CDATA[
|
||||
]]><![CDATA[2001:db8:2:2::2 verysecret
|
||||
]]>
|
||||
</programlisting>
|
||||
|
||||
</sect3>
|
||||
|
||||
<sect3>
|
||||
<title>
|
||||
Running IPsec with IKE daemon "racoon"
|
||||
</title>
|
||||
<para>
|
||||
At least the daemon needs to be started, for the first time, use debug and foreground mode. The following example shows a successful IKE phase 1 (ISAKMP-SA) and 2 (IPsec-SA):
|
||||
</para>
|
||||
<programlisting>
|
||||
<![CDATA[# racoon -F -v -f /etc/racoon/racoon.conf
|
||||
]]><![CDATA[Foreground mode.
|
||||
]]><![CDATA[2005-01-01 20:30:15: INFO: @(#)ipsec-tools 0.3.3 (http://ipsec-tools.sourceforge.net)
|
||||
]]><![CDATA[2005-01-01 20:30:15: INFO: @(#)This product linked
|
||||
]]><![CDATA[¬ OpenSSL 0.9.7a Feb 19 2003 (http://www.openssl.org/)
|
||||
]]><![CDATA[2005-01-01 20:30:15: INFO: 2001:db8:1:1::1[500] used as isakmp port (fd=7)
|
||||
]]><![CDATA[2005-01-01 20:31:06: INFO: IPsec-SA request for 2001:db8:2:2::2
|
||||
]]><![CDATA[¬ queued due to no phase1 found.
|
||||
]]><![CDATA[2005-01-01 20:31:06: INFO: initiate new phase 1 negotiation:
|
||||
]]><![CDATA[¬ 2001:db8:1:1::1[500]<=>2001:db8:2:2::2[500]
|
||||
]]><![CDATA[2005-01-01 20:31:06: INFO: begin Identity Protection mode.
|
||||
]]><![CDATA[2005-01-01 20:31:09: INFO: ISAKMP-SA established
|
||||
]]><![CDATA[¬ 2001:db8:1:1::1[500]-2001:db8:2:2::2[500] spi:da3d3693289c9698:ac039a402b2db401
|
||||
]]><![CDATA[2005-01-01 20:31:09: INFO: initiate new phase 2 negotiation:
|
||||
]]><![CDATA[¬ 2001:6f8:900:94::2[0]<=>2001:db8:2:2::2[0]
|
||||
]]><![CDATA[2005-01-01 20:31:10: INFO: IPsec-SA established:
|
||||
]]><![CDATA[¬ ESP/Tunnel 2001:db8:2:2::2->2001:db8:1:1::1 spi=253935531(0xf22bfab)
|
||||
]]><![CDATA[2005-01-01 20:31:10: INFO: IPsec-SA established:
|
||||
]]><![CDATA[¬ ESP/Tunnel 2001:db8:1:1::1->2001:db8:2:2::2 spi=175002564(0xa6e53c4)
|
||||
]]>
|
||||
</programlisting>
|
||||
<para>
|
||||
Each direction got it's own IPsec-SA (like defined in the IPsec standard). With TCPdump on the related interface, you will see following afterwards on an IPv6 ping:
|
||||
</para>
|
||||
<programlisting>
|
||||
<![CDATA[20:35:55.305707 2001:db8:1:1::1 > 2001:db8:2:2::2: ESP(spi=0x0a6e53c4,seq=0x3)
|
||||
]]><![CDATA[20:35:55.537522 2001:db8:2:2::2 > 2001:db8:1:1::1: ESP(spi=0x0f22bfab,seq=0x3)
|
||||
]]>
|
||||
</programlisting>
|
||||
<para>
|
||||
As expected, the SPIs occur here.
|
||||
</para>
|
||||
<para>
|
||||
And using "setkey" current active parameters are shown:
|
||||
</para>
|
||||
<programlisting>
|
||||
<![CDATA[# setkey -D
|
||||
]]><![CDATA[2001:db8:1:1::1 2001:db8:2:2::2
|
||||
]]><![CDATA[ esp mode=tunnel spi=175002564(0x0a6e53c4) reqid=0(0x00000000)
|
||||
]]><![CDATA[ E: 3des-cbc bd26bc45 aea0d249 ef9c6b89 7056080f 5d9fa49c 924e2edd
|
||||
]]><![CDATA[ A: hmac-md5 60c2c505 517dd8b7 c9609128 a5efc2db
|
||||
]]><![CDATA[ seq=0x00000000 replay=4 flags=0x00000000 state=mature
|
||||
]]><![CDATA[ created: Jan 1 20:31:10 2005 current: Jan 1 20:40:47 2005
|
||||
]]><![CDATA[ diff: 577(s) hard: 3600(s) soft: 2880(s)
|
||||
]]><![CDATA[ last: Jan 1 20:35:05 2005 hard: 0(s) soft: 0(s)
|
||||
]]><![CDATA[ current: 540(bytes) hard: 0(bytes) soft: 0(bytes)
|
||||
]]><![CDATA[ allocated: 3 hard: 0 soft: 0
|
||||
]]><![CDATA[ sadb_seq=1 pid=22358 refcnt=0
|
||||
]]><![CDATA[2001:db8:2:2::2 2001:db8:1:1::1
|
||||
]]><![CDATA[ esp mode=tunnel spi=253935531(0x0f22bfab) reqid=0(0x00000000)
|
||||
]]><![CDATA[ E: 3des-cbc c1ddba65 83debd62 3f6683c1 20e747ac 933d203f 4777a7ce
|
||||
]]><![CDATA[ A: hmac-md5 3f957db9 9adddc8c 44e5739d 3f53ca0e
|
||||
]]><![CDATA[ seq=0x00000000 replay=4 flags=0x00000000 state=mature
|
||||
]]><![CDATA[ created: Jan 1 20:31:10 2005 current: Jan 1 20:40:47 2005
|
||||
]]><![CDATA[ diff: 577(s) hard: 3600(s) soft: 2880(s)
|
||||
]]><![CDATA[ last: Jan 1 20:35:05 2005 hard: 0(s) soft: 0(s)
|
||||
]]><![CDATA[ current: 312(bytes) hard: 0(bytes) soft: 0(bytes)
|
||||
]]><![CDATA[ allocated: 3 hard: 0 soft: 0
|
||||
]]><![CDATA[ sadb_seq=0 pid=22358 refcnt=0
|
||||
]]>
|
||||
</programlisting>
|
||||
|
||||
</sect3>
|
||||
|
||||
|
||||
</sect2>
|
||||
|
||||
<sect2>
|
||||
<title>
|
||||
IKE daemon "pluto"
|
||||
</title>
|
||||
<para>
|
||||
The IKE daemon "pluto" is contained by the *S/WAN projects. *S/WAN project starts at the beginning as <ulink url="http://www.freeswan.org/">FreeS/WAN</ulink>. Unfortunately, FreeS/WAN project stopped further development in 2004. Because of slow development the time before, there were already 2 spin-offs started: <ulink url="http://www.strongswan.org/">strongSwan</ulink> and <ulink url="http://www.openswan.org/">Openswan</ulink>. Nowadays, for at least Openswan installable packages are existing, also in Fedora Core 3 Linux it's already included.
|
||||
</para>
|
||||
<para>
|
||||
A major difference to "racoon" only one configuration file is required. Also an initscript exists for automatic setup after booting.
|
||||
</para>
|
||||
<sect3>
|
||||
<title>
|
||||
Configuration of the IKE daemon "pluto"
|
||||
</title>
|
||||
<para>
|
||||
The configuration is very similar to the IPv4 one, only one important option is necessary.
|
||||
</para>
|
||||
<para>
|
||||
File: /etc/ipsec.conf
|
||||
</para>
|
||||
<programlisting>
|
||||
<![CDATA[# /etc/ipsec.conf - Openswan IPsec configuration file
|
||||
]]><![CDATA[#
|
||||
]]><![CDATA[# Manual: ipsec.conf.5
|
||||
]]><![CDATA[version 2.0 # conforms to second version of ipsec.conf specification
|
||||
]]><![CDATA[
|
||||
]]><![CDATA[# basic configuration
|
||||
]]><![CDATA[config setup
|
||||
]]><![CDATA[ # Debug-logging controls: "none" for (almost) none, "all" for lots.
|
||||
]]><![CDATA[ # klipsdebug=none
|
||||
]]><![CDATA[ # plutodebug="control parsing"
|
||||
]]><![CDATA[
|
||||
]]><![CDATA[#Disable Opportunistic Encryption
|
||||
]]><![CDATA[include /etc/ipsec.d/examples/no_oe.conf
|
||||
]]><![CDATA[
|
||||
]]><![CDATA[conn ipv6-p1-p2
|
||||
]]><![CDATA[ connaddrfamily=ipv6 # Important for IPv6!
|
||||
]]><![CDATA[ left=2001:db8:1:1::1
|
||||
]]><![CDATA[ right=2001:db8:2:2::2
|
||||
]]><![CDATA[ authby=secret
|
||||
]]><![CDATA[ esp=aes128-sha1
|
||||
]]><![CDATA[ ike=aes128-sha-modp1024
|
||||
]]><![CDATA[ type=transport
|
||||
]]><![CDATA[ #type=tunnel
|
||||
]]><![CDATA[ compress=no
|
||||
]]><![CDATA[ #compress=yes
|
||||
]]><![CDATA[ auto=add
|
||||
]]><![CDATA[ #auto=start
|
||||
]]><![CDATA[
|
||||
]]>
|
||||
</programlisting>
|
||||
<para>
|
||||
Don't forget to define the preshared secret here also.
|
||||
</para>
|
||||
<para>
|
||||
File: /etc/ipsec.secrets
|
||||
</para>
|
||||
<programlisting>
|
||||
<![CDATA[2001:db8:1:1::1 2001:db8:2:2::2 : PSK "verysecret"
|
||||
]]>
|
||||
</programlisting>
|
||||
|
||||
</sect3>
|
||||
|
||||
<sect3>
|
||||
<title>
|
||||
Running IPsec with IKE daemon "pluto"
|
||||
</title>
|
||||
<para>
|
||||
If installation of Openswan was successfully, an initscript should be exist for starting IPsec, simple run (on each peer):
|
||||
</para>
|
||||
<programlisting>
|
||||
<![CDATA[# /etc/rc.d/init.d/ipsec start
|
||||
]]>
|
||||
</programlisting>
|
||||
<para>
|
||||
Afterwards, start this connection on one peer, if you seen the line "IPsec SA established", all worked fine.
|
||||
</para>
|
||||
<programlisting>
|
||||
<![CDATA[# ipsec auto --up ipv6-peer1-peer2
|
||||
]]><![CDATA[104 "ipv6-p1-p2" #1: STATE_MAIN_I1: initiate
|
||||
]]><![CDATA[106 "ipv6-p1-p2" #1: STATE_MAIN_I2: sent MI2, expecting MR2
|
||||
]]><![CDATA[108 "ipv6-p1-p2" #1: STATE_MAIN_I3: sent MI3, expecting MR3
|
||||
]]><![CDATA[004 "ipv6-p1-p2" #1: STATE_MAIN_I4: ISAKMP SA established
|
||||
]]><![CDATA[112 "ipv6-p1-p2" #2: STATE_QUICK_I1: initiate
|
||||
]]><![CDATA[004 "ipv6-p1-p2" #2: STATE_QUICK_I2: sent QI2,
|
||||
]]><![CDATA[¬ IPsec SA established {ESP=>0xa98b7710 <0xa51e1f22}
|
||||
]]>
|
||||
</programlisting>
|
||||
<para>
|
||||
Because *S/WAN and setkey/racoon uses the same IPsec implementation in Linux kernel, "setkey" can be used also here to show current active parameters:
|
||||
</para>
|
||||
<programlisting>
|
||||
<![CDATA[# setkey -D
|
||||
]]><![CDATA[2001:db8:1:1::1 2001:db8:2:2::2
|
||||
]]><![CDATA[ esp mode=transport spi=2844489488(0xa98b7710) reqid=16385(0x00004001)
|
||||
]]><![CDATA[ E: aes-cbc 082ee274 2744bae5 7451da37 1162b483
|
||||
]]><![CDATA[ A: hmac-sha1 b7803753 757417da 477b1c1a 64070455 ab79082c
|
||||
]]><![CDATA[ seq=0x00000000 replay=64 flags=0x00000000 state=mature
|
||||
]]><![CDATA[ created: Jan 1 21:16:32 2005 current: Jan 1 21:22:20 2005
|
||||
]]><![CDATA[ diff: 348(s) hard: 0(s) soft: 0(s)
|
||||
]]><![CDATA[ last: hard: 0(s) soft: 0(s)
|
||||
]]><![CDATA[ current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
|
||||
]]><![CDATA[ allocated: 0 hard: 0 soft: 0
|
||||
]]><![CDATA[ sadb_seq=1 pid=23825 refcnt=0
|
||||
]]><![CDATA[2001:db8:2:2::2 2001:db8:1:1::1
|
||||
]]><![CDATA[ esp mode=transport spi=2770214690(0xa51e1f22) reqid=16385(0x00004001)
|
||||
]]><![CDATA[ E: aes-cbc 6f59cc30 8d856056 65e07b76 552cac18
|
||||
]]><![CDATA[ A: hmac-sha1 c7c7d82b abfca8b1 5440021f e0c3b335 975b508b
|
||||
]]><![CDATA[ seq=0x00000000 replay=64 flags=0x00000000 state=mature
|
||||
]]><![CDATA[ created: Jan 1 21:16:31 2005 current: Jan 1 21:22:20 2005
|
||||
]]><![CDATA[ diff: 349(s) hard: 0(s) soft: 0(s)
|
||||
]]><![CDATA[ last: hard: 0(s) soft: 0(s)
|
||||
]]><![CDATA[ current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
|
||||
]]><![CDATA[ allocated: 0 hard: 0 soft: 0
|
||||
]]><![CDATA[ sadb_seq=0 pid=23825 refcnt=0
|
||||
]]>
|
||||
</programlisting>
|
||||
|
||||
</sect3>
|
||||
|
||||
|
||||
</sect2>
|
||||
|
||||
|
||||
</sect1>
|
||||
|
||||
|
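Review bot: the pluto walkthrough starts the connection with `ipsec auto --up ipv6-peer1-peer2`, but the conn in /etc/ipsec.conf is named `ipv6-p1-p2` and the quoted output itself shows `"ipv6-p1-p2"`, so the command as written would not find the connection; use the same name in both places. Two further consistency problems in the examples: the racoon phase 2 log line `2001:6f8:900:94::2[0]<=>2001:db8:2:2::2[0]` contains a non-documentation address where every other line uses `2001:db8:1:1::1`, and the racoon.conf comment "# gateway-to-gateway" sits above sainfo entries for two host addresses in what the text describes as an end-to-end setup. On algorithm choices, racoon.conf proposes 3des with md5/hmac_md5 and dh_group 2 while the pluto example uses aes128-sha1 with modp1024; using the same AES/SHA1 suite in both files keeps the two examples comparable and avoids presenting MD5-based integrity as a recommendation. Since /etc/racoon/psk.txt and /etc/ipsec.secrets hold the pre-shared secret, a sentence asking for root-only file permissions would help readers. Grammar in the added prose: "which totally differ from configuration and usage" should read "which differ completely in configuration and usage", "Each direction got it's own" should be "its own", "If installation of Openswan was successfully, an initscript should be exist" should read "If Openswan was installed successfully, an initscript should exist", "if you seen the line" should be "if you see the line", "*S/WAN and setkey/racoon uses" should be "use", and both setkey list items say "a end-to-end" instead of "an end-to-end".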
@ -8887,6 +9249,22 @@ Suggestions are welcome!
|
|||
|
||||
</sect2>
|
||||
|
||||
<sect2>
|
||||
<title>
|
||||
2004
|
||||
</title>
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
<para>
|
||||
1st Global IPv6 Summit in Sao Paul, Brazil
|
||||
</para>
|
||||
|
||||
</listitem>
|
||||
|
||||
</itemizedlist>
|
||||
|
||||
</sect2>
|
||||
|
||||
|
||||
</sect1>
|
||||
|
||||
|
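Review bot: "1st Global IPv6 Summit in Sao Paul, Brazil" misspells the city; it should be "Sao Paulo".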
@ -9065,7 +9443,7 @@ ISATAP
|
|||
|
||||
<sect2>
|
||||
<title>
|
||||
Latest news
|
||||
Latest news and URLs to other documents
|
||||
</title>
|
||||
<para>
|
||||
More to be filled later...suggestions are welcome!
|
||||
|
@ -9088,6 +9466,12 @@ More to be filled later...suggestions are welcome!
|
|||
<ulink url="http://www.ipv6-net.de/">ipv6-net.org</ulink>, German forum
|
||||
</para>
|
||||
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>
|
||||
<ulink url="http://www.estoile.com/links/ipv6">Lot of URLs to others documents</ulink> by Anil Edathara
|
||||
</para>
|
||||
|
||||
</listitem>
|
||||
|
||||
</itemizedlist>
|
||||
|
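Review bot: the new list item reads "Lot of URLs to others documents"; "Lots of URLs to other documents" is the intended link text.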
@ -10307,6 +10691,12 @@ Application lists
|
|||
<itemizedlist>
|
||||
<listitem>
|
||||
<para>
|
||||
<ulink url="http://www.deepspace6.net/docs/ipv6_status_page_apps.html">DeepSpace6 / IPv6 Status Page</ulink> (<ulink url="http://mirrors.bieringer.de/www.deepspace6.net/docs/ipv6_status_page_apps.html">Mirror</ulink>)
|
||||
</para>
|
||||
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>
|
||||
<ulink url="http://www.ipv6.org/v6-apps.html">IPv6.org / IPv6 enabled applications</ulink>
|
||||
</para>
|
||||
|
||||
|
@ -11065,8 +11455,24 @@ More Tunnel brokers...
|
|||
Native IPv6 Services
|
||||
</title>
|
||||
<para>
|
||||
Note: These services are only available with a valid IPv6 connection!
|
||||
Note: These services are mostly only available with a valid IPv6 connection!
|
||||
</para>
|
||||
<sect3 id="information-nativeipv6nntp">
|
||||
<title>
|
||||
Net News (NNTP)
|
||||
</title>
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
<para>
|
||||
<ulink url="nntp://news.ipv6.scarlet-internet.nl/">news.ipv6.scarlet-internet.nl</ulink> (accessible through all the SixXS POPs)
|
||||
</para>
|
||||
|
||||
</listitem>
|
||||
|
||||
</itemizedlist>
|
||||
|
||||
</sect3>
|
||||
|
||||
<sect3 id="information-nativeipv6gameserver">
|
||||
<title>
|
||||
Game Server
|
||||
|
@ -11509,6 +11915,18 @@ traceroute6, whois: <ulink url="http://www.ipng.nl/">IPng.nl</ulink>
|
|||
AAAA Lookup Checker <ulink url="http://www.cnri.dit.ie/cgi-bin/check_aaaa.pl">http://www.cnri.dit.ie/cgi-bin/check_aaaa.pl</ulink>
|
||||
</para>
|
||||
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>
|
||||
Various tools: <ulink url="http://www.ipv6tools.com/">IPv6tools</ulink>
|
||||
</para>
|
||||
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>
|
||||
<ulink url="http://doc.tavian.com/ipv6util/index.htm">IPv6 address analysis tool</ulink> (something similar to ipv6calc's information option)
|
||||
</para>
|
||||
|
||||
</listitem>
|
||||
|
||||
</itemizedlist>
|
||||
|
@ -11678,6 +12096,15 @@ Releases 0.x
|
|||
<variablelist>
|
||||
<varlistentry>
|
||||
<term>
|
||||
0.47.1
|
||||
</term><listitem><para>2005-01-01/PB: add information and examples about IPv6 IPsec, add some URLs
|
||||
</para>
|
||||
|
||||
</listitem>
|
||||
|
||||
</varlistentry>
|
||||
<varlistentry>
|
||||
<term>
|
||||
0.47
|
||||
</term><listitem><para>2004-08-30/PB: add some notes about proftpd, vsftpd and other daemons, add some URLs, minor fixes, update status of Spanish translation
|
||||
</para>
|
||||
|
|