README
$Id: README,v 1.11 1999/06/28 16:03:28 beyssac Exp $

Currently implements:

 - IPSEC-compliant IP tunnelling (i.e., tunnel-mode only):
   - authentication: IP-AH (RFC 2402) and HMAC (RFC 2104) with:
       RFC 2403: MD5 (HMAC-MD5-96)
       RFC 2404: SHA1 (HMAC-SHA1-96)
                 RIPEMD160 (HMAC-RIPEMD160-96)
   - encryption: IP-ESP (RFC 2406) with:
                 Blowfish in CBC mode.
       RFC 2405: DES in CBC mode.
                 DES3 in CBC mode.
                 CAST in CBC mode.
                 IDEA in CBC mode.
     Additional authentication is supported too, with the same methods
     as in AH mode.
 - IP tunnels over UDP with MD5 (simple keyed hash) authentication.
 - IP tunnels over ICMP ECHO REPLY with HMAC-MD5-96 authentication.

You NEED to first install the OpenSSL "crypto" library (previously
part of SSLeay). See http://www.openssl.org/ for download and mirrors.

- compile and install

- under *BSD: make a kernel with the "tun" device, by adding the following
  line to your kernel configuration:

      pseudo-device tun 1

  Then remake a kernel (config MYKERNEL; cd ../../compile/MYKERNEL;
  make depend; make; mv /kernel /kernel.old; cp kernel /)

- under Linux: install the "userlink" module, port of the BSD tun driver

- create the file /etc/ipsec/pipsecd.conf (see pipsecd.conf.sample
  for an example)

- start /usr/local/sbin/pipsecd

- under *BSD:
      ifconfig tun0 <virtual_local_ip> <virtual_dest_ip> netmask <mask> mtu 1440

- under Linux 2.0.x:
      ifconfig ul0 <virtual_local_ip> pointopoint <virtual_dest_ip> netmask <mask> mtu 1440
      route add <virtual_dest_ip> ul0

- under Linux 2.2.x, approximately this (I need to check the MTU stuff):
      ifconfig ul0 <virtual_local_ip> pointopoint <virtual_dest_ip> netmask <mask>
      ip route add <virtual_dest_ip> mtu 1440 dev ul0
  (portability? what do you mean?)

- once this works, you can create the script /etc/ipsec/startup
  and make it executable. It is run after the program starts; you
  can put any interface configuration, routes, MTU settings and such
  in there.

- this should be done on both ends, of course. Then a ping to the remote
  point-to-point virtual address (the one ifconfig shows) should work.

From then on, add any routes or routing protocols of your liking.
Be careful, however, that the route to the REAL IP address of the
other end of the tunnel is not routed _through_ the tunnel, as it
would create a loop (the program detects this and warns you but is
unable to correct it).
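The following is an added example, not a script shipped with pipsecd: a skeleton for /etc/ipsec/startup that emits the interface commands listed above for the running OS and then checks the routing table for the loop described in the last paragraph, refusing to proceed if the REAL address of the other end is reached through the tunnel device (pipsecd itself only warns). The addresses, the device name, and the two routing tables are constructed placeholders; the table lookup expects the interface in the last column, as "netstat -rn" prints it, and only does an exact host-route match with a fallback to the default route.

```shell
#!/bin/sh
# Added example, not part of the pipsecd distribution. Assumed values:
TUN_DEV=tun0            # "ul0" on Linux with the userlink module
VIRT_LOCAL=10.1.0.1     # assumed: our virtual point-to-point address
VIRT_PEER=10.1.0.2      # assumed: the other end's virtual address
REAL_PEER=203.0.113.2   # assumed: the other end's REAL address
NETMASK=255.255.255.255
MTU=1440

# Print the README's interface commands for a given OS name (output of
# "uname -s"); the caller decides whether to execute them.
tunnel_commands() {
    case "$1" in
        Linux)
            printf 'ifconfig %s %s pointopoint %s netmask %s mtu %s\n' \
                "$TUN_DEV" "$VIRT_LOCAL" "$VIRT_PEER" "$NETMASK" "$MTU"
            printf 'route add %s %s\n' "$VIRT_PEER" "$TUN_DEV"
            ;;
        *BSD)
            printf 'ifconfig %s %s %s netmask %s mtu %s\n' \
                "$TUN_DEV" "$VIRT_LOCAL" "$VIRT_PEER" "$NETMASK" "$MTU"
            ;;
        *)
            return 1
            ;;
    esac
}

# route_dev TABLE DEST: print the interface that routing table TABLE
# (netstat -rn style text, interface in the last column) uses for host
# DEST: an exact host route first, otherwise the default route. This is
# a minimal lookup, not a full longest-prefix match.
route_dev() {
    dev=$(printf '%s\n' "$1" | awk -v d="$2" '$1 == d { print $NF; exit }')
    if [ -z "$dev" ]; then
        dev=$(printf '%s\n' "$1" |
              awk '$1 == "default" || $1 == "0.0.0.0" { print $NF; exit }')
    fi
    printf '%s\n' "$dev"
}

# peer_loops_through_tunnel TABLE PEER DEV: succeed (exit 0) when PEER is
# reached through DEV, i.e. the encapsulated packets would be fed back
# into the tunnel they carry.
peer_loops_through_tunnel() {
    [ "$(route_dev "$1" "$2")" = "$3" ]
}

# Two constructed routing tables (not captured from a real host). The
# first is sane; the second sends the real peer into the tunnel.
SAMPLE_OK_TABLE='Destination   Gateway       Flags  Iface
default       192.0.2.1     UG     fxp0
10.1.0.2      10.1.0.1      UH     tun0'

SAMPLE_LOOP_TABLE='Destination   Gateway       Flags  Iface
default       192.0.2.1     UG     fxp0
10.1.0.2      10.1.0.1      UH     tun0
203.0.113.2   10.1.0.2      UGH    tun0'

# Invoked as "/etc/ipsec/startup --apply": configure the interface, then
# verify the live routing table before letting traffic flow.
if [ "${1:-}" = "--apply" ]; then
    tunnel_commands "$(uname -s)" | sh -e || exit 1
    if peer_loops_through_tunnel "$(netstat -rn)" "$REAL_PEER" "$TUN_DEV"; then
        echo "route to $REAL_PEER goes through $TUN_DEV: loop, fix routing" >&2
        exit 1
    fi
fi
```

Without the --apply argument the script only defines its functions, so it can be sourced to check a saved routing table offline. Note that the sane table has no host route for the real peer at all: the default route through the physical interface is what the tunnel packets must take.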