From owner-FreeBSD-users-jp@jp.FreeBSD.org Wed Nov 17 13:35:21 2004
Received: (from daemon@localhost)
	by castle.jp.FreeBSD.org (8.11.6p2+3.4W/8.11.3) id iAH4ZLU87912;
	Wed, 17 Nov 2004 13:35:21 +0900 (JST)
	(envelope-from owner-FreeBSD-users-jp@jp.FreeBSD.org)
Received: from mail.ua.airnet.ne.jp (mail.ua.airnet.ne.jp [210.159.65.159])
	by castle.jp.FreeBSD.org (8.11.6p2+3.4W/8.11.3) with ESMTP/inet id iAH4ZL887905
	for <FreeBSD-users-jp@jp.FreeBSD.org>; Wed, 17 Nov 2004 13:35:21 +0900 (JST)
	(envelope-from audrey@ua.airnet.ne.jp)
Received: from [172.16.5.57] ([61.196.210.230])
	(authenticated bits=0)
	by mail.ua.airnet.ne.jp (8.12.6p3/8.12.5) with ESMTP id iAH4ZCSI064155;
	Wed, 17 Nov 2004 13:35:12 +0900 (JST)
	(envelope-from audrey@ua.airnet.ne.jp)
Message-ID: <419AD507.6040403@ua.airnet.ne.jp>
From: audrey <audrey@ua.airnet.ne.jp>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.3) Gecko/20040910
X-Accept-Language: ja, en-us, en
MIME-Version: 1.0
To: FreeBSD-users-jp@jp.FreeBSD.org
References: <F56E440F-3846-11D9-8703-000A95CD994C@exit.co.jp>
In-Reply-To: <F56E440F-3846-11D9-8703-000A95CD994C@exit.co.jp>
Content-Type: text/plain; charset=ISO-2022-JP
Content-Transfer-Encoding: 7bit
Reply-To: FreeBSD-users-jp@jp.FreeBSD.org
Precedence: list
Date: Wed, 17 Nov 2004 13:35:19 +0900
X-Sequence: FreeBSD-users-jp 81821
Subject: [FreeBSD-users-jp 81821] Re: IPsec
 =?ISO-2022-JP?B?GyRCJE4lSCVzJU0layViITwlSSRLJEQkJCRGGyhC?= 
Sender: owner-FreeBSD-users-jp@jp.FreeBSD.org
X-Originator: audrey@ua.airnet.ne.jp
X-Distribute: distribute version 2.1 (Alpha) patchlevel 24e+041115


$B!Z<ALd![(B
$B#1!K3F(BGW$B$,$/$o$($F$$$k2s@~$O2?$G$7$g$&$+!)!!(BB$B%U%l%C%D!)(B
$B!!!!!!"*2s@~$NITNI!JIT0BDj!K$d:Y$9$.$k$J$I(B

$B#2!K!V(BHost_a$B!W!V(BHost_b$B!W$r%m!<%+%k$K@\B3$7$F$I$&$J$k$+$O(B
$B!!!!D4$Y$i$l$J$$$N$G$7$g$&$+!#(B
$B!!!!!!"*(Bhost$B$+(BGW$B$+2s@~$+$N@Z$jJ,$1$,=PMh$J$$$+$H!#!#!#(B

$B#3!K!V(BHost_a$B!W!V(BHost_b$B!W4V$GAj8_$K(Bping$B$rBG$AB3$1$F(B
$B!!!!(Bdrop$B$H$+$O$J$$$N$G$7$g$&$+!)(B
$B!!!!!!"*(Bping$B%l%Y%k$G$O(BOK$B$G(BSSH$B$@$1$@$a$J$N$+!"$=$b$=$b(B
$B!!!!!!!!(Bping$B%l%Y%k$+$i$@$a$J$N$+!#(B

$B#4!K!V(BGateway_A$B!W!V(BGateway_B$B!W$+$i%$%s%?!<%M%C%H>e$N$I$3$+$K(B
$B!!!!(Bping$B$rBG$AB3$1$F(Bdrop$B$H$+$OL5$$$G$7$g$&$+!#(B
$B!!!!!!"*2s@~$,$^$H$b$+D4$Y$i$l$k$+$H!#(B

$B#5!KA4$F$r$N%P!<%8%g%s$r(B5.3R$B$KB7$($k$H$+$O=PMh$J$$$N$G$7$g$&$+!#(B

-- 
Yuri Kuwana $B7,L>M-M}!J$/$o$J$f$&$j!K!i(B




$BAp0fED2CF`(B wrote:
> $BAp0fED(B@$B%$%0%8%C%H$G$9!#(B
> 
> $B!Z2]Bj![(B
> IPsec$B$r;H$C$?%H%s%M%k%b!<%IDL?.4D6-$N9=C[$G%H%i%V%k$,5/$-$F$$$k$N$G!"(B
> $B$G$-$^$7$?$i!"3'MM$N$*CN7C$r$*B_$7$/$@$5$$!&!&!&!#(B
> 
> $BG0$N$?$a2a5n%m%0$r8!:w$7$F$_$^$7$?$,!"$$$^$$$A%T%C%?%j$H$7$?(B
> $BNc$,$J$$$h$&$G$7$?$N$G!&!&!#(B
> $B4D6-$K$D$$$F$O!"$3$3$G$O35MW$r<($7$F$$$^$9$N$G!"!V$3$l$G$O(B
> $B$o$+$i$s$+$i!"$3$3$r%A%'%C%/$;$h!"$H$$$&$+8+$;$m!W$J$I$N(B
> $B$4;XE&$,$"$j$^$7$?$i8x3+$$$?$7$^$9!#(B
> 
> 
> $B!Z>u67![(B
> <Host_a>----<Gateway_A>---Internet---<Gateway_B>---<Host_b>
> 
> 
> $B>e5-$N$h$&$J9=@.$G!"(B<Gateway_A><Gateway_B>$B4V$K!"(BIPsec$B$G(B
> $B%H%s%M%k$r$D$/$j!"(B<Host_a>$B$N(BDB$B$r(B<Host_b>$B$GA`:n$9$k$H$$$&(B
> $B%M%C%H%o!<%/$r9=C[$7$^$7$?!#(B
> <Host_a>$B$N$"$k%>!<%s$H(B<Host_b>$B$N$"$k%>!<%s$r(BVPN$B@\B3$7$?$$(B
> $B$H$$$&$N$,L\E*$G$9!#(B
> 
> $B$3$N>uBV$G!"(B<Host_b>$B$+$i(B<Gateway_A>$B!"(B<Host_a>$B$KBP$9$k(Bssh
> $B%/%i%$%"%s%H$r;H$C$?%3%^%s%I%i%$%s@\B3$O!J$=$N5U$b!K!"(B
> *$B$"$kDxEY(B*$BLdBj$J$/9T$o$l$F$$$k$h$&$K8+$($^$9!#(B
> 
> $B$7$+$7!"(B<Host_b>$B$+$i(B<Host_a>$B$KBP$7$F!J$=$N5U$N>l9g$b!K@\B3$7$F(B
> $B$$$k:]$K!"IQHK$K(Bssh$B%/%i%$%"%s%H$NI=<($,Dd;_!J%-!<F~NO$b$&$1$D$1$J$$!K(B
> $B$7$F!"$7$P$i$/8e$K%?%$%`%"%&%H$7$F$7$^$&>I>u$,$G$F$$$^$9!#(B
> $B$3$N>I>u$OITDj4|$KH/@8$7$^$9$,!"798~$H$7$F!"(B
> # ps aux
> $B$G$"$k$H$+!"(BMySQL$B$d(BPostgreSQL$B$N%F!<%V%k$r;2>H$9$k$J$I$G!"(B
> $BD9$$%G!<%?9T$,0l5$$KI=<($5$l$k;~$KB?$/H/@8$9$k$h$&$K;W$o$l$^$9!#(B
> $BD4;R$,$$$$$J!A$H;W$C$F!"(Bps aux$B$r7+$jJV$7$F$_$k$H!"2?EYL\$+$K(B
> $B!J0l2sL\$N$3$H$b$"$l$P!"==?t2sL\$N$3$H$b!&!&!KDd;_$7$F$7$^$&$H$$$&(B
> $B46$8$G$9!#(B
> 
> tcpdump$B$r;H$C$F%G!<%?$NN.$l$r8+$k$H!"I=<($,Dd;_$7$?8e$b%H%s%M%k$N(B
> $B@\B3$=$N$b$N$O<:$o$l$F$$$J$$$h$&$G$9!#(B
> $BDd;_$7$F$7$^$C$?%3%s%=!<%k$K!"%-!<F~NO$r$9$k$H!"%G!<%?$,N.$l$k(B
> $B:/@W$,$"$j$^$9!#(B
> $BDd;_$7$F$7$^$C$?%3%s%=!<%k$rJ|$C$F$*$$$F!"JL$J%3%s%=!<%k$rN)$A>e$2$F(B
> $B@\B3$9$k$H!"$=$A$i$G$O$J$K$4$H$b$J$+$C$?$h$&$K@\B3$,$G$-$^$9!#(B
> 
> $BIT;W5D$J$N$O!"$3$N@\B3CG!J!)!K$O!"0J2<$N$h$&$JNc30$,$"$k$3$H$G$9!#(B
> 
> $B!&(B<Host_b>$B$H(B<Gateway_A>$B$N%W%i%$%Y!<%H%"%I%l%9$X$N@\B3$G$OH/@8$7$J$$!#(B
> $B!!!J(B<Host_a>$B$H(B<Gateway_B>$B$N@\B3$bF1$8!#!K(B
> $B"t$3$NNc30$,$"$k$3$H$+$i!"(B<Host_b>$B$H(B<Host_a>$B$N%>!<%s$N(BHub$B$H(BNIC$B$r5?$$!"(B
> $B!!8r49$7$F$_$^$7$?$,!">I>u$KJQ2=$O$"$j$^$;$s$G$7$?!#(B
> 
> 
> $B$^$?!"JL$JLdBj$+$b$7$l$^$;$s$,!"(B<Host_b>$B$H$*$J$8%>!<%s$N(BPC$B$+$i(B
> MS$B$N(BAccess$B$r;H$C$F(B<Host_a>$B$N(BMySQL$B$d(BPostgreSQL$B$K(BODBC$B$G(B
> $B@\B3$7$h$&$H$9$k$H!"(BMySQL$B$N>l9g$O!"%F!<%V%k$N%j%s%/$,$G$-$F$b(B
> $B%G!<%?$,<h$j=P$;$J$$!#(BPostgreSQL$B$N>l9g$O(BODBC$B@\B3$,$G$-$J$$(B
> $B$H$$$&>I>u$K$J$j$^$9!#(B
> $B!J(B<Host_a>$B$HF1$8%>!<%s$K$"$k(BPC$B$G$O!"LdBj$O$"$j$^$;$s!K(B
> $B"t:G=*E*$K$d$j$?$$$N$O!"$3$N(BODBC$B@\B3$J$N$G$9$,!&!&(B
> $B"tF;$N$j$,1s$$!&!&(B(^^;
> 
> 
> $B!Z4D6-![(B
> $B860x$N@Z$jJ,$1$,$G$-$F$$$J$$$N$G!"$9$Y$F$N@_Dj$rNs5s$9$k$N$,(B
> $B$?$a$i$o$l$^$9$N$G!"35MW$r0J2<$K5-$7$^$9!#(B
> 
> $B!&(BHost$B$d(BGateway$B$r9=@.$7$F$$$k(BOS$B$O(BFreeBSD5.2$B$H(BFreeBSD5.2.1$B$H(B
> $B!!(BFreeBSD5.3$B$,:.:_$7$F$$$^$9!#(B
> $B!&(BKame$B$N%i%$%V%i%j$O%$%s%9%H!<%k;~$N$b$N$G$9!#(B
> $B!&A4$F$N%^%7%s$N(Brc.conf$B$G(Bipv6_enable="NO"$B$H$7$F$$$^$9!#(B
> $B!&FsBf$N(BGateway$B$G$O!"(Bipfw$B$H(Bnat$B$r;H$C$?%U%!%$%"%&%)!<%k$r9=C[$7$F$$$^$9!#(B
> $B!&%U%!%$%"%&%)!<%k$G$O!"(B500$BHV$N%]!<%H$r(Budp$B$H(Besp$B$,DL$k$3$H$r5v$7$F$$$^$9!#(B
> $B!&(BGateway$B4V$N(BIKE$B$N808r49$O!"(Bracoon$B$r;H$o$:!"<jF0$G$9!#(B
> $B!!!J(Bracoon$B$r;H$C$F$bF1$8>I>u$G$7$?!K(B
> $B!&@\B3$O!"$9$Y$F(BIP$B%"%I%l%9;XDj$G%F%9%H$7$F$$$^$9!J(BDNS$B$NLdBj$H@Z$jJ,$1$?(B 
> $B$$$N$G!K(B
> $B!&(B<Host_b>$B$N%>!<%s$O(B192.168.1.0/24$B!"(B<Host_a>$B$N%>!<%s$O(B192.168.0.0/24$B$G$9!#(B
> $B!&(BGateway$B4V$N(Bgif$B%H%s%M%k$O!"(B192.168.1.254-192.168.0.254$B$K:n$C$F$$$^$9!#(B
> 
> 
> 
> $B!Z3F@_Dj;qNA![(B
> $B$3$l$H$$$C$FFCJL$J$3$H$r$7$F$$$k$D$b$j$O$J$$$N$G$9$,!&!&(B(^^;
> $B!!"((Baaa.bbb.ccc.nn$B!"(Bxxx.yyy.zzz.nn$B$O%0%m!<%P%k%"%I%l%9(B
> ------------------------------------------------------------------------ 
> -------------------------------
> <Gateway_A>$B$N(B/etc/ipsec.conf
> 
> # Gateway_A /etc/ipsec.conf: a setkey(8) script that builds a manually keyed
> # ESP tunnel between the two gateways' global addresses
> # (aaa.bbb.ccc.23 on this side, xxx.yyy.zzz.59 on Gateway_B).
> flush;
> spdflush;
> 
> # Manual SAs, one per direction (SPI 9991 outbound from this gateway, 9992
> # inbound), 3des-cbc keyed with a 24-character string kept in this file.
> # The quoted key on the line after each "add" belongs to that "add"
> # statement; the mail client wrapped it. NOTE(review): only -E (encryption)
> # is given and no -A (authentication algorithm), so these SAs give
> # confidentiality but no integrity check on the ESP payload; manual keys are
> # also never rotated. The key strings shown look like masked placeholders.
> add aaa.bbb.ccc.23 xxx.yyy.zzz.59 esp 9991 -E 3des-cbc  
> "gggggggggggggggggggggggg";
> add xxx.yyy.zzz.59 aaa.bbb.ccc.23 esp 9992 -E 3des-cbc  
> "hhhhhhhhhhhhhhhhhhhhhhhh";
> 
> # SPD: traffic between the two private zones must ("require") be carried in
> # ESP tunnel mode between the global addresses, in both directions.
> spdadd 192.168.1.0/24 192.168.0.0/24 any
>         -P out ipsec esp/tunnel/aaa.bbb.ccc.23-xxx.yyy.zzz.59/require;
> spdadd 192.168.0.0/24 192.168.1.0/24 any
>         -P in ipsec esp/tunnel/xxx.yyy.zzz.59-aaa.bbb.ccc.23/require;
> 
> ------------------------------------------------------------------------ 
> -------------------------------
> <Gateway_B>$B$N(B/etc/ipsec.conf
> 
> # Gateway_B /etc/ipsec.conf: the mirror image of Gateway_A's file. The two
> # "add" lines are byte-identical on both gateways, as manual keying
> # requires; here SPI 9992 (xxx -> aaa) is the outbound SA and 9991 inbound.
> flush;
> spdflush;
> 
> # The quoted key on the line after each "add" belongs to that statement
> # (wrapped by the mail client). NOTE(review): -E without -A means ESP
> # encryption with no integrity/authentication on these SAs; static manual
> # keys never rotate. Key strings appear to be masked placeholders.
> add aaa.bbb.ccc.23 xxx.yyy.zzz.59 esp 9991 -E 3des-cbc  
> "gggggggggggggggggggggggg";
> add xxx.yyy.zzz.59 aaa.bbb.ccc.23 esp 9992 -E 3des-cbc  
> "hhhhhhhhhhhhhhhhhhhhhhhh";
> 
> # SPD: 192.168.0.0/24 is the local zone on this side, so "out" runs
> # 192.168.0.0/24 -> 192.168.1.0/24 through the xxx -> aaa tunnel and "in"
> # the reverse; both directions "require" ESP.
> spdadd 192.168.0.0/24 192.168.1.0/24 any
>         -P out ipsec esp/tunnel/xxx.yyy.zzz.59-aaa.bbb.ccc.23/require;
> spdadd 192.168.1.0/24 192.168.0.0/24 any
>         -P in ipsec esp/tunnel/aaa.bbb.ccc.23-xxx.yyy.zzz.59/require;
> ------------------------------------------------------------------------ 
> -------------------------------
> <Gateway_A>$B$N(B/etc/rc.conf$B!JH4?h!K(B
> 
> # Gateway_A /etc/rc.conf (excerpt). em0 is the public /26 interface, em1 the
> # 192.168.1.0/24 zone; the box forwards and NATs for that zone and
> # terminates the IPsec/gif tunnel to Gateway_B.
> defaultrouter="aaa.bbb.ccc.1"
> gateway_enable="YES"
> network_interfaces="lo0 em0 em1 gif0"
> ifconfig_em0="inet aaa.bbb.ccc.23  netmask 255.255.255.192"
> ifconfig_em1="inet 192.168.1.1  netmask 255.255.255.0"
> # 192.168.1.254 doubles as the inner gif0 address and as Host_a's default
> # router (Host_a rc.conf, quoted further down).
> ifconfig_em1_alias0="inet 192.168.1.254  netmask 255.255.255.255"
> ipv6_enable="NO"
> # natd on the public interface; the matching divert rule is not part of the
> # ipfw.conf excerpt in this mail.
> natd_enable="YES"
> natd_interface="em0"
> firewall_enable="YES"
> firewall_script="/etc/ipfw.conf"
> firewall_quiet="YES"
> # SAs and SPD are loaded from /etc/ipsec.conf (quoted above).
> ipsec_enable="YES"
> ipsec_file="/etc/ipsec.conf"
> # gif0: IP-in-IP tunnel with the same outer endpoints as the ESP tunnel in
> # ipsec.conf; inner addresses 192.168.1.254 <-> 192.168.0.254, and the
> # static route below sends the remote zone through it.
> # NOTE(review): with both gif0 and an ESP tunnel-mode SPD between the same
> # endpoints, confirm with tcpdump on em0 that inter-zone traffic actually
> # leaves as ESP; a plain IPIP (protocol 4) packet emitted by gif0 would be
> # unencrypted and is not covered by the esp/isakmp allow rules in the
> # ipfw.conf excerpt.
> gif_interfaces="gif0"
> gifconfig_gif0="aaa.bbb.ccc.23 xxx.yyy.zzz.59"
> ifconfig_gif0="inet 192.168.1.254 192.168.0.254 netmask 255.255.255.255"
> static_routes="vpn"
> route_vpn="-net 192.168.0.0/24 192.168.1.254"
> ------------------------------------------------------------------------ 
> -------------------------------
> <Gateway_B>$B$N(B/etc/rc.conf$B!JH4?h!K(B
> 
> # Gateway_B /etc/rc.conf (excerpt). em0 is the public /26 interface, nge0
> # the 192.168.0.0/24 zone; forwarding, natd and the tunnel mirror Gateway_A.
> defaultrouter="xxx.yyy.zzz.1"
> gateway_enable="YES"
> network_interfaces="lo0 em0 nge0 gif0"
> ifconfig_em0="inet xxx.yyy.zzz.59  netmask 255.255.255.192"
> ifconfig_nge0="inet 192.168.0.1 netmask 255.255.255.0"
> # 192.168.0.254 is both the inner gif0 address and Host_b's default router
> # (Host_b rc.conf, quoted further down).
> ifconfig_nge0_alias0="inet 192.168.0.254 netmask 255.255.255.255"
> ipv6_enable="NO"
> # inetd is enabled here (not on Gateway_A), with TCP-wrapper flags.
> inetd_enable="YES"
> inetd_flags="-wW"
> natd_program="/sbin/natd"
> natd_enable="YES"
> natd_interface="em0"
> firewall_enable="YES"
> firewall_script="/etc/ipfw.conf"
> firewall_quiet="YES"
> ipsec_enable="YES"
> ipsec_file="/etc/ipsec.conf"
> # gif0 outer endpoints are the same pair as the ESP tunnel in ipsec.conf,
> # in reverse order. NOTE(review): this ifconfig_gif0 line lacks the "inet"
> # keyword that Gateway_A's line has; probably harmless, but worth aligning
> # so the two sides are configured identically. As on Gateway_A, verify with
> # tcpdump that inter-zone traffic leaves em0 as ESP rather than plain IPIP.
> gif_interfaces="gif0"
> gifconfig_gif0="xxx.yyy.zzz.59 aaa.bbb.ccc.23"
> ifconfig_gif0="192.168.0.254 192.168.1.254 netmask 255.255.255.255"
> static_routes="vpn0"
> route_vpn0="-net 192.168.1.0/24 192.168.0.254"
> ------------------------------------------------------------------------ 
> -------------------------------
> <Gateway_A>$B$N(B/etc/ipfw.conf$B!JH4?h!K(B
> 
> # Gateway_A /etc/ipfw.conf (excerpt): the rules that let the IPsec tunnel
> # through. ${fwcmd} is not defined in this excerpt; presumably it is set
> # earlier in the script to the ipfw binary, as in rc.firewall -- confirm.
> oif="em0"
> # onet is assigned but not referenced in the lines shown.
> onet="aaa.bbb.ccc.0/26"
> oip="aaa.bbb.ccc.23"
> # NOTE(review): "trusted" here is the peer's whole /26, not the single peer
> # address xxx.yyy.zzz.59 that ipsec.conf and gifconfig_gif0 use. Every host
> # in that /26 can therefore reach the ISAKMP port and deliver ESP to this
> # gateway; IPsec still discards packets with an unknown SPI/key, but
> # narrowing trusted_host to the peer address shrinks the exposed surface.
> trusted_host="xxx.yyy.zzz.0/26"
> if [ -n "${trusted_host}" ]; then
> # The two "isakmp via ${oif}" lines below are continuations of the preceding
> # ${fwcmd} lines, wrapped by the mail client. UDP 500 is opened both ways
> # even though the mail says IKE is done by hand without racoon.
>         ${fwcmd} add allow udp from ${trusted_host} isakmp to ${oip}  
> isakmp via ${oif}
>         ${fwcmd} add allow udp from ${oip} isakmp to ${trusted_host}  
> isakmp via ${oif}
>         ${fwcmd} add allow esp from ${trusted_host} to ${oip} via ${oif}
>         ${fwcmd} add allow esp from ${oip} to ${trusted_host} via ${oif}
> fi
> ------------------------------------------------------------------------ 
> -------------------------------
> <Gateway_B>$B$N(B/etc/ipfw.conf$B!JH4?h!K(B
> 
> # Gateway_B /etc/ipfw.conf (excerpt): mirror of Gateway_A's tunnel rules.
> # ${fwcmd} is not defined in this excerpt -- presumably set earlier in the
> # script. The public address variable is named oipa here but oip on
> # Gateway_A; cosmetic, but the two files otherwise match.
> oif="em0"
> # onet is assigned but not referenced in the lines shown.
> onet="xxx.yyy.zzz.0/26"
> oipa="xxx.yyy.zzz.59"
> # NOTE(review): trusted_host is the peer's entire /26 rather than the peer
> # address aaa.bbb.ccc.23 used in ipsec.conf and gifconfig_gif0; restricting
> # it to that address limits who can send ISAKMP/ESP to this gateway.
> trusted_host="aaa.bbb.ccc.0/26"
> if [ -n "${trusted_host}" ]; then
> # The "isakmp via ${oif}" lines below are mail-wrapped continuations of the
> # preceding ${fwcmd} lines.
>         ${fwcmd} add allow udp from ${trusted_host} isakmp to ${oipa}  
> isakmp via ${oif}
>         ${fwcmd} add allow udp from ${oipa} isakmp to ${trusted_host}  
> isakmp via ${oif}
>         ${fwcmd} add allow esp from ${trusted_host} to ${oipa} via  ${oif}
>         ${fwcmd} add allow esp from ${oipa} to ${trusted_host} via  ${oif}
> fi
> ------------------------------------------------------------------------ 
> -------------------------------
> <Host_a>$B$N(Brc.conf
> 
> # Host_a (192.168.1.0/24 zone): default route is Gateway_A's em1 alias /
> # inner gif0 address, so all off-zone traffic goes via the tunnel gateway.
> defaultrouter="192.168.1.254"
> ------------------------------------------------------------------------ 
> -------------------------------
> <Host_b>$B$N(Brc.conf
> 
> # Host_b (192.168.0.0/24 zone): default route is Gateway_B's nge0 alias /
> # inner gif0 address.
> defaultrouter="192.168.0.254"
> ------------------------------------------------------------------------ 
> -------------------------------
> 
> 
> $B0J>e!#(B
> $BD9$/$J$C$F$7$^$C$F?=$7Lu$"$j$^$;$s!#(B
> 
> 
> 
