m0n0wall
Chris Buechler, Manuel Kasper, Ben Zeng
m0n0wall 1.2
2005 m0n0wall Documentation Project
September 2005
Contents
1.1 What is m0n0wall?
1.2 Why m0n0wall?
1.3 History
1.4 Features
1.4.1 Components
1.4.2 Performance
1.5 Copyright
1.5.1 Other copyrights
1.6 Credits
1.6.1 Contributors
1.6.2 Documentation
2.1 Supported platforms
2.2 PC hardware
2.2.1 Minimum requirements
2.2.2 BIOS settings
2.2.3 Storage media
2.3
2.3.1 Soekris Engineering
2.3.2 PC Engines WRAP
2.3.3 Nokia IPxxx boxes
2.3.4 NexCom NexGate Appliances
2.4
2.5
2.5.1
2.5.1.1 Soekris 45xx
2.5.1.2 Soekris 48xx
2.5.1.3 WRAP
2.5.2
2.5.3 CPU
2.5.4
2.5.5
2.5.6
2.6
2.6.1
2.6.2
2.6.3
2.7
2.7.1
2.7.2 ISA
3.1
3.2
3.3
3.3.1 CD
3.3.2 CF IDE
3.3.3
4.1
4.2 Web GUI
4.3
4.3.1
4.3.2
4.3.3
4.3.4
4.4
4.4.2 LAN
4.4.3 WAN
4.4.4
4.4.5
4.5
4.5.1 DNS
4.5.2
4.5.3 DHCP
4.5.3.1 DHCP
4.5.4 SNMP
4.5.5 ARP
4.5.6 Captive Portal
4.5.7 LAN
4.6 VPN
4.6.1 IPsec
4.6.2 PPTP
4.6.3 PPTP
4.7
4.7.1
4.7.2
4.7.3
4.7.4
4.8
4.8.1
4.8.2 DHCP
4.8.3 IPsec
4.8.4 SIP
4.8.5 ping/traceroute
4.8.6
4.8.7
4.8.8
4.8.9
5.1
5.1.1 Action
5.1.2
5.1.3
5.1.4
5.1.5 ICMP
5.1.6 Source
5.1.7
5.1.8 Destination
5.1.9
5.1.10
5.1.11
5.1.12
5.2 NAT
5.2.1
5.2.2
5.2.3
5.2.4
5.2.5 NAT IP
5.2.6
5.2.7
5.2.8 NAT
5.2.9
5.3 NAT
5.3.1 NAT
5.3.2 NAT
5.3.3 ARP
5.4 1:1 NAT
5.4.1 1:1 NAT
5.4.1.1
5.4.1.2
5.4.1.3
5.4.1.4
5.5 NAT
5.5.1 NAT
5.6
5.6.1
5.6.2
5.6.3
5.6.4
5.7
5.7.1
5.7.1.1
5.7.1.2
5.7.1.3
5.7.1.4
5.7.2
NAT
NAT
IPsec
8.1 IPsec
8.2 IPsec phases 1 and 2
8.3 IKE key
8.4
8.5 Hash
8.6
8.7
8.8
8.9 Diffie-Hellman groups
8.9 IKE (Main Mode)
8.10 IKE Aggressive Mode
8.11 IKE
8.12 PFS (Perfect Forward Secrecy)
8.13 IPsec over NAT-T
8.13.1 NAT-T
8.14 IPsec
8.15 IPsec VPN
PPTP
9.1
9.2
9.3
9.4 VLAN
9.5 PPTP
9.6 PPTP
9.7 PPTP
9.7.1 PPTP
9.8 Windows XP PPTP
9.9 PPTP
OpenVPN
Captive Portal
14.1 DMZ NAT
14.1.1
14.1.2
14.1.3
14.1.4 DMZ
14.1.5 DMZ LAN
14.1.6 NAT
14.1.6.1 1:1 NAT
14.1.6.2 1:1 NAT
14.1.6.3 NAT
14.2 DMZ
14.3
14.3.1
14.3.2 WAN
14.3.3 OPT
14.3.4
14.3.5
14.3.5.1 OPT
14.3.5.2 WAN
14.3.5.3 LAN
14.3.5.4
14.3.6
Site to Site VPN
15.1 Cisco PIX Firewall
15.1.1 PIX
15.1.2 m0n0wall
15.2 SmoothWall
15.3 FreeS/WAN (Openswan)
15.4 SonicWALL
15.5 Nortel
FAQ
1.1 What is m0n0wall?
m0n0wall is a complete, embedded firewall software package designed to run on an embedded PC. It is based on a bare-bones version of FreeBSD together with a web server and PHP, and the entire system configuration is stored in a single XML file to keep it transparent. m0n0wall is probably the first UNIX system whose boot-time configuration is done with PHP rather than with the usual shell scripts, and which keeps its whole configuration in XML.
1.2 Why m0n0wall?
m0n0wall ("m0n0" for short) is aimed at small, low-powered CPUs and boots from a Compact Flash (CF) card, so it runs on hardware that bigger firewall distributions cannot use. It deliberately leaves out features that belong on larger boxes, such as an intrusion detection system (IDS) or web and FTP proxies. m0n0 has no login prompt: there is no telnet or ssh daemon on the box.
1.3 History
Manuel Kasper started m0n0wall because he wanted a small firewall for an embedded PC that could be configured entirely through a web interface. The Linux-based distributions with web front-ends that existed at the time (webmin-style interfaces on top of a normal system) did not meet that goal, so he began writing his own. The web interface was first written in C and then in PHP; PHP also replaced the shell scripts normally used for boot-time configuration, and the configuration was moved into a single XML file. The first public beta of m0n0wall appeared on 15 February 2003, and version 1.0 was released on 15 February 2004, after 26 beta releases. The details are in the m0n0wall Change Log.
1.4 Features
m0n0wall provides:
- web interface (SSL supported)
- serial console interface for recovery (set LAN IP address, reset password, restore factory defaults, reboot)
- wireless support (access point with PRISM-II/2.5/3 cards, BSS/IBSS with other cards, including Cisco)
- captive portal
- 802.1Q VLAN support
- stateful packet filtering with block/pass rules
- NAT/PAT (including 1:1)
- DHCP client, PPPoE, PPTP and Telstra BigPond Cable support on the WAN interface
- IPsec VPN tunnels (IKE; with support for hardware crypto cards, mobile clients and certificates)
- PPTP VPN (with RADIUS server support)
- DHCP server
- caching DNS forwarder
- DynDNS client and RFC 2136 DNS updater
- SNMP agent
- SVG-based traffic grapher
- firmware upgrade through the web browser
- Wake on LAN client
- configuration backup/restore
- host/network aliases
1.4.1 Components
m0n0wall is built from the following components:
- FreeBSD components (kernel, user programs)
- ipfilter
- PHP (CGI version)
- thttpd
- MPD
- ISC DHCP server
- ez-ipupdate (for DynDNS updates)
- Dnsmasq (for the caching DNS forwarder)
- Racoon (for IPsec IKE)
1.4.2 Performance
The complete m0n0wall image is about 6 MB and fits on a CF card or a CD-ROM. On a Soekris net4501, m0n0wall forwards about 17 Mbps of TCP traffic from WAN to LAN with NAT; a net4801 or a WRAP board reaches about 50 Mbps, and a standard PC more than 100 Mbps. m0n0wall boots in about 40 seconds on a net4501, not counting the POST (the BIOS self-test).
1.5 Copyright
m0n0wall is Copyright 2002-2004 by Manuel Kasper. All rights reserved.
1.5.1 Other copyrights
m0n0wall contains the following third-party software:
FreeBSD (http://www.freebsd.org) Copyright 1994-2003 FreeBSD, Inc. All rights reserved.
This product includes PHP, freely available from http://www.php.net. Copyright 1999-2003 The PHP Group. All rights reserved.
mini_httpd (http://www.acme.com/software/mini_httpd) Copyright 1999, 2000 by Jef Poskanzer. All rights reserved.
ISC DHCP server (http://www.isc.org/products/DHCP) Copyright 1996-2003 Internet Software Consortium. All rights reserved.
ipfilter (http://www.ipfilter.org) Copyright 1993-2002 by Darren Reed.
MPD - Multi-link PPP daemon for FreeBSD (http://www.dellroad.org/mpd) Copyright 1995-1999 Whistle Communications, Inc. All rights reserved.
ez-ipupdate (http://www.gusnet.cx/proj/ez-ipupdate) Copyright 1998-2001 Angus Mackay. All rights reserved.
Circular log support for FreeBSD syslogd (http://software.wwwi.com/syslogd) Copyright 2001 Jeff Wheelhouse ([email protected])
Dnsmasq - a DNS forwarder for NAT firewalls (http://www.thekelleys.org.uk) Copyright 2000-2003 Simon Kelley
Racoon (http://www.kame.net/racoon) Copyright 1995-2002 WIDE Project. All rights reserved.
before version pb23: watchdogd (watchdog) Copyright 2002-2003 Dirk-Willem van Gulik. All rights reserved. This product includes software developed by the Stichting Wireless Leiden (http://www.wirelessleiden.nl). See LICENSE for more licensing information.
msntp (http://www.hpcf.cam.ac.uk/export) Copyright 1996, 1997, 2000 N.M. Maclaren, University of Cambridge. All rights reserved.
UCD-SNMP (http://www.ece.ucdavis.edu/ucd-snmp) Copyright 1989, 1991, 1992 by Carnegie Mellon University. Copyright 1996, 1998-2000 The Regents of the University of California. All rights reserved. Copyright 2001-2002, Network Associates Technology, Inc. All rights reserved. Portions of this code are copyright 2001-2002, Cambridge Broadband Ltd. All rights reserved.
choparp (http://choparp.sourceforge.net) Copyright 1997 Takamichi Tateoka ([email protected]) Copyright 2002 Thomas Quinot ([email protected])
1.6
1.6.1
m0n0wall Manuel Kasper
m0n0wall :
Bob Zoller (bob at kludgebox dot com): Diagnostics: Ping function; WLAN channel
auto-select; DNS forwarder
Michael Mee (m0n0wall at mikemee dot com): Timezone and NTP client support
Magne Andreassen (magne dot andreassen at bluezone dot no): Remote syslog'ing;
some code bits for DHCP server on optional interfaces
Rob Whyte (rob at g-labs dot com): Idea/code bits for encrypted webGUI passwords;
minimalized SNMP agent
Petr Verner (verner at ipps dot cz): Advanced outbound NAT: destination selection
Bruce A. Mah (bmah at acm dot org): Filtering bridge patches
Jim McBeath (monowall at j dot jimmc dot org): Filter rule patches (ordering, block/pass,
disabled); better status page; webGUI assign network ports page
Chris Olive (chris at technologEase dot com): enhanced "execute command" page
Pauline Middelink (middelink at polyware dot nl): DHCP client: send hostname patch
Bjrn Plsson (bjorn at networksab dot com): DHCP lease list page
Peter Allgeyer (allgeyer at web dot de): "reject" type filter rules
Thierry Lechat (dev at lechat dot org): SVG-based traffic grapher
Steven Honson (steven at honson dot org): per-user IP address assignments for PPTP
VPN
Kurt Inge Smådal (kurt at emsp dot no): NAT on optional interfaces
Dinesh Nair (dinesh at alphaque dot com): captive portal: pass-through MAC/IP
addresses, RADIUS authentication HTTP server concurrency limit
Justin Ellison (justin at techadvise dot com): traffic shaper TOS matching; magic shaper;
DHCP deny unknown clients; IPsec user FQDNs
Fred Wright (fw at well dot com): ipfilter window scaling fix; ipnat ICMP checksum
adjustment fix
1.6.2
m0n0wall Manuel Kasper
m0n0wall :
Chris Buechler (m0n0wall at chrisbuechler.com): Editor, numerous contributions
throughout.
Jim McBeath (monowall at j dot jimmc dot org): Users Guide outline, editing
Rudi van Drunen (r.van.drunen at xs4all dot nl) with thanks to Manuel Kasper, Edwin
Kremer, PicoBSD, Matt Simerson and John Voight: m0n0wall Hackers Guide, used as the
basis for the Development chapter.
Francisco Artes (falcor at netassassin.com): IPsec and PPTP chapters.
Fred Wright (fw at well dot com): Suggestions and review.
Axel Eble (axel+m0n0-0001 at balrog dot de): Help with the wiki, ddclient howto
contribution.
Brian Zushi (brian at ricerage dot org): Linux CD burning instructions, documentation
review and suggestions.
Dino Bijedic (dino.bijedic at eracom-tech dot com): Sonicwall example VPN contribution.
2.1
m0n0wall X86 PC
X86 PC
X86 MIPSLinksysARMD-Link
FreeBSD MIPS ARM FreeBSD
http://www.freebsd.org/platforms/index.html MIPS
m0n0wallX86
2.2 PC
m0n0wall X86 PC
2.2.1
486 CPU 486 CPU m0n0wall CPU
486 (Pentium )CPU
64M 64M RAM m0n0wall CD 32MB
m0n0wall CF(Compact Flash) 64MB
m0n0wall RAM (swap
space)
2.2.2 BIOS
BIOS m0n0wall
Plug and Play OS
BIOS Plug and Play OSNO
Disable BIOS BIOS
FreeBSD( m0n0wall)
http://www.freebsd.org/platforms/index.html
BIOS
2.2.3
m0n0wall CF(compact Flash) CD
CompactFlash
8M Compact Flash
IDE SCSI FreeBSD
CD/
IDE SCSI CD-ROM/DVD m0n0wall 1.44MB
MS-DOS/FAT
PC CD-ROM
Zip Drive setup
1.2b3 m0n0wall Zip Drive
Zip Drive
2.3
m0n0wall
2.3.1. Soekris Engineering
Soekris m0n0wall net4501 45xx net45xx
net4801 net48xx
net4501-30: 133 Mhz CPU, 64 Mbyte SDRAM, 3 Ethernet, 2 Serial, CF socket, 1 Mini-PCI socket,
3.3V PCI connector.
net4511-30: 100 Mhz CPU, 64 Mbyte SDRAM, 2 Ethernet, 1 Serial, CF socket, 1 Mini-PCI socket,
Single PC-Card socket, PoE
net4521-30: 133 Mhz CPU, 64 Mbyte SDRAM, 2 Ethernet, 1 Serial, CF socket, 1 Mini-PCI socket,
Dual PC-Card socket, PoE
net4526-20: 100 Mhz CPU, 32 Mbyte SDRAM, 1 Ethernet, 1 Serial, 16 Mbyte CF Flash, 2 Mini-PCI
sockets, PoE.
net4526-30: 133 Mhz CPU, 64 Mbyte SDRAM, 1 Ethernet, 1 Serial, 64 Mbyte CF Flash, 2 Mini-PCI
sockets, PoE.
net4801-50: 266 Mhz CPU, 128 Mbyte SDRAM, 3 Ethernet, 2 serial, USB connector, CF socket, 44
pins IDE connector, 1 Mini-PCI socket, 3.3V PCI connector.
2.3.2. PC Engines WRAP
Wireless Router Application Platform (WRAP)
PC Engines WRAP m0n0wall WRAP
2.3.3. Nokia IPxxx boxes
Nokia IPxxx CheckPoint PC
m0n0wall
eBay $100 IP110 IP120
IP110,120 130
10/100
National GX 300Mhz CPU
110 64MB RAM120 128MB130 256MB
5GB
auxiliary and console
IP330,440,530,650,740
m0n0wall PC
m0n0wall
HSS1,T-1CSU/DSU, V.35 X.21 OC-3 ATM, FDDI
NokiaNICMACFF.FF.FF.FF.FF.FF
http://chrisbuechler.com/m0n0wall/nokia/ip110.html
2.3.4. NexCom NexGate Appliances
NexCom Nexgate m0n0wall WRAP Soekris
$500
2.4
m0n0wall VMware Workstation,GSX ESX
Microsoft Virtual PC Virtual Server
m0n0wall Chris Buechler 10-15 VMware
m0n0wallChris Buechlerm0n0wall
VMware http://chrisbuechler.com/index.php?id=18
MS VPCVSm0n0wallChris Buechlerm0n0wall images for
Microsoft Virtual PC and Virtual Server(http://chrisbuechler.com/index.php?id=31)
Chris Notingham
2.5
m0n0wall
2.5.1
2.5.1.1. Soekris 45xx
Soekris 45xx 10Mbps IPsec VPN 45xx
3Mbps IPsec
DMZ LAN 45xx
17Mbps 17Mbps
2.5.1.2. Soekris 48xx
Soekris 48xx 30Mbps IPsec VPN 45xx
?? Mbps IPsec
DMZ LAN 48xx
40Mbps 40Mbps
2.5.1.3. WRAP
WRAP 30Mbps IPsec VPN 45xx
?? Mbps IPsec
DMZ LAN WRAP
40Mbps 40Mbps
2.5.2
:
PC
NICNIC CPU
CPU NIC
FreeBSD Intel Pro/100 (
fxp) 3COM 3C905 ( xl) FreeBSD fxp0,fxp1
xl0
Intel Pro/100 Pro/1000 m0n0wall
Realtek (FreeBSD rl)
m0n0wall Intel ebay $30 USD 3-5
()
6Mbps
30-40Mbps LAN DMZ LAN
2.5.3 CPU
CPU CPU CPU
Intel Pentium CPU
30-40MbpsPentium III 100Mbps 1000
2.8+GHz Pentium 4
2.5.4
m0n0wall 64M RAM
64MB
2.5.5
m0n0wall CF 8MBm0n0wall RAM
RAM
CF
CF
2.5.6
1000 PCI
PCI
PCI 133MBps 1064Mbps 1000
PCI-X 1056MBps 8.25Gbps
1000 PCI-X PCI-X
NIC
2.6
m0n0wall FAQ
http://doc.m0n0.ch/handbook-single/#FAQ.AP
/
2.6.1
b, b/ga/b/gm0n0wallFreeBSD
5.x 6.x m0n0wall BSD 4.11m0n0wallFreeBSD
http://doc.m0n0.ch/handbook-single/#
2.6.2
100%Chris
Buechler (mailto:[email protected])
(hostap)!()
m0n0wall FreeBSDno hostap
m0n0wall froogle.google.com
3COM 3crwe737A AirConnect Wireless LAN PC Card
Cisco Systems Aironet 340 - no hostap
Cisco Systems Aironet 350 - no hostap
Compaq WL100
Compaq WL110
D-Link DWL-520 - NOT DWL-520+ as it uses a different, unsupported, chipset.
D-Link DWL-650 - Revisions A1-J3 ONLY. K1, L1, M, and P revisions not supported.
Dell TrueMobile 1150 Series - no hostap
Intel PRO/Wireless 2011 LAN PC Card
Linksys Instant Wireless WPC11
Netgear MA311
Netgear MA401
SMC 2632W PC Card
SMC 2602W PCI
US Robotics Wireless Card 2410
NL-2511CD
miniPCI
2511MP Dell TrueMobile 1150 Series
2.6.3 /
hostap Google FreeBSD
wi hostapwi
hostap
Accton airDirect WN3301
Addtron AWA100
Adtec ADLINK340APC
Aironet 4500/4800 series (PCMCIA, PCI, and ISA adapters are all supported)
Airway 802.11 Adapter
Avaya Wireless PC Card
BayStack 650 and 660
Blue Concentric Circle CF Wireless LAN Model WL-379F
BreezeNET PC-DS.11
Buffalo WLI-CF-S11G
Cabletron RoamAbout 802.11 DS
Corega KK Wireless LAN PCC-11, PCCA-11, PCCB-11
ELECOM Air@Hawk/LD-WL11/PCC
ELSA AirLancer MC-11
Farallon Skyline 11Mbps Wireless
Farallon SkyLINE Wireless
ICOM SL-1100
Icom SL-200
IBM High Rate Wireless LAN PC Card
IO Data WN-B11/PCM
Laneed Wireless card
Lucent Technologies WaveLAN/IEEE 802.11 PCMCIA and ISA standard speed (2Mbps) and turbo speed (6Mbps) wireless network adapters and workalikes
Lucent WaveLAN/IEEE 802.11
Melco Airconnect WLI-PCM-S11, WLI-PCM-L11
Melco WLI-PCM
NCR WaveLAN/IEEE 802.11
NEC Wireless Card CMZ-RT-WP
NEC Aterm WL11C (PC-WL/11C)
NEC PK-WL001
NEL SSMagic
Netwave AirSurfer Plus and AirSurfer Pro
PLANEX GeoWave/GW-NS110
Proxim Harmony, RangeLAN-DS
Raytheon Raylink PC Card
Sony PCWA-C100
TDK LAK-CD011WL
Toshiba Wireless LAN Card
Webgear Aviator
Webgear Aviator Pro
Xircom Wireless Ethernet adapter (rebadged Aironet)
ZoomAir 4000
2.7
m0n0wall NIC
m0n0wall Realtek
Intel
CPU CPU
Intel Intel Pro/100
eBay $25
2.7.1
1000
Intel Pro/1000
FreeBSD 411-RELEASE Hardware
Notes(http://www.freebsd.org/releases/4.11R/hardware-i386.html#ETHERNET)
2.7.2 ISA
ISA
PCI
ISA PCI
ISA
PCI
ISA ISA
3COM ISA plug and playFreeBSD plug and play
3COM ISA 3COM DOS
DOS
Plug and Play
BIOS ISA IRQ
ISA/PnP
.
3.1
m0n0wall X86 PC Soekris Engineering net45xx/48xx
PC Engines WRAP X86 PC
m0n0wallPCgeneric-pcCF
CD-ROM+m0n0wallFreeBSD4
FreeBSDm0n0wallFreeBSD/i386
Hardware Noteshttp://www.freebsd.org/releases/4.9R/hardware-i386.html
m0n0wall 64M/
m0n0wall swap
3.2
Soekris net45xx/48xx PC Engines Wireless Router Application Platform (WRAP) PC CF/HD
PC CD-ROM(ISO) TAR (tarball)
http://www.m0n0.ch/wall/downloads.php
CD-R CF
3.3
m0n0wall CD CF /IDE
CD CF
3.3.1 CD
CD-ROM PC m0n0wallm0n0wall
CD PC
HD CD m0n0wall
ISO 3.2
ISO CD-R(-RW)
FreeBSD(ATAPI Recorder) burncd -s max -e data cdrom-xxx.iso fixate
Linux(ATAPI w/ SCSI emulation)
SCSI ID/LUN
linuxbox# cdrecord --scanbus
Cdrecord-Clone 2.01 (i686-pc-linux-gnu) Copyright (C) 1995-2004 Jörg Schilling
Linux sg driver version: 3.1.25
Using libscg version 'schily-0.8'.
scsibus0: 0,0,0 100) 'LITE-ON ' 'COMBO LTC-48161H' 'KH0F' Removable CD-ROM
SCSI ID/LUN 0,0,0
cdrecord --dev=0,0,0 --speed= cdrom-xxx.iso
Windows Nero ISO
(2048bytes/sector, Mode-1)
1.44MB MS-DOS/FAT
FreeBSD fdformat -f 1440 /dev/fd0 && newfs_msdos -L "m0n0wallcfg" -f 1440 /dev/fd0
: (low-level)fdformat
Windows
format A:
m0n0wall PC CD-ROM
3.3.2 CF IDE
m0n0wall CF Soekris
IDE PC m0n0wall CF
SWAP CF
CF/IDE 3.2
CF 5MBCF
CF
FreeBSD
gzcat net45xx-xxx.img | dd of=/dev/rad[n] bs=16k
n=CF ( dmesg)net4801 net48xx-xxx.imgWRAP
wrap-xxx.img PC generic-pc-xxx.img
Trailing garbage -
Linux gunzip -c net45xx-xxx.img | dd of=/dev/hdX bs=16k
X=CF ( hdparm I /dev/hdX )- USB
SCSI /dev/sdX
Trailing garbage -
Windows physdiskwrite [-u] net45xx-xxx.img
physdiskwrite 0.3 m0n0wall physdiskwrite
(http://www.m0n0.ch/wall/physdiskwrite.php) 800M -u
()
CF/HD physdiskwrite
physdiskwrite v0.5 by Manuel Kasper
Searching for physical drives...
Information for \\.\PhysicalDrive0:
  Windows:       cyl: 14593
                 tpc: 255
                 spt: 63
  C/H/S:         16383/16/63
  Model:         ST3120026A
  Serial number: 3JT1V2FS
  Firmware rev.: 3.06
CF physdiskwrite
3.3.3
m0n0wall
(http://doc.m0n0.ch/handbook-single/#OtherDoc.Installation)
3.4 m0n0wall
m0n0wall
m0n0wall
m0n0wall
m0n0wall CDCF CD
FAT
CDCF BIOS
PC Soekris
NULL-MODEM
PC
Soekris WRAP () BIOS 9600bps
Soekris ConSpeed=9600
webGUI m0n0wall
:
Soekris net45xx BUG
BIOS 1.15a
m0n0wall
m0n0wall LAN IP
192.168.1.1 192.168.1.X DHCP
m0n0wall LAN LAN
192.168.1.1:80WEB m0n0wall webGUI
m0n0wall
webGUI webGUI
webGUI
4.1
BIOS FreeBSD m0n0wall
LANWAN OPTOPT
DMZ Host Access Point LAN
webGUI LAN IP LAN IP
webGUI
4.2 WEB GUI
m0n0wall m0n0wall LAN WEB
80 m0n0wall WEB
admin mono
m0n0wall
LAN
m0n0wall webGUI
m0n0wall
4.3
4.3.1
4.1:
4.1.
myfirewall
IP
Mydomain.com
IP
DNS DNS IP DNS
webGUI admin
webGUI
m0n0wall
webGUI m0n0wall webGUI
HTTPS webGUI HTTPS
webGUI m0n0wall webGUI
80
Logging
NTP Logging
NTP NTP(Network Time Protocol)
Logging
4.3.2
CIDR (Classless Inter-Domain
Routing, RFC 1517,RFC1518,RFC1519,RFC1520)
4.3.2
4.3.3
4.3.3
4.3.4
[]
4.4
4.4.1
LANWAN
VLAN
4.4.2 LAN
LAN IP CIDR
4.4.3 WAN
WAN WAN IP DHCP
PPPoE PPTP WAN
IP Ipsec VPN WAN WAN
VPN IP VPN WAN
WAN
WAN IP
DHCP WAN DHCP IP
PPPoEPPP over Ethernet ADSL
PPTP PPTP ADSL PPTP
: MAC MTU
WAN MAC
xx:xx:xx:xx:xx:xx MAC
TCP MSS 40TCPIP
PPPoE MTU 14928 PPPoE
4 1500
IP WAN IP IP
IP IP
PPPoE WAN PPPoE ADSL
ADSL
ADSL
PPTP WAN PPTP PPTP ADSL
PPTP (ADSL)
PPTP (ADSL)
IP IP
IP IP
RFC1918 (10/8, 172.16/12,
192.168/16 127/8)
WAN
4.4.4
LAN DMZ
4.4.5
4.5
4.5.1 DNS
m0n0wall DNS
DNS
DNS LAN DNS
DNS m0n0wall LAN IP DNS
DNSDHCP LANIP
DNSDNS DNS
DNS
DHCPPPPDNSDNS DNS
DNS WAN
IP DNS
DNS
m0n0wallLANDHCPLAN
DNSDHCPm0n0wall
my-pc
example.comm0n0wallIPmy-pc.example.com
DNS
(DNS )/IP
www.yourcompany.com
IP
IP
www.example.com 1.2.3.4
DNS (hosts)
( DNS )
4.5.2
IP DHCP
( ADSL) IP WEB
m0n0wall ez-ipupdate(http://www.ez-ipupdate.com/)
MX DNS ()
(dyndns.org )
MX
()
example.homeip.net
example.homeip.net example.homeip.net www.
example.homeip.net,mail example.homeip.net,
WAN IP PING
WAN IP :
4.5.3 DHCP
DHCP WAN
DHCP
( WAN ) xxx DHCP
DHCP
DHCP IP
DHCP IP(
)
MAC
DHCP
IP
DHCP IP
( ID) m0n0wall
WINs
NT 4 windows 2000 (AD)
WINs IP WINs
DHCP
DHCP 7200 (
)
604800
DHCP
DHCP
DHCP IP IP
DHCP LAN
MAC IP
IP
MAC MAC xx:xx:xx:xx:xx:xx Windows NT/2000/XP
ipconfig MAC Windows 95/98/ME
-> winipcfg Unix ifconfig
IP IP IP
IP IP IP IP
DNS ( DNS ) DHCP
4.5.3.1 DHCP
4.5.4 SNMP
SNMP
m0n0wall
SNMP public
SNMP
(
)
4.5.5 ARP
ARP IP IP ARP
1:1NAT NAT NAT WAN
PPPoe/PPTP WAN IP DHCP
1:1 NAT NAT NAT IP ARP
+
ARP
ARP
http://doc.m0n0.ch/handbook-single/#Proxy.ARP
4.5.6 Captive Portal
Captive Portal HTTP
internet HTTP
Captive
Captive Portal (Wi-Fi)
Captive Portal
Captive Portal
HTTP(S)
Captive portal Captive portal
IP 4 16
Captive portal
URL URL Captive portal URL
MAC MAC
MAC Captive Portal
captive portal
RADIUS
Radius
HTTPS
HTTPS
HTML (POST
to "$PORTAL_ACTION$") (name="accept")
name="redirurl" and value="$PORTAL_REDIRURL$"
"auth_user" and "auth_pass"
HTML
"$PORTAL_MESSAGE$" RADIUS
4.5.7 LAN
Magic Packets Wake
On Lan WOL BIOS
VPN
LAN Router/VPN
wake up
MAC
MAC
4.6 VPN
4.6.1 IPsec
4.6.2 PPTP
4.6.3 PPTP
4.7
4.7.1
4.7.2
4.7.3
4.4:
1.1
Adobe SVG Viewer
4.7.4
4.8
4.8.1
4.8.2 DHCP
DHCP
DHCP :
4.8.3 IPsec
IPsec SAD SPD
SADSecurity Association Database
SADSAs IPsec
SA
SPDSecurity Policy Database
SPD IPsec IPsec VPN
SPD IPsec IPsec VPN
IP
4.8.4 SIP
4.8.5 ping/traceroute
GUI ping/traceroute IP PING
ping/traceroute
PINGVPNPINGSNMP
VPN FAQ
http://doc.m0n0.ch/handbook-single/#FAQ.SNMPoverVPN
PINGVPN
4.8.6
NAT
NAT/Firewall
NAT
IP PPTP Ipv6
4.8.7
config.xml
4.8.8
m0n0wall
4.8.9
.
5.1
LANWANOPT1OPT2
WANIPWAN
->WAN
BLOCK
5.1.1 Action
IP
Pass IP
Block IP
RejectIPIPTCP RST ICMP
TCPUDP ( "TCP/UDP")Reject
5.1.2
5.1.3
IP
5.1.4
TCP UDP TCP/UDP ICMP ESP AH GRE IPv6 IGMP
Any()
5.1.5 ICMP
ICMP ICMP
Destination unreachable Echo Echo reply Source quench Redirect Time exceeded Parameter problem
Timestamp Timestamp reply Information request Information reply Address mask request Address mask reply
5.1.6 (source)
IP
WAN
LAN
PPTP
OPTn ()
5.1.7
(
"any") ''
5.1.8 Destination
IP
WAN
LAN
PPTP
OPTn ()
5.1.9
(
"any") ''
5.1.10
DoS
5.1.11
IP
syslog ( )
5.1.12
5.2 NAT
NAT IP LAN OPT
+
5.2.1
WAN Internet OPT
VLAN
OPT DMZ DMZ LAN
LAN DNS UDP Port 53
LAN DNS IP NAT DMZ IP DNS IP
NAT IP DMZ LAN
DNS
5.2.2
NAT WAN OPT IP WAN OPT
IP IP NAT
5.2.3
TCPUDP TCP/UDP
5.2.4
''
5.2.5 NAT IP
IPLANIP 192.168.1.12
5.2.6
IP
5.2.7
/
5.2.8 NAT
5.2.9
NATNAT
internet
->
5.3 NAT
NAT IP NAT
5.3.1 NAT
->NAT-> NAT, +
5.3.2 NAT
NAT+
NAT IP
5.3.3 ARP
WAN NAT ARP
ARP
WAN IP ISP
WAN PPPoE PPTP
ARP WAN IP DHCP
WAN IP->ARP
WAN IP ARP
5.4. 1:1NAT
1:1 NAT IP IP (), IP IP
. 1:1NAT , IP NAT
IP( Internet),, IP , NAT IP.(
, 1:1NAT )
1:1NAT .
1:1NAT OPT(),.
5.4.1 1:1NAT
: NAT: 1:1 ,+
5.4.1.1
WANOPT
5.4.1.2
IP IP/32
IP C LAN DMZ C
1:1NAT
5.4.1.3
IP LAN DMZ
IP1:1NAT
5.4.1.4
5.5 NAT
NAT LAN
NAT
NATm0n0wall NAT
WANNAT
WANIP WAN
ARP.
5.5.1 NAT
5.6
: /
5.6.1
+
5.6.2
+
5.6.3
5.6.4
5.7
WEB
IP
5.7.1
->
5.7.1.1
5.7.1.2
5.7.1.3
IP
5.7.1.4
5.7.2
,
NAT()
NATNetwork Address Translation IPRFC 1918
IP
NAT NAT IP NAT
NAT IP
IP IANA(Internet Assigned Numbers
Authority) RFC 1918 IP
10.0.0.0 10.255.255.255(CIDR: 10.0.0.0/8)
172.16.0.0 172.31.255.255(CIDR: 172.16.0.0/12)
192.168.0.0 192.168.255.255(CIDR: 192.168.0.0/16)
NAT IP IP
IP
IP NAT
NAT
NAT
NAT
NATS-NAT,SNAT
NAT SNAT
SNAT
SNATmasqueradeIP(outgoing)
IP
NATDNAT
DNAT FTP SNAT
SNAT
NATBi-Directional NAT
NAT NAT NAT
()
IPsec
IPsec VPN(Virtual Private Network)
VPN
HASH
HASH
IPsec VPN
IPsec VPN
Router/VPN site-to-site IPsec VPN ()point-to-site
site-to-site VPN VPN
IP IP
IP
site-to-site VPN
8.1 IPsec
IPsec (end-to-end)
IP IP IP
IPsec IPsec
IPsec
AH:Authentication Header Protocol
(ESPEncapsulating Security Payload Protocol)
Internet (IKE ISAKMP/Oakley)
ESP IKEESP IKE
IPsec SA
Security Association IPsec SA IPsec IPsec
SAinbound SA SA(outbound SA)
8.2 IPsec 1 2
IPsec IKE
IKE 1. DH 2
ESP SA
IKE 2. 1 ESP SA
ESP SA
IKE 1 ISAKMP SA( IKE SA)IKE
(IKE ISAKMP
Oakley IPsec )
IKE 1 ISAKMP SAIKE SAISAKMP SA
winning proposal
control channel 2
ISAKMP SA ESP SASecurity Association
, IKE
ISAKMP SA lifetime
ISAKMP SA
IKE 2 IKE IKESA
2 SA
ESP HASH IKE 2
ESP SAs( IPsec SAs)inboundoutbound
VPN
IPsec VPN control channel 2
ISAKMP SA
VPN
IPsec SA
8.3 IKE KEY
ISAKMP SA
Diffie-hellman Group
HASH
IKE1VPN1(proposals)SA
IKEKEYinitiatorVPN
1proposals VPN
Responder
ISAKMP
ISAKMP SAIKE SA 22
IPsec SA
IPsec SA IPsec
IKEVPNon-demandVPN
IP
IP
IPsec SAIP
IKE
IPsec SA
8.4
DES
AES
3DES
SSF33/SCB2:
8.5 HASH
HASHHASH
message digest/fingerprintHASH
HASH
MD5: 128bits(16bytes)
SHA1: 160bits(20bytes)
8.6
PSK: Pre-Shared Key/Pre-shared secret
HASHVPN
HASH
HASH
KEY,
PSK
PSKIKE
PSK KEY
KEY
KEY
PSK IKEPSK
PSKPSK
PSK
PSK
PSK
8.7
PSKRSAIKE
RSA
KEY
RSA KEY
HASH
RSA
HASHmessage digest/fingerprint
MD516SHA120
HASH
HASH
8.8
X.509 PEM
IKE1
:
8.9 Diffie-Hellman Groups
DHDH
Whitfield Diffie and Martin Hellman, 1976
DH
A,BDH Groupn,g( n = gk+1 )
A picks a secret x, computes X = g^x mod n and sends X to B
B picks a secret y, computes Y = g^y mod n and sends Y to A
A: k1 = Y^x = (g^y mod n)^x = g^xy mod n;
B: k2 = X^y = (g^x mod n)^y = g^xy mod n;
x,yRSA
DHn,g n,g,X,Y
x,y k1/k2
IPsecDH IKE1IKE
SAIKE 2 IPsec SA
Router/VPNDH Groups:
Group 2
Group 5
8.9 IKE (Main Mode)
ISAKMP SA6
DH
DH
IKE1main mode
DH
8.10 IKE Aggressive Mode
IKE
Aggressive Mode3
DHSA
Responder
8.11 IKE
RFC2409
IKE
HDR: ISAKMP, HDR*
SA: Responder
_b:
SAi_b: SAIPsec DOI(Domain of Interpretation)situation
CKY-I,CKY-R: (Initiator)(Responder)cookie
ISAKMP
g^xi,g^xr: (Initiator)(Responder)Diffie-Hellman
xi,xr
g^xyDiffie-Hellman
KE: Diffie-Hellman
Nx: x: i,r(Initiator)(Responder)
IDx: x : ii,ir,(Initiator)(Responder)
1ui,ur, (Initiator)(Responder)2
.
SIG:
CERT
HASH: HASH
prf(key,msg):
SKEYID
SKEYID_eISAKMP SA
SKEYID_a: ISAKMP SA
SKEYID_d:
y: yx
| X|Y
IKESKEYID
: SKEYID = prf(Ni_b | Nr_b, g^xy)
RSA: SKEYID = prf(hash(Ni_b | Nr_b), CKY-I | CKY-R)
: SKEYID = prf(pre-shared-key, Ni_b | Nr_b)
IKE()
SKEYID_d = prf(SKEYID, g^xy | CKY-I | CKY-R | 0)
SKEYID_a = prf(SKEYID, SKEYID_d | g^xy | CKY-I | CKY-R | 1)
SKEYID_e = prf(SKEYID, SKEYID_a | g^xy | CKY-I | CKY-R | 2)
HASH
HASH_I = prf(SKEYID, g^xi | g^xr | CKY-I | CKY-R | SAi_b | IDii_b )
HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b )
1+
1+
1+
2(Qick Mode)
KE PFS :
KEYMAT = prf(SKEYID_d, g(qm)^xy | protocol | SPI | Ni_b | Nr_b)
: KEYMAT = prf(SKEYID_d, protocol | SPI | Ni_b | Nr_b).
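To see how the SKEYID formulas above combine the Diffie-Hellman secret g^xy from section 8.9 with the cookies and nonces, here is an added worked example (not m0n0wall or racoon code). It assumes HMAC-SHA1 as prf, a toy DH modulus in place of a real IKE group, and constructed cookies, nonces, SA body and pre-shared key.

```python
import hashlib
import hmac
from typing import Optional, Tuple

# Toy Diffie-Hellman group, constructed for this example only: n is the
# Mersenne prime 2^61 - 1 and g = 2. IKE group 2 uses a 1024-bit MODP
# prime instead, but the arithmetic X = g^x mod n is the same.
DH_N = (1 << 61) - 1
DH_G = 2

def dh_public(x: int) -> int:
    """X = g^x mod n: the value a side puts in its KE payload."""
    return pow(DH_G, x, DH_N)

def dh_shared(peer_public: int, x: int) -> int:
    """k = Y^x mod n = g^xy mod n; both sides reach the same value."""
    return pow(peer_public, x, DH_N)

def to_bytes(v: int) -> bytes:
    return v.to_bytes(8, "big")          # n < 2^64, so 8 octets suffice

def prf(key: bytes, msg: bytes) -> bytes:
    """prf(key, msg). IKE derives it from the negotiated hash; HMAC-SHA1
    is assumed here, so every output below is 20 bytes."""
    return hmac.new(key, msg, hashlib.sha1).digest()

def skeyid_psk(psk: bytes, ni_b: bytes, nr_b: bytes) -> bytes:
    """Pre-shared key: SKEYID = prf(pre-shared-key, Ni_b | Nr_b)."""
    return prf(psk, ni_b + nr_b)

def skeyid_sig(ni_b: bytes, nr_b: bytes, gxy: bytes) -> bytes:
    """Signatures: SKEYID = prf(Ni_b | Nr_b, g^xy)."""
    return prf(ni_b + nr_b, gxy)

def derive_skeyids(skeyid, gxy, cky_i, cky_r) -> Tuple[bytes, bytes, bytes]:
    """SKEYID_d, SKEYID_a, SKEYID_e chained exactly as in the text: each
    step feeds the previous output back in, followed by a counter octet."""
    d = prf(skeyid, gxy + cky_i + cky_r + b"\x00")
    a = prf(skeyid, d + gxy + cky_i + cky_r + b"\x01")
    e = prf(skeyid, a + gxy + cky_i + cky_r + b"\x02")
    return d, a, e

def hash_i(skeyid, gxi, gxr, cky_i, cky_r, sai_b, idii_b) -> bytes:
    """HASH_I = prf(SKEYID, g^xi | g^xr | CKY-I | CKY-R | SAi_b | IDii_b)."""
    return prf(skeyid, gxi + gxr + cky_i + cky_r + sai_b + idii_b)

def hash_r(skeyid, gxi, gxr, cky_i, cky_r, sai_b, idir_b) -> bytes:
    """HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b)."""
    return prf(skeyid, gxr + gxi + cky_r + cky_i + sai_b + idir_b)

def keymat(skeyid_d, protocol, spi, ni_b, nr_b, gqm_xy: Optional[bytes] = None) -> bytes:
    """Quick Mode KEYMAT. With PFS a fresh g(qm)^xy is prepended; without
    it the phase 2 keys depend only on SKEYID_d and the new nonces."""
    return prf(skeyid_d, (gqm_xy or b"") + protocol + spi + ni_b + nr_b)

def phase1_psk_demo(psk_at_responder: bytes = b"qwertyuiop") -> dict:
    """Both sides run phase 1 with a pre-shared key and the responder
    verifies HASH_I. All values below are constructed sample data."""
    cky_i = bytes.fromhex("0102030405060708")
    cky_r = bytes.fromhex("1112131415161718")
    ni_b, nr_b = b"initiator-nonce!", b"responder-nonce!"
    sai_b = bytes.fromhex("00000001000000010000000100000001")   # SA body
    idii_b = b"\x01\x00\x00\x00" + bytes([10, 0, 1, 1])         # ID_IPV4_ADDR
    xi, xr = 123456789, 987654321                                # DH secrets
    gxi, gxr = to_bytes(dh_public(xi)), to_bytes(dh_public(xr))
    # Each side computes g^xy from the public value it received.
    gxy_i = to_bytes(dh_shared(dh_public(xr), xi))
    gxy_r = to_bytes(dh_shared(dh_public(xi), xr))
    psk_i = b"qwertyuiop"                    # the key used in the PIX example
    skeyid_i = skeyid_psk(psk_i, ni_b, nr_b)
    skeyid_r = skeyid_psk(psk_at_responder, ni_b, nr_b)
    d_i, _, e_i = derive_skeyids(skeyid_i, gxy_i, cky_i, cky_r)
    _, _, e_r = derive_skeyids(skeyid_r, gxy_r, cky_i, cky_r)
    # The initiator sends HASH_I; the responder recomputes it with its own
    # SKEYID, so a mismatched pre-shared key fails here.
    sent = hash_i(skeyid_i, gxi, gxr, cky_i, cky_r, sai_b, idii_b)
    expected = hash_i(skeyid_r, gxi, gxr, cky_i, cky_r, sai_b, idii_b)
    spi, proto, qm_ni, qm_nr = b"\x00\x00\x12\x34", b"\x03", b"qm-ni", b"qm-nr"
    return {
        "gxy_match": gxy_i == gxy_r,
        "hash_i_ok": hmac.compare_digest(sent, expected),
        "skeyid_e_match": e_i == e_r,
        "keymat_nopfs": keymat(d_i, proto, spi, qm_ni, qm_nr),
        "keymat_pfs": keymat(d_i, proto, spi, qm_ni, qm_nr,
                             gqm_xy=to_bytes(dh_shared(dh_public(77), 99))),
    }
```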
8.12 PFS Perfect Forward Secrecy
PFSPSKRSA
KEYKEY
PFSRoute/VPN
8.13 IPsec over NAT-T
IPsec ESP TCP/UDP NAT UDP/TCP
IPsec
NAT-T IKE 1 2(Quick
Mode) NAT NAT-T NAT-T
INTERNET-DRAFT
draft-ietf-ipsec-nat-t-ike-06.txt
draft-ietf-ipsec-udp-encaps-06.txt
FreeBSD6 IPsec over NAT-T :
racoon-nattraversal-freebsd6.patch
8.13.1 NAT-T
NAT-T INTERNET-DRAFT
NAT-D payload( NAT Discovery PayLoad)
 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8
+---------------+---------------+---------------+---------------+
| Next Payload  | RESERVED      | Payload length                |
+---------------+---------------+---------------+---------------+
~ HASH of the address and port                                  ~
+---------------+---------------+---------------+---------------+
UDP-encapsulated ESP Header Format
 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|        Source Port            |      Destination Port         |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|           Length              |           Checksum            |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                      ESP header [RFC 2406]                    |
~                                                               ~
|                                                               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Floated IKE Header Format
 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|        Source Port            |      Destination Port         |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|           Length              |           Checksum            |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                       Non-ESP Marker                          |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                      IKE header [RFC 2409]                    |
~                                                               ~
|                                                               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
NAT-keepalive Packet Format
 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|        Source Port            |      Destination Port         |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|           Length              |           Checksum            |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|    0xFF       |
+-+-+-+-+-+-+-+-+
Transport Mode ESP Encapsulation
             BEFORE APPLYING ESP/UDP
         ----------------------------
   IPv4  |orig IP hdr  |     |      |
         |(any options)| TCP | Data |
         ----------------------------
             AFTER APPLYING ESP/UDP
         -------------------------------------------------------
   IPv4  |orig IP hdr  | UDP | ESP |     |      |   ESP   | ESP|
         |(any options)| Hdr | Hdr | TCP | Data | Trailer |Auth|
         -------------------------------------------------------
                                         |<-- encrypted -->|
                                   |<-- authenticated --->|
Tunnel Mode ESP Encapsulation
             BEFORE APPLYING ESP/UDP
         ----------------------------
   IPv4  |orig IP hdr  |     |      |
         |(any options)| TCP | Data |
         ----------------------------
             AFTER APPLYING ESP/UDP
         --------------------------------------------------------------
   IPv4  |new h.| UDP | ESP |orig IP hdr  |     |      |   ESP   | ESP|
         |(opts)| Hdr | Hdr |(any options)| TCP | Data | Trailer |Auth|
         --------------------------------------------------------------
                            |<------------ encrypted ----------->|
                      |<------------- authenticated ------------>|
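An added example (not code from the handbook or from racoon) that tells the three port 4500 packet kinds drawn above apart and checks a NAT-D hash the way the NAT-T drafts describe. It assumes SHA1 as the negotiated phase 1 hash, and the cookies, addresses and ports are constructed sample values.

```python
import hashlib
import socket
import struct
from dataclasses import dataclass
from typing import Union

# On UDP port 4500 the first octets tell the three packet kinds apart. An
# ESP SPI of zero is reserved, so four zero octets can only be the Non-ESP
# Marker of a floated IKE packet, and a one-octet 0xFF payload can only be
# a NAT-keepalive (RFC 3948).
NON_ESP_MARKER = b"\x00\x00\x00\x00"
NAT_KEEPALIVE = b"\xff"
IKE_HEADER = struct.Struct("!8s8sBBBBII")   # RFC 2409 header, 28 octets
ESP_HEADER = struct.Struct("!II")           # RFC 2406: SPI, sequence number


@dataclass
class EspPacket:
    spi: int
    seq: int
    body: bytes            # encrypted payload, trailer and auth, left opaque


@dataclass
class IkePacket:
    cky_i: bytes
    cky_r: bytes
    next_payload: int
    version: int
    exchange_type: int     # 2 = Main Mode, 4 = Aggressive, 32 = Quick Mode
    flags: int
    msg_id: int
    body: bytes


@dataclass
class NatKeepalive:
    pass


def demux_udp4500(payload: bytes) -> Union[EspPacket, IkePacket, NatKeepalive]:
    """Classify and parse the UDP payload of one port 4500 datagram."""
    if payload == NAT_KEEPALIVE:
        return NatKeepalive()
    if payload[:4] == NON_ESP_MARKER:
        ike = payload[4:]
        if len(ike) < IKE_HEADER.size:
            raise ValueError("truncated IKE header")
        cky_i, cky_r, nxt, ver, xchg, flags, msg_id, length = IKE_HEADER.unpack(ike[:IKE_HEADER.size])
        if length != len(ike):
            raise ValueError(f"IKE length {length} does not match {len(ike)} octets on the wire")
        return IkePacket(cky_i, cky_r, nxt, ver, xchg, flags, msg_id, ike[IKE_HEADER.size:])
    if len(payload) < ESP_HEADER.size:
        raise ValueError("truncated ESP header")
    spi, seq = ESP_HEADER.unpack(payload[:ESP_HEADER.size])
    return EspPacket(spi, seq, payload[ESP_HEADER.size:])


def is_malformed(payload: bytes) -> bool:
    try:
        demux_udp4500(payload)
        return False
    except ValueError:
        return True


def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int) -> bytes:
    """Body of a NAT-D payload: HASH(CKY-I | CKY-R | IP | Port) (RFC 3947).
    HASH is the phase 1 hash algorithm; SHA1 is assumed here."""
    return hashlib.sha1(cky_i + cky_r + socket.inet_aton(ip) + struct.pack("!H", port)).digest()


def nat_in_path(received_nat_d: bytes, cky_i: bytes, cky_r: bytes, seen_ip: str, seen_port: int) -> bool:
    """True when the peer hashed a different address/port than the one we
    observe, which is how both sides learn that a NAT sits between them."""
    return received_nat_d != nat_d_hash(cky_i, cky_r, seen_ip, seen_port)


def build_floated_ike(cky_i: bytes, cky_r: bytes, body: bytes = b"", exchange_type: int = 2, msg_id: int = 0) -> bytes:
    """Constructed floated IKE datagram: Non-ESP Marker + header + body."""
    hdr = IKE_HEADER.pack(cky_i, cky_r, 0, 0x10, exchange_type, 0, msg_id, IKE_HEADER.size + len(body))
    return NON_ESP_MARKER + hdr + body


def demo() -> dict:
    """Constructed sample traffic: an initiator on 192.168.1.10:500 behind
    a NAT that the responder sees as 203.0.113.5:4500."""
    cky_i = bytes.fromhex("0102030405060708")
    cky_r = bytes.fromhex("1112131415161718")
    sent_nat_d = nat_d_hash(cky_i, cky_r, "192.168.1.10", 500)
    return {
        "keepalive": demux_udp4500(NAT_KEEPALIVE),
        "ike": demux_udp4500(build_floated_ike(cky_i, cky_r, msg_id=7)),
        "esp": demux_udp4500(ESP_HEADER.pack(0x0A1B2C3D, 42) + b"\x00" * 16),
        "nat_seen": nat_in_path(sent_nat_d, cky_i, cky_r, "203.0.113.5", 4500),
        "no_nat": nat_in_path(sent_nat_d, cky_i, cky_r, "192.168.1.10", 500),
    }
```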
8.14 IPsec
IPsec IP
IP ADSL
IPsec IP IPsec
IP
ddnsguard IPsec
IP ddnsguard IPsec
IPsec
8.15 IPsec VPN
VPN IPsec IPsec VPN
IPsec
2
VPN:IPsec
->
IPsec
VPN WANLAN OPT
WAN
NAT-T NAT-T IKE NAT
UDP ESP NAT NAT-T
NAT-T IKE UDP 500 UDP4500 IKE
UDP 4500/500
VPN LAN
LAN LAN
IP IP
VPN
2
VPN IP
VPN
1
1 2
IKE
aggressive(main) VPN
SA
My IP address IP
IP Address IP
Domain Name
User FQDN [email protected]
IP DHCP IP
3DES SSF33/SCB2 VPN
HASH MD5SHA1 VPN
HASH
DH key group: 1024bitsGROUP 2 bit
2 1
28800
RSA
VPN
RSA : X509 PEM RSA
RSA
2
2
ESP IPsec VPN
ESPAH
ESP/AH
VPN
SSF33/SCB2
HASH SHA1MD5
SHA1 VPN
PFS key group: 1 1024bits
86400 20
PPTP
Francisco Artes m0n0wall-PPTP
9.1
PPTP VPN windows XP PPTP
m0n0wall PPTP VPN Linux
m0n0wall
m0n0wall
9.2
TCP/IP
emailm0n0wall
eamail
mailto:[email protected]
9.3
PPTP
NAT
PPTP
9.4 VLAN
VLAN VLAN
PPTP
/28 PPTP
2.55.255.255.255 PPTP
LAN LAN IP
VLAN
WAN internet
WAN PPTP
LAN LAN 192.168.1.1/24
192.168.2.254 192.168.2.16/28PPTP
LAN PPTP WAN OPT WiFi
PPTP windows PPTP
PPTP
9.5 PPTP
1 PPTP VPN: PPTP:
2 PPTP
3 LAN IP IP
ABC
4 16 16
IP /28 IP /28
IP 192.168.1.254, 192.168.1.192/28
PPTP IP VPN IP
PPTP
9.4 VLAN
5. RADIUS
6 128-bit
7 PPTP PPTP
9.6 PPTP
RADIUS
PPTP RADIUS
IP
9.7 PPTP
PPTP LAN
PPTP
PPTP LANWAN
LAN
1:
PPTP LANWANOPT
2AnyPPTP
PPTP->
3.
PPTP
9.7.1 PPTP
PPTP PPTP
PPTP IP PPTP LAN
WAN SAMBA
PPTP SSH LAN IP 192.168.1.151
ACLs
9.8 windows XP PPTP
1.
2
3.VPN
4VPN
5 myPPTP
6.
7. PPTP IP
8.
9. IPCONFIG
PING 192.168.16.2
9.9 PPTP
NAT PPTP m0n0wall
PPTP PPTP
WiFi IP
192.168.1.0/24 PPTP PPTP 192.168.1.0/24
IPPPTP IP PPTP
TCP
PPTP IP PPTP
IP
ISP DHCP PPTP
DHCP
DHCP renew PPTP VPN DHCP
PPTP ISP
DHCP
M0n0wall UPnP
PPTP Windows
PPTP
OpenVPN
[]
[]
Captive Portal
[]
[]
14.1 DMZ NAT
LAN/WANDMZ
Quick Start Guide(http://m0n0.ch/wall/quickstart/)
DMZ
IP DMZ IP 1:1 NAT
14.1.1
14.1.2
: OPT1
14.1.3
OPT1
DMZIP 192.168.2.1/24
14.1.4 DMZ
DMZ internet LAN
DMZ
LAN DMZ LAN IP DMZ
: DMZ DMZ
DMZ WANinternet
DMZ LAN DMZ IP DMZ
DMZ DMZ
14.1.5 DMZ LAN
DMZ LAN DMZ
LAN DNS cvsup cvsup-mirror
NTP TimeServer TimeServer cvsup-mirror
DMZ LAN
DMZ LAN
DMZ LAN
DMZ LAN
DMZ LAN DMZ
LAN
14.1.6 NAT
NAT 1:1NAT IP
1:1NAT IP NAT
IP DMZ NAT
1:1NAT
14.1.6.1 1:1NAT
/27 2.0.0.0/27VPN WAN
IP 2.0.0.2 1:1NAT IP 2.0.0.3 DMZ IP 2.0.0.4
DMZ WEB
: NAT: 1:1
WWW
14.1.6.2 1:1NAT
[]
14.1.6.3 NAT
IP DMZ IP
NAT: NAT:
IP WAN
WAN IP 25SMTP DMZ
HTTP
14.2 DMZ
[]
14.3
DMZ colocation facility
VPN LAN LAN
NAT LAN
LAN
111.111.111.8/29 8 IP8 = NOT(0xFFFFFFF8 1) IP 9-14
ID IP IP
5 LAN
14.3.1
LAN IP webGUI
: DNS webGUI
HTTPS
14.3.2 WAN
webGUI :WAN
IP111.111.111.10/29 111.111.111.9 WAN
14.3.3 OPT
OPT ServersWAN
IP
14.3.4
14.3.5
14.3.5.1 OPT
WEB
DNS 111.111.110.2 111.111.109.2(
)
HTTP CVSUP
14.3.5.2 WAN
IP m0n0wall webGUI
11.12.13.30 LAN
webGUI m0n0wall ()
SMTP HTTP/HTTPS WEB
14.3.5.3 LAN
LAN
LAN
14.3.5.4
14.3.6
site to site VPN
M0n0wall IPsec site-to-site VPN
IPsec VPN
m0n0wall
m0n0wall
There is a section of the wiki dedicated to configurations for this chapter.
15.1 Cisco PIX Firewall
m0n0wall PIX IPsec
http://wiki.m0n0.ch/wikka.php?wakka=ExampleVPNs
15.1.1 PIX
PIX 3DES
pixfirewall# sh ver
Cisco PIX Firewall Version 6.3(3)
Cisco PIX Device Manager Version 2.0(2)
Compiled on Wed 13-Aug-03 13:55 by morlee
pixfirewall up 157 days 5 hours
Hardware: PIX-515E, 32 MB RAM, CPU Pentium II 433 MHz
VPN-3DES-AESEnablePIX 3DES keyPIX
CISCO 3DES Key
http://www.cisco.com/pcgi-bin/Software/FormManager/formgenerator.pl 3DES/AES
Encryption LicenseVPNDESDES
PIX VPN
pixfirewall# sh isakmp policy
Default protection suite
encryption algorithm: DES - Data Encryption Standard (56 bit keys).
VPN VPN
VPN
PIX IPSec
pixfirewall(config)# sysopt connection permit-ipsec
outside ISAKMP( outside internet ):
pixfirewall(config)# isakmp enable outside
PIX isakmp policy
pixfirewall(config)# isakmp policy ?
Usage: isakmp policy <priority> authen <pre-share|rsa-sig>
isakmp policy <priority> encrypt <aes|aes-192|aes-256|des|3des>
isakmp policy <priority> hash <md5|sha>
isakmp policy <priority> group <1|2|5>
isakmp policy <priority> lifetime <seconds>
PIX ISAKMP :
isakmp policy 10 authen pre-share
isakmp policy 10 encrypt 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
pre-shared keys3DES MD5 HASH 86400
VPN pre-shared keys 1.1.1.1 m0n0wall
IPqwertyuiop
isakmp key qwertyuiop address 1.1.1.1 netmask 255.255.255.255
access-list monovpn permit ip 10.0.0.0 255.255.255.0 10.0.1.0 255.255.255.0
access-list monovpn permit ip 10.0.0.0 255.255.255.0 10.0.1.0 255.255.255.0
VPN
crypto ipsec transform-set monovpnset esp-3des esp-md5-hmac
monovpnset
SA
VPN (crypto map)monovpnmap 1.1.1.1 m0n0wall IP
crypto ipsec security-association lifetime seconds 86400 kilobytes 50000
crypto map monovpnmap 10 ipsec-isakmp
crypto map monovpnmap 10 set peer 1.1.1.1
crypto map monovpnmap 10 set transform-set monovpnset
VPN ipsec-isakmp IP1.1.1.1(monovpnset,
) monovpn() VPN
PIX VPN NAT
NAT
pixfirewall# sh nat
nat (inside) 0 access-list no-nat
nat (inside) 0no-nat
NAT DMZ
access-list no-nat permit ip 10.0.0.1 255.255.255.0 10.0.1.0 255.255.255.0
access-list no-nat permit ip 10.0.1.0 255.255.255.0 10.0.0.0 255.255.255.0
sh natnat (inside) 0no-nat
no-nat
nat (interface-name) 0 access-list no-nat
LAN interface-name
15.1.2 m0n0wall
webGUI VPN IPSec
IPSec
+ IPSec
WAN
NAT-T NAT
LAN
10.0.0.0/24 PIX
PIX IP
PIX VPN
1
Aggressive
My IP Address
3DES
HASH MD5
DH Key Group: 2
86400
qwertyuiop ( PIX )
2
ESP
3DES
HASH MD5
PFS key group: 2
86400
m0n0wall 1.2 beta
PFS key group :OFF
m0n0wall
Cisco Cisco VPN
concentrator
15.2 Smoothwall
15.3 FreeS/WAN (OpenSwan)
15.4 Sonicwall
15.5 Nortel
(FAQ)