<!--
     The FreeBSD Russian Documentation Project

     $FreeBSDru: frdp/doc/ru_RU.KOI8-R/articles/checkpoint/article.sgml,v 1.5 2004/07/16 12:05:55 den Exp $

     Original revision: r27201
-->

<!-- Copyright (c) 2001 The FreeBSD Documentation Project

     Redistribution and use in source (SGML DocBook) and 'compiled' forms
     (SGML, HTML, PDF, PostScript, RTF and so forth) with or without
     modification, are permitted provided that the following conditions
     are met:

      1. Redistributions of source code (SGML DocBook) must retain the above
         copyright notice, this list of conditions and the following
         disclaimer as the first lines of this file unmodified.

      2. Redistributions in compiled form (transformed to other DTDs,
         converted to PDF, PostScript, RTF and other formats) must reproduce
         the above copyright notice, this list of conditions and the
         following disclaimer in the documentation and/or other materials
         provided with the distribution.

     THIS DOCUMENTATION IS PROVIDED BY THE FREEBSD DOCUMENTATION PROJECT "AS
     IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
     THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
     PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL NIK CLAYTON BE LIABLE FOR ANY
     DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
     DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
     OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
     HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
     STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
     ANY WAY OUT OF THE USE OF THIS DOCUMENTATION, EVEN IF ADVISED OF THE
     POSSIBILITY OF SUCH DAMAGE.
-->

<!DOCTYPE article PUBLIC "-//FreeBSD//DTD DocBook V4.1-Based Extension//EN" [
<!ENTITY % articles.ent PUBLIC "-//FreeBSD//ENTITIES DocBook FreeBSD Articles Entity Set//EN">
%articles.ent;
<!ENTITY legalnotice SYSTEM "../../share/sgml/legalnotice.sgml">

]>

<article lang="ru">
  <articleinfo>
    <title>éÎÔÅÇÒÁÃÉÑ FreeBSD IPsec É Check Point <trademark
      class='registered'>VPN-1</trademark>/<trademark
      class='registered'>Firewall-1</trademark></title>

    <authorgroup>
      <author>
	<firstname>Jon</firstname>

	<surname>Orbeton</surname>

	<affiliation>
	  <address><email>jono@securityreports.com</email></address>
	</affiliation>
      </author>

      <author>
	<firstname>Matt</firstname>

	<surname>Hite</surname>

	<affiliation>
	  <address><email>mhite@hotmail.com</email></address>
	</affiliation>
      </author>
    </authorgroup>

    <pubdate>$FreeBSD$</pubdate>

    <copyright>
      <year>2001</year>
      <year>2002</year>
      <year>2003</year>

      <holder role="mailto:jono@securityreports.com">Jon Orbeton</holder>
    </copyright>

    &legalnotice;

    <legalnotice id="trademarks" role="trademarks">
      &tm-attrib.freebsd;
      &tm-attrib.check-point;
      &tm-attrib.general;
    </legalnotice>

    <abstract>
      <para>÷ ÜÔÏÍ ÄÏËÕÍÅÎÔÅ ÏÐÉÓÙ×ÁÅÔÓÑ, ËÁË ÎÁÓÔÒÏÉÔØ
	<acronym>VPN</acronym>-ÔÕÎÎÅÌÉÒÏ×ÁÎÉÅ ÍÅÖÄÕ FreeBSD É
	<trademark class='registered'>VPN-1</trademark>/
	<trademark class='registered'>Firewall-1</trademark> ËÏÍÐÁÎÉÉ
	Check Point.  ÷ ÄÒÕÇÉÈ ÉÍÅÀÝÉÈÓÑ ÐÕÂÌÉËÁÃÉÑÈ ÄÁ£ÔÓÑ ÔÁËÁÑ ÉÎÆÏÒÍÁÃÉÑ,
	ÎÏ × ÎÅÊ ÎÅ ÓÏÄÅÒÖÁÔÓÑ ÉÎÓÔÒÕËÃÉÉ, ÓÐÅÃÉÆÉÞÎÙÅ ÄÌÑ VPN-1/Firewall-1 É
	ÅÇÏ ÉÎÔÅÇÒÁÃÉÉ Ó FreeBSD.  ïÎÉ ÐÅÒÅÞÉÓÌÅÎÙ × ÚÁ×ÅÒÛÁÀÝÅÊ ÞÁÓÔÉ ÜÔÏÊ
	ÒÁÂÏÔÙ ÄÌÑ ÄÁÌØÎÅÊÛÅÇÏ ÉÚÕÞÅÎÉÑ.</para>
    </abstract>
  </articleinfo>

  <sect1 id="prerequisites">
    <title>éÓÈÏÄÎÙÅ ÄÁÎÎÙÅ</title>

    <para>äÁÌÅÅ ÐÏËÁÚÁÎÁ ÓÈÅÍÁ ÒÁÓÐÏÌÏÖÅÎÉÑ ÍÁÛÉÎ É ÓÅÔÅÊ, Ï ËÏÔÏÒÙÈ ÉÄ£Ô ÒÅÞØ
      × ÜÔÏÍ ÄÏËÕÍÅÎÔÅ.</para>

    <mediaobject>
      <imageobject>
	<imagedata fileref="networks">
      </imageobject>

      <textobject>
	<literallayout class="monospaced">         ÷ÎÅÛÎÉÊ ÉÎÔÅÒÆÅÊÓ                ÷ÎÅÛÎÉÊ ÉÎÔÅÒÆÅÊÓ
           208.229.100.6                    216.218.197.2
                       |                    |
         +--&gt; Firewall-1 &lt;--&gt; Internet &lt;--&gt; FreeBSD GW &lt;--+
         |                                                |
óÅÔÉ ÐÏÄ ÚÁÝÉÔÏÊ FW-1                              ÷ÎÕÔÒÅÎÎÉÅ ÓÅÔÉ
199.208.192.0/24                               192.168.10.0/24</literallayout>
      </textobject>

      <textobject>
	<phrase>óÅÔØ FW-1 É ÓÅÔØ FreeBSD</phrase>
      </textobject>
    </mediaobject>

    <para>ûÌÀÚ <acronym>GW</acronym> ÎÁ ÏÓÎÏ×Å FreeBSD ×ÙÓÔÕÐÁÅÔ × ËÁÞÅÓÔ×Å
      ÍÅÖÓÅÔÅ×ÏÇÏ ÜËÒÁÎÁ É <acronym>NAT</acronym>-ÕÓÔÒÏÊÓÔ×Á ÄÌÑ
      <quote>×ÎÕÔÒÅÎÎÉÈ ÓÅÔÅÊ.</quote></para>

    <para>ñÄÒÏ FreeBSD ÄÏÌÖÎÏ ÂÙÔØ ÐÏÓÔÒÏÅÎÏ Ó ÐÏÄÄÅÒÖËÏÊ IPsec.  äÌÑ ×ËÌÀÞÅÎÉÑ
      IPsec × ×ÁÛÅÍ ÑÄÒÅ ÉÓÐÏÌØÚÕÊÔÅ ÓÌÅÄÕÀÝÉÅ ÐÁÒÁÍÅÔÒÙ ÑÄÒÁ:</para>

    <programlisting>options         IPSEC
options         IPSEC_ESP
options         IPSEC_DEBUG</programlisting>

    <para>äÌÑ ÐÏÌÕÞÅÎÉÑ ÉÎÆÏÒÍÁÃÉÉ ÐÏ ÐÏÓÔÒÏÅÎÉÀ ÎÅÓÔÁÎÄÁÒÔÎÏÇÏ ÑÄÒÁ,
      ÏÂÒÁÔÉÔÅÓØ Ë <ulink url="&url.books.handbook;/kernelconfig.html">
      òÕËÏ×ÏÄÓÔ×Õ ÐÏ FreeBSD</ulink>.  ðÏÖÁÌÕÊÓÔÁ, ÚÁÍÅÔØÔÅ, ÞÔÏ ÍÅÖÄÕ ÈÏÓÔÁÍÉ
      <trademark class='registered'>Firewall-1</trademark> É
      <acronym>GW</acronym> Ó FreeBSD ÄÏÌÖÎÙ ÂÙÔØ ÒÁÚÒÅÛÅÎÙ ÓÏÅÄÉÎÅÎÉÑ
      <acronym>IP</acronym> protocol&nbsp;50 (<acronym>ESP</acronym>) É
      <acronym>UDP</acronym> port&nbsp;<literal>500</literal>.</para>

    <para>ëÒÏÍÅ ÔÏÇÏ, ÄÌÑ ÐÏÄÄÅÒÖËÉ ÏÂÍÅÎÁ ËÌÀÞÁÍÉ ÄÏÌÖÅÎ ÂÙÔØ ÕÓÔÁÎÏ×ÌÅÎ
      ÐÁËÅÔ <application>racoon</application>.
      <application>Racoon</application> Ñ×ÌÑÅÔÓÑ ÞÁÓÔØÀ ËÏÌÌÅËÃÉÉ ÐÏÒÔÏ×
      FreeBSD É ÎÁÈÏÄÉÔÓÑ × ÐÁËÁÄÖÅ <filename
      role="package">security/racoon</filename>.  æÁÊÌ ËÏÎÆÉÇÕÒÁÃÉÉ
      <application>racoon</application> ÂÕÄÅÔ ÏÐÉÓÁÎ ÎÉÖÅ × ÜÔÏÍ
      ÄÏËÕÍÅÎÔÅ.</para>
  </sect1>

  <sect1 id="object">
    <title>îÁÓÔÒÏÊËÁ ÓÅÔÅ×ÙÈ ÏÂßÅËÔÏ× × Firewall-1</title>

    <para>îÁÞÎÉÔÅ Ó ÎÁÓÔÒÏÊËÉ ÐÏÌÉÔÉËÉ Firewall-1.  ïÔËÒÏÊÔÅ ÒÅÄÁËÔÏÒ ÐÏÌÉÔÉË
      Policy Editor ÎÁ ÓÅÒ×ÅÒÅ ÕÐÒÁ×ÌÅÎÉÑ Firewall-1 É ÓÏÚÄÁÊÔÅ ÎÏ×ÙÊ ÓÅÔÅ×ÏÊ
      ÏÂßÅËÔ (Network Object) ÔÉÐÁ <quote>Workstation</quote>, ËÏÔÏÒÙÊ ÂÕÄÅÔ
      ÐÒÅÄÓÔÁ×ÌÑÔØ ÍÁÛÉÎÕ <acronym>GW</acronym> Ó FreeBSD.</para>

   <programlisting>General Tab:
		Set name and IP address

VPN Tab:
		Encryption Schemes Defined:             IKE               ---&gt; Edit

IKE Properties:
		Key Negotiation Encryption Methods:     3DES

Authentication Method:
		Pre-Shared Secret ---&gt; Edit</programlisting>

    <para>÷ÙÂÅÒÉÔÅ Firewall Object É ÕÓÔÁÎÏ×ÉÔÅ ÚÁÒÁÎÅÅ ÉÚ×ÅÓÔÎÙÊ ÐÁÒÏÌØ.  (îÅ
      ÉÓÐÏÌØÚÕÊÔÅ ÅÇÏ ÉÚ ÎÁÛÅÇÏ ÐÒÉÍÅÒÁ.)</para>

    <programlisting>Support Aggressive Mode:                 Checked
Supports Subnets:                      Checked</programlisting>

    <para>ðÏÓÌÅ ÕÓÔÁÎÏ×ËÉ ÉÚ×ÅÓÔÎÏÇÏ ÐÁÒÏÌÑ × ÏÐÒÅÄÅÌÅÎÉÉ ÓÅÔÅ×ÏÇÏ ÏÂßÅËÔÁ
      Firewall-1, ÕËÁÖÉÔÅ ÜÔÏÔ ÐÁÒÏÌØ × ÆÁÊÌÅ
      <filename>/usr/local/etc/racoon/psk.txt</filename> × ÓÉÓÔÅÍÅ FreeBSD ÎÁ
      <acronym>GW</acronym>.  æÏÒÍÁÔ ÆÁÊÌÁ <filename>psk.txt</filename>
      ÔÁËÏ×:</para>

    <programlisting>208.229.100.6          rUac0wtoo?</programlisting>
  </sect1>

  <sect1 id="rulecfg">
    <title>ëÏÎÆÉÇÕÒÁÃÉÑ VPN-ÐÒÁ×ÉÌÁ × Firewall-1</title>

    <para>ôÅÐÅÒØ ÓÏÚÄÁÊÔÅ × Firewall-1 ÐÒÁ×ÉÌÏ, ×ËÌÀÞÁÀÝÅÅ ÛÉÆÒÏ×ÁÎÉÅ ÍÅÖÄÕ
      ÍÁÛÉÎÏÊ <acronym>GW</acronym> Ó FreeBSD É ÓÅÔØÀ, ÚÁÝÉÝ£ÎÎÏÊ Firewall-1.
      ÷ ÜÔÏÍ ÐÒÁ×ÉÌÅ ÄÏÌÖÎÙ ÂÙÔØ ÚÁÄÁÎÙ ÓÅÔÅ×ÙÅ ÓÅÒ×ÉÓÙ, ÒÁÚÒÅÛ£ÎÎÙÅ Ë ÒÁÂÏÔÅ
      ÞÅÒÅÚ <acronym>VPN</acronym>.</para>

    <programlisting>Source            | Destination        | Service      | Action  | Track
------------------------------------------------------------------------
FreeBSD GW        | FW-1 Protected Net | VPN services | Encrypt | Long
FW-1 Protected Net| FreeBSD GW         |              |         |</programlisting>

    <para><quote>VPN-ÓÅÒ×ÉÓÁÍÉ</quote> Ñ×ÌÑÀÔÓÑ ÌÀÂÙÅ ÓÅÒ×ÉÓÙ (ÔÏ ÅÓÔØ
      <command>telnet</command>, <acronym>SSH</acronym>,
      <acronym>NTP</acronym> É ÔÁË ÄÁÌÅÅ), Ë ËÏÔÏÒÙÍ ÒÁÚÒÅۣΠÄÏÓÔÕÐ ÕÄÁÌ£ÎÎÏÍÕ
      ÈÏÓÔÕ ÞÅÒÅÚ <acronym>VPN</acronym>.  âÕÄØÔÅ ×ÎÉÍÁÔÅÌØÎÙ ÐÒÉ ×ËÌÀÞÅÎÉÉ
      ÓÅÒ×ÉÓÏ×; ÈÏÓÔÙ, ÐÏÄËÌÀÞÁÅÍÙÅ ÞÅÒÅÚ <acronym>VPN</acronym>, ÐÒÏÄÏÌÖÁÀÔ
      ÐÒÅÄÓÔÁ×ÌÑÔØ ÐÏÔÅÎÃÉÁÌØÎÕÀ ÏÐÁÓÎÏÓÔØ.  ûÉÆÒÏ×ÁÎÉÅ ÔÒÁÆÉËÁ ÍÅÖÄÕ Ä×ÕÍÑ
      ÓÅÔÑÍÉ ÄÁ£Ô ÓÌÁÂÕÀ ÚÁÝÉÔÕ, ÅÓÌÉ ÌÀÂÏÊ ÉÚ ÈÏÓÔÏ× ÎÁ ÏÂÅÉÈ ÓÔÏÒÏÎÁÈ ÔÕÎÎÅÌÑ
      ÂÙÌ ×ÚÌÏÍÁÎ.</para>

    <para>ðÏÓÌÅ ÎÁÓÔÒÏÊËÉ ÐÒÁ×ÉÌÁ ÛÉÆÒÏ×ÁÎÉÑ ÄÁÎÎÙÈ ÍÅÖÄÕ ÍÁÛÉÎÏÊ
      <acronym>GW</acronym> Ó FreeBSD É ÓÅÔØÀ, ÚÁÝÉÝ£ÎÎÏÊ Firewall-1,
      ÐÒÏÓÍÏÔÒÉÔÅ ÎÁÓÔÒÏÊËÉ <quote>Action Encrypt</quote>.</para>

    <programlisting>Encryption Schemes Defined:     IKE ---&gt; Edit
Transform:                      Encryption + Data Integrity (ESP)
Encryption Algorithm:           3DES
Data Integrity:                 MD5
Allowed Peer Gateway:           Any or Firewall Object
Use Perfect Forward Secrecy:    Checked</programlisting>

    <para>éÓÐÏÌØÚÏ×ÁÎÉÅ ÔÅÈÎÏÌÏÇÉÉ Perfect Forward Secrecy
      (<acronym>PFS</acronym>) Ñ×ÌÑÅÔÓÑ ÎÅÏÂÑÚÁÔÅÌØÎÙÍ.  ÷ËÌÀÞÅÎÉÅ
      <acronym>PFS</acronym> ÄÏÂÁ×ÉÔ ÅÝ£ ÏÄÉÎ ÕÒÏ×ÅÎØ ÂÅÚÏÐÁÓÎÏÓÔÉ ÎÁ ÕÒÏ×ÎÅ
      ÛÉÆÒÏ×ÁÎÉÑ ÄÁÎÎÙÈ, ÏÄÎÁËÏ ÐÒÉ×ÅÄ£Ô Ë Õ×ÅÌÉÞÅÎÉÀ ÎÁÇÒÕÚËÉ ÎÁ
      <acronym>CPU</acronym>.  åÓÌÉ <acronym>PFS</acronym> ÎÅ ÉÓÐÏÌØÚÕÅÔÓÑ,
      ÔÏ ×ÙËÌÀÞÉÔÅ ÆÌÁÇ ×ÙÛÅ É ÚÁËÏÍÍÅÎÔÉÒÕÊÔÅ ÓÔÒÏÞËÕ
      <literal>pfs_group&nbsp;1</literal> × ÆÁÊÌÅ
      <filename>racoon.conf</filename> ÎÁ ÍÁÛÉÎÅ <acronym>GW</acronym> Ó
      FreeBSD.  ðÒÉÍÅÒ ÆÁÊÌÁ <filename>racoon.conf</filename> ÄÁÎ ÎÉÖÅ ×
      ÜÔÏÍ ÄÏËÕÍÅÎÔÅ.</para>
  </sect1>

  <sect1 id="policy">
    <title>ëÏÎÆÉÇÕÒÁÃÉÑ ÐÏÌÉÔÉËÉ <acronym>VPN</acronym> ×Ï FreeBSD</title>

    <para>îÁ ÜÔÏÍ ÜÔÁÐÅ ÄÏÌÖÎÁ ÂÙÔØ ÚÁÄÁÎÁ ÐÏÌÉÔÉËÁ <acronym>VPN</acronym> ÎÁ
      ÍÁÛÉÎÅ <acronym>GW</acronym> Ó FreeBSD.  üÔÕ ÆÕÎËÃÉÀ ×ÙÐÏÌÎÑÅÔ ÕÔÉÌÉÔÁ
      &man.setkey.8;.</para>

    <para>îÉÖÅ ÄÁ£ÔÓÑ ÐÒÉÍÅÒ ÓËÒÉÐÔÁ ËÏÍÁÎÄÎÏÇÏ ÐÒÏÃÅÓÓÏÒÁ, ËÏÔÏÒÙÊ ÓÂÒÁÓÙ×ÁÅÔ
      &man.setkey.8; É ÄÏÂÁ×ÌÑÅÔ ×ÁÛÉ ÐÒÁ×ÉÌÁ ÐÏÌÉÔÉËÉ
      <acronym>VPN</acronym>.</para>

    <programlisting>#
# /etc/vpn1-ipsec.sh
#
# IP addresses
#
#     External Interface                    External Interface
#       208.229.100.6                       216.218.197.2
#                   |                       |
#        +--&gt; Firewall-1 &lt;--&gt; Internet &lt;--&gt; FreeBSD GW &lt;--+
#        |                                                |
# FW-1 Protected Nets                              Internal Nets
#    199.208.192.0/24                                  192.168.10.0/24
#
# Flush the policy
#
setkey -FP
setkey -F
#
# Configure the Policy
#
setkey -c &lt;&lt; END
spdadd 216.218.197.2/32 199.208.192.0/24 any -P out ipsec
esp/tunnel/216.218.197.2-208.229.100.6/require;
spdadd 199.208.192.0/24 216.218.197.2/32 any -P in ipsec
esp/tunnel/208.229.100.6-216.218.197.2/require;
END
#</programlisting>

    <para>÷ÙÐÏÌÎÉÔÅ ËÏÍÁÎÄÙ &man.setkey.8;:</para>

    <screen>&prompt.root; <userinput>sh /etc/vpn1-ipsec.sh</userinput></screen>
  </sect1>

  <sect1 id="racoon">
    <title>ëÏÎÆÉÇÕÒÁÃÉÑ <application>Racoon</application> ×Ï FreeBSD</title>

    <para>äÌÑ ÏÂÅÓÐÅÞÅÎÉÑ ÓÏÇÌÁÓÏ×ÁÎÉÑ ËÌÀÞÅÊ IPsec ÎÁ ÍÁÛÉÎÅ
      <acronym>GW</acronym> Ó FreeBSD, ÎÅÏÂÈÏÄÉÍÏ ÕÓÔÁÎÏ×ÉÔØ É ÓËÏÎÆÉÇÕÒÉÒÏ×ÁÔØ
      ÐÏÒÔ <filename role="package">security/racoon</filename>.</para>

    <para>äÁÌÅÅ ÐÒÉ×ÏÄÉÔÓÑ ÆÁÊÌ ËÏÎÆÉÇÕÒÁÃÉÉ <application>racoon</application>,
      ËÏÔÏÒÙÊ ÐÏÄÈÏÄÉÔ ÄÌÑ ÉÓÐÏÌØÚÏ×ÁÎÉÑ Ó ÐÒÉÍÅÒÁÍÉ, ÏÐÉÓÁÎÎÙÍÉ × ÜÔÏÍ
      ÄÏËÕÍÅÎÔÅ.  ðÏÖÁÌÕÊÓÔÁ, ÐÅÒÅÄ ÅÇÏ ÉÓÐÏÌØÚÏ×ÁÎÉÅÍ × ÒÅÁÌØÎÏÊ ÜËÓÐÌÕÁÔÁÃÉÉ
      ÕÂÅÄÉÔÅÓØ, ÞÔÏ ÐÏÌÎÏÓÔØÀ ÐÏÎÉÍÁÅÔÅ ÅÇÏ ÎÁÚÎÁÞÅÎÉÅ.</para>

    <programlisting># racoon.conf for use with Check Point VPN-1/Firewall-1
#
# search this file for pre_shared_key with various ID key.
#
        path pre_shared_key "/usr/local/etc/racoon/psk.txt" ;   # keep this file mode 600 (see below)
        log debug;              # verbose; lower to notify once the tunnel is verified
#
# "padding" defines some parameter of padding.  You should not touch these.
#
        padding
      {
        maximum_length 20;      # maximum padding length.
        randomize off;          # enable randomize length.
        strict_check off;       # enable strict check.
        exclusive_tail off;     # extract last one octet.
      }

        listen
      {
        #isakmp ::1 [7000];
        #isakmp 0.0.0.0 [500];
        #admin [7002];          # administrative port by kmpstat.
        #strict_address;        # required all addresses must be bound.
      }
#
# Specification of default various timers.
#
        timer
      {
#
# These values can be changed per remote node.
#
        counter 5;              # maximum trying count to send.
        interval 20 sec;        # maximum interval to resend.
        persend 1;              # the number of packets per a send.
#
# timer for waiting to complete each phase.
#
        phase1 30 sec;
        phase2 15 sec;
      }

        remote anonymous
      {
        # Firewall-1 is configured for Aggressive mode above.  Aggressive mode with a
        # pre-shared key does not protect the identity exchange, so the secret in
        # psk.txt must be long and random.
        exchange_mode aggressive,main; # For Firewall-1 Aggressive mode

        #my_identifier address;
        #my_identifier user_fqdn "";
        #my_identifier address "";
        #peers_identifier address "";
        #certificate_type x509 "" "";

        nonce_size 16;
        lifetime time 10 min;   # sec,min,hour
        lifetime byte 5 MB;     # B,KB,GB
        initial_contact on;
        support_mip6 on;
        proposal_check obey;    # obey, strict or claim

        proposal {
                # Must match the IKE properties of the Firewall-1 object
                # (3DES, MD5, pre-shared secret).  dh_group 2 is the 1024-bit
                # MODP group; confirm the peer is set to the same group.
                encryption_algorithm 3des;
                hash_algorithm md5;
                authentication_method pre_shared_key;
                dh_group 2 ;
        }
      }

        sainfo anonymous
      {
        pfs_group 1;            # 768-bit MODP; comment out if "Use Perfect Forward Secrecy"
                                # is unchecked on Firewall-1, or pick a larger group
                                # when both ends support it
        lifetime time 10 min;
        lifetime byte 50000 KB;
        encryption_algorithm 3des;
        authentication_algorithm hmac_md5;
        compression_algorithm deflate ;
      }</programlisting>

    <para>ðÒÏ×ÅÒØÔÅ, ÞÔÏ ÆÁÊÌ
      <filename>/usr/local/etc/racoon/psk.txt</filename> ÓÏÄÅÒÖÉÔ ÔÏÔ ÖÅ ÓÁÍÙÊ
      ÚÁÒÁÎÅÅ ÉÚ×ÅÓÔÎÙÊ ÐÁÒÏÌØ, ÞÔÏ ÎÁÓÔÒÁÉ×ÁÌÓÑ ÐÒÉ ÐÏÍÏÝÉ ÒÁÚÄÅÌÁ
      <quote>îÁÓÔÒÏÊËÁ ÓÅÔÅ×ÙÈ ÏÂßÅËÔÏ× × Firewall-1</quote> ÜÔÏÇÏ ÄÏËÕÍÅÎÔÁ,
      É ÉÍÅÅÔ ÒÅÖÉÍ ÄÏÓÔÕÐÁ <literal>600</literal>.</para>

    <screen>&prompt.root; <userinput>chmod 600 /usr/local/etc/racoon/psk.txt</userinput></screen>
  </sect1>

  <sect1 id="startingvpn">
    <title>úÁÐÕÓË <acronym>VPN</acronym> × ÒÁÂÏÔÕ</title>

    <para>ôÅÐÅÒØ ×Ù ÇÏÔÏ×Ù Ë ÚÁÐÕÓËÕ <application>racoon</application> É
      ÔÅÓÔÉÒÏ×ÁÎÉÀ ÔÕÎÎÅÌÑ <acronym>VPN</acronym>.  äÌÑ ÃÅÌÅÊ ÏÔÌÁÄËÉ ÏÔËÒÏÊÔÅ
      Log Viewer ÎÁ Firewall-1 É ÚÁÄÁÊÔÅ ÆÉÌØÔÒ ÐÒÏÔÏËÏÌÉÒÏ×ÁÎÉÑ ÄÌÑ ×ÙÄÅÌÅÎÉÑ
      ÚÁÐÉÓÅÊ, ÏÔÎÏÓÑÝÉÈÓÑ Ë ÍÁÛÉÎÅ <acronym>GW</acronym> Ó FreeBSD.  ÷ÁÍ ÍÏÖÅÔ
      ÔÁËÖÅ ÐÒÉÇÏÄÉÔØÓÑ ÐÒÏÓÍÏÔÒ ÖÕÒÎÁÌÁ <application>racoon</application> ÐÒÉ
      ÐÏÍÏÝÉ ËÏÍÁÎÄÙ &man.tail.1;:</para>

    <screen>&prompt.root; <userinput>tail -f /var/log/racoon.log</userinput></screen>

    <para>úÁÐÕÓÔÉÔÅ <application>racoon</application> ÐÏÓÒÅÄÓÔ×ÏÍ ÓÌÅÄÕÀÝÅÊ
      ËÏÍÁÎÄÙ:</para>

    <screen>&prompt.root; <userinput>/usr/local/sbin/racoon -f /usr/local/etc/racoon/racoon.conf</userinput></screen>

    <para>ðÏÓÌÅ ÚÁÐÕÓËÁ <application>racoon</application> ×ÙÐÏÌÎÉÔÅ ÐÏÄËÌÀÞÅÎÉÅ
      ÐÏ &man.telnet.1; Ë ÈÏÓÔÕ × ÓÅÔÉ, ÚÁÝÉÝ£ÎÎÏÊ Firewall-1.</para>

    <screen>&prompt.root; <userinput>telnet -s 192.168.10.3 199.208.192.66 22</userinput></screen>

    <para>ðÏ ÜÔÏÊ ËÏÍÁÎÄÅ ×ÙÐÏÌÎÑÅÔÓÑ ÐÏÐÙÔËÁ ÐÏÄËÌÀÞÅÎÉÑ Ë &man.ssh.1;-ÐÏÒÔÕ
      ÍÁÛÉÎÙ <hostid role="ipaddr">199.208.192.66</hostid>, ÔÏÊ, ÞÔÏ ÎÁÈÏÄÉÔÓÑ
      × ÓÅÔÉ, ÚÁÝÉÝ£ÎÎÏÊ Firewall-1.  ðÁÒÁÍÅÔÒ <option>-s</option> ÚÁÄÁ£Ô
      ÉÓÐÏÌØÚÕÅÍÙÊ ÉÎÔÅÒÆÅÊÓ × ÉÓÈÏÄÑÝÅÍ ÓÏÅÄÉÎÅÎÉÉ.  üÔÏ, × ÞÁÓÔÎÏÓÔÉ, ×ÁÖÎÏ
      ÐÒÉ ÉÓÐÏÌØÚÏ×ÁÎÉÉ ÎÁ ÍÁÛÉÎÅ <acronym>GW</acronym> Ó FreeBSD ÔÅÈÎÏÌÏÇÉÊ
      <acronym>NAT</acronym> É <acronym>IPFW</acronym>.  éÓÐÏÌØÚÏ×ÁÎÉÅ
      <literal>-s</literal> É Ñ×ÎÏÅ ÚÁÄÁÎÉÅ ÉÓÈÏÄÑÝÅÇÏ ÁÄÒÅÓÁ ÎÅ ÐÏÚ×ÏÌÉÔ
      <acronym>NAT</acronym> ÐÏÄÍÅÎÑÔØ ÐÁËÅÔÙ ÐÅÒÅÄ ÔÕÎÎÅÌÉÒÏ×ÁÎÉÅÍ.</para>

    <para>ðÒÉ ÕÓÐÅÛÎÏÍ ÏÂÍÅÎÅ ËÌÀÞÁÍÉ <application>racoon</application> ×ÙÄÁÓÔ
      × ÆÁÊÌ ÐÒÏÔÏËÏÌÁ <filename>racoon.log</filename> ÓÌÅÄÕÀÝÅÅ:</para>

    <programlisting>pfkey UPDATE succeeded: ESP/Tunnel 216.218.197.2->208.229.100.6
pk_recvupdate(): IPSec-SA established: ESP/Tunnel 216.218.197.2->208.229.100.6
get pfkey ADD message IPsec-SA established: ESP/Tunnel 208.229.100.6->216.218.197.2</programlisting>

    <para>ðÏÓÌÅ ÔÏÇÏ, ËÁË ÏÂÍÅÎ ËÌÀÞÁÍÉ ÂÕÄÅÔ ÚÁ×ÅÒۣΠ(ÞÔÏ ÚÁÎÉÍÁÅÔ ÎÅÓËÏÌØËÏ
      ÓÅËÕÎÄ), ÂÕÄÅÔ ×ÙÄÁÎÁ ÚÁÓÔÁ×ËÁ &man.ssh.1;.  åÓÌÉ ×Ó£ ÐÒÏÛÌÏ ÎÏÒÍÁÌØÎÏ,
      × ÓÒÅÄÓÔ×Å Log Viewer ÎÁ Firewall-1 ÂÕÄÅÔ ÚÁÆÉËÓÉÒÏ×ÁÎÏ Ä×Á ÓÏÏÂÝÅÎÉÑ
      <quote>Key Install</quote>.</para>

    <programlisting>Action      |  Source        |  Dest.             | Info.
Key Install |  216.218.197.2 |  208.229.100.6     | IKE Log: Phase 1 (aggressive) completion.
Key Install |  216.218.197.2 |  208.229.100.6     | scheme: IKE methods</programlisting>

    <para>÷ ÉÎÆÏÒÍÁÃÉÏÎÎÏÊ ËÏÌÏÎËÅ ÐÏÄÒÏÂÎÙÊ ÐÒÏÔÏËÏÌ ÂÕÄÅÔ ×ÙÇÌÑÄÅÔØ
      ÔÁË:</para>

    <programlisting>IKE Log: Phase 1 (aggressive) completion. 3DES/MD5/Pre shared secrets Negotiation Id:
scheme: IKE methods: Combined ESP: 3DES + MD5 + PFS (phase 2 completion) for host:</programlisting>
  </sect1>

  <sect1 id="References">
    <title>óÓÙÌËÉ</title>

    <itemizedlist>
      <listitem>
	<para>òÕËÏ×ÏÄÓÔ×Ï FreeBSD: VPN ÞÅÒÅÚ IPsec <ulink
	  url="&url.books.handbook;/ipsec.html"></ulink></para>
      </listitem>

      <listitem>
	<para>ðÒÏÅËÔ KAME <ulink url="http://www.kame.net"></ulink></para>
      </listitem>
    </itemizedlist>
  </sect1>
</article>