From 83cb0b0e8cc1e97efdbf53c4e0a14121aef08b42 Mon Sep 17 00:00:00 2001
From: Martin Willi <martin@strongswan.org>
Date: Fri, 28 Apr 2006 09:07:55 +0000
Subject:

---
 doc/src/user_examples.html | 322 ---------------------------------------------
 1 file changed, 322 deletions(-)
 delete mode 100755 doc/src/user_examples.html

(limited to 'doc/src/user_examples.html')

diff --git a/doc/src/user_examples.html b/doc/src/user_examples.html
deleted file mode 100755
index 5e3784858..000000000
--- a/doc/src/user_examples.html
+++ /dev/null
@@ -1,322 +0,0 @@
-<html>
-<head>
-<title>FreeS/WAN examples</title>
-<meta name="keywords" content="Linux, IPsec, VPN, security, FreeSWAN, examples">
-
-<!--
-
-Written by Sandy Harris for the Linux FreeS/WAN project
-Freely distributable under the GNU General Public License
-
-More information at www.freeswan.org
-Feedback to users@lists.freeswan.org
-
-CVS information:
-RCS ID:          $Id: user_examples.html,v 1.1 2004/03/15 20:35:24 as Exp $
-Last changed:    $Date: 2004/03/15 20:35:24 $
-Revision number: $Revision: 1.1 $
-
-CVS revision numbers do not correspond to FreeS/WAN release numbers.
--->
-</head>
-
-<body>
-
-<h1><a name="user.examples">FreeS/WAN script examples</a></h1>
-
-This file is intended to hold a collection of user-written example
-scripts or configuration files for use with FreeS/WAN.
-<p>
-So far it has only one entry.
-
-<h2><a name="poltorak">Poltorak's Firewall script</a></h2>
-
-<pre>
-From: Poltorak Serguei &lt;poltorak@dataforce.net&gt;
-Subject: [Users] Using FreeS/WAN
-Date: Tue, 16 Oct 2001
-
-Hello.
-
-I'm using FreeS/WAN IPsec for half a year. I learned a lot of things about
-it and I think it would be interesting for someone to see the result of my
-experiments and usage of FreeS/WAN. If you find a mistake in this
-file, please e-mail me. And excuse me for my english... I'm learning.. :)
-
-I'll talk about vary simple configuration:
-
-addresses prefix = 192.168
-
-    lan1          sgw1     .0.0/24 (Internet)       sgw2            lan2
-  .1.0/24---[ .1.1 ; .0.1 ]===================[ .0.10 ; . 2.10 ]---.2.0/24
-
-
-We need to let lan1 see lan2 across Internet like it is behind sgw1. The
-same for lan2. And we need to do IPX bridge for Novel Clients and NDS
-synchronization.
-
-my config:
-------------------- ipsec.conf -------------------
-conn lan1-lan2
-        type=tunnel
-        compress=yes
-        #-------------------
-        left=192.168.0.1
-        leftsubnet=192.168.1.0/24
-        #-------------------
-        right=192.168.0.10
-        rightsubnet=192.168.2.0/24
-        #-------------------
-        auth=esp
-        authby=secret
---------------- end of ipsec.conf ----------------
-
-ping .2.x from .1.y   (y != 1)
-It works?? Fine. Let's continue...
-
-Why y != 1 ?? Because kernel of sgw1 have 2 IP addresses and it will choose
-the first IP (which is used to go to Internet) .0.1 and the packet won't go
-through IPsec tunnel :(  But if do ping on .1.1 kernel will respond from
-that address (.1.1) and the packet will be tunneled. The same problem occurred then
-.2.x sends a packet to .1.2 which is down at the moment. What happens? .1.1
-sends ARP requesting .1.2... after 3 tries it send to .2.x an destunreach,
-but from his "natural" IP or .0.1 . So the error message won't be delivered!
-It's a big problem...
-
-Resolution... One can manipulate with ipsec0 or ipsec0:0 to solve the
-problem (if ipsec0 has .1.1 kernel will send packets correctly), but there
-are powerful and elegant iproute2 :) We simply need to change source address
-of packet that goes to other secure lan. This is done with
-
-ip route replace 192.168.2.0/24 via 192.168.0.10 dev ipsec0 src 192.168.1.1
-
-Cool!! Now it works!!
-
-The second step. We want install firewall on sgw1 and sgw2. Encryption of 
-traffic without security isn't a good idea. I don't use {left|right}firewall, 
-because I'm running firewall from init scripts.
-
-We want IPsec data between lan1-lan2, some ICMP errors (destination
-unreachable, TTL exceeded, parameter problem and source quench), replying on 
-pings from both lans and Internet, ipxtunnel data for IPX and of course SSH
-between sgw1 and sgw2 and from/to one specified host.
-
-I'm using ipchains. With iptables there are some changes.
-
----------------- rc.firewall ---------------------
-#!/bin/sh
-#
-# Firewall for IPsec lan1-lan2
-#
-
-IPC=/sbin/ipchains
-ANY=0.0.0.0/0
-
-# left
-SGW1_EXT=192.168.0.1
-SGW1_INT=192.168.1.1
-LAN1=192.168.1.0/24
-
-# right
-SGW2_EXT=192.168.0.10
-SGW2_INT=192.168.2.10
-LAN2=192.168.2.0/24
-
-# SSH from and to this host
-SSH_PEER_HOST=_SOME_HOST_
-
-# this is for left. exchange these values for right.
-MY_EXT=$SGW1_EXT
-MY_INT=$SGW1_INT
-PEER_EXT=$SGW2_EXT
-PEER_INT=$SGW2_INT
-INT_IF=eth1
-EXT_IF=eth0
-IPSEC_IF=ipsec0
-MY_LAN=$LAN1
-PEER_LAN=$LAN2
-
-$IPC -F
-$IPC -P input DENY
-$IPC -P forward DENY
-$IPC -P output DENY
-
-# Loopback traffic
-$IPC -A input -i lo -j ACCEPT
-$IPC -A output -i lo -j ACCEPT
-
-# for IPsec SGW1-SGW2
-## IKE
-$IPC -A input -p udp -s $PEER_EXT 500 -d $MY_EXT 500 -i $EXT_IF -j ACCEPT
-$IPC -A output -p udp -s $MY_EXT 500 -d $PEER_EXT 500 -i $EXT_IF -j ACCEPT
-## ESP
-$IPC -A input -p 50 -s $PEER_EXT -d $MY_EXT -i $EXT_IF -j ACCEPT
-### we don't need this line ### $IPC -A output -p 50 -s $MY_EXT -d $PEER_EXT -i $EXT_IF -j ACCEPT
-## forward LAN1-LAN2
-$IPC -A forward -s $MY_LAN -d $PEER_LAN -i $IPSEC_IF -j ACCEPT
-$IPC -A forward -s $PEER_LAN -d $MY_LAN -i $INT_IF -j ACCEPT
-$IPC -A output -s $PEER_LAN -d $MY_LAN -i $INT_IF -j ACCEPT
-$IPC -A input -s $PEER_LAN -d $MY_LAN -i $IPSEC_IF -j ACCEPT
-$IPC -A input -s $MY_LAN -d $PEER_LAN -i $INT_IF -j ACCEPT
-$IPC -A output -s $MY_LAN -d $PEER_LAN -i $IPSEC_IF -j ACCEPT
-
-# ICMP
-#
-## Dest unreachable
-### from/to Internet
-$IPC -A input -p icmp --icmp-type destination-unreachable -s $ANY -d $MY_EXT -i $EXT_IF -j ACCEPT
-$IPC -A output -p icmp --icmp-type destination-unreachable -s $MY_EXT -d $ANY -i $EXT_IF -j ACCEPT
-### from/to Lan
-$IPC -A input -p icmp --icmp-type destination-unreachable -s $ANY -d $MY_INT -i $INT_IF -j ACCEPT
-$IPC -A output -p icmp --icmp-type destination-unreachable -s $MY_INT -d $ANY -i $INT_IF -j ACCEPT
-### from/to Peer Lan
-$IPC -A input -p icmp --icmp-type destination-unreachable -s $ANY -d $MY_INT -i $IPSEC_IF -j ACCEPT
-$IPC -A output -p icmp --icmp-type destination-unreachable -s $MY_INT -d $ANY -i $IPSEC_IF -j ACCEPT
-#
-## Source quench
-### from/to Internet
-$IPC -A input -p icmp --icmp-type source-quench -s $ANY -d $MY_EXT -i $EXT_IF -j ACCEPT
-$IPC -A output -p icmp --icmp-type source-quench -s $MY_EXT -d $ANY -i $EXT_IF -j ACCEPT
-### from/to Lan
-$IPC -A input -p icmp --icmp-type source-quench -s $ANY -d $MY_INT -i $INT_IF -j ACCEPT
-$IPC -A output -p icmp --icmp-type source-quench -s $MY_INT -d $ANY -i $INT_IF -j ACCEPT
-### from/to Peer Lan
-$IPC -A input -p icmp --icmp-type source-quench -s $ANY -d $MY_INT -i $IPSEC_IF -j ACCEPT
-$IPC -A output -p icmp --icmp-type source-quench -s $MY_INT -d $ANY -i $IPSEC_IF -j ACCEPT
-#
-## Parameter problem
-### from/to Internet
-$IPC -A input -p icmp --icmp-type parameter-problem -s $ANY -d $MY_EXT -i $EXT_IF -j ACCEPT
-$IPC -A output -p icmp --icmp-type parameter-problem -s $MY_EXT -d $ANY -i $EXT_IF -j ACCEPT
-### from/to Lan
-$IPC -A input -p icmp --icmp-type parameter-problem -s $ANY -d $MY_INT -i $INT_IF -j ACCEPT
-$IPC -A output -p icmp --icmp-type parameter-problem -s $MY_INT -d $ANY -i $INT_IF -j ACCEPT
-### from/to Peer Lan
-$IPC -A input -p icmp --icmp-type parameter-problem -s $ANY -d $MY_INT -i $IPSEC_IF -j ACCEPT
-$IPC -A output -p icmp --icmp-type parameter-problem -s $MY_INT -d $ANY -i $IPSEC_IF -j ACCEPT
-#
-## Time To Live exceeded
-### from/to Internet
-$IPC -A input -p icmp --icmp-type time-exceeded -s $ANY -d $MY_EXT -i $EXT_IF -j ACCEPT
-$IPC -A output -p icmp --icmp-type time-exceeded -s $MY_EXT -d $ANY -i $EXT_IF -j ACCEPT
-### to Lan
-$IPC -A input -p icmp --icmp-type time-exceeded -s $ANY -d $MY_INT -i $INT_IF -j ACCEPT
-$IPC -A output -p icmp --icmp-type time-exceeded -s $MY_INT -d $ANY -i $INT_IF -j ACCEPT
-### to Peer Lan
-$IPC -A input -p icmp --icmp-type time-exceeded -s $ANY -d $MY_INT -i $IPSEC_IF -j ACCEPT
-$IPC -A output -p icmp --icmp-type time-exceeded -s $MY_INT -d $ANY -i $IPSEC_IF -j ACCEPT
-
-# ICMP PINGs
-## from Internet
-$IPC -A input -p icmp -s $ANY -d $MY_EXT --icmp-type echo-request  -i $EXT_IF -j ACCEPT
-$IPC -A output -p icmp -s $MY_EXT -d $ANY --icmp-type echo-reply  -i $EXT_IF -j ACCEPT
-## from LAN
-$IPC -A input -p icmp -s $ANY -d $MY_INT --icmp-type echo-request -i $INT_IF -j ACCEPT
-$IPC -A output -p icmp -s $MY_INT -d $ANY --icmp-type echo-reply  -i $INT_IF -j ACCEPT
-## from Peer LAN
-$IPC -A input -p icmp -s $ANY -d $MY_INT --icmp-type echo-request -i $IPSEC_IF -j ACCEPT
-$IPC -A output -p icmp -s $MY_INT -d $ANY --icmp-type echo-reply  -i $IPSEC_IF -j ACCEPT
-
-# SSH
-## from SSH_PEER_HOST
-$IPC -A input -p tcp -s $SSH_PEER_HOST -d $MY_EXT 22 -i $EXT_IF -j ACCEPT
-$IPC -A output -p tcp \! -y -s $MY_EXT 22 -d $SSH_PEER_HOST -i $EXT_IF -j ACCEPT
-## to SSH_PEER_HOST
-$IPC -A input -p tcp \! -y -s $SSH_PEER_HOST 22 -d $MY_EXT -i $EXT_IF -j ACCEPT
-$IPC -A output -p tcp -s $MY_EXT -d $SSH_PEER_HOST 22 -i $EXT_IF -j ACCEPT
-## from PEER
-$IPC -A input -p tcp -s $PEER_EXT -d $MY_EXT 22 -i $EXT_IF -j ACCEPT
-$IPC -A output -p tcp \! -y -s $MY_EXT 22 -d $PEER_EXT -i $EXT_IF -j ACCEPT
-## to PEER
-$IPC -A input -p tcp \! -y -s $PEER_EXT 22 -d $MY_EXT -i $EXT_IF -j ACCEPT
-$IPC -A output -p tcp -s $MY_EXT -d $PEER_EXT 22 -i $EXT_IF -j ACCEPT
-
-# ipxtunnel
-$IPC -A input -p udp -s $PEER_INT 2005 -d $MY_INT 2005 -i $IPSEC_IF -j ACCEPT
-$IPC -A output -p udp -s $MY_INT 2005 -d $PEER_INT 2005 -i $IPSEC_IF -j ACCEPT
-
----------------- end of rc.firewall ----------------------
-
-To understand this we need to look on this scheme:
-
-           ++-----------------------&lt;----------------------------+
-           || ipsec0                                             |
-           \/                                                    |
- eth0  +--------+    /---------/ yes  /---------/ yes +-----------------------+
-------&gt;| INPUT  |--&gt;/ ?local? /-----&gt;/ ?IPsec? /-----&gt;| decrypt & decapsulate |
- eth1  +--------+  /---------/      /---------/       +-----------------------+
-                       || no            || no
-                       \/               \/
-                  +----------+      +---------+        +-------+
-                  | routing  |      |  local  |        | local |
-                  | decision |      | deliver |        | send  |
-                  +----------+      +---------+        +-------+
-                       ||                                 ||
-                       \/                                 \/
-                   +---------+                       +----------+
-                   | forward |                       | routing  |
-                   +---------+                       | decision |
-                       ||                            +----------+
-                       ||                                  ||
-                       ++----------------&lt;-----------------++
-                       ||
-                       \/
-                   +--------+ eth0
-                   | OUTPUT | eth1
-                   +--------+ ipsec0
-                       ||
-                       \/
-                   /---------/ yes +-----------------------+
-                  / ?IPsec? /-----&gt;| encrypt & encapsulate |
-                 /---------/       +-----------------------+
-                      || no                    ||
-                      ||                       ||
-                      ||                       \/   eth0, eth1
-                      ++-----------------------++--------------&gt;
-
-This explain how a packet traverse TCP/IP stack in IPsec capable kernel.
-
-FIX ME, please, if there are any errors
-
-Test the new firewall now.
-
-
-Now about IPX. I tried 3 programs for tunneling IPX: tipxd, SIB and ipxtunnel
-
-tipxd didn't send packets.. :(
-SIB and ipxtunnel worked fine :)
-With ipxtunnel there was a little problem. In sources there are an error.
-
---------------------- in main.c ------------------------
-&lt;       bytes += p.len;
----
-&gt;       bytes += len;
---------------------------------------------------------
-
-After this FIX everything goes right...
-
-------------------- /etc/ipxtunnel.conf ----------------
-port    2005
-remote  192.168.101.97    2005
-interface eth1
---------------- end of /etc/ipxtunnel.conf -------------
-
-I use IPX tunnel between .1.1 and .2.10 so we don't need to encrypt nor
-authenticate encapsulated IPX packets, it is done with IPsec.
-
-If you don't wont to use iproute2 to change source IP you need to use SIB
-(it is able to bind local address) or establish tunnel between .0.1 and
-.0.10 (external IPs, you need to do encryption in the program, but it isn't
-strong).
-
-For now I'm using ipxtunnel.
-
-I think that's all for the moment. If there are any error, please e-mail me: 
-poltorak@df.ru . It would be cool if someone puts the scheme of TCP/IP in
-kernel and firewall example on FreeS/WAN's manual pages.
-
-PoltoS
-</pre>
-
-</body>
-</html>
\ No newline at end of file
-- 
cgit v1.2.3