From owner-FreeBSD-users-jp@jp.FreeBSD.org Wed Nov 17 12:15:48 2004
Received: (from daemon@localhost)
	by castle.jp.FreeBSD.org (8.11.6p2+3.4W/8.11.3) id iAH3FmK69918;
	Wed, 17 Nov 2004 12:15:48 +0900 (JST)
	(envelope-from owner-FreeBSD-users-jp@jp.FreeBSD.org)
Received: from mail-gw.welllink.co.jp (ns1.exit.co.jp [211.10.3.2])
	by castle.jp.FreeBSD.org (8.11.6p2+3.4W/8.11.3) with ESMTP/inet id iAH3Fk869857
	for <FreeBSD-users-jp@jp.FreeBSD.org>; Wed, 17 Nov 2004 12:15:47 +0900 (JST)
	(envelope-from kana@exit.co.jp)
Received: from [192.168.0.136] (falsetto.exit.co.jp [211.10.3.59])
	by mail-gw.welllink.co.jp (Postfix) with ESMTP id D2C432E06B
	for <FreeBSD-users-jp@jp.FreeBSD.org>; Wed, 17 Nov 2004 12:07:11 +0900 (JST)
Mime-Version: 1.0 (Apple Message framework v619)
Content-Transfer-Encoding: 7bit
Message-Id: <F56E440F-3846-11D9-8703-000A95CD994C@exit.co.jp>
Content-Type: text/plain; charset=ISO-2022-JP; delsp=yes; format=flowed
To: FreeBSD-users-jp@jp.FreeBSD.org
From: =?ISO-2022-JP?B?GyRCQXAwZkVEMkNGYBsoQg==?= <kana@exit.co.jp>
X-Mailer: Apple Mail (2.619)
Reply-To: FreeBSD-users-jp@jp.FreeBSD.org
Precedence: list
Date: Wed, 17 Nov 2004 12:15:40 +0900
X-Sequence: FreeBSD-users-jp 81817
Subject: [FreeBSD-users-jp 81817] IPsec =?ISO-2022-JP?B?GyRCJE4bKEI=?=
 =?ISO-2022-JP?B?GyRCJUglcyVNJWslYiE8JUkkSyREJCQkRhsoQg==?= 
Sender: owner-FreeBSD-users-jp@jp.FreeBSD.org
X-Originator: kana@exit.co.jp
X-Distribute: distribute version 2.1 (Alpha) patchlevel 24e+041115

$BAp0fED(B@$B%$%0%8%C%H$G$9!#(B

$B!Z2]Bj![(B
IPsec$B$r;H$C$?%H%s%M%k%b!<%IDL?.4D6-$N9=C[$G%H%i%V%k$,5/$-$F$$$k$N$G!"(B
$B$G$-$^$7$?$i!"3'MM$N$*CN7C$r$*B_$7$/$@$5$$!&!&!&!#(B

$BG0$N$?$a2a5n%m%0$r8!:w$7$F$_$^$7$?$,!"$$$^$$$A%T%C%?%j$H$7$?(B
$BNc$,$J$$$h$&$G$7$?$N$G!&!&!#(B
$B4D6-$K$D$$$F$O!"$3$3$G$O35MW$r<($7$F$$$^$9$N$G!"!V$3$l$G$O(B
$B$o$+$i$s$+$i!"$3$3$r%A%'%C%/$;$h!"$H$$$&$+8+$;$m!W$J$I$N(B
$B$4;XE&$,$"$j$^$7$?$i8x3+$$$?$7$^$9!#(B


$B!Z>u67![(B
<Host_a>----<Gateway_A>---Internet---<Gateway_B>---<Host_b>


$B>e5-$N$h$&$J9=@.$G!"(B<Gateway_A><Gateway_B>$B4V$K!"(BIPsec$B$G(B
$B%H%s%M%k$r$D$/$j!"(B<Host_a>$B$N(BDB$B$r(B<Host_b>$B$GA`:n$9$k$H$$$&(B
$B%M%C%H%o!<%/$r9=C[$7$^$7$?!#(B
<Host_a>$B$N$"$k%>!<%s$H(B<Host_b>$B$N$"$k%>!<%s$r(BVPN$B@\B3$7$?$$(B
$B$H$$$&$N$,L\E*$G$9!#(B

$B$3$N>uBV$G!"(B<Host_b>$B$+$i(B<Gateway_A>$B!"(B<Host_a>$B$KBP$9$k(Bssh
$B%/%i%$%"%s%H$r;H$C$?%3%^%s%I%i%$%s@\B3$O!J$=$N5U$b!K!"(B
*$B$"$kDxEY(B*$BLdBj$J$/9T$o$l$F$$$k$h$&$K8+$($^$9!#(B

$B$7$+$7!"(B<Host_b>$B$+$i(B<Host_a>$B$KBP$7$F!J$=$N5U$N>l9g$b!K@\B3$7$F(B
$B$$$k:]$K!"IQHK$K(Bssh$B%/%i%$%"%s%H$NI=<($,Dd;_!J%-!<F~NO$b$&$1$D$1$J$$!K(B
$B$7$F!"$7$P$i$/8e$K%?%$%`%"%&%H$7$F$7$^$&>I>u$,$G$F$$$^$9!#(B
$B$3$N>I>u$OITDj4|$KH/@8$7$^$9$,!"798~$H$7$F!"(B
# ps aux
$B$G$"$k$H$+!"(BMySQL$B$d(BPostgreSQL$B$N%F!<%V%k$r;2>H$9$k$J$I$G!"(B
$BD9$$%G!<%?9T$,0l5$$KI=<($5$l$k;~$KB?$/H/@8$9$k$h$&$K;W$o$l$^$9!#(B
$BD4;R$,$$$$$J!A$H;W$C$F!"(Bps aux$B$r7+$jJV$7$F$_$k$H!"2?EYL\$+$K(B
$B!J0l2sL\$N$3$H$b$"$l$P!"==?t2sL\$N$3$H$b!&!&!KDd;_$7$F$7$^$&$H$$$&(B
$B46$8$G$9!#(B

tcpdump$B$r;H$C$F%G!<%?$NN.$l$r8+$k$H!"I=<($,Dd;_$7$?8e$b%H%s%M%k$N(B
$B@\B3$=$N$b$N$O<:$o$l$F$$$J$$$h$&$G$9!#(B
$BDd;_$7$F$7$^$C$?%3%s%=!<%k$K!"%-!<F~NO$r$9$k$H!"%G!<%?$,N.$l$k(B
$B:/@W$,$"$j$^$9!#(B
$BDd;_$7$F$7$^$C$?%3%s%=!<%k$rJ|$C$F$*$$$F!"JL$J%3%s%=!<%k$rN)$A>e$2$F(B
$B@\B3$9$k$H!"$=$A$i$G$O$J$K$4$H$b$J$+$C$?$h$&$K@\B3$,$G$-$^$9!#(B

$BIT;W5D$J$N$O!"$3$N@\B3CG!J!)!K$O!"0J2<$N$h$&$JNc30$,$"$k$3$H$G$9!#(B

$B!&(B<Host_b>$B$H(B<Gateway_A>$B$N%W%i%$%Y!<%H%"%I%l%9$X$N@\B3$G$OH/@8$7$J$$!#(B
$B!!!J(B<Host_a>$B$H(B<Gateway_B>$B$N@\B3$bF1$8!#!K(B
$B"t$3$NNc30$,$"$k$3$H$+$i!"(B<Host_b>$B$H(B<Host_a>$B$N%>!<%s$N(BHub$B$H(BNIC$B$r5?$$!"(B
$B!!8r49$7$F$_$^$7$?$,!">I>u$KJQ2=$O$"$j$^$;$s$G$7$?!#(B


$B$^$?!"JL$JLdBj$+$b$7$l$^$;$s$,!"(B<Host_b>$B$H$*$J$8%>!<%s$N(BPC$B$+$i(B
MS$B$N(BAccess$B$r;H$C$F(B<Host_a>$B$N(BMySQL$B$d(BPostgreSQL$B$K(BODBC$B$G(B
$B@\B3$7$h$&$H$9$k$H!"(BMySQL$B$N>l9g$O!"%F!<%V%k$N%j%s%/$,$G$-$F$b(B
$B%G!<%?$,<h$j=P$;$J$$!#(BPostgreSQL$B$N>l9g$O(BODBC$B@\B3$,$G$-$J$$(B
$B$H$$$&>I>u$K$J$j$^$9!#(B
$B!J(B<Host_a>$B$HF1$8%>!<%s$K$"$k(BPC$B$G$O!"LdBj$O$"$j$^$;$s!K(B
$B"t:G=*E*$K$d$j$?$$$N$O!"$3$N(BODBC$B@\B3$J$N$G$9$,!&!&(B
$B"tF;$N$j$,1s$$!&!&(B(^^;


$B!Z4D6-![(B
$B860x$N@Z$jJ,$1$,$G$-$F$$$J$$$N$G!"$9$Y$F$N@_Dj$rNs5s$9$k$N$,(B
$B$?$a$i$o$l$^$9$N$G!"35MW$r0J2<$K5-$7$^$9!#(B

$B!&(BHost$B$d(BGateway$B$r9=@.$7$F$$$k(BOS$B$O(BFreeBSD5.2$B$H(BFreeBSD5.2.1$B$H(B
$B!!(BFreeBSD5.3$B$,:.:_$7$F$$$^$9!#(B
$B!&(BKame$B$N%i%$%V%i%j$O%$%s%9%H!<%k;~$N$b$N$G$9!#(B
$B!&A4$F$N%^%7%s$N(Brc.conf$B$G(Bipv6_enable="NO"$B$H$7$F$$$^$9!#(B
$B!&FsBf$N(BGateway$B$G$O!"(Bipfw$B$H(Bnat$B$r;H$C$?%U%!%$%"%&%)!<%k$r9=C[$7$F$$$^$9!#(B
$B!&%U%!%$%"%&%)!<%k$G$O!"(B500$BHV$N%]!<%H$r(Budp$B$H(Besp$B$,DL$k$3$H$r5v$7$F$$$^$9!#(B
$B!&(BGateway$B4V$N(BIKE$B$N808r49$O!"(Bracoon$B$r;H$o$:!"<jF0$G$9!#(B
$B!!!J(Bracoon$B$r;H$C$F$bF1$8>I>u$G$7$?!K(B
$B!&@\B3$O!"$9$Y$F(BIP$B%"%I%l%9;XDj$G%F%9%H$7$F$$$^$9!J(BDNS$B$NLdBj$H@Z$jJ,$1$?$$$N$G!K(B
$B!&(B<Host_b>$B$N%>!<%s$O(B192.168.1.0/24$B!"(B<Host_a>$B$N%>!<%s$O(B192.168.0.0/24$B$G$9!#(B
$B!&(BGateway$B4V$N(Bgif$B%H%s%M%k$O!"(B192.168.1.254-192.168.0.254$B$K:n$C$F$$$^$9!#(B



$B!Z3F@_Dj;qNA![(B
$B$3$l$H$$$C$FFCJL$J$3$H$r$7$F$$$k$D$b$j$O$J$$$N$G$9$,!&!&(B(^^;
$B!!"((Baaa.bbb.ccc.nn$B!"(Bxxx.yyy.zzz.nn$B$O%0%m!<%P%k%"%I%l%9(B
------------------------------------------------------------------------ 
-------------------------------
<Gateway_A>$B$N(B/etc/ipsec.conf

# <Gateway_A> /etc/ipsec.conf, setkey(8) syntax. Loaded at boot through
# ipsec_enable/ipsec_file in rc.conf. Manual keying for the ESP tunnel
# between aaa.bbb.ccc.23 (this gateway's em0) and xxx.yyy.zzz.59
# (<Gateway_B>).

# Start from empty SA and SP databases.
flush;
spdflush;

# One SA per direction, keyed by hand (the mail says IKE/racoon is not
# used): SPI and key are fixed until this file is reloaded, and the same
# two SAs must be present on <Gateway_B>. The key strings look masked
# for the listing; 3des-cbc needs exactly 24 key bytes.
# NOTE(review): "-E 3des-cbc" on its own encrypts but does not
# authenticate -- there is no "-A hmac-sha1 <key>" (or similar) on either
# SA, so a tampered ESP packet is decrypted and forwarded rather than
# dropped. The fix is an "-A" clause on both SAs, here and on <Gateway_B>,
# with the same authentication key at both ends.
add aaa.bbb.ccc.23 xxx.yyy.zzz.59 esp 9991 -E 3des-cbc "gggggggggggggggggggggggg";
add xxx.yyy.zzz.59 aaa.bbb.ccc.23 esp 9992 -E 3des-cbc "hhhhhhhhhhhhhhhhhhhhhhhh";

# Policies: traffic between the local 192.168.1.0/24 (em1) and the remote
# 192.168.0.0/24 must ("require") ride the tunnel between the public
# addresses, outbound and inbound.
spdadd 192.168.1.0/24 192.168.0.0/24 any -P out ipsec esp/tunnel/aaa.bbb.ccc.23-xxx.yyy.zzz.59/require;
spdadd 192.168.0.0/24 192.168.1.0/24 any -P in ipsec esp/tunnel/xxx.yyy.zzz.59-aaa.bbb.ccc.23/require;

------------------------------------------------------------------------ 
-------------------------------
<Gateway_B>$B$N(B/etc/ipsec.conf

# <Gateway_B> /etc/ipsec.conf, setkey(8) syntax. Loaded at boot through
# ipsec_enable/ipsec_file in rc.conf. The mirror image of <Gateway_A>'s
# file: same two SAs, policies with the directions swapped. This
# gateway's em0 is xxx.yyy.zzz.59, the peer is aaa.bbb.ccc.23.

# Start from empty SA and SP databases.
flush;
spdflush;

# Manually keyed SAs, identical to those on <Gateway_A> (they have to be:
# SPI, algorithm and key are matched by value, not negotiated). Key
# strings look masked for the listing; 3des-cbc needs 24 key bytes.
# NOTE(review): no "-A" authentication algorithm on either SA, so the
# tunnel has confidentiality but no integrity check -- see the same note
# on <Gateway_A>'s file; both ends need the "-A" clause with one shared key.
add aaa.bbb.ccc.23 xxx.yyy.zzz.59 esp 9991 -E 3des-cbc "gggggggggggggggggggggggg";
add xxx.yyy.zzz.59 aaa.bbb.ccc.23 esp 9992 -E 3des-cbc "hhhhhhhhhhhhhhhhhhhhhhhh";

# Policies: local 192.168.0.0/24 (nge0) <-> remote 192.168.1.0/24 must
# use the tunnel between the public addresses.
spdadd 192.168.0.0/24 192.168.1.0/24 any -P out ipsec esp/tunnel/xxx.yyy.zzz.59-aaa.bbb.ccc.23/require;
spdadd 192.168.1.0/24 192.168.0.0/24 any -P in ipsec esp/tunnel/aaa.bbb.ccc.23-xxx.yyy.zzz.59/require;
------------------------------------------------------------------------ 
-------------------------------
<Gateway_A>$B$N(B/etc/rc.conf$B!JH4?h!K(B

# <Gateway_A> /etc/rc.conf (excerpt): a FreeBSD 5.x router / NAT /
# firewall box carrying a gif+IPsec tunnel to <Gateway_B>. Grouped by
# role; rc.conf is a plain set of sh assignments, so order is immaterial.

# -- interfaces ----------------------------------------------------------
# em0 faces the Internet (aaa.bbb.ccc.23 in a /26), em1 the local LAN
# 192.168.1.0/24. 192.168.1.254 is added to em1 as a /32 alias and is
# reused below as the local end of gif0.
network_interfaces="lo0 em0 em1 gif0"
ifconfig_em0="inet aaa.bbb.ccc.23  netmask 255.255.255.192"
ifconfig_em1="inet 192.168.1.1  netmask 255.255.255.0"
ifconfig_em1_alias0="inet 192.168.1.254  netmask 255.255.255.255"
ipv6_enable="NO"

# -- routing -------------------------------------------------------------
gateway_enable="YES"
defaultrouter="aaa.bbb.ccc.1"
# The remote LAN is reached via 192.168.1.254, i.e. through gif0.
# NOTE(review): that address is configured on two interfaces (the em1
# alias and gif0); which one the kernel binds the vpn route to is worth
# confirming with `netstat -rn` / `route get 192.168.0.254`.
static_routes="vpn"
route_vpn="-net 192.168.0.0/24 192.168.1.254"

# -- gif tunnel + IPsec --------------------------------------------------
# Outer endpoints are the two public addresses, inner ones the two .254
# addresses. The SAs/SPD for ESP between the public addresses live in
# /etc/ipsec.conf and are loaded by ipsec_enable.
# NOTE(review): the stalls described in the mail (bulk output hangs,
# short interactive traffic is fine, sessions to the gateway's own private
# address unaffected) are what a path-MTU / fragmentation problem inside
# a tunnel tends to look like; the gif0 MTU and whether ICMP
# "fragmentation needed" reaches the LAN hosts would be the first things
# to check -- TODO confirm.
gif_interfaces="gif0"
gifconfig_gif0="aaa.bbb.ccc.23 xxx.yyy.zzz.59"
ifconfig_gif0="inet 192.168.1.254 192.168.0.254 netmask 255.255.255.255"
ipsec_enable="YES"
ipsec_file="/etc/ipsec.conf"

# -- NAT + firewall ------------------------------------------------------
# natd masquerades the LAN behind em0; the ruleset is /etc/ipfw.conf.
natd_enable="YES"
natd_interface="em0"
firewall_enable="YES"
firewall_script="/etc/ipfw.conf"
firewall_quiet="YES"
------------------------------------------------------------------------ 
-------------------------------
<Gateway_B>$B$N(B/etc/rc.conf$B!JH4?h!K(B

# <Gateway_B> /etc/rc.conf (excerpt): the other end of the tunnel, same
# shape as <Gateway_A> with nge0 as the LAN interface. Grouped by role;
# assignment order in rc.conf does not matter.

# -- interfaces ----------------------------------------------------------
# em0 is public (xxx.yyy.zzz.59 in a /26), nge0 is the LAN 192.168.0.0/24
# with 192.168.0.254 as a /32 alias that doubles as gif0's local end.
network_interfaces="lo0 em0 nge0 gif0"
ifconfig_em0="inet xxx.yyy.zzz.59  netmask 255.255.255.192"
ifconfig_nge0="inet 192.168.0.1 netmask 255.255.255.0"
ifconfig_nge0_alias0="inet 192.168.0.254 netmask 255.255.255.255"
ipv6_enable="NO"

# -- routing -------------------------------------------------------------
gateway_enable="YES"
defaultrouter="xxx.yyy.zzz.1"
# Remote LAN via 192.168.0.254 (gif0's local address, also the nge0
# alias -- see the note on <Gateway_A>'s file about the shared address).
static_routes="vpn0"
route_vpn0="-net 192.168.1.0/24 192.168.0.254"

# -- gif tunnel + IPsec --------------------------------------------------
# The ifconfig_gif0 value omits the "inet" keyword that <Gateway_A>'s
# spells out; ifconfig defaults to inet, so both work, but keeping the
# two files parallel makes them easier to diff.
gif_interfaces="gif0"
gifconfig_gif0="xxx.yyy.zzz.59 aaa.bbb.ccc.23"
ifconfig_gif0="192.168.0.254 192.168.1.254 netmask 255.255.255.255"
ipsec_enable="YES"
ipsec_file="/etc/ipsec.conf"

# -- services ------------------------------------------------------------
# inetd runs with TCP wrappers (-w/-W). Which services it serves is not
# in the excerpt; on a tunnel endpoint that list, and the ipfw rules that
# expose it on em0, deserve a look -- TODO confirm.
inetd_enable="YES"
inetd_flags="-wW"

# -- NAT + firewall ------------------------------------------------------
natd_program="/sbin/natd"
natd_enable="YES"
natd_interface="em0"
firewall_enable="YES"
firewall_script="/etc/ipfw.conf"
firewall_quiet="YES"
------------------------------------------------------------------------ 
-------------------------------
<Gateway_A>$B$N(B/etc/ipfw.conf$B!JH4?h!K(B

# <Gateway_A> /etc/ipfw.conf (excerpt): the variables and rules that let
# the tunnel's outer packets (ISAKMP and ESP) through on the public
# interface. ${fwcmd} is presumably set earlier in the file, rc.firewall
# style; the rest of the ruleset -- including whatever admits the
# decapsulated traffic and the natd divert rule -- is not in this excerpt.
oif="em0"                         # public interface (aaa.bbb.ccc.23 in rc.conf)
onet="aaa.bbb.ccc.0/26"           # public subnet; not referenced in this excerpt
oip="aaa.bbb.ccc.23"              # this gateway's public address
trusted_host="xxx.yyy.zzz.0/26"   # the peer's whole /26, not just xxx.yyy.zzz.59

# NOTE(review): trusted_host admits ISAKMP and ESP from every address in
# the peer's /26 although the SAs in ipsec.conf are bound to
# xxx.yyy.zzz.59 alone; narrowing it to that one address (and likewise on
# <Gateway_B>) shrinks the exposed IKE/ESP input path without touching the
# tunnel. If the final setup stays manually keyed, the two isakmp rules
# are unused and could go as well.
if test -n "${trusted_host}"; then
	${fwcmd} add allow udp from ${trusted_host} isakmp to ${oip} isakmp via ${oif}
	${fwcmd} add allow udp from ${oip} isakmp to ${trusted_host} isakmp via ${oif}
	${fwcmd} add allow esp from ${trusted_host} to ${oip} via ${oif}
	${fwcmd} add allow esp from ${oip} to ${trusted_host} via ${oif}
fi
------------------------------------------------------------------------ 
-------------------------------
<Gateway_B>$B$N(B/etc/ipfw.conf$B!JH4?h!K(B

# <Gateway_B> /etc/ipfw.conf (excerpt): same shape as <Gateway_A>'s with
# the two public addresses swapped. This side names its own address
# "oipa" where <Gateway_A> uses "oip" -- harmless, but easy to trip over
# when diffing the two files. ${fwcmd} and the remaining rules (including
# whatever handles the decapsulated traffic and the natd divert) are
# outside this excerpt.
oif="em0"                         # public interface (xxx.yyy.zzz.59 in rc.conf)
onet="xxx.yyy.zzz.0/26"           # public subnet; not referenced in this excerpt
oipa="xxx.yyy.zzz.59"             # this gateway's public address
trusted_host="aaa.bbb.ccc.0/26"   # peer's whole /26 rather than aaa.bbb.ccc.23

# NOTE(review): as on <Gateway_A>, the peer's entire /26 may send ISAKMP
# and ESP here although the SAs are bound to aaa.bbb.ccc.23; restricting
# trusted_host to that single address is a cheap narrowing.
if test -n "${trusted_host}"; then
	${fwcmd} add allow udp from ${trusted_host} isakmp to ${oipa} isakmp via ${oif}
	${fwcmd} add allow udp from ${oipa} isakmp to ${trusted_host} isakmp via ${oif}
	${fwcmd} add allow esp from ${trusted_host} to ${oipa} via ${oif}
	${fwcmd} add allow esp from ${oipa} to ${trusted_host} via ${oif}
fi
------------------------------------------------------------------------ 
-------------------------------
<Host_a>$B$N(Brc.conf

# <Host_a> rc.conf: default route is 192.168.1.254, the address <Gateway_A>
# carries both as its em1 alias and as gif0's local end.
# NOTE(review): the mail's environment list places <Host_a> in
# 192.168.0.0/24, while this route and <Gateway_A>'s em1 (192.168.1.1/24)
# place it in 192.168.1.0/24 -- one of the two labels looks swapped;
# confirm before reading the rest of the setup.
defaultrouter='192.168.1.254'
------------------------------------------------------------------------ 
-------------------------------
<Host_b>$B$N(Brc.conf

# <Host_b> rc.conf: default route is 192.168.0.254, which <Gateway_B>
# carries both as its nge0 alias and as gif0's local end (see the note on
# <Host_a>'s file about which LAN each host is actually in).
defaultrouter='192.168.0.254'
------------------------------------------------------------------------ 
-------------------------------


$B0J>e!#(B
$BD9$/$J$C$F$7$^$C$F?=$7Lu$"$j$^$;$s!#(B

