Encrypted NAT or Squid OPENVPN

Pentium pentium.konference at seznam.cz
Sun Mar 12 17:54:09 CET 2006


So I have a small problem.
Two machines on the internet, one has IP 1.2.3.4, the other 5.6.7.8.

On 1.2.3.4 I have this config
remote 5.6.7.8
ifconfig 10.0.0.2 255.255.255.0
port 5050
proto udp
dev tap0
secret /etc/openvpn/secret.key
ping 10
comp-lzo
verb 5
mute 10
user root
group wheel

On 5.6.7.8
remote 1.2.3.4
ifconfig 10.0.0.1 255.255.255.0
port 5050
proto udp
dev tap0
secret /etc/openvpn/secret.key
ping 10
comp-lzo
verb 5
mute 10
user root
group wheel

I start everything like this, first on both machines
kldload if_tap
Then
openvpn openvpn.conf

This appears

pentium at intel:/etc/openvpn# openvpn openvpn.conf
Sun Mar 12 17:45:52 2006 us=454376 Current Parameter Settings:
Sun Mar 12 17:45:52 2006 us=456944   config = 'openvpn.conf'
Sun Mar 12 17:45:52 2006 us=457207   mode = 0
Sun Mar 12 17:45:52 2006 us=457411   show_ciphers = DISABLED
Sun Mar 12 17:45:52 2006 us=457611   show_digests = DISABLED
Sun Mar 12 17:45:52 2006 us=457814   show_engines = DISABLED
Sun Mar 12 17:45:52 2006 us=458013   genkey = DISABLED
Sun Mar 12 17:45:52 2006 us=458217   key_pass_file = '[UNDEF]'
Sun Mar 12 17:45:52 2006 us=458418   show_tls_ciphers = DISABLED
Sun Mar 12 17:45:52 2006 us=458622   proto = 0
Sun Mar 12 17:45:52 2006 us=458819 NOTE: --mute triggered...
Sun Mar 12 17:45:52 2006 us=459184 163 variation(s) on previous 10 message(s) suppressed by --mute
Sun Mar 12 17:45:52 2006 us=459404 OpenVPN 2.0.5 i386-portbld-freebsd5.4 [SSL] [LZO] built on Mar 12 2006
Sun Mar 12 17:45:52 2006 us=460417 WARNING: --ping should normally be used with --ping-restart or --ping-exit
Sun Mar 12 17:45:52 2006 us=460652 WARNING: you are using user/group/chroot without persist-key/persist-tun -- this may cause restarts to fail
Sun Mar 12 17:45:52 2006 us=464357 WARNING: file '/etc/openvpn/secret.key' is group or others accessible
Sun Mar 12 17:45:52 2006 us=465948 Static Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sun Mar 12 17:45:52 2006 us=466483 Static Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Mar 12 17:45:52 2006 us=468831 Static Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sun Mar 12 17:45:52 2006 us=469169 Static Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Mar 12 17:45:52 2006 us=469481 LZO compression initialized
Sun Mar 12 17:45:52 2006 us=471151 TUN/TAP device /dev/tap0 opened
Sun Mar 12 17:45:52 2006 us=471596 /sbin/ifconfig tap0 10.0.0.1 netmask 255.255.255.0 mtu 1500 up
Sun Mar 12 17:45:52 2006 us=530550 Data Channel MTU parms [ L:1577 D:1450 EF:45 EB:135 ET:32 EL:0 AF:3/1 ]
Sun Mar 12 17:45:52 2006 us=534278 Local Options String: 'V4,dev-type tap,link-mtu 1577,tun-mtu 1532,proto UDPv4,ifconfig 10.0.0.0 255.255.255.0,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,secret'
Sun Mar 12 17:45:52 2006 us=535724 Expected Remote Options String: 'V4,dev-type tap,link-mtu 1577,tun-mtu 1532,proto UDPv4,ifconfig 10.0.0.0 255.255.255.0,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,secret'
Sun Mar 12 17:45:52 2006 us=537888 Local Options hash (VER=V4): '6583749e'
Sun Mar 12 17:45:52 2006 us=538317 Expected Remote Options hash (VER=V4): '6583749e'
Sun Mar 12 17:45:52 2006 us=553457 GID set to wheel
Sun Mar 12 17:45:52 2006 us=553919 UID set to root
Sun Mar 12 17:45:52 2006 us=554313 Socket Buffers: R=[42080->65536] S=[9216->65536]
Sun Mar 12 17:45:52 2006 us=554581 UDPv4 link local (bound): [undef]:5050
Sun Mar 12 17:45:52 2006 us=554821 UDPv4 link remote: 1.2.3.4:5050
WrWRSun Mar 12 17:45:55 2006 us=410179 Peer Connection Initiated with 1.2.3.4:5050
Sun Mar 12 17:45:55 2006 us=410489 Initialization Sequence Completed
RwWWRRW^A

And then the lines WRRWRWRWRWRWWRRWRWRWRWRWWRRWRWRWRWRW keep repeating.
Ping 10.0.0.1 does not work at this point.
I use PF and have this rule there:
#allow VPN
pass in quick on $ext_if inet proto udp from any to any port 5050


-----Original Message-----
From: users-l-bounces at freebsd.cz [mailto:users-l-bounces at freebsd.cz] On
Behalf Of Jiri Calda
Sent: Sunday, March 12, 2006 12:01 PM
To: FreeBSD mailing list
Subject: Re: Encrypted NAT or Squid

Intel Pentium wrote:
> Hello,
> I would need to encrypt the traffic of the whole NAT, or at least the HTTP traffic.
> 
> example: local network -> FreeBSD server with transparent squid -->
> dangerous zone of the internet (I want ssh) -- FreeBSD server room with squid or NAT ---
> safe :] internet
> 
> Has anyone solved this problem already??

Encrypted NAT, that is simply nonsense. What you want is to encrypt the data transferred between
two places. So set up a tunnel between the "safe" machines (for example
OpenVPN) and push everything (or only what you want) through it.


Jirka
--
FreeBSD mailing list (users-l at freebsd.cz)
http://www.freebsd.cz/listserv/listinfo/users-l
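The three WARNING lines in the log above (--ping without --ping-restart/--ping-exit, user/group without persist-key/persist-tun, and a secret.key readable by group or others) are the conditions a reviewer of a static-key setup wants caught before deployment, together with "user root", which makes the privilege drop a no-op ("UID set to root" in the log). The POSIX sh script below is an added example, not code from the post or from the OpenVPN project: it audits an OpenVPN 2.0 config file for exactly those four conditions, then shows the same config with the warnings addressed. The temp-dir layout, the constructed copy of the 1.2.3.4 config, and the hardened values (user nobody, ping-restart 60) are assumptions of the example, not taken from the post.

```shell
#!/bin/sh
# Added example (not code from the post): a POSIX sh audit of an OpenVPN 2.0
# static-key config that flags the same things OpenVPN warned about in the
# log quoted above, plus "user root", which drops no privileges at all.

# key_perms_ok FILE: succeed when FILE has no group/other permission bits.
# ls -l is used instead of stat(1) because BSD and GNU stat flags differ.
key_perms_ok() {
    bits=$(ls -ld "$1" 2>/dev/null | cut -c5-10)
    [ "$bits" = "------" ]
}

# has_opt CONF NAME: succeed when NAME appears as a directive at the start of
# a line ("ping" must not match "ping-restart").
has_opt() {
    grep -Eq "^[[:space:]]*$2([[:space:]]|\$)" "$1"
}

# opt_arg CONF NAME: print the first argument of directive NAME, if present.
opt_arg() {
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# audit_openvpn_conf CONF: print one finding per line; prints nothing when clean.
audit_openvpn_conf() {
    conf=$1
    if has_opt "$conf" ping && ! has_opt "$conf" ping-restart \
        && ! has_opt "$conf" ping-exit; then
        echo "ping without ping-restart/ping-exit: a dead peer is never detected"
    fi
    if { has_opt "$conf" user || has_opt "$conf" group || has_opt "$conf" chroot; } \
        && ! { has_opt "$conf" persist-key && has_opt "$conf" persist-tun; }; then
        echo "user/group/chroot without persist-key+persist-tun: restarts can fail"
    fi
    if [ "$(opt_arg "$conf" user)" = root ]; then
        echo "user root: no privilege drop, the daemon keeps running as root"
    fi
    key=$(opt_arg "$conf" secret)
    if [ -n "$key" ] && ! key_perms_ok "$key"; then
        echo "secret key $key is group or others accessible (wants mode 600)"
    fi
    return 0
}

# count_findings CONF: print the number of findings (awk, so 0 is not an error).
count_findings() {
    audit_openvpn_conf "$1" | awk 'END { print NR }'
}

# make_demo_dir: create a temp dir holding a constructed copy of the 1.2.3.4
# config from the post (secret path pointed into the temp dir) and a key file
# deliberately left at mode 644, as in the WARNING above; print the dir name.
make_demo_dir() {
    d=$(mktemp -d) || return 1
    cat > "$d/openvpn.conf" <<EOF
remote 5.6.7.8
ifconfig 10.0.0.2 255.255.255.0
port 5050
proto udp
dev tap0
secret $d/secret.key
ping 10
comp-lzo
verb 5
mute 10
user root
group wheel
EOF
    : > "$d/secret.key"
    chmod 644 "$d/secret.key"
    printf '%s\n' "$d"
}

# harden_demo_conf DIR: write DIR/openvpn.conf.fixed with the corrections
# (user nobody, persist-key/persist-tun, ping-restart 60 are example values)
# and protect the key. Everything else in the config is left as posted.
harden_demo_conf() {
    chmod 600 "$1/secret.key"
    {
        sed 's/^user root$/user nobody/' "$1/openvpn.conf"
        printf 'persist-key\npersist-tun\nping-restart 60\n'
    } > "$1/openvpn.conf.fixed"
}

# Stand-alone run: sh openvpn-audit.sh --demo
case "${1:-}" in
--demo)
    d=$(make_demo_dir)
    echo "== as posted ($(count_findings "$d/openvpn.conf") findings) =="
    audit_openvpn_conf "$d/openvpn.conf"
    harden_demo_conf "$d"
    echo "== hardened ($(count_findings "$d/openvpn.conf.fixed") findings) =="
    audit_openvpn_conf "$d/openvpn.conf.fixed"
    rm -rf "$d"
    ;;
esac
```

Run it as `sh openvpn-audit.sh --demo`: the config as posted produces four findings, the hardened copy none. To audit a real file, call `audit_openvpn_conf /etc/openvpn/openvpn.conf` directly; the key-permission check follows whatever path the `secret` directive names, so run it on the machine that holds the key.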
