12.07.2015 Views


Chapter 8

    --- 192.168.5.1 ping statistics ---
    1 packets transmitted, 1 packets received, 0.0% packet loss
    round-trip min/avg/max/stddev = 7.200/7.200/7.200/0.000 ms

Once the tunnel is up and running, you should add static routes (unless you are already running a dynamic routing protocol) to route each network's traffic towards the tunnel interface. For example, to reach the network behind Router B from Network A, you must add the following route command to Router A:

    # route add 192.168.5.0/24 192.168.5.1
    add net 192.168.5.0: gateway 192.168.5.1

You can verify the routing table updates using the route get command as follows:

    # route get 192.168.5.0/24
       route to: 192.168.5.0
    destination: 192.168.5.0
           mask: 255.255.255.0
        gateway: 192.168.5.1
      interface: gif0
          flags:
     recvpipe  sendpipe  ssthresh  rtt,msec    rttvar  hopcount      mtu     expire
           0         0         0         0         0         0      1280         0

Now the first part of the VPN setup is ready. The next step is to apply encryption to the packets that are going through the tunnel interface.

There are different components involved in setting up the encryption. They are as follows:

  • The setkey(8) utility is the kernel's "Security Policy" manipulation utility.
  • An IPSec key management utility such as the ipsec-tools or racoon2.

Since you do not want to encrypt every outgoing packet or decrypt every incoming packet, you need to specify which packets should be encrypted or decrypted. The kernel keeps a Security Policy Database (SPD), which holds the security policies you specify using the setkey(8) utility. This is where you actually specify which traffic you want to encrypt.

On the other hand, the system needs an IPSec key management utility to manage the Security Association (SA) between two IPSec endpoints. An SA is the mechanism for hosts to agree on encryption methods. To achieve this, you should run an Internet Key Exchange (IKE) daemon. The IKE daemon takes care of key management as well as the SAs between hosts.
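The following is an added example, not code from the book: a small Python model of how SPD entries written in setkey(8) spdadd syntax select which packets receive IPSec processing. The outer router addresses 203.0.113.1 and 198.51.100.1 are assumed placeholders, and the lookup (first match in file order, no IPSec for unmatched packets) is a simplification of the kernel's behaviour.

```python
import ipaddress
import re

# Constructed setkey(8) input. 203.0.113.1 (Router A) and 198.51.100.1
# (Router B) are assumed outer addresses of the gif tunnel, not from the page.
POLICY_TEXT = """
# protect only the gif-encapsulated (IP-in-IP) traffic between the routers
spdadd 203.0.113.1/32 198.51.100.1/32 ipencap -P out ipsec esp/tunnel/203.0.113.1-198.51.100.1/require;
spdadd 198.51.100.1/32 203.0.113.1/32 ipencap -P in ipsec esp/tunnel/198.51.100.1-203.0.113.1/require;
"""

SPDADD = re.compile(
    r"^spdadd\s+(\S+)\s+(\S+)\s+(\S+)\s+-P\s+(in|out)\s+(ipsec|none|discard)\s*(.*?)\s*;$"
)


def parse_spd(text):
    """Parse spdadd statements into a list of policies, kept in file order."""
    policies = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = SPDADD.match(line)
        if m is None:
            raise ValueError(f"unsupported setkey statement: {line!r}")
        src, dst, proto, direction, action, rule = m.groups()
        policies.append({
            "src": ipaddress.ip_network(src), "dst": ipaddress.ip_network(dst),
            "proto": proto, "dir": direction, "action": action, "rule": rule,
        })
    return policies


def decide(policies, src, dst, proto, direction):
    """Return (action, rule) for one packet. Simplified model: first match in
    file order wins, and an unmatched packet gets no IPsec processing."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for p in policies:
        if (p["dir"] == direction and s in p["src"] and d in p["dst"]
                and p["proto"] in ("any", proto)):
            return p["action"], p["rule"]
    return "none", ""


if __name__ == "__main__":
    spd = parse_spd(POLICY_TEXT)
    print(decide(spd, "203.0.113.1", "198.51.100.1", "ipencap", "out"))  # tunnel traffic
    print(decide(spd, "203.0.113.1", "198.51.100.1", "tcp", "out"))      # e.g. SSH
```

Only the IP-in-IP packets produced by the gif interface match a policy; other traffic between the same two addresses leaves unencrypted, which is the selective behaviour the SPD exists to express.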
