Other.md
... ...
@@ -19,7 +19,7 @@
19 19
- **RetroShare** can be run as a darknet (friend-to-friend) by default to perform anonymous file transfers if DHT and Discovery features are disabled.
20 20
- **GNUnet** is a darknet if the "F2F (network) topology" option is enabled.
21 21
- **Syndie** is software used to publish distributed forums over the anonymous networks of I2P, Tor and Freenet.
22
-OneSwarm can be run as a darknet for friend-to-friend file-sharing.
22
+- OneSwarm can be run as a darknet for friend-to-friend file-sharing.
23 23
- **Tribler** can be run as a darknet for file-sharing.
24 24
25 25
## BGP Routed IP
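Review bot: the new list item at line 22 is the only entry in this list whose project name is not bold; the neighbouring items read `- **RetroShare** ...`, `- **GNUnet** ...`, `- **Tribler** ...`, so for consistency write it as `- **OneSwarm** can be run as a darknet for friend-to-friend file-sharing.`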
howto/Bird.md
... ...
@@ -26,7 +26,7 @@ Note: This file covers the configuration of Bird 1.x. For an example configurati
26 26
27 27
## IPv6
28 28
29
-```
29
+```conf
30 30
#/etc/bird/bird6.conf
31 31
protocol device {
32 32
scan time 10;
... ...
@@ -96,7 +96,7 @@ template bgp dnpeers {
96 96
include "/etc/bird/peers6/*";
97 97
```
98 98
99
-```
99
+```conf
100 100
# /etc/bird/local6.conf
101 101
# should be a unique identifier, use same id as for ipv4
102 102
router id <GATEWAY_IP>;
... ...
@@ -115,7 +115,7 @@ function is_valid_network() {
115 115
}
116 116
```
117 117
118
-```
118
+```conf
119 119
# /etc/bird/peers6/<PEER_NAME>
120 120
protocol bgp <PEER_NAME> from dnpeers {
121 121
neighbor <PEERING_IP> as <PEER_AS>;
... ...
@@ -126,7 +126,7 @@ protocol bgp <PEER_NAME> from dnpeers {
126 126
127 127
### IPv4
128 128
129
-```
129
+```conf
130 130
# /etc/bird/bird.conf
131 131
# Device status
132 132
protocol device {
... ...
@@ -205,7 +205,7 @@ template bgp dnpeers {
205 205
include "/etc/bird/peers4/*";
206 206
```
207 207
208
-```
208
+```conf
209 209
#/etc/bird/local4.conf
210 210
# should be a unique identifier, <GATEWAY_IP> is what most people use.
211 211
router id <GATEWAY_IP>;
... ...
@@ -232,7 +232,7 @@ function is_valid_network() {
232 232
}
233 233
```
234 234
235
-```
235
+```conf
236 236
# /etc/bird/peers4/<PEER_NAME>
237 237
protocol bgp <PEER_NAME> from dnpeers {
238 238
neighbor <PEERING_IP> as <PEER_AS>;
... ...
@@ -276,27 +276,27 @@ ROA files generated by [roa_wizard](https://git.dn42.dev/Kioubit/roa_wizard) are
276 276
277 277
You can add cron entries to periodically update the tables:
278 278
279
-```
279
+```conf
280 280
*/15 * * * * curl -sfSLR {-o,-z}/var/lib/bird/bird6_roa_dn42.conf https://dn42.burble.com/roa/dn42_roa_bird1_6.conf && chronic birdc6 configure
281 281
*/15 * * * * curl -sfSLR {-o,-z}/var/lib/bird/bird_roa_dn42.conf https://dn42.burble.com/roa/dn42_roa_bird1_4.conf && chronic birdc configure
282 282
```
283 283
284 284
Debian version:
285 285
286
-```
286
+```conf
287 287
*/15 * * * * curl -sfSLR -o/var/lib/bird/bird6_roa_dn42.conf -z/var/lib/bird/bird6_roa_dn42.conf https://dn42.burble.com/roa/dn42_roa_bird1_6.conf && /usr/sbin/birdc6 configure
288 288
*/15 * * * * curl -sfSLR -o/var/lib/bird/bird_roa_dn42.conf -z/var/lib/bird/bird_roa_dn42.conf https://dn42.burble.com/roa/dn42_roa_bird1_4.conf && /usr/sbin/birdc configure
289 289
```
290 290
291 291
then create the directory to make sure curls can save the files:
292 292
293
-```
293
+```sh
294 294
mkdir -p /var/lib/bird/
295 295
```
296 296
297 297
Or use a systemd timer: (check the commands before copy-pasting)
298 298
299
-```
299
+```conf
300 300
# /etc/systemd/system/dn42-roa.service
301 301
[Unit]
302 302
Description=Update DN42 ROA
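Review bot: the `dn42-roa.service` fragment starting at line 300 (and the `.timer` unit in the next hunk) are INI-style systemd units, for which `ini` is the usual fence tag and gives section and key highlighting that `conf` does not; the two crontab blocks at lines 279 and 286 gain nothing from `conf` either, so leaving those untagged would be equivalent.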
... ...
@@ -308,7 +308,7 @@ ExecStart=curl -sfSLR -o /etc/bird/roa_dn42_v6.conf -z /etc/bird/roa_dn42_v6.con
308 308
ExecStart=birdc configure
309 309
```
310 310
311
-```
311
+```conf
312 312
# /etc/systemd/system/dn42-roa.timer
313 313
[Unit]
314 314
Description=Update DN42 ROA periodically
... ...
@@ -328,26 +328,28 @@ then enable and start the timer with `systemctl enable --now dn42-roa.timer`.
328 328
329 329
* Download gortr
330 330
331
-`https://github.com/cloudflare/gortr/releases`
331
+<https://github.com/cloudflare/gortr/releases>
332 332
333 333
* Run gortr.
334 334
335
-```
335
+```sh
336 336
./gortr -verify=false -checktime=false -cache=https://dn42.burble.com/roa/dn42_roa_46.json
337 337
```
338 338
339 339
340 340
* Run with docker
341 341
342
-`docker pull cloudflare/gortr`
343
-
342
+```sh
343
+docker pull cloudflare/gortr
344 344
```
345
+
346
+```sh
345 347
docker run --name dn42rpki -p 8282:8282 --restart=always -d cloudflare/gortr -verify=false -checktime=false -cache=https://dn42.burble.com/roa/dn42_roa_46.json
346 348
```
347 349
348 350
* Add this to your bird configure file,other ROA protocol must removed.
349 351
350
-```
352
+```conf
351 353
protocol rpki rpki_dn42{
352 354
roa4 { table dn42_roa; };
353 355
roa6 { table dn42_roa_v6; };
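Review bot: the `docker pull` and `docker run` commands at lines 342-348 are split into two `sh` blocks with an empty line between them although they are one procedure; a single block reads better. While this block is being touched, the unchanged sentence at line 350, `* Add this to your bird configure file,other ROA protocol must removed.`, could be fixed to `* Add this to your bird configuration file; any other ROA protocol must be removed.`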
... ...
@@ -364,7 +366,7 @@ protocol rpki rpki_dn42{
364 366
365 367
In your import filter add the following to reject invalid routes:
366 368
367
-```
369
+```conf
368 370
if (roa_check(dn42_roa, net, bgp_path.last) != ROA_VALID) then {
369 371
print "[dn42] ROA check failed for ", net, " ASN ", bgp_path.last;
370 372
reject;
... ...
@@ -373,7 +375,7 @@ if (roa_check(dn42_roa, net, bgp_path.last) != ROA_VALID) then {
373 375
374 376
Also, define your ROA table with:
375 377
376
-```
378
+```conf
377 379
roa table dn42_roa {
378 380
include "/var/lib/bird/bird_roa_dn42.conf";
379 381
};
... ...
@@ -386,7 +388,7 @@ roa table dn42_roa {
386 388
387 389
bird can be remote controlled via the `birdc` command. Here is a list of useful bird commands:
388 390
389
-```
391
+```sh
390 392
$ birdc
391 393
BIRD 1.4.5 ready.
392 394
bird> configure # reload configuration
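Review bot: the block opened at line 391 is an interactive `birdc` session (`BIRD 1.4.5 ready.`, `bird> configure # reload configuration`) rather than shell input, so `sh` highlighting will mis-colour the `bird>` prompt lines; `console` or an untagged fence fits a transcript better, keeping `sh` for the blocks that are actually typed into a shell.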
howto/Bird2.md
... ...
@@ -26,7 +26,7 @@ When copying the configuration below onto your system, you will have to enter th
26 26
* The same goes for `<OWNNETv6>`, but it takes an IPv6 subnet (Who'd have thought).
27 27
* Keep in mind that you'll have to enter both networks in the OWNNET{,v6} and OWNNETSET{,v6}, the two variables are required due to set parsing difficulties with variables.
28 28
29
-```
29
+```conf
30 30
################################################
31 31
# Variable header #
32 32
################################################
... ...
@@ -182,7 +182,7 @@ The example config above relies on ROA configuration files in `/etc/bird/roa_dn4
182 182
183 183
To use an RTR server for ROA information, replace this config in your bird2 configuration file:
184 184
185
-```
185
+```conf
186 186
protocol static {
187 187
roa4 { table dn42_roa; };
188 188
include "/etc/bird/roa_dn42.conf";
... ...
@@ -196,7 +196,7 @@ protocol static {
196 196
197 197
... with this one (by changing address and port so it points to your RTR server)
198 198
199
-```
199
+```conf
200 200
protocol rpki roa_dn42 {
201 201
roa4 { table dn42_roa; };
202 202
roa6 { table dn42_roa_v6; };
... ...
@@ -228,7 +228,7 @@ Please note: This section assumes that you've already got a tunnel to your peeri
228 228
229 229
First, make sure the /etc/bird/peers directory exists:
230 230
231
-```
231
+```sh
232 232
# mkdir -p /etc/bird/peers
233 233
```
234 234
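Review bot: tagging `# mkdir -p /etc/bird/peers` as `sh` at line 231 turns the whole line into a shell comment for the highlighter, because the root prompt `#` is the comment character; either drop the prompt and keep `sh`, or keep the prompt and use `console` (or leave the fence untagged) as for the other transcript blocks.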
... ...
@@ -246,4 +246,4 @@ protocol bgp <NEIGHBOR_NAME>_v6 from dnpeers {
246 246
}
247 247
```
248 248
249
-Due to the special link local addresses of IPv6, an interface has to be specified using the %<if> syntax if a link local address is used (Which is recommended)
249
+Due to the special link local addresses of IPv6, an interface has to be specified using the `%<if>` syntax if a link local address is used (Which is recommended)
howto/EMail.md
... ...
@@ -11,14 +11,14 @@ Running email in dn42 is not very complicated. Your SMTP daemon probably alread
11 11
12 12
| Handle | Alias | Redirection |
13 13
|:------------ |:-------------- |:--------------------- |
14
-| `STV0G-DN42` | stv0g@dn42.org | post@steffenvogel.de` |
14
+| `STV0G-DN42` | stv0g@dn42.org | `post@steffenvogel.de` |
15 15
16 16
## Test email
17 17
18 18
~~Send an email to `test@evenet.dn42` to check if your mail setup is correct.~~ This host will reply using the following
19 19
sieve filter:
20 20
21
-```
21
+```conf
22 22
require ["regex", "variables", "vacation-seconds"];
23 23
if header :contains "To" ["test@evenet.dn42"] {
24 24
if header :matches "Subject" "*" {
... ...
@@ -41,31 +41,35 @@ This is controlled by the `ignore_target_hosts` variable in the configuration fi
41 41
### Receiving emails
42 42
43 43
Don't forget to add your dn42 domains to the list of local domains, so that you accept incoming emails. On Debian, it is controlled by `dc_other_hostnames` in `update-exim4.conf.conf`. For instance:
44
-
45
- dc_other_hostnames='myself.org;myself.dn42;myserver.myself.dn42'
46
-
44
+```conf
45
+dc_other_hostnames='myself.org;myself.dn42;myserver.myself.dn42'
46
+```
47 47
48 48
## Postfix
49 49
50 50
### Sending Mails
51 51
If your machine sends/receives Mails in "clearnet" with specific bound IP's you need to create an additional transport in master.cf
52 52
53
- out_dn42 unix - - n - - smtp
54
- -o smtp_bind_address=172.23.67.1
55
- -o smtp_bind_address6=fd70:96c9:ef25::1
56
- -o smtp_helo_name=ns1.mhm.dn42
57
- -o syslog_name=postfix-dn42
53
+```conf
54
+out_dn42 unix - - n - - smtp
55
+ -o smtp_bind_address=172.23.67.1
56
+ -o smtp_bind_address6=fd70:96c9:ef25::1
57
+ -o smtp_helo_name=ns1.mhm.dn42
58
+ -o syslog_name=postfix-dn42
59
+```
58 60
59 61
and add this transport to /etc/postfix/transport for dn42 (and dont forget to postmap)
60 62
61
- .dn42 out_dn42:
63
+```
64
+.dn42 out_dn42:
65
+```
62 66
63 67
This should to the trick for sending mails via your DN42-IP
64 68
65 69
If you use `smtpd_recipient_restrictions` you can use the following rule to white-list dn42 as sender.
66 70
This can circumvent certain rdns configuration failure or in case you use rbl lists:
67 71
68
-```
72
+```conf
69 73
smtpd_recipient_restrictions = permit_mynetworks,
70 74
permit_sasl_authenticated,
71 75
check_client_access cidr:/etc/postfix/dn42.cidr,
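Review bot: the new fence around `.dn42 out_dn42:` at lines 63-65 is the only one in this hunk left without a language tag, while the `dc_other_hostnames` and `master.cf` blocks just above get ```conf; tag it `conf` as well so the file is consistent.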
... ...
@@ -74,14 +78,14 @@ smtpd_recipient_restrictions = permit_mynetworks,
74 78
permit
75 79
```
76 80
77
-```
81
+```conf
78 82
#/etc/postfix/dn42.cidr
79 83
172.16.0.0/12 OK
80 84
10.0.0.0/8 OK
81 85
fc00::/7 OK
82 86
```
83 87
84
-```
88
+```sh
85 89
$ postmap /etc/postfix/dn42.cidr
86 90
```
87 91
howto/EdgeOS-Config-Example.md
... ...
@@ -20,7 +20,7 @@ Ask me if you want to know if I have implemented those items already.
20 20
21 21
# Configuration
22 22
23
-```
23
+```conf
24 24
firewall {
25 25
all-ping enable
26 26
broadcast-ping disable
howto/EdgeOS-GRE-IPsec-Example.md
... ...
@@ -12,16 +12,20 @@ This configuration assumes that both peers have static public IPs.
12 12
13 13
You'll need to generate a public/private keypair for your router if you intend to use "plainrsa" authentication for your IPsec connections. The local public key listed in the output is what you'll send to your peer.
14 14
15
- ryan@edge1:~$ generate vpn rsa-key bits 4096
16
- ryan@edge1:~$ show vpn ike rsa-keys
15
+```sh
16
+ryan@edge1:~$ generate vpn rsa-key bits 4096
17
+ryan@edge1:~$ show vpn ike rsa-keys
17 18
18
- Local public key (/config/ipsec.d/rsa-keys/localhost.key):
19
+Local public key (/config/ipsec.d/rsa-keys/localhost.key):
20
+
21
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
22
+```
19 23
20
- 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
21 24
If your peer sends you a key in PEM format (starts with `-----BEGIN PUBLIC KEY-----`), you'll need to convert it to the format used by EdgeOS (begins with `0s`) in order to insert it into the configuration. See [this forum post](http://community.ubnt.com/t5/EdgeMAX/ERL-lt-gt-Mikrotik-IPsec-Connections/m-p/534682#M13015) for a script to convert between the two key formats.
22 25
23 26
## Configuration
24 27
28
+```conf
25 29
firewall {
26 30
all-ping enable
27 31
broadcast-ping disable
... ...
@@ -499,3 +503,4 @@ If your peer sends you a key in PEM format (starts with `-----BEGIN PUBLIC KEY--
499 503
interface eth0
500 504
}
501 505
}
506
+```
howto/GRE-on-FreeBSD.md
... ...
@@ -21,7 +21,7 @@ ifconfig gre$INDEX descr $DESCR
21 21
22 22
Add this to your `rc.conf`.
23 23
24
-```
24
+```conf
25 25
cloned_interfaces="$cloned_interfaces gre0"
26 26
ifconfig_gre0="10.0.0.1 10.0.0.2 netmask 0xffffffff tunnel 1.2.3.4 5.6.7.8 descr foo"
27 27
```
howto/GRE-on-OpenBSD.md
... ...
@@ -9,7 +9,7 @@ Let `fd42::` and `fd42::1` be the IPs of *A* and *D* respectively where both are
9 9
10 10
## pseudo interface
11 11
Populate [`/etc/hostname.gre0`](https://man.openbsd.org/hostname.if.5) with:
12
-```
12
+```conf
13 13
tunnel A.example.com D.example.net
14 14
inet6 fd42::/127
15 15
```
... ...
@@ -21,7 +21,7 @@ Reboot or run [`sh /etc/netstart gre0`](https://man.openbsd.org/netstart.8) to b
21 21
22 22
## miscellaneous
23 23
Populate `/etc/sysctl.conf` with:
24
-```
24
+```conf
25 25
net.inet.gre.allow=1
26 26
```
27 27
Reboot or run `sysctl net.inet.gre.allow=1` to allow GRE packet processing.
howto/Getting-Started.md
... ...
@@ -67,7 +67,7 @@ Common authentication methods are:
67 67
- SSH Key: `auth: ssh-{rsa,ed25519} <key>`
68 68
69 69
Example: data/mntner/FOO-MNT
70
-```
70
+```conf
71 71
mntner: FOO-MNT
72 72
admin-c: FOO-DN42
73 73
tech-c: FOO-DN42
... ...
@@ -93,7 +93,7 @@ Contact attributes are optional but DN42 is a dynamic network and being able to
93 93
94 94
95 95
Example: data/person/FOO-DN42
96
-```
96
+```conf
97 97
person: John Doe
98 98
e-mail: john.doe@example.com
99 99
nic-hdl: FOO-DN42
... ...
@@ -116,7 +116,7 @@ If you intend to register resources for an organisation (e.g. your hackerspace),
116 116
- don't forget to set `mnt-by` to `<FOO>-MNT`, since you're managing this object on behalf of your organisation.
117 117
118 118
Example: data/organisation/ORG-EXAMPLE
119
-```
119
+```conf
120 120
organisation: ORG-FOO
121 121
org-name: Foo Organisation
122 122
admin-c: FOO-DN42
... ...
@@ -153,7 +153,7 @@ Internet ASNs may be used, but you must take care to clearly separate Internet a
153 153
If unsure, ask on the mailing list or IRC.
154 154
155 155
Example: data/aut-num/AS4242423999
156
-```
156
+```conf
157 157
aut-num: AS4242423999
158 158
as-name: AS-FOO-DN42
159 159
admin-c: FOO-DN42
... ...
@@ -179,7 +179,7 @@ A few websites can generate random ULA prefixes for you:
179 179
or a small script is available: [ulagen.py](https://git.dn42.dev/netravnen/dn42-repo-utils/src/master/ulagen.py)
180 180
181 181
example: data/inet6num/fd35:4992:6a6d::_48
182
-```
182
+```conf
183 183
inet6num: fd35:4992:6a6d:0000:0000:0000:0000:0000 - fd35:4992:6a6d:ffff:ffff:ffff:ffff:ffff
184 184
cidr: fd35:4992:6a6d::/48
185 185
netname: FOO-NETWORK
... ...
@@ -223,7 +223,7 @@ If you need a /24 or larger, please ask in the IRC chan or on the mailing list a
223 223
**Note:** Reverse DNS works with _any_ prefix length, as long as your [recursive nameserver](/services/DNS) supports [RFC 2317](https://www.ietf.org/rfc/rfc2317.txt). Don't go for a /24 _just to have RDNS_.
224 224
225 225
example: data/inetnum/172.20.150.0_27
226
-```
226
+```conf
227 227
inetnum: 172.20.150.0 - 172.20.150.31
228 228
cidr: 172.20.150.0/27
229 229
netname: FOO-NETWORK
... ...
@@ -241,7 +241,7 @@ source: DN42
241 241
If you plan to announce your prefixes in dn42, which you probably want in most cases, you will also need to create a `route6` object for ipv6 prefixes and a `route` object for ipv4 prefixes. This information is used for Route Origin Authorization (ROA) checks. If you skip this step, your network will probably get filtered by most major peers. Checking ROA will prevent (accidental) hijacking of other people's prefixes.
242 242
243 243
example: data/route6/fd35:4992:6a6d::_48
244
-```
244
+```conf
245 245
route6: fd35:4992:6a6d::/48
246 246
origin: AS4242423999
247 247
max-length: 48
... ...
@@ -250,7 +250,7 @@ source: DN42
250 250
```
251 251
252 252
example data/route/172.20.150.0_27:
253
-```
253
+```conf
254 254
route: 172.20.150.0/27
255 255
origin: AS4242423999
256 256
max-length: 27
... ...
@@ -266,7 +266,7 @@ To register a domain name, create a `dns` object in the data/dns directory.
266 266
Domain names and nserver attributes must be lowercase.
267 267
268 268
example: data/dns/foo.dn42
269
-```
269
+```conf
270 270
domain: foo.dn42
271 271
admin-c: FOO-DN42
272 272
tech-c: FOO-DN42
... ...
@@ -280,13 +280,13 @@ source: DN42
280 280
281 281
You can also add DNSSEC delegations using `ds-rdata` attributes to your domain:
282 282
283
-```
283
+```conf
284 284
ds-rdata: 61857 13 2 bd35e3efe3325d2029fb652e01604a48b677cc2f44226eeabee54b456c67680c
285 285
```
286 286
287 287
For reverse DNS, add `nserver` attributes to you inet{,6}num objects:
288 288
289
-```
289
+```conf
290 290
inet6num: fd35:4992:6a6d:0000:0000:0000:0000:0000 - fd35:4992:6a6d:ffff:ffff:ffff:ffff:ffff
291 291
cidr: fd35:4992:6a6d::/48
292 292
netname: FOO-NETWORK
howto/IPsec-on-FreeBSD.md
... ...
@@ -10,9 +10,9 @@ These instructions are for IPsec in transport mode not IPsec in tunnel mode. IPs
10 10
## Kernel configuration
11 11
The FreeBSD GENERIC kernel lacks support for in-kernel IPsec processing. Add this two lines to your kernel config and (re-)build your own kernel.
12 12
If you're new to FreeBSD check Chapters [15.9.1](http://www.freebsd.org/doc/handbook/ipsec.html) and [9](http://www.freebsd.org/doc/handbook/kernelconfig.html) of the FreeBSD handbook.
13
-```
14
- options IPSEC #IP security
15
- device crypto
13
+```conf
14
+options IPSEC #IP security
15
+device crypto
16 16
```
17 17
Reboot into your new kernel.
18 18
... ...
@@ -20,7 +20,7 @@ Reboot into your new kernel.
20 20
21 21
Install the racoon daemon. It's included in the [security/ipsec-tools](http://www.freshports.org/security/ipsec-tools/) port.
22 22
Racoon is pain in the ass to configure the first time because it's error messages aren't helping and the complexity of IPsec. Don't let this stop you.
23
-```
23
+```conf
24 24
path pre_shared_key "/usr/local/etc/racoon/psk";
25 25
path certificate "/usr/local/etc/racoon/certs";
26 26
log info;
howto/IPsecWithPublicKeys/CiscoIOSExample.md
... ...
@@ -5,37 +5,43 @@ _Note: You may already have completed this step, since it's required to enable S
5 5
6 6
1. Configure a hostname and domain name.
7 7
8
- Router#conf t
9
- Router(config)#hostname foo
10
- foo(config)#ip domain-name bar
8
+```
9
+Router#conf t
10
+Router(config)#hostname foo
11
+foo(config)#ip domain-name bar
12
+```
11 13
12 14
2. Generate an RSA key. The maximum length was increased from 2048 to 4096 as of release 15.1(1)T
13 15
14
- foo(config)#crypto key generate rsa general-keys modulus 2048
15
- % The key modulus size is 2048 bits
16
- % Generating 2048 bit RSA keys, keys will be non-exportable...
17
- foo(config)#exit
16
+```
17
+foo(config)#crypto key generate rsa general-keys modulus 2048
18
+% The key modulus size is 2048 bits
19
+% Generating 2048 bit RSA keys, keys will be non-exportable...
20
+foo(config)#exit
21
+```
18 22
19 23
### Exchange public keys with your peer
20 24
1. Display the public key. Send the key data portion to your peer.
21 25
22
- foo#show crypto key mypubkey rsa foo.bar
23
- % Key pair was generated at: 19:24:02 UTC Jul 19 2014
24
- Key name: foo.bar
25
- Storage Device: not specified
26
- Usage: General Purpose Key
27
- Key is not exportable.
28
- Key Data:
29
- 30820122 300D0609 2A864886 F70D0101 01050003 82010F00 3082010A 02820101
30
- 00ABF25E 090CBDFC 47B3763B 01E38993 584F1D47 49DEE0FC 6A766D95 F416C5A8
31
- 83E16EF2 19C00BC9 64B3E351 D6F43E57 461AC689 912C22FE C4BE10EE 05750F27
32
- FEBB9C8C 2DFC7DD7 C0D1E8B2 7F022F54 04101205 60E47D99 2307E625 404F1130
33
- CBD1759B BBDBBF89 0C0F6B09 52E50A81 BFCC6AA6 96AFF612 B700AEA5 0EDFCDDB
34
- D3C7E014 2A59CD82 29A403CA 01EE580A CC4A3A2C C36369FE D2FA0FEF 2DC32D50
35
- 1C55A296 3CBD6AAC 6AA66C73 FAB30A12 CFD1341D C261E013 8A7DA310 8D0E6C99
36
- C248D554 D0D68508 3EA53F0F 971DA7A6 203CA186 A79F9D93 0D2E54EF F7E311B2
37
- F7A8B486 D980661D DEB6C0B3 80A82583 4936F131 57C6D204 0AA5ED7F 7749F044
38
- 8F020301 0001
26
+```
27
+foo#show crypto key mypubkey rsa foo.bar
28
+% Key pair was generated at: 19:24:02 UTC Jul 19 2014
29
+Key name: foo.bar
30
+Storage Device: not specified
31
+Usage: General Purpose Key
32
+Key is not exportable.
33
+Key Data:
34
+ 30820122 300D0609 2A864886 F70D0101 01050003 82010F00 3082010A 02820101
35
+ 00ABF25E 090CBDFC 47B3763B 01E38993 584F1D47 49DEE0FC 6A766D95 F416C5A8
36
+ 83E16EF2 19C00BC9 64B3E351 D6F43E57 461AC689 912C22FE C4BE10EE 05750F27
37
+ FEBB9C8C 2DFC7DD7 C0D1E8B2 7F022F54 04101205 60E47D99 2307E625 404F1130
38
+ CBD1759B BBDBBF89 0C0F6B09 52E50A81 BFCC6AA6 96AFF612 B700AEA5 0EDFCDDB
39
+ D3C7E014 2A59CD82 29A403CA 01EE580A CC4A3A2C C36369FE D2FA0FEF 2DC32D50
40
+ 1C55A296 3CBD6AAC 6AA66C73 FAB30A12 CFD1341D C261E013 8A7DA310 8D0E6C99
41
+ C248D554 D0D68508 3EA53F0F 971DA7A6 203CA186 A79F9D93 0D2E54EF F7E311B2
42
+ F7A8B486 D980661D DEB6C0B3 80A82583 4936F131 57C6D204 0AA5ED7F 7749F044
43
+ 8F020301 0001
44
+```
39 45
40 46
2. Convert your peer's public key to the hexadecimal DER format using the [pubkey-converter][pubkey-converter] script, if necessary.
41 47
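Review bot: the fences added at lines 8, 16 and 26 (and in the next hunk) are left untagged, whereas every other file in this commit gets `conf` or `sh`; that is defensible for IOS CLI transcripts, but the choice should be consistent, and the full running-config example in the next hunk could at least be tagged `conf`. The same applies to the RouterOS and OpenBSD `ipsecctl` transcript blocks in this commit.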
... ...
@@ -56,76 +62,83 @@ In this example, we'll use the following settings:
56 62
57 63
1. Add your peer's public key
58 64
59
- foo#conf t
60
- Enter configuration commands, one per line. End with CNTL/Z.
61
- foo(config)#crypto key pubkey-chain rsa
62
- foo(config-pubkey-chain)#addressed-key 192.0.2.2
63
- foo(config-pubkey-key)#key-string
64
- Enter a public key as a hexidecimal number ....
65
-
66
- foo(config-pubkey)#30820122 300D0609 2A864886 F70D0101 01050003 82010F00 3082010A 02820101
67
- foo(config-pubkey)#00F3E0AA 8924E512 C08BA87C 73820A15 E5180DDC EF827221 2B3864BF B2D2A5E0
68
- foo(config-pubkey)#33D04C1D 43A0CAF8 617EEEBA 7DB5BD38 429660CC 3144618E 4F386201 52483DA7
69
- foo(config-pubkey)#FDDF7AAC DCA8C19D FF5B1956 14F63831 ACE70D0F 4C557CE7 220C7E8B 9A2C837F
70
- foo(config-pubkey)#065A2B41 23B68074 C57F6F78 2F222DA1 915A095C CED77FF3 F1DF849C 3FD086EA
71
- foo(config-pubkey)#0A74901D 99DA97D5 0CFB22E7 C6C827E6 E53BE215 8D4928D2 458B02E2 1600F1F1
72
- foo(config-pubkey)#F1128D63 3A55EC4B 54E6A8E1 0B197E1E 7DA31CC2 54C30A2D 03BE5B8A 16A5E324
73
- foo(config-pubkey)#F3B15B67 C3FB2831 7F31610A 3BD59E74 E749DC25 74424F3F 7EC305AD 0BFA5008
74
- foo(config-pubkey)#E36C6E00 854433B6 A0E8DBF1 7A4741DD A91A5320 1D5150FA 28F12273 56A3E9A2
75
- foo(config-pubkey)#D5020301 0001
76
- foo(config-pubkey)#quit
77
- foo(config-pubkey-key)#exit
78
- foo(config-pubkey-chain)#exit
65
+```
66
+foo#conf t
67
+Enter configuration commands, one per line. End with CNTL/Z.
68
+foo(config)#crypto key pubkey-chain rsa
69
+foo(config-pubkey-chain)#addressed-key 192.0.2.2
70
+foo(config-pubkey-key)#key-string
71
+Enter a public key as a hexidecimal number ....
72
+
73
+foo(config-pubkey)#30820122 300D0609 2A864886 F70D0101 01050003 82010F00 3082010A 02820101
74
+foo(config-pubkey)#00F3E0AA 8924E512 C08BA87C 73820A15 E5180DDC EF827221 2B3864BF B2D2A5E0
75
+foo(config-pubkey)#33D04C1D 43A0CAF8 617EEEBA 7DB5BD38 429660CC 3144618E 4F386201 52483DA7
76
+foo(config-pubkey)#FDDF7AAC DCA8C19D FF5B1956 14F63831 ACE70D0F 4C557CE7 220C7E8B 9A2C837F
77
+foo(config-pubkey)#065A2B41 23B68074 C57F6F78 2F222DA1 915A095C CED77FF3 F1DF849C 3FD086EA
78
+foo(config-pubkey)#0A74901D 99DA97D5 0CFB22E7 C6C827E6 E53BE215 8D4928D2 458B02E2 1600F1F1
79
+foo(config-pubkey)#F1128D63 3A55EC4B 54E6A8E1 0B197E1E 7DA31CC2 54C30A2D 03BE5B8A 16A5E324
80
+foo(config-pubkey)#F3B15B67 C3FB2831 7F31610A 3BD59E74 E749DC25 74424F3F 7EC305AD 0BFA5008
81
+foo(config-pubkey)#E36C6E00 854433B6 A0E8DBF1 7A4741DD A91A5320 1D5150FA 28F12273 56A3E9A2
82
+foo(config-pubkey)#D5020301 0001
83
+foo(config-pubkey)#quit
84
+foo(config-pubkey-key)#exit
85
+foo(config-pubkey-chain)#exit
86
+```
79 87
80 88
2. Configure an ISAKMP policy
81 89
82
- foo(config)#crypto isakmp policy 10
83
- foo(config-isakmp)#encryption aes
84
- foo(config-isakmp)#hash sha
85
- foo(config-isakmp)#group 5
86
- foo(config-isakmp)#lifetime 28800
87
- foo(config-isakmp)#authentication rsa-sig
88
- foo(config-isakmp)#exit
90
+```
91
+foo(config)#crypto isakmp policy 10
92
+foo(config-isakmp)#encryption aes
93
+foo(config-isakmp)#hash sha
94
+foo(config-isakmp)#group 5
95
+foo(config-isakmp)#lifetime 28800
96
+foo(config-isakmp)#authentication rsa-sig
97
+foo(config-isakmp)#exit
98
+```
89 99
90 100
3. All done! Configure the phase 2 parameters as you otherwise would.
91 101
92 102
## Full GRE/IPsec example
93
- crypto key pubkey-chain rsa
94
- addressed-key 192.0.2.2
95
- address 192.0.2.2
96
- key-string
97
- 30820122 300D0609 2A864886 F70D0101 01050003 82010F00 3082010A 02820101
98
- 00F3E0AA 8924E512 C08BA87C 73820A15 E5180DDC EF827221 2B3864BF B2D2A5E0
99
- 33D04C1D 43A0CAF8 617EEEBA 7DB5BD38 429660CC 3144618E 4F386201 52483DA7
100
- FDDF7AAC DCA8C19D FF5B1956 14F63831 ACE70D0F 4C557CE7 220C7E8B 9A2C837F
101
- 065A2B41 23B68074 C57F6F78 2F222DA1 915A095C CED77FF3 F1DF849C 3FD086EA
102
- 0A74901D 99DA97D5 0CFB22E7 C6C827E6 E53BE215 8D4928D2 458B02E2 1600F1F1
103
- F1128D63 3A55EC4B 54E6A8E1 0B197E1E 7DA31CC2 54C30A2D 03BE5B8A 16A5E324
104
- F3B15B67 C3FB2831 7F31610A 3BD59E74 E749DC25 74424F3F 7EC305AD 0BFA5008
105
- E36C6E00 854433B6 A0E8DBF1 7A4741DD A91A5320 1D5150FA 28F12273 56A3E9A2
106
- D5020301 0001
107
- quit
108
- !
109
- crypto isakmp policy 10
110
- encr aes
111
- group 5
112
- lifetime 28800
113
- !
114
- crypto ipsec transform-set tset esp-aes esp-sha-hmac
115
- mode transport
116
- !
117
- crypto ipsec profile FOO
118
- set transform-set tset
119
- set pfs group5
120
- !
121
- interface Tunnel0
122
- ip address 10.1.2.0 255.255.255.254
123
- ip mtu 1400
124
- tunnel source 192.0.2.1
125
- tunnel destination 192.0.2.2
126
- tunnel protection ipsec profile FOO
127
- !
128
- interface FastEthernet0/0
129
- description WAN
130
- ip address 192.0.2.1 255.255.255.0
131
- duplex full
103
+
104
+```
105
+crypto key pubkey-chain rsa
106
+ addressed-key 192.0.2.2
107
+ address 192.0.2.2
108
+ key-string
109
+ 30820122 300D0609 2A864886 F70D0101 01050003 82010F00 3082010A 02820101
110
+ 00F3E0AA 8924E512 C08BA87C 73820A15 E5180DDC EF827221 2B3864BF B2D2A5E0
111
+ 33D04C1D 43A0CAF8 617EEEBA 7DB5BD38 429660CC 3144618E 4F386201 52483DA7
112
+ FDDF7AAC DCA8C19D FF5B1956 14F63831 ACE70D0F 4C557CE7 220C7E8B 9A2C837F
113
+ 065A2B41 23B68074 C57F6F78 2F222DA1 915A095C CED77FF3 F1DF849C 3FD086EA
114
+ 0A74901D 99DA97D5 0CFB22E7 C6C827E6 E53BE215 8D4928D2 458B02E2 1600F1F1
115
+ F1128D63 3A55EC4B 54E6A8E1 0B197E1E 7DA31CC2 54C30A2D 03BE5B8A 16A5E324
116
+ F3B15B67 C3FB2831 7F31610A 3BD59E74 E749DC25 74424F3F 7EC305AD 0BFA5008
117
+ E36C6E00 854433B6 A0E8DBF1 7A4741DD A91A5320 1D5150FA 28F12273 56A3E9A2
118
+ D5020301 0001
119
+ quit
120
+ !
121
+ crypto isakmp policy 10
122
+ encr aes
123
+ group 5
124
+ lifetime 28800
125
+ !
126
+ crypto ipsec transform-set tset esp-aes esp-sha-hmac
127
+ mode transport
128
+ !
129
+ crypto ipsec profile FOO
130
+ set transform-set tset
131
+ set pfs group5
132
+ !
133
+ interface Tunnel0
134
+ ip address 10.1.2.0 255.255.255.254
135
+ ip mtu 1400
136
+ tunnel source 192.0.2.1
137
+ tunnel destination 192.0.2.2
138
+ tunnel protection ipsec profile FOO
139
+ !
140
+ interface FastEthernet0/0
141
+ description WAN
142
+ ip address 192.0.2.1 255.255.255.0
143
+ duplex full
144
+```
howto/IPsecWithPublicKeys/GRE-plus-IPsec-Debian.md
... ...
@@ -21,17 +21,17 @@ Change the direction on 5.6.7.8.
21 21
22 22
## Load the IPsec security policy into the IPsec security policy database
23 23
Load the policy with the setkey command.
24
-```
24
+```sh
25 25
setkey -f /etc/ipsec-tools.conf
26 26
```
27 27
Afterward check the policy database with:
28
-```
28
+```sh
29 29
setkey -DP
30 30
```
31 31
32 32
## Configure the racoon daemon
33 33
An example /etc/racoon/racoon.conf.
34
-```
34
+```conf
35 35
path pre_shared_key "/etc/racoon/psk.txt";
36 36
path certificate "/etc/racoon/certs";
37 37
log info;
howto/IPsecWithPublicKeys/OpenBSDExample.md
... ...
@@ -34,32 +34,40 @@ Next, add the right flow parameters to [`/etc/ipsec.conf`](http://man.openbsd.or
34 34
35 35
The configuration file should look like this:
36 36
37
- mymachine = "3.4.5.6"
38
- mypeer = "1.3.3.7"
39
- ike esp transport proto gre from $mymachine to $mypeer \
40
- main auth hmac-sha1 enc aes-128 group modp1536 lifetime 28800 \
41
- quick auth hmac-sha1 enc aes-128 group modp1536 lifetime 3600
37
+```conf
38
+mymachine = "3.4.5.6"
39
+mypeer = "1.3.3.7"
40
+ike esp transport proto gre from $mymachine to $mypeer \
41
+ main auth hmac-sha1 enc aes-128 group modp1536 lifetime 28800 \
42
+ quick auth hmac-sha1 enc aes-128 group modp1536 lifetime 3600
43
+```
42 44
43 45
Load the configuration file into isakmpd: `ipsecctl -f /etc/ipsec.conf`. Once the connection is established, the IPSec flows can be listed with `ipsecctl -sa`:
44 46
45
- # ipsecctl -sa
46
- FLOWS:
47
- flow esp in proto gre from 1.3.3.7 to 3.4.5.6 peer 1.3.3.7 srcid 3.4.5.6/32 dstid 1.3.3.7/32 type use
48
- flow esp out proto gre from 3.4.5.6 to 1.3.3.7 peer 1.3.3.7 srcid 3.4.5.6/32 dstid 1.3.3.7/32 type require
47
+```
48
+# ipsecctl -sa
49
+FLOWS:
50
+flow esp in proto gre from 1.3.3.7 to 3.4.5.6 peer 1.3.3.7 srcid 3.4.5.6/32 dstid 1.3.3.7/32 type use
51
+flow esp out proto gre from 3.4.5.6 to 1.3.3.7 peer 1.3.3.7 srcid 3.4.5.6/32 dstid 1.3.3.7/32 type require
49 52
50
- SAD:
51
- esp transport from 1.3.3.7 to 3.4.5.6 spi 0xdeadbeef auth hmac-sha1 enc aes
52
- esp transport from 3.4.5.6 to 1.3.3.7 spi 0xf00df00d auth hmac-sha1 enc aes
53
+SAD:
54
+esp transport from 1.3.3.7 to 3.4.5.6 spi 0xdeadbeef auth hmac-sha1 enc aes
55
+esp transport from 3.4.5.6 to 1.3.3.7 spi 0xf00df00d auth hmac-sha1 enc aes
56
+```
53 57
54 58
# GRE Setup
55 59
Next, we will set up the GRE device. The [gre(4)](http://man.openbsd.org/gre.4) device encapsulates IPv4 and IPv6 traffic, which allows you to speak both address families over one tunnel if you only have native connectivity for one address family. The addresses configured onto the GRE device should come from a private address range that is not used anywhere in DN42, or a registered transfer net. For IPv6, you should use either ULAs or Link-Local addresses. In this example, we assume you are using 10.20.30.0/31 as the IPv4 transfer "net" (it has only two addresses, so calling it a network is a bit of an overstatement) and Link-Local addresses for IPv6.
56 60
57
- # ifconfig gre0 tunnel 3.4.5.6 1.3.3.7
58
- # ifconfig gre0 inet 10.20.30.0 10.20.30.1 # reverse these on your peer's side
59
- # ifconfig gre0 inet6 eui64
61
+```sh
62
+# ifconfig gre0 tunnel 3.4.5.6 1.3.3.7
63
+# ifconfig gre0 inet 10.20.30.0 10.20.30.1 # reverse these on your peer's side
64
+# ifconfig gre0 inet6 eui64
65
+```
60 66
61 67
These settings should also be added to [`/etc/hostname.gre0`](http://man.openbsd.org/hostname.if.5), .i.e.
62 68
63
- tunnel 3.4.5.6 1.3.3.7
64
- inet 10.20.30.0 10.20.30.1
65
- inet6 eui64
69
+```conf
70
+tunnel 3.4.5.6 1.3.3.7
71
+inet 10.20.30.0 10.20.30.1
72
+inet6 eui64
73
+```
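Review bot: the `ifconfig gre0` block at lines 61-65 has the same prompt problem as the Bird2 `mkdir` block: with `sh` highlighting the leading root prompt `#` makes every line a comment, so the `# reverse these on your peer's side` annotation no longer stands out from the commands; drop the `# ` prompts or use `console` instead of `sh`.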
howto/IPsecWithPublicKeys/RacoonExample.md
... ...
@@ -17,7 +17,7 @@ I'd probably go with 4096 bits.
17 17
18 18
19 19
in your racoon.conf:
20
-```
20
+```conf
21 21
path certificate "/etc/racoon/keys";
22 22
23 23
listen {
... ...
@@ -38,6 +38,6 @@ remote 192.168.255.2 {
38 38
}
39 39
```
40 40
41
-## Se also
41
+## See also
42 42
43 43
[Debian specific configuration](/howto/IPsecWithPublicKeys/GRE-plus-IPsec-Debian)
howto/IPsecWithPublicKeys/RouterOSExample.md
... ...
@@ -2,34 +2,40 @@
2 2
## Setup
3 3
### Generate an RSA keypair
4 4
5
- [admin@mtk1] > /ip ipsec key
6
- [admin@mtk1] /ip ipsec key> generate-key mykey key-size=4096
7
- For key bigger than 1024bit this may take a while..
8
- [admin@mtk1] /ip ipsec key> print
9
- Flags: P - private-key, R - rsa
10
- # NAME KEY-SIZE
11
- 0 PR mykey 4096-bit
5
+```
6
+[admin@mtk1] > /ip ipsec key
7
+[admin@mtk1] /ip ipsec key> generate-key mykey key-size=4096
8
+For key bigger than 1024bit this may take a while..
9
+[admin@mtk1] /ip ipsec key> print
10
+Flags: P - private-key, R - rsa
11
+ # NAME KEY-SIZE
12
+ 0 PR mykey 4096-bit
13
+```
12 14
13 15
## Exchange public keys with your peer
14 16
1. Export the public key to a file.
15 17
16
- [admin@mtk1] /ip ipsec key> export-pub-key mykey file-name=mykey.pub
18
+```
19
+[admin@mtk1] /ip ipsec key> export-pub-key mykey file-name=mykey.pub
17 20
18
- [admin@mtk1] /ip ipsec key> /file print where name=mykey.pub
19
- # NAME TYPE SIZE CREATION-TIME
20
- 2 mykey.pub ssh key 451 jul/20/2014 12:35:33
21
+[admin@mtk1] /ip ipsec key> /file print where name=mykey.pub
22
+ # NAME TYPE SIZE CREATION-TIME
23
+ 2 mykey.pub ssh key 451 jul/20/2014 12:35:33
24
+```
21 25
22 26
2. Copy the file to your workstation and send it to your peer. The contents of the file should look like this:
23 27
24
- -----BEGIN PUBLIC KEY-----
25
- MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAv4RHohMZP4F5qTJKqoSL
26
- TqefoZZRt1RVI5dOocjV1pJZnqcXMtHfQ/5+O+igUCAX+yBv0hie+U32FWcy5cQO
27
- +xaohZW1zFzvlRWVqOpTwdk/993Zmy070T1FzK4kFShsNtxYrtYNheCnakgfXgMg
28
- 23w/35zcof64/ewzF6RuqkTzmccIFCWDuv2IobXTOYAk7G3PGN4xWscvFIroIy5s
29
- 4E8oOmKWVoFErQA6XetJzI+X+knzI3J/6/Pff4Tz7TLxu1m2I0InFaBv1G0+BXnh
30
- QOvIM7fvs5s0YWaUdT+vz8F0SHtb6Q/IdWc4JJPH/Q2t4HKTkk7FUnvvub2GxVbs
31
- 8QIDAQAB
32
- -----END PUBLIC KEY-----
28
+```
29
+-----BEGIN PUBLIC KEY-----
30
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAv4RHohMZP4F5qTJKqoSL
31
+TqefoZZRt1RVI5dOocjV1pJZnqcXMtHfQ/5+O+igUCAX+yBv0hie+U32FWcy5cQO
32
++xaohZW1zFzvlRWVqOpTwdk/993Zmy070T1FzK4kFShsNtxYrtYNheCnakgfXgMg
33
+23w/35zcof64/ewzF6RuqkTzmccIFCWDuv2IobXTOYAk7G3PGN4xWscvFIroIy5s
34
+4E8oOmKWVoFErQA6XetJzI+X+knzI3J/6/Pff4Tz7TLxu1m2I0InFaBv1G0+BXnh
35
+QOvIM7fvs5s0YWaUdT+vz8F0SHtb6Q/IdWc4JJPH/Q2t4HKTkk7FUnvvub2GxVbs
36
+8QIDAQAB
37
+-----END PUBLIC KEY-----
38
+```
33 39
34 40
3. Convert your peer's public key to the PEM format using the [pubkey-converter][pubkey-converter] script, if necessary.
35 41
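Review bot: the sample PEM under step 2 is a 2048-bit key (the `MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA` header and the 451-byte `mykey.pub` shown by `/file print` both say so), while step 1 generates and prints `0 PR mykey 4096-bit`; since the block is being re-fenced anyway, export the 4096-bit key's PEM so the two steps agree. Separately, these fences stay untagged while the rest of this change tags fences `sh` or `conf`; `text` would make the choice explicit for RouterOS CLI transcripts.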
... ...
@@ -50,43 +56,49 @@ In this example, we'll use the following settings:
50 56
51 57
1. Copy your peer's PEM-encoded public key to the router and import it. (Hit enter when it asks for a passphrase)
52 58
53
- [admin@mtk1] /ip ipsec key> import peer-key.pub name=peer-key
54
- passphrase:
59
+```
60
+[admin@mtk1] /ip ipsec key> import peer-key.pub name=peer-key
61
+passphrase:
55 62
56
- [admin@mtk1] /ip ipsec key> print
57
- Flags: P - private-key, R - rsa
58
- # NAME KEY-SIZE
59
- 0 PR mykey 4096-bit
60
- 1 R peer-key 4096-bit
63
+[admin@mtk1] /ip ipsec key> print
64
+Flags: P - private-key, R - rsa
65
+ # NAME KEY-SIZE
66
+ 0 PR mykey 4096-bit
67
+ 1 R peer-key 4096-bit
68
+```
61 69
62 70
2. Configure your peer definition to use the public key
63 71
64
- [admin@mtk1] /ip ipsec peer> add address=192.0.2.2 local-address=192.0.2.1 enc-algorithm=aes-128 hash-algorithm=sha1 dh-group=modp1536 lifetime=28800 key=mykey remote-key=peer-key auth-method=rsa-key
65
- [admin@mtk1] /ip ipsec peer> print
66
- Flags: X - disabled
67
- 0 address=192.0.2.2/32 local-address=192.0.2.1 passive=no port=500
68
- auth-method=rsa-key key=mykey remote-key=peer-key generate-policy=no
69
- exchange-mode=main send-initial-contact=yes nat-traversal=no
70
- proposal-check=obey hash-algorithm=sha1 enc-algorithm=aes-128
71
- dh-group=modp1536 lifetime=8h lifebytes=0 dpd-interval=2m
72
- dpd-maximum-failures=5
72
+```
73
+[admin@mtk1] /ip ipsec peer> add address=192.0.2.2 local-address=192.0.2.1 enc-algorithm=aes-128 hash-algorithm=sha1 dh-group=modp1536 lifetime=28800 key=mykey remote-key=peer-key auth-method=rsa-key
74
+[admin@mtk1] /ip ipsec peer> print
75
+Flags: X - disabled
76
+ 0 address=192.0.2.2/32 local-address=192.0.2.1 passive=no port=500
77
+ auth-method=rsa-key key=mykey remote-key=peer-key generate-policy=no
78
+ exchange-mode=main send-initial-contact=yes nat-traversal=no
79
+ proposal-check=obey hash-algorithm=sha1 enc-algorithm=aes-128
80
+ dh-group=modp1536 lifetime=8h lifebytes=0 dpd-interval=2m
81
+ dpd-maximum-failures=5
82
+```
73 83
74 84
3. All done! Configure the phase 2 parameters as you otherwise would.
75 85
76 86
## Full GRE/IPsec example
77
- # jul/20/2014 13:00:04 by RouterOS 6.15
78
- # software id = HBCA-0B2J
79
- #
80
- /interface gre
81
- add dscp=inherit local-address=192.0.2.1 mtu=1400 name=gre-tunnel1 \
82
- remote-address=192.0.2.2
83
- /ip address
84
- add address=10.1.2.0/31 interface=gre-tunnel1 network=10.1.2.0
85
- /ip ipsec proposal
86
- set [ find default=yes ] lifetime=1h pfs-group=modp1536
87
- /ip ipsec peer
88
- add address=192.0.2.2/32 auth-method=rsa-key dh-group=modp1536 key=mykey \
89
- lifetime=8h local-address=192.0.2.1 remote-key=peer-key
90
- /ip ipsec policy
91
- add dst-address=192.0.2.2/32 protocol=gre sa-dst-address=192.0.2.2 \
92
- sa-src-address=192.0.2.1 src-address=192.0.2.1/32
87
+```
88
+# jul/20/2014 13:00:04 by RouterOS 6.15
89
+# software id = HBCA-0B2J
90
+#
91
+/interface gre
92
+add dscp=inherit local-address=192.0.2.1 mtu=1400 name=gre-tunnel1 \
93
+ remote-address=192.0.2.2
94
+/ip address
95
+add address=10.1.2.0/31 interface=gre-tunnel1 network=10.1.2.0
96
+/ip ipsec proposal
97
+set [ find default=yes ] lifetime=1h pfs-group=modp1536
98
+/ip ipsec peer
99
+add address=192.0.2.2/32 auth-method=rsa-key dh-group=modp1536 key=mykey \
100
+ lifetime=8h local-address=192.0.2.1 remote-key=peer-key
101
+/ip ipsec policy
102
+add dst-address=192.0.2.2/32 protocol=gre sa-dst-address=192.0.2.2 \
103
+ sa-src-address=192.0.2.1 src-address=192.0.2.1/32
104
+```
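Review bot: the full export at the bottom carries `# software id = HBCA-0B2J`, which is the router's licence identifier; it is not needed for the example and is best dropped while the block is being reformatted. The phase-1 parameters shown (`hash-algorithm=sha1`, `dh-group=modp1536`) match the other peer examples in this change, so they interoperate, but a one-line note that SHA-1 and a 1536-bit MODP group are legacy choices would help readers picking their own.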
howto/IPsecWithPublicKeys/VyOSExample.md
... ...
@@ -2,22 +2,26 @@
2 2
## Setup
3 3
### Generate an RSA keypair
4 4
5
- ubnt@ubnt:~$ generate vpn rsa-key bits 4096 random /dev/urandom
6
- Generating rsa-key to /config/ipsec.d/rsa-keys/localhost.key
5
+```sh
6
+ubnt@ubnt:~$ generate vpn rsa-key bits 4096 random /dev/urandom
7
+Generating rsa-key to /config/ipsec.d/rsa-keys/localhost.key
7 8
8
- Your new local RSA key has been generated
9
- The public portion of the key is:
9
+Your new local RSA key has been generated
10
+The public portion of the key is:
10 11
11
- 0sAQPNdF370ZEbN+kZUJQ10qnBlZujrg39ujfk20ILTjELksOIdJw/4jiU1MfpqFDKuB/XxERwJQp2POsFyV/n76jAgxIYBfFYfuaBcIH1rdNQtDhCnkmWzlueRXGEsz0Af79n8TKyQ9otzNhJ2cPE1CWCJbKqbIUN3piviLgGlItWNeya+Tl3Oj3ZfEVwr1QOvUAw32+m4L8T9jf1vqSlOTHpRpxxPWBrLEzstk0FOcZISji2JBpDOCU8Kpyyf74JM+LxsOIHwmS15b6iFZR3U9KZLqbbd0dSy/cM8P4XjrwM5UMyRDjrLqvuA/K/33BgtnxdQR3e9DJoYH3Qr8eRgSkR+jHyq06LvgHkHbMvrEjUnc3n8bg+YfR4oyJpIWsKjfIXmN1Q51KzxAPIAww+YSYUYtamSsQsspVAtMIQqR4e0r1In1qyoSn8VCPlksNMWpqYHbSjDo5HJYoSwxf2epzMtCvhenn0OuiH0xlgzziA+wBi6txksTMvJYcPJYnBVR2NIBjkWftOfmkY+rKMozViGjyd6kB7C8lqd8W7Ha5Ds2WxIY22DM3HcYH/zTp9z2xbuMOsbIgib/Y12Kh0wHyCz0lzFvs+d6CZwinyIXNKB/Vo4iiwT5luL5mGqf3pZx4zB+30GYSs/6MaELRF9BxD7tfqYCkOLXUtxyZ4Pdl2sw==
12
+0sAQPNdF370ZEbN+kZUJQ10qnBlZujrg39ujfk20ILTjELksOIdJw/4jiU1MfpqFDKuB/XxERwJQp2POsFyV/n76jAgxIYBfFYfuaBcIH1rdNQtDhCnkmWzlueRXGEsz0Af79n8TKyQ9otzNhJ2cPE1CWCJbKqbIUN3piviLgGlItWNeya+Tl3Oj3ZfEVwr1QOvUAw32+m4L8T9jf1vqSlOTHpRpxxPWBrLEzstk0FOcZISji2JBpDOCU8Kpyyf74JM+LxsOIHwmS15b6iFZR3U9KZLqbbd0dSy/cM8P4XjrwM5UMyRDjrLqvuA/K/33BgtnxdQR3e9DJoYH3Qr8eRgSkR+jHyq06LvgHkHbMvrEjUnc3n8bg+YfR4oyJpIWsKjfIXmN1Q51KzxAPIAww+YSYUYtamSsQsspVAtMIQqR4e0r1In1qyoSn8VCPlksNMWpqYHbSjDo5HJYoSwxf2epzMtCvhenn0OuiH0xlgzziA+wBi6txksTMvJYcPJYnBVR2NIBjkWftOfmkY+rKMozViGjyd6kB7C8lqd8W7Ha5Ds2WxIY22DM3HcYH/zTp9z2xbuMOsbIgib/Y12Kh0wHyCz0lzFvs+d6CZwinyIXNKB/Vo4iiwT5luL5mGqf3pZx4zB+30GYSs/6MaELRF9BxD7tfqYCkOLXUtxyZ4Pdl2sw==
13
+```
12 14
13 15
### Exchange public keys with your peer
14 16
1. Display the public key. Send the key data portion to your peer.
15 17
16
- ubnt@ubnt:~$ show vpn ike rsa-keys
18
+```sh
19
+ubnt@ubnt:~$ show vpn ike rsa-keys
17 20
18
- Local public key (/config/ipsec.d/rsa-keys/localhost.key):
21
+Local public key (/config/ipsec.d/rsa-keys/localhost.key):
19 22
20
- 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
23
+0sAQPNdF370ZEbN+kZUJQ10qnBlZujrg39ujfk20ILTjELksOIdJw/4jiU1MfpqFDKuB/XxERwJQp2POsFyV/n76jAgxIYBfFYfuaBcIH1rdNQtDhCnkmWzlueRXGEsz0Af79n8TKyQ9otzNhJ2cPE1CWCJbKqbIUN3piviLgGlItWNeya+Tl3Oj3ZfEVwr1QOvUAw32+m4L8T9jf1vqSlOTHpRpxxPWBrLEzstk0FOcZISji2JBpDOCU8Kpyyf74JM+LxsOIHwmS15b6iFZR3U9KZLqbbd0dSy/cM8P4XjrwM5UMyRDjrLqvuA/K/33BgtnxdQR3e9DJoYH3Qr8eRgSkR+jHyq06LvgHkHbMvrEjUnc3n8bg+YfR4oyJpIWsKjfIXmN1Q51KzxAPIAww+YSYUYtamSsQsspVAtMIQqR4e0r1In1qyoSn8VCPlksNMWpqYHbSjDo5HJYoSwxf2epzMtCvhenn0OuiH0xlgzziA+wBi6txksTMvJYcPJYnBVR2NIBjkWftOfmkY+rKMozViGjyd6kB7C8lqd8W7Ha5Ds2WxIY22DM3HcYH/zTp9z2xbuMOsbIgib/Y12Kh0wHyCz0lzFvs+d6CZwinyIXNKB/Vo4iiwT5luL5mGqf3pZx4zB+30GYSs/6MaELRF9BxD7tfqYCkOLXUtxyZ4Pdl2sw==
24
+```
21 25
22 26
2. Convert your peer's public key to the Base64 RFC 3110 format using the [pubkey-converter][pubkey-converter] script, if necessary.
23 27
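Review bot: the prompt in the new `sh` blocks reads `ubnt@ubnt:~$` (EdgeOS) while the remaining steps of this VyOS page use `vyos@vyos`; worth normalising while the transcript is being re-fenced. Also, `sh` highlighting will treat output lines such as `Generating rsa-key to /config/ipsec.d/rsa-keys/localhost.key` as commands; `console` is the tag meant for prompt-plus-output transcripts.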
... ...
@@ -38,98 +42,107 @@ In this example, we'll use the following settings:
38 42
39 43
1. Add your peer's public key
40 44
41
- vyos@vyos:~$ configure
42
- [edit]
43
- vyos@vyos# set vpn rsa-keys rsa-key-name my-peer rsa-key 0sAwEAAb4ETtKRLxcFNty56regsR61pq7hQl3NnjwABL16wZXGynKxZlj11VbdqcNwaTaqHZLV4Xfy867nImSs0DD9Cko5LzWwyM1Ih4SB+rIjfmBt7nRUrilnYvfWAONG1CLTI2tXnM/miNqiY+PxlCiMPr1KrTJWBWOknqqhhL2dOBfp3Ryx1yRxDACFG4wgpwmndJOnmefnV6qZXWiOdoIsBsBqQKiDY0g2uI+S3KxK27JL3KZWcA2ehhvtxmq4vwcMXplYeedei3EEmWxtddAZCApXor9bkVoVp2io+a0D1ALevYMD5SIygu55Q888n5puYNry/cUjX20/F/YK+J9u2UExWewN4AIt/jMNm7nJNWpuFHfLX1V/igHrdGzoEM0E/i+nGz9CWTVTLoFUmkTjpt31FPmomSVEI7MbNXG7cpa+X55PWd1apheR52XJZPZfCnMf1DjilYbLMRG05RK8zI3QlX3UXHira0dq4OBZ+Aow+dGp+jLmwjgdBDnkQdVu0iP6bp+5/oz6mWvDQ65EVECAIXKR5zIsiKn9ZU18H+lp4xWMjiSw3Y+87Y5KeQPmX73Ygolow6VvtCBvX8CS4Plszn3i0Qp8184eLEWIY314Z8Z+HwBAjUv3MkqI93leokAjMbt23ttaJbWlWgG47BAJOEcWlMFkDNcZtOngUrzF
45
+```sh
46
+vyos@vyos:~$ configure
47
+[edit]
48
+vyos@vyos# set vpn rsa-keys rsa-key-name my-peer rsa-key 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
49
+```
44 50
45 51
2. Configure an ISAKMP policy
46 52
47
- [edit]
48
- vyos@vyos# edit vpn ipsec ike-group FOO
49
- [edit vpn ipsec ike-group FOO]
50
- vyos@vyos# set lifetime 28800
51
- [edit vpn ipsec ike-group FOO]
52
- vyos@vyos# set proposal 1 encryption aes128
53
- [edit vpn ipsec ike-group FOO]
54
- vyos@vyos# set proposal 1 hash sha1
55
- [edit vpn ipsec ike-group FOO]
56
- vyos@vyos# set proposal 1 dh-group 5
57
- [edit vpn ipsec ike-group FOO]
58
- vyos@vyos# commit
53
+```sh
54
+[edit]
55
+vyos@vyos# edit vpn ipsec ike-group FOO
56
+[edit vpn ipsec ike-group FOO]
57
+vyos@vyos# set lifetime 28800
58
+[edit vpn ipsec ike-group FOO]
59
+vyos@vyos# set proposal 1 encryption aes128
60
+[edit vpn ipsec ike-group FOO]
61
+vyos@vyos# set proposal 1 hash sha1
62
+[edit vpn ipsec ike-group FOO]
63
+vyos@vyos# set proposal 1 dh-group 5
64
+[edit vpn ipsec ike-group FOO]
65
+vyos@vyos# commit
66
+```
59 67
60 68
3. Set your peer definition to use the public key
61 69
62
- [edit vpn ipsec ike-group FOO]
63
- vyos@vyos# up
64
- [edit vpn ipsec]
65
- vyos@vyos# edit site-to-site peer 192.0.2.2
66
- [edit vpn ipsec site-to-site peer 192.0.2.2]
67
- vyos@vyos# set authentication mode rsa
68
- [edit vpn ipsec site-to-site peer 192.0.2.2]
69
- vyos@vyos# set authentication rsa-key-name my-peer
70
+```sh
71
+[edit vpn ipsec ike-group FOO]
72
+vyos@vyos# up
73
+[edit vpn ipsec]
74
+vyos@vyos# edit site-to-site peer 192.0.2.2
75
+[edit vpn ipsec site-to-site peer 192.0.2.2]
76
+vyos@vyos# set authentication mode rsa
77
+[edit vpn ipsec site-to-site peer 192.0.2.2]
78
+vyos@vyos# set authentication rsa-key-name my-peer
79
+```
70 80
71 81
4. All done! Configure the phase 2 parameters as you otherwise would.
72 82
73 83
## Full GRE/IPsec example
74
- interfaces {
75
- ethernet eth0 {
76
- address 192.0.2.1/30
77
- description WAN
78
- duplex auto
79
- speed auto
80
- }
81
- tunnel tun0 {
82
- address 10.1.2.0/31
83
- encapsulation gre
84
- local-ip 192.0.2.1
85
- mtu 1400
86
- multicast disable
87
- remote-ip 192.0.2.2
88
- ttl 255
89
- }
84
+
85
+```conf
86
+interfaces {
87
+ ethernet eth0 {
88
+ address 192.0.2.1/30
89
+ description WAN
90
+ duplex auto
91
+ speed auto
90 92
}
91
- vpn {
92
- ipsec {
93
- esp-group BAR {
94
- compression disable
95
- lifetime 3600
96
- mode transport
97
- pfs dh-group5
98
- proposal 1 {
99
- encryption aes128
100
- hash sha1
101
- }
102
- }
103
- ike-group FOO {
104
- lifetime 28800
105
- proposal 1 {
106
- dh-group 5
107
- encryption aes128
108
- hash sha1
109
- }
93
+ tunnel tun0 {
94
+ address 10.1.2.0/31
95
+ encapsulation gre
96
+ local-ip 192.0.2.1
97
+ mtu 1400
98
+ multicast disable
99
+ remote-ip 192.0.2.2
100
+ ttl 255
101
+ }
102
+}
103
+vpn {
104
+ ipsec {
105
+ esp-group BAR {
106
+ compression disable
107
+ lifetime 3600
108
+ mode transport
109
+ pfs dh-group5
110
+ proposal 1 {
111
+ encryption aes128
112
+ hash sha1
110 113
}
111
- ipsec-interfaces {
112
- interface eth0
114
+ }
115
+ ike-group FOO {
116
+ lifetime 28800
117
+ proposal 1 {
118
+ dh-group 5
119
+ encryption aes128
120
+ hash sha1
113 121
}
114
- site-to-site {
115
- peer 192.0.2.2 {
116
- authentication {
117
- mode rsa
118
- rsa-key-name my-peer
119
- }
120
- connection-type initiate
121
- default-esp-group BAR
122
- ike-group FOO
123
- local-ip 192.0.2.1
124
- tunnel 0 {
125
- protocol gre
126
- }
122
+ }
123
+ ipsec-interfaces {
124
+ interface eth0
125
+ }
126
+ site-to-site {
127
+ peer 192.0.2.2 {
128
+ authentication {
129
+ mode rsa
130
+ rsa-key-name my-peer
131
+ }
132
+ connection-type initiate
133
+ default-esp-group BAR
134
+ ike-group FOO
135
+ local-ip 192.0.2.1
136
+ tunnel 0 {
137
+ protocol gre
127 138
}
128 139
}
129 140
}
130
- rsa-keys {
131
- rsa-key-name my-peer {
132
- rsa-key 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
133
- }
141
+ }
142
+ rsa-keys {
143
+ rsa-key-name my-peer {
144
+ rsa-key 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
134 145
}
135 146
}
147
+}
148
+```
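Review bot: `ike-group FOO` in the full example configures no dead-peer detection, whereas the RouterOS example in this same change shows `dpd-interval=2m` and the strongSwan examples set `dpdaction=restart`; since these examples are meant to be peered against each other, consider adding the ike-group's dead-peer-detection settings so the VyOS side also recovers from a silently dropped tunnel.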
howto/IPsecWithPublicKeys/strongSwan4Example.md
... ...
@@ -2,29 +2,33 @@
2 2
## Setup
3 3
### Generate an RSA keypair
4 4
5
- root@debian:~# mkdir /etc/ipsec.d/public
6
- root@debian:~# ipsec pki --gen --type rsa --outform pem --size 4096 > /etc/ipsec.d/private/mykey.pem
7
- root@debian:~# ipsec pki --pub --in /etc/ipsec.d/private/mykey.pem --outform pem > /etc/ipsec.d/public/mykey.pub
8
- root@debian:~# echo ": RSA mykey.pem" >> /etc/ipsec.secrets
5
+```sh
6
+root@debian:~# mkdir /etc/ipsec.d/public
7
+root@debian:~# ipsec pki --gen --type rsa --outform pem --size 4096 > /etc/ipsec.d/private/mykey.pem
8
+root@debian:~# ipsec pki --pub --in /etc/ipsec.d/private/mykey.pem --outform pem > /etc/ipsec.d/public/mykey.pub
9
+root@debian:~# echo ": RSA mykey.pem" >> /etc/ipsec.secrets
10
+```
9 11
10 12
### Exchange public keys with your peer
11 13
1. Display the public key. Send the key data to your peer.
12 14
13
- root@debian:~# more /etc/ipsec.d/public/mykey.pub
14
- -----BEGIN PUBLIC KEY-----
15
- MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA2/FWIJuVUtfsLovavNp+
16
- nPSsT2mQoNK3ZUUwuEKfBjT7mhijdXRHh1SAtIaU2aen5+d5q6e27vMCCYOQLagn
17
- 9CkKatBq54zGNvDSzQEpz0mIsaBx9xjvhsgqAmKCTpLtKuMz6cZbH8y8o9/ZZ8Kv
18
- +Jht67T8BDKXczgOg5IIaX84UpCrlSgmnSvKYKu3PXnt91bZ66HaDZJjPf9aiMNc
19
- fvuUqVfFWnsV2zI6HFvG/uwkqLalsnPaAwVeIWl2Ovy2Jzdj0GRLSYx87eneSBo+
20
- 7tjlURQTudAj1+53SFOkBcCPSnzPYpIC3hBfZ8Zw8r/25moW3xf8TlLLJqgAh50Y
21
- tVyvyVSv1MKYBdjZcFsEXUceC5LI9JZryB/Serq0R+4//ZiR3LEtetVKNvco9bcI
22
- JHXr88HM2XeYRfRPAB6wembIEMKYdwIhwYAPPAtL+lDHtZBiBAIAp0y0FhaozSzl
23
- MSry8tbJR2fD/i8/yXr5isVfjJZdw8WK0LAd8a8zvmNIFKgiKWjoDgIycM5HrRD+
24
- rY0Br9xONkNdgB7Lz/wPEyUsiIiZpawM/S4taX7ExK4Wi3pdxkOHLn2ZyaWKsdhX
25
- PpCkdMfSOJ0SqCUcVze+xD8GlInUQsPgbDGvxT73jT6Ie+wSA94Cgs3mq7FS6cNo
26
- ZAASv7cT9DG+xfQmjrJC9SUCAwEAAQ==
27
- -----END PUBLIC KEY-----
15
+```sh
16
+root@debian:~# more /etc/ipsec.d/public/mykey.pub
17
+-----BEGIN PUBLIC KEY-----
18
+MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA2/FWIJuVUtfsLovavNp+
19
+nPSsT2mQoNK3ZUUwuEKfBjT7mhijdXRHh1SAtIaU2aen5+d5q6e27vMCCYOQLagn
20
+9CkKatBq54zGNvDSzQEpz0mIsaBx9xjvhsgqAmKCTpLtKuMz6cZbH8y8o9/ZZ8Kv
21
++Jht67T8BDKXczgOg5IIaX84UpCrlSgmnSvKYKu3PXnt91bZ66HaDZJjPf9aiMNc
22
+fvuUqVfFWnsV2zI6HFvG/uwkqLalsnPaAwVeIWl2Ovy2Jzdj0GRLSYx87eneSBo+
23
+7tjlURQTudAj1+53SFOkBcCPSnzPYpIC3hBfZ8Zw8r/25moW3xf8TlLLJqgAh50Y
24
+tVyvyVSv1MKYBdjZcFsEXUceC5LI9JZryB/Serq0R+4//ZiR3LEtetVKNvco9bcI
25
+JHXr88HM2XeYRfRPAB6wembIEMKYdwIhwYAPPAtL+lDHtZBiBAIAp0y0FhaozSzl
26
+MSry8tbJR2fD/i8/yXr5isVfjJZdw8WK0LAd8a8zvmNIFKgiKWjoDgIycM5HrRD+
27
+rY0Br9xONkNdgB7Lz/wPEyUsiIiZpawM/S4taX7ExK4Wi3pdxkOHLn2ZyaWKsdhX
28
+PpCkdMfSOJ0SqCUcVze+xD8GlInUQsPgbDGvxT73jT6Ie+wSA94Cgs3mq7FS6cNo
29
+ZAASv7cT9DG+xfQmjrJC9SUCAwEAAQ==
30
+-----END PUBLIC KEY-----
31
+```
28 32
29 33
2. Convert your peer's public key to the Base64 RFC 3110 format using the [pubkey-converter][pubkey-converter] script, if necessary.
30 34
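Review bot: `ipsec pki --gen ... > /etc/ipsec.d/private/mykey.pem` creates the private key through a shell redirect, so its mode is whatever the current umask yields (commonly 0644); add `umask 077` before the command or `chmod 600 /etc/ipsec.d/private/mykey.pem` after it, since the block is now a fenced snippet readers will paste verbatim.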
... ...
@@ -47,58 +51,63 @@ _Note: strongSwan < 5.0.0 will read PEM-formatted **private** keys, but requires
47 51
48 52
1. Configure a connection policy in ipsec.conf for your peer. The `leftrsasigkey` attribute is your host's public key in Base64 RFC 3110 format enclosed in double quotes, and `rightrsasigkey` is your peer's key.
49 53
50
- root@debian:~# cat << EOF >> /etc/ipsec.conf
51
- conn MYPEER
52
- # peer IPs
53
- left=192.0.2.1
54
- right=192.0.2.2
55
- # phase 1 parameters
56
- ike=aes128-sha1-modp1536!
57
- ikelifetime=28800s
58
- # authentication
59
- authby=pubkey
60
- leftrsasigkey="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"
61
- rightrsasigkey="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"
62
- EOF
54
+```sh
55
+root@debian:~# cat << EOF >> /etc/ipsec.conf
56
+conn MYPEER
57
+ # peer IPs
58
+ left=192.0.2.1
59
+ right=192.0.2.2
60
+ # phase 1 parameters
61
+ ike=aes128-sha1-modp1536!
62
+ ikelifetime=28800s
63
+ # authentication
64
+ authby=pubkey
65
+ leftrsasigkey="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"
66
+ rightrsasigkey="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"
67
+EOF
68
+```
63 69
64 70
2. All done! Configure the phase 2 parameters as you otherwise would.
65 71
66 72
## Full GRE/IPsec example
67
- root@debian:~# ip addr show dev gre1
68
- 11: gre1@NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1400 qdisc noqueue state UNKNOWN
69
- link/gre 192.0.2.1 peer 192.0.2.2
70
- inet 10.1.2.0/31 scope global gre1
71
- valid_lft forever preferred_lft forever
72
- inet6 fe80::200:5efe:6825:1c22/64 scope link
73
- valid_lft forever preferred_lft forever
74
- root@debian:~# more /etc/ipsec.conf
75
- # ipsec.conf - strongSwan IPsec configuration file
76
-
77
- config setup
78
-
79
- conn %default
80
- keyexchange=ikev1
81
- dpdaction=restart
82
-
83
- conn MYPEER
84
- # peer IPs
85
- left=192.0.2.1
86
- right=192.0.2.2
87
- # phase 1 parameters
88
- ike=aes128-sha1-modp1536!
89
- ikelifetime=28800s
90
- # authentication
91
- authby=pubkey
92
- leftrsasigkey="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"
93
- rightrsasigkey="0sAwEAAbkNYV9/gBIi4rOKeY75mCHxIGqvePPBlNp5LkdYGSuPwqYa3HJs7YAA1P05IhOSDjqO8yj6Wq3JfHWcCX1/o/aCBH7yB6lmxfKyJJiQwJ+WUADQ7FSklb7vJ6jWYQLJQZBVMNSJeiia3WRMFeCCy42Zj4zf0yKcz0rbn3ii31K+zqHRZyV3b1hltTsEVUfGD2T/td0tp22qqISWWLpU8xHBGlhYV0Ss5tXcV6rdh9Evd5r+Qk9Cc1VAL9+ZQd/TTKnEcK4ORbMNM+OPJ5Xp0qSA5z/ACD5ubITX/ZGSQpLDhPRnzzM+SmQzqEd61j772qWP2bPkgc/Haz8B62WoRio8Vdk8Ze12JBRFr63vq6YlkonSLJ84sxAUNXmuiJ8HemNvbs5kC4brNTj34ZwiJAFcnCvrLQmTmz5emm6JpP2r2k/hcJ40YEmc5KLZWwNiB4BIxduguGt2VBgcA2fu61NgOwymx0TfOH+tgXDMomaWr1z75OAFEA+fpUSLWxQw3mWLaCHR2/YJjHDR1rBi/GFcRdgPCAL6+0NU0H8JtljwFr42otq25esPGWIkAT1MJBbVAE11O18hnC5owhiRoB2aAKjx3XV9c+x6LBSHfkknO7oAp1DbcEmB6vg3MwVXU2uuWj7++fM8Xis1KiQSspj+B5Lx5RJlxz9qAEOBuj05"
94
- # phase 2 parameters
95
- esp=aes128-sha1!
96
- pfs=yes
97
- pfsgroup=modp1536
98
- lifetime=3600s
99
- type=transport
100
- leftprotoport=gre
101
- rightprotoport=gre
102
- # startup
103
- auto=route
104
- keyingtries=%forever
73
+
74
+```sh
75
+root@debian:~# ip addr show dev gre1
76
+11: gre1@NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1400 qdisc noqueue state UNKNOWN
77
+ link/gre 192.0.2.1 peer 192.0.2.2
78
+ inet 10.1.2.0/31 scope global gre1
79
+ valid_lft forever preferred_lft forever
80
+ inet6 fe80::200:5efe:6825:1c22/64 scope link
81
+ valid_lft forever preferred_lft forever
82
+root@debian:~# more /etc/ipsec.conf
83
+# ipsec.conf - strongSwan IPsec configuration file
84
+
85
+config setup
86
+
87
+conn %default
88
+ keyexchange=ikev1
89
+ dpdaction=restart
90
+
91
+conn MYPEER
92
+ # peer IPs
93
+ left=192.0.2.1
94
+ right=192.0.2.2
95
+ # phase 1 parameters
96
+ ike=aes128-sha1-modp1536!
97
+ ikelifetime=28800s
98
+ # authentication
99
+ authby=pubkey
100
+ leftrsasigkey="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"
101
+ rightrsasigkey="0sAwEAAbkNYV9/gBIi4rOKeY75mCHxIGqvePPBlNp5LkdYGSuPwqYa3HJs7YAA1P05IhOSDjqO8yj6Wq3JfHWcCX1/o/aCBH7yB6lmxfKyJJiQwJ+WUADQ7FSklb7vJ6jWYQLJQZBVMNSJeiia3WRMFeCCy42Zj4zf0yKcz0rbn3ii31K+zqHRZyV3b1hltTsEVUfGD2T/td0tp22qqISWWLpU8xHBGlhYV0Ss5tXcV6rdh9Evd5r+Qk9Cc1VAL9+ZQd/TTKnEcK4ORbMNM+OPJ5Xp0qSA5z/ACD5ubITX/ZGSQpLDhPRnzzM+SmQzqEd61j772qWP2bPkgc/Haz8B62WoRio8Vdk8Ze12JBRFr63vq6YlkonSLJ84sxAUNXmuiJ8HemNvbs5kC4brNTj34ZwiJAFcnCvrLQmTmz5emm6JpP2r2k/hcJ40YEmc5KLZWwNiB4BIxduguGt2VBgcA2fu61NgOwymx0TfOH+tgXDMomaWr1z75OAFEA+fpUSLWxQw3mWLaCHR2/YJjHDR1rBi/GFcRdgPCAL6+0NU0H8JtljwFr42otq25esPGWIkAT1MJBbVAE11O18hnC5owhiRoB2aAKjx3XV9c+x6LBSHfkknO7oAp1DbcEmB6vg3MwVXU2uuWj7++fM8Xis1KiQSspj+B5Lx5RJlxz9qAEOBuj05"
102
+ # phase 2 parameters
103
+ esp=aes128-sha1!
104
+ pfs=yes
105
+ pfsgroup=modp1536
106
+ lifetime=3600s
107
+ type=transport
108
+ leftprotoport=gre
109
+ rightprotoport=gre
110
+ # startup
111
+ auto=route
112
+ keyingtries=%forever
113
+```
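Review bot: the heredoc `cat << EOF >> /etc/ipsec.conf` uses an unquoted delimiter, so the shell expands `$...` and backquotes inside it; the RFC 3110 base64 keys contain neither, so nothing breaks today, but `<< 'EOF'` is the safer form for pasting key material and costs nothing. Same `#`-prompt-inside-`sh` remark as elsewhere in this change: `console` would keep `root@debian:~#` from being highlighted as a comment.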
howto/IPsecWithPublicKeys/strongSwan5Example.md
... ...
@@ -6,29 +6,33 @@ For IPsec with Public Keys you'll need the package _strongswan-plugin-pubkey_ in
6 6
Don't forget to disable selinux :)
7 7
### Generate an RSA keypair
8 8
9
- root@debian:~# mkdir /etc/ipsec.d/public
10
- root@debian:~# ipsec pki --gen --type rsa --outform pem --size 4096 > /etc/ipsec.d/private/mykey.pem
11
- root@debian:~# ipsec pki --pub --in /etc/ipsec.d/private/mykey.pem --outform pem > /etc/ipsec.d/public/mykey.pem
12
- root@debian:~# echo ": RSA mykey.pem" >> /etc/ipsec.secrets
9
+```sh
10
+root@debian:~# mkdir /etc/ipsec.d/public
11
+root@debian:~# ipsec pki --gen --type rsa --outform pem --size 4096 > /etc/ipsec.d/private/mykey.pem
12
+root@debian:~# ipsec pki --pub --in /etc/ipsec.d/private/mykey.pem --outform pem > /etc/ipsec.d/public/mykey.pem
13
+root@debian:~# echo ": RSA mykey.pem" >> /etc/ipsec.secrets
14
+```
13 15
14 16
### Exchange public keys with your peer
15 17
1. Display the public key. Send the key data to your peer.
16 18
17
- root@debian:~# more /etc/ipsec.d/public/mykey.pem
18
- -----BEGIN PUBLIC KEY-----
19
- MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA2/FWIJuVUtfsLovavNp+
20
- nPSsT2mQoNK3ZUUwuEKfBjT7mhijdXRHh1SAtIaU2aen5+d5q6e27vMCCYOQLagn
21
- 9CkKatBq54zGNvDSzQEpz0mIsaBx9xjvhsgqAmKCTpLtKuMz6cZbH8y8o9/ZZ8Kv
22
- +Jht67T8BDKXczgOg5IIaX84UpCrlSgmnSvKYKu3PXnt91bZ66HaDZJjPf9aiMNc
23
- fvuUqVfFWnsV2zI6HFvG/uwkqLalsnPaAwVeIWl2Ovy2Jzdj0GRLSYx87eneSBo+
24
- 7tjlURQTudAj1+53SFOkBcCPSnzPYpIC3hBfZ8Zw8r/25moW3xf8TlLLJqgAh50Y
25
- tVyvyVSv1MKYBdjZcFsEXUceC5LI9JZryB/Serq0R+4//ZiR3LEtetVKNvco9bcI
26
- JHXr88HM2XeYRfRPAB6wembIEMKYdwIhwYAPPAtL+lDHtZBiBAIAp0y0FhaozSzl
27
- MSry8tbJR2fD/i8/yXr5isVfjJZdw8WK0LAd8a8zvmNIFKgiKWjoDgIycM5HrRD+
28
- rY0Br9xONkNdgB7Lz/wPEyUsiIiZpawM/S4taX7ExK4Wi3pdxkOHLn2ZyaWKsdhX
29
- PpCkdMfSOJ0SqCUcVze+xD8GlInUQsPgbDGvxT73jT6Ie+wSA94Cgs3mq7FS6cNo
30
- ZAASv7cT9DG+xfQmjrJC9SUCAwEAAQ==
31
- -----END PUBLIC KEY-----
19
+```sh
20
+root@debian:~# more /etc/ipsec.d/public/mykey.pem
21
+-----BEGIN PUBLIC KEY-----
22
+MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA2/FWIJuVUtfsLovavNp+
23
+nPSsT2mQoNK3ZUUwuEKfBjT7mhijdXRHh1SAtIaU2aen5+d5q6e27vMCCYOQLagn
24
+9CkKatBq54zGNvDSzQEpz0mIsaBx9xjvhsgqAmKCTpLtKuMz6cZbH8y8o9/ZZ8Kv
25
++Jht67T8BDKXczgOg5IIaX84UpCrlSgmnSvKYKu3PXnt91bZ66HaDZJjPf9aiMNc
26
+fvuUqVfFWnsV2zI6HFvG/uwkqLalsnPaAwVeIWl2Ovy2Jzdj0GRLSYx87eneSBo+
27
+7tjlURQTudAj1+53SFOkBcCPSnzPYpIC3hBfZ8Zw8r/25moW3xf8TlLLJqgAh50Y
28
+tVyvyVSv1MKYBdjZcFsEXUceC5LI9JZryB/Serq0R+4//ZiR3LEtetVKNvco9bcI
29
+JHXr88HM2XeYRfRPAB6wembIEMKYdwIhwYAPPAtL+lDHtZBiBAIAp0y0FhaozSzl
30
+MSry8tbJR2fD/i8/yXr5isVfjJZdw8WK0LAd8a8zvmNIFKgiKWjoDgIycM5HrRD+
31
+rY0Br9xONkNdgB7Lz/wPEyUsiIiZpawM/S4taX7ExK4Wi3pdxkOHLn2ZyaWKsdhX
32
+PpCkdMfSOJ0SqCUcVze+xD8GlInUQsPgbDGvxT73jT6Ie+wSA94Cgs3mq7FS6cNo
33
+ZAASv7cT9DG+xfQmjrJC9SUCAwEAAQ==
34
+-----END PUBLIC KEY-----
35
+```
32 36
33 37
2. Convert your peer's public key to the PEM format using the [pubkey-converter][pubkey-converter] script, if necessary.
34 38
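Review bot: the public key is written to `/etc/ipsec.d/public/mykey.pem`, the same basename as the private key in `/etc/ipsec.d/private/mykey.pem` that the `: RSA mykey.pem` line in `/etc/ipsec.secrets` refers to; the strongSwan 4 page in this same change uses `mykey.pub` for the public half, which avoids mixing the two up when one of them is sent to a peer. The `--gen` redirect here also leaves the private key with umask-default permissions; `umask 077` first.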
... ...
@@ -49,82 +53,90 @@ In this example, we'll use the following settings:
49 53
50 54
1. Add your peer's public key
51 55
52
- root@debian:~# cat << EOF > /etc/ipsec.d/public/peerkey.pem
53
- -----BEGIN PUBLIC KEY-----
54
- MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAuQ1hX3+AEiLis4p5jvmY
55
- IfEgaq9488GU2nkuR1gZK4/CphrccmztgADU/TkiE5IOOo7zKPparcl8dZwJfX+j
56
- 9oIEfvIHqWbF8rIkmJDAn5ZQANDsVKSVvu8nqNZhAslBkFUw1Il6KJrdZEwV4ILL
57
- jZmPjN/TIpzPStufeKLfUr7OodFnJXdvWGW1OwRVR8YPZP+13S2nbaqohJZYulTz
58
- EcEaWFhXRKzm1dxXqt2H0S93mv5CT0JzVUAv35lB39NMqcRwrg5Fsw0z448nlenS
59
- pIDnP8AIPm5shNf9kZJCksOE9GfPMz5KZDOoR3rWPvvapY/Zs+SBz8drPwHrZahG
60
- KjxV2Txl7XYkFEWvre+rpiWSidIsnzizEBQ1ea6Inwd6Y29uzmQLhus1OPfhnCIk
61
- AVycK+stCZObPl6abomk/avaT+FwnjRgSZzkotlbA2IHgEjF26C4a3ZUGBwDZ+7r
62
- U2A7DKbHRN84f62BcMyiZpavXPvk4AUQD5+lRItbFDDeZYtoIdHb9gmMcNHWsGL8
63
- YVxF2A8IAvr7Q1TQfwm2WPAWvjai2rbl6w8ZYiQBPUwkFtUATXU7XyGcLmjCGJGg
64
- HZoAqPHddX1z7HosFId+SSc7ugCnUNtwSYHq+DczBVdTa65aPv758zxeKzUqJBKy
65
- mP4HkvHlEmXHP2oAQ4G6PTkCAwEAAQ==
66
- -----END PUBLIC KEY-----
67
- EOF
56
+```sh
57
+root@debian:~# cat << EOF > /etc/ipsec.d/public/peerkey.pem
58
+-----BEGIN PUBLIC KEY-----
59
+MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAuQ1hX3+AEiLis4p5jvmY
60
+IfEgaq9488GU2nkuR1gZK4/CphrccmztgADU/TkiE5IOOo7zKPparcl8dZwJfX+j
61
+9oIEfvIHqWbF8rIkmJDAn5ZQANDsVKSVvu8nqNZhAslBkFUw1Il6KJrdZEwV4ILL
62
+jZmPjN/TIpzPStufeKLfUr7OodFnJXdvWGW1OwRVR8YPZP+13S2nbaqohJZYulTz
63
+EcEaWFhXRKzm1dxXqt2H0S93mv5CT0JzVUAv35lB39NMqcRwrg5Fsw0z448nlenS
64
+pIDnP8AIPm5shNf9kZJCksOE9GfPMz5KZDOoR3rWPvvapY/Zs+SBz8drPwHrZahG
65
+KjxV2Txl7XYkFEWvre+rpiWSidIsnzizEBQ1ea6Inwd6Y29uzmQLhus1OPfhnCIk
66
+AVycK+stCZObPl6abomk/avaT+FwnjRgSZzkotlbA2IHgEjF26C4a3ZUGBwDZ+7r
67
+U2A7DKbHRN84f62BcMyiZpavXPvk4AUQD5+lRItbFDDeZYtoIdHb9gmMcNHWsGL8
68
+YVxF2A8IAvr7Q1TQfwm2WPAWvjai2rbl6w8ZYiQBPUwkFtUATXU7XyGcLmjCGJGg
69
+HZoAqPHddX1z7HosFId+SSc7ugCnUNtwSYHq+DczBVdTa65aPv758zxeKzUqJBKy
70
+mP4HkvHlEmXHP2oAQ4G6PTkCAwEAAQ==
71
+-----END PUBLIC KEY-----
72
+EOF
73
+```
68 74
69 75
2. Configure a connection policy in ipsec.conf for your peer
70 76
71
- root@debian:~# cat << EOF >> /etc/ipsec.conf
72
- conn MYPEER
73
- # peer IPs
74
- left=192.0.2.1
75
- right=192.0.2.2
76
- # phase 1 parameters
77
- ike=aes128-sha1-modp1536!
78
- ikelifetime=28800s
79
- # authentication
80
- authby=pubkey
81
- leftrsasigkey=/etc/ipsec.d/public/mykey.pem
82
- rightrsasigkey=/etc/ipsec.d/public/peerkey.pem
83
- EOF
77
+```sh
78
+root@debian:~# cat << EOF >> /etc/ipsec.conf
79
+conn MYPEER
80
+ # peer IPs
81
+ left=192.0.2.1
82
+ right=192.0.2.2
83
+ # phase 1 parameters
84
+ ike=aes128-sha1-modp1536!
85
+ ikelifetime=28800s
86
+ # authentication
87
+ authby=pubkey
88
+ leftrsasigkey=/etc/ipsec.d/public/mykey.pem
89
+ rightrsasigkey=/etc/ipsec.d/public/peerkey.pem
90
+EOF
91
+```
84 92
85 93
3. All done! Configure the phase 2 parameters as you otherwise would.
86 94
87 95
## Full GRE/IPsec example
88
- root@debian:~# ip addr show dev gre1
89
- 11: gre1@NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1400 qdisc noqueue state UNKNOWN
90
- link/gre 192.0.2.1 peer 192.0.2.2
91
- inet 10.1.2.0/31 scope global gre1
92
- valid_lft forever preferred_lft forever
93
- inet6 fe80::200:5efe:6825:1c22/64 scope link
94
- valid_lft forever preferred_lft forever
95
- root@debian:~# more /etc/ipsec.conf
96
- # ipsec.conf - strongSwan IPsec configuration file
97
-
98
- config setup
99
-
100
- conn %default
101
- keyexchange=ikev1
102
- dpdaction=restart
103
-
104
- conn MYPEER
105
- # peer IPs
106
- left=192.0.2.1
107
- right=192.0.2.2
108
- # phase 1 parameters
109
- ike=aes128-sha1-modp1536!
110
- ikelifetime=28800s
111
- # authentication
112
- authby=pubkey
113
- leftrsasigkey=/etc/ipsec.d/public/mykey.pem
114
- rightrsasigkey=/etc/ipsec.d/public/peerkey.pem
115
- # phase 2 parameters
116
- esp=aes128-sha1-modp1536!
117
- lifetime=3600s
118
- type=transport
119
- leftprotoport=gre
120
- rightprotoport=gre
121
- # startup
122
- auto=route
123
- keyingtries=%forever
96
+```sh
97
+root@debian:~# ip addr show dev gre1
98
+11: gre1@NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1400 qdisc noqueue state UNKNOWN
99
+ link/gre 192.0.2.1 peer 192.0.2.2
100
+ inet 10.1.2.0/31 scope global gre1
101
+ valid_lft forever preferred_lft forever
102
+ inet6 fe80::200:5efe:6825:1c22/64 scope link
103
+ valid_lft forever preferred_lft forever
104
+root@debian:~# more /etc/ipsec.conf
105
+# ipsec.conf - strongSwan IPsec configuration file
106
+
107
+config setup
108
+
109
+conn %default
110
+ keyexchange=ikev1
111
+ dpdaction=restart
112
+
113
+conn MYPEER
114
+ # peer IPs
115
+ left=192.0.2.1
116
+ right=192.0.2.2
117
+ # phase 1 parameters
118
+ ike=aes128-sha1-modp1536!
119
+ ikelifetime=28800s
120
+ # authentication
121
+ authby=pubkey
122
+ leftrsasigkey=/etc/ipsec.d/public/mykey.pem
123
+ rightrsasigkey=/etc/ipsec.d/public/peerkey.pem
124
+ # phase 2 parameters
125
+ esp=aes128-sha1-modp1536!
126
+ lifetime=3600s
127
+ type=transport
128
+ leftprotoport=gre
129
+ rightprotoport=gre
130
+ # startup
131
+ auto=route
132
+ keyingtries=%forever
133
+```
124 134
125 135
If your peer is using a Cisco router and is behind NAT, then you might need to add the following option:
126 136
127
- rightid=NATIP
137
+```
138
+rightid=NATIP
139
+```
128 140
129 141
# See also
130 142
* [Network settings](/howto/networksettings)
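Review bot: the `rightid=NATIP` fence added at the end is the only untagged fence in this change (everything else gets `sh` or `conf`), and `NATIP` is written bare where the rest of the wiki writes placeholders as `<GATEWAY_IP>`-style tokens; tag it `conf` and write `rightid=<NAT-IP>` so readers do not take it for a literal keyword.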
howto/IPv6-Multicast.md
... ...
@@ -28,7 +28,7 @@ rfc8815 deprecated pim-sm, please take a look at the new multicast page about pi
28 28
29 29
* Create a dummy interface to hold your calculated unicast Rendezvous Point address. This one needs to be reachable from within dn42. Also set "multicast on" on this dummy interface. Example:
30 30
31
- ```
31
+ ```conf
32 32
# /etc/network/interfaces.d/pim6sd
33 33
auto pim-router-id
34 34
iface pim-router-id inet manual
... ...
@@ -86,7 +86,7 @@ You can now switch into this test network namespace via "ip netns exec /bin/bash
86 86
87 87
### Creating a test multicast listener
88 88
89
-```
89
+```sh
90 90
$ socat -u UDP6-RECV:1234,reuseaddr,ipv6-join-group="[ff7e:230:fdd5:69d5:c530::123]:eth0" -
91 91
```
92 92
... ...
@@ -94,7 +94,7 @@ $ socat -u UDP6-RECV:1234,reuseaddr,ipv6-join-group="[ff7e:230:fdd5:69d5:c530::1
94 94
95 95
First select which interface should be the default one for your multicast traffic. Then send multicast packets via ICMPv6:
96 96
97
-```
97
+```sh
98 98
$ ip -6 route add ff7e:230:fdd5:69d5:c530::/96 dev eth0 table local
99 99
$ ping6 -t 16 ff7e:230:fdd5:69d5:c530::123
100 100
```
... ...
@@ -145,18 +145,18 @@ However you can usually just announce and use both RFC3306 and RFC3956 based mul
145 145
#### Bootstrap Router
146 146
147 147
If you want to be participate as a bootstrap router candidate, please read up on how PIM works first. If you join with a bootstrap router candidate add it here below with contact information and join #dn42-multicast on HackInt:
148
-* <BSR-ADDR1> - foo@example.com, foo@HackInt
149
-* <BSR-ADDR2> - ...
148
+* \<BSR-ADDR1> - foo@example.com, foo@HackInt
149
+* \<BSR-ADDR2> - ...
150 150
151 151
#### Shared multicast addresses
152 152
153 153
Next to personal multicast prefixes generated by network prefix (RFC3306 or RFC3956) there can also be multicast addresses not owned by a specific AS. In general any one can just set up a multicast sender or listener for those. However to work, they need a reliable RP for coordination.
154 154
155 155
If you want to offer an RP candidate for a shared multicast address, please read up on how PIM works first. If you join with an RP candidate for a shared multicast address add it here below with contact information and join #dn42-multicast on HackInt:
156
-* <multicast-address1>/128:
157
- - <RP-address1> - foo@example.com, foo@HackInt
158
- - <RP-address2> - bar@example.com, bar@HackInt
159
-* <multicast-address2>/128:
156
+* \<multicast-address1>/128:
157
+ - \<RP-address1> - foo@example.com, foo@HackInt
158
+ - \<RP-address2> - bar@example.com, bar@HackInt
159
+* \<multicast-address2>/128:
160 160
- ...
161 161
162 162
## Questions?
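Review bot: escaping the placeholders as `\<BSR-ADDR1>` fixes the rendering (a bare `<BSR-ADDR1>` is swallowed as an HTML tag), but wrapping them in backticks, `` `<BSR-ADDR1>` ``, does the same without backslashes, matches how the `<PEER_NAME>`-style placeholders appear inside code blocks elsewhere in this commit, and survives renderers that do not honour the escape. The unchanged `- ...` line under `\<multicast-address2>/128:` is fine either way.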
howto/IPv6.md
... ...
@@ -65,7 +65,7 @@ Enter NPT. Address your services using a reserved private block, and map that bl
65 65
For example, if you've been assigned a public /48 prefix, and want to be reachable on DN42 aswell, you can use only ULA addresses from DN42 internally (or your own!), then map them to outside prefixes. Note that they'll need to all use the same prefix size to maintain the one-to-one mapping, so you may have to subnet the public prefix.
66 66
67 67
In Linux's netfilter, this can be implemented through the use of the NETMAP target, for the example above:
68
-```
68
+```sh
69 69
ip6tables -t nat -A POSTROUTING -d 2000::/3 -s <DN42-PREFIX>:<SUBNET>::/56 -j NETMAP --to <PUBLIC-PREFIX>:<SUBNET>::/56; # Map ULA to the public prefix for outgoing packets
70 70
ip6tables -t nat -A PREROUTING -s 2000::/3 -d <PUBLIC-PREFIX>:<SUBNET>::/56 -j NETMAP --to <DN42-PREFIX>:<SUBNET>::/56; # Map public prefix to ULA for incoming packets
71 71
```
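Review bot: the two NETMAP rules are a 1:1 mapping, so once the PREROUTING rule is in place every host in `<DN42-PREFIX>:<SUBNET>::/56` is addressable from `2000::/3`; the prose above should say that NETMAP only rewrites addresses and that the FORWARD chain still decides what gets through, so a default-deny forward policy is needed for anything not meant to be public. Minor: the trailing `;` before each `#` comment is unnecessary on a shell line.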
howto/OpenBGPD.md
... ...
@@ -16,7 +16,7 @@ By default, [bgpd(8)](http://man.openbsd.org/bgpd.8) listens on all local addres
16 16
17 17
## local host
18 18
Information such as ASN, router ID and allocated networks are required:
19
-```
19
+```conf
20 20
# macros
21 21
ASN="4242421234"
22 22
... ...
@@ -31,7 +31,7 @@ prefix-set mynetworks {
31 31
32 32
These can be used in subsequent filter rules.
33 33
The local peer's announcements is then defined as follows:
34
-```
34
+```conf
35 35
# Generate routes for the networks our ASN will originate.
36 36
# The communities (read 'tags') are later used to match on what
37 37
# is announced to EBGP neighbors
... ...
@@ -41,7 +41,7 @@ network prefix-set mynetworks set large-community $ASN:1:1
41 41
## neighbors
42 42
For each neighbor its ASN and transfer ULA is required.
43 43
An optional description is provided such that [bgpctl(8)](http://man.openbsd.org/bgpctl.8) for example can be used with mnemonic names instead of AS numbers:
44
-```
44
+```conf
45 45
# peer A, transport over IPSec/GRE
46 46
$A_local="fd00:12:34:A::1"
47 47
$A_remote="fd00:12:34:A::2"
... ...
@@ -61,7 +61,7 @@ The filter rules are evaluated in sequential order, form first to last.
61 61
The last matching allow or deny rule decides what action is taken.
62 62
63 63
Start off with basic protection and sanity rules:
64
-```
64
+```conf
65 65
# deny more-specifics of our own originated prefixes
66 66
deny quick from ebgp prefix-set mynetworks or-longer
67 67
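Review bot: typo in the hunk header's context line: `form first to last` should read `from first to last`. The rule block itself is fine as `conf`.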
... ...
@@ -72,7 +72,7 @@ deny quick from any max-as-len 8
72 72
`quick` rules are considered the last matching rule, and evaluation of subsequent rules is skipped.
73 73
74 74
Allow own announcements:
75
-```
75
+```conf
76 76
# Outbound EBGP: only allow self originated networks to ebgp peers
77 77
# Don't leak any routes from upstream or peering sessions. This is done
78 78
# by checking for routes that are tagged with the large-community $ASN:1:1
... ...
@@ -80,7 +80,7 @@ allow to ebgp prefix-set mynetworks large-community $ASN:1:1
80 80
```
81 81
82 82
Allow all remaining UPDATES based on **O**rigin **V**alidation **S**tates:
83
-```
83
+```conf
84 84
# enforce ROA
85 85
allow from ebgp ovs valid
86 86
```
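Review bot: `allow from ebgp ovs valid` as the only remaining allow rule rejects routes with no covering ROA (`ovs not-found`) as well as `invalid` ones; the sentence `Allow all remaining UPDATES based on Origin Validation States` should state that explicitly, because it is the intended strict dn42 behaviour but differs from the common clearnet practice of dropping only `invalid`.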
... ...
@@ -89,7 +89,7 @@ Note how the `ovs` filter requires the `roa-set {...}` to be defined; see the `
89 89
90 90
### path attributes
91 91
Besides `allow` and `deny` statements, filter rules can modify UPDATE messages, e.g.
92
-```
92
+```conf
93 93
# Scrub normal and large communities relevant to our ASN from EBGP neighbors
94 94
# https://tools.ietf.org/html/rfc7454#section-11
95 95
match from ebgp set { large-community delete $ASN:*:* }
... ...
@@ -123,7 +123,7 @@ roa-set {
123 123
```
124 124
125 125
Include it in `/etc/bgpd.conf`:
126
-```
126
+```conf
127 127
# defines roat-set, see _rpki-client crontab
128 128
include "/etc/dn42.roa-set"
129 129
```
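Review bot: typo in the comment line `# defines roat-set, see _rpki-client crontab`: `roat-set` should be `roa-set`, matching the `roa-set {` block named in the hunk header.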
howto/OpenWRT.md
... ...
@@ -28,9 +28,11 @@ This is needed so that OpenWRT is aware of the new interfaces (for firewall and
28 28
29 29
In `/etc/config/network`, add entries for each dn42 interface:
30 30
31
- config interface dn42peer1
32
- option ifname tun-peer1
33
- option proto none
31
+```conf
32
+config interface dn42peer1
33
+ option ifname tun-peer1
34
+ option proto none
35
+```
34 36
35 37
## Firewall
36 38
... ...
@@ -43,28 +45,36 @@ Everything is done in `/etc/config/firewall`.
43 45
44 46
### Zone declaration
45 47
46
- config zone
47
- option name dn42
48
- option network 'dn42peer1 dn42peer2 dn42peer3'
49
- option input REJECT
50
- option output ACCEPT
51
- option forward REJECT
48
+```conf
49
+config zone
50
+ option name dn42
51
+ option network 'dn42peer1 dn42peer2 dn42peer3'
52
+ option input REJECT
53
+ option output ACCEPT
54
+ option forward REJECT
55
+```
52 56
53 57
If you need to NAT your home network into dn42, you probably just need to add:
54 58
55
- option masq 1
59
+```conf
60
+option masq 1
61
+```
56 62
57 63
### dn42 ↔ LAN forwarding
58 64
59
- config forwarding
60
- option src lan
61
- option dest dn42
65
+```conf
66
+config forwarding
67
+ option src lan
68
+ option dest dn42
69
+```
62 70
63 71
If you're confident enough, you can also forward dn42 into your LAN:
64 72
65
- config forwarding
66
- option src dn42
67
- option dest lan
73
+```conf
74
+config forwarding
75
+ option src dn42
76
+ option dest lan
77
+```
68 78
69 79
Or you can forward only certain ports, to certain hosts, etc (standard `config rule` stuff)
70 80
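Review bot: the `option masq 1` fence now stands alone and the sentence `you probably just need to add:` never says where; state that the line goes inside the `config zone` stanza for `dn42` shown above (masquerading is a per-zone option), otherwise a reader may paste it at top level of `/etc/config/firewall`, where it does nothing.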
... ...
@@ -72,7 +82,9 @@ Or you can forward only certain ports, to certain hosts, etc (standard `config r
72 82
73 83
This is more tricky. In theory, all you have to do is to set
74 84
75
- option forward ACCEPT
85
+```conf
86
+option forward ACCEPT
87
+```
76 88
77 89
in the definition of the zone. However, due to a bug in Attitude Adjustment (see <https://dev.openwrt.org/ticket/12945>), this will allow forwarding **everything everywhere**.
78 90
howto/Quagga.md
... ...
@@ -6,16 +6,20 @@ Quagga is probably one of the oldest software router around. It still works, of
6 6
7 7
Use this in your `zebra.conf`:
8 8
9
- route-map RM_SET_SRC permit 10
10
- set src 172.22.XX.XX
11
- ip protocol bgp route-map RM_SET_SRC
9
+```conf
10
+route-map RM_SET_SRC permit 10
11
+ set src 172.22.XX.XX
12
+ip protocol bgp route-map RM_SET_SRC
13
+```
12 14
13 15
Unfortunately, this is not possible with IPv6...
14 16
15 17
## Important bgp commands
16 18
To connect to bgpd use:
17 19
18
- $ vtysh
20
+```sh
21
+$ vtysh
22
+```
19 23
20 24
Which provides an interactive interface.
21 25
In this interface '?' can be used to list the available commands or subcommands.
... ...
@@ -23,82 +27,94 @@ In this interface '?' can be used to list the available commands or subcommands.
23 27
## Configure Quagga
24 28
a minimal config would look like this:
25 29
26
- vtysh> configure terminal
27
- vtysh(config)> router bgp <your-asn>
28
- vtysh(config-router)> neighbor <neighbor-ip> remote-as <neighbor-asn>
29
- vtysh(config-router)> neighbor <neighbor-ip> interface <interface>
30
- vtysh(config-router)> exit
31
- vtysh(config)> exit
30
+```sh
31
+vtysh> configure terminal
32
+vtysh(config)> router bgp <your-asn>
33
+vtysh(config-router)> neighbor <neighbor-ip> remote-as <neighbor-asn>
34
+vtysh(config-router)> neighbor <neighbor-ip> interface <interface>
35
+vtysh(config-router)> exit
36
+vtysh(config)> exit
37
+```
32 38
33 39
### IPv6
34 40
for IPv6 do something like
35 41
36
- vtysh> configure terminal
37
- vtysh(config)> router bgp <your-asn>
38
- vtysh(config-router)> neighbor <neighbor-ip> remote-as <neighbor-asn>
39
- vtysh(config-router)> neighbor <neighbor-ip> interface <interface>
40
- vtysh(config-router)> no neighbor <neighbor-ip> activate
41
- vtysh(config-router)> address-family ipv6
42
- vtysh(config-router-af)> neighbor <neighbor-ip> activate
43
- vtysh(config-router-af)> exit
44
- vtysh(config-router)> exit
45
- vtysh(config)> exit
42
+```sh
43
+vtysh> configure terminal
44
+vtysh(config)> router bgp <your-asn>
45
+vtysh(config-router)> neighbor <neighbor-ip> remote-as <neighbor-asn>
46
+vtysh(config-router)> neighbor <neighbor-ip> interface <interface>
47
+vtysh(config-router)> no neighbor <neighbor-ip> activate
48
+vtysh(config-router)> address-family ipv6
49
+vtysh(config-router-af)> neighbor <neighbor-ip> activate
50
+vtysh(config-router-af)> exit
51
+vtysh(config-router)> exit
52
+vtysh(config)> exit
53
+```
46 54
47 55
### peer groups, prefix lists and such
48 56
If you want to use 'prefix-list' to filter some of the prefixes quagga is receiving, you can use a 'peer-group' instead of apply the prefix list to every neighbor.
49 57
50 58
Define a peer group:
51 59
52
- vtysh(config-router)> neighbor <peer-group-name> peer-group
60
+```sh
61
+vtysh(config-router)> neighbor <peer-group-name> peer-group
62
+```
53 63
54 64
Apply to a neighbor:
55 65
56
- vtysh(config-router)> neighbor <neighbor-ip> peer-group <name>
66
+```sh
67
+vtysh(config-router)> neighbor <neighbor-ip> peer-group <name>
68
+```
57 69
58 70
Apply a prefix list for incoming prefixes to your peer group:
59 71
60
- vtysh(config-router)> neighbor <peer-group-name> prefix-list <prefix-list-name> in
72
+```sh
73
+vtysh(config-router)> neighbor <peer-group-name> prefix-list <prefix-list-name> in
74
+```
61 75
62 76
#### Example filter list
63 77
64
- ip prefix-list vpn-in description BGP IPv4 import filter
65
- !old network:
66
- ip prefix-list vpn-in seq 5 permit 172.22.0.0/15 ge 22 le 28
67
- !new dn42 allocation:
68
- ip prefix-list vpn-in seq 10 permit 172.20.0.0/16 ge 22 le 28
69
-
70
- ! Anycast /32s for Whois and DNS:
71
- ip prefix-list vpn-in seq 11 permit 172.22.0.43/32
72
- ip prefix-list vpn-in seq 12 permit 172.22.0.53/32
73
-
74
- ip prefix-list vpn-in seq 18 permit 192.175.48.0/24
75
- ip prefix-list vpn-in seq 20 deny 10.10.10.0/24
76
- ip prefix-list vpn-in seq 21 permit 10.0.0.0/8
77
- ip prefix-list vpn-in seq 30 permit 172.31.0.0/16
78
- ip prefix-list vpn-in seq 39 permit 100.64.0.0/10
79
- ip prefix-list vpn-in seq 40 permit 195.160.168.0/23
80
- ip prefix-list vpn-in seq 41 permit 91.204.4.0/22
81
- ip prefix-list vpn-in seq 43 permit 193.43.220.0/23
82
- ip prefix-list vpn-in seq 46 permit 83.133.178.0/23
83
- ip prefix-list vpn-in seq 47 permit 87.106.29.254/32
84
- ip prefix-list vpn-in seq 50 permit 85.25.246.16/28
85
- ip prefix-list vpn-in seq 51 permit 46.4.248.192/27
86
- ip prefix-list vpn-in seq 60 permit 94.45.224.0/19
87
- ip prefix-list vpn-in seq 70 permit 195.191.196.0/23
88
- ip prefix-list vpn-in seq 80 permit 80.244.241.224/27
89
- ip prefix-list vpn-in seq 90 permit 46.19.90.48/28
90
- ip prefix-list vpn-in seq 91 permit 46.19.90.96/28
91
- ip prefix-list vpn-in seq 110 permit 188.40.34.241/32
92
- ip prefix-list vpn-in seq 130 permit 37.1.89.192/26
93
- ip prefix-list vpn-in seq 140 permit 178.33.32.123/32
94
- ip prefix-list vpn-in seq 150 permit 87.98.246.19/32
95
- ip prefix-list vpn-in seq 1000 deny 0.0.0.0/0
96
-
97
- ipv6 prefix-list vpn-in seq 10 permit fd00::/8 ge 9
98
- ipv6 prefix-list vpn-in seq 15 deny any
78
+```sh
79
+ip prefix-list vpn-in description BGP IPv4 import filter
80
+!old network:
81
+ip prefix-list vpn-in seq 5 permit 172.22.0.0/15 ge 22 le 28
82
+!new dn42 allocation:
83
+ip prefix-list vpn-in seq 10 permit 172.20.0.0/16 ge 22 le 28
84
+
85
+! Anycast /32s for Whois and DNS:
86
+ip prefix-list vpn-in seq 11 permit 172.22.0.43/32
87
+ip prefix-list vpn-in seq 12 permit 172.22.0.53/32
88
+
89
+ip prefix-list vpn-in seq 18 permit 192.175.48.0/24
90
+ip prefix-list vpn-in seq 20 deny 10.10.10.0/24
91
+ip prefix-list vpn-in seq 21 permit 10.0.0.0/8
92
+ip prefix-list vpn-in seq 30 permit 172.31.0.0/16
93
+ip prefix-list vpn-in seq 39 permit 100.64.0.0/10
94
+ip prefix-list vpn-in seq 40 permit 195.160.168.0/23
95
+ip prefix-list vpn-in seq 41 permit 91.204.4.0/22
96
+ip prefix-list vpn-in seq 43 permit 193.43.220.0/23
97
+ip prefix-list vpn-in seq 46 permit 83.133.178.0/23
98
+ip prefix-list vpn-in seq 47 permit 87.106.29.254/32
99
+ip prefix-list vpn-in seq 50 permit 85.25.246.16/28
100
+ip prefix-list vpn-in seq 51 permit 46.4.248.192/27
101
+ip prefix-list vpn-in seq 60 permit 94.45.224.0/19
102
+ip prefix-list vpn-in seq 70 permit 195.191.196.0/23
103
+ip prefix-list vpn-in seq 80 permit 80.244.241.224/27
104
+ip prefix-list vpn-in seq 90 permit 46.19.90.48/28
105
+ip prefix-list vpn-in seq 91 permit 46.19.90.96/28
106
+ip prefix-list vpn-in seq 110 permit 188.40.34.241/32
107
+ip prefix-list vpn-in seq 130 permit 37.1.89.192/26
108
+ip prefix-list vpn-in seq 140 permit 178.33.32.123/32
109
+ip prefix-list vpn-in seq 150 permit 87.98.246.19/32
110
+ip prefix-list vpn-in seq 1000 deny 0.0.0.0/0
111
+
112
+ipv6 prefix-list vpn-in seq 10 permit fd00::/8 ge 9
113
+ipv6 prefix-list vpn-in seq 15 deny any
114
+```
99 115
100 116
#### Example filter list script
101
-```
117
+```sh
102 118
#!/bin/bash
103 119
104 120
vtysh -c 'conf t' -c "no ip prefix-list dn42"; #drop old prefix list
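Review bot: the vtysh sessions and the `ip prefix-list` example are Quagga CLI/config, not shell, so `sh` is the wrong tag: `!old network:` is a Quagga comment but a history-expansion token to a shell highlighter, and `<your-asn>` reads as a redirection. Use `conf`, as the Bird and OpenBGPD files in this commit do. The final `#!/bin/bash` block is correctly `sh`.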
howto/ROA-slash-RPKI.md
... ...
@@ -32,11 +32,12 @@ You can find a hosted example of dn42regsrv at <https://explorer.burble.com/>
32 32
Instructions on how to host dn42regsrv yourself can be found on the git repo of [dn42regsrv](https://git.burble.com/burble.dn42/dn42regsrv).
33 33
34 34
You can also run dn42regsrv via docker (then available at 127.0.0.1:8042):
35
-
36
- git checkout https://git.burble.com/burble.dn42/dn42regsrv.git .
37
- cd contrib/docker
38
- ./build.sh
39
- docker-compose up -d
35
+```sh
36
+git checkout https://git.burble.com/burble.dn42/dn42regsrv.git .
37
+cd contrib/docker
38
+./build.sh
39
+docker-compose up -d
40
+```
40 41
41 42
Documentation for the api endpoints can be found here: <https://git.burble.com/burble.dn42/dn42regsrv/src/master/API.md>
42 43
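Review bot: `git checkout https://git.burble.com/burble.dn42/dn42regsrv.git .` is not a valid way to fetch a repository and will fail; the command should be `git clone https://git.burble.com/burble.dn42/dn42regsrv.git` followed by `cd dn42regsrv/contrib/docker`. This was already wrong before the hunk, but re-fencing it is the moment to fix it.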
... ...
@@ -48,7 +49,9 @@ burble kindly provides ready-to-use files for gortr here:
48 49
49 50
You can use these to simply run gortr via docker:
50 51
51
- docker run -ti -p 8082:8082 cloudflare/gortr -cache https://dn42.burble.com/roa/dn42_roa_46.json -verify=false -checktime=false -bind :8082
52
+```sh
53
+docker run -ti -p 8082:8082 cloudflare/gortr -cache https://dn42.burble.com/roa/dn42_roa_46.json -verify=false -checktime=false -bind :8082
54
+```
52 55
53 56
### rtrtr
54 57
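Review bot: `-verify=false -checktime=false` switch off gortr's signature check and validity-window check on the cache file, so the integrity of the ROA data rests entirely on the HTTPS connection to dn42.burble.com; the prose above should say so and state why the flags are needed for this feed, so readers do not carry them over to a setup where a signed cache is available.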
... ...
@@ -56,21 +59,25 @@ rtrtr is a RTR server from NLNet Labs. It's compatible with the dn42regsrv ROA-J
56 59
57 60
NLNet Labs provides an official docker image. You just have to bind mount a suitable configuration file:
58 61
59
- docker run -d -v /etc/rtrtr.conf:/etc/rtrtr.conf -p 323:323/tcp nlnetlabs/rtrtr -c /etc/rtrtr.conf
62
+```sh
63
+docker run -d -v /etc/rtrtr.conf:/etc/rtrtr.conf -p 323:323/tcp nlnetlabs/rtrtr -c /etc/rtrtr.conf
64
+```
60 65
61 66
This is a working configuration file for dn42. Maybe change the listen addresses:
62 67
63
- log_level = "debug"
64
- log_target = "stderr"
65
- http-listen = []
66
- [units.dn42-json]
67
- type = "json"
68
- uri = "https://dn42.burble.com/roa/dn42_roa_46.json"
69
- refresh = 600
70
- [targets.dn42-rtr]
71
- type = "rtr"
72
- listen = ["0.0.0.0:323", "[::]:323"]
73
- unit = "dn42-json"
68
+```conf
69
+log_level = "debug"
70
+log_target = "stderr"
71
+http-listen = []
72
+[units.dn42-json]
73
+type = "json"
74
+uri = "https://dn42.burble.com/roa/dn42_roa_46.json"
75
+refresh = 600
76
+[targets.dn42-rtr]
77
+type = "rtr"
78
+listen = ["0.0.0.0:323", "[::]:323"]
79
+unit = "dn42-json"
80
+```
74 81
75 82
For more information cosult the official documentation: <https://rtrtr.docs.nlnetlabs.nl/en/stable/>
76 83
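Review bot: rtrtr's configuration file is TOML, so tag this block `toml` rather than `conf`. Separately, the example listens on `0.0.0.0:323` and `[::]:323` and RTR carries no authentication, so `Maybe change the listen addresses` should be firmer: bind to the address your routers reach you on, or firewall port 323 to them. Drive-by: `cosult` in the following context line should be `consult`.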
howto/Registry-Authentication.md
... ...
@@ -50,7 +50,7 @@ There are three options for doing this. but you only need to do **one** of these
50 50
### `auth` attribute format, when your public key is in gitea or a public keyserver
51 51
52 52
- Use the following `auth` attribute in your `mntner` object:
53
-```
53
+```conf
54 54
auth: pgp-fingerprint <fingerprint>
55 55
```
56 56
Where `<fingerprint>` is your **full 40-digit** key fingerprint, without spaces.
... ...
@@ -62,7 +62,7 @@ Where `<fingerprint>` is your **full 40-digit** key fingerprint, without spaces.
62 62
*Tip: look at the existing key-cert objects for examples of how to add your public key*
63 63
64 64
- In this case the `auth` attribute must refer to the new key-cert object so use the following in your `mntner` object:
65
-```
65
+```conf
66 66
auth: PGPKEY-<short fingerprint>
67 67
```
68 68
Where `<short fingerprint>` is the last **8** digits from your key fingerprint.
... ...
@@ -76,7 +76,7 @@ Where `<short fingerprint>` is the last **8** digits from your key fingerprint.
76 76
- Use `git commit -S` to commit and sign your change.
77 77
78 78
- If you have already committed your change without signing it, you can sign the existing commit using:
79
-```
79
+```sh
80 80
git commit --amend --no-edit -S
81 81
```
82 82
If you had already pushed your change to gitea, you must also do a force push (`git push --force`) to update the remote copy.
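Review bot: the context line below the hunk recommends `git push --force`; `git push --force-with-lease` is the safer spelling for an amended commit because it refuses to overwrite a remote branch someone else has pushed to in the meantime. Worth updating while the block is being re-fenced.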
... ...
@@ -105,17 +105,17 @@ If you cannot get the above to work you may also:
105 105
### `auth` attribute format when using an ssh key
106 106
107 107
The generic format for authentication using an SSH key is as follows:
108
-```
108
+```conf
109 109
auth: ssh-<keytype> <pubkey>
110 110
```
111 111
112 112
Common examples:
113 113
114
-```
114
+```conf
115 115
auth: ssh-ed25519 <pubkey>
116 116
```
117 117
118
-```
118
+```conf
119 119
auth: ssh-rsa <pubkey>
120 120
```
121 121
... ...
@@ -131,13 +131,13 @@ Brief instructions are below, however there are also more detailed guides availa
131 131
132 132
- Set your git signature format to be SSH
133 133
134
-```
134
+```sh
135 135
git config --global gpg.format ssh
136 136
```
137 137
138 138
- Tell git which SSH key to use
139 139
140
-```
140
+```sh
141 141
git config --global user.signingKey '<ssh public key>'
142 142
```
143 143
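Review bot: `git config --global user.signingKey '<ssh public key>'` with a literal key needs the `key::` prefix (`'key::ssh-ed25519 AAAA...'`); without it git treats the value as a path to a key file and signing fails with a file-not-found error. Either add the prefix to the example or say the value may alternatively be the path to the private key.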
... ...
@@ -167,13 +167,13 @@ The registry includes a script that uses ssh-keygen signatures to sign your chan
167 167
168 168
#### How to sign
169 169
170
-```
170
+```sh
171 171
./sign-my-commit --ssh --key <path to your SSH private key> --push <MNTNER>
172 172
```
173 173
174 174
e.g.
175 175
176
-```
176
+```sh
177 177
./sign-my-commit --ssh --key /home/foo/.ssh/id_ed25519 --push FOO-MNT
178 178
```
179 179
... ...
@@ -181,7 +181,7 @@ e.g.
181 181
182 182
The script can also verify your signature:
183 183
184
-```
184
+```sh
185 185
./sign-my-commit --ssh --verify <MNTNER>
186 186
```
187 187
... ...
@@ -231,7 +231,7 @@ Please try and upgrade your ssh-keygen version and use the generic ssh-keygen me
231 231
### Authentication with an SSH RSA key
232 232
233 233
- Use the following `auth` attribute in your `mntner` object:
234
-```
234
+```conf
235 235
auth: ssh-rsa <pubkey>
236 236
```
237 237
Where `<pubkey>` is the ssh public key copied from your id_rsa.pub file.
... ...
@@ -269,7 +269,7 @@ openssl pkeyutl \
269 269
### Authentication with an SSH ecdsa key
270 270
271 271
- Use the following `auth` attribute in your `mntner` object:
272
-```
272
+```conf
273 273
auth: ecdsa-sha2-nistp256 <pubkey>
274 274
```
275 275
Where `<pubkey>` is the ssh public key copied from your id_ecdsa.pub file.
howto/Static-routes-on-Windows.md
... ...
@@ -1,6 +1,6 @@
1 1
Modern versions of Windows do not support OSPF and manually adding static routes every time after a reboot is annoying. Below is a batch script you can edit and run to help make adding routes easier. This script assumes that your BGP router and Windows computer are on the same LAN.
2 2
3
-```
3
+```sh
4 4
@echo off
5 5
REM fill in YOUR network information
6 6
REM right click and RUN AS ADMIN
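Review bot: this block is a Windows batch script (`@echo off`, `REM`), so the tag should be `bat` (or `batch`), not `sh`; under `sh` the highlighter flags `@echo` and does not render the `REM` lines as comments.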
howto/lglass.md
... ...
@@ -1,6 +1,8 @@
1 1
lglass is a Python software package designed for Internet Registries like the DN42. You can generate zone files for DNS and rDNS IPv4/v6, and handle the registry. It is available on GitHub as free software:
2 2
3
- $ git clone git://github.com/fritz0705/lglass.git
3
+```sh
4
+$ git clone git://github.com/fritz0705/lglass.git
5
+```
4 6
5 7
## Links
6 8
- [Fritz Gihub repo](https://github.com/fritz0705/lglass)
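Review bot: `git clone git://github.com/fritz0705/lglass.git` uses the unauthenticated git protocol, which provides no transport integrity and which GitHub stopped serving in 2022, so the command no longer works; change it to `https://github.com/fritz0705/lglass.git`. Drive-by: `Fritz Gihub repo` in the context line should be `GitHub`.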
... ...
@@ -10,27 +12,31 @@ lglass is a Python software package designed for Internet Registries like the DN
10 12
11 13
lglass provides an event-based whois daemon with internal caching, which was written in Python. It is very simple to run an instance:
12 14
13
- $ ./bin/lglass-whoisd
15
+```sh
16
+$ ./bin/lglass-whoisd
17
+```
14 18
15 19
without the configfile:
16 20
17
- $ ./bin/lglass-regtool whoisd -H $HOST -p $PORT
18
-.
19
-
20
- usage: lglass-whoisd [-h] [-4] [-6] [--host HOST] [--port PORT]
21
- [--cidr] [--no-cidr] [--inverse] [--no-inverse]
22
-
23
- optional arguments:
24
- -h, --help show this help message and exit
25
- -4 Listen on IPv4
26
- -6 Listen on IPv6
27
- --host HOST, -H HOST Listen on host
28
- --port PORT, -p PORT Listen on port
29
- --cidr, -c Perform CIDR matching on queries
30
- --no-cidr Do not perform CIDR matching on queries
31
- --inverse, -i Perform inverse matching on queries
32
- --no-inverse Do not perform inverse matching on queries
33
-
21
+```sh
22
+$ ./bin/lglass-regtool whoisd -H $HOST -p $PORT
23
+```
24
+
25
+```
26
+usage: lglass-whoisd [-h] [-4] [-6] [--host HOST] [--port PORT]
27
+ [--cidr] [--no-cidr] [--inverse] [--no-inverse]
28
+
29
+optional arguments:
30
+ -h, --help show this help message and exit
31
+ -4 Listen on IPv4
32
+ -6 Listen on IPv6
33
+ --host HOST, -H HOST Listen on host
34
+ --port PORT, -p PORT Listen on port
35
+ --cidr, -c Perform CIDR matching on queries
36
+ --no-cidr Do not perform CIDR matching on queries
37
+ --inverse, -i Perform inverse matching on queries
38
+ --no-inverse Do not perform inverse matching on queries
39
+```
34 40
35 41
## Generate zone files
36 42
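Review bot: the command shown under `without the configfile:` is `./bin/lglass-regtool whoisd -H $HOST -p $PORT`, but the usage text that follows is for `lglass-whoisd`, the binary from the block above; one of the two is wrong and a reader cannot tell which options belong to which command. Make the command match the usage (or the reverse). Splitting the command and the usage output into two fences is right; the usage fence could be tagged `text`.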
... ...
@@ -38,32 +44,42 @@ lglass also provides a script to generate zone files from the registry. It's nam
38 44
39 45
To generate DNS zones:
40 46
41
- $ ./bin/lglass-zonegen -d $PATH_TO_DATA_DIR -n ns1... -n ns2... -e foo.bar.com dns -z dn42
47
+```sh
48
+$ ./bin/lglass-zonegen -d $PATH_TO_DATA_DIR -n ns1... -n ns2... -e foo.bar.com dns -z dn42
49
+```
42 50
43 51
To generate IPv4 rDNS zones:
44 52
45
- $ ./bin/lglass-zonegen -d $PATH_TO_DATA_DIR -n ns1... -n ns2... -e foo.bar.com rdns4 -N 172.22.0.0/16
53
+```sh
54
+$ ./bin/lglass-zonegen -d $PATH_TO_DATA_DIR -n ns1... -n ns2... -e foo.bar.com rdns4 -N 172.22.0.0/16
55
+```
46 56
47 57
To generate IPv6 rDNS zones:
48
-
49
- $ ./bin/lglass-zonegen -d $PATH_TO_DATA_DIR -n ns1... -n ns2... -e foo.bar.com rdns6 -N fd00::/8
58
+```sh
59
+$ ./bin/lglass-zonegen -d $PATH_TO_DATA_DIR -n ns1... -n ns2... -e foo.bar.com rdns6 -N fd00::/8
60
+```
50 61
51 62
## Reformat RPSL files
52 63
53 64
You can also reformat RPSL files using lglass by using the lglass.rpsl module:
54 65
55
- $ ./bin/lglass-rpsl < $DATA/inetnum/172.22.0.53_32
66
+```sh
67
+$ ./bin/lglass-rpsl < $DATA/inetnum/172.22.0.53_32
68
+```
56 69
57 70
lglass.rpsl also supports in-place operation:
58 71
59
- $ ./bin/lglass-rpsl -i $DATA/inetnum/172.22.0.53_32
72
+```sh
73
+$ ./bin/lglass-rpsl -i $DATA/inetnum/172.22.0.53_32
74
+```
60 75
61 76
This opens the file, reads the content into memory, seeks to position 0, writes the formatted object and truncates the file.
62 77
Simple web interface
63 78
64 79
lglass also comes with a simple web interface written in Python3 using Bottle and Jinja2. It also provides a binary to run it using wsgiref:
65
-
66
- $ ./bin/lglass-web
80
+```sh
81
+$ ./bin/lglass-web
82
+```
67 83
68 84
Furthermore you can use any WSGI server like Gunicorn by using lglass.web.application:app as WSGI callback. You can provide a path to the configuration file in the environment variable `LGLASS_WEB_CFG`.
69 85
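Review bot: `Simple web interface` sits as a bare line between the `lglass-rpsl` paragraph and the `lglass-web` paragraph; it should be a `## Simple web interface` heading like `## Reformat RPSL files` above it, otherwise it renders as a stray sentence.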
howto/networksettings.md
... ...
@@ -13,22 +13,22 @@ That is why `rp_filter` needs to be disabled.
13 13
14 14
**Note** using sysctl is not persistent. Depending on your linux distribution put it into `/etc/sysctl.conf` or `/etc/sysctl.d`
15 15
16
-```
16
+```sh
17 17
sysctl -w net.ipv4.conf.all.rp_filter=0 net.ipv4.conf.default.rp_filter=0
18 18
```
19 19
20 20
Check that its really disabled:
21
-```
21
+```sh
22 22
sysctl -a | grep rp_filter
23 23
```
24 24
25 25
Also the following options must be set.
26
-```
26
+```sh
27 27
$ sysctl -w net.ipv4.conf.all.forwarding=1 net.ipv6.conf.all.forwarding=1
28 28
```
29 29
30 30
Check that ALL your vpn interfaces allow ip forwarding for ipv6/ipv4.
31
-```
31
+```sh
32 32
$ sysctl -a | grep forwarding
33 33
```
34 34
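Review bot: the four blocks are inconsistent, the first two without the `$` prompt and the last two with it; pick one (no prompt is copy-paste friendly under `sh`). More important for the prose above: `rp_filter=0` turns off the kernel's reverse-path check, so the router accepts a packet with any source address on any interface; the page should say that this is a consequence of asymmetric routing on a multi-homed BGP router and that source-address filtering then has to happen in the firewall or in BGP import filters instead. Also note why the `grep rp_filter` check matters: the effective value is the maximum of `conf.all` and the per-interface setting, so an interface created while `default.rp_filter` was still 1 keeps filtering until its own key is set to 0 as well.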
howto/nixos.md
... ...
@@ -15,7 +15,7 @@ If you still want to give it a try, here you'll find some inspiration from my se
15 15
Defining the container environment is the base part of the setup. Beginning with network setup, Private Network disables the passthrough of Host Interfaces into the container and adds a bridged Interface to the host default Interface (e.g. eth0). The localAddress is the container side address and the hostAddress is the one the Host gets. Inside the ```container.<name>.config```, you can basicly import the same nix expression as from the Host and don't need to add some special container parts.
16 16
17 17
```nix
18
- containers.dn42 = {
18
+containers.dn42 = {
19 19
hostAddress = "192.168.254.1"; # Transfer Network
20 20
hostAddress6 = "2001:db08::42"; # Transfer Network
21 21
localAddress = "116.203.1.5";
... ...
@@ -24,22 +24,22 @@ Defining the container environment is the base part of the setup. Beginning with
24 24
autoStart = true;
25 25
26 26
config = { config, pkgs, ... }: {
27
- imports = [
28
- ./peers # Folder with a config for every Peer
29
- ./dns.nix # Bind with the litschi.dn42 zone deligated
30
- ./bird.nix # Bird config for BGP Routing
31
- ./networking.nix # Static Network configuration (with firewall)
32
- ./nginx.nix # nginx config for litschi.dn42
33
- ];
34
- environment.systemPackages = with pkgs; [
35
- # Network debug tools
36
- dnsutils
37
- mtr
38
- tcpdump
39
- wireguard-tools
40
- ];
27
+ imports = [
28
+ ./peers # Folder with a config for every Peer
29
+ ./dns.nix # Bind with the litschi.dn42 zone deligated
30
+ ./bird.nix # Bird config for BGP Routing
31
+ ./networking.nix # Static Network configuration (with firewall)
32
+ ./nginx.nix # nginx config for litschi.dn42
33
+ ];
34
+ environment.systemPackages = with pkgs; [
35
+ # Network debug tools
36
+ dnsutils
37
+ mtr
38
+ tcpdump
39
+ wireguard-tools
40
+ ];
41 41
}
42
- }
42
+}
43 43
```
44 44
45 45
In theory the container should now be starting and you can get shell access with ```sudo nixos-container root-login <name> ```.
... ...
@@ -47,20 +47,20 @@ In theory the container should now be starting and you can get shell access wit
47 47
I mounted some host paths into the container for dns zone files and static homepage since the container is the only one providing .dn42 webservers.
48 48
49 49
```nix
50
- containers.dn42 = {
50
+containers.dn42 = {
51 51
bindMounts = {
52
- "/var/www/dn42" = {
53
- hostPath = "/var/www/dn42";
54
- isReadOnly = true;
55
- mountPoint = "/var/www/dn42";
56
- };
57
- "/var/dns/dn42" = {
58
- hostPath = "/var/dns/dn42";
59
- isReadOnly = true;
60
- mountPoint = "/var/dns";
61
- };
52
+ "/var/www/dn42" = {
53
+ hostPath = "/var/www/dn42";
54
+ isReadOnly = true;
55
+ mountPoint = "/var/www/dn42";
56
+ };
57
+ "/var/dns/dn42" = {
58
+ hostPath = "/var/dns/dn42";
59
+ isReadOnly = true;
60
+ mountPoint = "/var/dns";
61
+ };
62 62
};
63
- }
63
+}
64 64
```
65 65
66 66
### Network Setup
... ...
@@ -68,28 +68,28 @@ I mounted some host paths into the container for dns zone files and static homep
68 68
As mentioned above, I got a spare public IPv4 Address, but by adding it as ```localAddress```, the container Part is configured static enough. But to forward traffic between Intferfaces ```/proc/sys/net/``` should configured
69 69
70 70
```nix
71
- boot.kernel.sysctl = {
71
+boot.kernel.sysctl = {
72 72
"net.ipv4.ip_forward" = 1;
73 73
"net.ipv6.conf.all.forwarding" = 1;
74
- };
74
+};
75 75
```
76 76
This allows our firewall to configure forwarding between peers and other tunnels. What is allowed to be forwarded can be configured in the firewall. Ferm has only few NixOS Options, but is pretty basic. Its configured with the ```services.ferm.config``` options, that contains just a string. Within this string there's standard plain ferm config. Example config is attached below.
77 77
If the dn42 address is not bound at any other Interface, you need to add it to the lo Interface to use it as source IP when routing via peers with dedicated transfer net.
78 78
```nix
79
- networking.interfaces.lo = {
80
- ipv4.addresses = [
79
+networking.interfaces.lo = {
80
+ ipv4.addresses = [
81 81
{
82
- address = "172.23.73.65";
83
- prefixLength = 32;
82
+ address = "172.23.73.65";
83
+ prefixLength = 32;
84 84
}
85
- ];
86
- ipv6.addresses = [
85
+ ];
86
+ ipv6.addresses = [
87 87
{
88
- address = "fd67:24bd:a1ea::1";
89
- prefixLength = 128;
88
+ address = "fd67:24bd:a1ea::1";
89
+ prefixLength = 128;
90 90
}
91
- ];
92
- };
91
+ ];
92
+};
93 93
```
94 94
95 95
#### Ferm example
... ...
@@ -100,40 +100,40 @@ services.ferm = {
100 100
domain ip table filter chain INPUT proto icmp ACCEPT;
101 101
domain ip6 table filter chain INPUT proto (ipv6-icmp icmp) ACCEPT;
102 102
domain (ip ip6) table filter {
103
- chain INPUT {
104
- policy DROP;
105
- interface lo ACCEPT;
106
- interface intern-+ ACCEPT;
107
- # website
108
- proto tcp dport (http https) ACCEPT;
109
- # wireguard
110
- proto udp dport ( <Wireguard Ports> ) ACCEPT;
111
- # bgp
112
- proto tcp dport (179) ACCEPT;
113
- # dns
114
- proto (udp tcp) dport domain ACCEPT;
115
- mod state state (INVALID) DROP;
116
- mod state state (ESTABLISHED RELATED) ACCEPT;
117
- }
118
- chain OUTPUT {
119
- policy ACCEPT;
120
- }
121
- chain FORWARD {
122
- policy DROP;
123
- # allow intern routing and dn42 forwarding
124
- interface dn42-+ outerface dn42-+ ACCEPT;
125
- interface intern-+ outerface intern-+ ACCEPT;
126
- interface intern-+ outerface dn42-+ ACCEPT;
127
- # but dn42 -> intern only with execptions
128
- interface dn42-+ outerface intern-+ {
129
- proto (ipv6-icmp icmp) ACCEPT; # Allow SSH Access from dn42 to devices behind intern-+ Interfaces
130
- proto tcp dport (ssh) ACCEPT;
131
- mod state state (ESTABLISHED) ACCEPT;
103
+ chain INPUT {
104
+ policy DROP;
105
+ interface lo ACCEPT;
106
+ interface intern-+ ACCEPT;
107
+ # website
108
+ proto tcp dport (http https) ACCEPT;
109
+ # wireguard
110
+ proto udp dport ( <Wireguard Ports> ) ACCEPT;
111
+ # bgp
112
+ proto tcp dport (179) ACCEPT;
113
+ # dns
114
+ proto (udp tcp) dport domain ACCEPT;
115
+ mod state state (INVALID) DROP;
116
+ mod state state (ESTABLISHED RELATED) ACCEPT;
117
+ }
118
+ chain OUTPUT {
119
+ policy ACCEPT;
120
+ }
121
+ chain FORWARD {
122
+ policy DROP;
123
+ # allow intern routing and dn42 forwarding
124
+ interface dn42-+ outerface dn42-+ ACCEPT;
125
+ interface intern-+ outerface intern-+ ACCEPT;
126
+ interface intern-+ outerface dn42-+ ACCEPT;
127
+ # but dn42 -> intern only with execptions
128
+ interface dn42-+ outerface intern-+ {
129
+ proto (ipv6-icmp icmp) ACCEPT; # Allow SSH Access from dn42 to devices behind intern-+ Interfaces
130
+ proto tcp dport (ssh) ACCEPT;
131
+ mod state state (ESTABLISHED) ACCEPT;
132
+ }
132 133
}
133
- }
134 134
}
135 135
'';
136
- };
136
+};
137 137
```
138 138
139 139
### Peering with wireguard
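Review bot: the rule order in `chain INPUT` (new lines 103-117) makes `mod state state (INVALID) DROP;` run only after the port-based accepts, so invalid-state packets aimed at the http/https, WireGuard, BGP and DNS ports are accepted by the `dport` rules before conntrack ever looks at them; move the two `mod state` rules directly after `policy DROP;` so the INVALID drop and ESTABLISHED/RELATED accept are evaluated first. Since the hunk re-indents these lines anyway, also fix the typo `execptions` on new line 127 and move the comment `# Allow SSH Access from dn42 to devices behind intern-+ Interfaces` from the `proto (ipv6-icmp icmp) ACCEPT;` line (new line 129) to the `proto tcp dport (ssh) ACCEPT;` line it actually describes.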
... ...
@@ -144,23 +144,23 @@ A sample wireguard config may look like this:
144 144
```nix
145 145
{config, pkgs, ...}:
146 146
{
147
- networking.wireguard.interfaces.dn42-peer = {
148
- privateKey = "";
149
- allowedIPsAsRoutes = false;
150
- listenPort = 42420;
151
-
152
- peers = [
153
- {
154
- publicKey = "";
155
- allowedIPs = [ "0.0.0.0/0" "::/0" ];
156
- endpoint = "42.42.42.42:42421";
157
- }
158
- ];
159
- postSetup = ''
160
- ${pkgs.iproute}/bin/ip addr add 169.254.0.1/32 peer 169.254.0.0/32 dev dn42-peer
161
- ${pkgs.iproute}/bin/ip -6 addr add fe80::1220/64 dev dn42-peer
162
- '';
163
- };
147
+ networking.wireguard.interfaces.dn42-peer = {
148
+ privateKey = "";
149
+ allowedIPsAsRoutes = false;
150
+ listenPort = 42420;
151
+
152
+ peers = [
153
+ {
154
+ publicKey = "";
155
+ allowedIPs = [ "0.0.0.0/0" "::/0" ];
156
+ endpoint = "42.42.42.42:42421";
157
+ }
158
+ ];
159
+ postSetup = ''
160
+ ${pkgs.iproute}/bin/ip addr add 169.254.0.1/32 peer 169.254.0.0/32 dev dn42-peer
161
+ ${pkgs.iproute}/bin/ip -6 addr add fe80::1220/64 dev dn42-peer
162
+ '';
163
+ };
164 164
}
165 165
```
166 166
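Review bot: `privateKey = "";` on new line 148 invites readers to paste the WireGuard private key into the Nix expression, where it is copied into the world-readable Nix store on evaluation; the module's `privateKeyFile` option, pointing at a root-only file outside the store, is the right place for it, and the sample should show that instead. A smaller point: `${pkgs.iproute}` on new lines 160-161 is the legacy attribute name, and `pkgs.iproute2` is the current one.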
... ...
@@ -176,41 +176,40 @@ Like ferm, Bird2 is configured by ```services.bird2.config``` containing a strin
176 176
Sample example to update ROA's :
177 177
```nix
178 178
{ pkgs, lib, ... }:
179
-let
180
- script = pkgs.writeShellScriptBin "update-roa" ''
179
+let script = pkgs.writeShellScriptBin "update-roa" ''
181 180
mkdir -p /etc/bird/
182 181
${pkgs.curl}/bin/curl -sfSLR {-o,-z}/etc/bird/roa_dn42_v6.conf https://dn42.burble.com/roa/dn42_roa_bird2_6.conf
183 182
${pkgs.curl}/bin/curl -sfSLR {-o,-z}/etc/bird/roa_dn42.conf https://dn42.burble.com/roa/dn42_roa_bird2_4.conf
184 183
${pkgs.bird2}/bin/birdc c
185 184
${pkgs.bird2}/bin/birdc reload in all
186
- '';
185
+ '';
187 186
in
188 187
{
189
- systemd.timers.dn42-roa = {
190
- description = "Trigger a ROA table update";
188
+ systemd.timers.dn42-roa = {
189
+ description = "Trigger a ROA table update";
190
+
191
+ timerConfig = {
192
+ OnBootSec = "5m";
193
+ OnUnitInactiveSec = "1h";
194
+ Unit = "dn42-roa.service";
195
+ };
191 196
192
- timerConfig = {
193
- OnBootSec = "5m";
194
- OnUnitInactiveSec = "1h";
195
- Unit = "dn42-roa.service";
197
+ wantedBy = [ "timers.target" ];
198
+ before = [ "bird.service" ];
196 199
};
197 200
198
- wantedBy = [ "timers.target" ];
199
- before = [ "bird.service" ];
200
- };
201
-
202
- systemd.services = {
203
- dn42-roa = {
204
- after = [ "network.target" ];
205
- description = "DN42 ROA Updated";
206
- unitConfig = {
207
- Type = "one-shot";
208
- };
209
- serviceConfig = {
210
- ExecStart = "${script}/bin/update-roa";
211
- };
201
+ systemd.services = {
202
+ dn42-roa = {
203
+ after = [ "network.target" ];
204
+ description = "DN42 ROA Updated";
205
+ unitConfig = {
206
+ Type = "one-shot";
207
+ };
208
+ serviceConfig = {
209
+ ExecStart = "${script}/bin/update-roa";
210
+ };
211
+ };
212 212
};
213
- };
214 213
}
215 214
```
216 215
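Review bot: `Type = "one-shot"` under `unitConfig` (new lines 205-207) is wrong on two counts: systemd spells the value `oneshot`, and `Type=` is a `[Service]` key, so it belongs in `serviceConfig`; as written systemd logs "Unknown key name 'Type' in section 'Unit', ignoring" and runs the unit as `Type=simple`. Replace the block with `serviceConfig = { Type = "oneshot"; ExecStart = "${script}/bin/update-roa"; };` and drop `unitConfig`. Two further points on the same hunk: `before = [ "bird.service" ]` on the timer names `bird.service`, while this page configures `services.bird2`, whose unit is `bird2.service`; and the script has no `set -e`, so when either `curl` fails the `birdc c` and `birdc reload in all` lines still run against whatever ROA files are already on disk, which silently keeps stale ROA data in use rather than surfacing the failure.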
... ...
@@ -221,14 +220,14 @@ There is now (thanks to [Tchekda](https://github.com/NixOS/nixpkgs/pull/153481))
221 220
```nix
222 221
bird-lg = {
223 222
proxy = {
224
- enable = true;
225
- allowedIPs = [ "172.20.XX.XX" "172.20.XX.YY" ];
223
+ enable = true;
224
+ allowedIPs = [ "172.20.XX.XX" "172.20.XX.YY" ];
226 225
};
227 226
frontend = {
228
- enable = true;
229
- netSpecificMode = "dn42";
230
- servers = [ "node1" "node2" ];
231
- domain = "domain.dn42";
227
+ enable = true;
228
+ netSpecificMode = "dn42";
229
+ servers = [ "node1" "node2" ];
230
+ domain = "domain.dn42";
232 231
};
233 232
};
234 233
```
howto/openvpn.md
... ...
@@ -10,7 +10,7 @@
10 10
* Replace `<REMOTE_GATEWAY_IP>` with dn42 ip address of your peer
11 11
* `<LOCAL_GATEWAY_IPV6> <REMOTE_GATEWAY_IPV6>` same as ipv4, but both ip addresses needs to be in the same subnet. For simplicity you can always use an address from link-local ipv6 range (fe80::/64)
12 12
13
-```
13
+```conf
14 14
#/etc/openvpn/<PEER_NAME>
15 15
proto <PROTO>
16 16
mode p2p
... ...
@@ -39,7 +39,7 @@ secret /etc/openvpn/<PEER_NAME>.key
39 39
40 40
then create a new key and share it with your peer
41 41
42
-```
42
+```sh
43 43
$ openvpn --genkey --secret /etc/openvpn/<PEER_NAME>.key
44 44
```
45 45
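Review bot: `openvpn --genkey --secret /etc/openvpn/<PEER_NAME>.key` on line 43 is the pre-2.5 syntax; OpenVPN 2.5 and later still accept it but print a deprecation warning and want `openvpn --genkey secret /etc/openvpn/<PEER_NAME>.key`. Because this file is a symmetric secret that line 40 tells the reader to share with the peer, the doc could add that it must be created with restrictive permissions and exchanged only over an authenticated, confidential channel.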
... ...
@@ -47,7 +47,7 @@ $ openvpn --genkey --secret /etc/openvpn/<PEER_NAME>.key
47 47
48 48
## peer with fixed ip
49 49
50
-```
50
+```conf
51 51
proto <PROTO>
52 52
mode p2p
53 53
dev-type tun
... ...
@@ -72,7 +72,7 @@ secret /etc/openvpn/<PEER_NAME>.key
72 72
* `<REMOTE_HOST>` is the ip address of your peer
73 73
* `<REMOTE_PORT>` is openvpn port, where your peer listen for traffic
74 74
75
-```
75
+```conf
76 76
proto <PROTO>
77 77
mode p2p
78 78
remote <REMOTE_HOST>
... ...
@@ -99,7 +99,7 @@ Clients connect using certificates, and simply get attributed dn42 IPs in the or
99 99
100 100
Replace `<PORT>` with the UDP port you want OpenVPN to listen to, and change the IP ranges (`ifconfig` and `route-gateway` options).
101 101
102
-```
102
+```conf
103 103
mode server
104 104
tls-server
105 105
... ...
@@ -152,7 +152,7 @@ push "route 172.22.0.0 255.254.0.0"
152 152
153 153
Change `<SERVER>` and `<PORT>`.
154 154
155
-```
155
+```conf
156 156
client
157 157
158 158
ca ca.crt
howto/systemd-networkd-configuration-example.md
... ...
@@ -5,7 +5,7 @@ This is the config that is used on ZOTAN Networks (AS4242422341). Full network c
5 5
# Configuration
6 6
7 7
## loopback device (lo.network)
8
-```
8
+```conf
9 9
[Match]
10 10
Name=lo
11 11
... ...
@@ -14,7 +14,7 @@ Address=fdff:b02d:2ef7::2/128
14 14
```
15 15
16 16
## wireguard netdev (dn42p1.netdev)
17
-```
17
+```conf
18 18
[NetDev]
19 19
Name = dn42p1
20 20
Kind = wireguard
... ...
@@ -31,7 +31,7 @@ AllowedIPs = 172.16.0.0/12,10.0.0.0/8,fd00::/8,fe80::/10,ff00::/8
31 31
```
32 32
33 33
## wireguard network (dn42p1.network)
34
-```
34
+```conf
35 35
[Match]
36 36
Name = dn42p1
37 37
howto/tinc.md
... ...
@@ -10,7 +10,7 @@ One advantage of tinc is that you can have multiple peering over the same VPN co
10 10
11 11
Example `/etc/tinc/dn42_yourpeer/tinc.conf`:
12 12
13
-```
13
+```conf
14 14
Interface = dn42_yourpeer
15 15
Name = your_host
16 16
# Only switch mode is feasible for dn42 peerings, since in router mode tinc takes care of routing decisions on its own
... ...
@@ -26,7 +26,7 @@ Tinc requires to add manually ip addresses and routes to the tap/tun interfaces.
26 26
Example `/etc/tinc/dn42_yourpeer/tinc-up`:
27 27
28 28
**Linux/iproute2**
29
-```
29
+```sh
30 30
#!/bin/sh
31 31
32 32
# set the interface up
... ...
@@ -44,13 +44,13 @@ For authentication tinc uses public key authentication instead of certificates o
44 44
For each key tinc should connect to or allow to connect, a file with the name of the peer in tincd -n twwh -K
45 45
is required. To generate a public/private key pair use:
46 46
47
-```
47
+```sh
48 48
$ tincd -K
49 49
```
50 50
51 51
Import for each other party the key like this `/etc/tinc/dn42_yourpeer/hosts/<peername>`:
52 52
53
-```
53
+```conf
54 54
# address/port are optional, in case they're missing you only expect connections from that host
55 55
Address = <fqdn/ip_addr>
56 56
Port = <port|655>
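Review bot: the context sentence on lines 44-45, "a file with the name of the peer in tincd -n twwh -K is required", is garbled: a command has been pasted into the middle of it. It presumably means that a host file named after the peer is required under `/etc/tinc/<netname>/hosts/`, matching the `/etc/tinc/dn42_yourpeer/hosts/<peername>` path on line 51. Since this hunk only adds a fence tag, it is a good moment to fix that sentence as well.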
... ...
@@ -74,19 +74,19 @@ Installation:
74 74
* Freebsd: Use this [port repo](https://github.com/Mic92/ports/tree/master/security/tinc)
75 75
76 76
Set up a new tinc network
77
-```
77
+```sh
78 78
# tinc -n dn42_yourpeer init dn42_yourself
79 79
```
80 80
81 81
Invite your peering partner. Tinc will print the invitaion which you need to copy to your peering partner.
82
-```
82
+```sh
83 83
$ tinc invite yourpeer
84 84
<ip-or-address>/nIRp5pJCnfnhuV13JUomscGs1q5HqEbz3AydZer7wRaMcpUB
85 85
```
86 86
87 87
On the other node you can join by using:
88 88
89
-```
89
+```sh
90 90
$ tinc join <invitation-url>
91 91
```
92 92
howto/wireguard.md
... ...
@@ -9,13 +9,13 @@ to allow your BGP daemon instead to do routing. This approach is comparable to [
9 9
10 10
First generate on each peer public and private keys.
11 11
12
-```
12
+```sh
13 13
$ wg genkey | tee privatekey | wg pubkey > publickey
14 14
```
15 15
16 16
## Configuration
17 17
18
-```
18
+```conf
19 19
# tunnel.conf
20 20
[Interface]
21 21
PrivateKey = <private_key>
... ...
@@ -38,7 +38,7 @@ AllowedIPs = 0.0.0.0/0,::/0
38 38
Wireguard comes with its own interface type.
39 39
It supports link-local addresses for IPv6 and single /32 addresses for IPv4, which can be used for peering.
40 40
41
-```
41
+```sh
42 42
$ ip link add dev <interface_name> type wireguard
43 43
$ wg setconf <interface_name> tunnel.conf
44 44
# both side pick a different link-local ipv6 address
... ...
@@ -54,7 +54,7 @@ Maybe you should check the MTU to your peer with e.g. `ping -s 1472 <end_point_h
54 54
55 55
## Testing
56 56
57
-```
57
+```sh
58 58
ping fe80::<your_peers_suffix>%<interface_name>
59 59
```
60 60
... ...
@@ -94,7 +94,7 @@ The script makes some changes that are not valid when used for DN42 tunnels, and
94 94
95 95
An example wg-quick script that incorporates the above two workarounds is below, where `<MyIPv[46]>` are the DN42 IP addresses of your node and `<PeerIPv[46]>` are the IP addresses for your peer.
96 96
97
-```
97
+```conf
98 98
[Interface]
99 99
PrivateKey = <your private key>
100 100
Address = <your link-local address, if any>
... ...
@@ -114,7 +114,7 @@ Use `which ip` to get the full path to your ip binary.
114 114
Example configuration for systemd-networkd.
115 115
116 116
peer.netdev
117
-```text
117
+```conf
118 118
[NetDev]
119 119
Name=<ifname>
120 120
Kind=wireguard
... ...
@@ -134,7 +134,7 @@ AllowedIPs=0.0.0.0/0
134 134
```
135 135
136 136
peer.network
137
-```text
137
+```conf
138 138
[Match]
139 139
Name=<ifname>
140 140
... ...
@@ -172,6 +172,6 @@ Peer=<your peer's IPv4 address>/32
172 172
As wireguard are only resolving the hostname to IP only on start, dynamics DNS will stop working after a while without further configuration. The Following is a [script](https://github.com/WireGuard/wireguard-tools/blob/master/contrib/reresolve-dns/reresolve-dns.sh) from wireguard which will "re-resolve" the DNS and update the wireguard.
173 173
174 174
You can add cron entries to periodically "re-resolve" the DNS:
175
-```
175
+```sh
176 176
* * * * * /path-to-the-script/reresolve-dns.sh
177 177
```
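Review bot: the cron line `* * * * * /path-to-the-script/reresolve-dns.sh` on line 176 passes no argument, but the upstream `reresolve-dns.sh` linked on line 172 takes the interface name or the path of the wg config as its first argument and does nothing useful without it; the example should read `* * * * * /path-to-the-script/reresolve-dns.sh <interface_name>`. Running it every minute is fine, because the script only re-resolves endpoints whose last handshake has gone stale.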
internal/Internal-Services.md
... ...
@@ -186,9 +186,9 @@ Providers of shell access:
186 186
187 187
| Person | Hostname | Net | Description | Contact |
188 188
|:------------- |:-------------------------------------- |:---------------- |:---------------- |:------------- |
189
-| mc36 | telnet test.nop.dn42 | dn42 only |looking glass | - |
190
-| JerryXiao | ssh lg@lg.jerry.dn42 | dn42 and icvpn |looking glass | - |
191
-| burble | ssh <mntner>@shell.fr-rbx1.burble.dn42 <br/> ssh <mntner>@shell.ca-bhs2.burble.dn42 | dn42 |Full shell account| See below |
189
+| mc36 | `telnet test.nop.dn42` | dn42 only |looking glass | - |
190
+| JerryXiao | `ssh lg@lg.jerry.dn42` | dn42 and icvpn |looking glass | - |
191
+| burble | `ssh <mntner>@shell.fr-rbx1.burble.dn42` <br/> `ssh <mntner>@shell.ca-bhs2.burble.dn42` | dn42 | Full shell account | See below |
192 192
193 193
### burble.dn42 shell access
194 194
internal/ShowAndTell.md
... ...
@@ -22,7 +22,7 @@ Document your mad setups in the categories below, with links to a full write up,
22 22
- Wired: Token Ring/X.25/ATM/ISDN etc (encapsulation allowed, but bonus points for real physical networks)
23 23
- Wireless: dn42 via microwave/laser/satellite
24 24
25
-*... your stuff goes here*
25
+*... your stuff goes here*
26 26
27 27
## Things attached to dn42
28 28
- The thing must be pingable from dn42
services/Automatic-CA.md
... ...
@@ -55,7 +55,9 @@ Server certificates are signed for 45 days. To renew follow the steps above star
55 55
56 56
get the script here:
57 57
58
+```sh
58 59
curl https://ca.dn42/ca.dn42 > ca.dn42; chmod +x ca.dn42
60
+```
59 61
60 62
available via git: anon@git.dn42:dn42/ca-client
61 63
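Review bot: `curl https://ca.dn42/ca.dn42 > ca.dn42; chmod +x ca.dn42` on line 59 makes whatever came back executable, including an HTML error page, because plain `curl` exits 0 on an HTTP error and the shell redirect writes the body regardless; use `curl -fsSLo ca.dn42 https://ca.dn42/ca.dn42 && chmod +x ca.dn42` so a failed download leaves no executable behind. Since line 62 already names the git repository, pointing readers at a clone gives them a reviewable, version-tracked copy of the script rather than a one-off download.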
... ...
@@ -106,7 +108,7 @@ Environtment Options:
106 108
107 109
Generate the user key
108 110
109
-```
111
+```sh
110 112
$ ./ca.dn42 user-gen XUU-MNT xuu@sour.is
111 113
Generating a 2048 bit RSA private key
112 114
...............................+++
... ...
@@ -121,7 +123,7 @@ writing new private key to 'XUU-MNT.key'
121 123
122 124
### Sign the user key
123 125
124
-```
126
+```sh
125 127
$ ./ca.dn42 user-sign XUU-MNT xuu@sour.is
126 128
== USER CERT ==
127 129
C:XD
... ...
@@ -138,7 +140,7 @@ Verifying - Enter Export Password:
138 140
139 141
### Generate the server key
140 142
141
-```
143
+```sh
142 144
$ ./ca.dn42 tls-gen ca.dn42 XUU-MNT xuu@sour.is DNS:ca.dn42
143 145
144 146
Generating a 2048 bit RSA private key
... ...
@@ -162,7 +164,7 @@ $ dig +short TXT _dn42_tlsverify.ca.dn42.
162 164
163 165
### Sign the server key
164 166
165
-```
167
+```sh
166 168
$ ./ca.dn42 tls-sign ca.dn42 XUU-MNT
167 169
== USER CERT ==
168 170
C:XD
... ...
@@ -190,13 +192,13 @@ Verifying - Enter Export Password: ****
190 192
191 193
The generated certificate will be valid for 3 months, to renew it simply run ```./ca.dn42 tls-sign ca.dn42 XUU-MNT``` again. This could be also automated in cron:
192 194
193
-```
195
+```sh
194 196
0 0 1 * * /etc/ssl/dn42/ca.dn42 tls-sign wiki.dn42 MIC92-MNT
195 197
```
196 198
197 199
or with a systemd timer:
198 200
199
-```
201
+```conf
200 202
# update-dn42-ca.timer
201 203
[Timer]
202 204
OnBootSec=1h
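Review bot: line 193 says the generated server certificate "will be valid for 3 months", while the context shown for this file at line 55 says "Server certificates are signed for 45 days"; one of the two numbers is stale and should be reconciled, since readers size their renewal schedule from it. Also, the cron line on line 196 renews the certificate but never reloads the web server, unlike the systemd service further down, which ends with `ExecStart=/usr/bin/nginx -s reload`; a note that the new certificate only takes effect after a reload would save some confusion.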
... ...
@@ -207,7 +209,7 @@ Persistent=yes
207 209
WantedBy=timers.target
208 210
```
209 211
210
-```
212
+```conf
211 213
[Service]
212 214
Type=oneshot
213 215
WorkingDirectory=/etc/ssl/dn42
... ...
@@ -219,7 +221,7 @@ ExecStart=/usr/bin/nginx -s reload
219 221
220 222
### Revoke a certificate.
221 223
222
-```
224
+```sh
223 225
$ ./ca.dn42 revoke XUU-MNT XUU-MNT.crt
224 226
== USER CERT ==
225 227
C:XD
services/Certificate-Authority.md
... ...
@@ -101,11 +101,11 @@ C0IKqQ==
101 101
## Testing constraints
102 102
103 103
The name constraints can be verified for example by using openssl:
104
-```
105
- openssl x509 -in dn42.crt -text -noout
104
+```sh
105
+openssl x509 -in dn42.crt -text -noout
106 106
```
107 107
which will show among other things:
108
-```
108
+```text
109 109
X509v3 Name Constraints:
110 110
Permitted:
111 111
DNS:.dn42
services/DNS.md
... ...
@@ -24,7 +24,7 @@ service and configure the other service as the secondary or backup nameserver.
24 24
25 25
Example resolv.conf, preferring a0.recursive-servers.dn42 and IPv4:
26 26
27
-```text
27
+```conf
28 28
nameserver 172.20.0.53
29 29
nameserver 172.23.0.53
30 30
nameserver fd42:d42:d42:54::1
... ...
@@ -34,7 +34,7 @@ search dn42
34 34
35 35
Example resolv.conf, preferring a3.recursive-servers.dn42 and IPv6:
36 36
37
-```text
37
+```conf
38 38
nameserver fd42:d42:d42:53::1
39 39
nameserver fd42:d42:d42:54::1
40 40
nameserver 172.23.0.53
services/Distributed-Wiki.md
... ...
@@ -39,9 +39,9 @@ Since gollum is built on top of Git, it is not overly complicated to keep the lo
39 39
- Contact [XUU-DN42](https://io.nixnodes.net?t=person&l=XUU-DN42) and ask for write access to the repo
40 40
- Setup cron for periodic pull/push jobs for the repo (simple example):
41 41
42
- + **wiki-sync.sh**:
42
+ + **wiki-sync.sh**:
43 43
44
- ```sh
44
+ ```sh
45 45
#!/bin/bash
46 46
47 47
WIKI_PATH=<repo path>
... ...
@@ -52,13 +52,13 @@ ${GIT} push
52 52
${GIT} pull
53 53
54 54
exit 0
55
- ```
55
+ ```
56 56
57
- + **Cron entry**:
57
+ + **Cron entry**:
58 58
59
- `*/10 * * * * <path>/wiki-sync.sh &> /dev/null`
59
+ `*/10 * * * * <path>/wiki-sync.sh &> /dev/null`
60 60
61
- Running in 10 minute intervals is reasonable, if you choose to change this, please keep it in the range from 5 to 15 minutes.
61
+ Running in 10 minute intervals is reasonable, if you choose to change this, please keep it in the range from 5 to 15 minutes.
62 62
63 63
## gollum
64 64
... ...
@@ -84,7 +84,7 @@ RACK_ENV=production gollum --css --host 127.0.0.1 --port 4567 --no-edit <path>
84 84
- Generate a [CSR](/services/Certificate-Authority) and send DNS Key Pin to [xuu@sour.is](mailto:xuu@sour.is):
85 85
- \<AS> is the as number with the prefix `as` like `as64737-ca.wiki.dn42`
86 86
87
-```
87
+```sh
88 88
./ca.dn42 tls-gen \
89 89
<AS>-<CC>(-<UID>).wiki.dn42 \
90 90
EXAMPLE-MNT \
... ...
@@ -109,13 +109,13 @@ A custom header `X-SiteID` identifies the site you're connecting to:
109 109
110 110
- Extract base64 encoded SPKI fingerprint from private key `wiki.key`:
111 111
112
- ```
112
+ ```sh
113 113
openssl rsa -in wiki.key -outform der -pubout | openssl dgst -sha256 -binary | openssl enc -base64
114 114
```
115 115
116 116
- Configure Nginx to send the fingerprint in header (SSL block):
117 117
118
- ```
118
+ ```conf
119 119
add_header Public-Key-Pins pin-sha256="<primary>"; pin-sha256="<backup>"; max-age=5184000; includeSubDomains';
120 120
```
121 121
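Review bot: the `add_header Public-Key-Pins` line on line 119 is not valid nginx: the value has no opening quote, so the first `;` after `pin-sha256="<primary>"` terminates the directive and the rest is a parse error; the intended form is `add_header Public-Key-Pins 'pin-sha256="<primary>"; pin-sha256="<backup>"; max-age=5184000; includeSubDomains';`. More fundamentally, HPKP is obsolete: Chrome dropped support in version 72 and Firefox in 72, so no current browser honours the header, while a mis-pinned key could still lock older clients out for the full `max-age`; the section would serve readers better marked as historical or removed.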
... ...
@@ -137,7 +137,7 @@ Nginx should listen on a unicast address as well, so your site can be reached ex
137 137
138 138
#### Config example
139 139
140
-```
140
+```conf
141 141
ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
142 142
ssl_session_cache shared:SSL:2m;
143 143
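Review bot: `ssl_protocols TLSv1.2 TLSv1.1 TLSv1;` on line 141 enables TLS 1.0 and 1.1, which RFC 8996 deprecates and which current clients no longer negotiate; change it to `ssl_protocols TLSv1.2 TLSv1.3;` (TLSv1.3 needs nginx built against OpenSSL 1.1.1 or newer). Retagging the fence as `conf` is fine.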
... ...
@@ -196,7 +196,7 @@ The prefix AS-PATH should show the announcement is originating from your AS. Aft
196 196
197 197
#### Configuration
198 198
199
-```
199
+```conf
200 200
# exabgp.conf
201 201
202 202
group gollum-watchdog {
services/IRC.md
... ...
@@ -3,7 +3,6 @@
3 3
4 4
We have an IRC Chatroom on the [hackint-Network](http://www.hackint.org). It is reachable from within DN42, ChaosVPN and the public internet. A connection is only possible via TLS on port 6697.
5 5
6
-
7 6
| Network | Hostname | SSL | IPv4 | IPv6 |
8 7
|:--------|:------------------------------------------|:------ |:-------------------------- |:------------ |
9 8
| DN42 | [irc.hackint.dn42](ircs://irc.hackint.dn42:6697) | Yes | 172.20.66.67 | fd42:d42:d42:6667::1 |
... ...
@@ -11,7 +10,7 @@ We have an IRC Chatroom on the [hackint-Network](http://www.hackint.org). It is
11 10
12 11
13 12
### via public internet
14
-| Hostname | Location |
13
+| Hostname | Location |
15 14
|:------------------------------------------------- |:-------------------------- |
16 15
| [irc.hackint.org](ircs://irc.hackint.org:6697) | Global |
17 16
| [irc.eu.hackint.org](ircs://irc.eu.hackint.org:6697) | European |
services/IXP-frnte.md
... ...
@@ -48,15 +48,19 @@ A Ruby script to calculate the IPv6 can be found on [ixp\_frnte\_dn42\_prefix.rb
48 48
49 49
An example configuration for Debian based Linux distributions would be:
50 50
51
- iface ensXX inet6 static
52
- address fde0:93fa:7a0:2:0:fcde:3558:1/64
51
+```sh
52
+iface ensXX inet6 static
53
+ address fde0:93fa:7a0:2:0:fcde:3558:1/64
54
+```
53 55
54 56
Here `ensXX` is the dn42 VLAN interface. This can be determined by comparing the MAC address of the interface with the MAC address of the dn42 VLAN in Proxmox. The MAC address can be determined on Linux with `ip l`:
55 57
56
- ensXX: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu
57
- 1500 qdisc pfifo_fast state UP mode DEFAULT group
58
- default qlen 1000
59
- link/ether MAC brd ff:ff:ff:ff:ff:ff
58
+```sh
59
+ensXX: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu
60
+ 1500 qdisc pfifo_fast state UP mode DEFAULT group
61
+ default qlen 1000
62
+ link/ether MAC brd ff:ff:ff:ff:ff:ff
63
+```
60 64
61 65
`MAC` would be the MAC address. After that you can activate the interface with ifup or a reboot of the VM.
62 66
Of course there are other configuration possibilities. This is only an example for Debian-based Linux distributions.
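Review bot: the new fences on lines 51 and 58 are tagged `sh`, but the first block is an `/etc/network/interfaces` stanza and the second is `ip l` output; elsewhere in this commit such blocks are tagged `conf` and `text` (see services/Certificate-Authority.md), so use those here for consistency. In the output block the `mtu` value is split from its number across lines 59-60; joining `mtu 1500` onto one line would match what the command actually prints.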
... ...
@@ -71,17 +75,19 @@ You can now enter this configuration into your routing daemon and it will connec
71 75
72 76
An example configuration for bird2 would be the following:
73 77
74
- protocol bgp ixp_rs from dnpeers {
75
- neighbor fde0:93fa:7a0:2:0:fcde:3559:1 as 4242421081;
78
+```conf
79
+protocol bgp ixp_rs from dnpeers {
80
+ neighbor fde0:93fa:7a0:2:0:fcde:3559:1 as 4242421081;
76 81
77
- enable extended messages on;
78
- direct;
79
- enforce first as off;
82
+ enable extended messages on;
83
+ direct;
84
+ enforce first as off;
80 85
81
- ipv4 {
82
- extended next hop;
83
- };
84
- }
86
+ ipv4 {
87
+ extended next hop;
88
+ };
89
+}
90
+```
85 91
86 92
**What does this configuration do?**
87 93
... ...
@@ -107,8 +113,8 @@ Furthermore, you can display different routes (in case of bird with `birdc show
107 113
One can also try to ping the IP of some at the IXP. From the latency you can also see if everything is working:
108 114
109 115
* Burble's pingable
110
- * 172.20.129.5
111
- * fd42:4242:2601:ac05::1
116
+ * `172.20.129.5`
117
+ * `fd42:4242:2601:ac05::1`
112 118
* Bandura's pingable:
113
- * 172.22.149.224
114
- * fd04:234e:fc31::
119
+ * `172.22.149.224`
120
+ * `fd04:234e:fc31::`
services/Route-Collector.md
... ...
@@ -25,7 +25,7 @@ The collector uses the dynamic peering capability in Bird2 to allow anyone to pe
25 25
26 26
Example bird2 config:
27 27
28
-```text
28
+```conf
29 29
protocol bgp ROUTE_COLLECTOR
30 30
{
31 31
local as ***YOUR_ASN***;
services/Statistics.md
... ...
@@ -11,7 +11,7 @@ Channel statistics for #dn42@hackint are available at: <https://dev.0l.dn42/stat
11 11
12 12
#### collectd.conf
13 13
14
-```
14
+```conf
15 15
LoadPlugin exec
16 16
<Plugin exec>
17 17
Exec nobody "/etc/collectd/bgp_prefixes-quagga.sh"
services/Whois.md
... ...
@@ -66,8 +66,10 @@ Mirrors are hosted at `asn.grmml.dn42` and `asn.lorkep.dn42`.
66 66
67 67
Example:
68 68
69
- $ dig +short AS4242420000.asn.dn42 TXT
70
- "4242420000 | DN42 | dn42 | | PYROPETER-AS PyroPeters AS"
69
+```sh
70
+$ dig +short AS4242420000.asn.dn42 TXT
71
+"4242420000 | DN42 | dn42 | | PYROPETER-AS PyroPeters AS"
72
+```
71 73
72 74
The Python code for generating the zone from the registry is available on the monotone repository.
73 75
services/dns/Configuration.md
... ...
@@ -27,7 +27,7 @@ DN42 is [interconnected](/internal/Interconnections) with the Inter City VPN or
27 27
If you already run a local DNS server, you can tell it to query the dn42 anycast servers for the relevant domains
28 28
by adding the following to /etc/bind/named.conf.local
29 29
30
-```
30
+```conf
31 31
zone "dn42" {
32 32
type forward;
33 33
forwarders { 172.20.0.53; fd42:d42:d42:54::1; };
... ...
@@ -71,7 +71,7 @@ options {
71 71
**Note**: With DNSSEC enabled, bind might refuse to accept query results from the dn42 zone: `validating dn42/SOA: got insecure response; parent indicates it should be secure`.
72 72
73 73
To disable DNSSEC validation only for certain TLDs include the following in the options section:
74
-```
74
+```conf
75 75
options {
76 76
# [...]
77 77
... ...
@@ -93,7 +93,7 @@ options {
93 93
94 94
If you are running dnsmasq under openwrt, you just have to add
95 95
96
-```
96
+```conf
97 97
config dnsmasq
98 98
option boguspriv '0'
99 99
option rebind_protection '1'
... ...
@@ -115,7 +115,7 @@ Attention: If you go with the default config you'll have to disable "boguspriv"
115 115
116 116
For normal dnsmasq use
117 117
118
-```
118
+```conf
119 119
server=/dn42/172.20.0.53
120 120
server=/20.172.in-addr.arpa/172.20.0.53
121 121
server=/21.172.in-addr.arpa/172.20.0.53
... ...
@@ -129,7 +129,7 @@ in `dnsmasq.conf`.
129 129
## PowerDNS recursor
130 130
Add this to /etc/powerdns/recursor.conf (at least in Debian and CentOS).
131 131
132
-```
132
+```conf
133 133
dont-query=127.0.0.0/8, 192.168.0.0/16, ::1/128, fe80::/10
134 134
forward-zones-recurse=dn42=172.20.0.53
135 135
forward-zones-recurse+=20.172.in-addr.arpa=172.20.0.53
... ...
@@ -143,7 +143,7 @@ forward-zones-recurse+=d.f.ip6.arpa=172.20.0.53
143 143
## MaraDNS
144 144
Put this in your mararc:
145 145
146
-```
146
+```conf
147 147
ipv4_alias["dn42_root"] = "172.20.0.53"
148 148
root_servers["dn42."] = "dn42_root"
149 149
root_servers["20.172.in-addr.arpa."] = "dn42_root"
... ...
@@ -158,7 +158,7 @@ root_servers["10.in-addr.arpa."] = "dn42_root"
158 158
Make sure to disable `auto-trust-anchor-file` and manually configure `trust-anchor-file` to
159 159
point to a file with DNSKEY records for dn42.
160 160
161
-```
161
+```conf
162 162
server:
163 163
local-zone: "20.172.in-addr.arpa." nodefault
164 164
local-zone: "21.172.in-addr.arpa." nodefault
... ...
@@ -205,11 +205,11 @@ forward-zone:
205 205
206 206
## JunOS (SRX 12.1X46)
207 207
Should also work in 12.1X44 and 12.1X45. After making the changes below you may need to run:
208
-```
208
+```sh
209 209
restart named-service
210 210
```
211 211
Config (vlan.0 is presumed to be your LAN/Trust interface)
212
-```
212
+```conf
213 213
system {
214 214
services {
215 215
dns {
... ...
@@ -289,17 +289,17 @@ All delegation servers have DNSSEC support and all record are signed, for more i
289 289
Following is a list of links to the DS record for TLD and reverse zone, to configure the key file, extract the value of ds-rdata and format it as follows, you must add all ds-rdata to the key file for dnssec to work. P.S. each ds-rdata or DS record should contain 4 numbers.
290 290
291 291
This is an example for dn42. and (fake) ds-rdata of 1 2 3 456
292
-```
292
+```conf
293 293
dn42. 86400 IN DS 1 2 3 456
294 294
```
295 295
296 296
This is an example for 172.20.0.0/16 and (fake) ds-rdata of 1 2 3 456
297
-```
297
+```conf
298 298
20.172.in-addr.arpa. 86400 IN DS 1 2 3 456
299 299
```
300 300
301 301
This is an example for fd00::/8 and (fake) ds-rdata of 1 2 3 456
302
-```
302
+```conf
303 303
d.f.ip6.arpa. 86400 IN DS 1 2 3 456
304 304
```
305 305
... ...
@@ -323,7 +323,7 @@ d.f.ip6.arpa. 86400 IN DS 1 2 3 456
323 323
324 324
325 325
## Unbound
326
-```
326
+```conf
327 327
trust-anchor-file: <path to key file>
328 328
329 329
server:
services/dns/Recursive-DNS-resolver.md
... ...
@@ -8,7 +8,7 @@ You may use some servers listed in the [table of anycast servers](/services/dns/
8 8
9 9
Configuration for `unbound.conf`
10 10
11
-```
11
+```conf
12 12
server:
13 13
local-zone: "22.172.in-addr.arpa." nodefault
14 14
local-zone: "23.172.in-addr.arpa." nodefault
... ...
@@ -35,7 +35,7 @@ stub-zone:
35 35
### Unbound with root-hints
36 36
Alternatively you can put dn42 root servers in the root-hints file for recursive resolving.
37 37
38
-```
38
+```conf
39 39
# /etc/unbound/unbound.conf.d/dn42.conf
40 40
server:
41 41
# DNSSEC validation will fail
... ...
@@ -55,7 +55,7 @@ remote-control:
55 55
```
56 56
57 57
The `/etc/unbound/dn42.hints` file:
58
-```
58
+```conf
59 59
. NS a.root-servers.dn42.
60 60
a.root-servers.dn42. 3600000 A 172.22.177.6
61 61
. NS m.root-servers.dn42.