

7.26.3. Virtual Private Network: VPN

NAME

vpn – configuring the system for virtual private networks

DESCRIPTION

A Virtual Private Network (VPN) is used to securely connect two or more subnets over the internet. For each subnet there is a security gateway which is linked via a cryptographically secured tunnel to the security gateway of the other subnet. ipsec is used to provide the necessary network-layer cryptographic services. This document describes the configuration process for setting up a VPN.

Briefly, creating a VPN consists of the following steps:
1. Set up the tcp-server.
2. Create the keys.
3. Create the Security Associations (SA).
4. Create the appropriate IPsec flows.
5. Configure firewall rules appropriately.
6. Enable the packet filter.

  Set up the tcp-server
To set up the tcp-server for VPN you need to define the following options in the file “tcpdconfig.h” in the tcp-server project directory:

IP forwarding:
/* Enable IP forwarding: a security gateway relays packets between its own
   subnet and the tunnel to the peer gateway (see DESCRIPTION). IPv6
   forwarding is presumably only needed when the VPN carries IPv6. */
#define IP4_FORWARD 1
#define IP6_FORWARD 1

Packet filter:
/* Build in the pf packet filter; the VPN depends on it to block everything
   from the outside that has not passed through IPsec (see Configuring
   Firewall Rules). */
#define PACKET_FILTER 1

IP Security:
/* Build in IPsec support; the SAs and flows below are created with the
   ipsecadm library that this option provides. */
#define IPSEC_ENABLE 1

When all necessary options are defined, you need to rebuild the tcp-server project.
Also do not forget to enable ESP and AH protocols in your application code:

    /* Run-time switches for the two IPsec protocols (presumably defined in
       the tcp-server); the page enables both, although the SA examples in
       this document use ESP only. */
    extern int esp_enable, ah_enable;

    esp_enable = 1;
    ah_enable = 1;
  Generating Manual Keys
The shared secret symmetric keys used to create a VPN can be any hexadecimal value, so long as both sides of the connection use the same values. Since the security of the VPN is based on these keys being unguessable, it is very important that the keys be chosen using a strong random source.
Different cipher types may require different sized keys.

    Cipher    Key Length
    DES       56 bits
    3DES      168 bits
    AES       Variable (128 bits recommended)

Note that DES requires 8 bytes to form a 56-bit key and 3DES requires 24 bytes to form its 168-bit key. This is because the most significant bit of each byte is ignored by both algorithms.

 

  Creating Security Associations
Before the IPsec flows can be defined, two Security Associations (SAs) must be defined on each end of the VPN, e.g.:

    /* One ESP Security Association per direction (A->B, then B->A).
       SPI_AB/SPI_BA, the external addresses, ENCRYPTION_KEY and
       AUTHENTICATION_KEY are placeholders: use the keys produced under
       "Generating Manual Keys", and the identical SPI/key values on the
       peer gateway, since both SAs must exist on each end.
       -forcetunnel presumably selects tunnel mode — confirm in ipsecadm.
       3DES/SHA-1 are the example algorithms; AES, also in the key-length
       table, is the stronger choice where the build supports it. */
    ipsecadm("new esp -spi SPI_AB -src A_EXTERNAL_IP \
        -dst B_EXTERNAL_IP -forcetunnel -enc 3des -auth sha1 \
        -key ENCRYPTION_KEY \
        -authkey AUTHENTICATION_KEY");

    /* Reverse direction: same options, source and destination swapped,
       and its own SPI. */
    ipsecadm("new esp -spi SPI_BA -src B_EXTERNAL_IP \
        -dst A_EXTERNAL_IP -forcetunnel -enc 3des -auth sha1 \
        -key ENCRYPTION_KEY \
        -authkey AUTHENTICATION_KEY");
  Creating IPsec Flows
Both IPsec gateways need to configure ipsec routes (flows) with the ipsecadm library. Two flows are created on each machine: the first handles outbound traffic, the second is the ingress filter for the incoming security association.
On the security gateway of subnet A:

    /* Outbound flow on gateway A: traffic from A's internal network to B's
       internal network must (-require) use the ESP SA towards B_EXTERNAL_IP;
       -require presumably refuses a match that cannot be protected instead
       of sending it in the clear — confirm in ipsecadm. */
    ipsecadm("flow -out -require -proto esp \
        -src A_EXTERNAL_IP -dst B_EXTERNAL_IP \
        -addr A_INTERNAL_NETWORK B_INTERNAL_NETWORK");
    /* Inbound flow: the ingress filter for the incoming SA. Packets for
       A's internal network claiming to come from B's internal network are
       accepted only when they arrived through that SA (-addr is B then A
       here; -src/-dst keep the A/B order as on the outbound flow). */
    ipsecadm("flow -in -require -proto esp \
        -src A_EXTERNAL_IP -dst B_EXTERNAL_IP \
        -addr B_INTERNAL_NETWORK A_INTERNAL_NETWORK");

On the security gateway of subnet B:

    /* Gateway B is the mirror image of gateway A: external addresses and
       internal networks are swapped in both flows. */
    ipsecadm("flow -out -require -proto esp \
        -src B_EXTERNAL_IP -dst A_EXTERNAL_IP \
        -addr B_INTERNAL_NETWORK A_INTERNAL_NETWORK");
    /* Ingress filter for the SA coming from A. */
    ipsecadm("flow -in -require -proto esp \
        -src B_EXTERNAL_IP -dst A_EXTERNAL_IP \
        -addr A_INTERNAL_NETWORK B_INTERNAL_NETWORK");
  Configuring Firewall Rules
pf needs to be configured such that all packets from the outside are blocked by default. Only successfully IPsec-processed packets (from the enc0 interface) should be allowed to pass.
Additional filter rules may be present for other traffic, though care should be taken that other rules do not allow traffic to bypass the IPsec tunnel. NAT rules can also be used on the enc0 interface.
The pf.filtering rules for a tunnel which uses encryption (the ESP IPsec protocol) on security gateway A might look like this:

     # default deny
     # eth0 is the only interface going to the outside.
     # Both the outside interface and the IPsec pseudo-interface enc0 are
     # closed here; every rule below is an explicit exception to this.
     block in on { enc0, eth0 } all
     block out on { enc0, eth0 } all

     # Passing in encrypted traffic from security gateways
     # NOTE(review): these two rules carry no "on eth0", so they match on any
     # interface; adding "on eth0" would restrict them to the outside link.
     pass in proto esp from B_EXTERNAL_IP to A_EXTERNAL_IP
     pass out proto esp from A_EXTERNAL_IP to B_EXTERNAL_IP

     # Need to allow ipencap traffic on enc0
     # ipencap (IP-in-IP) is presumably how tunnel-mode packets show up on
     # enc0 after decryption — confirm against the IPsec implementation.
     pass in on enc0 proto ipencap from B_EXTERNAL_IP to A_EXTERNAL_IP

     # Passing in traffic from the designated subnets
     # Only on enc0, i.e. only packets that have already been IPsec-processed;
     # the same subnets arriving in the clear on eth0 stay blocked.
     pass in on enc0 from B_INTERNAL_NETWORK to A_INTERNAL_NETWORK
     pass out on enc0 from A_INTERNAL_NETWORK to B_INTERNAL_NETWORK

If an IPv6 VPN is used, rules must be added to pass Neighbor Discovery protocol traffic:

    # Passing ND
    # With the default deny above, IPv6 Neighbor Discovery on the outside
    # interface would be blocked and the gateways could not resolve each
    # other's link-layer addresses; only advertisements and solicitations
    # are opened, not the whole of ICMPv6.
    pass in on eth0 inet6 proto ipv6-icmp all ipv6-icmp-type {neighbradv, neighbrsol}
    pass out on eth0 inet6 proto ipv6-icmp all ipv6-icmp-type {neighbradv, neighbrsol}

EXAMPLE

NOTES

There is a demo available for the Unison and DSPnano VPN which is found in installdir/demos.

SEE ALSO

tcpd_dual, ipsec, ipsecadm, pfctl, pf.filtering
