Unison Help

7.26.3. Virtual Private Network: VPN
NAME
vpn – configuring the system for virtual private networks
DESCRIPTION
A Virtual Private Network (VPN) is used to securely connect two or more subnets over the internet. For each subnet there is a security gateway which is linked via a cryptographically secured tunnel to the security gateway of the other subnet. ipsec is used to provide the necessary network-layer cryptographic services. This document describes the configuration process for setting up a VPN.
Briefly, creating a VPN consists of the following steps:
1. Set up the tcp-server.
2. Create the keys.
3. Create the Security Associations (SA).
4. Create the appropriate IPsec flows.
5. Configure firewall rules appropriately.
6. Enable the packet filter.
- Set up the tcp-server
- To set up the tcp-server for VPN, define the following options in the file “tcpdconfig.h” in the tcp-server project directory:
IP forwarding:
#define IP4_FORWARD 1
#define IP6_FORWARD 1
Packet filter:
#define PACKET_FILTER 1
IP Security:
#define IPSEC_ENABLE 1
When all necessary options are defined, rebuild the tcp-server project.
Also do not forget to enable the ESP and AH protocols in your application code:
    extern int esp_enable;
    extern int ah_enable;
    esp_enable = 1;
    ah_enable = 1;
- Generating Manual Keys
- The shared secret symmetric keys used to create a VPN can be any hexadecimal value, so long as both sides of the connection use the same values. Since the security of the VPN is based on these keys being unguessable, it is very important that the keys be chosen using a strong random source.
Different cipher types may require different sized keys.
    Cipher   Key Length
    DES      56 bits
    3DES     168 bits
    AES      Variable (128 bits recommended)
Note that DES requires 8 bytes to form a 56-bit key and 3DES requires 24 bytes to form its 168-bit key. This is because the most significant bit of each byte is ignored by both algorithms.
- Creating Security Associations
- Before the IPsec flows can be defined, two Security Associations (SAs) must be defined on each end of the VPN, e.g.:
    ipsecadm("new esp -spi SPI_AB -src A_EXTERNAL_IP "
             "-dst B_EXTERNAL_IP -forcetunnel -enc 3des -auth sha1 "
             "-key ENCRYPTION_KEY "
             "-authkey AUTHENTICATION_KEY");
    ipsecadm("new esp -spi SPI_BA -src B_EXTERNAL_IP "
             "-dst A_EXTERNAL_IP -forcetunnel -enc 3des -auth sha1 "
             "-key ENCRYPTION_KEY "
             "-authkey AUTHENTICATION_KEY");
- Creating IPsec Flows
- Both IPsec gateways need to configure IPsec routes (flows) with the ipsecadm library. Two flows are created on each machine: the first carries outbound traffic, the second is the ingress filter for the incoming security association.
On the security gateway of subnet A:
    ipsecadm("flow -out -require -proto esp "
             "-src A_EXTERNAL_IP -dst B_EXTERNAL_IP "
             "-addr A_INTERNAL_NETWORK B_INTERNAL_NETWORK");
    ipsecadm("flow -in -require -proto esp "
             "-src A_EXTERNAL_IP -dst B_EXTERNAL_IP "
             "-addr B_INTERNAL_NETWORK A_INTERNAL_NETWORK");
On the security gateway of subnet B:
    ipsecadm("flow -out -require -proto esp "
             "-src B_EXTERNAL_IP -dst A_EXTERNAL_IP "
             "-addr B_INTERNAL_NETWORK A_INTERNAL_NETWORK");
    ipsecadm("flow -in -require -proto esp "
             "-src B_EXTERNAL_IP -dst A_EXTERNAL_IP "
             "-addr A_INTERNAL_NETWORK B_INTERNAL_NETWORK");
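As an added example (not Unison's own code), the following C helper checks a manual key against the key-length table above and builds the "new esp" SA command and the mirrored outbound/inbound flow commands in the form shown, so that both gateways are configured symmetrically before the strings are handed to ipsecadm(). The function names, the caller's pass-through to ipsecadm(), and acceptance of only 128-bit AES keys are assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Key size in bytes per "-enc" cipher, from the key-length table above
 * (AES is variable; this helper accepts only the recommended 128-bit size). */
static int vpn_key_bytes(const char *enc) {
    if (strcmp(enc, "des") == 0)  return 8;   /* 56-bit key carried in 8 bytes */
    if (strcmp(enc, "3des") == 0) return 24;  /* 168-bit key carried in 24 bytes */
    if (strcmp(enc, "aes") == 0)  return 16;  /* 128 bits recommended */
    return -1;                                /* unknown cipher */
}

/* 1 if s is a non-empty run of n hex digits, else 0. */
static int is_hex(const char *s, size_t n) {
    if (n == 0) return 0;
    for (size_t i = 0; i < n; i++)
        if (!isxdigit((unsigned char)s[i])) return 0;
    return 1;
}

/* 1 if hexkey is hex and exactly the length the cipher needs, else 0. */
int vpn_key_ok(const char *enc, const char *hexkey) {
    int need = vpn_key_bytes(enc);
    return need > 0 && strlen(hexkey) == (size_t)need * 2 &&
           is_hex(hexkey, strlen(hexkey));
}

/* Builds the "new esp" SA command for one direction (src -> dst) into out.
 * Returns the command length, or -1 if a key is malformed or out is too small. */
int vpn_sa_cmd(char *out, size_t cap, const char *spi, const char *src,
               const char *dst, const char *enc, const char *enckey,
               const char *authkey) {
    if (!vpn_key_ok(enc, enckey) || !is_hex(authkey, strlen(authkey))) return -1;
    int n = snprintf(out, cap, "new esp -spi %s -src %s -dst %s -forcetunnel "
                     "-enc %s -auth sha1 -key %s -authkey %s",
                     spi, src, dst, enc, enckey, authkey);
    return (n < 0 || (size_t)n >= cap) ? -1 : n;
}

/* Builds the outbound and inbound flow commands for the gateway whose external
 * address is `me`; the -addr pair is reversed for the inbound (ingress) flow. */
void vpn_flow_cmds(char *out_cmd, char *in_cmd, size_t cap, const char *me,
                   const char *peer, const char *my_net, const char *peer_net) {
    snprintf(out_cmd, cap, "flow -out -require -proto esp -src %s -dst %s "
             "-addr %s %s", me, peer, my_net, peer_net);
    snprintf(in_cmd, cap, "flow -in -require -proto esp -src %s -dst %s "
             "-addr %s %s", me, peer, peer_net, my_net);
}
```

The addresses and keys used to exercise it are constructed placeholders; real keys must come from a strong random source as the text above requires.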
- Configuring Firewall Rules
- pf needs to be configured such that all packets from the outside are blocked by default. Only successfully IPsec-processed packets (from the enc0 interface) should be allowed to pass.
Additional filter rules may be present for other traffic, though care should be taken that other rules do not leak IPsec traffic. NAT rules can also be used on the enc0 interface.
The pf filtering rules for a tunnel which uses encryption (the ESP IPsec protocol) on security gateway A might look like this:
    # default deny
    # eth0 is the only interface going to the outside.
    block in on { enc0, eth0 } all
    block out on { enc0, eth0 } all
    # Passing in encrypted traffic from security gateways
    pass in proto esp from B_EXTERNAL_IP to A_EXTERNAL_IP
    pass out proto esp from A_EXTERNAL_IP to B_EXTERNAL_IP
    # Need to allow ipencap traffic on enc0
    pass in on enc0 proto ipencap from B_EXTERNAL_IP to A_EXTERNAL_IP
    # Passing in traffic from the designated subnets
    pass in on enc0 from B_INTERNAL_NETWORK to A_INTERNAL_NETWORK
    pass out on enc0 from A_INTERNAL_NETWORK to B_INTERNAL_NETWORK
If an IPv6 VPN is used, rules that pass the Neighbor Discovery protocol should be added:
    # Passing ND
    pass in on eth0 inet6 proto ipv6-icmp all ipv6-icmp-type {neighbradv, neighbrsol}
    pass out on eth0 inet6 proto ipv6-icmp all ipv6-icmp-type {neighbradv, neighbrsol}
EXAMPLE
NOTES
There is a demo available for the Unison and DSPnano VPN, which is found in installdir/demos.