Building a Virtual Network

Note that the text below was written from the information available at the time of writing and may contain things that no longer fit the current situation. Also, the text is the final submitted manuscript before proofreading, so it differs from what actually appeared in UNIX USER magazine. Typos and omissions are left as they are.

No additions or corrections will be made except for fatal errors, so please use it while bearing the age of the information in mind.

Contents



Part 2 VPN




Part1





Part1LAN
LAN
Firewall
IP

(Virtual Private
Network; VPN)


VPN2
IP
Part2Part1


VPN

VPNVPN
VPN

VPN


()




VPN




VPN

LAN
IP

VPN


VPN

VPN200325 Setting Up FreeBSD 
FreeBSD
VPN 



VPN

Part1



	
			
			

VPN			IP
			2
			



VPNTCP/UDP




VPN

VPNIP
2
VPNPart1TCP/IP

 

---[ ]------------------------------------------------------------
 		[]
 		[|TCP/UDP]
 		[|TCP/UDP|IP]
	[|TCP/UDP|IP|PPP]

%%% 20032P106 2 
----------------------------------------------------------------------


VPN


VPN

(LAN) 

---[ ]------------------------------------------------------------



   +---------+                      +-----------------+
   |NAT(NAPT)|--------      ------|  Global address |
   |   |		Host1Host2	  |  Host-2         |
   +----+----+				  +-----------------+
        |					    10.1.0.1(private)
    ----+---+---+
       +----+----+
       |(Client) |
       |  Host-1 |
       +---------+
         10.2.0.50
	 (private)

20033 Setting Up FreeBSD p105 

----------------------------------------------------------------------


VPN Point to Point 



VPN
(
)
VPN


PPPVPN

PPP(Point to Point Protocol)Ethernet
ATMTCP/UDP VPN
VPN
 "PPP over SSH"  SSH



---[ ]--------------------------------------------------------

"PPP over SSH" SSHTCP/IPVPNSSH
TCPTCP


 cf) http://sites.inka.de/sites/bigred/devel/tcp-tcp.html
       (Why TCP Over TCP Is A Bad Idea)
      20033 p112 VPN

TCP



TCPTCP



 "PPP over SSH" 
(Flets ADSL 1.5Mbps; 500Kbps) 


TCPTCP, UDP 

----------------------------------------------------------------------

SSHSSH
PPP

	 NAPT
	  IP1
	  
	PPPIP(saturn)
	  
	LAN1(venus)
	  SSH

LANVPNLAN-1 Firewall
venusLAN-2saturn PPP over SSH


---[ ]------------------------------------------------------------

        LAN-1                                  LAN-2
 +------------------------+             +---------------------------+
 | Private network        |             |                           |
 |  192.168.1.0/24      +------+        |   +-----------+           |
 |---+--------+------->-|NAPT  |----------->+ Global    |           |
 |   |        |         |Router|----------->+ 10.10.10.1|           |
 |+------+  +-------+   +------+        |   | [saturn]  +           |
 ||other |  |[venus]|     | 10.9.9.1    |   +----|------+           |
 |+------+  +-------+     |             | private|192.168.2.1       |
 |         192.168.1.1    |             |        |192.168.2.0/24    |
 +------------------------+             |  +-----+---+------+       |
                                                     |                  
                                                +----+--+            
                                                |client |               
                                                +-------+ ....           

----------------------------------------------------------------------

	VPNppp
	venussaturnSSH

PPP # 
root

VPN

   vpn (vpn)vpn
   /etc/ppp/vpn 
  

---------NetBSD, Solaris 
	 vpn 
	# groupadd vpn
	  ~~~~~~~~~~~~
	 vpn 
	# useradd -g vpn -d /etc/ppp/vpn vpn
	  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
---------Linux 
	 vpn 
	# groupadd vpn
	  ~~~~~~~~~~~~
	 vpn 
	# useradd -g vpn -M -d /etc/ppp/vpn vpn
	  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
	# mkdir /etc/ppp/vpn
	  ~~~~~~~~~~~~~~~~~~
	# chown vpn /etc/ppp/vpn
	  ~~~~~~~~~~~~~~~~~~~~~~
---------FreeBSD 
	 vpn 
	# pw groupadd vpn
	  ~~~~~~~~~~~~~~~
	 vpn 
	# pw useradd vpn -g vpn -d /etc/ppp/vpn
	  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

   vpn /
  useradd 
   passwd  * 
  

SSHRSA

  (venus) vpn 
  

  venus# su vpn
         ~~~~~~
  venus% ssh-keygen -t dsa -f ~/.ssh/vpn
         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Created directory '/etc/ppp/vpn/.ssh'.
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /etc/ppp/vpn/.ssh/vpn.
Your public key has been saved in /etc/ppp/vpn/.ssh/vpn.pub.
The key fingerprint is:
33:64:a5:3c:ac:05:02:f3:e9:17:42:b1:21:76:5c:f7 vpn@venus

  (~vpn/.ssh/vpn.pub)(saturn)
  ~vpn/.ssh/  authorized_keys ()
   scp 
   

---[ ]------------------------------------------------------------
vpnSSH~vpn/.ssh/known_hosts 
 vpn  scp 
----------------------------------------------------------------------


  venus% scp ~vpn/.ssh/vpn.pub @saturn:
	 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The authenticity of host 'saturn (10.10.10.1)' can't be established.
RSA key fingerprint is 75:f1:28:40:3f:fe:24:54:22:b3:3f:40:9a:cd:02:99.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'saturn,10.10.10.1' (RSA) to the list of known hosts.

  ()
  saturn# su vpn
	  ~~~~~~
  saturn% cd
	  ~~
  saturn% mkdir -m 700 .ssh
	  ~~~~~~~~~~~~~~~~~
  saturn% cat ~/vpn.pub  >> .ssh/authorized_keys
	  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  saturn% chmod 600 .ssh/authorized_keys
	  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
	  (authorized_keys 
	   vpn.pub )

  (venus) vpn (saturn)
  SSH
  

  (vpn)
  venus% ssh -i ~/.ssh/vpn saturn
	 ~~~~~~~~~~~~~~~~~~~~~~~~
NetBSD 1.6Q (SATURN) #0: Wed Apr 2 01:56:16 JST 2003

Welcome to NetBSD!

  % whoami
    ~~~~~~
vpn
  % exit
    ~~~~

  

	SSH
	authorized_keys 

  
  IP(saturn)
  authorized_keys  from="IP" 
  

  (vpn)
  saturn% cd ~/.ssh
  saturn% vi authorized_keys

           +---- from="IP" 
  ---------+-----
  from="10.9.9.1" ssh-dss AAAA...(public key data omitted) vpn@venus

  from= 
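The from= restriction above is only effective if every key in the file carries it. The following script is an added example (it is not part of the original article) that audits the vpn account's authorized_keys on saturn and reports keys without a from= option; the add_from_option helper prepends from="ADDR" to unrestricted lines so the result can be reviewed before it replaces the file. The default path and the script name used in the guard at the end are assumptions.

```sh
#!/bin/sh
# Added example, not from the article: audit authorized_keys for keys that are
# not pinned to a source address with from="...".

# check_authorized_keys FILE
# Lists every key line without a from= option and returns 1 if any was found,
# 0 if all keys carry a from= restriction (comments and blank lines are ignored).
check_authorized_keys() {
    awk '
        /^[ \t]*(#|$)/ { next }
        $0 !~ /(^|[ \t,])from="[^"]+"/ {
            printf("line %d: key %s has no from= restriction\n", NR, $NF)
            bad++
        }
        END { exit (bad > 0) }
    ' "$1"
}

# add_from_option FILE ADDR
# Prints FILE with from="ADDR" prepended to every unrestricted key line.
# Write the output to a temporary file and review it before replacing the original.
add_from_option() {
    awk -v addr="$2" '
        /^[ \t]*(#|$)/ || /(^|[ \t,])from="[^"]+"/ { print; next }
        { print "from=\"" addr "\" " $0 }
    ' "$1"
}

# Only run when invoked as a script named check-authorized-keys (assumed name);
# when the file is sourced the functions are just defined.
case $0 in
    */check-authorized-keys) check_authorized_keys "${1:-$HOME/.ssh/authorized_keys}" ;;
esac
```

Run as the vpn user on saturn: `check_authorized_keys ~/.ssh/authorized_keys`. Since the key exists only to start pppd, the same option list can also carry the standard sshd restrictions `command="/usr/sbin/pppd file vpn-option"`, `no-port-forwarding` and `no-pty`, which limit what the key can do even if it leaks.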



PPP

   "PPP over SSH"  "over SSH" 
  PPPPPPPaul
  Mackerras  pppd (NetBSD, Linux, Solaris) iij-ppp
   FreeBSD user-ppp Unix
  

  PPP pppd  FreeBSD user-ppp( user-ppp) 
  /
  



()

  PPP(COM)
  pppd  user-ppp 
  PPP over SSH  SSH ppp
  

  pppd
  pppdptypty
  
  
  IP(
  /etc/ppp/vpn/vpn-saturn )

----------[ /etc/ppp/vpn/vpn-saturn (2) ]---------------------------
	pty 
	192.168.1.1:192.168.2.1
	----+-----  -----+-----
            |		 saturnIP
	     venusIP
----------------------------------------------------------------------


  pty  
  ppp
  
  
  
  ()IPPPP
  PPP
  

  user-ppp
  user-ppp  /etc/ppp/ppp.conf ppp.conf 
   ppp(8)
  ppp.conf 

	:
	   

   vpn 
  
  ()

	vpn:
	  set device !
	   :
	   :

  
  

	vpn:
            allow user vpn			#  vpn
            set device !		# 
	    set timeout 0			# 
            set log phase chat connect lcp ipcp command # 
            set dial				# chat script 
            set login				# login script 
            set ifaddr 192.168.1.1 192.168.2.1	# 
            set server /var/tmp/loop.2 "" 0177	# pppctl


vpn(pppd)
  
  SSHppp
   pppd pppd
   /etc/ppp/options 1

	privgroup	vpn

  Linuxpppd
  pppd root 
  pppdsuid-root

	# chmod u+s /usr/sbin/pppd

  suid-root  /etc/ppp/options  privgroup 
   vpn  options 
  


PPP()

  pppd
  SSH
  

	()
	saturn# su vpn
		~~~~~~
	saturn% cd
		~~
	saturn% vi vpn-option
		~~~~~~~~~~~~~
	( vpn-option )

	noauth                  # (SSH)
	notty                   # tty


  pppd

	/usr/sbin/pppd file vpn-option

  

  user-ppp
  /etc/ppp/ppp.conf 


	vpn-in: 
		allow user vpn 
		set timeout 0 
		set log phase chat connect lcp ipcp command 
		set escape 0xff 

  pppd

	/usr/sbin/ppp -direct vpn-in

  




  ppp
  PPP pppd  user-ppp 
  
   connect
  

	()
	venus% touch /etc/ppp/vpn/connect
	       ~~~~~~~~~~~~~~~~~~~~~~
	venus% chmod +x /etc/ppp/vpn/connect
	       ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
	venus% vi /etc/ppp/vpn/connect
	       ~~~~~~~~~~~~~~~~~~~~~~~
	()

   pppd 
#!/bin/sh
exec ssh -x -i /etc/ppp/vpn/.ssh/vpn saturn /usr/sbin/pppd file vpn-option

   user-ppp 
#!/bin/sh
exec ssh -x -i /etc/ppp/vpn/.ssh/vpn saturn /usr/sbin/ppp -direct vpn-in

   user-ppp 
  /etc/ppp/ppp.conf  vpn 

	vpn:
	  set device !/etc/ppp/vpn/connect
	      :
	      :

  pppd



  
  pppd

	venus% pppd file /etc/ppp/vpn/vpn-saturn
	       ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

  user-ppp

	venus% ppp -ddial vpn
	       ~~~~~~~~~~~~~~
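The connect script above runs unattended from pppd, so it should never wait on a prompt or accept a host key it has not seen before (the interactive scp earlier is what put saturn into known_hosts). The script below is an added example, not the article's own connect script: it checks the private key permissions and the known_hosts entry first, then execs ssh in batch mode with strict host key checking. The directory layout and host name follow the article; the VPN_HOME/VPN_HOST variables and the assumption that known_hosts is not hashed are mine.

```sh
#!/bin/sh
# Added example, not from the article: a hardened /etc/ppp/vpn/connect.
# Assumes the article's layout: key in /etc/ppp/vpn/.ssh/vpn, server "saturn".
VPN_HOME=${VPN_HOME:-/etc/ppp/vpn}
VPN_HOST=${VPN_HOST:-saturn}

# file_mode FILE: prints the 10-character permission string, e.g. -rw-------
file_mode() { ls -ld "$1" | cut -c1-10; }

# vpn_preflight HOME HOST
# Returns 0 when the private key exists, is unreadable by group/other, and HOST
# already has a known_hosts entry (plain, not hashed, entries are assumed).
vpn_preflight() {
    home=$1; host=$2; rc=0
    key="$home/.ssh/vpn"
    if [ ! -f "$key" ]; then
        echo "missing private key $key" >&2; rc=1
    elif [ "$(file_mode "$key" | cut -c5-10)" != "------" ]; then
        echo "$key is readable by group/other" >&2; rc=1
    fi
    if ! grep -q "^$host[, ]" "$home/.ssh/known_hosts" 2>/dev/null; then
        echo "$host not in $home/.ssh/known_hosts; add it interactively first" >&2; rc=1
    fi
    return $rc
}

# vpn_connect: hand the ssh session to pppd on saturn, never prompting
vpn_connect() {
    vpn_preflight "$VPN_HOME" "$VPN_HOST" || exit 1
    exec ssh -x -i "$VPN_HOME/.ssh/vpn" \
        -o BatchMode=yes -o StrictHostKeyChecking=yes \
        "$VPN_HOST" /usr/sbin/pppd file vpn-option
}

# pppd runs this file as .../connect; when sourced for testing $0 differs
case $0 in */connect) vpn_connect ;; esac
```

With BatchMode=yes a missing key or passphrase fails immediately instead of leaving pppd hung on a prompt, and StrictHostKeyChecking=yes makes a changed or unknown server key a hard error that shows up in the pppd log rather than a silently accepted new key.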

  pppd ppp0 user-ppp tun0 
  (ppp0) 

	venus% ifconfig ppp0
	       ~~~~~~~~~~~~~
ppp0      :Point-to-Point  
          inet:192.168.1.1 P-t-P:192.168.2.1 :255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:31 errors:0 dropped:0 overruns:0 frame:0
          TX packets:35 errors:0 dropped:0 overruns:0 carrier:0
          (Collisions):0 TX:3 
          RX bytes:1350 (1.3 Kb)  TX bytes:1703 (1.6 Kb)

	saturn% ifconfig ppp1
		~~~~~~~~~~~~~
ppp1: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500
        inet 192.168.2.1 -> 192.168.1.1 netmask 0xffffff00
        inet6 fe80::240:45ff:fe04:623%ppp1 ->  prefixlen 64 scopeid 0x4

---[ ]------------------------------------------------------------
pppppp1, ppp2 
----------------------------------------------------------------------

   "PPP over SSH" 
%%%%%% ping 

	venus% ping -c 1 192.168.2.1 
	       ~~~~~~~~~~~~~~~~~~~~
PING 192.168.2.1 (192.168.2.1)  192.168.1.1 : 56(84) bytes of data.
64   192.168.2.1: icmp_seq=0 ttl=255 =9.001

--- 192.168.2.1 ping  ---
 1,  1,  0%
Round-Trip ///mdev = 9.001/9.001/9.001/0.000

	saturn% ping -c 1 192.168.1.1
		~~~~~~~~~~~~~~~~~~~~~
PING 192.168.1.1 (192.168.1.1): 56 data bytes
64 bytes from 192.168.1.1: icmp_seq=0 ttl=64 time=12.935 ms

----192.168.1.1 PING Statistics----
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 12.935/12.935/12.935/0.000 ms




  venussaturn LAN-1  LAN-2 
   

---[ ]------------------------------------------------------------
VPN

  +----- LAN-1 ------+              +------ LAN-2 -----------+
  |  192.168.1.0/24  |		    |    192.168.2.0/24      |
  |                  |		    |                        |
  |  -+-     +-----+ |		    | +---------+      -+-   |
  |   |      |venus| |		    | |saturn   |       |    |
  |   +------+     --------------------         +-------+    |
  |   |      |     --------------------         |       |    |
  |   |      +-----+ |		    | +---------+       |    |
  |   +              |		    |                   |    |
  |   |              |		    |                   |    |
  |   |              |		    |                   +    |
  |                  |		    |                   |    |
  |                  |		    |                        |
  +------------------+		    +------------------------+

----------------------------------------------------------------------

  
  LAN-1  LAN-2 

  LAN-1

	(*BSD, Solaris )
	venus# route add -net 192.168.2.0 -netmask 255.255.255.0 \
		192.168.2.1
	(Linux)
	venus# route add -net 192.168.2.0/24 gw 192.168.2.1

  LAN-2

	(*BSD, Solaris)
	saturn# route add -net 192.168.1.0 -netmask 255.255.255.0 \
		192.168.1.1
	(Linux)
	saturn# route add -net 192.168.1.0/24 gw 192.168.1.1

  ppp
  pppd /etc/ppp/ip-up 
  

	/etc/ppp/ip-up      \
		       IP  IP  \
		       IP

  65user-ppp
   /etc/ppp/ppp.linkup 

	vpn:
	   add  HISADDR

  HISADDRIP
   pppd(8), ppp(8) 
  

  VPN venus, saturn 
  

	FreeBSD, NetBSD
	# sysctl -w net.inet.ip.forwarding=1

	Linux
	# sysctl -w net.ipv4.ip_forward=1
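pppd passes the interface name and both link addresses to /etc/ppp/ip-up, so the route to the other LAN can be installed there instead of by hand. The script below is an added example, not from the article: it builds the route command in the *BSD/Solaris or Linux form shown above, acts only when the remote address is saturn's end of the link, and also knows the forwarding sysctl for each OS. The addresses are the article's; the OS detection with uname and the use of logger are assumptions.

```sh
#!/bin/sh
# Added example, not from the article: /etc/ppp/ip-up hook for the venus side.
# pppd calls it as:  ip-up IFNAME TTY SPEED LOCAL-IP REMOTE-IP IPPARAM
VPN_PEER=192.168.2.1            # saturn's end of the PPP link
VPN_REMOTE_NET=192.168.2.0/24   # LAN-2, reachable through saturn

# prefix_to_mask N: dotted netmask for a /N prefix (BSD route wants -netmask)
prefix_to_mask() {
    p=$1; mask=""
    for _ in 1 2 3 4; do
        if [ "$p" -ge 8 ]; then o=255; p=$((p - 8))
        elif [ "$p" -gt 0 ]; then o=$((256 - (1 << (8 - p)))); p=0
        else o=0; fi
        mask="${mask}${mask:+.}$o"
    done
    echo "$mask"
}

# route_add_cmd OS NET/PREFIX GATEWAY: the route command in that OS's syntax
route_add_cmd() {
    case $1 in
        Linux) echo "route add -net $2 gw $3" ;;
        *)     echo "route add -net ${2%/*} -netmask $(prefix_to_mask "${2#*/}") $3" ;;
    esac
}

# forwarding_cmd OS: the sysctl that lets the VPN endpoint route between the LANs
forwarding_cmd() {
    case $1 in
        Linux) echo "sysctl -w net.ipv4.ip_forward=1" ;;
        *)     echo "sysctl -w net.inet.ip.forwarding=1" ;;
    esac
}

# ip_up IFNAME LOCAL REMOTE: install the LAN-2 route, but only for the VPN link,
# so an unrelated dial-up ppp interface coming up does not touch the table
ip_up() {
    [ "$3" = "$VPN_PEER" ] || return 0
    cmd=$(route_add_cmd "$(uname -s)" "$VPN_REMOTE_NET" "$3")
    logger -t ip-up "$1 up ($2 -> $3): $cmd"
    $cmd
}

# pppd invokes this file directly as .../ip-up; when sourced for testing $0 differs
case $0 in */ip-up) ip_up "$1" "$4" "$5" ;; esac
```

The same file on saturn would use VPN_PEER=192.168.1.1 and VPN_REMOTE_NET=192.168.1.0/24; user-ppp's ppp.linkup with `add ... HISADDR` plays the same role there.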


	-	-	-	-	-	-	-	-	-

PPTPVPN

  PCLAN
  PCUnixPPTP
  PPTP(Point to Point Tunneling Protocol; cf. RFC2637)Microsoft
   MS-Windows 

  LANUnixPPTPWindows
  PPTPPPTP
   PoPToP 


PoPToP

  PoPToP pptpd-1.1.3.tar.gz  
   OS
  Linux

	# tar zxpf pptpd-1.1.3.tar.gz
	  ~~~~~~~~~~~~~~~~~~~~~~~~~~~
	# ./configure --prefix=/usr/local
	  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
	# make all install
	  ~~~~~~~~~~~~~~~~
  FreeBSD ports  net/poptop  make

	# cd /usr/ports/net/poptop
	# make all install

  NetBSD  pkgsrc  net/poptop  make

	# cd /usr/pkgsrc/net/poptop
	# make all install

  NetBSD pkgsrc  PoPToP  pptpd-1.0.1 automake,
  autoconf 
  pptpd-1.1.3 

	# LIBS=-lintl ./configure  configure

  

--[   PoPToP PPTP  ]---------------------

200349 PoPToP  1.1.4-b3/1.1.3-20030409 
remote exploit Linux


cf.) PoPToP PPTP server remotely exploitable buffer overflow
http://archives.neohapsis.com/archives/bugtraq/2003-04/0144.html

1601
read(2)
pptpd-1.1.4-b3 
pptpd-1.1.3-200304-9 

URL Project PoPToP Web
http://sourceforge.net/projects/poptop/ 


Project PoPToP 



----[  ]----------------------------------------------------------
--- ctrlpacket.c.old 1999-12-23 23:43:33.000000000 +0200 
+++ ctrlpacket.c 2003-04-09 18:58:21.000000000 +0300 
      -254,8 +254,8  
         } 
         /* OK, we have (at least) the first 2 bytes, and there is data waiting */ 
         length = htons(*(u_int16_t *) packet); 
- if (length > PPTP_MAX_CTRL_PCKT_SIZE) { 
- syslog(LOG_ERR, "CTRL: Control packet > PPTP_MAX_CTRL_PCKT_SIZE (length =
%d)", length); 
+ if (length <= 10 || length > PPTP_MAX_CTRL_PCKT_SIZE) { 
+ syslog(LOG_ERR, "CTRL: 11 < Control packet (length=%d) < ", length); 
                 /* we loose sync (unless we malloc something big, which isn't a good 
                  * idea - potential DoS) so we must close connection (draft states that 
                  * if you loose sync you must close the control connection immediately) 
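Review bot: the new syslog message on the `+` line does not match the check beside it: `length <= 10` rejects lengths 0..10, while the message reads "11 < Control packet (length=%d) < " with the upper bound left blank after the second `<`. Suggest logging both bounds from the same values the check uses, e.g. `syslog(LOG_ERR, "CTRL: Control packet length %d outside 11..%d", length, PPTP_MAX_CTRL_PCKT_SIZE);`, and giving the literal 10 a named minimum so check and message cannot drift apart. Also, `length = htons(*(u_int16_t *) packet);` converts a value just read from the wire; `ntohs()` is the conventional name for that direction and reads less surprisingly in a bounds check.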
--------------------------------------------------------------------------

---------------------------------------------------------------------------

  PoPToP  PPTP  pptpd pptpd  1723/tcp 
  PPTP pppdPPTP
  pptpd(
  pptpd.conf)pppd(
  options.pptpd)



--------[ /etc/ppp/pptpd.conf ]---------------------------------------
option	/etc/ppp/options.pptpd
----------------------------------------------------------------------

--------[ /etc/ppp/options.pptpd ]------------------------------------
name pptpd			# chap-secrets
proxyarp
+chap
#mppe-128			# mppepppd
#mppe-stateless			# 
#+chapms-v2			# chapmspppd
----------------------------------------------------------------------

  CHAP /etc/ppp/chap-secrets 
  

--------[ /etc/ppp/chap-secrets ]-------------------------------------
#			IP
taro		pptpd		michadameyo	*
----------------------------------------------------------------------


  FreeBSD ports (./configure --with-bsdppp 
  make) user-ppp 
  /etc/ppp/ppp.conf  "pptp" 
  

         pptp:
           set speed sync
           enable chap

   /etc/ppp/ppp.secret 

	 TAB 

  

Windows

  Windows2000/XP 
  
  

---[ ]------------------------------------------------------------


%img img-02.png
----------------------------------------------------------------------

  VPN
---[ ]------------------------------------------------------------
: VPN

%img img-03.png img-04.png
----------------------------------------------------------------------

  ()
  
---[ ]------------------------------------------------------------
: VPN

%img img-05.png img-06.png
----------------------------------------------------------------------

  
  

---[ ]------------------------------------------------------------
: 

%img img-10.png
----------------------------------------------------------------------

   /var/log/messages 
  

 
---[ ]------------------------------------------------------------
mppe
 pppd mppeOS

----------------------------------------------------------------------

Unix

  UnixPPTP
  http://pptpclient.sourceforge.net/
   pptpclient  Linux, FreeBSD, NetBSD  PPTP 
  
  (Linux, NetBSD)

	# tar zxpf ppp-linux-1.2.0.tar.gz
	# cd ppp-linux-1.2.0
	# make all install

  FreeBSD ports/net/pptpclient 

	# cd /usr/ports/net/pptpclient
	# make all install

  pptpclient  pptp PPTP
  (1723/tcp)ppp
  pptp 

	# pptp  PPTP  [pptp]  [ppp]

  ppppppd
  CHAP
  /etc/ppp/chap-secrets PPTP
  (pptpd)chap-secrets 

	taro	*	himitsu		*

  

	# pptp PPTP user taro

  FreeBSD ports  pptp
   user-ppp 
  /etc/ppp/ppp.conf 

	pptpclient:
	  set authname 
	  set authkey  
	  set timeout 0

  

	# pptp PPTP pptpclient

  



--[  VPN Global IP  ]------------

VPN
IPv4

WWWIP

Dynamic DNSwww.
IP
IP
IP
WWW

SMTP


IP

IPVPN
IP
http://www.interlink.or.jp/myip/ PPTP
IPIP


  |                  |
        |                                |A
   +----+------------+                  [+]
   |                 |                   |e.f.g.h
   |                 |                   |     +------------+
   |                 -----------------+  |     |            |
   |               [h.j.k.l]    VPN   |  |     |            |
   |B-------------+   |  |NAPT |            |
   |     |            |   |  |a.b.c.d |
   |                 |            |   |  +[fxp0]            |
   |                 |            |   +---------            |
   |                 |            |     x.y.z.w             |
   |                 |            |     [tun0]              |
   |                 |            +-------------            |
   |                 |                         |            |
   +-----------------+                         +-----+------+
                                                     |    LAN
    IP  a.b.c.d     +------+-+-------+---------+
      IP  x.y.z.w            |         |
                                             [Client PC2]  [Client PC2]....


IP a.b.c.d VPN
 x.y.z.w 


	PPTP
	VPN
	  
	()LAN
	  ()

VPNIP defaultroute 
A(
 e.f.g.h)VPNx.y.z.w 
 defaultroute  e.f.g.h 
A( x.y.z.w)

 x.y.z.w 


 defaultroute VPN
LANVPN
AB

(fxp0)
 x.y.z.w VPN
 IP Filter ipf


	pass out quick on fxp0 to tun0:h.j.k.l from x.y.z.w to any

 FreeBSD IPFW 

	ipfw add fwd h.j.k.l ip from x.y.z.w to any



2
ADSL




--------------------------------------------------------------------------






VPN
LAN


LAN
VPN
VPNVPN


VPNVPN

2Unix





yuuji@gentei.org
Fingerprint16 = FF F9 FF CC E0 FE 5C F7 19 97 28 24 EC 5D 39 BA
HIROSE Yuuji