# SOME DESCRIPTIVE TITLE # Copyright (C) YEAR The FreeBSD Project # This file is distributed under the same license as the FreeBSD Documentation package. # Vladlen Popolitov , 2025. msgid "" msgstr "" "Project-Id-Version: FreeBSD Documentation VERSION\n" "POT-Creation-Date: 2024-01-17 20:35-0300\n" "PO-Revision-Date: 2025-11-12 04:45+0000\n" "Last-Translator: Vladlen Popolitov \n" "Language-Team: Russian \n" "Language: ru\n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" "Plural-Forms: nplurals=3; plural=n%10==1 && n%100!=11 ? 0 : n%10>=2 && " "n%10<=4 && (n%100<10 || n%100>=20) ? 1 : 2;\n" "X-Generator: Weblate 4.17\n" #. type: Title = #: documentation/content/en/articles/vpn-ipsec/_index.adoc:1 #: documentation/content/en/articles/vpn-ipsec/_index.adoc:10 #, no-wrap msgid "VPN over IPsec" msgstr "VPN через IPsec" #. type: Plain text #: documentation/content/en/articles/vpn-ipsec/_index.adoc:21 msgid "'''" msgstr "'''" #. type: Plain text #: documentation/content/en/articles/vpn-ipsec/_index.adoc:27 msgid "" "Internet Protocol Security (IPsec) is a set of protocols which sit on top of " "the Internet Protocol (IP) layer. It allows two or more hosts to " "communicate in a secure manner by authenticating and encrypting each IP " "packet of a communication session. The FreeBSD IPsec network stack is based " "on the http://www.kame.net/[http://www.kame.net/] implementation and " "supports both IPv4 and IPv6 sessions." msgstr "" "Безопасность интернет-протокола (IPsec) — это набор протоколов, работающих " "поверх уровня интернет-протокола (IP). Он позволяет двум или более узлам " "обмениваться данными безопасным образом, аутентифицируя и шифруя каждый IP-" "пакет сеанса связи. Сетевой стек IPsec в FreeBSD основан на реализации " "http://www.kame.net/[http://www.kame.net/] и поддерживает сеансы как IPv4, " "так и IPv6." #. type: Plain text #: documentation/content/en/articles/vpn-ipsec/_index.adoc:29 msgid "IPsec is comprised of the following sub-protocols:" msgstr "IPsec состоит из следующих подпротоколов:" #. type: Plain text #: documentation/content/en/articles/vpn-ipsec/_index.adoc:31 msgid "" "_Encapsulated Security Payload (ESP)_: this protocol protects the IP packet " "data from third party interference by encrypting the contents using " "symmetric cryptography algorithms such as Blowfish and 3DES." msgstr "" "_Протокол Encapsulated Security Payload (ESP)_: этот протокол защищает " "данные IP-пакета от вмешательства третьих сторон, шифруя содержимое с " "использованием алгоритмов симметричной криптографии, таких как Blowfish и " "3DES." #. type: Plain text #: documentation/content/en/articles/vpn-ipsec/_index.adoc:32 msgid "" "_Authentication Header (AH)_: this protocol protects the IP packet header " "from third party interference and spoofing by computing a cryptographic " "checksum and hashing the IP packet header fields with a secure hashing " "function. This is then followed by an additional header that contains the " "hash, to allow the information in the packet to be authenticated." msgstr "" "_Authentication Header (AH)_: этот протокол защищает заголовок IP-пакета от " "вмешательства третьих сторон и подмены путем вычисления криптографической " "контрольной суммы и хеширования полей заголовка IP-пакета с использованием " "безопасной хеш-функции. Затем следует дополнительный заголовок, содержащий " "хеш, что позволяет аутентифицировать информацию в пакете." #. type: Plain text #: documentation/content/en/articles/vpn-ipsec/_index.adoc:33 msgid "" "_IP Payload Compression Protocol (IPComp_): this protocol tries to increase " "communication performance by compressing the IP payload in order to reduce " "the amount of data sent." msgstr "" "_Протокол сжатия передаваемых данных IP (IPComp — IP Payload Compression " "Protocol)_: этот протокол пытается повысить производительность связи за счёт " "сжатия передаваемых данных IP, чтобы уменьшить объём отправляемых данных." #. type: Plain text #: documentation/content/en/articles/vpn-ipsec/_index.adoc:35 msgid "" "These protocols can either be used together or separately, depending on the " "environment." msgstr "" "Эти протоколы могут использоваться как вместе, так и по отдельности, в " "зависимости от окружения." #. type: Plain text #: documentation/content/en/articles/vpn-ipsec/_index.adoc:40 msgid "" "IPsec supports two modes of operation. The first mode, _Transport Mode_, " "protects communications between two hosts. The second mode, _Tunnel Mode_, " "is used to build virtual tunnels, commonly known as Virtual Private Networks " "(VPNs). Consult man:ipsec[4] for detailed information on the IPsec " "subsystem in FreeBSD." msgstr "" "IPsec поддерживает два режима работы. Первый режим, _Transport Mode_ (" "Транспортный режим), защищает соединение между двумя хостами. Второй режим, " "_Tunnel Mode_ (Туннельный режим), используется для построения виртуальных " "туннелей, обычно известных как Virtual Private Networks (VPN, Виртуальные " "частные сети). Подробную информацию о подсистеме IPsec в FreeBSD можно найти " "в man:ipsec[4]." #. type: Plain text #: documentation/content/en/articles/vpn-ipsec/_index.adoc:42 msgid "" "The article demonstrates the process of setting up an IPsecVPN between a " "home network and a corporate network." msgstr "" "В статье демонстрируется процесс настройки IPsecVPN между домашней сетью и " "корпоративной сетью." #. type: Plain text #: documentation/content/en/articles/vpn-ipsec/_index.adoc:44 msgid "In the example scenario:" msgstr "В примере сценария:" #. type: Plain text #: documentation/content/en/articles/vpn-ipsec/_index.adoc:46 msgid "" "Both sites are connected to the Internet through a gateway that is running " "FreeBSD." msgstr "" "Оба сайта подключены к Интернету через шлюз, на котором работает FreeBSD." #. type: Plain text #: documentation/content/en/articles/vpn-ipsec/_index.adoc:47 msgid "" "The gateway on each network has at least one external IP address. In this " "example, the corporate LAN's external IP address is `172.16.5.4` and the " "home LAN's external IP address is `192.168.1.12`." msgstr "" "Шлюз в каждой сети имеет как минимум один внешний IP-адрес. В этом примере " "внешний IP-адрес корпоративной LAN — `172.16.5.4`, а внешний IP-адрес " "домашней LAN — `192.168.1.12`." #. type: Plain text #: documentation/content/en/articles/vpn-ipsec/_index.adoc:48 msgid "" "The internal addresses of the two networks can be either public or private " "IP addresses. However, the address space must not overlap. In this example, " "the corporate LAN's internal IP address is `10.246.38.1` and the home LAN's " "internal IP address is `10.0.0.5`." msgstr "" "Внутренние адреса двух сетей могут быть как публичными, так и частными IP-" "адресами. Однако их адресные пространства не должны пересекаться. В этом " "примере внутренний IP-адрес корпоративной LAN — `10.246.38.1`, а внутренний " "IP-адрес домашней LAN — `10.0.0.5`." #. type: delimited block . 4 #: documentation/content/en/articles/vpn-ipsec/_index.adoc:53 #, no-wrap msgid "" " corporate home\n" "10.246.38.1/24 -- 172.16.5.4 <--> 192.168.1.12 -- 10.0.0.5/24\n" msgstr "" " corporate home\n" "10.246.38.1/24 -- 172.16.5.4 <--> 192.168.1.12 -- 10.0.0.5/24\n" #. type: Title == #: documentation/content/en/articles/vpn-ipsec/_index.adoc:55 #, no-wrap msgid "Configuring a VPN on FreeBSD" msgstr "Настройка VPN на FreeBSD" #. type: Plain text #: documentation/content/en/articles/vpn-ipsec/_index.adoc:59 msgid "" "To begin, package:security/ipsec-tools[] must be installed from the Ports " "Collection. This software provides a number of applications which support " "the configuration." msgstr "" "Для начала необходимо установить пакет package:security/ipsec-tools[] из " "Коллекции портов. Это программное обеспечение предоставляет ряд приложений, " "поддерживающих настройку." #. type: Plain text #: documentation/content/en/articles/vpn-ipsec/_index.adoc:62 msgid "" "The next requirement is to create two man:gif[4] pseudo-devices which will " "be used to tunnel packets and allow both networks to communicate properly. " "As `root`, run the following command on each gateway:" msgstr "" "Следующее требование — создать два псевдоустройства man:gif[4], которые " "будут использоваться для туннелирования пакетов и обеспечения правильной " "связи между обеими сетями. От имени `root` выполните следующую команду на " "каждом шлюзе:" #. type: delimited block . 4 #: documentation/content/en/articles/vpn-ipsec/_index.adoc:68 #, no-wrap msgid "" "corp-gw# ifconfig gif0 create\n" "corp-gw# ifconfig gif0 10.246.38.1 10.0.0.5\n" "corp-gw# ifconfig gif0 tunnel 172.16.5.4 192.168.1.12\n" msgstr "" "corp-gw# ifconfig gif0 create\n" "corp-gw# ifconfig gif0 10.246.38.1 10.0.0.5\n" "corp-gw# ifconfig gif0 tunnel 172.16.5.4 192.168.1.12\n" #. type: delimited block . 4 #: documentation/content/en/articles/vpn-ipsec/_index.adoc:75 #, no-wrap msgid "" "home-gw# ifconfig gif0 create\n" "home-gw# ifconfig gif0 10.0.0.5 10.246.38.1\n" "home-gw# ifconfig gif0 tunnel 192.168.1.12 172.16.5.4\n" msgstr "" "home-gw# ifconfig gif0 create\n" "home-gw# ifconfig gif0 10.0.0.5 10.246.38.1\n" "home-gw# ifconfig gif0 tunnel 192.168.1.12 172.16.5.4\n" #. type: Plain text #: documentation/content/en/articles/vpn-ipsec/_index.adoc:79 msgid "" "Verify the setup on each gateway, using `ifconfig gif0`. Here is the output " "from the home gateway:" msgstr "" "Проверьте настройку на каждом шлюзе, используя `ifconfig gif0`. Вот вывод с " "домашнего шлюза:" #. type: delimited block . 4 #: documentation/content/en/articles/vpn-ipsec/_index.adoc:86 #, no-wrap msgid "" "gif0: flags=8051 mtu 1280\n" "tunnel inet 172.16.5.4 --> 192.168.1.12\n" "inet6 fe80::2e0:81ff:fe02:5881%gif0 prefixlen 64 scopeid 0x6\n" "inet 10.246.38.1 --> 10.0.0.5 netmask 0xffffff00\n" msgstr "" "gif0: flags=8051 mtu 1280\n" "tunnel inet 172.16.5.4 --> 192.168.1.12\n" "inet6 fe80::2e0:81ff:fe02:5881%gif0 prefixlen 64 scopeid 0x6\n" "inet 10.246.38.1 --> 10.0.0.5 netmask 0xffffff00\n" #. type: Plain text #: documentation/content/en/articles/vpn-ipsec/_index.adoc:89 msgid "Here is the output from the corporate gateway:" msgstr "Вот вывод с корпоративного шлюза:" #. type: delimited block . 4 #: documentation/content/en/articles/vpn-ipsec/_index.adoc:96 #, no-wrap msgid "" "gif0: flags=8051 mtu 1280\n" "tunnel inet 192.168.1.12 --> 172.16.5.4\n" "inet 10.0.0.5 --> 10.246.38.1 netmask 0xffffff00\n" "inet6 fe80::250:bfff:fe3a:c1f%gif0 prefixlen 64 scopeid 0x4\n" msgstr "" "gif0: flags=8051 mtu 1280\n" "tunnel inet 192.168.1.12 --> 172.16.5.4\n" "inet 10.0.0.5 --> 10.246.38.1 netmask 0xffffff00\n" "inet6 fe80::250:bfff:fe3a:c1f%gif0 prefixlen 64 scopeid 0x4\n" #. type: Plain text #: documentation/content/en/articles/vpn-ipsec/_index.adoc:99 msgid "" "Once complete, both internal IP addresses should be reachable using " "man:ping[8]:" msgstr "" "После завершения оба внутренних IP-адреса должны быть доступны с " "использованием man:ping[8]:" #. type: delimited block . 4 #: documentation/content/en/articles/vpn-ipsec/_index.adoc:111 #, no-wrap msgid "" "home-gw# ping 10.0.0.5\n" "PING 10.0.0.5 (10.0.0.5): 56 data bytes\n" "64 bytes from 10.0.0.5: icmp_seq=0 ttl=64 time=42.786 ms\n" "64 bytes from 10.0.0.5: icmp_seq=1 ttl=64 time=19.255 ms\n" "64 bytes from 10.0.0.5: icmp_seq=2 ttl=64 time=20.440 ms\n" "64 bytes from 10.0.0.5: icmp_seq=3 ttl=64 time=21.036 ms\n" "--- 10.0.0.5 ping statistics ---\n" "4 packets transmitted, 4 packets received, 0% packet loss\n" "round-trip min/avg/max/stddev = 19.255/25.879/42.786/9.782 ms\n" msgstr "" "home-gw# ping 10.0.0.5\n" "PING 10.0.0.5 (10.0.0.5): 56 data bytes\n" "64 bytes from 10.0.0.5: icmp_seq=0 ttl=64 time=42.786 ms\n" "64 bytes from 10.0.0.5: icmp_seq=1 ttl=64 time=19.255 ms\n" "64 bytes from 10.0.0.5: icmp_seq=2 ttl=64 time=20.440 ms\n" "64 bytes from 10.0.0.5: icmp_seq=3 ttl=64 time=21.036 ms\n" "--- 10.0.0.5 ping statistics ---\n" "4 packets transmitted, 4 packets received, 0% packet loss\n" "round-trip min/avg/max/stddev = 19.255/25.879/42.786/9.782 ms\n" #. type: delimited block . 4 #: documentation/content/en/articles/vpn-ipsec/_index.adoc:122 #, no-wrap msgid "" "corp-gw# ping 10.246.38.1\n" "PING 10.246.38.1 (10.246.38.1): 56 data bytes\n" "64 bytes from 10.246.38.1: icmp_seq=0 ttl=64 time=28.106 ms\n" "64 bytes from 10.246.38.1: icmp_seq=1 ttl=64 time=42.917 ms\n" "64 bytes from 10.246.38.1: icmp_seq=2 ttl=64 time=127.525 ms\n" "64 bytes from 10.246.38.1: icmp_seq=3 ttl=64 time=119.896 ms\n" "64 bytes from 10.246.38.1: icmp_seq=4 ttl=64 time=154.524 ms\n" "--- 10.246.38.1 ping statistics ---\n" "5 packets transmitted, 5 packets received, 0% packet loss\n" "round-trip min/avg/max/stddev = 28.106/94.594/154.524/49.814 ms\n" msgstr "" "corp-gw# ping 10.246.38.1\n" "PING 10.246.38.1 (10.246.38.1): 56 data bytes\n" "64 bytes from 10.246.38.1: icmp_seq=0 ttl=64 time=28.106 ms\n" "64 bytes from 10.246.38.1: icmp_seq=1 ttl=64 time=42.917 ms\n" "64 bytes from 10.246.38.1: icmp_seq=2 ttl=64 time=127.525 ms\n" "64 bytes from 10.246.38.1: icmp_seq=3 ttl=64 time=119.896 ms\n" "64 bytes from 10.246.38.1: icmp_seq=4 ttl=64 time=154.524 ms\n" "--- 10.246.38.1 ping statistics ---\n" "5 packets transmitted, 5 packets received, 0% packet loss\n" "round-trip min/avg/max/stddev = 28.106/94.594/154.524/49.814 ms\n" #. type: Plain text #: documentation/content/en/articles/vpn-ipsec/_index.adoc:127 msgid "" "As expected, both sides have the ability to send and receive ICMP packets " "from the privately configured addresses. Next, both gateways must be told " "how to route packets in order to correctly send traffic from the networks " "behind each gateway. The following commands will achieve this goal:" msgstr "" "Как и ожидалось, обе стороны имеют возможность отправлять и получать ICMP-" "пакеты с приватно настроенных адресов. Далее, оба шлюза должны быть " "настроены для маршрутизации пакетов, чтобы корректно передавать трафик из " "сетей за каждым шлюзом. Следующие команды позволят достичь этой цели:" #. type: delimited block . 4 #: documentation/content/en/articles/vpn-ipsec/_index.adoc:134 #, no-wrap msgid "" "corp-gw# route add 10.0.0.0 10.0.0.5 255.255.255.0\n" "corp-gw# route add net 10.0.0.0: gateway 10.0.0.5\n" "home-gw# route add 10.246.38.0 10.246.38.1 255.255.255.0\n" "home-gw# route add host 10.246.38.0: gateway 10.246.38.1\n" msgstr "" "corp-gw# route add 10.0.0.0 10.0.0.5 255.255.255.0\n" "corp-gw# route add net 10.0.0.0: gateway 10.0.0.5\n" "home-gw# route add 10.246.38.0 10.246.38.1 255.255.255.0\n" "home-gw# route add host 10.246.38.0: gateway 10.246.38.1\n" #. type: Plain text #: documentation/content/en/articles/vpn-ipsec/_index.adoc:138 msgid "" "Internal machines should be reachable from each gateway as well as from " "machines behind the gateways. Again, use man:ping[8] to confirm:" msgstr "" "Внутренние машины должны быть доступны с каждого шлюза, а также с машин за " "шлюзами. Снова используйте man:ping[8] для проверки:" #. type: delimited block . 4 #: documentation/content/en/articles/vpn-ipsec/_index.adoc:149 #, no-wrap msgid "" "corp-gw# ping -c 3 10.0.0.8\n" "PING 10.0.0.8 (10.0.0.8): 56 data bytes\n" "64 bytes from 10.0.0.8: icmp_seq=0 ttl=63 time=92.391 ms\n" "64 bytes from 10.0.0.8: icmp_seq=1 ttl=63 time=21.870 ms\n" "64 bytes from 10.0.0.8: icmp_seq=2 ttl=63 time=198.022 ms\n" "--- 10.0.0.8 ping statistics ---\n" "3 packets transmitted, 3 packets received, 0% packet loss\n" "round-trip min/avg/max/stddev = 21.870/101.846/198.022/74.001 ms\n" msgstr "" "corp-gw# ping -c 3 10.0.0.8\n" "PING 10.0.0.8 (10.0.0.8): 56 data bytes\n" "64 bytes from 10.0.0.8: icmp_seq=0 ttl=63 time=92.391 ms\n" "64 bytes from 10.0.0.8: icmp_seq=1 ttl=63 time=21.870 ms\n" "64 bytes from 10.0.0.8: icmp_seq=2 ttl=63 time=198.022 ms\n" "--- 10.0.0.8 ping statistics ---\n" "3 packets transmitted, 3 packets received, 0% packet loss\n" "round-trip min/avg/max/stddev = 21.870/101.846/198.022/74.001 ms\n" #. type: delimited block . 4 #: documentation/content/en/articles/vpn-ipsec/_index.adoc:158 #, no-wrap msgid "" "home-gw# ping -c 3 10.246.38.107\n" "PING 10.246.38.1 (10.246.38.107): 56 data bytes\n" "64 bytes from 10.246.38.107: icmp_seq=0 ttl=64 time=53.491 ms\n" "64 bytes from 10.246.38.107: icmp_seq=1 ttl=64 time=23.395 ms\n" "64 bytes from 10.246.38.107: icmp_seq=2 ttl=64 time=23.865 ms\n" "--- 10.246.38.107 ping statistics ---\n" "3 packets transmitted, 3 packets received, 0% packet loss\n" "round-trip min/avg/max/stddev = 21.145/31.721/53.491/12.179 ms\n" msgstr "" "home-gw# ping -c 3 10.246.38.107\n" "PING 10.246.38.1 (10.246.38.107): 56 data bytes\n" "64 bytes from 10.246.38.107: icmp_seq=0 ttl=64 time=53.491 ms\n" "64 bytes from 10.246.38.107: icmp_seq=1 ttl=64 time=23.395 ms\n" "64 bytes from 10.246.38.107: icmp_seq=2 ttl=64 time=23.865 ms\n" "--- 10.246.38.107 ping statistics ---\n" "3 packets transmitted, 3 packets received, 0% packet loss\n" "round-trip min/avg/max/stddev = 21.145/31.721/53.491/12.179 ms\n" #. type: Plain text #: documentation/content/en/articles/vpn-ipsec/_index.adoc:163 msgid "" "At this point, traffic is flowing between the networks encapsulated in a gif " "tunnel but without any encryption. Next, use IPSec to encrypt traffic using " "pre-shared keys (PSK). Other than the IP addresses, " "[.filename]#/usr/local/etc/racoon/racoon.conf# on both gateways will be " "identical and look similar to:" msgstr "" "На этом этапе трафик передаётся между сетями, инкапсулированный в туннель " "gif, но без какого-либо шифрования. Далее используйте IPSec для шифрования " "трафика с использованием предварительно согласованных ключей (PSK). За " "исключением IP-адресов, файл [.filename]#/usr/local/etc/racoon/racoon.conf# " "на обоих шлюзах будет идентичным и выглядеть примерно так:" #. type: delimited block . 4 #: documentation/content/en/articles/vpn-ipsec/_index.adoc:168 #, no-wrap msgid "" "path pre_shared_key \"/usr/local/etc/racoon/psk.txt\"; #location of " "pre-shared key file\n" "log debug;\t#log verbosity setting: set to 'notify' when testing and " "debugging is complete\n" msgstr "" "path pre_shared_key \"/usr/local/etc/racoon/psk.txt\"; #location of pre-" "shared key file\n" "log debug;\t#log verbosity setting: set to 'notify' when testing and " "debugging is complete\n" #. type: delimited block . 4 #: documentation/content/en/articles/vpn-ipsec/_index.adoc:176 #, no-wrap msgid "" "padding\t# options are not to be changed\n" "{\n" " maximum_length 20;\n" " randomize off;\n" " strict_check off;\n" " exclusive_tail off;\n" "}\n" msgstr "" "padding\t# options are not to be changed\n" "{\n" " maximum_length 20;\n" " randomize off;\n" " strict_check off;\n" " exclusive_tail off;\n" "}\n" #. type: delimited block . 4 #: documentation/content/en/articles/vpn-ipsec/_index.adoc:186 #, no-wrap msgid "" "timer\t# timing options. change as needed\n" "{\n" " counter 5;\n" " interval 20 sec;\n" " persend 1;\n" "# natt_keepalive 15 sec;\n" " phase1 30 sec;\n" " phase2 15 sec;\n" "}\n" msgstr "" "timer\t# timing options. change as needed\n" "{\n" " counter 5;\n" " interval 20 sec;\n" " persend 1;\n" "# natt_keepalive 15 sec;\n" " phase1 30 sec;\n" " phase2 15 sec;\n" "}\n" #. type: delimited block . 4 #: documentation/content/en/articles/vpn-ipsec/_index.adoc:192 #, no-wrap msgid "" "listen\t# address [port] that racoon will listen on\n" "{\n" " isakmp 172.16.5.4 [500];\n" " isakmp_natt 172.16.5.4 [4500];\n" "}\n" msgstr "" "listen\t# address [port] that racoon will listen on\n" "{\n" " isakmp 172.16.5.4 [500];\n" " isakmp_natt 172.16.5.4 [4500];\n" "}\n" #. type: delimited block . 4 #: documentation/content/en/articles/vpn-ipsec/_index.adoc:205 #, no-wrap msgid "" "remote 192.168.1.12 [500]\n" "{\n" " exchange_mode main,aggressive;\n" " doi ipsec_doi;\n" " situation identity_only;\n" " my_identifier address 172.16.5.4;\n" " peers_identifier address 192.168.1.12;\n" " lifetime time 8 hour;\n" " passive off;\n" " proposal_check obey;\n" "# nat_traversal off;\n" " generate_policy off;\n" msgstr "" "remote 192.168.1.12 [500]\n" "{\n" " exchange_mode main,aggressive;\n" " doi ipsec_doi;\n" " situation identity_only;\n" " my_identifier address 172.16.5.4;\n" " peers_identifier address 192.168.1.12;\n" " lifetime time 8 hour;\n" " passive off;\n" " proposal_check obey;\n" "# nat_traversal off;\n" " generate_policy off;\n" #. type: delimited block . 4 #: documentation/content/en/articles/vpn-ipsec/_index.adoc:214 #, no-wrap msgid "" " proposal {\n" " encryption_algorithm blowfish;\n" " hash_algorithm md5;\n" " authentication_method pre_shared_key;\n" " lifetime time 30 sec;\n" " dh_group 1;\n" " }\n" "}\n" msgstr "" " proposal {\n" " encryption_algorithm blowfish;\n" " hash_algorithm md5;\n" " authentication_method pre_shared_key;\n" " lifetime time 30 sec;\n" " dh_group 1;\n" " }\n" "}\n" #. type: delimited block . 4 #: documentation/content/en/articles/vpn-ipsec/_index.adoc:223 #, no-wrap msgid "" "sainfo (address 10.246.38.0/24 any address 10.0.0.0/24 any)\t# address " "$network/$netmask $type address $network/$netmask $type ( $type being any or " "esp)\n" "{\t\t\t\t\t\t\t\t# $network must be the two internal networks you are " "joining.\n" " pfs_group 1;\n" " lifetime time 36000 sec;\n" " encryption_algorithm blowfish,3des;\n" " authentication_algorithm hmac_md5,hmac_sha1;\n" " compression_algorithm deflate;\n" "}\n" msgstr "" "sainfo (address 10.246.38.0/24 any address 10.0.0.0/24 any)\t# address $" "network/$netmask $type address $network/$netmask $type ( $type being any or " "esp)\n" "{\t\t\t\t\t\t\t\t# $network must be the two internal networks you are " "joining.\n" " pfs_group 1;\n" " lifetime time 36000 sec;\n" " encryption_algorithm blowfish,3des;\n" " authentication_algorithm hmac_md5,hmac_sha1;\n" " compression_algorithm deflate;\n" "}\n" #. type: Plain text #: documentation/content/en/articles/vpn-ipsec/_index.adoc:226 msgid "" "For descriptions of each available option, refer to the manual page for " "[.filename]#racoon.conf#." msgstr "" "Для описания каждой доступной опции обратитесь к справочной странице [." "filename]#racoon.conf#." #. type: Plain text #: documentation/content/en/articles/vpn-ipsec/_index.adoc:228 msgid "" "The Security Policy Database (SPD) needs to be configured so that FreeBSD " "and racoon are able to encrypt and decrypt network traffic between the " "hosts." msgstr "" "База данных политики безопасности (SPD) должна быть настроена таким образом, " "чтобы FreeBSD и racoon могли шифровать и расшифровывать сетевой трафик между " "узлами." #. type: Plain text #: documentation/content/en/articles/vpn-ipsec/_index.adoc:231 msgid "" "This can be achieved with a shell script, similar to the following, on the " "corporate gateway. This file will be used during system initialization and " "should be saved as [.filename]#/usr/local/etc/racoon/setkey.conf#." msgstr "" "Это может быть реализовано с помощью shell-скрипта, подобного приведённому " "ниже, на корпоративном шлюзе. Этот файл будет использоваться при " "инициализации системы и должен быть сохранён как [.filename]#/usr/local/etc/" "racoon/setkey.conf#." #. type: delimited block . 4 #: documentation/content/en/articles/vpn-ipsec/_index.adoc:239 #, no-wrap msgid "" "flush;\n" "spdflush;\n" "# To the home network\n" "spdadd 10.246.38.0/24 10.0.0.0/24 any -P out ipsec " "esp/tunnel/172.16.5.4-192.168.1.12/use;\n" "spdadd 10.0.0.0/24 10.246.38.0/24 any -P in ipsec " "esp/tunnel/192.168.1.12-172.16.5.4/use;\n" msgstr "" "flush;\n" "spdflush;\n" "# To the home network\n" "spdadd 10.246.38.0/24 10.0.0.0/24 any -P out ipsec esp/tunnel/172.16.5.4-192." "168.1.12/use;\n" "spdadd 10.0.0.0/24 10.246.38.0/24 any -P in ipsec esp/tunnel/192.168.1.12-172" ".16.5.4/use;\n" #. type: Plain text #: documentation/content/en/articles/vpn-ipsec/_index.adoc:242 msgid "" "Once in place, racoon may be started on both gateways using the following " "command:" msgstr "" "После настройки racoon может быть запущен на обоих шлюзах с помощью " "следующей команды:" #. type: delimited block . 4 #: documentation/content/en/articles/vpn-ipsec/_index.adoc:246 #, no-wrap msgid "" "# /usr/local/sbin/racoon -F -f /usr/local/etc/racoon/racoon.conf -l " "/var/log/racoon.log\n" msgstr "" "# /usr/local/sbin/racoon -F -f /usr/local/etc/racoon/racoon.conf -l /var/log/" "racoon.log\n" #. type: Plain text #: documentation/content/en/articles/vpn-ipsec/_index.adoc:249 msgid "The output should be similar to the following:" msgstr "Вывод должен быть похож на следующий:" #. type: delimited block . 4 #: documentation/content/en/articles/vpn-ipsec/_index.adoc:264 #, no-wrap msgid "" "corp-gw# /usr/local/sbin/racoon -F -f /usr/local/etc/racoon/racoon.conf\n" "Foreground mode.\n" "2006-01-30 01:35:47: INFO: begin Identity Protection mode.\n" "2006-01-30 01:35:48: INFO: received Vendor ID: KAME/racoon\n" "2006-01-30 01:35:55: INFO: received Vendor ID: KAME/racoon\n" "2006-01-30 01:36:04: INFO: ISAKMP-SA established " "172.16.5.4[500]-192.168.1.12[500] spi:623b9b3bd2492452:7deab82d54ff704a\n" "2006-01-30 01:36:05: INFO: initiate new phase 2 negotiation: " "172.16.5.4[0]192.168.1.12[0]\n" "2006-01-30 01:36:09: INFO: IPsec-SA established: ESP/Tunnel " "192.168.1.12[0]->172.16.5.4[0] spi=28496098(0x1b2d0e2)\n" "2006-01-30 01:36:09: INFO: IPsec-SA established: ESP/Tunnel " "172.16.5.4[0]->192.168.1.12[0] spi=47784998(0x2d92426)\n" "2006-01-30 01:36:13: INFO: respond new phase 2 negotiation: " "172.16.5.4[0]192.168.1.12[0]\n" "2006-01-30 01:36:18: INFO: IPsec-SA established: ESP/Tunnel " "192.168.1.12[0]->172.16.5.4[0] spi=124397467(0x76a279b)\n" "2006-01-30 01:36:18: INFO: IPsec-SA established: ESP/Tunnel " "172.16.5.4[0]->192.168.1.12[0] spi=175852902(0xa7b4d66)\n" msgstr "" "corp-gw# /usr/local/sbin/racoon -F -f /usr/local/etc/racoon/racoon.conf\n" "Foreground mode.\n" "2006-01-30 01:35:47: INFO: begin Identity Protection mode.\n" "2006-01-30 01:35:48: INFO: received Vendor ID: KAME/racoon\n" "2006-01-30 01:35:55: INFO: received Vendor ID: KAME/racoon\n" "2006-01-30 01:36:04: INFO: ISAKMP-SA established 172.16.5.4[500]-192.168.1." "12[500] spi:623b9b3bd2492452:7deab82d54ff704a\n" "2006-01-30 01:36:05: INFO: initiate new phase 2 negotiation: 172.16.5.4[0]192" ".168.1.12[0]\n" "2006-01-30 01:36:09: INFO: IPsec-SA established: ESP/Tunnel 192.168.1." "12[0]->172.16.5.4[0] spi=28496098(0x1b2d0e2)\n" "2006-01-30 01:36:09: INFO: IPsec-SA established: ESP/Tunnel 172.16.5." "4[0]->192.168.1.12[0] spi=47784998(0x2d92426)\n" "2006-01-30 01:36:13: INFO: respond new phase 2 negotiation: 172.16.5.4[0]192." "168.1.12[0]\n" "2006-01-30 01:36:18: INFO: IPsec-SA established: ESP/Tunnel 192.168.1." "12[0]->172.16.5.4[0] spi=124397467(0x76a279b)\n" "2006-01-30 01:36:18: INFO: IPsec-SA established: ESP/Tunnel 172.16.5." "4[0]->192.168.1.12[0] spi=175852902(0xa7b4d66)\n" #. type: Plain text #: documentation/content/en/articles/vpn-ipsec/_index.adoc:268 msgid "" "To ensure the tunnel is working properly, switch to another console and use " "man:tcpdump[1] to view network traffic using the following command. Replace " "`em0` with the network interface card as required:" msgstr "" "Чтобы убедиться, что туннель работает правильно, переключитесь на другую " "консоль и используйте man:tcpdump[1] для просмотра сетевого трафика с " "помощью следующей команды. Замените `em0` на требуемую сетевую интерфейсную " "карту:" #. type: delimited block . 4 #: documentation/content/en/articles/vpn-ipsec/_index.adoc:272 #, no-wrap msgid "corp-gw# tcpdump -i em0 host 172.16.5.4 and dst 192.168.1.12\n" msgstr "corp-gw# tcpdump -i em0 host 172.16.5.4 and dst 192.168.1.12\n" #. type: Plain text #: documentation/content/en/articles/vpn-ipsec/_index.adoc:276 msgid "" "Data similar to the following should appear on the console. If not, there " "is an issue and debugging the returned data will be required." msgstr "" "На консоли должны появиться данные, аналогичные следующим. Если этого не " "произошло, возникла проблема, и потребуется отладка возвращённых данных." #. type: delimited block . 4 #: documentation/content/en/articles/vpn-ipsec/_index.adoc:282 #, no-wrap msgid "" "01:47:32.021683 IP corporatenetwork.com > 192.168.1.12.privatenetwork.com: " "ESP(spi=0x02acbf9f,seq=0xa)\n" "01:47:33.022442 IP corporatenetwork.com > 192.168.1.12.privatenetwork.com: " "ESP(spi=0x02acbf9f,seq=0xb)\n" "01:47:34.024218 IP corporatenetwork.com > 192.168.1.12.privatenetwork.com: " "ESP(spi=0x02acbf9f,seq=0xc)\n" msgstr "" "01:47:32.021683 IP corporatenetwork.com > 192.168.1.12.privatenetwork.com: " "ESP(spi=0x02acbf9f,seq=0xa)\n" "01:47:33.022442 IP corporatenetwork.com > 192.168.1.12.privatenetwork.com: " "ESP(spi=0x02acbf9f,seq=0xb)\n" "01:47:34.024218 IP corporatenetwork.com > 192.168.1.12.privatenetwork.com: " "ESP(spi=0x02acbf9f,seq=0xc)\n" #. type: Plain text #: documentation/content/en/articles/vpn-ipsec/_index.adoc:288 msgid "" "At this point, both networks should be available and seem to be part of the " "same network. Most likely both networks are protected by a firewall. To " "allow traffic to flow between them, rules need to be added to pass packets. " "For the man:ipfw[8] firewall, add the following lines to the firewall " "configuration file:" msgstr "" "На этом этапе обе сети должны быть доступны и казаться частью одной сети. " "Скорее всего, обе сети защищены межсетевым экраном. Чтобы разрешить передачу " "трафика между ними, необходимо добавить правила для пропуска пакетов. Для " "межсетевого экрана man:ipfw[8] добавьте следующие строки в файл конфигурации " "межсетевого экрана:" #. type: delimited block . 4 #: documentation/content/en/articles/vpn-ipsec/_index.adoc:295 #, no-wrap msgid "" "ipfw add 00201 allow log esp from any to any\n" "ipfw add 00202 allow log ah from any to any\n" "ipfw add 00203 allow log ipencap from any to any\n" "ipfw add 00204 allow log udp from any 500 to any\n" msgstr "" "ipfw add 00201 allow log esp from any to any\n" "ipfw add 00202 allow log ah from any to any\n" "ipfw add 00203 allow log ipencap from any to any\n" "ipfw add 00204 allow log udp from any 500 to any\n" #. type: delimited block = 4 #: documentation/content/en/articles/vpn-ipsec/_index.adoc:300 msgid "" "The rule numbers may need to be altered depending on the current host " "configuration." msgstr "" "Номера правил могут потребовать изменения в зависимости от текущей " "конфигурации хоста." #. type: Plain text #: documentation/content/en/articles/vpn-ipsec/_index.adoc:303 msgid "" "For users of man:pf[4] or man:ipf[8], the following rules should do the " "trick:" msgstr "" "Для пользователей man:pf[4] или man:ipf[8] должны сработать следующие " "правила:" #. type: delimited block . 4 #: documentation/content/en/articles/vpn-ipsec/_index.adoc:316 #, no-wrap msgid "" "pass in quick proto esp from any to any\n" "pass in quick proto ah from any to any\n" "pass in quick proto ipencap from any to any\n" "pass in quick proto udp from any port = 500 to any port = 500\n" "pass in quick on gif0 from any to any\n" "pass out quick proto esp from any to any\n" "pass out quick proto ah from any to any\n" "pass out quick proto ipencap from any to any\n" "pass out quick proto udp from any port = 500 to any port = 500\n" "pass out quick on gif0 from any to any\n" msgstr "" "pass in quick proto esp from any to any\n" "pass in quick proto ah from any to any\n" "pass in quick proto ipencap from any to any\n" "pass in quick proto udp from any port = 500 to any port = 500\n" "pass in quick on gif0 from any to any\n" "pass out quick proto esp from any to any\n" "pass out quick proto ah from any to any\n" "pass out quick proto ipencap from any to any\n" "pass out quick proto udp from any port = 500 to any port = 500\n" "pass out quick on gif0 from any to any\n" #. type: Plain text #: documentation/content/en/articles/vpn-ipsec/_index.adoc:319 msgid "" "Finally, to allow the machine to start support for the VPN during system " "initialization, add the following lines to [.filename]#/etc/rc.conf#:" msgstr "" "Наконец, чтобы включить поддержку VPN при загрузке системы, добавьте " "следующие строки в [.filename]#/etc/rc.conf#:" #. type: delimited block . 4 #: documentation/content/en/articles/vpn-ipsec/_index.adoc:326 #, no-wrap msgid "" "ipsec_enable=\"YES\"\n" "ipsec_program=\"/usr/local/sbin/setkey\"\n" "ipsec_file=\"/usr/local/etc/racoon/setkey.conf\" # allows setting up spd " "policies on boot\n" "racoon_enable=\"yes\"\n" msgstr "" "ipsec_enable=\"YES\"\n" "ipsec_program=\"/usr/local/sbin/setkey\"\n" "ipsec_file=\"/usr/local/etc/racoon/setkey.conf\" # allows setting up spd " "policies on boot\n" "racoon_enable=\"yes\"\n"