tag:blogger.com,1999:blog-3502325466054494242011-08-12T12:48:36.232-07:00Online personality slackware notebookangereminohttp://www.blogger.com/profile/07909387683643703519noreply@blogger.comBlogger141100tag:blogger.com,1999:blog-350232546605449424.post-86552333145813363752011-05-30T05:13:00.001-07:002011-05-30T05:13:35.129-07:00Example syntax for Secure Copy (scp)<br />What is Secure Copy?<br /><br />scp allows files to be copied to, from, or between different hosts. It uses ssh for data transfer and provides the same authentication and same level of security as ssh.<br />Examples<br />Copy the file "foobar.txt" from a remote host to the local host<br /><br /> $ scp your_username@remotehost.edu:foobar.txt /some/local/directory <br /><br />Copy the file "foobar.txt" from the local host to a remote host<br /><br /> $ scp foobar.txt your_username@remotehost.edu:/some/remote/directory <br /><br />Copy the directory "foo" from the local host to a remote host's directory "bar"<br /><br /> $ scp -r foo your_username@remotehost.edu:/some/remote/directory/bar <br /><br />Copy the file "foobar.txt" from remote host "rh1.edu" to remote host "rh2.edu"<br /><br /> $ scp your_username@rh1.edu:/some/remote/directory/foobar.txt \<br /> your_username@rh2.edu:/some/remote/directory/ <br /><br />Copying the files "foo.txt" and "bar.txt" from the local host to your home directory on the remote host<br /><br /> $ scp foo.txt bar.txt your_username@remotehost.edu:~ <br /><br />Copy multiple files from the remote host to your current directory on the local host<br /><br /> $ scp your_username@remotehost.edu:/some/remote/directory/\{a,b,c\} . <br /><br /> $ scp your_username@remotehost.edu:~/\{foo.txt,bar.txt\} . <br /><br />scp Performance<br /><br />By default scp uses the Triple-DES cipher to encrypt the data being sent. Using the Blowfish cipher has been shown to increase speed. This can be done by using option -c blowfish in the command line.<br /><br /> $ scp -c blowfish some_file your_username@remotehost.edu:~ <br /><br />It is often suggested that the -C option for compression should also be used to increase speed. The effect of compression, however, will only significantly increase speed if your connection is very slow. Otherwise it may just be adding extra burden to the CPU. An example of using blowfish and compression:<br /><br /> $ scp -c blowfish -C local_file your_username@remotehost.edu:~<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/350232546605449424-8655233314581336375?l=5lackware.blogspot.com' alt='' /></div>angereminohttp://www.blogger.com/profile/07909387683643703519noreply@blogger.com0tag:blogger.com,1999:blog-350232546605449424.post-74806648574744331082011-05-24T06:35:00.000-07:002011-05-24T06:51:53.748-07:00in this section we learn how to install MRTG program that help us to see network devices how use bandwidth,CPU usage ....<br />we need to configure and run 3 service that work directly by Mrtg : apache web server -running SNMP at least a password between MRTG <==(Community)==> SNMP that call it community!<br />------------------------------------<br />Step I <br /><br />for running apache web server :<br />1)chmod +x /etc/rc.d/rc.httpd<br />2) /etc/rc.d/rc.httpd start<br />3) ps -A | grep httpd <== check truely running<br />-------------------------------------<br />Step II <br /> in this step running SNMP ( Simple Network Monitoring Protocol )<br />on command line Write : <br />1)snmpconf push Enter<br />1.a-chose 1 (snmpd.conf)<br />1.b-chose 1 (Access control Setup)<br />1.c-chose 3 (snmp V1/V2 Read only community )<br />{tell which IP can access snmp : 127.0.0.1}<br />1.d- chose OIO and enter <br />for exit this part : finished,finished and Quit<br /> now Move snmp.conf /etc/snmp<br />mv snmp.conf /etc/snmp<br />chmod +x /etc/rc.d/rc.snmpd<br />/etc/rc.d/rc.snmpd start <br />ps -A | grep snmp<br />------------------------------------------------<br />Step III<br />Install MRTG with Source and compile it ;)<br />1-download it<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/350232546605449424-7480664857474433108?l=5lackware.blogspot.com' alt='' /></div>angereminohttp://www.blogger.com/profile/07909387683643703519noreply@blogger.com0tag:blogger.com,1999:blog-350232546605449424.post-84352278845239336222011-05-18T02:02:00.000-07:002011-05-18T02:04:31.812-07:00really simple :<br />Install "uTorrent" on terminal<br /><br /> <br />1. get the file:<br />wget http://download.utorrent.com/linux/utorrent-server-3.0-25053.tar.gz<br /> <br />2. extract it<br />tar zxvf utorrent-server-3.0-25053.tar.gz<br /> <br />3. go into the folder created<br />cd utorrent-server-3.0-21701<br /> <br />4. run the program<br />./utserver<br /> <br />5. open a website to the machine on port 8080<br />http://someip:8080/gui/<br /> <br />6. u:admin pass: by default does not have<br />Enjoy it<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/350232546605449424-8435227884523933622?l=5lackware.blogspot.com' alt='' /></div>angereminohttp://www.blogger.com/profile/07909387683643703519noreply@blogger.com1tag:blogger.com,1999:blog-350232546605449424.post-49300546877746366632009-10-06T11:26:00.000-07:002009-10-06T11:27:05.222-07:00http://www.slackbasics.org/html-singlepage/slackware-basics.html#chap-procmgmt<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/350232546605449424-4930054687774636663?l=5lackware.blogspot.com' alt='' /></div>angereminohttp://www.blogger.com/profile/07909387683643703519noreply@blogger.com0tag:blogger.com,1999:blog-350232546605449424.post-34098583820185170152009-10-06T08:40:00.001-07:002009-10-06T08:40:35.099-07:00# iptraf - a command line tool, Interactive Colorful IP LAN Monitor<br /># netstat - a command line tool, print network connections, routing tables, interface statistics, masquerade connections, and multicast memberships<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/350232546605449424-3409858382018517015?l=5lackware.blogspot.com' alt='' /></div>angereminohttp://www.blogger.com/profile/07909387683643703519noreply@blogger.com0tag:blogger.com,1999:blog-350232546605449424.post-83776384647967684932009-10-06T08:33:00.001-07:002009-10-06T08:33:50.345-07:00# netconfig - A menu based program that will help in configuring your network.<br /># pppsetup - A menu based program that helps in connecting to the Internet via a dial up modem.<br /># xwmconfig - Choose your default window manager.<br /># liloconfig - Setup and install LiLO to the boot drive.<br /># xorgcfg - Setup the configuration for X Windows. It will automatically generate the xorg.conf file which is saved in the /etc/X11/ directory.<br /># alsaconf - Automatically detects the sound cards and configures the sound.<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/350232546605449424-8377638464796768493?l=5lackware.blogspot.com' alt='' /></div>angereminohttp://www.blogger.com/profile/07909387683643703519noreply@blogger.com0tag:blogger.com,1999:blog-350232546605449424.post-13546971376726894672009-09-13T01:11:00.000-07:002009-09-13T01:13:00.171-07:00part I Windows VNC Injection :<br /><br />i all,<br /><br />When using a VNC Injection payload, and obtaining a full access on the<br />victim machine after an exploit, a command shell is spawned on the<br />remote machine with a pretty visible blue background. Is there anyway<br />to stop this ?. I tried modifying the following code in<br />framework\modules\payloads\stages\windows\vncinject.rb<br /><br />register_advanced_options(<br /> [<br /> OptBool.new('DisableCourtesyShell',<br /> [<br /> false,<br /> "Disables the Metasploit Courtesy shell",<br /> false<br /> ])<br /> ], VncInject)<br /><br />changing false parametres to true offcourse, but i cannot seem to hide<br />the command shell.<br />Any ideas ?<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/350232546605449424-1354697137672689467?l=5lackware.blogspot.com' alt='' /></div>angereminohttp://www.blogger.com/profile/07909387683643703519noreply@blogger.com0tag:blogger.com,1999:blog-350232546605449424.post-76875804995522655082009-08-13T06:03:00.001-07:002011-04-23T05:54:39.099-07:00TCPDUMP USE<span style="font-weight:bold;"><br />The following will record all raw traffic to a dump file for latter analysis. The -s 0 option specifies that the full packet should be saved without truncation; the -v option will report every 10 seconds the number of packets captured so far. <br />tcpdump -i eth0 -s 0 -v -w traffic.pcap<br />The following tcpdump example will dump raw binary Yahoo IM traffic to stdout. Note the '-w -' option to write binary to stdout. <br />tcpdump -i eth0 -n -l -w - "port mmcc"<br />This will dump Yahoo IM with filtering of unreadable binary characters. Note the -A, -q, and -s 0 options are used to filter and dump ASCII data. The -l option sets line-buffered output. You may also remove the -t option if you would like to see timestamps on each packet. <br />tcpdump -i eth0 -l -t -A -q -s 0 "port mmcc"<br />You may sometimes get a Permission denied error when working with tcpdump. This is probably caused by AppArmor. You can check by running this command: <br />grep tcpdump /sys/kernel/security/apparmor/profiles<br />If you see tcpdump in that file then you can set AppArmor to just complain instead of block by running the following: <br />aa-complain /usr/sbin/tcpdump<br />The following will dump mail traffic. <br />tcpdump -i eth0 -l -t -A -q -s 0 "port 25 or port 587 or port 110 or port 143"</span><br /><br /><br /><br />To display the Standard TCPdump output:<br /><br />#tcpdump<br />tcpdump: verbose output suppressed, use -v or -vv for full protocol decode<br />listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes<br /><br />21:57:29.004426 IP 192.168.1.2.1034 > valve-68-142-64-164.phx3.llnw.net.27014: UDP, length 53<br />21:57:31.228013 arp who-has 192.168.1.2 tell 192.168.1.1<br />21:57:31.228020 arp reply 192.168.1.2 is-at 00:04:75:22:22:22 (oui Unknown)<br />21:57:38.035382 IP 192.168.1.2.1034 > valve-68-142-64-164.phx3.llnw.net.27014: UDP, length 53<br />21:57:38.613206 IP valve-68-142-64-164.phx3.llnw.net.27014 > 192.168.1.2.1034: UDP, length 36<br /><br />To display the verbose output:<br /><br />#tcpdump -v<br />tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes<br /><br />22:00:11.625995 IP (tos 0x0, ttl 128, id 30917, offset 0, flags [none], proto: UDP (17), length: 81) 192.168.1.2.1034 > valve-68-142-64-164.phx3.llnw.net.27014: UDP, length 53<br />22:00:20.691903 IP (tos 0x0, ttl 128, id 31026, offset 0, flags [none], proto: UDP (17), length: 81) 192.168.1.2.1034 > valve-68-142-64-164.phx3.llnw.net.27014: UDP, length 53<br />22:00:21.230970 IP (tos 0x0, ttl 114, id 4373, offset 0, flags [none], proto: UDP (17), length: 64) valve-68-142-64-164.phx3.llnw.net.27014 > 192.168.1.2.1034: UDP, length 36<br />22:00:26.201715 arp who-has 192.168.1.2 tell 192.168.1.1<br />22:00:26.201726 arp reply 192.168.1.2 is-at 00:04:11:11:11:11 (oui Unknown)<br />22:00:29.706020 IP (tos 0x0, ttl 128, id 31133, offset 0, flags [none], proto: UDP (17), length: 81) 192.168.1.2.1034 > valve-68-142-64-164.phx3.llnw.net.27014: UDP, length 53<br />22:00:38.751355 IP (tos 0x0, ttl 128, id 31256, offset 0, flags [none], proto: UDP (17), length: 81) 192.168.1.2.1034 > valve-68-142-64-164.phx3.llnw.net.27014: UDP, length 53<br /><br />Network interfaces available for the capture:<br /><br />#tcpdump -D<br />1.eth0<br />2.any (Pseudo-device that captures on all interfaces)<br />3.lo<br /><br />To display numerical addresses rather than symbolic (DNS) addresses:<br /><br />#tcpdump -n<br />tcpdump: verbose output suppressed, use -v or -vv for full protocol decode<br />listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes<br /><br />22:02:36.111595 IP 192.168.1.2.1034 > 68.142.64.164.27014: UDP, length 53<br />22:02:36.669853 IP 68.142.64.164.27014 > 192.168.1.2.1034: UDP, length 36<br />22:02:41.702977 arp who-has 192.168.1.2 tell 192.168.1.1<br />22:02:41.702984 arp reply 192.168.1.2 is-at 00:04:11:11:11:11<br />22:02:45.106515 IP 192.168.1.2.1034 > 68.142.64.164.27014: UDP, length 53<br />22:02:50.392139 IP 192.168.1.2.138 > 192.168.1.255.138: NBT UDP PACKET(138)<br />22:02:54.139658 IP 192.168.1.2.1034 > 68.142.64.164.27014: UDP, length 53<br />22:02:57.866958 IP 125.175.131.58.3608 > 192.168.1.2.9501: S 3275472679:3275472679(0) win 65535<br /><br />To display the quick output:<br /><br />#tcpdump -q<br />tcpdump: verbose output suppressed, use -v or -vv for full protocol decode<br />listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes<br /><br />22:03:55.594839 IP a213-22-130-46.cpe.netcabo.pt.3546 > 192.168.1.2.9501: tcp 0<br />22:03:55.698827 IP 192.168.1.2.9501 > a213-22-130-46.cpe.netcabo.pt.3546: tcp 0<br />22:03:56.068088 IP a213-22-130-46.cpe.netcabo.pt.3546 > 192.168.1.2.9501: tcp 0<br />22:03:56.068096 IP 192.168.1.2.9501 > a213-22-130-46.cpe.netcabo.pt.3546: tcp 0<br />22:03:57.362863 IP 192.168.1.2.1034 > valve-68-142-64-164.phx3.llnw.net.27014: UDP, length 53<br />22:03:57.964397 IP valve-68-142-64-164.phx3.llnw.net.27014 > 192.168.1.2.1034: UDP, length 36<br />22:04:06.406521 IP 192.168.1.2.1034 > valve-68-142-64-164.phx3.llnw.net.27014: UDP, length 53<br />22:04:15.393757 IP 192.168.1.2.1034 > valve-68-142-64-164.phx3.llnw.net.27014: UDP, length 53<br /><br />Capture the traffic of a particular interface:<br /><br />tcpdump -i eth0<br />To capture the UDP traffic:<br /><br />#tcpdump udp<br />To capture the TCP port 80 traffic:<br /><br />#tcpdump port http<br />To capture the traffic from a filter stored in a file:<br /><br />#tcpdump -F file_name<br />To create a file where the filter is configured (here the TCP 80 port)<br /><br />#vim file_name<br />port 80<br />To stop the capture after 20 packets:<br /><br />#tcpdump -c 20<br />To send the capture output in a file instead of directly on the screen:<br /><br />#tcpdump -w capture.log<br />To read a capture file:<br /><br />#tcpdump -r capture.log<br />reading from file capture.log, link-type EN10MB (Ethernet)<br /><br />09:33:51.977522 IP 192.168.1.36.40332 > rr.knams.wikimedia.org.www: P 1548302662:1548303275(613) ack 148796145 win 16527<br />09:33:52.031729 IP rr.knams.wikimedia.org.www > 192.168.1.36.40332: . ack 613 win 86<br />09:33:52.034414 IP rr.knams.wikimedia.org.www > 192.168.1.36.40332: P 1:511(510) ack 613 win86<br />09:33:52.034786 IP 192.168.1.36.40332 > rr.knams.wikimedia.org.www: . ack 511 win 16527<br /><br />The captured data isn't stored in plain text so you cannot read it with a text editor, you have to use a special tool like TCPdump (see above) or Wireshark (Formerly Ethereal) which provides a graphical interface.<br /><br />The capture.log file is opened with Wireshark.<br /><br /><br />To display the packets having "www.openmaniak.com" as their source or destination address:<br /><br />#tcpdump host www.openmaniak.com<br />To display the FTP packets coming from 192.168.1.100 to 192.168.1.2:<br /><br />#tcpdump src 192.168.1.100 and dst 192.168.1.2 and port ftp<br />To display the packets content:<br /><br />#tcpdump -A<br />Packets capture during a FTP connection. The FTP password can be easily intercepted because it is sent in clear text to the server.<br /><br />tcpdump: verbose output suppressed, use -v or -vv for full protocol decode<br />listening on ath0, link-type EN10MB (Ethernet), capture size 96 bytes<br />20:53:24.872785 IP ubuntu.local.40205 > 192.168.1.2.ftp: S 4155598838:4155598838(0) win 5840<br />....g....................<br />............<br />20:53:24.879473 IP ubuntu.local.40205 > 192.168.1.2.ftp: . ack 1228937421 win 183<br />....g.I@.............<br />........<br />20:53:24.881654 IP ubuntu.local.40205 > 192.168.1.2.ftp: . ack 43 win 183<br />....g.I@.......8.....<br />......EN<br />20:53:26.402046 IP ubuntu.local.40205 > 192.168.1.2.ftp: P 0:10(10) ack 43 win 183<br />....g.I@......`$.....<br />...=..ENUSER teddybear<br /><br />20:53:26.403802 IP ubuntu.local.40205 > 192.168.1.2.ftp: . ack 76 win 183<br />....h.I@.............<br />...>..E^<br />20:53:29.169036 IP ubuntu.local.40205 > 192.168.1.2.ftp: P 10:25(15) ack 76 win 183<br />....h.I@......#c.....<br />......E^PASS wakeup<br /><br />20:53:29.171553 IP ubuntu.local.40205 > 192.168.1.2.ftp: . ack 96 win 183<br />....h.I@.,...........<br />......Ez<br />20:53:29.171649 IP ubuntu.local.40205 > 192.168.1.2.ftp: P 25:31(6) ack 96 win 183<br />....h.I@.,...........<br />......EzSYST<br /><br />20:53:29.211607 IP ubuntu.local.40205 > 192.168.1.2.ftp: . ack 115 win 183<br />....h.I@.?.....j.....<br />......Ez<br />20:53:31.367619 IP ubuntu.local.40205 > 192.168.1.2.ftp: P 31:37(6) ack 115 win 183<br />....h.I@.?...........<br />......EzQUIT<br /><br />20:53:31.369316 IP ubuntu.local.40205 > 192.168.1.2.ftp: . ack 155 win 183<br />....h.I@.g...........<br />......E.<br />20:53:31.369759 IP ubuntu.local.40205 > 192.168.1.2.ftp: F 37:37(0) ack 156 win 183<br />....h.I@.h.....e.....<br />......E.<br /><br />We see in this capture the FTP username (teddybear) and password (wakeup).<br /><br />===============================<br />===============================<br /><br /><br />Tcpdump is the premier network analysis tool for information security and networking enthusiasts and/or professionals. In my own primer I cover tcpdump basics; if you're interested in becoming familiar with the application via an introduction, I suggest you check it out first.<br /><br />Here I'm simply going to give a number of recipes that you're likely to find useful during your day to day activities. They will range from common, general captures to complex filters designed to look for a number of unique traffic types.<br /><br />Basics<br /><br />Below are a few options you can use when invoking tcpdump in order to control the output. The examples given will be in the basic form of tcpdump $recipe, so remember to add your own options as needed.<br /><br />Basic Communication // See the basics without many options<br /><br /># tcpdump -nS<br />Basic Communication (very verbose) // see a good amount of traffic, with verbosity and no name help<br /><br /># tcpdump -nnvvS<br />A deeper look at the traffic // adds -X for payload but doesn't grab any more of the packet<br /><br /># tcpdump -nnvvXS<br />Heavy packet viewing // the final "s" increases the snaplength, grabbing the whole packet<br /><br /># tcpdump -nnvvXSs 1514<br /><br />Recipes<br /><br /> 1. host // look for traffic based on IP address (also works with hostname if you're not using -n)<br /> # tcpdump host 1.2.3.4<br /><br /> 2. src, dst // find traffic from only a source or destination (eliminates one side of a host conversation)<br /> # tcpdump src 2.3.4.5<br /> # tcpdump dst 3.4.5.6<br /><br /> 3. net // capture an entire network using CIDR notation<br /> # tcpdump net 1.2.3.0/24<br /><br /> 4. proto // works for tcp, udp, and icmp. Note that you don't have to type proto<br /> # tcpdump icmp<br /><br /> 5. port // see only traffic to or from a certain port<br /> # tcpdump port 3389<br /><br /> 6. src, dst port // filter based on the source or destination port<br /> # tcpdump src port 1025<br /> # tcpdump dst port 3389<br /><br /><br />Combinations<br /><br />TCP traffic from 10.5.2.3 destined for port 3389:<br /># tcpdump tcp and src 10.5.2.3 and dst port 3389<br /><br />Traffic originating from the 192.168 network headed for the 10 or 172.16 networks:<br /># tcpdump src net 192.168.0.0/16 and dst net 10.0.0.0/8 or 172.16.0.0/16<br /><br />Non-ICMP traffic destined for 192.168.0.2 from the 172.16 network:<br /># tcpdump dst 192.168.0.2 and src net 172.16.0.0/16 and not icmp<br /><br />Traffic originating from Mars or Pluto that isn't to the SSH port:<br /># tcpdump -vv src mars or pluto and not dst port 22<br /><br />Traffic that's from 10.0.2.4 AND destined for ports 3389 or 22:<br /># tcpdump 'src 10.0.2.4 and \(dst port 3389 or 22\)'<br /><br /> Advanced filters can help with troubleshooting and can reveal anomalous traffic on a network that would normally go unnoticed.<br /><br />Finding Flags<br /><br />Hint: Use the following acronym to remember your flags: Unskilled Attackers Pester Real Security Folk<br /><br />Show me all URG packets:<br /># tcpdump 'tcp[13] & 32 != 0'<br /><br />Show me all ACK packets:<br /># tcpdump 'tcp[13] & 16 != 0'<br /><br />Show me all PSH packets:<br /># tcpdump 'tcp[13] & 8 != 0'<br /><br />Show me all RST packets:<br /># tcpdump 'tcp[13] & 4 != 0'<br /><br />Show me all SYN packets:<br /># tcpdump 'tcp[13] & 2 != 0'<br /><br />Show me all FIN packets:<br /># tcpdump 'tcp[13] & 1 != 0'<br /><br />Show me all SYN-ACK packets:<br /># tcpdump 'tcp[13] = 18'<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/350232546605449424-7687580499552265508?l=5lackware.blogspot.com' alt='' /></div>angereminohttp://www.blogger.com/profile/07909387683643703519noreply@blogger.com0tag:blogger.com,1999:blog-350232546605449424.post-43363821224015588982009-08-13T02:15:00.000-07:002011-05-18T02:06:40.459-07:00A little roll-yur-own walk through:<br /><br />This walkthrough works on non-system, user programs, not root-only programs: (For system programs the walk through is the same except you will want to be root and be in the /usr/src directrory)<br /><br />1. Make a directory under your username (optional) to build software in, from command line:<br />mkdir ~/src<br /><br />Then change directory into it:<br /><br />cd ~/src<br /><br />2. Get your source code. You can find this at sourceforge.net or freshmeat.net, and a few other places. Often on these sites they will list dependancies, pay close attention, if you dont have one of the programs that program you want "depends" on, it will either not compile or run after it is compiled. You may have to install the programs it depends on first. Save the source in the /home/YourUsername/src (this is the same as "~/src") These will have the extensions "tar.gz" or "tar.bz2" Side note: TAR is an acronym for Tape ARchive-- they are often called "tarballs"<br /><br />3. From command line, make sure your still in the "~/src" and make sure your file is saved in the correct location:<br /><br />ls -la ./<br /><br />Then lets un-compress the archive:<br />If it is a "tar.gz" then use this command:<br /><br />tar -zxvf ./NameOfFile.tar.gz<br /><br />If it is "tar.bz2" then:<br /><br />tar -xvjf ./NameOfFile.tar.bz2<br /><br />This will uncompress the tarball and put the data in a directory that it will create, the directory will have the same name as the original file only without the extension.<br /><br />Side note: the difference between them is the type of compession-- zip and bzip.<br /><br />4. Next read the README and INSTALL files. They may or may not exist and they may or may not contain anything usefull. First lets get into the right directory:<br /><br />cd ./NameOfFile/<br /><br />Then check to see if a README or INSTALL files exist:<br /><br />ls -la | less<br /><br />("|" is above your enter key)<br /><br />You can read them from the command line:<br /><br />vim ./README<br /><br />and<br /><br />vim ./INSTALL<br /><br />You can replace "vim" in the above with: nano pico elvis emacs<br />These are different editors. The editor you choose is a highly personal thing (I really dont know why, I could care less, I have seen may debates on which one is better....)<br /><br />If you are in gnome or kde -- just browse to it, use the default editor.<br /><br />It is hard to explain if these contain anything usefull-- this one you will have to use your judgement. If some info seems important and doesnt make any sense you could probably post it...<br /><br />5. Then we need to check configure options:<br /><br />./configure --help | less<br /><br />This will give you a list of options, read these carefully, the feature you want in the software may not be enabled by default. Also if you enable an option that clearly depends on other software you will need to make sure that software exists on you system. Common example is samba support.<br /><br />6. Lets configure:<br /><br />./configure --enable=Option --enable=oiption2<br /><br />The "--enable=option" is obtained from step 5 above-- your software may not need any options, and thats OK. Yours may simply look like:<br /><br />./configure<br /><br />If it gives you errors, most likely it is because of missing dependancies. You will need to resolve these before continueing.<br /><br />7. Compile software:<br /><br />./make<br /><br />If it gives you errors at this point:<br />A-- Make sure your depancies are met! and double check README, INSTALL and your compile options.<br />B-- Email the maintainer of the software with your very specific hardware, your distro/version, and compile option. Include the error from command line, it will many lines above were it crashes. Ask if he would like you to do a backtrace. (If he would like a backtrace-- ask for instructions) Dont expect an answer right away, people do these things in thier spare time. Be courtious!!!-- your getting (or will get) free software! If he wants any other info, try to provide it for him.<br />C-- If you are great at debuggin software-- by all means fix the problem. Then send a patch back to the maintainer.<br /><br />If you didnt have any troubles, gratz you've compiled some software.<br /><br />8. Make a package out of the software. This is very distro specific. If you want your package management software to be able to remove it. I unfortunatly cannot help much with this one, I'm sure many people here can help with this step. My distro of choice the line between package and source install is very thin (slackware). So I dont use this step.<br /><br />In Slackware it would be (you will need to be root):<br />makepkg name-version-arch-build.tgz<br /><br />9. Now we need root privlages to install the software:<br /><br />su<br /><br />(It will now ask for your root password)<br /><br />If you skipped 8 above:<br /><br />./make install<br /><br />If you made a package out of it, use your package installer (distro specific) to install the software.<br /><br />In slackware:<br />installpkg name-version-arch-build.tgz<br /><br />10. Try to run the software-- The first time run it from command line, if it crashes this will give you some hints as to what happened. You may be able to fix it, if not send the maintainer any information that can about the crash. Again be courtious (even if they are not!).<br /><br />11. If you need to re-compile (some software you may have to this many time lol):<br />First:<br /><br />./make clean<br /><br />Second (this may or may not work-- dont be too concerned if it doesnt)<br /><br />./make uninstall<br /><br />Then follow the steps again...<br /><br /><br /><br />I hope somebody finds this useful-- pretty slow day here in montana.<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/350232546605449424-4336382122401558898?l=5lackware.blogspot.com' alt='' /></div>angereminohttp://www.blogger.com/profile/07909387683643703519noreply@blogger.com0tag:blogger.com,1999:blog-350232546605449424.post-51700375181261654582009-08-13T02:05:00.000-07:002009-08-13T02:12:17.822-07:00if we have some connection like :pppoe,lan,dialup etc.connection can be up,but remmeber we need to use that chosen connection Gateway to connected Net!<br />first :<br />route del default : for delete default gateway<br />route add default gw XXX.XXX.XXX.XXX<br />route -n view connections and their Gateway<br />cat /etc/resolve.conf :view DNS <br />if you connect PPPOE and you have Bridg connection so u need to use this Comand line<br />Route add default dev ppp0<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/350232546605449424-5170037518126165458?l=5lackware.blogspot.com' alt='' /></div>angereminohttp://www.blogger.com/profile/07909387683643703519noreply@blogger.com0tag:blogger.com,1999:blog-350232546605449424.post-5190792022577881412009-08-13T02:04:00.000-07:002009-08-13T02:05:44.775-07:00if it ends in .tar:<br /><br />tar -xvf filename.tar<br />(you don't need the v, it is for verbose, i like verbose though)<br /><br />if it ends in .tar.gz:<br />tar -zxvf filename.tar.gz<br /><br />if it ends in .tar.bz2:<br />tar -Ixvf filename.tar.bz2 or tar -jxvf filename.tar.bz2<br /><br />(many non debian systems don't have bzip2 integrated into<br />their tar yet.. debian 2.2 uses -Ixvf and debian 3.0<br />uses -jxvf)<br /><br />if it ends in .tar.Z:<br />tar -Zxvf filename.tar.Z<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/350232546605449424-519079202257788141?l=5lackware.blogspot.com' alt='' /></div>angereminohttp://www.blogger.com/profile/07909387683643703519noreply@blogger.com0tag:blogger.com,1999:blog-350232546605449424.post-26745015031537343072009-06-28T09:53:00.000-07:002009-06-28T10:03:13.509-07:00Chapter 23. IPsec <br /> <br />Table of Contents <br />23.1. Theory <br />23.2. Linux configuration <br />23.3. Installing IPsec-Tools <br />23.4. Setting up IPsec with manual keying <br />23.5. Setting up IPsec with automatic key exchanging <br />23.1. Theory <br /> <br />IPsec is a standard for securing IP communication through authentication, and encryption. Besides that it can compress packets, reducing traffic. The following protocols are part of the IPsec standard: <br /> <br />AH (Authentication Header) provides authenticity guarantee for transported packets. This is done by checksumming the packages using a cryptographic algorithm. If the checksum is found to be correct by the receiver, the receiver can be assured that the packet is not modified, and that the packet really originated from the reported sender (provided that the keys are only known by the sender and receiver). <br /> <br />ESP (Encapsulating Security Payload) is used to encrypt packets. This makes the data of the packet confident, and only readable by the host with the right decryption key. <br /> <br />IPcomp (IP payload compression) provides compression before a packet is encrypted. This is useful, because encrypted data generally compresses worse than unencrypted data. <br /> <br />IKE (Internet Key Exchange) provides the means to negotiate keys in secrecy. Please note that IKE is optional, keys can be configured manually. <br /> <br />There are actually two modes of operation: transport mode is used to encrypt normal connections between two hosts, tunnel mode encapsulates the original package in a new header. In this chapter we are going to look at the transport mode, because the primary goal of this chapter is to show how to set up a secure connection between two hosts. <br /> <br />There are also two major methods of authentication. You can use manual keys, or an Internet Key Exchange (IKE) daemon, like racoon, that automatically exchanges keys securely betwoon two hosts. In both cases you need to set up a policy in the Security Policy Database (SPD). This database is used by the kernel to decide what kind of security policy is needed to communicate with another host. If you use manual keying you also have to set up Security Association Database (SAD) entries, which specifies what encryption algorithmn and key should be used for secure communication with another host. If you use an IKE daemon the security associations are automatically established. <br />23.2. Linux configuration <br /> <br />Native IPsec support is only available in Linux 2.6.x kernels. Earlier kernels have no native IPsec support. So, make sure that you have a 2.6.x kernel. The 2.6 kernel is available in Slackware Linux 10.0, 10.1, and 10.2 from the testing directory on CD2 of the Slackware Linux CD sets, or any of the official Slackware Linux mirrors. The 2.6 kernel is the default kernel since Slackware Linux 12.0. The default Slackware Linux 2.6 kernel has support for AH, ESP and IPcomp in for both IPv4 and IPv6. If you are compiling a custom kernel enable use at least the following options in your kernel configuration: <br />CONFIG_INET_AH=y <br />CONFIG_INET_ESP=y <br />CONFIG_INET_IPCOMP=y <br /> <br /> <br />Or you can compile support for IPsec protocols as a module: <br />CONFIG_INET_AH=m <br />CONFIG_INET_ESP=m <br />CONFIG_INET_IPCOMP=m <br /> <br /> <br />In this chapter we are only going to use AH and ESP transformations, but it is not a bad idea to enable IPComp transformation for further configuration of IPsec. Besides support for the IPsec protocols, you have to compile kernel support for the encryption and hashing algorithms that will be used by AH or ESP. Linux or module support for these algorithms can be enabled by twiddling the various CONFIG_CRYPTO options. It does not hurt to compile all ciphers and hash algorithms as a module. <br /> <br />When you choose to compile IPsec support as a module, make sure that the required modules are loaded. For example, if you are going to use ESP for IPv4 connections, load the esp4 module. <br /> <br />Compile the kernel as usual and boot it. <br />23.3. Installing IPsec-Tools <br /> <br />The next step is to install the IPsec-Tools. These tools are ports of the KAME IPsec utilities. Download the latest sources and unpack, configure and install them: <br /># tar jxf ipsec-tools-x.y.z.tar.bz2 <br /># cd ipsec-tools-x.y.z <br /># CFLAGS="-O2 -march=i486 -mcpu=i686" \ <br /> ./configure --prefix=/usr \ <br /> --sysconfdir=/etc \ <br /> --localstatedir=/var \ <br /> --enable-hybrid \ <br /> --enable-natt \ <br /> --enable-dpd \ <br /> --enable-frag \ <br /> i486-slackware-linux <br /># make <br /># make install <br /> <br /> <br />Replace x.y.z with the version of the downloaded sources. The most notable flags that we specify during the configuration of the sources are: <br /> <br />--enable-dpd: enables dead peer detection (DPD). DPD is a method for detecting wether any of the hosts for which security associations are set up is unreachable. When this is the case the security associations to that host can be removed. <br /> <br />--enable-natt: enables NAT traversal (NAT-T). Since NAT alters the IP headers, this causes problems for guaranteeing authenticity of a packet. NAT-T is a method that helps overcoming this problem. Configuring NAT-T is beyond the scope of this article. <br />23.4. Setting up IPsec with manual keying <br />23.4.1. Introduction <br /> <br />We will use an example as the guideline for setting up an encrypted connection between to hosts. The hosts have the IP addresses 192.168.1.1 and 192.168.1.169. The “transport mode” of operation will be used with AH and ESP transformations and manual keys. <br />23.4.2. Writing the configuration file <br /> <br />The first step is to write a configuration file we will name /etc/setkey.conf. On the first host (192.168.1.1) the following /etc/setkey.conf configuration will be used: <br />#!/usr/sbin/setkey -f <br /> <br /># Flush the SAD and SPD <br />flush; <br />spdflush; <br /> <br />add 192.168.1.1 192.168.1.169 ah 0x200 -A hmac-md5 <br />0xa731649644c5dee92cbd9c2e7e188ee6; <br />add 192.168.1.169 192.168.1.1 ah 0x300 -A hmac-md5 <br />0x27f6d123d7077b361662fc6e451f65d8; <br /> <br />add 192.168.1.1 192.168.1.169 esp 0x201 -E 3des-cbc <br />0x656c8523255ccc23a66c1917aa0cf30991fce83532a4b224; <br />add 192.168.1.169 192.168.1.1 esp 0x301 -E 3des-cbc <br />0xc966199f24d095f3990a320d749056401e82b26570320292 <br /> <br />spdadd 192.168.1.1 192.168.1.169 any -P out ipsec <br /> esp/transport//require <br /> ah/transport//require; <br /> <br />spdadd 192.168.1.169 192.168.1.1 any -P in ipsec <br /> esp/transport//require <br /> ah/transport//require; <br /> <br /> <br />The first line (a line ends with a “;”) adds a key for the header checksumming for packets coming from 192.168.1.1 going to 192.168.1.169. The second line does the same for packets coming from 192.168.1.169 to 192.168.1.1. The third and the fourth line define the keys for the data encryption the same way as the first two lines. Finally the “spadd” lines define two policies, namely packets going out from 192.168.1.1 to 192.168.1.169 should be (require) encoded (esp) and “signed” with the authorization header. The second policy is for incoming packets and it is the same as outgoing packages. <br /> <br />Please be aware that you should not use these keys, but your own secretly kept unique keys. You can generate keys using the /dev/random device: <br /># dd if=/dev/random count=16 bs=1 | xxd -ps <br /> <br /> <br />This command uses dd to output 16 bytes from /dev/random. Don't forget to add “0x” at the beginning of the line in the configuration files. You can use the 16 byte (128 bits) for the hmac-md5 algorithm that is used for AH. The 3des-cbc algorithm that is used for ESP in the example should be fed with a 24 byte (192 bits) key. These keys can be generated with: <br /># dd if=/dev/random count=24 bs=1 | xxd -ps <br /> <br /> <br />Make sure that the /etc/setkey.conf file can only be read by the root user. If normal users can read the keys IPsec provides no security at all. You can do this with: <br /># chmod 600 /etc/setkey.conf <br /> <br /> <br />The same /etc/setkey.conf can be created on the 192.168.1.169 host, with inverted -P in and -P out options. So, the /etc/setkey.conf will look like this: <br />#!/usr/sbin/setkey -f <br /> <br /># Flush the SAD and SPD <br />flush; <br />spdflush; <br /> <br />add 192.168.1.1 192.168.1.169 ah 0x200 -A hmac-md5 <br />0xa731649644c5dee92cbd9c2e7e188ee6; <br />add 192.168.1.169 192.168.1.1 ah 0x300 -A hmac-md5 <br />0x27f6d123d7077b361662fc6e451f65d8; <br /> <br />add 192.168.1.1 192.168.1.169 esp 0x201 -E 3des-cbc <br />0x656c8523255ccc23a66c1917aa0cf30991fce83532a4b224; <br />add 192.168.1.169 192.168.1.1 esp 0x301 -E 3des-cbc <br />0xc966199f24d095f3990a320d749056401e82b26570320292 <br /> <br />spdadd 192.168.1.1 192.168.1.169 any -P in ipsec <br /> esp/transport//require <br /> ah/transport//require; <br /> <br />spdadd 192.168.1.169 192.168.1.1 any -P out ipsec <br /> esp/transport//require <br /> ah/transport//require; <br /> <br />23.4.3. Activating the IPsec configuration <br /> <br />The IPsec configuration can be activated with the setkey command: <br /># setkey -f /etc/setkey.conf <br /> <br /> <br />If you want to enable IPsec permanently you can add the following line to /etc/rc.d/rc.local on both hosts: <br />/usr/sbin/setkey -f /etc/setkey.conf <br /> <br /> <br />After configuring IPsec you can test the connection by running tcpdump and simultaneously pinging the other host. You can see if AH and ESP are actually used in the tcpdump output: <br /># tcpdump -i eth0 <br />tcpdump: listening on eth0 <br />11:29:58.869988 terrapin.taickim.net > 192.168.1.169: AH(spi=0x00000200,seq=0x40f): ESP(spi=0x00000201,seq=0x40f) (DF) <br />11:29:58.870786 192.168.1.169 > terrapin.taickim.net: AH(spi=0x00000300,seq=0x33d7): ESP(spi=0x00000301,seq=0x33d7) <br /> <br />23.5. Setting up IPsec with automatic key exchanging <br />23.5.1. Introduction <br /> <br />The subject of automatical key exchange is already touched shortly in the introduction of this chapter. Put simply, IPsec with IKE works in the following steps. <br /> <br />Some process on the host wants to connect to another host. The kernel checks whether there is a security policy set up for the other host. If there already is a security association corresponding with the policy the connection can be made, and will be authenticated, encrypted and/or compressed as defined in the security association. If there is no security association, the kernel will request a user-land IKE daemon to set up the necessary security association(s). <br /> <br />During the first phase of the key exchange the IKE daemon will try to verify the authenticity of the other host. This is usually done with a preshared key or certificate. If the authentication is successful a secure channel is set up between the two hosts, usually called a IKE security association, to continue the key exchange. <br /> <br />During the second phase of the key exchange the security associations for communication with the other host are set up. This involves choosing the encryption algorithm to be used, and generating keys that are used for encryption of the communication. <br /> <br />At this point the first step is repeated again, but since there are now security associations the communication can proceed. <br /> <br />The racoon IKE daemon is included with the KAME IPsec tools, the sections that follow explain how to set up racoon. <br />23.5.2. Using racoon with a preshared key <br /> <br />As usual the first step to set up IPsec is to define security policies. In contrast to the manual keying example you should not set up security associations, because racoon will make them for you. We will use the same host IPs as in the example above. The security policy rules look like this: <br />#!/usr/sbin/setkey -f <br /> <br /># Flush the SAD and SPD <br />flush; <br />spdflush; <br /> <br />spdadd 192.168.1.1 192.168.1.169 any -P out ipsec <br /> esp/transport//require; <br /> <br />spdadd 192.168.1.169 192.168.1.1 any -P in ipsec <br /> esp/transport//require; <br /> <br /> <br />Cautious souls have probably noticed that AH policies are missing in this example. In most situations this is no problem, ESP can provide authentication. But you should be aware that the authentication is more narrow; it does not protect information outside the ESP headers. But it is more efficient than encapsulating ESP packets in AH. <br /> <br />With the security policies set up you can configure racoon. Since the connection-specific information, like the authentication method is specified in the phase one configuration. We can use a general phase two configuration. It is also possible to make specific phase two settings for certain hosts. But generally speaking a general configuration will often suffice in simple setups. We will also add paths for the preshared key file, and certification directory. This is an example of /etc/racoon.conf with the paths and a general phase two policy set up: <br />path pre_shared_key "/etc/racoon/psk.txt"; <br />path certificate "/etc/racoon/certs"; <br /> <br />sainfo anonymous { <br />{ <br /> pfs_group 2; <br /> lifetime time 1 hour; <br /> encryption_algorithm 3des, blowfish 448, rijndael; <br /> authentication_algorithm hmac_sha1, hmac_md5; <br /> compression_algorithm deflate; <br />} <br /> <br /> <br />The sainfo identifier is used to make a block that specifies the settings for security associations. Instead of setting this for a specific host, the anonymous parameter is used to specify that these settings should be used for all hosts that do not have a specific configuration. The pfs_group specifies which group of Diffie-Hellman exponentiations should be used. The different groups provide different lengths of base prime numbers that are used for the authentication process. Group 2 provides a 1024 bit length if you would like to use a greater length, for increased security, you can use another group (like 14 for a 2048 bit length). The encryption_algorithm specifies which encryption algorithms this host is willing to use for ESP encryption. The authentication_algorithm specifies the algorithm to be used for ESP Authentication or AH. Finally, the compression_algorithm is used to specify which compression algorithm should be used when IPcomp is specified in an association. <br /> <br />The next step is to add a phase one configuration for the key exchange with the other host to the racoon.conf configuration file. For example: <br />remote 192.168.1.169 <br />{ <br /> exchange_mode aggressive, main; <br /> my_identifier address; <br /> proposal { <br /> encryption_algorithm 3des; <br /> hash_algorithm sha1; <br /> authentication_method pre_shared_key; <br /> dh_group 2; <br /> } <br />} <br /> <br /> <br />The remote block specifies a phase one configuration. The exchange_mode is used to configure what exchange mode should be used for phase. You can specify more than one exchange mode, but the first method is used if this host is the initiator of the key exchange. The my_identifier option specifies what identifier should be sent to the remote host. If this option committed address is used, which sends the IP address as the identifier. The proposal block specifies parameter that will be proposed to the other host during phase one authentication. The encryption_algorithm, and dh_group are explained above. The hash_algorithm option is mandatory, and configures the hash algorithm that should be used. This can be md5, or sha1. The authentication_method is crucial for this configuration, as this parameter is used to specify that a preshared key should be used, with pre_shared_key. <br /> <br />With racoon set up there is one thing left to do, the preshared key has to be added to /etc/racoon/psk.txt. The syntax is very simple, each line contains a host IP address and a key. These parameters are separated with a tab. For example: <br />192.168.1.169 somekey <br /> <br />23.5.3. Activating the IPsec configuration <br /> <br />At this point the configuration of the security policies and racoon is complete, and you can start to test the configuration. It is a good idea to start racoon with the -F parameter. This will run racoon in the foreground, making it easier to catch error messages. To wrap it up: <br /># setkey -f /etc/setkey.conf <br /># racoon -F <br /> <br /> <br />Now that you have added the security policies to the security policy database, and started racoon, you can test your IPsec configuration. For instance, you could ping the other host to start with. The first time you ping the other host, this will fail: <br />$ ping 192.168.1.169 <br />connect: Resource temporarily unavailable <br /> <br /> <br />The reason for this is that the security associations still have to be set up. But the ICMP packet will trigger the key exchange. ping will trigger the key exchange. You can see whether the exchange was succesful or not by looking at the racoon log messages in /var/log/messages, or the output on the terminal if you started racoon in the foreground. A succesful key exhange looks like this: <br /> Apr 4 17:14:58 terrapin racoon: INFO: IPsec-SA request for 192.168.1.169 queued due to no phase1 found. <br /> Apr 4 17:14:58 terrapin racoon: INFO: initiate new phase 1 negotiation: 192.168.1.1[500]<=>192.168.1.169[500] <br /> Apr 4 17:14:58 terrapin racoon: INFO: begin Aggressive mode. <br /> Apr 4 17:14:58 terrapin racoon: INFO: received Vendor ID: DPD <br /> Apr 4 17:14:58 terrapin racoon: NOTIFY: couldn't find the proper pskey, try to get one by the peer's address. <br /> Apr 4 17:14:58 terrapin racoon: INFO: ISAKMP-SA established 192.168.1.1[500]-192.168.1.169[500] spi:58c4669f762abf10:60593eb9e3dd7406 <br /> Apr 4 17:14:59 terrapin racoon: INFO: initiate new phase 2 negotiation: 192.168.1.1[0]<=>192.168.1.169[0] <br /> Apr 4 17:14:59 terrapin racoon: INFO: IPsec-SA established: ESP/Transport 192.168.1.169->host1ip; spi=232781799(0xddff7e7) <br /> Apr 4 17:14:59 terrapin racoon: INFO: IPsec-SA established: ESP/Transport 192.168.1.1->192.168.1.169 spi=93933800(0x59950e8) <br /> <br /> <br />After the key exchange, you can verify that IPsec is set up correctly by analyzing the packets that go in and out with tcpdump. tcpdump is available in the n diskset. Suppose that the outgoing connection to the other host goes through the eth0 interface, you can analyze the packats that go though the eth0 interface with tcpdump -i eth0. If the outgoing packets are encrypted with ESP, you can see this in the tcpdump output. For example: <br /># tcpdump -i eth0 <br />tcpdump: verbose output suppressed, use -v or -vv for full protocol decode <br />listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes <br />17:27:50.241067 IP terrapin.taickim.net > 192.168.1.169: ESP(spi=0x059950e8,seq=0x9) <br />17:27:50.241221 IP 192.168.1.169 > terrapin.taickim.net: ESP(spi=0x0ddff7e7,seq=0x9) <br /> <br /><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/350232546605449424-2674501503153734307?l=5lackware.blogspot.com' alt='' /></div>angereminohttp://www.blogger.com/profile/07909387683643703519noreply@blogger.com0tag:blogger.com,1999:blog-350232546605449424.post-37374860062994417982009-06-28T09:33:00.001-07:002009-06-28T09:44:34.007-07:00<div align="right"> <br /> <br /> <br /> <br /><meta name="ProgId" content="Word.Document"> <br /><meta name="Generator" content="Microsoft Word 11"> <br /><meta name="Originator" content="Microsoft Word 11"> <br /><link rel="File-List" href="VPN_files/filelist.xml"> <br /><title>VPN نظري و عملي </title> <br /><o:smarttagtype namespaceuri="urn:schemas-microsoft-com:office:smarttags" name="City"> <br /><o:smarttagtype namespaceuri="urn:schemas-microsoft-com:office:smarttags" name="place"> <br /><!--[if gte mso 9]><xml><br /> <o:documentproperties><br /> <o:author>Amir</o:Author><br /> <o:template>Normal</o:Template><br /> <o:lastauthor>Amir</o:LastAuthor><br /> <o:revision>2</o:Revision><br /> <o:totaltime>71</o:TotalTime><br /> <o:created>2009-06-28T17:23:00Z</o:Created><br /> <o:lastsaved>2009-06-28T17:23:00Z</o:LastSaved><br /> <o:pages>1</o:Pages><br /> <o:words>6519</o:Words><br /> <o:characters>37164</o:Characters><br /> <o:company>Rahanet</o:Company><br /> <o:lines>309</o:Lines><br /> <o:paragraphs>87</o:Paragraphs><br /> <o:characterswithspaces>43596</o:CharactersWithSpaces><br /> <o:version>11.5606</o:Version><br /> </o:DocumentProperties><br /></xml><![endif]--><!--[if gte mso 9]><xml><br /> <w:worddocument><br /> <w:grammarstate>Clean</w:GrammarState><br /> <w:punctuationkerning/><br /> <w:validateagainstschemas/><br /> <w:saveifxmlinvalid>false</w:SaveIfXMLInvalid><br /> <w:ignoremixedcontent>false</w:IgnoreMixedContent><br /> <w:alwaysshowplaceholdertext>false</w:AlwaysShowPlaceholderText><br /> <w:compatibility><br /> <w:breakwrappedtables/><br /> <w:snaptogridincell/><br /> <w:wraptextwithpunct/><br /> <w:useasianbreakrules/><br /> <w:dontgrowautofit/><br /> </w:Compatibility><br /> <w:browserlevel>MicrosoftInternetExplorer4</w:BrowserLevel><br /> </w:WordDocument><br /></xml><![endif]--><!--[if gte mso 9]><xml><br /> <w:latentstyles deflockedstate="false" latentstylecount="156"><br /> </w:LatentStyles><br /></xml><![endif]--><!--[if !mso]><object classid="clsid:38481807-CA0E-42D2-BF39-B33AF135CC4D" id="ieooui"></object><br /><style><br />st1\:*{behavior:url(#ieooui) }<br /></style><br /><![endif]--> <br /><style><br /><!-- /* Style Definitions */ p.MsoNormal, li.MsoNormal, div.MsoNormal {mso-style-parent:""; margin:0cm; margin-bottom:.0001pt; text-align:right; mso-pagination:widow-orphan; direction:rtl; unicode-bidi:embed; font-size:12.0pt; font-family:"Times New Roman"; mso-fareast-font-family:"Times New Roman";} span.GramE {mso-style-name:""; mso-gram-e:yes;} @page Section1 {size:595.3pt 841.9pt; margin:72.0pt 90.0pt 72.0pt 90.0pt; mso-header-margin:35.4pt; mso-footer-margin:35.4pt; mso-paper-source:0; mso-gutter-direction:rtl;} div.Section1 {page:Section1;} --><br /></style> <br /><!--[if gte mso 10]><br /><style><br /> /* Style Definitions */<br /> table.MsoNormalTable<br /> {mso-style-name:"Table Normal";<br /> mso-tstyle-rowband-size:0;<br /> mso-tstyle-colband-size:0;<br /> mso-style-noshow:yes;<br /> mso-style-parent:"";<br /> mso-padding-alt:0cm 5.4pt 0cm 5.4pt;<br /> mso-para-margin:0cm;<br /> mso-para-margin-bottom:.0001pt;<br /> mso-pagination:widow-orphan;<br /> font-size:10.0pt;<br /> font-family:"Times New Roman";<br /> mso-ansi-language:#0400;<br /> mso-fareast-language:#0400;<br /> mso-bidi-language:#0400;}<br /></style><br /><![endif]--> <br /> <br /> <br /> <br /> <br /><div class="Section1" dir="RTL"> <br /> <br /><p class="MsoNormal" dir="RTL" align="right"><span dir="LTR" style="mso-bidi-language:FA">VPN</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br />نظري و عملي <o:p></o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA"><o:p> </o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA">برقرار <br />كردن امنيت براي يك شبكه درون يك ساختمان كار ساده اي است . اما هنگامي كه بخواهيم <br />از نقاط دور رو ي داده هاي مشترك كار كنيم ايمني به مشكل بزرگي تبديل مي شود . در <br />اين بخش به اصول و ساختمان يك </span><span dir="LTR" style="mso-bidi-language: FA">VPN</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> براي سرويس گيرنده هاي ويندوز و لينوكس مي پردازيم . <o:p></o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA"><o:p> </o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA">اصول </span><span dir="LTR" style="mso-bidi-language:FA">VPN</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <o:p></o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA">فرستادن <br />حجم زيادي از داده از يك كامپيوتر به كامپيوتر ديگر مثلا” در به هنگام رساني بانك <br />اطلاعاتي يك مشكل شناخته شده و قديمي است . انجام اين كار از طريق </span><span dir="LTR" style="mso-bidi-language:FA">Email</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> به دليل محدوديت <br />گنجايش سرويس دهنده </span><span dir="LTR" style="mso-bidi-language:FA">Mail</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br />نشدني است . <o:p></o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA">استفاده <br />از </span><span dir="LTR" style="mso-bidi-language:FA">FTP</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> هم به سرويس دهنده <br />مربوطه و همچنين ذخيره سازي موقت روي فضاي اينترنت نياز دارد كه اصلا” قابل <br />اطمينان نيست . <o:p></o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA">يكي از <br />راه حل هاي اتصال مستقيم به كامپيوتر مقصد به كمك مودم است كه در اينجا هم علاوه <br />بر مودم ، پيكر بندي كامپيوتر به عنوان سرويس دهنده </span><span dir="LTR" style="mso-bidi-language:FA">RAS</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> لازم خواهد بود . از اين <br />گذشته ، هزينه ارتباط تلفني راه دور براي مودم هم قابل تامل است . اما اگر دو <br />كامپيوتر در دو جاي مختلف به اينترنت متصل باشند مي توان از طريق سرويس به اشتراك <br />گذاري فايل در ويندوز بسادگي فايل ها را رد و بدل كرد . در اين حالت ، كاربران مي <br />توانند به سخت ديسك كامپيوترهاي ديگر همچون سخت ديسك كامپيوتر خود دسترسي داشته <br />باشند . به اين ترتيب بسياري از راه هاي خرابكاري براي نفوذ كنندگان بسته مي شود . <br /><o:p></o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA">شبكه هاي <br />شخصي مجاري يا </span><span dir="LTR" style="mso-bidi-language:FA">VPN ( Virtual <br />private Network</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language: FA"><span dir="RTL"></span> ) ها اينگونه مشكلات را حل مي كند . </span><span dir="LTR" style="mso-bidi-language:FA">VPN</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> به كمك رمز گذاري روي <br />داده ها ، درون يك شبكه كوچك مي سازد و تنها كسي كه آدرس هاي لازم و رمز عبور را <br />در اختيار داشته باشد مي تواند به اين شبكه وارد <span class="GramE">شود .</span> <br /> <br />مديران شبكه اي كه بيش از اندازه وسواس داشته و محتاط هستند مي توانند </span><span dir="LTR" style="mso-bidi-language:FA">VPN</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> را حتي روي شبكه محلي <br />هم پياده كنند . اگر چه نفوذ كنندگان مي توانند به كمك برنامه هاي </span><span dir="LTR" style="mso-bidi-language:FA">Packet sniffer</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> جريان داده ها را <br />دنبال كنند اما بدون داشتن كليد رمز نمي توانند آنها را بخوانند . <o:p></o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA"><o:p> </o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA">-4.1.1 </span><span dir="LTR" style="mso-bidi-language:FA">VPN</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> چيست ؟ <o:p></o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span dir="LTR" style="mso-bidi-language:FA">VPN</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br />دو كامپيوتر يا دو شبكه را به كمك يك شبكه ديگر كه به عنوان مسير انتقال به كار مي <br />گيرد به هم متصل مي <span class="GramE">كند .</span> براي نمونه مي توان ب دو <br />كامپيوتر يكي در تهران و ديگري در مشهد كه در فضاي اينترنت به يك شبكه وصل شده اند <br />اشاره كرد . </span><span dir="LTR" style="mso-bidi-language:FA">VPN</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br />از نگاه كاربر كاملا” مانند يك شبكه محلي به نظر مي <span class="GramE">رسد .</span> <br />براي پياده سازي چنين چيزي ، </span><span dir="LTR" style="mso-bidi-language:FA">VPN</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br />به هر كاربر يك ارتباط </span><span dir="LTR" style="mso-bidi-language:FA">IP</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br /> <br />مجازي مي دهد . <o:p></o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA">داده هايي <br />كه روي اين ارتباط آمد و شد دارند را سرويس گيرنده نخست به رمز در آورده و در قالب <br />بسته ها بسته بندي كرده و به سوي سرويس دهنده </span><span dir="LTR" style="mso-bidi-language:FA">VPN</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> مي فرستد . اگر بستر اين <br />انتقال اينترنت باشد بسته ها همان بسته هاي </span><span dir="LTR" style="mso-bidi-language:FA">IP</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> خواهند بود . <o:p></o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA">سرويس <br />گيرنده </span><span dir="LTR" style="mso-bidi-language:FA">VPN</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br />بسته ها را پس از دريافت رمز گشايي كرده و پردازش لازم را روي آن انجام مي دهد . <br />در آدرس </span><span dir="LTR" style="mso-bidi-language:FA">http://www.WOWN.COM\W-baeten\gifani\vpnani.gif</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br /> <br />شكل بسيار جالبي وجود دارد كه چگونگي اين كار را نشان مي دهد . روشي كه شرح داده <br />شد را اغلب </span><span dir="LTR" style="mso-bidi-language:FA">Tunneling</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br />يا تونل زني مي نامند چون داده ها براي رسيدن به كامپيوتر مقصد از چيزي مانند تونل <br />مي گذرند . براي پياده سازي </span><span dir="LTR" style="mso-bidi-language:FA">VPN</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br />راه هاي گوناگوني وجود دارد كه پر كاربرد ترين آنها عبارتند از <o:p></o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span dir="LTR" style="mso-bidi-language:FA">Point to <br />point Tunneling protocol</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> يا </span><span dir="LTR" style="mso-bidi-language:FA">PPTP</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> كه براي انتقال </span><span dir="LTR" style="mso-bidi-language:FA">NetBEUI</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> روي يك شبكه بر پايه </span><span dir="LTR" style="mso-bidi-language:FA">IP</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> مناسب <span class="GramE">است .</span> <o:p></o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span dir="LTR" style="mso-bidi-language:FA">Layer 2 <br />Tunneling protocol</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language: FA"><span dir="RTL"></span> يا </span><span dir="LTR" style="mso-bidi-language: FA">L2TP</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language: FA"><span dir="RTL"></span> كه براي انتقال </span><span dir="LTR" style="mso-bidi-language: FA">IP </span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span>، </span><span dir="LTR" style="mso-bidi-language:FA">IPX</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br />يا </span><span dir="LTR" style="mso-bidi-language:FA">NetBEUI</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br />روي هر رسانه دلخواه كه توان انتقال </span><span dir="LTR" style="mso-bidi-language: FA">Datagram</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language: FA"><span dir="RTL"></span> هاي نقطه به نقطه <span class="GramE">( <span lang="EN-US" dir="LTR">Point</span></span></span><span dir="LTR" style="mso-bidi-language: FA"> to point</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language: FA"><span dir="RTL"></span> ) را داشته باشد مناسب است . براي نمونه مي توان به </span><span dir="LTR" style="mso-bidi-language:FA">IP </span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span>، </span><span dir="LTR" style="mso-bidi-language:FA">X.25 </span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span>، </span><span dir="LTR" style="mso-bidi-language:FA">Frame Relay</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> يا </span><span dir="LTR" style="mso-bidi-language:FA">ATM</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> اشاره كرد . <o:p></o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span dir="LTR" style="mso-bidi-language:FA">IP <br />Security protocol</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language: FA"><span dir="RTL"></span> يا </span><span dir="LTR" style="mso-bidi-language: FA">Ipsec</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language: FA"><span dir="RTL"></span> كه براي انتقال داده هاي </span><span dir="LTR" style="mso-bidi-language:FA">IP</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> روي يك شبكه بر پايه </span><span dir="LTR" style="mso-bidi-language:FA">IP</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> مناسب <span class="GramE">است .</span> <o:p></o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA"><o:p> </o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA">-4.1.2 <br />پروتكل هاي درون تونل <o:p></o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span dir="LTR" style="mso-bidi-language:FA">Tunneling</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br />را مي توان روي دو لايه از لايه هاي </span><span dir="LTR" style="mso-bidi-language: FA">OSI</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> پياده <span class="GramE">كرد .</span> </span><span dir="LTR" style="mso-bidi-language:FA">PPTP</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> و </span><span dir="LTR" style="mso-bidi-language:FA">L2TP</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> از لايه 2 يعني پيوند داده <br />استفاده كرده و داده ها را در قالب </span><span dir="LTR" style="mso-bidi-language: FA">Frame</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language: FA"><span dir="RTL"></span> هاي پروتكل نقطه به نقطه <span class="GramE">( <span lang="EN-US" dir="LTR">PPP</span></span><span dir="RTL"></span><span dir="RTL"></span> <br /> <br />) بسته بندي مي كنند . در اين حالت مي توان از ويژگي هاي </span><span dir="LTR" style="mso-bidi-language:FA">PPP</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> همچون تعيين اعتبار كاربر ، <br />تخصيص آدرس پويا ( مانند </span><span dir="LTR" style="mso-bidi-language:FA">DHCP</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br />) ، فشرده سازي داده ها يا رمز گذاري داده ها بهره برد. <o:p></o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA">با توجه <br />به اهميت ايمني انتقال داده ها در</span><span dir="LTR" style="mso-bidi-language: FA">VPN</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> ، دراين ميان تعيين اعتبار كاربر نقش بسيار مهمي دارد . براي اين <br />كار معمولا” از </span><span dir="LTR" style="mso-bidi-language:FA">CHAP</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br />استفاده مي شود كه مشخصات كاربر را در اين حالت رمز گذاري شده جابه جا ميكند . </span><span dir="LTR" style="mso-bidi-language:FA">Call back</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> هم دسترسي به سطح <br />بعدي ايمني را ممكن مي <span class="GramE">سازد .</span> در اين روش پس از تعيين <br />اعتبار موفقيت آميز ، ارتباط قطع مي شود . سپس سرويس دهنده براي برقرار كردن <br />ارتباط جهت انتقال داده ها شماره گيري مي كند . هنگام انتقال داده ها ، </span><span dir="LTR" style="mso-bidi-language:FA">Packet</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> هاي </span><span dir="LTR" style="mso-bidi-language:FA">IP </span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span>، </span><span dir="LTR" style="mso-bidi-language:FA">IP X</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> يا </span><span dir="LTR" style="mso-bidi-language:FA">NetBEUI</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> در قالب </span><span dir="LTR" style="mso-bidi-language:FA">Frame</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> هاي </span><span dir="LTR" style="mso-bidi-language:FA">PPP</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> بسته بندي شده و <br />فرستاده مي شوند . </span><span dir="LTR" style="mso-bidi-language:FA">PPTP</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br /> <br />هم </span><span dir="LTR" style="mso-bidi-language:FA">Frame</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> هاي </span><span dir="LTR" style="mso-bidi-language:FA">PPP</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> را پيش از ارسال روي <br />شبكه بر پايه </span><span dir="LTR" style="mso-bidi-language:FA">IP</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br />به سوي كامپيوتر مقصد ، در قالب </span><span dir="LTR" style="mso-bidi-language: FA">Packet</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language: FA"><span dir="RTL"></span> هاي </span><span dir="LTR" style="mso-bidi-language: FA">IP</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> بسته بندي مي <span class="GramE">كند .</span> اين پروتكل در سال <br />1996 از سوي شركت هايي چون مايكرو سافت ، </span><span dir="LTR" style="mso-bidi-language: FA">Ascend </span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language: FA"><span dir="RTL"></span>، </span><span dir="LTR"></span><span dir="LTR" style="mso-bidi-language:FA"><span dir="LTR"></span>3 com</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> و </span><span dir="LTR" style="mso-bidi-language:FA">Robotics US</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> پايه گذاري شد . <br />محدوديت </span><span dir="LTR" style="mso-bidi-language:FA">PPTP</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br /> <br />در كار تنها روي شبكه هاي </span><span dir="LTR" style="mso-bidi-language:FA">IP</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br />باعث ظهور ايده اي در سال 1998 شد .</span><span dir="LTR" style="mso-bidi-language: FA">L2TP</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language: FA"><span dir="RTL"></span> روي </span><span dir="LTR" style="mso-bidi-language: FA">X.25 </span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language: FA"><span dir="RTL"></span>،</span><span dir="LTR" style="mso-bidi-language:FA">Frame <br />Relay</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> يا </span><span dir="LTR" style="mso-bidi-language:FA">ATM</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br />هم كار مي كند . برتري </span><span dir="LTR" style="mso-bidi-language:FA">L2TP</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br /> <br />در برابر </span><span dir="LTR" style="mso-bidi-language:FA">PPTP</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br />اين است كه به طور مستقيم روي رسانه هاي گوناگون </span><span dir="LTR" style="mso-bidi-language:FA">WAN</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> قابل انتقال است . <o:p></o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA"><o:p> </o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA">4.1.3 - </span><span dir="LTR" style="mso-bidi-language:FA">VPN-Ipsec</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> فقط براي اينترنت <o:p></o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span dir="LTR" style="mso-bidi-language:FA">Ipsec</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br />برخلاف</span><span dir="LTR" style="mso-bidi-language:FA">PPTP</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br />و </span><span dir="LTR" style="mso-bidi-language:FA">L2TP</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> روي لايه شبكه يعني <br />لايه سوم كار مي <span class="GramE">كند .</span> اين پروتكل داده هايي كه بايد <br />فرستاده شود را همراه با همه اطلاعات جانبي مانند گيرنده و پيغام هاي وضعيت رمز <br />گذاري كرده و به آن يك </span><span dir="LTR" style="mso-bidi-language:FA">IP <br />Header</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> معمولي اضافه كرده و به آن سوي تونل مي فرستد . <o:p></o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA">كامپيوتري <br />كه در آن سو قرار دارد </span><span dir="LTR" style="mso-bidi-language:FA">IP <br />Header</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> را جدا كرده ، داده ها را رمز گشايي كرده و آن را به كامپيوتر <br />مقصد مي فرستد .</span><span dir="LTR" style="mso-bidi-language:FA">Ipsec</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br />را مي توان با دو شيوه </span><span dir="LTR" style="mso-bidi-language:FA">Tunneling</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br />پيكر بندي كرد . در اين شيوه انتخاب اختياري تونل ، سرويس گيرنده نخست يك ارتباط <br />معمولي با اينترنت برقرار مي كند و سپس از اين مسير براي ايجاد اتصال مجازي به <br />كامپيوتر مقصد استفاده مي كند . براي اين منظور ، بايد روي كامپيوتر سرويس گيرنده <br />پروتكل تونل نصب شده باشد . معمولا” كاربر اينترنت است كه به اينترنت وصل مي شود . <br />اما كامپيوترهاي درون </span><span dir="LTR" style="mso-bidi-language:FA">LAN</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br />هم مي توانند يك ارتباط </span><span dir="LTR" style="mso-bidi-language:FA">VPN</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br />برقرا كنند . از آنجا كه ارتباط </span><span dir="LTR" style="mso-bidi-language: FA">IP</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> از پيش موجود است تنها برقرار كردن ارتباط </span><span dir="LTR" style="mso-bidi-language:FA">VPN</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> كافي است . در شيوه تونل <br />اجباري ، سرويس گيرنده نبايد تونل را ايجاد كند بلكه اين كار ار به عهده فراهم ساز <br />(</span><span dir="LTR" style="mso-bidi-language:FA">Service provider</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br /> <br />) است . سرويس گيرنده تنها بايد به </span><span dir="LTR" style="mso-bidi-language: FA">ISP</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> وصل شود . تونل به طور خودكار از فراهم ساز تا ايستگاه مقصد وجود <br />دارد . البته براي اين كار بايد همانگي هاي لازم با </span><span dir="LTR" style="mso-bidi-language:FA">ISP</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> انجام بگيرد .ٍ <o:p></o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA"><o:p> </o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA">ويژگي هاي <br />امنيتي در </span><span dir="LTR" style="mso-bidi-language:FA">IPsec</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br /><o:p></o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span dir="LTR" style="mso-bidi-language:FA">Ipsec</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br /> <br />از طريق </span><span dir="LTR" style="mso-bidi-language:FA">Authentication Header <br /><span class="GramE">( AH</span></span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> ) مطمئن مي شود كه </span><span dir="LTR" style="mso-bidi-language:FA">Packet</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> هاي دريافتي از سوي <br />فرستنده واقعي ( و نه از سوي يك نفوذ كننده كه قصد رخنه دارد ) رسيده و محتويات <br />شان تغيير نكرده . </span><span dir="LTR" style="mso-bidi-language:FA">AH</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br />اطلاعات مربوط به تعيين اعتبار و يك شماره توالي (</span><span dir="LTR" style="mso-bidi-language:FA">Seguence <span class="GramE">Number<span dir="RTL"></span><span lang="FA" dir="RTL"><span dir="RTL"></span> )</span></span></span><span lang="FA" style="mso-bidi-language:FA"> در خود دارد تا از حملات </span><span dir="LTR" style="mso-bidi-language:FA">Replay</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> جلوگيري كند . اما </span><span dir="LTR" style="mso-bidi-language:FA">AH</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> رمز گذاري نمي شود . <br />رمز گذاري از طريق </span><span dir="LTR" style="mso-bidi-language:FA">Encapsulation <br />Security Header</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language: FA"><span dir="RTL"></span> يا </span><span dir="LTR" style="mso-bidi-language: FA">ESH</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> انجام مي گيرد . در اين شيوه داده هاي اصلي رمز گذاري شده و </span><span dir="LTR" style="mso-bidi-language:FA">VPN</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> اطلاعاتي را از طريق </span><span dir="LTR" style="mso-bidi-language:FA">ESH</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> ارسال مي كند . <o:p></o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span dir="LTR" style="mso-bidi-language:FA">ESH</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br />همچنين كاركرد هايي براي تعيين اعتبار و خطايابي <span class="GramE">دارد .</span> <br />به اين ترتيب ديگر به </span><span dir="LTR" style="mso-bidi-language:FA">AH</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br />نيازي نيست . براي رمز گذاري و تعيين اعتبار روش مشخص و ثابتي وجود ندارد اما با <br />اين همه ، </span><span dir="LTR" style="mso-bidi-language:FA">IETF</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br />براي حفظ سازگاري ميان محصولات مختلف ، الگوريتم هاي اجباري براي پياده سازي </span><span dir="LTR" style="mso-bidi-language:FA">Ipsec</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> تدارك ديده . براي <br />نمونه مي توان به </span><span dir="LTR" style="mso-bidi-language:FA">MD5 </span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span>، <br /> <br /></span><span dir="LTR" style="mso-bidi-language:FA">DES</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> يا </span><span dir="LTR" style="mso-bidi-language:FA">Secure Hash Algorithm</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> اشاره كرد . مهمترين <br />استانداردها و روش هايي كه در </span><span dir="LTR" style="mso-bidi-language: FA">Ipsec</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language: FA"><span dir="RTL"></span> به كار مي روند عبارتند از : <o:p></o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA">• </span><span dir="LTR" style="mso-bidi-language:FA">Diffie-Hellman</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> براي مبادله كليد ها <br />ميان ايستگاه هاي دو سر ارتباط . <o:p></o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA">• رمز <br />گذاري </span><span dir="LTR" style="mso-bidi-language:FA">Public Key</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br />براي ثبت و اطمينان از كليدهاي مبادله شده و همچنين اطمينان از هويت ايستگاه هاي <br />سهيم در ارتباط . <o:p></o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA">• <br />الگوريتم هاي رمز گذاري مانند </span><span dir="LTR" style="mso-bidi-language: FA">DES</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> براي اطمينان از درستي داده هاي انتقالي . <o:p></o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA">• <br />الگوريتم هاي درهم ريزي ( </span><span dir="LTR" style="mso-bidi-language:FA">Hash</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br />) براي تعيين اعتبار تك تك </span><span dir="LTR" style="mso-bidi-language:FA">Packet</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br /> <br />ها . <o:p></o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA">• امضاهاي <br />ديجيتال براي تعيين اعتبارهاي ديجيتالي . <o:p></o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA"><o:p> </o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA">4.1.5 - </span><span dir="LTR" style="mso-bidi-language:FA">Ipsec</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> بدون تونل <o:p></o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span dir="LTR" style="mso-bidi-language:FA">Ipsec</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br />در مقايسه با ديگر روش ها يك برتري ديگر هم دارد و آن اينست كه مي تواند همچون يك <br />پروتكل انتقال معمولي به كار <span class="GramE">برود .</span> <o:p></o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA">در اين <br />حالت برخلاف حالت </span><span dir="LTR" style="mso-bidi-language:FA">Tunneling</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br />همه </span><span dir="LTR" style="mso-bidi-language:FA">IP packet</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br />رمز گذاري و دوباره بسته بندي نمي شود . بجاي آن ، تنها داده هاي اصلي رمزگذاري مي <br />شوند و </span><span dir="LTR" style="mso-bidi-language:FA">Header</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br />همراه با آدرس هاي فرستنده و گيرنده باقي مي ماند . اين باعث مي شود كه داده هاي <br />سرباز ( </span><span dir="LTR" style="mso-bidi-language:FA">Overhead</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br />) كمتري جابجا شوند و بخشي از پهناي باند آزاد شود . اما روشن است كه در اين وضعيت <br />، خرابكاران مي توانند به مبدا و مقصد داده ها پي ببرند . از آنجا كه در مدل </span><span dir="LTR" style="mso-bidi-language:FA">OSI</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> داده ها از لايه 3 به <br />بالا رمز گذاري مي شوند خرابكاران متوجه نمي شوند كه اين داده ها به ارتباط با <br />سرويس دهنده </span><span dir="LTR" style="mso-bidi-language:FA">Mail</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br /> <br />مربوط مي شود يا به چيز ديگر . <o:p></o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA"><o:p> </o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA">4.1.6 – <br />جريان يك ارتباط </span><span dir="LTR" style="mso-bidi-language:FA">Ipsec</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br /><o:p></o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA">بيش از آن <br />كه دو كامپيوتر بتوانند از طريق </span><span dir="LTR" style="mso-bidi-language: FA">Ipsec</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language: FA"><span dir="RTL"></span> داده ها را ميان خود جابجا كنند بايد يكسري كارها انجام <br />شود . <o:p></o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA">• نخست <br />بايد ايمني برقرار شود . براي اين منظور ، كامپيوترها براي يكديگر مشخص مي كنند كه <br />آيا رمز گذاري ، تعيين اعتبار و تشخيص خطا يا هر سه آنها بايد انجام بگيرد يا نه . <br /> <br /><o:p></o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA">• سپس <br />الگوريتم را مشخص مي كنند ، مثلا” </span><span dir="LTR" style="mso-bidi-language: FA">DEC</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> براي رمزگذاري و </span><span dir="LTR" style="mso-bidi-language: FA">MD5</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> براي خطايابي. <o:p></o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA">• در گام <br />بعدي ، كليدها را ميان خود مبادله مي كنند . <o:p></o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span dir="LTR" style="mso-bidi-language:FA">Ipsec</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br />براي حفظ ايمني ارتباط از </span><span dir="LTR" style="mso-bidi-language:FA">Security <br />Association (<span class="GramE">SA<span dir="RTL"></span><span lang="FA" dir="RTL"><span dir="RTL"></span> )</span></span></span><span lang="FA" style="mso-bidi-language: FA"> استفاده مي كند . </span><span dir="LTR" style="mso-bidi-language:FA">SA</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br /> <br />چگونگي ارتباط ميان دو يا چند ايستگاه و سرويس هاي ايمني را مشخص مي <span class="GramE">كند .</span> </span><span dir="LTR" style="mso-bidi-language:FA">SA</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br />ها از سوي </span><span dir="LTR" style="mso-bidi-language:FA">SPI <span class="GramE">( Security</span> parameter Index</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> ) شناسايي مي شوند . </span><span dir="LTR" style="mso-bidi-language:FA">SPI</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> از يك عدد تصادفي و <br />آدرس مقصد تشكيل مي <span class="GramE">شود .</span> اين به آن معني است كه همواره <br />ميان دو كامپيوتر دو </span><span dir="LTR" style="mso-bidi-language:FA">SPI</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br /> <br />وجود دارد : <o:p></o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA">يكي براي <br />ارتباط </span><span dir="LTR" style="mso-bidi-language:FA">A</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> و </span><span dir="LTR" style="mso-bidi-language:FA">B</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> و يكي براي ارتباط </span><span dir="LTR" style="mso-bidi-language:FA">B</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> به </span><span dir="LTR" style="mso-bidi-language:FA">A</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> . اگر يكي از كامپيوترها <br />بخواهد در حالت محافظت شده داده ها را منتقل كند نخست شيوه رمز گذاري مورد توافق <br />با كامپيوتر ديگر را بررسي كرده و آن شيوه را روي داده ها اعمال مي كند . سپس </span><span dir="LTR" style="mso-bidi-language:FA">SPI</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> را در </span><span dir="LTR" style="mso-bidi-language:FA">Header</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> نوشته و </span><span dir="LTR" style="mso-bidi-language:FA">Packet</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> را به سوي مقصد مي <br />فرستد . <o:p></o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA"><o:p> </o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA">4.1.7 - <br />مديريت كليدهاي رمز در </span><span dir="LTR" style="mso-bidi-language:FA">Ipsec</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br /><o:p></o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA">اگر چه </span><span dir="LTR" style="mso-bidi-language:FA">Ipsec</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> فرض را بر اين مي <br />گذارد كه توافقي براي ايمني داده ها وجود دارد اما خودش براي ايجاد اين توافق نمي <br />تواند كاري انجام بدهد . <o:p></o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span dir="LTR" style="mso-bidi-language:FA">Ipsec</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br />در اين كار به </span><span dir="LTR" style="mso-bidi-language:FA">IKE <span class="GramE">( Internet</span> Key Exchange</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> ) تكيه مي كند كه <br />كاركردي همچون </span><span dir="LTR" style="mso-bidi-language:FA">IKMP ( Key <br />Management Protocol</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language: FA"><span dir="RTL"></span> ) دارد. براي ايجاد </span><span dir="LTR" style="mso-bidi-language:FA">SA</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> هر دو كامپيوتر بايد نخست <br />تعيين اعتبار شوند . در حال حاضر براي اين كار از راه هاي زير استفاده مي شود : <o:p></o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA">• </span><span dir="LTR" style="mso-bidi-language:FA">Pre shared keys</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> : روي هر دو كامپيوتر <br />يك كليد نصب مي شود كه </span><span dir="LTR" style="mso-bidi-language:FA">IKE</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br />از روي آن يك عدد </span><span dir="LTR" style="mso-bidi-language:FA">Hash</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br />ساخته و آن را به سوي كامپيوتر مقصد مي فرستد . اگر هر دو كامپيوتر بتوانند اين <br />عدد را بسازند پس هر دو اين كليد دارند و به اين ترتيب تعيين هويت انجام مي گيرد . <br /><o:p></o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA">• رمز <br />گذاري </span><span dir="LTR" style="mso-bidi-language:FA">Public Key</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br />: هر كامپيوتر يك عدد تصادفي ساخته و پس از رمز گذاري آن با كليد عمومي كامپيوتر <br />مقابل ، آن را به كامپيوتر مقابل مي فرستد .اگر كامپيوتر مقابل بتواند با كليد <br />شخصي خود اين عدد را رمز گشايي كرده و باز پس بفرستد برا ي ارتباط مجاز است . در <br />حال حاضر تنها از روش </span><span dir="LTR" style="mso-bidi-language:FA">RSA</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br /> <br />براي اين كار پيشنهاد مي شود . <o:p></o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA">• امضاء <br />ديجيتال : در اين شيوه ، هر كامپيوتر يك رشته داده را علامت گذاري ( امضاء ) كرده <br />و به كامپيوتر مقصد مي فرستد . در حال حاضر براي اين كار از روش هاي </span><span dir="LTR" style="mso-bidi-language:FA">RSA</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> و </span><span dir="LTR" style="mso-bidi-language:FA">DSS ( Digital Singature Standard</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br />) استفاده مي شود . براي امنيت بخشيدن به تبادل داده ها بايد هر دو سر ارتبا طنخست <br />بر سر يك يك كليد به توافق مي رسند كه براي تبادل داده ها به كار مي رود . برا ي <br />اين منظور مي توان همان كليد به دست آمده از طريق </span><span dir="LTR" style="mso-bidi-language:FA">Diffie Hellman</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> را به كاربرد كه سريع <br />تر است يا يك كليد ديگر ساخت كه مطمئن تر است . <o:p></o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA"><o:p> </o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA">4.1.8 – <br />خلاصه <o:p></o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA">تبادل <br />داده ها روي اينرنت چندان ايمن نيست . تقريبا” هر كسي كه در جاي مناسب قرار داشته <br />باشد مي تواند جريان داده ها را زير نظر گرفته و از آنها سوء استفاده كند . شبكه <br />هاي شخصي مجازي يا </span><span dir="LTR" style="mso-bidi-language:FA">VPN</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br />ها كار نفوذ را برا ي خرابكاران خيلي سخت مي كند<o:p></o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span dir="LTR" style="mso-bidi-language:FA">VPN</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br />با ويندوز <o:p></o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA"><o:p> </o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA">استفاده <br />از اينترنت به عنوان بستر انتقال داده ها هر روزگسترش بيشتري پيدا مي كند . باعث <br />مي شود تا مراجعه به سرويس دهندگان وب و سرويس هاي </span><span dir="LTR" style="mso-bidi-language:FA">Email</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> هر روز بيشتر شود . با كمي <br />كار مي توان حتي دو كامپيوتر را كه در دو قاره مختلف قرار دارند به هم مرتبط كرد . <br />پس از برقراري اين ارتباط ،‌هر كامپيوتر،كامپيوتر ديگر را طوري مي بيند كه گويا در <br />شبكه محلي خودش قرار دارد. از اين رهگذر ديگر نيازي به ارسال داده ها از طريق <br />سرويس هايي مانند </span><span dir="LTR" style="mso-bidi-language:FA">Email</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br /> <br />نخواهند بود. تنها اشكال اين كار اين است كه در صورت عدم استفاده از كاركردهاي <br />امنيتي مناسب،‌كامپيوترها كاملا در اختيار خرابكارن قرار مي گيرند. </span><span class="GramE"><span dir="LTR" style="mso-bidi-language:FA">VPN</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> ها مجموعه اي از <br />سرويس هاي امنيتي ردر برابراين عمليات رافراهم مي كنند.</span></span><span lang="FA" style="mso-bidi-language:FA"> در بخش قبلي با چگونگي كار </span><span dir="LTR" style="mso-bidi-language:FA">VPN</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> ها آشنا شديد و در <br />اينجا به شما نشان مي دهيم كه چگونه مي توان در ويندوز يك </span><span dir="LTR" style="mso-bidi-language:FA">VPN</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> شخصي راه انداخت. براي اين <br />كار به نرم افزار خاصي نياز نيست چون مايكروسافت همه چيزهاي لازم را در سيستم عامل <br />گنجانده يا در پايگاه اينترنتي خود به رايگان در اختيار همه گذاشته. <o:p></o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA"><o:p> </o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA">پيش <br />نيازها <o:p></o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA">براي <br />اينكه دو كامپيوتر بر پايه ويندوز بتواند از طريق </span><span dir="LTR" style="mso-bidi-language:FA">VPN</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> به هم مرتبط شوند دست كم يكي <br />از آنها بايد به ويندوز </span><span dir="LTR" style="mso-bidi-language:FA">NT</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br />يا 2000 كار كند تا نقش سرويس دهنده </span><span dir="LTR" style="mso-bidi-language: FA">VPN</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> را به عهده بگيرد. ويندوز هاي 9</span><span dir="LTR" style="mso-bidi-language:FA">x</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> يا </span><span dir="LTR" style="mso-bidi-language:FA">Me</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> تنها مي توانند سرويس گيرنده </span><span dir="LTR" style="mso-bidi-language:FA">VPN</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> باشند. سرويس دهنده </span><span dir="LTR" style="mso-bidi-language:FA">VPN</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> بايد يك </span><span dir="LTR" style="mso-bidi-language:FA">IP</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> ثابت داشته باشد. <br />روشن است كه هر دو كامپيوتر بايد به اينترنت متصل باشند. فرقي نمي كند كه اين <br />اتصال از طريق خط تلفن و مودم باشد يا شبكه محلي. </span><span class="GramE"><span dir="LTR" style="mso-bidi-language:FA">IP</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> در سرويس دهنده </span><span dir="LTR" style="mso-bidi-language:FA">VPN</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> بايد مجاز (</span><span dir="LTR" style="mso-bidi-language:FA">Valid</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span>) باشد تا سرويس <br />گيرنده بتواند يك مستقيما آن را ببيند.</span></span><span lang="FA" style="mso-bidi-language:FA"> در شبكه هاي محلي كه اغلب از </span><span dir="LTR" style="mso-bidi-language:FA">IP</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> هاي شخصي (192.168.</span><span dir="LTR" style="mso-bidi-language:FA">x.x</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span>) استفاده مي شود </span><span dir="LTR" style="mso-bidi-language:FA">VPN</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> را بايد روي شبكه <br />ايجاد كرد تا ايمني ارتباط بين ميان كامپيوترها تامين شود. اگر سرويس گيرنده </span><span dir="LTR" style="mso-bidi-language:FA">VPN</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> با ويندوز 95 كار مي <br />كند نخست بايد </span><span dir="LTR" style="mso-bidi-language:FA">Dial up <br />Networking Upgrade 1.3</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> را از سايت مايكروسافت برداشت <br />كرده و نصب كنيد. اين مجموعه برنامه راه اندازهاي لازم براي </span><span dir="LTR" style="mso-bidi-language:FA">VPN</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> را در خود دارد . البته <br />مايكروسافت پس از </span><span dir="LTR" style="mso-bidi-language:FA">Upgrade 1.3 <br />Networking Dial up</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language: FA"><span dir="RTL"></span> نگارش هاي تازه تري نيز عرضه كرده كه بنا بر گفته خودش <br />ايمني و سرعت ارتباط </span><span dir="LTR" style="mso-bidi-language:FA">VPN</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br /> <br />را بهبود بخشيده است . <o:p></o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA"><o:p> </o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA">نصب سرويس <br />دهنده </span><span dir="LTR" style="mso-bidi-language:FA">VPN</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br /><o:p></o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA">روي <br />كامپيوتر بر پايه ويندوز </span><span dir="LTR" style="mso-bidi-language:FA">NT</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br />نخست بايد در بخش تنظيمات شبكه، راه انداز </span><span dir="LTR" style="mso-bidi-language: FA">Point to Point Tunneling</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> را نصب كنيد. هنگام اين كار، <br />شمار ارتباط هاي همزمان </span><span dir="LTR" style="mso-bidi-language:FA">VPN</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br /> <br />پرسيده مي شود. در سرويس دهنده هاي </span><span dir="LTR" style="mso-bidi-language: FA">NT</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> اين عدد مي تواند حداكثر 256 باشد. در ايستگاه كاري </span><span dir="LTR" style="mso-bidi-language:FA">NT</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span>،‌ اين عدد بايد 1 <br />باشد چون اين سيستم عامل تنها اجازه يك ارتباط </span><span dir="LTR" style="mso-bidi-language:FA">RAS</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> را مي دهد. از آنجا كه ارتباط <br /></span><span dir="LTR" style="mso-bidi-language:FA">VPN</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> در قالب </span><span dir="LTR" style="mso-bidi-language:FA">Remote Access</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> برقرار مي شود ويندوز <br /></span><span dir="LTR" style="mso-bidi-language:FA">NT</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> به طور خودكار پنجره <br />پيكر بندي </span><span dir="LTR" style="mso-bidi-language:FA">RAS</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br /> <br />را باز مي كند. اگر </span><span dir="LTR" style="mso-bidi-language:FA">RAS</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br />هنوز نصب نشده باشد ويندوز </span><span dir="LTR" style="mso-bidi-language:FA">NT</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br />آن را نصب مي كند. هنگام پيكربندي بايد </span><span dir="LTR" style="mso-bidi-language: FA">VPN Adapter</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language: FA"><span dir="RTL"></span> را به پورت هاي شماره گيري اضافه كنيد. اگر مي خواهيد <br />كه چند ارتباط </span><span dir="LTR" style="mso-bidi-language:FA">VPN</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br />داشته باشيد بايد اين كار را براي هر يك از </span><span dir="LTR" style="mso-bidi-language:FA">VPN Adapter</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> ها انجام دهيد . <o:p></o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA"><o:p> </o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA">پيكربندي <br />سرويس دهنده </span><span dir="LTR" style="mso-bidi-language:FA">RAS</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br /><o:p></o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA">اكنون <br />بايد </span><span dir="LTR" style="mso-bidi-language:FA">VPN Adapter</span><span lang="FA" style="mso-bidi-language:FA">را به گونه اي پيكربندي كنيد كه ارتباطات به <br />سمت درون (</span><span dir="LTR" style="mso-bidi-language:FA">incoming</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span>) <br />اجازه بدهد. نخست بايد پروتكل هاي مجاز براي اين ارتباط را مشخص كنيد . همچنين <br />بايد شيوه رمز گذاري را تعيين كرده و بگوييد كه آياسرويس دهنده تنها اجازه دسترسي <br />به كامپيوترهاي موجود در شبكه كامپيوتر ويندوز </span><span dir="LTR" style="mso-bidi-language:FA">NT</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span>، در اين وضيعت، سرويس دهنده </span><span dir="LTR" style="mso-bidi-language:FA">VPN</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> مي تواند كار مسير <br />يابي را هم انجام دهد. براي بالاتر بردن ايمني ارتباط، مي توانيد </span><span dir="LTR" style="mso-bidi-language:FA">NetBEUI</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> را فعال كرده و از <br />طريق آن به كامپيوترهاي دور اجازدسترسي به شبكه خود را بدهيد. سرويس گيرنده، شبكه <br />و سرويس هاي اينترنتي مربوط به سرويس دهنده </span><span dir="LTR" style="mso-bidi-language:FA">VPN</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> را نمي بينيد . براي راه <br />انداختن </span><span dir="LTR" style="mso-bidi-language:FA">TCP/IP</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br /> <br />همراه با </span><span dir="LTR" style="mso-bidi-language:FA">VPN</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br />چند تنظيم ديگر لازم است. اگر سرويس دهنده </span><span dir="LTR" style="mso-bidi-language: FA">DHCP</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language: FA"><span dir="RTL"></span> نداريد بايد به طور دستي يك فضاي آدرس(</span><span dir="LTR" style="mso-bidi-language:FA">Adress Pool ) IP</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> را مشخص كنيد. به <br />خاطر داشته باشيد كه تنها بايد از </span><span dir="LTR" style="mso-bidi-language: FA">IP</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> هاي شخصي (</span><span dir="LTR" style="mso-bidi-language:FA">Private</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span>) <br />استفاده كنيد. <o:p></o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA">اين فضاي <br />آدرس بايد دست كم 2 آدرس داشته باشد ،‌يكي براي سرويس دهنده </span><span dir="LTR" style="mso-bidi-language:FA">VPN</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> و ديگري براي سرويس گيرنده </span><span dir="LTR" style="mso-bidi-language:FA">VPN</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> . هر كار بر بايد <br />براي دسترسي به سرويس دهنده از طريق </span><span dir="LTR" style="mso-bidi-language: FA">VPN</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> مجوز داشته باشد. براي اين منظور بايد در </span><span dir="LTR" style="mso-bidi-language:FA">User Manager</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> در بخش </span><span dir="LTR" style="mso-bidi-language:FA">Dialing</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> اجازه دسترسي از دور <br />را بدهيد . به عنوان آخرين كار،</span><span dir="LTR" style="mso-bidi-language: FA">Remote Access Server</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> را اجرا كنيد تا ارتباط </span><span dir="LTR" style="mso-bidi-language:FA">VPN</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> بتواند ايجاد شود. <o:p></o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA">سرويس <br />گيرنده </span><span dir="LTR" style="mso-bidi-language:FA">VPN</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br />روي ويندوز </span><span dir="LTR" style="mso-bidi-language:FA">NT</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br /><o:p></o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA">نصب سرويس <br />گيرنده </span><span dir="LTR" style="mso-bidi-language:FA">VPN</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br />روي ويندوز </span><span dir="LTR" style="mso-bidi-language:FA">NT</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br />شبيه راه اندازي سرويس دهنده </span><span dir="LTR" style="mso-bidi-language:FA">VPN</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br /> <br />است بنابراين نخست بايد 4 مرحله گفته شده براي راه اندازي سرويس دهنده </span><span dir="LTR" style="mso-bidi-language:FA">VPN</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> را انجام بدهيد،‌ <br />يعني: <o:p></o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA">. نصب </span><span dir="LTR" style="mso-bidi-language:FA">PPTP</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <o:p></o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA">. تعيين <br />شمار ارتباط ها <o:p></o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA">. اضافه <br />كردن </span><span dir="LTR" style="mso-bidi-language:FA">VPN</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> به عنوان دستگاه <br />شماره گيري <o:p></o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA">. پيكر <br />بندي </span><span dir="LTR" style="mso-bidi-language:FA">VPN Adapter</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br />در </span><span dir="LTR" style="mso-bidi-language:FA">RAS</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span>، تنها تفاوت در پيكر <br />بندي </span><span dir="LTR" style="mso-bidi-language:FA">VPN Adapter</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br />آن است كه بايد به جاي ارتباط هاي به سمت درون به ارتباط هاي به سمت بيرون (</span><span dir="LTR" style="mso-bidi-language:FA">out going</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span>) اجاز ه بدهيد . <o:p></o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA">. سپس <br />تنظيمات را ذخيره كرده و كامپيوتر را بوت كنيد. در گام بعدي، در بخش </span><span dir="LTR" style="mso-bidi-language:FA">Networking</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> يك ارتباط(</span><span dir="LTR" style="mso-bidi-language:FA">Connection</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span>) تلفني بسازيد . به <br />عنوان دستگاه شماره گير يا همان مودم بايد </span><span dir="LTR" style="mso-bidi-language: FA">VPN Adapter</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language: FA"><span dir="RTL"></span> را انتخاب كرده و بجاي شماره تلفن تماس، </span><span dir="LTR" style="mso-bidi-language:FA">IP</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> مربوط به سرويس دهنده <br /> <br /></span><span dir="LTR" style="mso-bidi-language:FA">VPN</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> را وارد كنيد. در <br />اينجا پيكر بندي سرويس گيرنده </span><span dir="LTR" style="mso-bidi-language: FA">VPN</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> روي ويندوز </span><span dir="LTR" style="mso-bidi-language:FA">NT</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br />به پايان مي رسد و شبكه هاي شخصي مجازي ساخته مي شود. <o:p></o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA"><o:p> </o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA">سرويس <br />گيرنده </span><span dir="LTR" style="mso-bidi-language:FA">VPN</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br />روي ويندوز 2000 <o:p></o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA">راه <br />اندازي سرويس گيرنده </span><span dir="LTR" style="mso-bidi-language:FA">VPN</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br />ساده تر و كم زحمت تر از سرويس دهنده آن است. در ويندوز 2000 به بخش مربوط به <br />تنظيمات شبكه رفته يك </span><span dir="LTR" style="mso-bidi-language:FA">Connection</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br />تازه بسازيد. <o:p></o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA"><o:p> </o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA">گام نخست <br />: </span><span dir="LTR" style="mso-bidi-language:FA">Assistant</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br />در ويندوز 2000 پيكر بندي </span><span dir="LTR" style="mso-bidi-language:FA">VPN</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br /> <br />را بسيار ساده كرده. <o:p></o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA">به طور <br />معمول بايد آدرس </span><span dir="LTR" style="mso-bidi-language:FA">IP</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br />مربوط به سرويس دهنده </span><span dir="LTR" style="mso-bidi-language:FA">VPN</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br />ر اداشته باشد. در اينجا بايد همان </span><span dir="LTR" style="mso-bidi-language: FA">IP</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> معمولي را وارد كنيد و نه </span><span dir="LTR" style="mso-bidi-language: FA">IP</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> مربوط به شبكه </span><span dir="LTR" style="mso-bidi-language: FA">VPN</span><span lang="FA" style="mso-bidi-language:FA">را، با اين كار ، </span><span dir="LTR" style="mso-bidi-language:FA">VPN</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> پيكر بندي شده و <br />ارتباط بر قرار مي شود. <o:p></o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA">براي <br />تعيين صلاحيت، بايد نام كاربري و رمز عبور را وارد كنيد كه اجازه دسترسي از طريق </span><span dir="LTR" style="mso-bidi-language:FA">Remote Access</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> را داشته باشيد. <br />ويندوز 2000 بي درنگ ارتباط برقرار كرده و شبكه مجازي كامل مي شود. <o:p></o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA"><o:p> </o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA">گام دوم: <br />كافي است آدرس </span><span dir="LTR" style="mso-bidi-language:FA">IP</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br />مربوط به سرويس دهنده </span><span dir="LTR" style="mso-bidi-language:FA">VPN</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br />را وارد كنيد. <o:p></o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA"><o:p> </o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA">گام سوم: <br />در پايان فقط كافي است خود را معرفي كنيد. <o:p></o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA"><o:p> </o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA">سرويس <br />گيرنده </span><span dir="LTR" style="mso-bidi-language:FA">VPN</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br />روي ويندوز 9</span><span dir="LTR" style="mso-bidi-language:FA">x</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br /><o:p></o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA">نصب سرويس <br />گيرنده </span><span dir="LTR" style="mso-bidi-language:FA">VPN</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br /> <br />روي ويندوز هاي 95، 98 و </span><span dir="LTR" style="mso-bidi-language:FA">SE 98</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br />مانند هم است . نخست بايد پشتيباني از </span><span dir="LTR" style="mso-bidi-language: FA">VPN</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> فعال شود. در اينجا بر خلاف ويندوز </span><span dir="LTR" style="mso-bidi-language:FA">NT</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> به جاي اضافه كردن پروتكل بايد <br />يك كارت شبكه نصب كنيد. ويندوز </span><span dir="LTR" style="mso-bidi-language: FA">x 9</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> همه عناصر لازم را نصب مي كند. به اين ترتيب كار نصب راه اندازاها <br />را هم كامل مي گردد. در قدم بعدي بايد </span><span dir="LTR" style="mso-bidi-language: FA">Dialup adapter</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language: FA"><span dir="RTL"></span> يك </span><span dir="LTR" style="mso-bidi-language: FA">Connection</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language: FA"><span dir="RTL"></span> بسازيد. به عنوان دستگاه شمار گير بايد </span><span dir="LTR" style="mso-bidi-language:FA">VPN adapter</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> را معرفي كنيد. <o:p></o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA"><o:p> </o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA">گام نخست: <br />نصب </span><span dir="LTR" style="mso-bidi-language:FA">VPN adapter</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br /><o:p></o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA"><o:p> </o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA">گام دوم: <br />يك </span><span dir="LTR" style="mso-bidi-language:FA">Connection</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br />تازه روي </span><span dir="LTR" style="mso-bidi-language:FA">VPN dapter</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br /><o:p></o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA">در ويندوز <br /></span><span dir="LTR" style="mso-bidi-language:FA">x9</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span>، سيستم عامل </span><span dir="LTR" style="mso-bidi-language:FA">IP</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> مربوط به سرويس 90 <br />دهنده </span><span dir="LTR" style="mso-bidi-language:FA">VPN</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br />را در خواست مي كند. <o:p></o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA"><o:p> </o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA">گام سوم: <br />آدرس </span><span dir="LTR" style="mso-bidi-language:FA">IP</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> مربوط به سرويس دهنده <br /> <br /></span><span dir="LTR" style="mso-bidi-language:FA">VPN</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> را وارد كنيد. پيكر <br />بندي سرويس گيرنده </span><span dir="LTR" style="mso-bidi-language:FA">VPN</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br />در اينجا پايان يافته و ارتباط مي تواند برقرار شود. تنها كافي است كه نام كاربري <br />و رمز عبور را وارد كنيد. اكنون ويندوز به اينترنت وصل شده و تونل را مي سازد و <br />داده هاي خصوصي مي تواند حركت خود را آغاز كنند. <o:p></o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA"><o:p> </o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA">برنامه <br />هاي كمكي <o:p></o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA">اگر <br />بخواهيد براي نمونه از دفتر كار( سرويس گيرنده </span><span dir="LTR" style="mso-bidi-language:FA">VPN</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span>) به كامپيوتر خود در خانه ( <br />سرويس گيرنده </span><span dir="LTR" style="mso-bidi-language:FA">VPN</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span>) <br />وصل بشويد با دو مشكل روبرو خواهيد شد. نخست اينكه كامپيوتري كه در خانه داريد <br />پيوسته به اينترنت متصل نيست و ديگري اينكه سرويس گيرنده </span><span dir="LTR" style="mso-bidi-language:FA">VPN</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> به يك آدرس </span><span dir="LTR" style="mso-bidi-language:FA">IP</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> نياز دارد. اين </span><span dir="LTR" style="mso-bidi-language:FA">IP</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> را هنگامي كه از يك <br />شركت فراهم ساز (</span><span dir="LTR" style="mso-bidi-language:FA">ISP</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span>) <br />سرويس مي گيريد از پيش نمي دانيد چون به صورت پويا(</span><span dir="LTR" style="mso-bidi-language:FA">dynamic</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span>) به شما تخصيص داده مي شود. </span><span class="GramE"><span dir="LTR" style="mso-bidi-language:FA">Online Jack</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br /> <br />برنامه اي است كه براي هر دو مشكل راه حل دارد.</span></span><span lang="FA" style="mso-bidi-language:FA"> <o:p></o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span class="GramE"><span dir="LTR" style="mso-bidi-language: FA">Online Jack</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language: FA"><span dir="RTL"></span> يك برنامه كوچك است كه بايد روي كامپيوتر خانه نصب شود.</span></span><span lang="FA" style="mso-bidi-language:FA"> از دفتر كار خود مي توانيد از طريق سايت </span><span dir="LTR" style="mso-bidi-language:FA">Online Jack</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> و با نام كاربري و <br />رمز عبور به كامپيوتر خود در خانه متصل شويد. با اين كار، </span><span dir="LTR" style="mso-bidi-language:FA">IP</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> كه شركت فراهم ساز به شما <br />تخصيص داده مشخص مي شود كه از روي آن، سرويس گيرنده </span><span dir="LTR" style="mso-bidi-language:FA">VPN</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> پيكر بندي شده و كار خود را <br />آغاز مي كند. از اين دست برنامه هاي كمكي موارد زيادي وجود دارد كه با جستجو در <br />اينترنت مي توانيد آنها را بيابيد. <o:p></o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA"><o:p> </o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA">خلاصه <o:p></o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA">دامنه <br />كاربردي </span><span dir="LTR" style="mso-bidi-language:FA">VPN</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br />گسترده و گوناگون است. </span><span class="GramE"><span dir="LTR" style="mso-bidi-language: FA">VPN</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> را مي توان براي متصل كردن كاربران بيروني به شبكه محلي،‌ارتباط <br />دو كامپيوتر يا دو شبكه در دو شهر مختلف يا دسترسي از دفتر كار به كامپيوتر منزل <br />بكار برد.</span></span><span lang="FA" style="mso-bidi-language:FA"> <o:p></o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span class="GramE"><span dir="LTR" style="mso-bidi-language: FA">VPN</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> نه تنها داده ها را با ايمني بيشتر منتقل مي كند بلكه وقتي از آن <br />براي مرتبط كردن دو كامپيوتر دور از هم استفاده مي كنيم هزينه ها بسيار كاهش مي <br />يابد.</span></span><span lang="FA" style="mso-bidi-language:FA"> آخرين نكته اينكه <br />راه اندازي </span><span dir="LTR" style="mso-bidi-language:FA">VPN</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br /> <br />ساده و رايگان است.<o:p></o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA"><o:p> </o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA"><o:p> </o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA">با لينوكس <br />(1) <o:p></o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA">يكي از <br />توانايي هاي </span><span dir="LTR" style="mso-bidi-language:FA">VPN</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br />امكان كاربران دور از شبكه(</span><span dir="LTR" style="mso-bidi-language:FA">Remote</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span>) <br />در دسترسي به آ ن است . </span><span dir="LTR" style="mso-bidi-language:FA">IPsec</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br /> <br />در اين ميان نقش مهمي در فراهم كردن ايمني لازم براي داده ها <span class="GramE">دارد <br />.</span> يكي از مناسب ترين و به صرفه ترين وسيله ها در پياده سازي اين امكانات <br />لينوكس و </span><span dir="LTR" style="mso-bidi-language:FA">Free S/WAN</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br />كه در اين بخش به آن مي پردازيم . <o:p></o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA"><o:p> </o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span dir="LTR" style="mso-bidi-language:FA">IPsec</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br />و </span><span dir="LTR" style="mso-bidi-language:FA">Free S/WAN</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br /><o:p></o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA">اگر چه <br />لينوكس هم به دليل توانايي هاي خوب</span><span dir="LTR" style="mso-bidi-language: FA">Firewall</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language: FA"><span dir="RTL"></span> بستر بسيار مناسبي براي يك دروازه امنيتي(</span><span dir="LTR" style="mso-bidi-language:FA">Security Gateway</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span>) برپايه </span><span dir="LTR" style="mso-bidi-language:FA">IPsec</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> است مال خودش به طور <br />پيش فرض بخش هاي لازم براي </span><span dir="LTR" style="mso-bidi-language:FA">IPsec</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br />را به همراه ندارد. اين برنامه ها را مي توانيد در مجموعه </span><span dir="LTR" style="mso-bidi-language:FA">Free S/WAN</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> بيابيد. </span><span dir="LTR" style="mso-bidi-language:FA">Free S/WAN (www.fresswan.org</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span>) <br />در اصل مجمعي متشكل از برنامه نويسان زبده و تامين كنندگان مالي است كه برنامه هاي <br />ويژه لينوكس را فراهم مي كنند. برنامه </span><span dir="LTR" style="mso-bidi-language: FA">Free S/WAN</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language: FA"><span dir="RTL"></span> از دو بخش اصلي تشكيل شده يكي </span><span dir="LTR" style="mso-bidi-language:FA">KLIPS(Kernel IPsec</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> ) است كه پروتكل هاي <br />لازم را به </span><span dir="LTR" style="mso-bidi-language:FA">Kernel</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br /> <br />اضافه مي كند و ديگري </span><span dir="LTR" style="mso-bidi-language:FA">Daemon</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br />كه وظيفهبرقراري ارتباط و رمز گذاري را بر عهده دارد. <o:p></o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA">در اين <br />بخش مي بينيد كه </span><span dir="LTR" style="mso-bidi-language:FA">IPsec</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br />چگونه كار مي كند و چگونه بايد آن را به كمك </span><span dir="LTR" style="mso-bidi-language:FA">Free S/WAN</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> در لينوكس براي </span><span dir="LTR" style="mso-bidi-language:FA">VPN</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> پيكر بندي كرد. در <br />ادامه خواهيم گفت كه با </span><span dir="LTR" style="mso-bidi-language:FA">X.509</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br /> <br />چطور زير ساخت هاي لازم براي يك شركت پياده سازي مي شود. <o:p></o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA"><o:p> </o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA">نگاهي به </span><span dir="LTR" style="mso-bidi-language:FA">IPsec</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <o:p></o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span class="GramE"><span dir="LTR" style="mso-bidi-language: FA">IPsec</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language: FA"><span dir="RTL"></span> در اصل مجموعه اي از پروتكل ها و روش هايي است كه به <br />كمك آنها مي توان روي اينترنت يك ارتباط مطمئن و ايمن ايجاد كرد.</span></span><span lang="FA" style="mso-bidi-language:FA"> <o:p></o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA">جزييات </span><span dir="LTR" style="mso-bidi-language:FA">IPsec</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> يا </span><span dir="LTR" style="mso-bidi-language:FA">Internet Protocol Security</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br /> <br />در </span><span dir="LTR" style="mso-bidi-language:FA">RFC</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> هاي شماره 2401 تا <br />2410 آمده. </span><span class="GramE"><span dir="LTR" style="mso-bidi-language: FA">IPsec</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language: FA"><span dir="RTL"></span> براي اطمينان بخشيدن به ارتباط هاي اينترنتي از شيوه <br />هاي تعيين اعتبار و رمز گذاري داده ها استفاده مي كند.</span></span><span lang="FA" style="mso-bidi-language:FA"> براي اين منظور در لايه شبكه دو حالت <br />انتقال و دو لايه ايمني فراهم مي كند. <o:p></o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA"><o:p> </o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span dir="LTR" style="mso-bidi-language:FA">Transport</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br />در مقايسه با </span><span dir="LTR" style="mso-bidi-language:FA">Tunnel</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br /> <br /><o:p></o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA">در حالت </span><span dir="LTR" style="mso-bidi-language:FA">Transport</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> دو ميزبان به طور <br />مستقيم روي اينترنت با هم گفتگو مي كنند. در اين حالت مي توان </span><span dir="LTR" style="mso-bidi-language:FA">IPsec</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> را براي تعيين اعتبار <br />و همچنين يكپارچگي و درستي داده ها به كار برد. به كمك </span><span dir="LTR" style="mso-bidi-language:FA">IPsec</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> نه تنها مي توان از هويت طرف <br />گفتگو مطمئن شدبلكه مي توان نسبت به درستي و دست نخوردگي داده هاهم اطمينان حاصل <br />كرد . به كمك عملكرد رمز گذاري مي توان افزون بر آن خوانده شدن داده ها از سوي <br />افراد غير مجاز جلوگيري كرد. <o:p></o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA">اما از <br />آنجا كه در اين شيوه،‌ دو كامپيوتر به طور مستقيم داده ها را مبادله ميكنند نمي <br />توان مبدا و مقصد داده ها را پنهان كرد. از حالت </span><span dir="LTR" style="mso-bidi-language:FA">Tunnel</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> هنگامي كه استفاده مي شود كه <br />دست كم يكي از كامپيوترها به عنوان </span><span dir="LTR" style="mso-bidi-language: FA">Security Gateway</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language: FA"><span dir="RTL"></span> به كار برود. در اين وضعيت حداقل يكي از كامپيوترهايي <br />كه در گفتگو شركت مي كند در پشت </span><span dir="LTR" style="mso-bidi-language: FA">Gateway</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language: FA"><span dir="RTL"></span> قراردارد و در نتيجه ناشناس مي ماند. حتي اگر دو شبكه <br />از از طريق </span><span dir="LTR" style="mso-bidi-language:FA">Security Gateway</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br /> <br />هاي خود با هم داده مبادله كنند نمي توان از بيرون فهميد كه دقيقا كدام كامپيوتر <br />به تبادل داده مشغول است. در حالت </span><span dir="LTR" style="mso-bidi-language: FA">Tunnel</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language: FA"><span dir="RTL"></span> هم مي توان از كاركردهاي تعيين اعتبار ،كنترل درستي <br />داده ها و رمز گذاري بهره برد. <o:p></o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA"><o:p> </o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span dir="LTR" style="mso-bidi-language:FA">Authentication <br />Header</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <o:p></o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA">وظيفه </span><span dir="LTR" style="mso-bidi-language:FA">Authentication Header IP</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br />آن است كه داده هاي در حال انتقال بدون اجازه از سوي شخص سوم مورد دسترسي و تغيير <br />قرار نگيرد . براي اين منظور از روي </span><span dir="LTR" style="mso-bidi-language: FA">Header</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language: FA"><span dir="RTL"></span> مربوط به </span><span dir="LTR" style="mso-bidi-language: FA">IP</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> و داده هاي اصلي يك عدد</span><span dir="LTR" style="mso-bidi-language: FA">Hash</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language: FA"><span dir="RTL"></span> به دست آمده و به همراه فيلدهاي كنترلي ديگر به انتهاي </span><span dir="LTR" style="mso-bidi-language:FA">Header</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> اضافه مي شود. گيرنده <br />با آزمايش اين عدد مي تواند به دستكاري هاي احتمالي در </span><span dir="LTR" style="mso-bidi-language:FA">Header</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> يا داده هاي اصلي پي ببرد. </span><span class="GramE"><span dir="LTR" style="mso-bidi-language:FA">Authentication Header</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br /> <br />هم در حالت </span><span dir="LTR" style="mso-bidi-language:FA">Transport</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br />و هم در حالت </span><span dir="LTR" style="mso-bidi-language:FA">Tunnel</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br />كاربرد دارد.</span></span><span lang="FA" style="mso-bidi-language:FA"> <o:p></o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span dir="LTR" style="mso-bidi-language:FA">AH</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br />در حالت </span><span dir="LTR" style="mso-bidi-language:FA">Transport</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br />ميان </span><span dir="LTR" style="mso-bidi-language:FA">Header</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br /> <br />مربوط به </span><span dir="LTR" style="mso-bidi-language:FA">IP</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br />و داده هاي اصلي مي <span class="GramE">نشيند .</span> در مقابل، در حالت </span><span dir="LTR" style="mso-bidi-language:FA">Tunneling </span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span>، </span><span dir="LTR" style="mso-bidi-language:FA">Gateway</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> كل </span><span dir="LTR" style="mso-bidi-language:FA">Paket</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> را همراه با </span><span dir="LTR" style="mso-bidi-language:FA">Header</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> مربوط به داده ها در <br />يك </span><span dir="LTR" style="mso-bidi-language:FA">IP Packet</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br /> <br />بسته بندي مي كند. در اين حالت، </span><span dir="LTR" style="mso-bidi-language: FA">AH</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> ميان </span><span dir="LTR" style="mso-bidi-language:FA">Header</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br />جديد و </span><span dir="LTR" style="mso-bidi-language:FA">Packet</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br />اصلي قرار مي گيرد. </span><span dir="LTR" style="mso-bidi-language:FA">AH</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br />در هر دو حالت، اعتبار و سلامت داده ها را نشان مي دهد اما دليلي بر قابل اطمينان <br />بودن آنها نيست چون عملكرد رمز گذاري ندارد. <o:p></o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA"><o:p> </o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span dir="LTR" style="mso-bidi-language:FA">Encapsulated <br />Security Payload</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language: FA"><span dir="RTL"></span> <o:p></o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span dir="LTR" style="mso-bidi-language:FA">Encapsulated <br />Security Payload IP</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language: FA"><span dir="RTL"></span> براي اطمينان از ايمني داده ها به كار مي <span class="GramE">رود .</span> اين پروتكل داده ها در قالب يك </span><span dir="LTR" style="mso-bidi-language:FA">Header</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> و يك </span><span dir="LTR" style="mso-bidi-language:FA">Trailer</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> رمز گذاري مي كند. به طوري <br />اختياري مي توان به انتهاي </span><span dir="LTR" style="mso-bidi-language:FA">Packet</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br /> <br />يك فيلد</span><span dir="LTR" style="mso-bidi-language:FA">ESP Auth</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br />اضافه كرد كه مانند </span><span dir="LTR" style="mso-bidi-language:FA">AH</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br />اطلاعات لازم براي اطمينان از درستي داده ها رمز گذاري شده را در خود دارد. در <br />حالت </span><span dir="LTR" style="mso-bidi-language:FA">Transport</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span>، <br /></span><span dir="LTR" style="mso-bidi-language:FA">Header</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> مربوط به </span><span dir="LTR" style="mso-bidi-language:FA">ESP</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> و </span><span dir="LTR" style="mso-bidi-language:FA">Trailer</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> تنها داده هاي اصلي </span><span dir="LTR" style="mso-bidi-language:FA">IP</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> از پوشش مي دهند و </span><span dir="LTR" style="mso-bidi-language:FA">Header</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> مربوط به </span><span dir="LTR" style="mso-bidi-language:FA">Packet</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> بدون محافظ باقي مي <br />ماند. <o:p></o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA">اما در <br />حالت </span><span dir="LTR" style="mso-bidi-language:FA">Tunneling</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br />همه </span><span dir="LTR" style="mso-bidi-language:FA">Packet</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br />ارسالي از سوي فرستنده،‌ داده اصلي به شمار مي رود و </span><span dir="LTR" style="mso-bidi-language:FA">Security Gateway</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> آن را در قالب يك </span><span dir="LTR" style="mso-bidi-language:FA">Packet</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> مربوط به </span><span dir="LTR" style="mso-bidi-language:FA">IP</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> به همراه آدرس هاي <br />فرستنده و گيرنده رمز گذاري مي كند. در نتيجه،</span><span dir="LTR" style="mso-bidi-language:FA">ESP</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> نه تنها اطمينان از داده ها <br />بلكه اطمينان از ارتباط را هم تامين مي كند . در هر دوحالت،‌</span><span dir="LTR" style="mso-bidi-language:FA">ESP</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> در تركيب با </span><span dir="LTR" style="mso-bidi-language:FA">AH</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> ما را از درستي <br />بهترين داده هاي </span><span dir="LTR" style="mso-bidi-language:FA">Header</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br /> <br />مربوط به </span><span dir="LTR" style="mso-bidi-language:FA">IP</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br />مطمئن مي كند. <o:p></o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA"><o:p> </o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span dir="LTR" style="mso-bidi-language:FA">Security <br />Association</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language: FA"><span dir="RTL"></span> <o:p></o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA">براي <br />اينكه بتوان</span><span dir="LTR" style="mso-bidi-language:FA">ESP/AH</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br />را به كار برد بايد الگوريتم هاي مربوط به درهم ريزي(</span><span dir="LTR" style="mso-bidi-language:FA">Hashing</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span>)، تعيين اعتبار و رمز گذاري <br />روي كامپيوترهاي طرف گفتگو يكسان باشد. همچنين دو طرف گفتگو بايد كليدهاي لازم و <br />طول مدت اعتبار آنها را بدانند. هر دو سر ارتباط </span><span dir="LTR" style="mso-bidi-language:FA">IPsec</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> هر بار هنگام برقرار كردن <br />ارتباط به اين پارامترهاي نياز دارند. </span><span class="GramE"><span dir="LTR" style="mso-bidi-language:FA">SA</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> يا </span><span dir="LTR" style="mso-bidi-language:FA">Security Association</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> به عنوان يك شبه <br />استاندارد در اين بخش پذيرفته شده.</span></span><span lang="FA" style="mso-bidi-language: FA"> براي بالا بردن امنيت، از طريق </span><span dir="LTR" style="mso-bidi-language: FA">SA</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> مي توان كليدها را تا زماني كه ارتباط برقرار است عوض كرد. اين <br />كار را مي توان در فاصله هاي زماني مشخص يا پس از انتقال حجم مشخصي از داده ها <br />انجام داد. <o:p></o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA"><o:p> </o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span dir="LTR" style="mso-bidi-language:FA">Internet <br />Key Exchang</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language: FA"><span dir="RTL"></span> <o:p></o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA">پروتكل </span><span dir="LTR" style="mso-bidi-language:FA">Internet Key Exchang</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> يا </span><span dir="LTR" style="mso-bidi-language:FA">IKE( RFC 2409</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> ) روند كار روي </span><span dir="LTR" style="mso-bidi-language:FA">IPsec SA</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> را تعريف مي كند. اين <br />روش را </span><span dir="LTR" style="mso-bidi-language:FA">Internet Security <br />Association and Key Management Protocol</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> يا </span><span dir="LTR" style="mso-bidi-language:FA">ISAKMP</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> نيز مي نامند. اين <br />پروتكل مشكل ايجاد ارتباط ميان دو كامپيوتر را كه هيچ چيز از هم نمي دانند و هيچ <br />كليدي ندارند حل مي كند. در نخستين مرحله </span><span dir="LTR" style="mso-bidi-language: FA">IKE(IKE Phase 1</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language: FA"><span dir="RTL"></span>) كه به آن حالت اصلي(</span><span dir="LTR" style="mso-bidi-language:FA">Main Mode</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span>) هم گفته مي شود دو <br />طرف گفتگو نخست بر سر پيكر بندي ممكن براي </span><span dir="LTR" style="mso-bidi-language: FA">SA</span><span dir="RTL"></span><span style="mso-bidi-language:FA"><span dir="RTL"></span> <span lang="FA">و الگوريتم هاي لازم براي درهم ريزي (</span></span><span dir="LTR" style="mso-bidi-language:FA">Hashing</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span>)، تعيين اعتبار و <br />رمزگذاري به توافق مي رسند. <o:p></o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA">آغاز <br />كننده(</span><span dir="LTR" style="mso-bidi-language:FA">Initiator</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span>) <br />ارتباط به طرف مقابل(يا همان </span><span dir="LTR" style="mso-bidi-language:FA">Responder</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span>) <br />چند گزينه را پيشنهاد مي كند. </span><span dir="LTR" style="mso-bidi-language: FA">Responder</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language: FA"><span dir="RTL"></span> هم مناسب ترين گزينه را انتخاب كرده و سپس هر دو طرف <br />گفتگو، از طريق الگوريتم </span><span dir="LTR" style="mso-bidi-language:FA">Diffie-Hellman</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br />يك كليد <span class="GramE">رمز(</span></span><span dir="LTR" style="mso-bidi-language: FA">Secret Key</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language: FA"><span dir="RTL"></span>) مي سازند كه پايه همه رمز گذاري هاي بعدي است. به اين <br />ترتيب صلاحيت طرف مقابل براي برقراري ارتباط تاييد مي شود. <o:p></o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA">اكنون <br />مرحله دوم </span><span dir="LTR" style="mso-bidi-language:FA">IKE(2 ( IKE Phase</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br />آغاز مي گردد كه حالت سريع (</span><span dir="LTR" style="mso-bidi-language:FA">Ouick <br />Mode</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span>) هم ناميده مي شود. اين مرحله </span><span dir="LTR" style="mso-bidi-language:FA">SA</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> مربوط به </span><span dir="LTR" style="mso-bidi-language:FA">IPsec</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> را از روي پارامترهاي <br />مورد توافق برا ي </span><span dir="LTR" style="mso-bidi-language:FA">ESP</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br />و </span><span dir="LTR" style="mso-bidi-language:FA">AH</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> مي سازد. <o:p></o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA"><o:p> </o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA">گواهينامه <br /></span><span dir="LTR" style="mso-bidi-language:FA">x.506</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <o:p></o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA">همانطور <br />كه پيش از اين گفتيم بهترين راه براي تبادل </span><span dir="LTR" style="mso-bidi-language:FA">Public Key</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> ها </span><span dir="LTR" style="mso-bidi-language:FA">x.509 Certificate(RFC</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> شماره 2495( است. يك <br />چنين گواهينامه اي يك </span><span dir="LTR" style="mso-bidi-language:FA">Public <br />Key</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> براي دارنده خود ايجاد مي كند. اين گواهينامه، داده هايي مربوط به <br />الگوريتم به كار رفته براي امضاء ايجاد كننده، دارنده و مدت اعتبار در خود دارد كه <br />در اين ميان، </span><span dir="LTR" style="mso-bidi-language:FA">Public Key</span><span lang="FA" style="mso-bidi-language:FA">مربوط به دارنده از بقيه مهمتر است. </span><span class="GramE"><span dir="LTR" style="mso-bidi-language:FA">CA</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> هم گواهينامه را با <br />يك عدد ساخته شده از روي داده ها كه با </span><span dir="LTR" style="mso-bidi-language: FA">Public Key</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language: FA"><span dir="RTL"></span> خودش تركيب شده امضاء مي كند.</span></span><span lang="FA" style="mso-bidi-language:FA"> <o:p></o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA">براي <br />بررسي اعتبار يك گواهينامه موجود، گيرنده بايد اين امضاء را با </span><span dir="LTR" style="mso-bidi-language:FA">Public Key</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> مربوط به </span><span dir="LTR" style="mso-bidi-language:FA">CA</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> رمز گشايي كرده و سپس <br />با عدد نخست مقايسه كند . نقطه ضعف اين روش در طول مدت اعتبار گواهينامه و امكان <br />دستكاري و افزايش آن است. اما استفاده از اين گواهينامه ها در ارتباطهاي </span><span dir="LTR" style="mso-bidi-language:FA">VPN</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> مشكل چنداني به همراه <br />ندارد چون مدير شبكه </span><span dir="LTR" style="mso-bidi-language:FA">Security <br />Gateway</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> و همه ارتباط ها را زير نظر دارد. <o:p></o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA"><o:p> </o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span dir="LTR" style="mso-bidi-language:FA">IPsec</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br />يا </span><span dir="LTR" style="mso-bidi-language:FA">FreeS/WAN</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br /><o:p></o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA">همانطور <br />كه گفتيم </span><span dir="LTR" style="mso-bidi-language:FA">FreeS/WAN</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br />مجموعه كاملي براي راه اندازي </span><span dir="LTR" style="mso-bidi-language: FA">IPsec</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language: FA"><span dir="RTL"></span> روي لينكوس است . البته بيشتر نگارش هاي لينوكس برنامه <br />هاي لازم براي اين كار را با خود دارند. اما بر اساس تجربه بهتر است </span><span dir="LTR" style="mso-bidi-language:FA">FreeS/WAN</span><span lang="FA" style="mso-bidi-language:FA">را به كار ببريد. <o:p></o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA">در اينجا <br />ما از </span><span dir="LTR" style="mso-bidi-language:FA">RedHatLinux</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br />نگارش 2/7 با هسته 2.4.18 و</span><span dir="LTR" style="mso-bidi-language:FA">FreeS/WAN197 <br />(ftp://ftp.xs4all.nl/pub/cryypto/freesean</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span>/ ) استفاده كرده ايم. <br />درصورت لزوم مي توان </span><span dir="LTR" style="mso-bidi-language:FA">FreeS/WAN</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br />را با هسته هسته هاي خانواده 2.2 هم به كار برد. البته در اين حالت دست كم به <br />نگارش 2.2.19 لينوكس نياز داريد. اين را هم بايد در نظر داشته باشيد كه راه <br />انداختن </span><span dir="LTR" style="mso-bidi-language:FA">VPN Gateway</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br />همراه با ديواره آتش سودمنداست و هسته نگارش 2.4 امكانات خوبي براي راه انداختن <br />ديواره آتش دارد. <o:p></o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA"><o:p> </o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA">نصب <o:p></o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA">براي نصب <br />بايد هسته را در/</span><span dir="LTR" style="mso-bidi-language:FA">usr/ser/linux</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br />و </span><span dir="LTR" style="mso-bidi-language:FA">Free S/WAN</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br />را در /</span><span dir="LTR" style="mso-bidi-language:FA">usr/scr/freeswan-versionnumber</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br />باز كنيد. سپس با فرمان هاي </span><span dir="LTR" style="mso-bidi-language:FA">make <br />menuconfig</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language: FA"><span dir="RTL"></span> و </span><span dir="LTR" style="mso-bidi-language:FA">make <br />xconfig</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> پيكربندي هسته را انجام بدهيد. گزينه هاي لازم براي تنظيمات اضافي <br />را در </span><span dir="LTR" style="mso-bidi-language:FA">Networking <br />Options\IPsec Options</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> مي يابيد كه معمولا نيازي به <br />تغيير دادن تنظيمات پيش فرض آن نيست . براي راه انداختن </span><span dir="LTR" style="mso-bidi-language:FA">x.509 patch</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> بايد بسته مربوطه را <br />باز كرده و فايل </span><span dir="LTR" style="mso-bidi-language:FA">freewan.diff</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br /> <br />را در فهرست </span><span dir="LTR" style="mso-bidi-language:FA">Free S/WAN</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br />كپي كنيد. پس از آن، فرمان </span><span dir="LTR" style="mso-bidi-language:FA">patch-p1 <br />&lt; freewan.diff</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language: FA"><span dir="RTL"></span> همه چيز را برايتان تنظيم مي كند. در پايان بايد هسته <br />را كه اكنون تغيير كرده كامپايل كنيد. اين مار را با صادر كردن فرمان </span><span dir="LTR" style="mso-bidi-language:FA">make kinstall</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> وقتي در فهرست </span><span dir="LTR" style="mso-bidi-language:FA">Free S/WAN</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> هستيد انجام بدهيد. <o:p></o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA">پس از <br />اضافه كردن هسته تازه به مدير بوت و راه اندازي كامپيوتر مي توانيد نتيجه كارهايي <br />كه انجام داديد را ببينيد. فرمان </span><span dir="LTR" style="mso-bidi-language: FA">dmesg</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language: FA"><span dir="RTL"></span> پيام هاي آغاز به كار </span><span dir="LTR" style="mso-bidi-language:FA">KLIPS</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> را نشان مي دهد. لازم است كه <br />روي </span><span dir="LTR" style="mso-bidi-language:FA">Runlevel</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br />ها هم كارهايي انجام بدهيد. از آنجا كه </span><span dir="LTR" style="mso-bidi-language: FA">Free S/WAN</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language: FA"><span dir="RTL"></span> بع رابط هاي </span><span dir="LTR" style="mso-bidi-language: FA">eth0</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language: FA"><span dir="RTL"></span> و </span><span dir="LTR" style="mso-bidi-language:FA">eth1</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span>، <br /> <br /></span><span dir="LTR" style="mso-bidi-language:FA">ipsec0</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> را اضافه مي كند، <br />سيستم نخست </span><span dir="LTR" style="mso-bidi-language:FA">Networking</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br />سپس </span><span dir="LTR" style="mso-bidi-language:FA">Free S/WAN</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br />و در پايان </span><span dir="LTR" style="mso-bidi-language:FA">iptables</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br />را اجرا مي كند. <o:p></o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA"><o:p> </o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA">پيكر بندي <br /> <br /><o:p></o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA">ما قصد <br />داريم كه </span><span dir="LTR" style="mso-bidi-language:FA">Security Gateway</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br />خود را به گونه اي پيكربندي كنيم كه يك </span><span dir="LTR" style="mso-bidi-language: FA">Firewall</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language: FA"><span dir="RTL"></span> هم باشد. اين ديواره آتش بايد به هر كامپيوتر از فضاي <br />اينترنت با هر </span><span dir="LTR" style="mso-bidi-language:FA">IP</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br />دلخواه اجازه ارتباط با شبكه داخلي(172.16.0.0/16) را بدهد . اين كامپيوتر براي <br />اين كار دو رابط </span><span dir="LTR" style="mso-bidi-language:FA">Ethernet(eth0</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br />براي شبكه داخلي (172.16.0.0/16) و </span><span dir="LTR" style="mso-bidi-language: FA">eth1</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language: FA"><span dir="RTL"></span> براي محيط بيروني)‌دارد . بايد ميان اين دو رابط عملكرد <br /> <br /></span><span dir="LTR" style="mso-bidi-language:FA">IP-Forwarding</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br />فعال باشد. نخست بايد ديواره آتش را در اين </span><span dir="LTR" style="mso-bidi-language:FA">Security Gateway</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> طوري تنظيم كنيم كه </span><span dir="LTR" style="mso-bidi-language:FA">Packet</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> هاي </span><span dir="LTR" style="mso-bidi-language:FA">AH</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> و </span><span dir="LTR" style="mso-bidi-language:FA">ESP</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> را بپذيرد. به همين <br />دليل روي رابط بيروني(همان </span><span dir="LTR" style="mso-bidi-language:FA">eth1) <br />Packet</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> هاي </span><span dir="LTR" style="mso-bidi-language:FA">UDP</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br /> <br />را روي پورت 500(</span><span dir="LTR" style="mso-bidi-language:FA">ESP</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span>) <br />مي فرستيم. <o:p></o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA">تنظيمات </span><span dir="LTR" style="mso-bidi-language:FA">FreeS/WAN</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> در فايل /</span><span dir="LTR" style="mso-bidi-language:FA">etc/ipsec.conf</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> ثبت مي شود . اين <br />تنظيمات به سه گروه تقسيم مي شوند. </span><span dir="LTR" style="mso-bidi-language: FA">Config setup</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language: FA"><span dir="RTL"></span> به تنظيمات پايه اي مربوط مي شود و </span><span dir="LTR" style="mso-bidi-language:FA">conn%default</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> تنظيمات مشترك براي <br />همه ارتباط ها را در خود دارد. گروه سوم كه با لغت كليدي </span><span dir="LTR" style="mso-bidi-language:FA">conn</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> و يك نام دلخواه مشخص مي شود <br />پارامترهاي ارتباطي با همان نام را در خود دارد. در اين مثال ما نام اين بخش را </span><span dir="LTR" style="mso-bidi-language:FA">Roadwarrior</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> گذاشته ايم كه <br />كاربراني كه از بيرون با كامپيوترهاي همراه به شبكه متصل مي شوند مربوط مي شود. <o:p></o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA"><o:p> </o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA">/</span><span dir="LTR" style="mso-bidi-language:FA">etc/ipsec.conf</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <o:p></o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA">در بخش </span><span dir="LTR" style="mso-bidi-language:FA">Config setup</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> پيش از هر چيز بايد <br />رابطي كه درخواست ارتباط هاي </span><span dir="LTR" style="mso-bidi-language:FA">IPsec</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br />روي آن مي روند رامشخص كرد. براي اين منظور، فرمان </span><span dir="LTR" style="mso-bidi-language:FA">interfaces=%defaultroute</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> كافي است كه البته مي <br />توانيد بجاي %</span><span dir="LTR" style="mso-bidi-language:FA">defaultroute</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br /> <br />آدرس </span><span dir="LTR" style="mso-bidi-language:FA">IP</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> مربوط به كارت را هم <br />وارد كنيد. با تنظيم كردن </span><span dir="LTR" style="mso-bidi-language:FA">kilpsdebug</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br />و </span><span dir="LTR" style="mso-bidi-language:FA">plutodebug</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br />روي </span><span dir="LTR" style="mso-bidi-language:FA">none</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> حالت </span><span dir="LTR" style="mso-bidi-language:FA">Debug</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> را غير فعال مي كنيم <br />. </span><span class="GramE"><span dir="LTR" style="mso-bidi-language:FA">Plutoload</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br /> <br />و </span><span dir="LTR" style="mso-bidi-language:FA">plutostart</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br />را روي %</span><span dir="LTR" style="mso-bidi-language:FA">search</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br />تنظيم مي كنيم تا ارتباط ها پس از درخواست از سمت مقابل ، ايجاد شوند.</span></span><span lang="FA" style="mso-bidi-language:FA"> <o:p></o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA">دربخشي </span><span dir="LTR" style="mso-bidi-language:FA">conn %defqult</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> فرمان </span><span dir="LTR" style="mso-bidi-language:FA">keyingtries = 0</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> به </span><span dir="LTR" style="mso-bidi-language:FA">Gateway</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> مي گويد كه در صورت <br />تغيير كليدهاي رمز تا پيدايش آنها صبر كند. براي انتخاب اين روش تعيين اعتبار <br />فرمان </span><span dir="LTR" style="mso-bidi-language:FA">authby = rsasig</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br /> <br />باعث مي شود تا هر دو طرف گفتگو حتما ميان خود گواهينامه مبادله كنند: </span><span dir="LTR" style="mso-bidi-language:FA">leftrsasigkey = %cert rightsasigkey = <br />%cert</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <o:p></o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA">براي </span><span dir="LTR" style="mso-bidi-language:FA">left</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> هم دوباره %</span><span dir="LTR" style="mso-bidi-language:FA">defaultroute</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> را اعلام مي كنيم كه <br />به عنوان </span><span dir="LTR" style="mso-bidi-language:FA">left subnet</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br />شبكه داخلي(172.16.0.0/16) به كار مي رود. كمي بعد اين بخش رابا </span><span dir="LTR" style="mso-bidi-language:FA">leftid</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> كامل مي كنيم كه <br />گواهينامه ما را براي </span><span dir="LTR" style="mso-bidi-language:FA">Gateway</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br /> <br />مشخص مي كند. در بخش </span><span dir="LTR" style="mso-bidi-language:FA">conn <br />Roadwarrior</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language: FA"><span dir="RTL"></span> هم با فرمان </span><span dir="LTR" style="mso-bidi-language: FA">right = %any</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language: FA"><span dir="RTL"></span> به همه كساني كه بتوانند گواهينامه ارائه كننداجازه <br />دسترسي مي دهيم. حالت ارتباط را هم با </span><span dir="LTR" style="mso-bidi-language: FA">type = tunnel</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language: FA"><span dir="RTL"></span> مشخص مي كنيم كه در آن تبادل كليدها از طريق </span><span dir="LTR" style="mso-bidi-language:FA">IKE(key exchang = ike</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span>) با </span><span dir="LTR" style="mso-bidi-language:FA">Perfect Forwarding Secrecy (pfc = yes</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span>) <br />انجام مي گيرد. </span><span dir="LTR" style="mso-bidi-language:FA">Auto = add</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br />هم به </span><span dir="LTR" style="mso-bidi-language:FA">Free S/WAN</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br /> <br />مي گويد كه ارتباط در پي در خواست از سوي كاربران بيرون از شبكه برقرار شود. <o:p></o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA"><o:p> </o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA">گواهينامه <br /><o:p></o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA">اكنون </span><span dir="LTR" style="mso-bidi-language:FA">S/WAN Free</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> براي برقرار كردن <br />ارتباط با يك رمز گذاري قوي از طريق تبادل گواهينامه پيكربندي شده. گواهينامه لازم <br />براي </span><span dir="LTR" style="mso-bidi-language:FA">Gateway</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br />و كاربران بيرون از شبكه را خودمان مي سازيم. براي اين كار از توانايي هاي </span><span dir="LTR" style="mso-bidi-language:FA">SSL open</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> بهره مي گيريم. نخست <br />يك ساختار فهرست براي ايجاد گواهينامه مي سازيم. براي نمونه فهرست /</span><span dir="LTR" style="mso-bidi-language:FA">etc/fenrisCA</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> را در نظر مي گيريم. <br />اينجا فهرست هاي </span><span dir="LTR" style="mso-bidi-language:FA">certs</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br /> <br />و </span><span dir="LTR" style="mso-bidi-language:FA">private key</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br />ها مي سازيم. <o:p></o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA">فهرست </span><span dir="LTR" style="mso-bidi-language:FA">private</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> به طور منطقي بايد در <br />دسترس </span><span dir="LTR" style="mso-bidi-language:FA">root</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br />باشد. در فهرست/</span><span dir="LTR" style="mso-bidi-language:FA">etc/fenrisCA</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br />به دو فايل </span><span dir="LTR" style="mso-bidi-language:FA">index.txt</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br /> <br />و </span><span dir="LTR" style="mso-bidi-language:FA">serial</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> نياز داريم. با </span><span dir="LTR" style="mso-bidi-language:FA">touch</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span>، </span><span dir="LTR" style="mso-bidi-language:FA">index.txt</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> را خالي مي كنيم. </span><span dir="LTR" style="mso-bidi-language:FA">Open SSL</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> بعدا در اين فايل <br />ليستي از گواهينامه هاي صادر شده ثبت مي كند. اكنون در فايل </span><span dir="LTR" style="mso-bidi-language:FA">OPENSSL.CNF</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> (كه در /</span><span dir="LTR" style="mso-bidi-language:FA">usr/ssl</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> يا /</span><span dir="LTR" style="mso-bidi-language:FA">usr/share/ssl</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> قرار دارد) مسير <br />فهرست </span><span dir="LTR" style="mso-bidi-language:FA">CA</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> را به عنوان پارامتر </span><span dir="LTR" style="mso-bidi-language:FA">dir</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> وارد مي كنيم. <o:p></o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA"><o:p> </o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span dir="LTR" style="mso-bidi-language:FA">RootCA</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br /><o:p></o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA">اكنون به <br />سراغ </span><span dir="LTR" style="mso-bidi-language:FA">RootCA</span><span dir="RTL"></span><span style="mso-bidi-language:FA"><span dir="RTL"></span> <span lang="FA">مي رويم . براي اين كار نخست يك </span></span><span dir="LTR" style="mso-bidi-language:FA">RSAPrivate</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> به طول 2048 بيت مي <br />سازيم :</span><span dir="LTR" style="mso-bidi-language:FA">openssl gersa –des3 <br />–out private/caKey.pem2048</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> گزينه </span><span dir="LTR" style="mso-bidi-language:FA">des3</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> باعث مي شود كه از طريق روش </span><span dir="LTR" style="mso-bidi-language:FA">Triple DES</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> ساخته شود تا افراد <br />غير مجاز نتوانند گواهينامه را درستكاري كنند. البته اكنون گواهينامه را درستكاري <br />كنند. البته اگر خودمان هم </span><span dir="LTR" style="mso-bidi-language:FA">Passphrase</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br /> <br />را فراموش كنيم امكان انجام اين كار را نخواهيم داشت. <o:p></o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA">اكنون <br />گواهينامه </span><span dir="LTR" style="mso-bidi-language:FA">RootCA</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br />خودمان را ايجاد كرده و آن را به يك بازه زماني محدوده مي كنيم: <o:p></o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span dir="LTR" style="mso-bidi-language:FA">Openssl <br />req –new-x509 –days = 1825 – key private/cakey.pem out caCert.pem</span><span dir="RTL"></span><span style="mso-bidi-language:FA"><span dir="RTL"></span> <span lang="FA">به عنوان </span></span><span dir="LTR" style="mso-bidi-language:FA">passphrase</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br />از همان چيزي كه براي </span><span dir="LTR" style="mso-bidi-language:FA">Private <br />Key</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> كار برديم استفاده كرده ايم. سپس </span><span dir="LTR" style="mso-bidi-language:FA">openssl</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> تك تك عناصر مربوط به شناسايي <br />دارنده گواهينامه مي پرسد. <o:p></o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA">در پايان <br />گواهينامه </span><span dir="LTR" style="mso-bidi-language:FA">Root CA</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br />را در /</span><span dir="LTR" style="mso-bidi-language:FA">eht/ipsec.d/cacerts</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br />براي </span><span dir="LTR" style="mso-bidi-language:FA">Free S/WAN</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br />كپي مي كنيم. <o:p></o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA"><o:p> </o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA">گواهينامه <br /></span><span dir="LTR" style="mso-bidi-language:FA">Gateway</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <o:p></o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA">ساختن <br />گواهينامه براي </span><span dir="LTR" style="mso-bidi-language:FA">Gateway</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br />دقيقا همانند روشي است كه براي گواهينامه </span><span dir="LTR" style="mso-bidi-language: FA">Root CA</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language: FA"><span dir="RTL"></span> شرح داديم. به كمك گواهينامه </span><span dir="LTR" style="mso-bidi-language:FA">Gateway</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> به كاربران بيرون از شبكه <br />اجازه ارتباط و استفاده از آن ر امي دهيم . <o:p></o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA">نخست به <br />يك </span><span dir="LTR" style="mso-bidi-language:FA">Private key</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br />نياز داريم كه اين بار طول آن 1024 بيت است: <o:p></o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span class="GramE"><span dir="LTR" style="mso-bidi-language: FA">openssl</span></span><span dir="LTR" style="mso-bidi-language:FA"> gersa <br />–des3 –out private/gwKey.pem1024</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <o:p></o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA">اكنون گام <br />بعدي را بر مي داريم: <o:p></o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span class="GramE"><span dir="LTR" style="mso-bidi-language: FA">openssl</span></span><span dir="LTR" style="mso-bidi-language:FA"> req <br />–new-key private/gwKey.pem –out geReq.pem</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <o:p></o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA">اكنون </span><span dir="LTR" style="mso-bidi-language:FA">Request</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> را به عنوان </span><span dir="LTR" style="mso-bidi-language:FA">Root CA</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> امضاء مي كنيم: <o:p></o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span dir="LTR" style="mso-bidi-language:FA">Openssl <br />ca –notext –in gwReq.pem –out gwCert.pem</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <o:p></o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA">اين <br />گواهينامه را بايد در قالب فايل /</span><span dir="LTR" style="mso-bidi-language: FA">etc/x509cert.der</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language: FA"><span dir="RTL"></span> به شكل باينر روي </span><span dir="LTR" style="mso-bidi-language:FA">Gateway</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> ذخيره كنيم . عمل تبديل با <br />فرمان زير انجام مي گيرد: <o:p></o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span class="GramE"><span dir="LTR" style="mso-bidi-language: FA">openssl</span></span><span dir="LTR" style="mso-bidi-language:FA"> x509 –in <br />gwcwert.pem –outform der –out /etc/x509cert.der</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <o:p></o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span dir="LTR" style="mso-bidi-language:FA">Private <br />key</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> با نام </span><span dir="LTR" style="mso-bidi-language:FA">gwkey.pem</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br />را براي </span><span dir="LTR" style="mso-bidi-language:FA">Free S/WAN</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br />در /</span><span dir="LTR" style="mso-bidi-language:FA">etc/ipsec.d/private</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br />كپي مي كنيم. از اين گذشته بايد </span><span dir="LTR" style="mso-bidi-language: FA">Passphrase</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language: FA"><span dir="RTL"></span> مربوطه به طور واضح در فايل /</span><span dir="LTR" style="mso-bidi-language:FA">etc/ipsec.secrets</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> آمده باشد. اگر </span><span dir="LTR" style="mso-bidi-language:FA">Passphrase</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> به طور نمونه « </span><span dir="LTR" style="mso-bidi-language:FA">asample Passphrase</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> » باشد آن را در سطر <br />زير مي نويسيم : <o:p></o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA">« </span><span dir="LTR" style="mso-bidi-language:FA">asample Passphrase » :RAS gwkey.pem</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br /><o:p></o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA">روشن است <br />كه تنها </span><span dir="LTR" style="mso-bidi-language:FA">root</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br />بايد به </span><span dir="LTR" style="mso-bidi-language:FA">ipsec.secrets</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br />دسترسي داشته باشد. اكنون آخرين جاي خالي را در /</span><span dir="LTR" style="mso-bidi-language:FA">etc/ipsec.conf</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> پر مي كنيم. <o:p></o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span dir="LTR" style="mso-bidi-language:FA">Leftid = <br />"C = IR<span class="GramE">,ST</span> = <st1:city st="on">Tehran</st1:city>, <br />L = <st1:city st="on"><st1:place st="on">Tehran</st1:place></st1:city>, O = <br />Rayaneh Magazine, OU = Editorial,CN = fashkain, Email = fashkain@rayanehmag.net</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span>" <br /><o:p></o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA"><o:p> </o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA">گواهينامه <br />هاي كاربران <o:p></o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA">اكنون <br />بايد عمل تعيين اعتبار را براي هر كاربر يكبار انجام بدهيم. در فرمان زير كه براي <br />ساختن </span><span dir="LTR" style="mso-bidi-language:FA">Private key</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br />براي يك كاربر به كار مي رود: <o:p></o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span class="GramE"><span dir="LTR" style="mso-bidi-language: FA">openssl</span></span><span dir="LTR" style="mso-bidi-language:FA"> genrsa <br />–des3 –out private/userkey.pem –out 1024</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <o:p></o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA">بايد براي <br />هر كاربر </span><span dir="LTR" style="mso-bidi-language:FA">Passphrase</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br />جداگانه اي وارد كنيد. در گام بعدي فرمان زير را به كار ببريد: <o:p></o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span class="GramE"><span dir="LTR" style="mso-bidi-language: FA">openssl</span></span><span dir="LTR" style="mso-bidi-language:FA"> req <br />–new-key private/gwKey.pem –out geReq.pem</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <o:p></o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA">اكنون <br />بايد گواهينامه اي را كه آن را در قالب </span><span dir="LTR" style="mso-bidi-language: FA">Root CA</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language: FA"><span dir="RTL"></span> امضاءخواهيد كرد بسازيد.-</span><span class="GramE"><span dir="LTR" style="mso-bidi-language:FA">enddate</span></span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> در اينجا براي مشخص <br />كردن مدت اعتبار به كار مي رود: <o:p></o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span dir="LTR" style="mso-bidi-language:FA">Openssl <br />ca –notext –eddate 020931200z in gwReq.pem –out gwCert.pem</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <o:p></o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA">در آخرين مرحله <br />روي اين گواهينامه يك فايل باينري با فرمت </span><span dir="LTR" style="mso-bidi-language: FA">PKCS#12</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language: FA"><span dir="RTL"></span> مي سازيم كهدر ادامه براي سرويس گيرنده هاي ويندوز </span><span dir="LTR" style="mso-bidi-language:FA">xp /2000</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> لازم داريم. <o:p></o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span dir="LTR" style="mso-bidi-language:FA">Openssl <br />pkcs12 –export –inusercert.pem –inkey private/userkey.pem –certfile <br />caCert.pem-out user.p12</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <o:p></o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA"><o:p> </o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA">چشم انداز <br /> <br /><o:p></o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA">پيكربندي </span><span dir="LTR" style="mso-bidi-language:FA">Security Gateway</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> را با موفقيت پشت سر <br />گذاشتيم. در بخش بعدي به سرويس گيرنده هاي </span><span dir="LTR" style="mso-bidi-language: FA">VPN</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> در ويندوز مي پردازيم. براي اين كار از ابزارهاي موجود در ويندوز <br />2000 و </span><span dir="LTR" style="mso-bidi-language:FA">xp</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br />بهره خواهيم برد.<o:p></o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA">با لينوكس <br />(2) <o:p></o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA">در بخش <br />پيش بر پايه لينوكس 2.4 و </span><span dir="LTR" style="mso-bidi-language:FA">Free <br />S/WAN</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> يك </span><span dir="LTR" style="mso-bidi-language:FA">VPN <br />Security Gateway</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language: FA"><span dir="RTL"></span> راه انداختيم. با نصب </span><span dir="LTR" style="mso-bidi-language:FA">patch</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> هاي </span><span dir="LTR" style="mso-bidi-language:FA">x.509 (www.strongsec.com/freewan/) Gateway</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br />را با تنامين اعتبار هاي مطمئن و رمز گذاري هاي قوي كامل كرديم. به اين ترتيب پيكر <br />بندي سرويس دهنده به پايان مي رسد. اكنون بايد سرويس گيرنده ها را براي دسترسي به </span><span dir="LTR" style="mso-bidi-language:FA">VPN</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> تنظيم كنيم. فرض مي <br />كنيم كه سيستم عامل مورد استفاده كاربران بيرون از شبكه ويندوز 2000 و </span><span dir="LTR" style="mso-bidi-language:FA">xp</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> است كه هر دوي آنها <br />برنامه هاي لازم براي ايجاد و مديريت ارتباط هاي </span><span dir="LTR" style="mso-bidi-language:FA">IPsec</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> را در خود دارند. <o:p></o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA">البته <br />بايد اين احتمال را نيز در نظر گرفت كه شايد برخي كاربران با سيستم ويندوز 9</span><span dir="LTR" style="mso-bidi-language:FA">x/Me</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> قصد استفاده از </span><span dir="LTR" style="mso-bidi-language:FA">VPN</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> را داشته باشند. در <br />اين حالت به يك برنامه سرويس گيرنده </span><span dir="LTR" style="mso-bidi-language: FA">IPsec</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language: FA"><span dir="RTL"></span> نياز داريم. يكبار معروفترين اين برنامه ها كه براي <br />كاربردهاي شخصي رايگان است </span><span dir="LTR" style="mso-bidi-language:FA">PGPnet</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br />مي باشد. اين برنامه را مي توان حتي روي ويندوز هاي </span><span dir="LTR" style="mso-bidi-language:FA">NT</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> و 2000 هم بكار برد. <o:p></o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA"><o:p> </o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA">ويندوز <br />2000 و </span><span dir="LTR" style="mso-bidi-language:FA">XP</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br /><o:p></o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA">ويندوز <br />هاي 2000و </span><span dir="LTR" style="mso-bidi-language:FA">XP</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br />با توجه به پشتيباني از </span><span dir="LTR" style="mso-bidi-language:FA">IPsec</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br />براي استفاده به عنوان سرويس گيرنده </span><span dir="LTR" style="mso-bidi-language: FA">IPsec</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language: FA"><span dir="RTL"></span> بسيار مناسبند. اين دو سيستم عامل افزون بر سرويس هاي </span><span dir="LTR" style="mso-bidi-language:FA">IPsec</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> امكاناتي هم براي <br />ايمني </span><span dir="LTR" style="mso-bidi-language:FA">IP</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> دارند. براي ساختن يك <br />تونل </span><span dir="LTR" style="mso-bidi-language:FA">VPN</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span>، كافي است كه به <br />كاربر تنها سرويس </span><span dir="LTR" style="mso-bidi-language:FA">IPsec</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br /> <br />را اجرا كرده و گزينه هاي لازم را در آن تنظيم كند. <o:p></o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA">البته فرض <br />بر اين است كه تنظيمات امنيتي از پيش انجام شده باشد. انجام اين كار در ويندوز <br />چندان ساده نيست. در ويندوز 2000 بايد برنامه </span><span dir="LTR" style="mso-bidi-language:FA">IPsecPOL</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <o:p></o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span dir="LTR" style="mso-bidi-language:FA">http://agent.microsoft.com/windows2000/techinfo/reskit/tools/existing/ipsecpol-o.asp</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br /><o:p></o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA">را از </span><span dir="LTR" style="mso-bidi-language:FA">ResourceKit</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> نصب كنيد. در ويندوز </span><span dir="LTR" style="mso-bidi-language:FA">XP</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> بجاي آن به </span><span dir="LTR" style="mso-bidi-language:FA">IPsecCmd</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> نياز داريم. براي <br />دستيابي به اين برنامه بايد </span><span dir="LTR" style="mso-bidi-language:FA">Support <br />Tools</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> را در ويندوز </span><span dir="LTR" style="mso-bidi-language: FA">XP</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> به طور كامل نصب كنيد(فهرست \</span><span dir="LTR" style="mso-bidi-language:FA">SUPPORT\TOOLS</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> روي </span><span dir="LTR" style="mso-bidi-language:FA">CD</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> ويندوز </span><span dir="LTR" style="mso-bidi-language:FA">XP</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span>). <o:p></o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA"><o:p> </o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA">تنظيم </span><span dir="LTR" style="mso-bidi-language:FA">ipsec.conf</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <o:p></o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA">اكنون </span><span dir="LTR" style="mso-bidi-language:FA">ipsec.conf</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> را كه قبلا آماده <br />كرده بوديم مطابق كاربردمان تنظيم كنيم. در </span><span dir="LTR" style="mso-bidi-language:FA">conn %default</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> ارتباط هاي تلفني(</span><span dir="LTR" style="mso-bidi-language:FA">Dail up</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span>) كه بايد به طور <br />خودكار فعال شوند مشخص مي شوند. <o:p></o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA">سپس بخشي <br />قرار مي گيرد كه با </span><span dir="LTR" style="mso-bidi-language:FA">conn</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br />آغاز مي شود و پارامترهاي ارتباط </span><span dir="LTR" style="mso-bidi-language: FA">VPN</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> را در خود دارد. آدرس هاي محلي كه به طور خودكار براي آدرس هاي <br />سرويس گيرنده ها به كار مي روند با با </span><span dir="LTR" style="mso-bidi-language: FA">left = %any</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language: FA"><span dir="RTL"></span> مشخص مي شوند. در </span><span dir="LTR" style="mso-bidi-language:FA">right</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> آدرس </span><span dir="LTR" style="mso-bidi-language:FA">IP</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> مربوط به </span><span dir="LTR" style="mso-bidi-language:FA">VPNGateway</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> را واردكنيم. پارامتر</span><span dir="LTR" style="mso-bidi-language:FA">rightsubnet</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> هم آدرس </span><span dir="LTR" style="mso-bidi-language:FA">IP</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> و ماسك شبكه اي كه <br />ارتباط با آن برقرار مي شود را در خود دارد. در اينجا مي توانيد از هر دو شيوه <br />نوشتن آدرس ها يعني 172.16.0.0/16 يا172.16.0.0/255.255.0.0 استفاده كنيد. </span><span dir="LTR" style="mso-bidi-language:FA">Network</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> مشخص مي كند كه <br />ارتباط از طريق تماس تلفني (</span><span dir="LTR" style="mso-bidi-language:FA">network <br />= ras</span><span class="GramE"><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span>)،</span></span><span lang="FA" style="mso-bidi-language:FA"> شبكه (</span><span dir="LTR" style="mso-bidi-language:FA">network = lan</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span>) يا هر دو (</span><span dir="LTR" style="mso-bidi-language:FA">network = both</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span>) برقرار شود. <o:p></o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA"><o:p> </o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA">پيكر بندي <br />سرويس گيرنده <o:p></o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA">اكنون <br />بايد فايل آرشيوي كه براي گواهينامه كاربر، رمز عبور،</span><span dir="LTR" style="mso-bidi-language:FA">IPsec</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> و </span><span dir="LTR" style="mso-bidi-language:FA">ipsec.conf</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> ساختيم را از يك راه <br />مطمئن (مثلا </span><span dir="LTR" style="mso-bidi-language:FA">Email</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br />رمز گذاري شده) به كامپيوتر سرويس گيرنده بفرستيم. پس از باز كردن اين فايل، بايد <br />يك</span><span dir="LTR" style="mso-bidi-language:FA">Snap in</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br /> <br />را همان طور كه در شكل مي بينيد اضافه كنيد . براي اين منظور در "</span><span dir="LTR" style="mso-bidi-language:FA">Start,Run" </span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span>، </span><span dir="LTR" style="mso-bidi-language:FA">mmc</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> را وارد كنيد. سپس از <br />طريق "</span><span dir="LTR" style="mso-bidi-language:FA">File,Add/Remove <br />Snap-in</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span>" يك </span><span dir="LTR" style="mso-bidi-language:FA">Plug <br />in</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> از از جنس </span><span dir="LTR" style="mso-bidi-language:FA">Certificate</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br />بسازيد. اين </span><span dir="LTR" style="mso-bidi-language:FA">Plug in</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br /> <br />بايد از جنس </span><span dir="LTR" style="mso-bidi-language:FA">Compeuter account</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br />براي </span><span dir="LTR" style="mso-bidi-language:FA">Local computer</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br />باشد. پس از اتمام كار و زدن كليدهاي </span><span dir="LTR" style="mso-bidi-language: FA">Finish </span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language: FA"><span dir="RTL"></span>، </span><span dir="LTR" style="mso-bidi-language:FA">Close</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br />و</span><span dir="LTR" style="mso-bidi-language:FA">Ok </span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span>،</span><span dir="LTR" style="mso-bidi-language:FA">Plug in</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> را در پنجره </span><span dir="LTR" style="mso-bidi-language:FA">MMC</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> خواهيد ديد. <o:p></o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA"><o:p> </o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA">خلاصه <o:p></o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA">لينوكس و </span><span dir="LTR" style="mso-bidi-language:FA">Free S/WAN</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> براي ساختن </span><span dir="LTR" style="mso-bidi-language:FA">VPN</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> راه حل هايي هستند كه <br />در مقايسه با راه حل هاي سخت افزاري بسيار ساده تر و كم هزينه تر است. به ويژه <br />سرويس گيرنده هاي ويندوز 2000 و </span><span dir="LTR" style="mso-bidi-language: FA">XP</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> با توجه به دسترس بودن برنامه هاي لازم بسيار ساده و سريع <br />پيكربندي مي شوند. اما هنگام راه اندازي </span><span dir="LTR" style="mso-bidi-language: FA">VPN</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> نبايد يك نكته فراموش كرد. </span><span class="GramE"><span dir="LTR" style="mso-bidi-language:FA">VPN</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> اگر چه مطمئن است اما <br />اين اطمينان تا وقتي است كه كامپيوترها در هماهنگي كامل با يكديگر باشند.</span></span><span lang="FA" style="mso-bidi-language:FA"> اگر از </span><span dir="LTR" style="mso-bidi-language:FA">VPN</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> به درستي محافظت نشود بستر <br />بسيار مناسبي براي ويروس ها، كرم ها، اسب هاي تروآيي و كاربران غير مجاز خواهد <br />بود. بنابراين استفاده از برنامه هاي ضد ويروس و ديواره آتش را نبايد فراموش كنيد. <br /> <br /><o:p></o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA"><o:p> </o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA"><o:p> </o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA">شبكه <br />خصوصي مجازي يا </span><span dir="LTR" style="mso-bidi-language:FA">VPN (Virtual <br />Private Network</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language: FA"><span dir="RTL"></span>) در اذهان تصور يك مطلب پيچيده براي استفاده و پياده <br />كنندگان آن به وجود آورده است . اما اين پيچيدگي ، در مطالب بنيادين و مفهومي آن <br />است نه در پياده‌سازي . <o:p></o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA">اين نكته <br />را بايد بدانيد كه پياده‌سازي </span><span dir="LTR" style="mso-bidi-language: FA">VPN</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> داراي روش خاصي نبوده و هر سخت‌افزار و نرم‌افزاري روش پياده‌سازي <br />خود را داراست و نمي‌توان روش استانداردي را براي كليه موارد بيان نمود . اما اصول <br />كار همگي به يك روش است . <o:p></o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA"><o:p> </o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA">مختصري <br />درباره تئوري </span><span dir="LTR" style="mso-bidi-language:FA">VPN</span><span dir="RTL"></span><span style="mso-bidi-language:FA"><span dir="RTL"></span> <span lang="FA"><o:p></o:p></span></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA">مفهوم <br />اصلي </span><span dir="LTR" style="mso-bidi-language:FA">VPN</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> چيزي جز برقراري يك <br />كانال ارتباطي خصوصي براي دسترسي كاربران راه دور به منابع شبكه نيست . در اين <br />كانال كه بين دو نقطه برقرار مي‌شود ، ممكن است كه مسيرهاي مختلفي عبور كند اما <br />كسي قادر به وارد شدن به اين شبكه خصوصي شما نخواهد بود . گرچه مي‌توان از </span><span dir="LTR" style="mso-bidi-language:FA">VPN</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> در هر جايي استفاده <br />نمود اما استفاده آن در خطوط </span><span dir="LTR" style="mso-bidi-language:FA">Dialup</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br />و </span><span dir="LTR" style="mso-bidi-language:FA">Leased</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> كار غير ضروري است (در <br />ادامه به‌دليل آن پي خواهيد برد). <o:p></o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA">در يك <br />ارتباط </span><span dir="LTR" style="mso-bidi-language:FA">VPN</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br />شبكه يا شبكه‌ها مي‌توانند به هم متصل شوند و از اين طريق كاربران از راه دور به <br />شبكه به راحتي دسترسي پيدا مي‌كنند. اگر اين روش از ارائه دسترسي كاربران از راه <br />دور را با روش خطوط اختصاصي فيزيكي (</span><span dir="LTR" style="mso-bidi-language: FA">Leased</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language: FA"><span dir="RTL"></span>) مقايسه كنيم ، مي‌بينيد كه ارائه يك ارتباط خصوصي از <br />روي اينترنت به مراتب از هر روش ديگري ارزان‌تر تمام مي‌شود . <o:p></o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA">از اصول <br />ديگري كه در يك شبكه </span><span dir="LTR" style="mso-bidi-language:FA">VPN</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br />در نظر گرفته شده بحث امنيت انتقال اطلاعات در اين كانال مجازي مي‌باشد . يك <br />ارتباط </span><span dir="LTR" style="mso-bidi-language:FA">VPN</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br />مي‌تواند بين يك ايستگاه كاري و يك شبكه محلي و يا بين دو شبكه محلي صورت گيرد. در <br />بين هر دو نقطه يك تونل ارتباطي برقرار مي‌گردد و اطلاعات انتقال يافته در اين <br />كانال به صورت كد شده حركت مي‌كنند ، بنابراين حتي در صورت دسترسي مزاحمان و هكرها <br />به اين شبكه خصوصي نمي‌توانند به اطلاعات رد و بدل شده در آن دسترسي پيدا كنند. <o:p></o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA">جهت <br />برقراري يك ارتباط </span><span dir="LTR" style="mso-bidi-language:FA">VPN</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br />، مي‌توان به كمك نرم‌افزار يا سخت‌افزار و يا تركيب هر دو ، آن را پياده‌سازي <br />نمود . به طور مثال اكثر ديواره‌هاي آتش تجاري و روترها از </span><span dir="LTR" style="mso-bidi-language:FA">VPN</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> پشتيباني مي‌كنند . در زمينه <br />نرم‌افزاري نيز از زمان ارائه ويندوز </span><span dir="LTR" style="mso-bidi-language: FA">NT</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> ويرايش 4 به بعد كليه سيستم عامل‌ها داراي چنين قابليتي هستند . <o:p></o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA">در اين <br />مقاله پياده‌سازي </span><span dir="LTR" style="mso-bidi-language:FA">VPN</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br />بر مبناي ويندوز 2000 گفته خواهد شد . <o:p></o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA"><o:p> </o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA">پياه‌سازي <br /></span><span dir="LTR" style="mso-bidi-language:FA">VPN</span><span dir="RTL"></span><span style="mso-bidi-language:FA"><span dir="RTL"></span> <span lang="FA"><o:p></o:p></span></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA">براي <br />پياده‌سازي </span><span dir="LTR" style="mso-bidi-language:FA">VPN</span><span dir="RTL"></span><span style="mso-bidi-language:FA"><span dir="RTL"></span> <span lang="FA">بر روي ويندوز 2000 كافيست كه از منوي </span></span><span dir="LTR" style="mso-bidi-language:FA">Program/AdministrativeTools</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span>/ ، گزينه </span><span dir="LTR" style="mso-bidi-language:FA">Routing and Remote Access</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br />را انتخاب كنيد . از اين پنجره گزينه </span><span dir="LTR" style="mso-bidi-language: FA">VPN</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> را انتخاب كنيد . پس از زدن دكمه </span><span dir="LTR" style="mso-bidi-language:FA">Next</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> وارد پنجره ديگري مي‌‌شويد كه <br />در آن كارت‌هاي شبكه موجود بر روي سيستم ليست مي‌شوند . <o:p></o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA">براي راه‌اندازي <br />يك سرور </span><span dir="LTR" style="mso-bidi-language:FA">VPN</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br />مي‌بايست دو كارت شبكه نصب شده بر روي سيستم داشته باشيد . <o:p></o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA">از يك <br />كارت شبكه براي ارتباط با اينترنت و از كارت ديگر جهت برقراري ارتباط با شبكه محلي <br />استفاده مي‌شود. در اين‌جا بر روي هر كارت به‌طور ثابت </span><span dir="LTR" style="mso-bidi-language:FA">IP</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> قرار داده شده اما مي‌توان <br />اين </span><span dir="LTR" style="mso-bidi-language:FA">IP</span><span lang="FA" style="mso-bidi-language:FA">ها را به صورت پويا بر روي كارت‌هاي شبكه قرار داد . <br /><o:p></o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA">در پنجره <br />بعد نحوه آدرس‌دهي به سيستم راه دوري كه قصد اتصال به سرور ما را دارد پرسيده مي‌شود <br />. هر ايستگاه كاري مي‌ تواند يك آدرس </span><span dir="LTR" style="mso-bidi-language: FA">IP</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> براي كار در شبكه محلي و يك </span><span dir="LTR" style="mso-bidi-language:FA">IP</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> براي اتصال </span><span dir="LTR" style="mso-bidi-language:FA">VPN</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> داشته باشد . در منوي <br />بعد نحوه بازرسي كاربران پرسيده مي‌شود كه اين بازرسي مي‌ تواند از روي كاربران <br />تعريف شده در روي خود ويندوز باشد و يا آنكه از طريق يك سرويس دهنده </span><span dir="LTR" style="mso-bidi-language:FA">RADIUS</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> صورت گيرد در صورت <br />داشتن چندين سرور </span><span dir="LTR" style="mso-bidi-language:FA">VPN</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br /> <br />استفاده از </span><span dir="LTR" style="mso-bidi-language:FA">RADIUS</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br />را به شما پيشنهاد مي‌كنيم . با اين روش كاربران ، بين تمام سرورهاي </span><span dir="LTR" style="mso-bidi-language:FA">VPN</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> به اشتراك گذاشته شده <br />و نيازي به تعريف كاربران در تمامي سرورها نمي‌باشد. <o:p></o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA"><o:p> </o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA">پروتكل‌هاي <br />استفاده شونده <o:p></o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA">عملياتي <br />كه در بالا انجام گرفت تنها پيكربندي‌هاي لازم جهت راه‌اندازي يك سرور </span><span dir="LTR" style="mso-bidi-language:FA">VPN</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> مي‌باشد . <o:p></o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA">اما (</span><span dir="LTR" style="mso-bidi-language:FA">Remote Routing Access Service) RRAS</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br />داراي دو پروتكل جهت برقراري تونل ارتباطي </span><span dir="LTR" style="mso-bidi-language: FA">VPN</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> مي‌باشد. ساده‌ترين پروتكل آن </span><span dir="LTR" style="mso-bidi-language:FA">PPTP (Point to Point Tunneling Protocol</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span>) <br />است ، اين پروتكل برگرفته از </span><span dir="LTR" style="mso-bidi-language:FA">PPP</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br />است كه در سرويس‌هاي </span><span dir="LTR" style="mso-bidi-language:FA">Dialup</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br />مورد استفاده واقع مي‌شود ،‌ در واقع </span><span dir="LTR" style="mso-bidi-language: FA">PPTP</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language: FA"><span dir="RTL"></span> همانند </span><span dir="LTR" style="mso-bidi-language: FA">PPP</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> عمل مي‌كند . <o:p></o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA">پروتكل </span><span dir="LTR" style="mso-bidi-language:FA">PPTP</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> در بسياري از موارد <br />كافي و مناسب است ،‌ به كمك اين پروتكل كاربران مي‌توانند به روش‌هاي </span><span dir="LTR" style="mso-bidi-language:FA">PAP (Password Authentication Protocol</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span>) <br />و </span><span dir="LTR" style="mso-bidi-language:FA">Chap (Challenge Handshake <br />Authentication Protocol</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span>) بازرسي شوند. جهت كد كردن <br />اطلاعات مي‌توان از روش كد سازي </span><span dir="LTR" style="mso-bidi-language: FA">RSA</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> استفاده نمود. <o:p></o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span dir="LTR" style="mso-bidi-language:FA">PPTP</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br />براي كاربردهاي خانگي و دفاتر و افرادي كه در امر شبكه حرفه‌اي نيستند مناسب است <br />اما در جايگاه امنيتي داراي پايداري زيادي <span class="GramE">نيست .</span> پروتكل <br />ديگري به نام </span><span dir="LTR" style="mso-bidi-language:FA">L2TP (Layer2 Forwarding</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span>) <br />به وسيله شركت </span><span dir="LTR" style="mso-bidi-language:FA">CISCO</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br /> <br />ارائه شده كه به لحاظ امنيتي بسيار قدرتمندتر است. <o:p></o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA">اين <br />پروتكل با استفاده از پروتكل انتقال اطلاعات </span><span dir="LTR" style="mso-bidi-language:FA">UDP (User Datagram Protocol</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span>) به‌جاي استفاده از </span><span dir="LTR" style="mso-bidi-language:FA">TCP</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> به مزاياي زيادي دست <br />يافته است . اين روش باعث بهينه و ملموس‌تر شدن براي ديواره‌هاي آتش شده است ، اما <br />باز هم اين پروتكل در واقع چيزي جز يك كانال ارتباطي نيست . جهت حل اين مشكل و هر <br />چه بالاتر رفتن ضريب امنيتي در </span><span dir="LTR" style="mso-bidi-language: FA">VPN</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> شركت مايكروسافت پروتكل ديگري را به نام </span><span dir="LTR" style="mso-bidi-language:FA">IPSec (IP Security</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span>) مطرح نموده كه <br />پيكربندي </span><span dir="LTR" style="mso-bidi-language:FA">VPN</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br />با آن كمي دچار پيچيدگي مي‌گردد. <o:p></o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA">اما در <br />صورتي كه پروتكل </span><span dir="LTR" style="mso-bidi-language:FA">PPTP</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br />را انتخاب كرده‌ايد و با اين پروتكل راحت‌تر هستيد تنها كاري كه بايد در روي سرور <br />انجام دهيد فعال كردن قابليت دسترسي </span><span dir="LTR" style="mso-bidi-language: FA">Dial in</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language: FA"><span dir="RTL"></span> مي‌باشد. اين كار را مي‌توانيد با كليك بر روي </span><span dir="LTR" style="mso-bidi-language:FA">Remote Access Polices</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> در </span><span dir="LTR" style="mso-bidi-language:FA">RRAS</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> انجام دهيد و با <br />تغيير سياست كاري آن ، آن را راه‌اندازي كنيد (به‌ طور كلي پيش‌فرض سياست كاري ، <br />رد كليه درخواست‌ها مي‌باشد). <o:p></o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA"><o:p> </o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA">دسترسي ايستگاه <br />كاري از طريق </span><span dir="LTR" style="mso-bidi-language:FA">VPN</span><span dir="RTL"></span><span style="mso-bidi-language:FA"><span dir="RTL"></span> <span lang="FA"><o:p></o:p></span></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA">حالا كه <br />سرور </span><span dir="LTR" style="mso-bidi-language:FA">VPN</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> آماده سرويس‌دهي شده <br />، براي استفاده از آن بايد بر روي ايستگاه كاري نيز پيكربنديهايي را انجام دهيم . سيستم <br />عاملي كه ما در اين‌جا استفاده مي‌كنيم ويندوز </span><span dir="LTR" style="mso-bidi-language:FA">XP</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> مي‌باشد و روش پياده‌سازي </span><span dir="LTR" style="mso-bidi-language:FA">VPN</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> را بر روي آن خواهيم <br />گفت اما انجام اين كار بر روي ويندوز 2000 نيز به همين شكل صورت مي‌گيرد . بر روي <br />ويندوزهاي 98 نيز مي‌توان ارتباط </span><span dir="LTR" style="mso-bidi-language: FA">VPN</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> را برقرار نمود ، اما روش كار كمي متفاوت است و براي انجام آن <br />بهتر است به آدرس زير مراجعه كنيد : <o:p></o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span dir="LTR" style="mso-bidi-language:FA">www.support.microsot.com</span><span dir="RTL"></span><span style="mso-bidi-language:FA"><span dir="RTL"></span> <span lang="FA"><o:p></o:p></span></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA">بر روي <br />ويندوزهاي </span><span dir="LTR" style="mso-bidi-language:FA">XP</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br />، يك نرم‌افزار جهت اتصال به </span><span dir="LTR" style="mso-bidi-language:FA">VPN</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br />براي هر دو پروتكل </span><span dir="LTR" style="mso-bidi-language:FA">PPTP</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br />و </span><span dir="LTR" style="mso-bidi-language:FA">L2TP</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> وجود دارد. در صورت <br />انتخاب هر كدام ،‌ نحوه پيكربندي با پروتكل ديگر تفاوتي ندارد . راه‌اندازي </span><span dir="LTR" style="mso-bidi-language:FA">VPN</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> كار بسيار ساده‌اي <br />است ، كافيست كه بر روي </span><span dir="LTR" style="mso-bidi-language:FA">Network <br />Connection</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language: FA"><span dir="RTL"></span> كليك نموده و از آن اتصال به شبكه خصوصي از طريق اينترنت <br />(</span><span dir="LTR" style="mso-bidi-language:FA">Private Network Through <br />Internet</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language: FA"><span dir="RTL"></span>) را انتخاب كنيد . <o:p></o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA">در انجام <br />مرحله بالا از شما يك اسم پرسيده مي‌شود . در همين مرحله خواسته مي‌شود كه براي <br />اتصال به اينترنت يك ارتباط تلفني (</span><span dir="LTR" style="mso-bidi-language: FA">Dialup</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language: FA"><span dir="RTL"></span>) تعريف نماييد ، پس از انجام اين مرحله نام و يا آدرس <br />سرور </span><span dir="LTR" style="mso-bidi-language:FA">VPN</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> پرسيده مي‌شود . <o:p></o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA">مراحل <br />بالا تنها مراحلي است كه نياز براي پيكربندي يك ارتباط </span><span dir="LTR" style="mso-bidi-language:FA">VPN</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> بر روي ايستگاه‌هاي كاري مي‌باشد <br />. كليه عمليات لازمه براي </span><span dir="LTR" style="mso-bidi-language:FA">VPN</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br />به صورت خودكار انجام مي‌گيرد و نيازي به انجام هيچ عملي نيست . براي برقراري <br />ارتباط كافيست كه بر روي آيكوني كه بر روي ميز كاري ايجاد شده دو بار كليك كنيد پس <br />از وارد كردن كد كاربري و كلمه عبور چندين پيام را مشاهده خواهيد كرد كه نشان‌دهنده <br />روند انجام برقراري ارتباط </span><span dir="LTR" style="mso-bidi-language:FA">VPN</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br /> <br />است . <o:p></o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA">اگر همه <br />چيز به خوبي پيش رفته باشد مي‌توانيد به منابع موجود بر روي سرور </span><span dir="LTR" style="mso-bidi-language:FA">VPN</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> دسترسي پيدا كنيد اين <br />دسترسي مانند آن است كه بر روي خود سرور قرار گرفته باشيد . <o:p></o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA"><o:p> </o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA">ارتباط <br />سايت به سايت (</span><span dir="LTR" style="mso-bidi-language:FA">Site-to-Site <br />VPN</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span>) <o:p></o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA">در صورتي <br />كه بخواهيد دو شبكه را از طريق يك سرور </span><span dir="LTR" style="mso-bidi-language: FA">VPN</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> دومي به يكديگر وصل كنيد علاوه بر مراحل بالا بايد چند كار اضافه‌تر <br />ديگري را نيز انجام دهيد . <o:p></o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA">جزئيات <br />كار به پروتكلي كه مورد استفاده قرار مي‌گيرد . جهت اين كار بايد سرور را در پنجره <br /></span><span dir="LTR" style="mso-bidi-language:FA">RRAS</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> انتخاب كرده و منوي <br />خاص (</span><span dir="LTR" style="mso-bidi-language:FA">Properties</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span>) <br />آن را بياوريد . <o:p></o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA">در قسمت </span><span dir="LTR" style="mso-bidi-language:FA">General</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> مطمئن شويد كه گزينه‌هاي <br /></span><span dir="LTR" style="mso-bidi-language:FA">LAN</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> و </span><span dir="LTR" style="mso-bidi-language:FA">Demand Dial</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> انتخاب شده باشند (به <br />طور پيش گزيده انتخاب شده هستند). هم‌چنين اطمينان حاصل كنيد كه پروتكل را كه قصد <br />روت (</span><span dir="LTR" style="mso-bidi-language:FA">Route</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span>) <br />كردن آن را داريد فعال است . <o:p></o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA">پس از <br />مراحل بالا نياز به ايجاد يك </span><span dir="LTR" style="mso-bidi-language:FA">Demand <br />Dial</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> داريد ، اين كار را مي‌توانيد با يك كليك راست بر روي واسط روت (</span><span dir="LTR" style="mso-bidi-language:FA">Routing Interface</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span>) انجام دهيد . <o:p></o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA">در پنجره <br />بعدي كه ظاهر مي‌شود بايد براي اين ارتباط </span><span dir="LTR" style="mso-bidi-language: FA">VPN</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> خود يك نام تعيين كنيد اين نام بايد همان اسمي باشد كه در طرف <br />ديگر كاربران با آن به اينترنت متصل مي‌شوند در صورتي كه اين مطلب را رعايت نكنيد <br />ارتباط </span><span dir="LTR" style="mso-bidi-language:FA">VPN</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br />شما برقرار نخواهد شد . <o:p></o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA">پس از اين <br />مرحله بايد آدرس </span><span dir="LTR" style="mso-bidi-language:FA">IP</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br />و يا نام دامنه آن را مشخص كنيد و پس از آن نوع پروتكل ارتباطي را تعيين نمود . <o:p></o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA">اما مرحله <br />نهايي تعريف يك مسير (</span><span dir="LTR" style="mso-bidi-language:FA">Route</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span>) <br />بر روي سرور ديگر مي‌باشد بدين منظور بر روي آن سرور در قسمت </span><span dir="LTR" style="mso-bidi-language:FA">RRAS </span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span>، </span><span dir="LTR" style="mso-bidi-language:FA">Demand Dial</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> را انتخاب كنيد و <br />آدرس </span><span dir="LTR" style="mso-bidi-language:FA">IP</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> و ساب‌نت را در آن <br />وارد كنيد و مطمئن شويد كه قسمت <o:p></o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span dir="LTR" style="mso-bidi-language:FA">Use This <br />to Initate Demand</span><span dir="RTL"></span><span style="mso-bidi-language: FA"><span dir="RTL"></span> <span lang="FA"><o:p></o:p></span></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA">انتخاب <br />شده باشد . پس از انجام مرحله بالا كار راه‌اندازي اين نوع </span><span dir="LTR" style="mso-bidi-language:FA">VPN</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> به پايان مي‌رسد . <o:p></o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA"><o:p> </o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA">پايان <o:p></o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA">همان‌طور <br />كه ديديد راه‌اندازي يك سرور </span><span dir="LTR" style="mso-bidi-language:FA">VPN</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> <br /> <br />بر روي ويندوز 2000 تحت پروتكل </span><span dir="LTR" style="mso-bidi-language: FA">PPTP</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language: FA"><span dir="RTL"></span> كار ساده‌اي بود اما اگر بخواهيد از پروتكل </span><span dir="LTR" style="mso-bidi-language:FA">L2TP/IPSec</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> استفاده كنيد كمي كار <br />پيچيده خواهد شد . به خاطر بسپاريد كه راه‌اندازي </span><span dir="LTR" style="mso-bidi-language:FA">VPN</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> بار زيادي را بر روي پردازنده <br />سرور مي‌گذارد و هرچه تعداد ارتباطات </span><span dir="LTR" style="mso-bidi-language: FA">VPN</span><span lang="FA" style="mso-bidi-language:FA">بيشتر باشد بار زيادتري <br />بر روي سرور است كه مي‌توانيد از يك وسيله سخت‌افزاري مانند روتر جهت پياده‌سازي </span><span dir="LTR" style="mso-bidi-language:FA">VPN</span><span dir="RTL"></span><span lang="FA" style="mso-bidi-language:FA"><span dir="RTL"></span> كمك بگيرد . <o:p></o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA"><o:p> </o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA"><o:p> </o:p></span></p><div align="right"> <br /> <br /></div><p class="MsoNormal" dir="RTL" align="right"><span lang="FA" style="mso-bidi-language:FA"><o:p> </o:p></span></p> <br /> <br /></div> <br /> <br /> <br /> <br /> <br /><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/350232546605449424-3737486006299441798?l=5lackware.blogspot.com' alt='' /></div>angereminohttp://www.blogger.com/profile/07909387683643703519noreply@blogger.com0tag:blogger.com,1999:blog-350232546605449424.post-26214349686173286862009-06-17T11:05:00.000-07:002009-06-17T11:16:00.666-07:00<a href="http://2.bp.blogspot.com/_Aw3rPsc6RV0/Sjkx6WipdzI/AAAAAAAAAAM/nqWir6xwNNQ/s1600-h/untitled.JPG"></a><br /><div></div><div></div><div></div><div></div><div></div><div></div><div></div><div></div><div></div><div></div><div></div><div></div><div></div><div></div><div></div><div></div><div></div><div></div><div> </div><div> </div><div> </div><div> </div><div> </div><div> </div><div> </div><div> </div><div> </div><div> </div><div> </div><div> </div><div> </div><div> </div><div> </div><div> </div><div> </div><div> </div><div> </div><div> </div><div> </div><div>Slackware Linux, Apache2, PHP, Build Apache<br /></div><div> </div><div> </div><div> </div><div> </div><div> </div><div> </div><div> </div><div> </div><div> </div><div> </div><div> </div><div> </div><div> </div><div> </div><div> </div><div></div><div>cd /downloads<br />Create apache user and group if they don’t already exist:<br />groupadd apache<br />useradd -g apache -d /dev/null -s /bin/false apache<br />wget latest source from http://httpd.apache.org<br />tar zxvf httpd-2.2.3.tar.gz<br />cd httpd-2.2.3<br />./configure –prefix=/usr/local/apache –enable-mods-shared=most –enable-deflate –enable-ssl<br />make<br />make install<br />echo “/usr/local/apache/lib” >> /etc/ld.so.conf<br />ldconfig<br />cd /usr/local/apache/conf<br />mkdir ssl.crt ssl.key ssl.csr<br />openssl req -new -out server.csr<br />openssl rsa -in privkey.pem -out server.key<br />openssl x509 -in server.csr -out server.crt -req -signkey server.key -days 365<br />rm privkey.pem<br />mv server.crt ssl.crt/<br />mv server.key ssl.key/<br />mv server.csr ssl.csr/<br />edit httpd.conf and do the following:<br />Change User and Group to “apache”<br />Uncomment “Include conf/extra/httpd-default.conf”<br />Uncomment “Include conf/extra/httpd-ssl.conf”<br />edit extras/httpd-ssl.conf and change the following (the paths don’t have the ssl.* directories by default):<br />SSLCertificateFile /usr/local/apache/conf/ssl.crt/server.crt<br />SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/server.key<br />echo “/usr/local/apache/bin/apachectl start” >> /etc/rc.d/rc.local<br />/usr/local/apache/bin/apachectl start<br />go to http://your_server and https://your_server to make sure Apache is working on both ports 80 and 443# chmod +x /etc/rc.d/rc.httpd# /etc/rc.d/rc.httpd start</div><br /><div>-----------------------------------------------------------------------------<br />Build PHP<br />cd /downloads<br />wget latest source from http://www.php.net<br />tar zxvf php-5.1.4.tar.gz<br />cd php-5.1.4<br /><span style="color:#ff0000;">./configure –prefix=/usr/local –with-config-file-path=/etc –with-apxs2=/usr/local/apache/bin/apxs –with-mysql=/usr/local/mysql –with-mysql-sock=/var/run/mysql/mysql.sock –with-mysqli=/usr/local/mysql/bin/mysql_config –with-openssl –enable-ftp –disable-debug –enable-memory-limit –enable-inline-optimization –enable-magic-quotes –enable-mbstring –enable-track-vars –enable-xml –with-dom –with-xml</span> –enable-sockets –with-zlib –with-gettext –with-pear –with-apsell<br />make<br />make install<br /><span style="color:#33ff33;">cp php.ini-recommended /etc/php.ini</span><br /><span style="color:#3366ff;">Vi /etc/php.ini and do the following:<br />change “short_open_tag” to On</span><br />change include_path to <span style="color:#6600cc;">“.:/usr/local/lib/php”<br /></span>edit /usr/local/apache/conf/httpd.conf and do the following:<br />make sure install added “LoadModule php5_module modules/libphp5.so”<br />add “index.php” to DirectoryIndex directive<br />add “AddType application/x-httpd-php .php .inc .class” to the end of the file<br />/usr/local/apache/bin/apachectl restart<br />echo “<? phpinfo(); ?>” > /usr/local/apache/htdocs/test.php<br />go to http://your_server/test.php and see if your PHP is working</div><br /><div></div><br /><div>see this </div><br /><div><span style="color:#660000;">II) Downloading PHP<br />You can download from one of the PHP </span><a href="http://www.php.net/get/php-5.2.9.tar.bz2/from/a/mirror"><span style="color:#660000;">mirrors</span></a><span style="color:#660000;">. (PHP comes in both </span><a href="http://www.php.net/get/php-5.2.9.tar.gz/from/a/mirror"><span style="color:#660000;">gzip</span></a><span style="color:#660000;"> and </span><a href="http://www.php.net/get/php-5.2.9.tar.bz2/from/a/mirror"><span style="color:#660000;">bzip2</span></a><span style="color:#660000;"> archives. This document assumes the bzip2 type.)<br />In bzip2 form, PHP 5.2.x is around 9 MB, so if you're using dial-up this will take a while.<br />As of the time of this writing, the current PHP is version 5.2.9, so the file you get is called php-5.2.9.tar.bz2 or something similar.<br />Just store this somewhere that Linux can see it.<br />III) Installing PHP<br />cd to wherever you want the PHP source to live and extract it:cd /usr/srctar jxf /where_php_tarfile_is/php-5.2.9.tar.bz2<br />Change to the PHP top directory:cd /usr/src/php-5.2.9<br />Configure PHP:(This assumes that Apache is installed in /home/httpd. If it's not there, you'll need to figure out where apxs lives.)./configure --with-mysql --with-apxs2=/home/httpd/bin/apxs<br />(NOTE: Apache must be installed with mod_so enabled.)<br />Assuming there are no error messages from configure, it's time to make and install PHP. Just type:make ; make install<br />Now, we need a php.ini file to tell PHP how to act. I just use php.ini-recommended with one change.<br />First, put php.ini in the default location:cp php.ini-recommended /usr/local/lib/php.ini<br />The only change I make is to turn off allow_url_fopen:allow_url_fopen = Off<br />(NOTE: In the wrong hands, allow_url_fopen can be very dangerous! I write PHP code to avoid its use.)<br />All that's left to do is modify the Apache configuration file: /home/httpd/conf/httpd.conf by adding the line:AddType application/x-httpd-php .php<br />While you're there, you may want to add .php indexes to the DirectoryIndex line:DirectoryIndex index.html index.php index.shtml<br />To make it all work, stop the web server:/etc/rc.d/rc.httpd stop<br /></span><span style="color:#3333ff;">Then start it again:/etc/rc.d/rc.httpd start</span> </div><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/350232546605449424-2621434968617328686?l=5lackware.blogspot.com' alt='' /></div>angereminohttp://www.blogger.com/profile/07909387683643703519noreply@blogger.com0