[apple/ipsec.git] / ipsec-tools / setkey / Sample / sample.cf

# Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
# All rights reserved.
# 
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
# 1. Redistributions of source code must retain the above copyright
#    notice, this list of conditions and the following disclaimer.
# 2. Redistributions in binary form must reproduce the above copyright
#    notice, this list of conditions and the following disclaimer in the
#    documentation and/or other materials provided with the distribution.
# 3. Neither the name of the project nor the names of its contributors
#    may be used to endorse or promote products derived from this software
#    without specific prior written permission.
# 
# THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
# SUCH DAMAGE.

# There are sample scripts for IPsec configuration by manual keying.
# A security association is uniquely identified by a triple consisting
# of a Security Parameter Index (SPI), an IP Destination Address, and a
# security protocol (AH or ESP) identifier.  You must take care of these
# parameters when you configure by manual keying.

# ESP transport mode is recommended for TCP port number 110 between
# Host-A and Host-B. Encryption algorithm is blowfish-cbc whose key
# is "kamekame", and authentication algorithm is hmac-sha1 whose key
# is "this is the test key".
#
#       ============ ESP ============
#       |                           |
#    Host-A                        Host-B
#   fec0::10 -------------------- fec0::11
#
# At Host-A and Host-B,
spdadd fec0::10[any] fec0::11[110] tcp -P out ipsec
	esp/transport//use ;
spdadd fec0::11[110] fec0::10[any] tcp -P in ipsec
	esp/transport//use ;
add fec0::10 fec0::11 esp 0x10001
	-m transport
	-E blowfish-cbc "kamekame"
	-A hmac-sha1 "this is the test key" ;
add fec0::11 fec0::10 esp 0x10002
	-m transport
	-E blowfish-cbc "kamekame"
	-A hmac-sha1 "this is the test key" ;

# "[any]" is wildcard of port number.  Note that "[0]" is the number of
# zero in port number.

# Security protocol is old AH tunnel mode, i.e. RFC1826, with keyed-md5
# whose key is "this is the test" as authentication algorithm.
# That protocol takes place between Gateway-A and Gateway-B.
#
#                        ======= AH =======
#                        |                |
#    Network-A       Gateway-A        Gateway-B        Network-B
#   10.0.1.0/24 ---- 172.16.0.1 ----- 172.16.0.2 ---- 10.0.2.0/24
#
# At Gateway-A:
spdadd 10.0.1.0/24 10.0.2.0/24 any -P out ipsec
	ah/tunnel/172.16.0.1-172.16.0.2/require ;
spdadd 10.0.2.0/24 10.0.1.0/24 any -P in ipsec
	ah/tunnel/172.16.0.2-172.16.0.1/require ;
add 172.16.0.1 172.16.0.2 ah-old 0x10003
	-m any
	-A keyed-md5 "this is the test" ;
add 172.16.0.2 172.16.0.1 ah-old 0x10004
	-m any
	-A keyed-md5 "this is the test" ;

# If port number field is omitted such above then "[any]" is employed.
# -m specifies the mode of SA to be used.  "-m any" means wildcard of
# mode of security protocol.  You can use this SAs for both tunnel and
# transport mode.

# At Gateway-B.  Attention to the selector and peer's IP address for tunnel.
spdadd 10.0.2.0/24 10.0.1.0/24 any -P out ipsec
	ah/tunnel/172.16.0.2-172.16.0.1/require ;
spdadd 10.0.1.0/24 10.0.2.0/24 any -P in ipsec
	ah/tunnel/172.16.0.1-172.16.0.2/require ;
add 172.16.0.1 172.16.0.2 ah-old 0x10003
	-m tunnel
	-A keyed-md5 "this is the test" ;
add 172.16.0.2 172.16.0.1 ah-old 0x10004
	-m tunnel
	-A keyed-md5 "this is the test" ;

# AH transport mode followed by ESP tunnel mode is required between
# Gateway-A and Gateway-B.
# Encryption algorithm is 3des-cbc, and authentication algorithm for ESP
# is hmac-sha1.  Authentication algorithm for AH is hmac-md5.
#
#                           ========== AH =========
#                           |  ======= ESP =====  |
#                           |  |               |  |
#      Network-A          Gateway-A        Gateway-B           Network-B
#   fec0:0:0:1::/64 --- fec0:0:0:1::1 ---- fec0:0:0:2::1 --- fec0:0:0:2::/64
#
# At Gateway-A:
spdadd fec0:0:0:1::/64 fec0:0:0:2::/64 any -P out ipsec
	esp/tunnel/fec0:0:0:1::1-fec0:0:0:2::1/require
	ah/transport//require ;
spdadd fec0:0:0:2::/64 fec0:0:0:1::/64 any -P in ipsec
	esp/tunnel/fec0:0:0:2::1-fec0:0:0:1::1/require
	ah/transport//require ;
add fec0:0:0:1::1 fec0:0:0:2::1 esp 0x10001
	-m tunnel
	-E 3des-cbc "kamekame12341234kame1234"
	-A hmac-sha1 "this is the test key" ;
add fec0:0:0:1::1 fec0:0:0:2::1 ah 0x10001
	-m transport
	-A hmac-md5 "this is the test" ;
add fec0:0:0:2::1 fec0:0:0:1::1 esp 0x10001
	-m tunnel
	-E 3des-cbc "kamekame12341234kame1234"
	-A hmac-sha1 "this is the test key" ;
add fec0:0:0:2::1 fec0:0:0:1::1 ah 0x10001
	-m transport
	-A hmac-md5 "this is the test" ;

# ESP tunnel mode is required between Host-A and Gateway-A.
# Encryption algorithm is cast128-cbc, and authentication algorithm
# for ESP is hmac-sha1.
# ESP transport mode is recommended between Host-A and Host-B.
# Encryption algorithm is rc5-cbc,  and authentication algorithm
# for ESP is hmac-md5.
#
#       ================== ESP =================
#       |  ======= ESP =======                 |
#       |  |                 |                 |
#      Host-A            Gateway-A           Host-B
#   fec0:0:0:1::1 ---- fec0:0:0:2::1 ---- fec0:0:0:2::2
#
# At Host-A:
spdadd fec0:0:0:1::1[any] fec0:0:0:2::2[80] tcp -P out ipsec
	esp/transport//use
	esp/tunnel/fec0:0:0:1::1-fec0:0:0:2::1/require ;
spdadd fec0:0:0:2::1[80] fec0:0:0:1::1[any] tcp -P in ipsec
	esp/transport//use
	esp/tunnel/fec0:0:0:2::1-fec0:0:0:1::1/require ;
add fec0:0:0:1::1 fec0:0:0:2::2 esp 0x10001
	-m transport
	-E cast128-cbc "12341234"
	-A hmac-sha1 "this is the test key" ;
add fec0:0:0:1::1 fec0:0:0:2::1 esp 0x10002
	-E rc5-cbc "kamekame"
	-A hmac-md5 "this is the test" ;
add fec0:0:0:2::2 fec0:0:0:1::1 esp 0x10003
	-m transport
	-E cast128-cbc "12341234"
	-A hmac-sha1 "this is the test key" ;
add fec0:0:0:2::1 fec0:0:0:1::1 esp 0x10004
	-E rc5-cbc "kamekame"
	-A hmac-md5 "this is the test" ;

# By "get" command, you can get a entry of either SP or SA.
get fec0:0:0:1::1 fec0:0:0:2::2 ah 0x10004 ;

# Also delete command, you can delete a entry of either SP or SA.
spddelete fec0:0:0:1::/64 fec0:0:0:2::/64 any -P out;
delete fec0:0:0:1::1 fec0:0:0:2::2 ah 0x10004 ;

# By dump command, you can dump all entry of either SP or SA.
dump ;
spddump ;
dump esp ;
flush esp ;

# By flush command, you can flush all entry of either SP or SA.
flush ;
spdflush ;

# "flush" and "dump" commands can specify a security protocol.
dump esp ;
flush ah ;

# XXX
add ::1 ::1 esp 10001 -m transport -E null ;
add ::1 ::1 esp 10002 -m transport -E des-deriv "12341234" ;
add ::1 ::1 esp-old 10003 -m transport -E des-32iv "12341234" ;
add ::1 ::1 esp 10004 -m transport -E null -A null ;
add ::1 ::1 esp 10005 -m transport -E null -A hmac-md5 "1234123412341234" ;
add ::1 ::1 esp 10006 -m tunnel -E null -A hmac-sha1 "12341234123412341234" ;
add ::1 ::1 esp 10007 -m transport -E null -A keyed-md5 "1234123412341234" ;
add ::1 ::1 esp 10008 -m any -E null -A keyed-sha1 "12341234123412341234" ;
add ::1 ::1 esp 10009 -m transport -E des-cbc "testtest" ;
add ::1 ::1 esp 10010 -m transport -E 3des-cbc "testtest12341234testtest" ;
add ::1 ::1 esp 10011 -m tunnel -E cast128-cbc "testtest1234" ;
add ::1 ::1 esp 10012 -m tunnel -E blowfish-cbc "testtest1234" ;
add ::1 ::1 esp 10013 -m tunnel -E rc5-cbc "testtest1234" ;
add ::1 ::1 esp 10014 -m any -E rc5-cbc "testtest1234" ;
add ::1 ::1 esp 10015 -m transport -f zero-pad -E null ;
add ::1 ::1 esp 10016 -m tunnel -f random-pad -r 8 -lh 100 -ls 80 -E null ;
add ::1 ::1 esp 10017 -m transport -f seq-pad -f nocyclic-seq -E null ;
add ::1 ::1 esp 10018 -m transport -E null ;
#add ::1 ::1 ah 20000 -m transport -A null ;
add ::1 ::1 ah 20001 -m any -A hmac-md5 "1234123412341234";
add ::1 ::1 ah 20002 -m tunnel -A hmac-sha1 "12341234123412341234";
add ::1 ::1 ah 20003 -m transport -A keyed-md5 "1234123412341234";
add ::1 ::1 ah-old 20004 -m transport -A keyed-md5 "1234123412341234";
add ::1 ::1 ah 20005 -m transport -A keyed-sha1 "12341234123412341234";
#add ::1 ::1 ipcomp 30000 -C oui ;
add ::1 ::1 ipcomp 30001 -C deflate ;
#add ::1 ::1 ipcomp 30002 -C lzs ;

# enjoy.
Commit	Line	Data
52b7d2ce A	1	# Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
	2	# All rights reserved.
	3	#
	4	# Redistribution and use in source and binary forms, with or without
	5	# modification, are permitted provided that the following conditions
	6	# are met:
	7	# 1. Redistributions of source code must retain the above copyright
	8	# notice, this list of conditions and the following disclaimer.
	9	# 2. Redistributions in binary form must reproduce the above copyright
	10	# notice, this list of conditions and the following disclaimer in the
	11	# documentation and/or other materials provided with the distribution.
	12	# 3. Neither the name of the project nor the names of its contributors
	13	# may be used to endorse or promote products derived from this software
	14	# without specific prior written permission.
	15	#
	16	# THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
	17	# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
	18	# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
	19	# ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
	20	# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
	21	# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
	22	# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
	23	# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
	24	# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
	25	# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
	26	# SUCH DAMAGE.
	27
	28	# There are sample scripts for IPsec configuration by manual keying.
	29	# A security association is uniquely identified by a triple consisting
	30	# of a Security Parameter Index (SPI), an IP Destination Address, and a
	31	# security protocol (AH or ESP) identifier. You must take care of these
	32	# parameters when you configure by manual keying.
	33
	34	# ESP transport mode is recommended for TCP port number 110 between
	35	# Host-A and Host-B. Encryption algorithm is blowfish-cbc whose key
	36	# is "kamekame", and authentication algorithm is hmac-sha1 whose key
	37	# is "this is the test key".
	38	#
	39	# ============ ESP ============
	40	# \| \|
	41	# Host-A Host-B
	42	# fec0::10 -------------------- fec0::11
	43	#
	44	# At Host-A and Host-B,
	45	spdadd fec0::10[any] fec0::11[110] tcp -P out ipsec
	46	esp/transport//use ;
	47	spdadd fec0::11[110] fec0::10[any] tcp -P in ipsec
	48	esp/transport//use ;
	49	add fec0::10 fec0::11 esp 0x10001
	50	-m transport
	51	-E blowfish-cbc "kamekame"
	52	-A hmac-sha1 "this is the test key" ;
	53	add fec0::11 fec0::10 esp 0x10002
	54	-m transport
	55	-E blowfish-cbc "kamekame"
	56	-A hmac-sha1 "this is the test key" ;
	57
	58	# "[any]" is wildcard of port number. Note that "[0]" is the number of
	59	# zero in port number.
	60
	61	# Security protocol is old AH tunnel mode, i.e. RFC1826, with keyed-md5
	62	# whose key is "this is the test" as authentication algorithm.
	63	# That protocol takes place between Gateway-A and Gateway-B.
	64	#
65	# ======= AH =======
66	# \| \|
67	# Network-A Gateway-A Gateway-B Network-B
68	# 10.0.1.0/24 ---- 172.16.0.1 ----- 172.16.0.2 ---- 10.0.2.0/24
69	#
70	# At Gateway-A:
71	spdadd 10.0.1.0/24 10.0.2.0/24 any -P out ipsec
72	ah/tunnel/172.16.0.1-172.16.0.2/require ;
73	spdadd 10.0.2.0/24 10.0.1.0/24 any -P in ipsec
74	ah/tunnel/172.16.0.2-172.16.0.1/require ;
75	add 172.16.0.1 172.16.0.2 ah-old 0x10003
76	-m any
77	-A keyed-md5 "this is the test" ;
78	add 172.16.0.2 172.16.0.1 ah-old 0x10004
79	-m any
80	-A keyed-md5 "this is the test" ;
81
82	# If port number field is omitted such above then "[any]" is employed.
83	# -m specifies the mode of SA to be used. "-m any" means wildcard of
84	# mode of security protocol. You can use this SAs for both tunnel and
85	# transport mode.
86
87	# At Gateway-B. Attention to the selector and peer's IP address for tunnel.
88	spdadd 10.0.2.0/24 10.0.1.0/24 any -P out ipsec
89	ah/tunnel/172.16.0.2-172.16.0.1/require ;
90	spdadd 10.0.1.0/24 10.0.2.0/24 any -P in ipsec
91	ah/tunnel/172.16.0.1-172.16.0.2/require ;
92	add 172.16.0.1 172.16.0.2 ah-old 0x10003
93	-m tunnel
94	-A keyed-md5 "this is the test" ;
95	add 172.16.0.2 172.16.0.1 ah-old 0x10004
96	-m tunnel
97	-A keyed-md5 "this is the test" ;
98
99	# AH transport mode followed by ESP tunnel mode is required between
100	# Gateway-A and Gateway-B.
101	# Encryption algorithm is 3des-cbc, and authentication algorithm for ESP
102	# is hmac-sha1. Authentication algorithm for AH is hmac-md5.
103	#
104	# ========== AH =========
105	# \| ======= ESP ===== \|
106	# \| \| \| \|
107	# Network-A Gateway-A Gateway-B Network-B
108	# fec0:0:0:1::/64 --- fec0:0:0:1::1 ---- fec0:0:0:2::1 --- fec0:0:0:2::/64
109	#
110	# At Gateway-A:
111	spdadd fec0:0:0:1::/64 fec0:0:0:2::/64 any -P out ipsec
112	esp/tunnel/fec0:0:0:1::1-fec0:0:0:2::1/require
113	ah/transport//require ;
114	spdadd fec0:0:0:2::/64 fec0:0:0:1::/64 any -P in ipsec
115	esp/tunnel/fec0:0:0:2::1-fec0:0:0:1::1/require
116	ah/transport//require ;
117	add fec0:0:0:1::1 fec0:0:0:2::1 esp 0x10001
118	-m tunnel
119	-E 3des-cbc "kamekame12341234kame1234"
120	-A hmac-sha1 "this is the test key" ;
121	add fec0:0:0:1::1 fec0:0:0:2::1 ah 0x10001
122	-m transport
123	-A hmac-md5 "this is the test" ;
124	add fec0:0:0:2::1 fec0:0:0:1::1 esp 0x10001
125	-m tunnel
126	-E 3des-cbc "kamekame12341234kame1234"
127	-A hmac-sha1 "this is the test key" ;
128	add fec0:0:0:2::1 fec0:0:0:1::1 ah 0x10001
129	-m transport
130	-A hmac-md5 "this is the test" ;
131
132	# ESP tunnel mode is required between Host-A and Gateway-A.
133	# Encryption algorithm is cast128-cbc, and authentication algorithm
134	# for ESP is hmac-sha1.
135	# ESP transport mode is recommended between Host-A and Host-B.
136	# Encryption algorithm is rc5-cbc, and authentication algorithm
137	# for ESP is hmac-md5.
138	#
139	# ================== ESP =================
140	# \| ======= ESP ======= \|
141	# \| \| \| \|
142	# Host-A Gateway-A Host-B
143	# fec0:0:0:1::1 ---- fec0:0:0:2::1 ---- fec0:0:0:2::2
144	#
145	# At Host-A:
146	spdadd fec0:0:0:1::1[any] fec0:0:0:2::2[80] tcp -P out ipsec
147	esp/transport//use
148	esp/tunnel/fec0:0:0:1::1-fec0:0:0:2::1/require ;
149	spdadd fec0:0:0:2::1[80] fec0:0:0:1::1[any] tcp -P in ipsec
150	esp/transport//use
151	esp/tunnel/fec0:0:0:2::1-fec0:0:0:1::1/require ;
152	add fec0:0:0:1::1 fec0:0:0:2::2 esp 0x10001
153	-m transport
154	-E cast128-cbc "12341234"
155	-A hmac-sha1 "this is the test key" ;
156	add fec0:0:0:1::1 fec0:0:0:2::1 esp 0x10002
157	-E rc5-cbc "kamekame"
158	-A hmac-md5 "this is the test" ;
159	add fec0:0:0:2::2 fec0:0:0:1::1 esp 0x10003
160	-m transport
161	-E cast128-cbc "12341234"
162	-A hmac-sha1 "this is the test key" ;
163	add fec0:0:0:2::1 fec0:0:0:1::1 esp 0x10004
164	-E rc5-cbc "kamekame"
165	-A hmac-md5 "this is the test" ;
166
167	# By "get" command, you can get a entry of either SP or SA.
168	get fec0:0:0:1::1 fec0:0:0:2::2 ah 0x10004 ;
169
170	# Also delete command, you can delete a entry of either SP or SA.
171	spddelete fec0:0:0:1::/64 fec0:0:0:2::/64 any -P out;
172	delete fec0:0:0:1::1 fec0:0:0:2::2 ah 0x10004 ;
173
174	# By dump command, you can dump all entry of either SP or SA.
175	dump ;
176	spddump ;
177	dump esp ;
178	flush esp ;
179
180	# By flush command, you can flush all entry of either SP or SA.
181	flush ;
182	spdflush ;
183
184	# "flush" and "dump" commands can specify a security protocol.
185	dump esp ;
186	flush ah ;
187
188	# XXX
189	add ::1 ::1 esp 10001 -m transport -E null ;
190	add ::1 ::1 esp 10002 -m transport -E des-deriv "12341234" ;
191	add ::1 ::1 esp-old 10003 -m transport -E des-32iv "12341234" ;
192	add ::1 ::1 esp 10004 -m transport -E null -A null ;
193	add ::1 ::1 esp 10005 -m transport -E null -A hmac-md5 "1234123412341234" ;
194	add ::1 ::1 esp 10006 -m tunnel -E null -A hmac-sha1 "12341234123412341234" ;
195	add ::1 ::1 esp 10007 -m transport -E null -A keyed-md5 "1234123412341234" ;
196	add ::1 ::1 esp 10008 -m any -E null -A keyed-sha1 "12341234123412341234" ;
197	add ::1 ::1 esp 10009 -m transport -E des-cbc "testtest" ;
198	add ::1 ::1 esp 10010 -m transport -E 3des-cbc "testtest12341234testtest" ;
199	add ::1 ::1 esp 10011 -m tunnel -E cast128-cbc "testtest1234" ;
200	add ::1 ::1 esp 10012 -m tunnel -E blowfish-cbc "testtest1234" ;
201	add ::1 ::1 esp 10013 -m tunnel -E rc5-cbc "testtest1234" ;
202	add ::1 ::1 esp 10014 -m any -E rc5-cbc "testtest1234" ;
203	add ::1 ::1 esp 10015 -m transport -f zero-pad -E null ;
204	add ::1 ::1 esp 10016 -m tunnel -f random-pad -r 8 -lh 100 -ls 80 -E null ;
205	add ::1 ::1 esp 10017 -m transport -f seq-pad -f nocyclic-seq -E null ;
206	add ::1 ::1 esp 10018 -m transport -E null ;
207	#add ::1 ::1 ah 20000 -m transport -A null ;
208	add ::1 ::1 ah 20001 -m any -A hmac-md5 "1234123412341234";
209	add ::1 ::1 ah 20002 -m tunnel -A hmac-sha1 "12341234123412341234";
210	add ::1 ::1 ah 20003 -m transport -A keyed-md5 "1234123412341234";
211	add ::1 ::1 ah-old 20004 -m transport -A keyed-md5 "1234123412341234";
212	add ::1 ::1 ah 20005 -m transport -A keyed-sha1 "12341234123412341234";
213	#add ::1 ::1 ipcomp 30000 -C oui ;
214	add ::1 ::1 ipcomp 30001 -C deflate ;
215	#add ::1 ::1 ipcomp 30002 -C lzs ;
216
217	# enjoy.