1 | # Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project. | |
2 | # All rights reserved. | |
3 | # | |
4 | # Redistribution and use in source and binary forms, with or without | |
5 | # modification, are permitted provided that the following conditions | |
6 | # are met: | |
7 | # 1. Redistributions of source code must retain the above copyright | |
8 | # notice, this list of conditions and the following disclaimer. | |
9 | # 2. Redistributions in binary form must reproduce the above copyright | |
10 | # notice, this list of conditions and the following disclaimer in the | |
11 | # documentation and/or other materials provided with the distribution. | |
12 | # 3. Neither the name of the project nor the names of its contributors | |
13 | # may be used to endorse or promote products derived from this software | |
14 | # without specific prior written permission. | |
15 | # | |
16 | # THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND | |
17 | # ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE | |
18 | # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE | |
19 | # ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE | |
20 | # FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL | |
21 | # DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS | |
22 | # OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) | |
23 | # HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT | |
24 | # LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY | |
25 | # OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF | |
26 | # SUCH DAMAGE. | |
27 | ||
28 | # These are sample scripts for IPsec configuration by manual keying. | |
29 | # A security association is uniquely identified by a triple consisting | |
30 | # of a Security Parameter Index (SPI), an IP Destination Address, and a | |
31 | # security protocol (AH or ESP) identifier. You must choose these | |
32 | # parameters carefully when you configure by manual keying. | |
33 | ||
34 | # ESP transport mode is recommended for TCP port number 110 between | |
35 | # Host-A and Host-B. The encryption algorithm is blowfish-cbc with the | |
36 | # key "kamekame", and the authentication algorithm is hmac-sha1 with the | |
37 | # key "this is the test key". | |
38 | # | |
39 | # ============ ESP ============ | |
40 | # | | | |
41 | # Host-A Host-B | |
42 | # fec0::10 -------------------- fec0::11 | |
43 | # | |
44 | # At Host-A and Host-B, | |
45 | spdadd fec0::10[any] fec0::11[110] tcp -P out ipsec | |
46 | esp/transport//use ; | |
47 | spdadd fec0::11[110] fec0::10[any] tcp -P in ipsec | |
48 | esp/transport//use ; | |
49 | add fec0::10 fec0::11 esp 0x10001 | |
50 | -m transport | |
51 | -E blowfish-cbc "kamekame" | |
52 | -A hmac-sha1 "this is the test key" ; | |
53 | add fec0::11 fec0::10 esp 0x10002 | |
54 | -m transport | |
55 | -E blowfish-cbc "kamekame" | |
56 | -A hmac-sha1 "this is the test key" ; | |
57 | ||
58 | # "[any]" is a wildcard for the port number. Note that "[0]" means the | |
59 | # literal port number zero, not a wildcard. | |
60 | ||
61 | # The security protocol is old AH (RFC 1826) in tunnel mode, with keyed-md5 | |
62 | # using the key "this is the test" as the authentication algorithm. | |
63 | # It is applied between Gateway-A and Gateway-B. | |
64 | # | |
65 | # ======= AH ======= | |
66 | # | | | |
67 | # Network-A Gateway-A Gateway-B Network-B | |
68 | # 10.0.1.0/24 ---- 172.16.0.1 ----- 172.16.0.2 ---- 10.0.2.0/24 | |
69 | # | |
70 | # At Gateway-A: | |
71 | spdadd 10.0.1.0/24 10.0.2.0/24 any -P out ipsec | |
72 | ah/tunnel/172.16.0.1-172.16.0.2/require ; | |
73 | spdadd 10.0.2.0/24 10.0.1.0/24 any -P in ipsec | |
74 | ah/tunnel/172.16.0.2-172.16.0.1/require ; | |
75 | add 172.16.0.1 172.16.0.2 ah-old 0x10003 | |
76 | -m any | |
77 | -A keyed-md5 "this is the test" ; | |
78 | add 172.16.0.2 172.16.0.1 ah-old 0x10004 | |
79 | -m any | |
80 | -A keyed-md5 "this is the test" ; | |
81 | ||
82 | # If the port number field is omitted, as above, "[any]" is assumed. | |
83 | # -m specifies the mode of the SA to be used. "-m any" means the mode of | |
84 | # the security protocol is a wildcard, so these SAs can be used for both | |
85 | # tunnel and transport mode. | |
86 | ||
87 | # At Gateway-B. Pay attention to the selector and the peer's IP address for the tunnel. | |
88 | spdadd 10.0.2.0/24 10.0.1.0/24 any -P out ipsec | |
89 | ah/tunnel/172.16.0.2-172.16.0.1/require ; | |
90 | spdadd 10.0.1.0/24 10.0.2.0/24 any -P in ipsec | |
91 | ah/tunnel/172.16.0.1-172.16.0.2/require ; | |
92 | add 172.16.0.1 172.16.0.2 ah-old 0x10003 | |
93 | -m tunnel | |
94 | -A keyed-md5 "this is the test" ; | |
95 | add 172.16.0.2 172.16.0.1 ah-old 0x10004 | |
96 | -m tunnel | |
97 | -A keyed-md5 "this is the test" ; | |
98 | ||
99 | # AH transport mode followed by ESP tunnel mode is required between | |
100 | # Gateway-A and Gateway-B. | |
101 | # The encryption algorithm is 3des-cbc, and the authentication algorithm | |
102 | # for ESP is hmac-sha1. The authentication algorithm for AH is hmac-md5. | |
103 | # | |
104 | # ========== AH ========= | |
105 | # | ======= ESP ===== | | |
106 | # | | | | | |
107 | # Network-A Gateway-A Gateway-B Network-B | |
108 | # fec0:0:0:1::/64 --- fec0:0:0:1::1 ---- fec0:0:0:2::1 --- fec0:0:0:2::/64 | |
109 | # | |
110 | # At Gateway-A: | |
111 | spdadd fec0:0:0:1::/64 fec0:0:0:2::/64 any -P out ipsec | |
112 | esp/tunnel/fec0:0:0:1::1-fec0:0:0:2::1/require | |
113 | ah/transport//require ; | |
114 | spdadd fec0:0:0:2::/64 fec0:0:0:1::/64 any -P in ipsec | |
115 | esp/tunnel/fec0:0:0:2::1-fec0:0:0:1::1/require | |
116 | ah/transport//require ; | |
117 | add fec0:0:0:1::1 fec0:0:0:2::1 esp 0x10001 | |
118 | -m tunnel | |
119 | -E 3des-cbc "kamekame12341234kame1234" | |
120 | -A hmac-sha1 "this is the test key" ; | |
121 | add fec0:0:0:1::1 fec0:0:0:2::1 ah 0x10001 | |
122 | -m transport | |
123 | -A hmac-md5 "this is the test" ; | |
124 | add fec0:0:0:2::1 fec0:0:0:1::1 esp 0x10001 | |
125 | -m tunnel | |
126 | -E 3des-cbc "kamekame12341234kame1234" | |
127 | -A hmac-sha1 "this is the test key" ; | |
128 | add fec0:0:0:2::1 fec0:0:0:1::1 ah 0x10001 | |
129 | -m transport | |
130 | -A hmac-md5 "this is the test" ; | |
131 | ||
132 | # ESP tunnel mode is required between Host-A and Gateway-A. | |
133 | # The encryption algorithm is cast128-cbc, and the authentication algorithm | |
134 | # for ESP is hmac-sha1. | |
135 | # ESP transport mode is recommended between Host-A and Host-B. | |
136 | # The encryption algorithm is rc5-cbc, and the authentication algorithm | |
137 | # for ESP is hmac-md5. Note that the SA entries below disagree with this description: the transport SAs between Host-A and Host-B (SPI 0x10001, 0x10003) use cast128-cbc/hmac-sha1, while the SAs between Host-A and Gateway-A (SPI 0x10002, 0x10004) use rc5-cbc/hmac-md5 and do not specify -m tunnel. | |
138 | # | |
139 | # ================== ESP ================= | |
140 | # | ======= ESP ======= | | |
141 | # | | | | | |
142 | # Host-A Gateway-A Host-B | |
143 | # fec0:0:0:1::1 ---- fec0:0:0:2::1 ---- fec0:0:0:2::2 | |
144 | # | |
145 | # At Host-A: | |
146 | spdadd fec0:0:0:1::1[any] fec0:0:0:2::2[80] tcp -P out ipsec | |
147 | esp/transport//use | |
148 | esp/tunnel/fec0:0:0:1::1-fec0:0:0:2::1/require ; | |
149 | spdadd fec0:0:0:2::1[80] fec0:0:0:1::1[any] tcp -P in ipsec | |
150 | esp/transport//use | |
151 | esp/tunnel/fec0:0:0:2::1-fec0:0:0:1::1/require ; | |
152 | add fec0:0:0:1::1 fec0:0:0:2::2 esp 0x10001 | |
153 | -m transport | |
154 | -E cast128-cbc "12341234" | |
155 | -A hmac-sha1 "this is the test key" ; | |
156 | add fec0:0:0:1::1 fec0:0:0:2::1 esp 0x10002 | |
157 | -E rc5-cbc "kamekame" | |
158 | -A hmac-md5 "this is the test" ; | |
159 | add fec0:0:0:2::2 fec0:0:0:1::1 esp 0x10003 | |
160 | -m transport | |
161 | -E cast128-cbc "12341234" | |
162 | -A hmac-sha1 "this is the test key" ; | |
163 | add fec0:0:0:2::1 fec0:0:0:1::1 esp 0x10004 | |
164 | -E rc5-cbc "kamekame" | |
165 | -A hmac-md5 "this is the test" ; | |
166 | ||
167 | # With the "get" command, you can get an entry of either SP or SA. | |
168 | get fec0:0:0:1::1 fec0:0:0:2::2 ah 0x10004 ; | |
169 | ||
170 | # Likewise, with the delete command, you can delete an entry of either SP (spddelete) or SA (delete). | |
171 | spddelete fec0:0:0:1::/64 fec0:0:0:2::/64 any -P out; | |
172 | delete fec0:0:0:1::1 fec0:0:0:2::2 ah 0x10004 ; | |
173 | ||
174 | # With the dump command, you can dump all entries of either SP (spddump) or SA (dump). | |
175 | dump ; | |
176 | spddump ; | |
177 | dump esp ; | |
178 | flush esp ; | |
179 | ||
180 | # With the flush command, you can flush all entries of either SP (spdflush) or SA (flush). | |
181 | flush ; | |
182 | spdflush ; | |
183 | ||
184 | # The "flush" and "dump" commands can be restricted to a single security protocol. | |
185 | dump esp ; | |
186 | flush ah ; | |
187 | ||
188 | # XXX | |
189 | add ::1 ::1 esp 10001 -m transport -E null ; | |
190 | add ::1 ::1 esp 10002 -m transport -E des-deriv "12341234" ; | |
191 | add ::1 ::1 esp-old 10003 -m transport -E des-32iv "12341234" ; | |
192 | add ::1 ::1 esp 10004 -m transport -E null -A null ; | |
193 | add ::1 ::1 esp 10005 -m transport -E null -A hmac-md5 "1234123412341234" ; | |
194 | add ::1 ::1 esp 10006 -m tunnel -E null -A hmac-sha1 "12341234123412341234" ; | |
195 | add ::1 ::1 esp 10007 -m transport -E null -A keyed-md5 "1234123412341234" ; | |
196 | add ::1 ::1 esp 10008 -m any -E null -A keyed-sha1 "12341234123412341234" ; | |
197 | add ::1 ::1 esp 10009 -m transport -E des-cbc "testtest" ; | |
198 | add ::1 ::1 esp 10010 -m transport -E 3des-cbc "testtest12341234testtest" ; | |
199 | add ::1 ::1 esp 10011 -m tunnel -E cast128-cbc "testtest1234" ; | |
200 | add ::1 ::1 esp 10012 -m tunnel -E blowfish-cbc "testtest1234" ; | |
201 | add ::1 ::1 esp 10013 -m tunnel -E rc5-cbc "testtest1234" ; | |
202 | add ::1 ::1 esp 10014 -m any -E rc5-cbc "testtest1234" ; | |
203 | add ::1 ::1 esp 10015 -m transport -f zero-pad -E null ; | |
204 | add ::1 ::1 esp 10016 -m tunnel -f random-pad -r 8 -lh 100 -ls 80 -E null ; | |
205 | add ::1 ::1 esp 10017 -m transport -f seq-pad -f nocyclic-seq -E null ; | |
206 | add ::1 ::1 esp 10018 -m transport -E null ; | |
207 | #add ::1 ::1 ah 20000 -m transport -A null ; | |
208 | add ::1 ::1 ah 20001 -m any -A hmac-md5 "1234123412341234"; | |
209 | add ::1 ::1 ah 20002 -m tunnel -A hmac-sha1 "12341234123412341234"; | |
210 | add ::1 ::1 ah 20003 -m transport -A keyed-md5 "1234123412341234"; | |
211 | add ::1 ::1 ah-old 20004 -m transport -A keyed-md5 "1234123412341234"; | |
212 | add ::1 ::1 ah 20005 -m transport -A keyed-sha1 "12341234123412341234"; | |
213 | #add ::1 ::1 ipcomp 30000 -C oui ; | |
214 | add ::1 ::1 ipcomp 30001 -C deflate ; | |
215 | #add ::1 ::1 ipcomp 30002 -C lzs ; | |
216 | ||
217 | # enjoy. |