]> git.saurik.com Git - apple/ipsec.git/blob - ipsec-tools/setkey/Sample/sample.cf
projects / apple / ipsec.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
ipsec-164.9.tar.gz
[apple/ipsec.git] / ipsec-tools / setkey / Sample / sample.cf
1 # Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
2 # All rights reserved.
3 #
4 # Redistribution and use in source and binary forms, with or without
5 # modification, are permitted provided that the following conditions
6 # are met:
7 # 1. Redistributions of source code must retain the above copyright
8 # notice, this list of conditions and the following disclaimer.
9 # 2. Redistributions in binary form must reproduce the above copyright
10 # notice, this list of conditions and the following disclaimer in the
11 # documentation and/or other materials provided with the distribution.
12 # 3. Neither the name of the project nor the names of its contributors
13 # may be used to endorse or promote products derived from this software
14 # without specific prior written permission.
15 #
16 # THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
17 # ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
18 # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
19 # ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
20 # FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
21 # DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
22 # OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
23 # HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
24 # LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
25 # OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
26 # SUCH DAMAGE.
27
28 # There are sample scripts for IPsec configuration by manual keying.
29 # A security association is uniquely identified by a triple consisting
30 # of a Security Parameter Index (SPI), an IP Destination Address, and a
31 # security protocol (AH or ESP) identifier. You must take care of these
32 # parameters when you configure by manual keying.
33
34 # ESP transport mode is recommended for TCP port number 110 between
35 # Host-A and Host-B. Encryption algorithm is blowfish-cbc whose key
36 # is "kamekame", and authentication algorithm is hmac-sha1 whose key
37 # is "this is the test key".
38 #
39 # ============ ESP ============
40 # | |
41 # Host-A Host-B
42 # fec0::10 -------------------- fec0::11
43 #
44 # At Host-A and Host-B,
45 spdadd fec0::10[any] fec0::11[110] tcp -P out ipsec
46 esp/transport//use ;
47 spdadd fec0::11[110] fec0::10[any] tcp -P in ipsec
48 esp/transport//use ;
49 add fec0::10 fec0::11 esp 0x10001
50 -m transport
51 -E blowfish-cbc "kamekame"
52 -A hmac-sha1 "this is the test key" ;
53 add fec0::11 fec0::10 esp 0x10002
54 -m transport
55 -E blowfish-cbc "kamekame"
56 -A hmac-sha1 "this is the test key" ;
57
58 # "[any]" is wildcard of port number. Note that "[0]" is the number of
59 # zero in port number.
60
61 # Security protocol is old AH tunnel mode, i.e. RFC1826, with keyed-md5
62 # whose key is "this is the test" as authentication algorithm.
63 # That protocol takes place between Gateway-A and Gateway-B.
64 #
65 # ======= AH =======
66 # | |
67 # Network-A Gateway-A Gateway-B Network-B
68 # 10.0.1.0/24 ---- 172.16.0.1 ----- 172.16.0.2 ---- 10.0.2.0/24
69 #
70 # At Gateway-A:
71 spdadd 10.0.1.0/24 10.0.2.0/24 any -P out ipsec
72 ah/tunnel/172.16.0.1-172.16.0.2/require ;
73 spdadd 10.0.2.0/24 10.0.1.0/24 any -P in ipsec
74 ah/tunnel/172.16.0.2-172.16.0.1/require ;
75 add 172.16.0.1 172.16.0.2 ah-old 0x10003
76 -m any
77 -A keyed-md5 "this is the test" ;
78 add 172.16.0.2 172.16.0.1 ah-old 0x10004
79 -m any
80 -A keyed-md5 "this is the test" ;
81
82 # If port number field is omitted such above then "[any]" is employed.
83 # -m specifies the mode of SA to be used. "-m any" means wildcard of
84 # mode of security protocol. You can use this SAs for both tunnel and
85 # transport mode.
86
87 # At Gateway-B. Attention to the selector and peer's IP address for tunnel.
88 spdadd 10.0.2.0/24 10.0.1.0/24 any -P out ipsec
89 ah/tunnel/172.16.0.2-172.16.0.1/require ;
90 spdadd 10.0.1.0/24 10.0.2.0/24 any -P in ipsec
91 ah/tunnel/172.16.0.1-172.16.0.2/require ;
92 add 172.16.0.1 172.16.0.2 ah-old 0x10003
93 -m tunnel
94 -A keyed-md5 "this is the test" ;
95 add 172.16.0.2 172.16.0.1 ah-old 0x10004
96 -m tunnel
97 -A keyed-md5 "this is the test" ;
98
99 # AH transport mode followed by ESP tunnel mode is required between
100 # Gateway-A and Gateway-B.
101 # Encryption algorithm is 3des-cbc, and authentication algorithm for ESP
102 # is hmac-sha1. Authentication algorithm for AH is hmac-md5.
103 #
104 # ========== AH =========
105 # | ======= ESP ===== |
106 # | | | |
107 # Network-A Gateway-A Gateway-B Network-B
108 # fec0:0:0:1::/64 --- fec0:0:0:1::1 ---- fec0:0:0:2::1 --- fec0:0:0:2::/64
109 #
110 # At Gateway-A:
111 spdadd fec0:0:0:1::/64 fec0:0:0:2::/64 any -P out ipsec
112 esp/tunnel/fec0:0:0:1::1-fec0:0:0:2::1/require
113 ah/transport//require ;
114 spdadd fec0:0:0:2::/64 fec0:0:0:1::/64 any -P in ipsec
115 esp/tunnel/fec0:0:0:2::1-fec0:0:0:1::1/require
116 ah/transport//require ;
117 add fec0:0:0:1::1 fec0:0:0:2::1 esp 0x10001
118 -m tunnel
119 -E 3des-cbc "kamekame12341234kame1234"
120 -A hmac-sha1 "this is the test key" ;
121 add fec0:0:0:1::1 fec0:0:0:2::1 ah 0x10001
122 -m transport
123 -A hmac-md5 "this is the test" ;
124 add fec0:0:0:2::1 fec0:0:0:1::1 esp 0x10001
125 -m tunnel
126 -E 3des-cbc "kamekame12341234kame1234"
127 -A hmac-sha1 "this is the test key" ;
128 add fec0:0:0:2::1 fec0:0:0:1::1 ah 0x10001
129 -m transport
130 -A hmac-md5 "this is the test" ;
131
132 # ESP tunnel mode is required between Host-A and Gateway-A.
133 # Encryption algorithm is cast128-cbc, and authentication algorithm
134 # for ESP is hmac-sha1.
135 # ESP transport mode is recommended between Host-A and Host-B.
136 # Encryption algorithm is rc5-cbc, and authentication algorithm
137 # for ESP is hmac-md5.
138 #
139 # ================== ESP =================
140 # | ======= ESP ======= |
141 # | | | |
142 # Host-A Gateway-A Host-B
143 # fec0:0:0:1::1 ---- fec0:0:0:2::1 ---- fec0:0:0:2::2
144 #
145 # At Host-A:
146 spdadd fec0:0:0:1::1[any] fec0:0:0:2::2[80] tcp -P out ipsec
147 esp/transport//use
148 esp/tunnel/fec0:0:0:1::1-fec0:0:0:2::1/require ;
149 spdadd fec0:0:0:2::1[80] fec0:0:0:1::1[any] tcp -P in ipsec
150 esp/transport//use
151 esp/tunnel/fec0:0:0:2::1-fec0:0:0:1::1/require ;
152 add fec0:0:0:1::1 fec0:0:0:2::2 esp 0x10001
153 -m transport
154 -E cast128-cbc "12341234"
155 -A hmac-sha1 "this is the test key" ;
156 add fec0:0:0:1::1 fec0:0:0:2::1 esp 0x10002
157 -E rc5-cbc "kamekame"
158 -A hmac-md5 "this is the test" ;
159 add fec0:0:0:2::2 fec0:0:0:1::1 esp 0x10003
160 -m transport
161 -E cast128-cbc "12341234"
162 -A hmac-sha1 "this is the test key" ;
163 add fec0:0:0:2::1 fec0:0:0:1::1 esp 0x10004
164 -E rc5-cbc "kamekame"
165 -A hmac-md5 "this is the test" ;
166
167 # By "get" command, you can get a entry of either SP or SA.
168 get fec0:0:0:1::1 fec0:0:0:2::2 ah 0x10004 ;
169
170 # Also delete command, you can delete a entry of either SP or SA.
171 spddelete fec0:0:0:1::/64 fec0:0:0:2::/64 any -P out;
172 delete fec0:0:0:1::1 fec0:0:0:2::2 ah 0x10004 ;
173
174 # By dump command, you can dump all entry of either SP or SA.
175 dump ;
176 spddump ;
177 dump esp ;
178 flush esp ;
179
180 # By flush command, you can flush all entry of either SP or SA.
181 flush ;
182 spdflush ;
183
184 # "flush" and "dump" commands can specify a security protocol.
185 dump esp ;
186 flush ah ;
187
188 # XXX
189 add ::1 ::1 esp 10001 -m transport -E null ;
190 add ::1 ::1 esp 10002 -m transport -E des-deriv "12341234" ;
191 add ::1 ::1 esp-old 10003 -m transport -E des-32iv "12341234" ;
192 add ::1 ::1 esp 10004 -m transport -E null -A null ;
193 add ::1 ::1 esp 10005 -m transport -E null -A hmac-md5 "1234123412341234" ;
194 add ::1 ::1 esp 10006 -m tunnel -E null -A hmac-sha1 "12341234123412341234" ;
195 add ::1 ::1 esp 10007 -m transport -E null -A keyed-md5 "1234123412341234" ;
196 add ::1 ::1 esp 10008 -m any -E null -A keyed-sha1 "12341234123412341234" ;
197 add ::1 ::1 esp 10009 -m transport -E des-cbc "testtest" ;
198 add ::1 ::1 esp 10010 -m transport -E 3des-cbc "testtest12341234testtest" ;
199 add ::1 ::1 esp 10011 -m tunnel -E cast128-cbc "testtest1234" ;
200 add ::1 ::1 esp 10012 -m tunnel -E blowfish-cbc "testtest1234" ;
201 add ::1 ::1 esp 10013 -m tunnel -E rc5-cbc "testtest1234" ;
202 add ::1 ::1 esp 10014 -m any -E rc5-cbc "testtest1234" ;
203 add ::1 ::1 esp 10015 -m transport -f zero-pad -E null ;
204 add ::1 ::1 esp 10016 -m tunnel -f random-pad -r 8 -lh 100 -ls 80 -E null ;
205 add ::1 ::1 esp 10017 -m transport -f seq-pad -f nocyclic-seq -E null ;
206 add ::1 ::1 esp 10018 -m transport -E null ;
207 #add ::1 ::1 ah 20000 -m transport -A null ;
208 add ::1 ::1 ah 20001 -m any -A hmac-md5 "1234123412341234";
209 add ::1 ::1 ah 20002 -m tunnel -A hmac-sha1 "12341234123412341234";
210 add ::1 ::1 ah 20003 -m transport -A keyed-md5 "1234123412341234";
211 add ::1 ::1 ah-old 20004 -m transport -A keyed-md5 "1234123412341234";
212 add ::1 ::1 ah 20005 -m transport -A keyed-sha1 "12341234123412341234";
213 #add ::1 ::1 ipcomp 30000 -C oui ;
214 add ::1 ::1 ipcomp 30001 -C deflate ;
215 #add ::1 ::1 ipcomp 30002 -C lzs ;
216
217 # enjoy.
mirror of ipsec