sample.cf (108533) | sample.cf (122108) |
---|---|
1# Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project. 2# All rights reserved. 3# 4# Redistribution and use in source and binary forms, with or without 5# modification, are permitted provided that the following conditions 6# are met: 7# 1. Redistributions of source code must retain the above copyright 8# notice, this list of conditions and the following disclaimer. --- 11 unchanged lines hidden (view full) --- 20# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 21# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 22# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 23# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 24# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 25# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 26# SUCH DAMAGE. 27# | 1# Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project. 2# All rights reserved. 3# 4# Redistribution and use in source and binary forms, with or without 5# modification, are permitted provided that the following conditions 6# are met: 7# 1. Redistributions of source code must retain the above copyright 8# notice, this list of conditions and the following disclaimer. --- 11 unchanged lines hidden (view full) --- 20# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 21# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 22# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 23# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 24# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 25# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 26# SUCH DAMAGE. 27# |
28# $FreeBSD: head/sbin/setkey/sample.cf 108533 2003-01-01 18:49:04Z schweikh $ | 28# $FreeBSD: head/sbin/setkey/sample.cf 122108 2003-11-05 09:47:54Z ume $ |
29 30# There are sample scripts for IPsec configuration by manual keying. 31# A security association is uniquely identified by a triple consisting 32# of a Security Parameter Index (SPI), an IP Destination Address, and a 33# security protocol (AH or ESP) identifier. You must take care of these 34# parameters when you configure by manual keying. 35 36# ESP transport mode is recommended for TCP port number 110 between 37# Host-A and Host-B. Encryption algorithm is blowfish-cbc whose key 38# is "kamekame", and authentication algorithm is hmac-sha1 whose key 39# is "this is the test key". 40# 41# ============ ESP ============ 42# | | 43# Host-A Host-B 44# fec0::10 -------------------- fec0::11 45# 46# At Host-A and Host-B, 47spdadd fec0::10[any] fec0::11[110] tcp -P out ipsec | 29 30# There are sample scripts for IPsec configuration by manual keying. 31# A security association is uniquely identified by a triple consisting 32# of a Security Parameter Index (SPI), an IP Destination Address, and a 33# security protocol (AH or ESP) identifier. You must take care of these 34# parameters when you configure by manual keying. 35 36# ESP transport mode is recommended for TCP port number 110 between 37# Host-A and Host-B. Encryption algorithm is blowfish-cbc whose key 38# is "kamekame", and authentication algorithm is hmac-sha1 whose key 39# is "this is the test key". 40# 41# ============ ESP ============ 42# | | 43# Host-A Host-B 44# fec0::10 -------------------- fec0::11 45# 46# At Host-A and Host-B, 47spdadd fec0::10[any] fec0::11[110] tcp -P out ipsec |
48 esp/transport/fec0::10-fec0::11/use ; | 48 esp/transport//use ; |
49spdadd fec0::11[110] fec0::10[any] tcp -P in ipsec | 49spdadd fec0::11[110] fec0::10[any] tcp -P in ipsec |
50 esp/transport/fec0::11-fec0::10/use ; | 50 esp/transport//use ; |
51add fec0::10 fec0::11 esp 0x10001 52 -m transport 53 -E blowfish-cbc "kamekame" 54 -A hmac-sha1 "this is the test key" ; 55add fec0::11 fec0::10 esp 0x10002 56 -m transport 57 -E blowfish-cbc "kamekame" 58 -A hmac-sha1 "this is the test key" ; --- 48 unchanged lines hidden (view full) --- 107# | ======= ESP ===== | 108# | | | | 109# Network-A Gateway-A Gateway-B Network-B 110# fec0:0:0:1::/64 --- fec0:0:0:1::1 ---- fec0:0:0:2::1 --- fec0:0:0:2::/64 111# 112# At Gateway-A: 113spdadd fec0:0:0:1::/64 fec0:0:0:2::/64 any -P out ipsec 114 esp/tunnel/fec0:0:0:1::1-fec0:0:0:2::1/require | 51add fec0::10 fec0::11 esp 0x10001 52 -m transport 53 -E blowfish-cbc "kamekame" 54 -A hmac-sha1 "this is the test key" ; 55add fec0::11 fec0::10 esp 0x10002 56 -m transport 57 -E blowfish-cbc "kamekame" 58 -A hmac-sha1 "this is the test key" ; --- 48 unchanged lines hidden (view full) --- 107# | ======= ESP ===== | 108# | | | | 109# Network-A Gateway-A Gateway-B Network-B 110# fec0:0:0:1::/64 --- fec0:0:0:1::1 ---- fec0:0:0:2::1 --- fec0:0:0:2::/64 111# 112# At Gateway-A: 113spdadd fec0:0:0:1::/64 fec0:0:0:2::/64 any -P out ipsec 114 esp/tunnel/fec0:0:0:1::1-fec0:0:0:2::1/require |
115 ah/transport/fec0:0:0:1::1-fec0:0:0:2::1/require ; | 115 ah/transport//require ; |
116spdadd fec0:0:0:2::/64 fec0:0:0:1::/64 any -P in ipsec 117 esp/tunnel/fec0:0:0:2::1-fec0:0:0:1::1/require | 116spdadd fec0:0:0:2::/64 fec0:0:0:1::/64 any -P in ipsec 117 esp/tunnel/fec0:0:0:2::1-fec0:0:0:1::1/require |
118 ah/transport/fec0:0:0:2::1-fec0:0:0:1::1/require ; | 118 ah/transport//require ; |
119add fec0:0:0:1::1 fec0:0:0:2::1 esp 0x10001 120 -m tunnel 121 -E 3des-cbc "kamekame12341234kame1234" 122 -A hmac-sha1 "this is the test key" ; 123add fec0:0:0:1::1 fec0:0:0:2::1 ah 0x10001 124 -m transport 125 -A hmac-md5 "this is the test" ; 126add fec0:0:0:2::1 fec0:0:0:1::1 esp 0x10001 --- 14 unchanged lines hidden (view full) --- 141# ================== ESP ================= 142# | ======= ESP ======= | 143# | | | | 144# Host-A Gateway-A Host-B 145# fec0:0:0:1::1 ---- fec0:0:0:2::1 ---- fec0:0:0:2::2 146# 147# At Host-A: 148spdadd fec0:0:0:1::1[any] fec0:0:0:2::2[80] tcp -P out ipsec | 119add fec0:0:0:1::1 fec0:0:0:2::1 esp 0x10001 120 -m tunnel 121 -E 3des-cbc "kamekame12341234kame1234" 122 -A hmac-sha1 "this is the test key" ; 123add fec0:0:0:1::1 fec0:0:0:2::1 ah 0x10001 124 -m transport 125 -A hmac-md5 "this is the test" ; 126add fec0:0:0:2::1 fec0:0:0:1::1 esp 0x10001 --- 14 unchanged lines hidden (view full) --- 141# ================== ESP ================= 142# | ======= ESP ======= | 143# | | | | 144# Host-A Gateway-A Host-B 145# fec0:0:0:1::1 ---- fec0:0:0:2::1 ---- fec0:0:0:2::2 146# 147# At Host-A: 148spdadd fec0:0:0:1::1[any] fec0:0:0:2::2[80] tcp -P out ipsec |
149 esp/transport/fec0:0:0:1::1-fec0:0:0:2::2/use | 149 esp/transport//use |
150 esp/tunnel/fec0:0:0:1::1-fec0:0:0:2::1/require ; 151spdadd fec0:0:0:2::1[80] fec0:0:0:1::1[any] tcp -P in ipsec | 150 esp/tunnel/fec0:0:0:1::1-fec0:0:0:2::1/require ; 151spdadd fec0:0:0:2::1[80] fec0:0:0:1::1[any] tcp -P in ipsec |
152 esp/transport/fec0:0:0:2::2-fec0:0:0:1::1/use | 152 esp/transport//use |
153 esp/tunnel/fec0:0:0:2::1-fec0:0:0:1::1/require ; 154add fec0:0:0:1::1 fec0:0:0:2::2 esp 0x10001 155 -m transport 156 -E cast128-cbc "12341234" 157 -A hmac-sha1 "this is the test key" ; 158add fec0:0:0:1::1 fec0:0:0:2::1 esp 0x10002 159 -E rc5-cbc "kamekame" 160 -A hmac-md5 "this is the test" ; 161add fec0:0:0:2::2 fec0:0:0:1::1 esp 0x10003 162 -m transport 163 -E cast128-cbc "12341234" 164 -A hmac-sha1 "this is the test key" ; 165add fec0:0:0:2::1 fec0:0:0:1::1 esp 0x10004 166 -E rc5-cbc "kamekame" 167 -A hmac-md5 "this is the test" ; 168 | 153 esp/tunnel/fec0:0:0:2::1-fec0:0:0:1::1/require ; 154add fec0:0:0:1::1 fec0:0:0:2::2 esp 0x10001 155 -m transport 156 -E cast128-cbc "12341234" 157 -A hmac-sha1 "this is the test key" ; 158add fec0:0:0:1::1 fec0:0:0:2::1 esp 0x10002 159 -E rc5-cbc "kamekame" 160 -A hmac-md5 "this is the test" ; 161add fec0:0:0:2::2 fec0:0:0:1::1 esp 0x10003 162 -m transport 163 -E cast128-cbc "12341234" 164 -A hmac-sha1 "this is the test key" ; 165add fec0:0:0:2::1 fec0:0:0:1::1 esp 0x10004 166 -E rc5-cbc "kamekame" 167 -A hmac-md5 "this is the test" ; 168 |
169# By "get" command, you can get an entry of either SP or SA. | 169# By "get" command, you can get a entry of either SP or SA. |
170get fec0:0:0:1::1 fec0:0:0:2::2 ah 0x10004 ; 171 | 170get fec0:0:0:1::1 fec0:0:0:2::2 ah 0x10004 ; 171 |
172# Also delete command, you can delete an entry of either SP or SA. | 172# Also delete command, you can delete a entry of either SP or SA. |
173spddelete fec0:0:0:1::/64 fec0:0:0:2::/64 any -P out; 174delete fec0:0:0:1::1 fec0:0:0:2::2 ah 0x10004 ; 175 176# By dump command, you can dump all entry of either SP or SA. 177dump ; 178spddump ; 179dump esp ; 180flush esp ; 181 182# By flush command, you can flush all entry of either SP or SA. 183flush ; 184spdflush ; 185 186# "flush" and "dump" commands can specify a security protocol. 187dump esp ; 188flush ah ; 189 190# XXX | 173spddelete fec0:0:0:1::/64 fec0:0:0:2::/64 any -P out; 174delete fec0:0:0:1::1 fec0:0:0:2::2 ah 0x10004 ; 175 176# By dump command, you can dump all entry of either SP or SA. 177dump ; 178spddump ; 179dump esp ; 180flush esp ; 181 182# By flush command, you can flush all entry of either SP or SA. 183flush ; 184spdflush ; 185 186# "flush" and "dump" commands can specify a security protocol. 187dump esp ; 188flush ah ; 189 190# XXX |
191add ::1 ::1 esp 10001 -m transport -E simple ; | 191add ::1 ::1 esp 10001 -m transport -E null ; |
192add ::1 ::1 esp 10002 -m transport -E des-deriv "12341234" ; 193add ::1 ::1 esp-old 10003 -m transport -E des-32iv "12341234" ; | 192add ::1 ::1 esp 10002 -m transport -E des-deriv "12341234" ; 193add ::1 ::1 esp-old 10003 -m transport -E des-32iv "12341234" ; |
194add ::1 ::1 esp 10004 -m transport -E simple -A null ; 195add ::1 ::1 esp 10005 -m transport -E simple -A hmac-md5 "1234123412341234" ; 196add ::1 ::1 esp 10006 -m tunnel -E simple -A hmac-sha1 "12341234123412341234" ; 197add ::1 ::1 esp 10007 -m transport -E simple -A keyed-md5 "1234123412341234" ; 198add ::1 ::1 esp 10008 -m any -E simple -A keyed-sha1 "12341234123412341234" ; | 194add ::1 ::1 esp 10004 -m transport -E null -A null ; 195add ::1 ::1 esp 10005 -m transport -E null -A hmac-md5 "1234123412341234" ; 196add ::1 ::1 esp 10006 -m tunnel -E null -A hmac-sha1 "12341234123412341234" ; 197add ::1 ::1 esp 10007 -m transport -E null -A keyed-md5 "1234123412341234" ; 198add ::1 ::1 esp 10008 -m any -E null -A keyed-sha1 "12341234123412341234" ; |
199add ::1 ::1 esp 10009 -m transport -E des-cbc "testtest" ; 200add ::1 ::1 esp 10010 -m transport -E 3des-cbc "testtest12341234testtest" ; 201add ::1 ::1 esp 10011 -m tunnel -E cast128-cbc "testtest1234" ; 202add ::1 ::1 esp 10012 -m tunnel -E blowfish-cbc "testtest1234" ; 203add ::1 ::1 esp 10013 -m tunnel -E rc5-cbc "testtest1234" ; 204add ::1 ::1 esp 10014 -m any -E rc5-cbc "testtest1234" ; | 199add ::1 ::1 esp 10009 -m transport -E des-cbc "testtest" ; 200add ::1 ::1 esp 10010 -m transport -E 3des-cbc "testtest12341234testtest" ; 201add ::1 ::1 esp 10011 -m tunnel -E cast128-cbc "testtest1234" ; 202add ::1 ::1 esp 10012 -m tunnel -E blowfish-cbc "testtest1234" ; 203add ::1 ::1 esp 10013 -m tunnel -E rc5-cbc "testtest1234" ; 204add ::1 ::1 esp 10014 -m any -E rc5-cbc "testtest1234" ; |
205add ::1 ::1 esp 10015 -m transport -f zero-pad -E simple ; 206add ::1 ::1 esp 10016 -m tunnel -f random-pad -r 8 -lh 100 -ls 80 -E simple ; 207add ::1 ::1 esp 10017 -m transport -f seq-pad -f nocyclic-seq -E simple ; 208add ::1 ::1 esp 10018 -m transport -E simple ; | 205add ::1 ::1 esp 10015 -m transport -f zero-pad -E null ; 206add ::1 ::1 esp 10016 -m tunnel -f random-pad -r 8 -lh 100 -ls 80 -E null ; 207add ::1 ::1 esp 10017 -m transport -f seq-pad -f nocyclic-seq -E null ; 208add ::1 ::1 esp 10018 -m transport -E null ; |
209#add ::1 ::1 ah 20000 -m transport -A null ; 210add ::1 ::1 ah 20001 -m any -A hmac-md5 "1234123412341234"; 211add ::1 ::1 ah 20002 -m tunnel -A hmac-sha1 "12341234123412341234"; 212add ::1 ::1 ah 20003 -m transport -A keyed-md5 "1234123412341234"; 213add ::1 ::1 ah-old 20004 -m transport -A keyed-md5 "1234123412341234"; 214add ::1 ::1 ah 20005 -m transport -A keyed-sha1 "12341234123412341234"; 215#add ::1 ::1 ipcomp 30000 -C oui ; 216add ::1 ::1 ipcomp 30001 -C deflate ; 217#add ::1 ::1 ipcomp 30002 -C lzs ; 218 219# enjoy. | 209#add ::1 ::1 ah 20000 -m transport -A null ; 210add ::1 ::1 ah 20001 -m any -A hmac-md5 "1234123412341234"; 211add ::1 ::1 ah 20002 -m tunnel -A hmac-sha1 "12341234123412341234"; 212add ::1 ::1 ah 20003 -m transport -A keyed-md5 "1234123412341234"; 213add ::1 ::1 ah-old 20004 -m transport -A keyed-md5 "1234123412341234"; 214add ::1 ::1 ah 20005 -m transport -A keyed-sha1 "12341234123412341234"; 215#add ::1 ::1 ipcomp 30000 -C oui ; 216add ::1 ::1 ipcomp 30001 -C deflate ; 217#add ::1 ::1 ipcomp 30002 -C lzs ; 218 219# enjoy. |
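Review bot: The new side turns `an entry` into `a entry` in both comments at lines 169 and 172, which reads as a grammar regression relative to the old side; keep `# By "get" command, you can get an entry of either SP or SA.` and `# Also delete command, you can delete an entry of either SP or SA.`. The `# XXX` heading at line 190 says nothing about what the block after it is for, and the switch from `-E simple` to `-E null` on lines 191–208 (apparently a rename of the same no-encryption algorithm) leaves that block as a set of loopback SAs carrying the null cipher; a one-line comment would make this explicit, e.g. `# XXX: loopback (::1) test SAs; "-E null" selects the null cipher, i.e. no confidentiality.` The transport-mode policy lines (48, 50, 115, 118, 149, 152) now omit the endpoint addresses, which looks deliberate, but the introductory comment at lines 30–34 does not mention that transport-mode policies take no addresses; a sentence there would save readers a trip to setkey(8).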