This is an introduction to the commands provided in the KAME kit. For
more information, please refer to each man page.

<<<ifconfig>>>

A link-local address is automatically assigned to each interface when
the interface becomes up for the first time. Even if you find an
interface without a link-local address, do not panic. The link-local
address will be assigned when it becomes up (with "ifconfig IF up").

Some network drivers allow an interface to become up even without a
hardware address (for example, PCMCIA network cards). In such cases, it
is possible that an interface has no link-local address even if the
interface is up. If you see such a situation, please disable the
interface once and then re-enable it (i.e. do `ifconfig IF down;
ifconfig IF up').

Pseudo interfaces (like the "gif" tunnel device) borrow the IPv6
interface identifier (the lowermost 64 bits of the address) from
EUI64/IEEE802 sources, like ethernet cards. Pseudo interfaces will be
able to get an IPv6 link-local address if you have another "real"
interface configured beforehand. If you have no EUI64/IEEE802 sources
on the node, you may need to configure the link-local address manually.
Though we have last-resort code in the kernel which generates the
interface identifier from MD5(hostname), it may not be suitable for
your usage (for example, if you configure the same hostname on both
sides of a gif tunnel, you will be doomed).

If you have a router announcing Router Advertisements, global addresses
will be assigned automatically. So, "ifconfig" is not necessary for
your *host*. (Please refer to the "sysctl" section for configuring a
host to accept Router Advertisements.)

If you want to set up a router, you need to assign global addresses
for two or more interfaces by "ifconfig" or "prefix".
(The prefix command is described in the next section.)
If you want to assign a global address by "ifconfig", don't forget to
specify the "alias" argument to keep the link-local address.

# ifconfig de0 inet6 fec0:0:0:1000:200:f8ff:fe01:6317 alias
# ifconfig de0
de0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 172.16.202.12 netmask 0xffffff00 broadcast 172.16.202.255
        inet6 fe80::200:f8ff:fe01:6317%de0 prefixlen 64
        inet6 fec0:0:0:1000:200:f8ff:fe01:6317 prefixlen 64
        inet6 fec0:0:0:1000:: prefixlen 64 anycast
        ether 00:00:f8:01:63:17
        media: autoselect (10baseT/UTP) status: active
        supported media: autoselect 100baseTX <full-duplex> 100baseTX 10baseT/UTP <full-duplex> 10baseT/UTP

See also "/etc/rc.network6" for actual examples.

<<<prefix>>>

In the IPv6 architecture, an IPv6 address of an interface can be
generated from a prefix assigned to it and a link-dependent identifier
for the interface. Assigning a full IPv6 address by ifconfig is not
necessary anymore, because the user can take care of the prefix only,
letting the system take care of the interface identifier.

The newly added "prefix" command enables the user to just assign
prefixes to interfaces and let the system automatically generate IPv6
addresses. Prefixes added by the "prefix" command are maintained in the
kernel consistently with prefixes assigned by Router Renumbering (in
the case of routers).

But the "prefix" command can only be used on a router, because a host
should be able to configure its addresses automatically. Prefixes added
by the "prefix" command are maintained independently from prefixes
assigned by Router Advertisement. Those two types of prefixes should
not coexist on a machine at the same time, and when it happens, it is
considered to be a misconfiguration.

Manual assignment of prefixes or changes of prefix properties take
precedence over ones assigned by Router Renumbering.
If you want to assign a prefix (and consequently an address) manually,
do as follows:

# prefix de0 fec0:0:0:1000::
# ifconfig de0
de0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 172.16.202.12 netmask 0xffffff00 broadcast 172.16.202.255
        inet6 fe80:1::200:f8ff:fe01:6317 prefixlen 64
        inet6 fec0:0:0:1000:200:f8ff:fe01:6317 prefixlen 64
        inet6 fec0:0:0:1000:: prefixlen 64 anycast
        ether 00:00:f8:01:63:17
        media: autoselect (10baseT/UTP) status: active
        supported media: autoselect 100baseTX <full-duplex> 100baseTX 10baseT/UTP <full-duplex> 10baseT/UTP

To check the assigned prefix, use the "ndp" command. (See the
description of the ndp command for its usage.)

# ndp -p
fec0:0:0:1000::/64 if=de0
  flags=LA, vltime=2592000, pltime=604800, expire=Never
  No advertising router

The "prefix" command also has node-internal prefix renumbering
ability.

If you have multiple prefixes which have fec0:0:0:1000::/56 at the top,
and would like to renumber them to fec0:0:0:2000::/56, then use the
"prefix" command with the "matchpr" argument and the "usepr" argument.
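The address generation and renumbering described in this section, shown as an added example in Python (this is not code from the KAME kit and not the kernel's implementation): it derives the modified EUI-64 interface identifier from the ethernet address in the ifconfig output, combines it with the prefix given to "prefix", and rewrites addresses the way a matchpr/usepr renumbering over 56 bits does. The function names and the use of Python's ipaddress module are this example's own choices.

```python
"""Added example, not part of the KAME kit: how an IPv6 address is formed
from a prefix plus an EUI-64 interface identifier derived from the ethernet
MAC, and how a 56-bit prefix renumbering (the matchpr/usepr operation of the
"prefix" command) rewrites the resulting addresses."""
import ipaddress


def eui64_from_mac(mac: str) -> int:
    """Modified EUI-64 interface identifier: insert ff:fe in the middle of
    the 48-bit MAC and flip the universal/local bit (0x02 of the first
    octet). Returns the 64-bit identifier as an integer."""
    octets = [int(x, 16) for x in mac.split(":")]
    if len(octets) != 6 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError("expected a 48-bit MAC like 00:00:f8:01:63:17")
    octets[0] ^= 0x02
    eui = octets[:3] + [0xFF, 0xFE] + octets[3:]
    return int.from_bytes(bytes(eui), "big")


def address_from_prefix(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Combine a /64 prefix (as given to 'prefix de0 fec0:0:0:1000::')
    with the EUI-64 identifier of the interface."""
    net = ipaddress.IPv6Network(f"{prefix}/64", strict=False)
    return ipaddress.IPv6Address(int(net.network_address) | eui64_from_mac(mac))


def subnet_router_anycast(prefix: str) -> ipaddress.IPv6Address:
    """The all-zero interface identifier: the 'anycast' address that
    ifconfig lists next to the generated address."""
    return ipaddress.IPv6Network(f"{prefix}/64", strict=False).network_address


def renumber(addr: str, matchpr: str, mp_len: int, usepr: str, up_uselen: int):
    """Renumber one address the way 'prefix -a matchpr M mp_len L usepr U
    up_uselen N change' does: if the top L bits equal M, replace the top N
    bits with U and keep the rest (subnet bits and identifier).
    Returns None when the address does not match."""
    a = ipaddress.IPv6Address(addr)
    match_net = ipaddress.IPv6Network(f"{matchpr}/{mp_len}", strict=False)
    if a not in match_net:
        return None
    keep_mask = (1 << (128 - up_uselen)) - 1
    use_net = ipaddress.IPv6Network(f"{usepr}/{up_uselen}", strict=False)
    return ipaddress.IPv6Address(int(use_net.network_address) | (int(a) & keep_mask))


if __name__ == "__main__":
    mac = "00:00:f8:01:63:17"      # ether address from the ifconfig output above
    print(address_from_prefix("fec0:0:0:1000::", mac))
    print(subnet_router_anycast("fec0:0:0:1000::"))
    # the two prefixes of the renumbering example, matched on their top 56 bits
    for old in ("fec0:0:0:1000:200:f8ff:fe01:6317", "fec0:0:0:1001:200:f8ff:fe55:7011"):
        print(old, "->", renumber(old, "fec0:0:0:1000::", 56, "fec0:0:0:2000::", 56))
```

Running it reproduces the addresses of the ifconfig output (fec0:0:0:1000:200:f8ff:fe01:6317 from prefix plus ether 00:00:f8:01:63:17) and the renumbered de0/de1 addresses under fec0:0:0:2000::/56; an address outside the matched /56 is left alone, which is the property to check before issuing the change on a router.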
Suppose that the current state before renumbering is as follows:

# ifconfig de0
de0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 172.16.202.12 netmask 0xffffff00 broadcast 172.16.202.255
        inet6 fe80:1::200:f8ff:fe01:6317 prefixlen 64
        inet6 fec0:0:0:1000:200:f8ff:fe01:6317 prefixlen 64
        inet6 fec0:0:0:1000:: prefixlen 64 anycast
        ether 00:00:f8:01:63:17
        media: autoselect (10baseT/UTP) status: active
        supported media: autoselect 100baseTX <full-duplex> 100baseTX 10baseT/UTP <full-duplex> 10baseT/UTP

# ifconfig de1
de1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 172.16.203.12 netmask 0xffffff00 broadcast 172.16.203.255
        inet6 fe80:1::200:f8ff:fe55:7011 prefixlen 64
        inet6 fec0:0:0:1001:200:f8ff:fe55:7011 prefixlen 64
        inet6 fec0:0:0:1001:: prefixlen 64 anycast
        ether 00:00:f8:55:70:11
        media: autoselect (10baseT/UTP) status: active
        supported media: autoselect 100baseTX <full-duplex> 100baseTX 10baseT/UTP <full-duplex> 10baseT/UTP

# ndp -p
fec0:0:0:1000::/64 if=de0
  flags=LA, vltime=2592000, pltime=604800, expire=Never
  No advertising router
fec0:0:0:1001::/64 if=de1
  flags=LA, vltime=2592000, pltime=604800, expire=Never
  No advertising router

Then do as follows:

# prefix -a matchpr fec0:0:0:1000:: mp_len 56 usepr fec0:0:0:2000:: up_uselen 56 change

If the command is successful, prefixes and addresses will be renumbered
as follows.
# ifconfig de0
de0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 172.16.202.12 netmask 0xffffff00 broadcast 172.16.202.255
        inet6 fe80:1::200:f8ff:fe01:6317 prefixlen 64
        inet6 fec0:0:0:2000:200:f8ff:fe01:6317 prefixlen 64
        inet6 fec0:0:0:2000:: prefixlen 64 anycast
        ether 00:00:f8:01:63:17
        media: autoselect (10baseT/UTP) status: active
        supported media: autoselect 100baseTX <full-duplex> 100baseTX 10baseT/UTP <full-duplex> 10baseT/UTP
# ifconfig de1
de1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 172.16.203.12 netmask 0xffffff00 broadcast 172.16.203.255
        inet6 fe80:1::200:f8ff:fe55:7011 prefixlen 64
        inet6 fec0:0:0:2001:200:f8ff:fe55:7011 prefixlen 64
        inet6 fec0:0:0:2001:: prefixlen 64 anycast
        ether 00:00:f8:55:70:11
        media: autoselect (10baseT/UTP) status: active
        supported media: autoselect 100baseTX <full-duplex> 100baseTX 10baseT/UTP <full-duplex> 10baseT/UTP
# ndp -p
fec0:0:0:2000::/64 if=de0
  flags=LA, vltime=2592000, pltime=604800, expire=Never
  No advertising router
fec0:0:0:2001::/64 if=de1
  flags=LA, vltime=2592000, pltime=604800, expire=Never
  No advertising router

See also "/etc/rc.network6" for actual examples.

<<<route>>>

If there is a router announcing Router Advertisements on the subnet,
you don't need to add a default route for your host by yourself.
(Please refer to the "sysctl" section to accept Router Advertisements.)

If you want to add a default route manually, do as follows:

# route add -inet6 default fe80::200:a2ff:fe0e:7543%de0

"default" means ::/0.

Note that, in IPv6, a link-local address should be used as the gateway
("fe80::200:a2ff:fe0e:7543%de0" in the above). If you use global
addresses, icmp6 redirect may not work properly. For ease of
configuration we recommend you to avoid static routes and run a routing
daemon (route6d for example) instead.
<<<ping6>>> (This might be integrated into "ping" as "ping -6" in the future.)

Reachability can be checked by "ping6". "ping6" accepts a multicast
address as its argument.

% ping6 -I xl0 ff02::1
or
% ping6 ff02::1%xl0

PING6(56=40+8+8 bytes) fe80::5254:ff:feda:cb7d --> ff02::1
56 bytes from fe80::5254:ff:feda:cb7d, icmp_seq=0 hlim=64 time=0.25 ms
56 bytes from fe80::2a0:c9ff:fe84:ed6c, icmp_seq=0 hlim=64 time=1.333 ms(DUP!)
56 bytes from fe80::5254:ff:feda:d161, icmp_seq=0 hlim=64 time=1.459 ms(DUP!)
56 bytes from fe80::260:97ff:fec2:80bf, icmp_seq=0 hlim=64 time=1.538 ms(DUP!)

<<<ping6 -w>>>

Name resolution is possible by the ICMPv6 node information query
message. This is very convenient for link-local addresses whose host
name cannot be resolved by DNS. Specify the "-w" option to "ping6".

% ping6 -I xl0 -w ff02::1

64 bytes from fe80::5254:ff:feda:cb7d: fto.kame.net
67 bytes from fe80::5254:ff:feda:d161: banana.kame.net
69 bytes from fe80::2a0:c9ff:fe84:ebd9: paradise.kame.net
66 bytes from fe80::260:8ff:fe8b:447f: taroh.kame.net
66 bytes from fe80::2a0:c9ff:fe84:ed6c: ayame.kame.net

<<<traceroute6>>>

The route to a target host can be checked by "traceroute6".

% traceroute6 tokyo.v6.wide.ad.jp

traceroute to tokyo.v6.wide.ad.jp (3ffe:501:0:401:200:e8ff:fed5:8923), 30 hops max, 12 byte packets
 1  nr60.v6.kame.net  1.239 ms  0.924 ms  0.908 ms
 2  otemachi.v6.wide.ad.jp  28.953 ms  31.451 ms  26.567 ms
 3  tokyo.v6.wide.ad.jp  26.549 ms  26.58 ms  26.186 ms

If the -l option is specified, both address and name are shown in each
line.
% traceroute6 -l tokyo.v6.wide.ad.jp

traceroute to tokyo.v6.wide.ad.jp (3ffe:501:0:401:200:e8ff:fed5:8923), 30 hops max, 12 byte packets
 1  nr60.v6.kame.net (3ffe:501:4819:2000:260:97ff:fec2:80bf)  1.23 ms  0.952 ms  0.92 ms
 2  otemachi.v6.wide.ad.jp (3ffe:501:0:1802:260:97ff:feb6:7ff0)  27.345 ms  26.706 ms  26.563 ms
 3  tokyo.v6.wide.ad.jp (3ffe:501:0:401:200:e8ff:fed5:8923)  26.329 ms  26.36 ms  28.63 ms

<<<ndp>>>

To display the current Neighbor cache, use "ndp":

% ndp -a
Neighbor                      Linklayer Address  Netif Expire    St Flgs Prbs
nr60.v6.kame.net              0:60:97:c2:80:bf   xl0   expired   S  R
fec0:0:0:1000:2c0:cff:fe10    0:c0:c:10:3a:53    xl0   permanent    R
paradise.v6.kame.net          52:54:0:dc:52:17   xl0   expired   S  R
fe80:1::200:eff:fe49:f929     0:0:e:49:f9:29     xl0   expired   S  R
fe80:1::200:86ff:fe05:80da    0:0:86:5:80:da     xl0   expired   S
fe80:1::200:86ff:fe05:c2d8    0:0:86:5:c2:d8     xl0   9s           R

To flush all NDP cache entries, execute the following as root.

# ndp -c

To display the prefix list:

% ndp -p
fec0:0:0:1000::/64 if=xl0
  flags=LA, vltime=2592000, pltime=604800, expire=29d23h59m58s
  advertised by
    fe80::5254:ff:fedc:5217
    fe80::260:97ff:fec2:80bf
    fe80::200:eff:fe49:f929

To display the default router list:

% ndp -r
fe80::260:97ff:fec2:80bf if=xl0, flags=, expire=29m55s
fe80::5254:ff:fedc:5217 if=xl0, flags=, expire=29m7s
fe80::200:eff:fe49:f929 if=xl0, flags=, expire=28m47s

<<<rtsol>>>

To generate a Router Solicitation message right now to get global
addresses, use "rtsol".
# ifconfig xl0
xl0: flags=8a43<UP,BROADCAST,RUNNING,ALLMULTI,SIMPLEX,MULTICAST> mtu 1500
        inet6 fe80:2::2a0:24ff:feab:839b%xl0 prefixlen 64
        ether 0:a0:24:ab:83:9b
        media: autoselect (10baseT/UTP) status: active
        supported media: autoselect 100baseTX <full-duplex> 100baseTX 10baseT/UTP <full-duplex> 10baseT/UTP 100baseTX <hw-loopback>

# rtsol xl0
# ifconfig xl0
xl0: flags=8a43<UP,BROADCAST,RUNNING,ALLMULTI,SIMPLEX,MULTICAST> mtu 1500
        inet6 fe80:2::2a0:24ff:feab:839b%xl0 prefixlen 64
        inet6 fec0:0:0:1000:2a0:24ff:feab:839b prefixlen 64
        ether 0:a0:24:ab:83:9b
        media: autoselect (10baseT/UTP) status: active
        supported media: autoselect 100baseTX <full-duplex> 100baseTX 10baseT/UTP <full-duplex> 10baseT/UTP 100baseTX <hw-loopback>


<<<rtsold>>>

rtsold is a daemon version of rtsol. If you run KAME IPv6 on a laptop
computer and frequently move with it, the daemon is useful since it
watches the interface and sends router solicitations when the status of
the interface changes. Note, however, that this feature is disabled by
default. Please add the -m option when invoking rtsold.

rtsold also supports multiple interfaces. For example, you can invoke
the daemon as follows:
# rtsold -m ep0 cnw0

<<<netstat>>>

To see the routing table:

# netstat -nr
# netstat -nrl (long format with Ref and Use)

<<<sysctl>>>

If "net.inet6.ip6.accept_rtadv" is 1, Router Advertisements are
accepted. This means that global addresses and the default route are
set up automatically. Otherwise, the announcement is rejected. The
default value is 0. To set "net.inet6.ip6.accept_rtadv" to 1, execute
as follows:

# sysctl -w net.inet6.ip6.accept_rtadv=1

<<<gifconfig>>>

The "gif" interface enables you to perform IPv{4,6} over IPv{4,6}
protocol tunneling.
To use this interface, you must specify the outer IPv{4,6} addresses by
using gifconfig, like:

# gifconfig gif0 172.16.198.61 172.16.11.21

"ifconfig gif0" will configure the address pair used for the inner
IPv{4,6} header.

It is not required to configure the inner IPv{4,6} address pair. If you
do not configure the inner IPv{4,6} address pair, the tunnel link is
considered an un-numbered link and the source address of the inner
IPv{4,6} header will be borrowed from other interfaces.

The following example configures an un-numbered IPv6-over-IPv4 tunnel:
# gifconfig gif0 10.0.0.1 10.0.0.1 netmask 255.255.255.0

The following example configures a numbered IPv6-over-IPv4 tunnel:
# gifconfig gif0 10.0.0.1 10.0.0.1 netmask 255.255.255.0
# ifconfig gif0 inet6 fec0:0:0:3000::1 fec0:0:0:3000::2 prefixlen 64 alias

The IPv6 spec allows you to use a point-to-point link without a global
IPv6 address assigned to the interface. Routing protocols (such as
RIPng) use link-local addresses only. If you are to configure an
IPv6-over-IPv4 tunnel, you need not configure an address pair for the
inner IPv6 header. We suggest you use the former example (un-numbered
IPv6-over-IPv4 tunnel) to connect to the 6bone, for simplicity, for
router-to-router connections.

Note that it is very easy to make an infinite routing loop using the
gif interface if you configure a tunnel using the same protocol family
for the inner and outer header (i.e. IPv4-over-IPv4).

Refer to gifconfig(8) for more details.

<<<inetd>>>

Inetd supports AF_INET and AF_INET6 sockets, with IPsec policy
configuration support.

Refer to inetd(8) for more details.

<<<IPsec>>>

The current KAME supports both transport mode and tunnel mode.
However, tunnel mode comes with some restrictions.
http://www.kame.net/newsletter/ has more comprehensive examples.
Let's set up security associations to deploy a secure channel between
HOST A (10.2.3.4) and HOST B (10.6.7.8). Here we show a slightly
complicated example. From HOST A to HOST B, only old AH is used.
From HOST B to HOST A, new AH and new ESP are combined.

Now we should choose the algorithm to be used for each of "AH"/"new
AH"/"ESP"/"new ESP". Please refer to the "setkey" man page for the
algorithm names. Our choice is MD5 for AH, new-HMAC-SHA1 for new AH,
and new-DES-expIV with 8 byte IV for new ESP.

Key length highly depends on each algorithm. For example, the key
length must be equal to 16 bytes for MD5, 20 for new-HMAC-SHA1,
and 8 for new-DES-expIV. Now we choose "MYSECRETMYSECRET",
"KAMEKAMEKAMEKAMEKAME", "PASSWORD", respectively.

OK, let's assign an SPI (Security Parameter Index) for each protocol.
Please note that we need 3 SPIs for this secure channel since three
security headers are produced (one from HOST A to HOST B, two from
HOST B to HOST A). Please also note that the SPI MUST be greater
than or equal to 256. We choose 1000, 2000, and 3000, respectively.


                (1)
        HOST A ------> HOST B

        (1) PROTO=AH
            ALG=MD5(RFC1826)
            KEY=MYSECRETMYSECRET
            SPI=1000

                (2.1)
        HOST A <------ HOST B
               <------
                (2.2)

        (2.1)
            PROTO=AH
            ALG=new-HMAC-SHA1(new AH)
            KEY=KAMEKAMEKAMEKAMEKAME
            SPI=2000

        (2.2)
            PROTO=ESP
            ALG=new-DES-expIV(new ESP)
            IV length = 8
            KEY=PASSWORD
            SPI=3000

Now, let's set up the security associations. Execute "setkey" on both
HOST A and B:

# setkey -c
add 10.2.3.4 10.6.7.8 ah 1000 -m transport -A keyed-md5 "MYSECRETMYSECRET" ;
add 10.6.7.8 10.2.3.4 ah 2000 -m transport -A hmac-sha1 "KAMEKAMEKAMEKAMEKAME" ;
add 10.6.7.8 10.2.3.4 esp 3000 -m transport -E des-cbc "PASSWORD" ;
^D

Actually, IPsec communication doesn't take place until security policy
entries are defined.
In this case, you must set up each host.

At A:
# setkey -c
spdadd 10.2.3.4 10.6.7.8 any -P out ipsec
        ah/transport/10.2.3.4-10.6.7.8/require ;
^D

At B (the two security headers for one selector go into a single
policy entry, ESP applied first, then AH):
# setkey -c
spdadd 10.6.7.8 10.2.3.4 any -P out ipsec
        esp/transport/10.6.7.8-10.2.3.4/require
        ah/transport/10.6.7.8-10.2.3.4/require ;
^D

To utilize the security associations installed into the kernel, you
must set the socket security level by using setsockopt(). This is
per-application (or per-socket) security. For example, the "ping"
command has the -P option with a parameter to enable AH and/or ESP.

For example:
% ping -P "out ipsec \
        ah/transport/10.0.1.1-10.0.2.2/use \
        esp/tunnel/10.0.1.1-10.0.1.2/require" 10.0.2.2

If there are proper SAs, this policy specification causes the ICMP
packet to be protected by AH transport mode with ESP tunnel mode
inside, as below.

        HOST C -----------> GATEWAY D ----------> HOST E
        10.0.1.1         10.0.1.2  10.0.2.1       10.0.2.2
           |                |         |              |
           | ===== ESP ==== |         |              |
           =================== AH ===================



Another example using IPv6.

ESP transport mode is recommended for TCP port number 110 between
Host-A and Host-B.

        ============ ESP ============
        |                           |
        Host-A                      Host-B
        fec0::10 ------------------ fec0::11

The encryption algorithm is blowfish-cbc whose key is "kamekame", and
the authentication algorithm is hmac-sha1 whose key is "this is the
test key".
Configuration at Host-A:

        # setkey -c <<EOF
        spdadd fec0::10[any] fec0::11[110] tcp -P out ipsec
                esp/transport/fec0::10-fec0::11/use ;
        spdadd fec0::11[110] fec0::10[any] tcp -P in ipsec
                esp/transport/fec0::11-fec0::10/use ;
        add fec0::10 fec0::11 esp 0x10001
                -m transport
                -E blowfish-cbc "kamekame"
                -A hmac-sha1 "this is the test key" ;
        add fec0::11 fec0::10 esp 0x10002
                -m transport
                -E blowfish-cbc "kamekame"
                -A hmac-sha1 "this is the test key" ;
        EOF

and at Host-B:

        # setkey -c <<EOF
        spdadd fec0::11[110] fec0::10[any] tcp -P out ipsec
                esp/transport/fec0::11-fec0::10/use ;
        spdadd fec0::10[any] fec0::11[110] tcp -P in ipsec
                esp/transport/fec0::10-fec0::11/use ;
        add fec0::10 fec0::11 esp 0x10001 -m transport
                -E blowfish-cbc "kamekame"
                -A hmac-sha1 "this is the test key" ;
        add fec0::11 fec0::10 esp 0x10002 -m transport
                -E blowfish-cbc "kamekame"
                -A hmac-sha1 "this is the test key" ;
        EOF

Note the direction of the SP.


Tunnel mode between two security gateways

The security protocol is old AH tunnel mode, i.e. as specified by
RFC1826, with keyed-md5 whose key is "this is the test" as the
authentication algorithm.

                        ======= AH =======
                        |                |
        Network-A    Gateway-A        Gateway-B    Network-B
        10.0.1.0/24 ---- 172.16.0.1 ----- 172.16.0.2 ---- 10.0.2.0/24

Configuration at Gateway-A:

        # setkey -c <<EOF
        spdadd 10.0.1.0/24 10.0.2.0/24 any -P out ipsec
                ah/tunnel/172.16.0.1-172.16.0.2/require ;
        spdadd 10.0.2.0/24 10.0.1.0/24 any -P in ipsec
                ah/tunnel/172.16.0.2-172.16.0.1/require ;
        add 172.16.0.1 172.16.0.2 ah-old 0x10003 -m any
                -A keyed-md5 "this is the test" ;
        add 172.16.0.2 172.16.0.1 ah-old 0x10004 -m any
                -A keyed-md5 "this is the test" ;
        EOF

If the port number field is omitted, as above, "[any]" is employed.
`-m' specifies the mode of the SA to be used.
"-m any" means a wild-card mode for the security protocol: you can use
such an SA for both tunnel and transport mode.

and at Gateway-B:

        # setkey -c <<EOF
        spdadd 10.0.2.0/24 10.0.1.0/24 any -P out ipsec
                ah/tunnel/172.16.0.2-172.16.0.1/require ;
        spdadd 10.0.1.0/24 10.0.2.0/24 any -P in ipsec
                ah/tunnel/172.16.0.1-172.16.0.2/require ;
        add 172.16.0.1 172.16.0.2 ah-old 0x10003 -m any
                -A keyed-md5 "this is the test" ;
        add 172.16.0.2 172.16.0.1 ah-old 0x10004 -m any
                -A keyed-md5 "this is the test" ;
        EOF


Making an SA bundle between two security gateways

AH transport mode and ESP tunnel mode are required between Gateway-A
and Gateway-B. In this case, ESP tunnel mode is applied first, and AH
transport mode next.

                          ========== AH =========
                          |  ======= ESP =====  |
                          |  |               |  |
        Network-A      Gateway-A           Gateway-B      Network-B
        fec0:0:0:1::/64 --- fec0:0:0:1::1 ---- fec0:0:0:2::1 --- fec0:0:0:2::/64

The encryption algorithm is 3des-cbc, and the authentication algorithm
for ESP is hmac-sha1. The authentication algorithm for AH is hmac-md5.
Configuration at Gateway-A:

        # setkey -c <<EOF
        spdadd fec0:0:0:1::/64 fec0:0:0:2::/64 any -P out ipsec
                esp/tunnel/fec0:0:0:1::1-fec0:0:0:2::1/require
                ah/transport/fec0:0:0:1::1-fec0:0:0:2::1/require ;
        spdadd fec0:0:0:2::/64 fec0:0:0:1::/64 any -P in ipsec
                esp/tunnel/fec0:0:0:2::1-fec0:0:0:1::1/require
                ah/transport/fec0:0:0:2::1-fec0:0:0:1::1/require ;
        add fec0:0:0:1::1 fec0:0:0:2::1 esp 0x10001 -m tunnel
                -E 3des-cbc "kamekame12341234kame1234"
                -A hmac-sha1 "this is the test key" ;
        add fec0:0:0:1::1 fec0:0:0:2::1 ah 0x10001 -m transport
                -A hmac-md5 "this is the test" ;
        add fec0:0:0:2::1 fec0:0:0:1::1 esp 0x10001 -m tunnel
                -E 3des-cbc "kamekame12341234kame1234"
                -A hmac-sha1 "this is the test key" ;
        add fec0:0:0:2::1 fec0:0:0:1::1 ah 0x10001 -m transport
                -A hmac-md5 "this is the test" ;
        EOF


Making SAs with different ends

ESP tunnel mode is required between Host-A and Gateway-A. The
encryption algorithm is cast128-cbc, and the authentication algorithm
for ESP is hmac-sha1. ESP transport mode is recommended between Host-A
and Host-B. The encryption algorithm is rc5-cbc, and the authentication
algorithm for ESP is hmac-md5.
        ================== ESP =================
        |  ======= ESP =======                 |
        |  |                 |                 |
        Host-A          Gateway-A          Host-B
        fec0:0:0:1::1 ---- fec0:0:0:2::1 ---- fec0:0:0:2::2

Configuration at Host-A:

        # setkey -c <<EOF
        spdadd fec0:0:0:1::1[any] fec0:0:0:2::2[80] tcp -P out ipsec
                esp/transport/fec0:0:0:1::1-fec0:0:0:2::2/use
                esp/tunnel/fec0:0:0:1::1-fec0:0:0:2::1/require ;
        spdadd fec0:0:0:2::2[80] fec0:0:0:1::1[any] tcp -P in ipsec
                esp/transport/fec0:0:0:2::2-fec0:0:0:1::1/use
                esp/tunnel/fec0:0:0:2::1-fec0:0:0:1::1/require ;
        add fec0:0:0:1::1 fec0:0:0:2::2 esp 0x10001
                -m transport
                -E cast128-cbc "12341234"
                -A hmac-sha1 "this is the test key" ;
        add fec0:0:0:1::1 fec0:0:0:2::1 esp 0x10002
                -E rc5-cbc "kamekame"
                -A hmac-md5 "this is the test" ;
        add fec0:0:0:2::2 fec0:0:0:1::1 esp 0x10003
                -m transport
                -E cast128-cbc "12341234"
                -A hmac-sha1 "this is the test key" ;
        add fec0:0:0:2::1 fec0:0:0:1::1 esp 0x10004
                -E rc5-cbc "kamekame"
                -A hmac-md5 "this is the test" ;
        EOF
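The setkey configurations above are hand-written, and the text names the constraints the kernel enforces on them: the key length must match the algorithm (16 bytes for keyed-md5, 20 for hmac-sha1, 8 for des-cbc), the SPI must be at least 256, and the inbound policy at one host must mirror the outbound policy at the other ("Note the direction of SP"). The following added example in Python (not code from the KAME kit, and not setkey itself) generates both ends of a transport-mode ESP configuration in the shape of the fec0::10 / fec0::11 example and checks those constraints before the script is fed to setkey. The function names are this example's own; the key-length ranges for algorithms other than the three the text gives are assumptions taken from the algorithm definitions.

```python
"""Added example, not from the KAME kit: generate setkey(8) scripts for both
ends of a transport-mode ESP channel and check the constraints the text
states: key length matches the algorithm, SPI is at least 256, AH/ESP carry
the right kind of key, and each outbound policy at one end is mirrored by an
inbound policy at the other."""

# Key lengths in bytes. keyed-md5 16, hmac-sha1 20 and des-cbc 8 are the
# values given in the text; the remaining (min, max) ranges are assumptions
# taken from the algorithm definitions, not from setkey(8).
KEY_LEN = {
    "keyed-md5": (16, 16), "hmac-md5": (16, 16), "hmac-sha1": (20, 20),
    "des-cbc": (8, 8), "3des-cbc": (24, 24), "blowfish-cbc": (5, 56),
    "cast128-cbc": (5, 16), "rc5-cbc": (5, 255),
}


def check_key(alg: str, key: str) -> None:
    """Raise ValueError unless the key length is valid for the algorithm."""
    if alg not in KEY_LEN:
        raise ValueError(f"unknown algorithm {alg}")
    lo, hi = KEY_LEN[alg]
    n = len(key.encode("ascii"))
    if not lo <= n <= hi:
        raise ValueError(f"{alg}: key is {n} bytes, expected {lo}..{hi}")


def sa_line(src, dst, proto, spi, mode, enc=None, auth=None) -> str:
    """One 'add' line. enc and auth are (algorithm, key) tuples or None."""
    if spi < 256:
        raise ValueError("SPI must be >= 256; lower values are reserved")
    if proto == "ah" and (enc or not auth):
        raise ValueError("AH takes an authentication key only")
    if proto == "esp" and not enc:
        raise ValueError("ESP needs an encryption key")
    parts = [f"add {src} {dst} {proto} {spi:#x} -m {mode}"]
    if enc:
        check_key(*enc)
        parts.append(f'-E {enc[0]} "{enc[1]}"')
    if auth:
        check_key(*auth)
        parts.append(f'-A {auth[0]} "{auth[1]}"')
    return " ".join(parts) + " ;"


def sp_line(src, dst, upper, direction, rule) -> str:
    """One 'spdadd' line; rule is e.g. esp/transport/fec0::10-fec0::11/use."""
    return f"spdadd {src} {dst} {upper} -P {direction} ipsec {rule} ;"


def host_pair_scripts(a, b, a_port, b_port, upper, enc, auth, spi_ab, spi_ba):
    """Scripts for Host-A and Host-B of an ESP transport-mode channel, in the
    shape of the fec0::10 / fec0::11 example. Returns (script_a, script_b).
    The SAs are the same on both hosts; only the SP directions differ."""
    sa = [sa_line(a, b, "esp", spi_ab, "transport", enc, auth),
          sa_line(b, a, "esp", spi_ba, "transport", enc, auth)]
    sel_ab = (f"{a}[{a_port}]", f"{b}[{b_port}]", upper)
    sel_ba = (f"{b}[{b_port}]", f"{a}[{a_port}]", upper)
    rule_ab = f"esp/transport/{a}-{b}/use"
    rule_ba = f"esp/transport/{b}-{a}/use"
    at_a = [sp_line(*sel_ab, "out", rule_ab), sp_line(*sel_ba, "in", rule_ba)] + sa
    at_b = [sp_line(*sel_ba, "out", rule_ba), sp_line(*sel_ab, "in", rule_ab)] + sa
    return "\n".join(at_a), "\n".join(at_b)


def policies(script: str, direction: str):
    """Set of (src, dst, upper, rule) for spdadd lines with the given -P direction."""
    found = set()
    for line in script.splitlines():
        t = line.split()
        if t and t[0] == "spdadd" and t[4] == "-P" and t[5] == direction:
            found.add((t[1], t[2], t[3], t[7]))
    return found


def mirrored(script_a: str, script_b: str) -> bool:
    """True when every outbound policy on one host is an inbound policy on the other."""
    return (policies(script_a, "out") == policies(script_b, "in")
            and policies(script_b, "out") == policies(script_a, "in"))


def validation_error(fn, *args, **kwargs):
    """Return the ValueError message fn raises, or None if it succeeds."""
    try:
        fn(*args, **kwargs)
    except ValueError as e:
        return str(e)
    return None


if __name__ == "__main__":
    # the Host-A / Host-B example of the text: ESP transport mode for TCP port 110
    a, b = host_pair_scripts("fec0::10", "fec0::11", "any", 110, "tcp",
                             ("blowfish-cbc", "kamekame"),
                             ("hmac-sha1", "this is the test key"), 0x10001, 0x10002)
    print("# Host-A\n" + a + "\n# Host-B\n" + b)
    print("mirrored:", mirrored(a, b))
```

The generated Host-A script is the one shown above with each entry on one line; feeding the two outputs to "setkey -c" on the respective hosts is the only step left. The mirrored() check is the one that catches the mistake the text warns about, a policy copied to the other host without swapping "-P out" for "-P in".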