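# Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
# 1. Redistributions of source code must retain the above copyright
#    notice, this list of conditions and the following disclaimer.
# 2. Redistributions in binary form must reproduce the above copyright
#    notice, this list of conditions and the following disclaimer in the
#    documentation and/or other materials provided with the distribution.
# 3. Neither the name of the project nor the names of its contributors
#    may be used to endorse or promote products derived from this software
#    without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
# SUCH DAMAGE.
#
# $FreeBSD$

# These are sample scripts for IPsec configuration by manual keying.
# A security association (SA) is uniquely identified by a triple consisting
# of a Security Parameter Index (SPI), an IP Destination Address, and a
# security protocol (AH or ESP) identifier.  You must take care of these
# parameters when you configure by manual keying: the same SPI may be
# reused for a different protocol or destination, but not for the same
# triple.
#
# Reading notes for the samples below:
# - Every key here ("kamekame", "this is the test key", "12341234", ...)
#   is a fixed illustrative string whose length fits its algorithm.  A
#   real SA needs a freshly generated random key of that length; setkey
#   also accepts a key as hexadecimal digits prefixed with 0x.
# - Manually keyed SAs are never rekeyed by anything in this file.  They
#   do not expire unless a lifetime is given (-lh hard / -ls soft, shown
#   in the test section at the end), and no anti-replay check is done
#   unless a replay window is given with -r.
# - ah-old/esp-old (RFC1826-era), keyed-md5/keyed-sha1, the des-* ciphers
#   and the null cipher appear only so that the syntax is covered; the
#   RFC2401-style examples with hmac-sha1/hmac-md5 are the ones to model.

# ESP transport mode is recommended for TCP port number 110 between
# Host-A and Host-B.  Encryption algorithm is blowfish-cbc whose key
# is "kamekame", and authentication algorithm is hmac-sha1 whose key
# is "this is the test key".
#
#              ============ ESP ============
#              |                           |
#           Host-A                        Host-B
#          fec0::10 -------------------- fec0::11
#
# At Host-A and Host-B, the two SPD entries mirror each other
# (src/dst and -P in/out swapped); the two SAs are one per direction.
spdadd fec0::10[any] fec0::11[110] tcp -P out ipsec
	esp/transport//use ;
spdadd fec0::11[110] fec0::10[any] tcp -P in ipsec
	esp/transport//use ;
add fec0::10 fec0::11 esp 0x10001
	-m transport
	-E blowfish-cbc "kamekame"
	-A hmac-sha1 "this is the test key" ;
add fec0::11 fec0::10 esp 0x10002
	-m transport
	-E blowfish-cbc "kamekame"
	-A hmac-sha1 "this is the test key" ;

# "[any]" is a wildcard for the port number.  Note that "[0]" means port
# number zero, not a wildcard.

# The security protocol is old AH tunnel mode, i.e. RFC1826, with keyed-md5
# whose key is "this is the test" as the authentication algorithm.
# That protocol takes place between Gateway-A and Gateway-B.
#
#                      ======= AH =======
#                      |                |
#    Network-A      Gateway-A        Gateway-B       Network-B
#   10.0.1.0/24 ---- 172.16.0.1 ----- 172.16.0.2 ---- 10.0.2.0/24
#
# At Gateway-A:
spdadd 10.0.1.0/24 10.0.2.0/24 any -P out ipsec
	ah/tunnel/172.16.0.1-172.16.0.2/require ;
spdadd 10.0.2.0/24 10.0.1.0/24 any -P in ipsec
	ah/tunnel/172.16.0.2-172.16.0.1/require ;
add 172.16.0.1 172.16.0.2 ah-old 0x10003
	-m any
	-A keyed-md5 "this is the test" ;
add 172.16.0.2 172.16.0.1 ah-old 0x10004
	-m any
	-A keyed-md5 "this is the test" ;

# If the port number field is omitted, as above, "[any]" is assumed.
# -m specifies the mode of the SA to be used.  "-m any" is a wildcard for
# the mode of the security protocol: such an SA can serve both tunnel and
# transport mode policies.

# At Gateway-B.  Note that the selectors and the tunnel endpoints are
# reversed relative to Gateway-A, while the SAs (src, dst, SPI, key) are
# the same on both gateways; only the mode is pinned to tunnel here.
spdadd 10.0.2.0/24 10.0.1.0/24 any -P out ipsec
	ah/tunnel/172.16.0.2-172.16.0.1/require ;
spdadd 10.0.1.0/24 10.0.2.0/24 any -P in ipsec
	ah/tunnel/172.16.0.1-172.16.0.2/require ;
add 172.16.0.1 172.16.0.2 ah-old 0x10003
	-m tunnel
	-A keyed-md5 "this is the test" ;
add 172.16.0.2 172.16.0.1 ah-old 0x10004
	-m tunnel
	-A keyed-md5 "this is the test" ;

# AH transport mode followed by ESP tunnel mode is required between
# Gateway-A and Gateway-B.
# Encryption algorithm is 3des-cbc, and authentication algorithm for ESP
# is hmac-sha1.  Authentication algorithm for AH is hmac-md5.
#
#                      ========== AH =========
#                      |  ======= ESP =====  |
#                      |  |               |  |
#    Network-A      Gateway-A          Gateway-B       Network-B
# fec0:0:0:1::/64 --- fec0:0:0:1::1 ---- fec0:0:0:2::1 --- fec0:0:0:2::/64
#
# At Gateway-A:
# The ESP and AH SAs share SPI 0x10001 for the same src/dst; this is
# legal because the protocol is part of the identifying triple.
spdadd fec0:0:0:1::/64 fec0:0:0:2::/64 any -P out ipsec
	esp/tunnel/fec0:0:0:1::1-fec0:0:0:2::1/require
	ah/transport//require ;
spdadd fec0:0:0:2::/64 fec0:0:0:1::/64 any -P in ipsec
	esp/tunnel/fec0:0:0:2::1-fec0:0:0:1::1/require
	ah/transport//require ;
add fec0:0:0:1::1 fec0:0:0:2::1 esp 0x10001
	-m tunnel
	-E 3des-cbc "kamekame12341234kame1234"
	-A hmac-sha1 "this is the test key" ;
add fec0:0:0:1::1 fec0:0:0:2::1 ah 0x10001
	-m transport
	-A hmac-md5 "this is the test" ;
add fec0:0:0:2::1 fec0:0:0:1::1 esp 0x10001
	-m tunnel
	-E 3des-cbc "kamekame12341234kame1234"
	-A hmac-sha1 "this is the test key" ;
add fec0:0:0:2::1 fec0:0:0:1::1 ah 0x10001
	-m transport
	-A hmac-md5 "this is the test" ;

# ESP tunnel mode is required between Host-A and Gateway-A.
# Encryption algorithm is rc5-cbc, and authentication algorithm
# for ESP is hmac-md5.
# ESP transport mode is recommended between Host-A and Host-B.
# Encryption algorithm is cast128-cbc, and authentication algorithm
# for ESP is hmac-sha1.
# (The SAs below are authoritative; the algorithm/peer pairing in this
# description follows them.)
#
#                 ================== ESP =================
#                 |       ======= ESP =======            |
#                 |       |               |              |
#              Host-A   Gateway-A       Host-B
#          fec0:0:0:1::1 ---- fec0:0:0:2::1 ---- fec0:0:0:2::2
#
# At Host-A:
# The inbound SPD entry is the mirror of the outbound one, so its source
# is Host-B (fec0:0:0:2::2[80]), not the gateway.
spdadd fec0:0:0:1::1[any] fec0:0:0:2::2[80] tcp -P out ipsec
	esp/transport//use
	esp/tunnel/fec0:0:0:1::1-fec0:0:0:2::1/require ;
spdadd fec0:0:0:2::2[80] fec0:0:0:1::1[any] tcp -P in ipsec
	esp/transport//use
	esp/tunnel/fec0:0:0:2::1-fec0:0:0:1::1/require ;
add fec0:0:0:1::1 fec0:0:0:2::2 esp 0x10001
	-m transport
	-E cast128-cbc "12341234"
	-A hmac-sha1 "this is the test key" ;
# No -m on the Host-A/Gateway-A SAs: the mode defaults to any, so they
# satisfy the tunnel policy above.
add fec0:0:0:1::1 fec0:0:0:2::1 esp 0x10002
	-E rc5-cbc "kamekame"
	-A hmac-md5 "this is the test" ;
add fec0:0:0:2::2 fec0:0:0:1::1 esp 0x10003
	-m transport
	-E cast128-cbc "12341234"
	-A hmac-sha1 "this is the test key" ;
add fec0:0:0:2::1 fec0:0:0:1::1 esp 0x10004
	-E rc5-cbc "kamekame"
	-A hmac-md5 "this is the test" ;

# With the "get" command you can fetch an entry of either the SP or the SA.
# (Syntax illustration only: none of the examples above adds an AH SA with
# this src/dst/SPI, so against those alone the lookup finds nothing.)
get fec0:0:0:1::1 fec0:0:0:2::2 ah 0x10004 ;

# Likewise with the "delete" command you can delete an entry of either the
# SP or the SA.
spddelete fec0:0:0:1::/64 fec0:0:0:2::/64 any -P out;
delete fec0:0:0:1::1 fec0:0:0:2::2 ah 0x10004 ;

# With the "dump" command you can dump all entries of either the SP or the SA.
dump ;
spddump ;
dump esp ;
flush esp ;

# With the "flush" command you can flush all entries of either the SP or the SA.
flush ;
spdflush ;

# "flush" and "dump" commands can specify a security protocol.
dump esp ;
flush ah ;

# XXX
# Loopback test entries exercising each algorithm and option.  Note that
# the SPIs here are written in decimal (10001 is not 0x10001), that several
# SAs use the null cipher and/or null authentication, and that -f, -r,
# -lh and -ls (padding, replay window, hard/soft lifetime) are demonstrated
# only in this section.
add ::1 ::1 esp 10001 -m transport -E null ;
add ::1 ::1 esp 10002 -m transport -E des-deriv "12341234" ;
add ::1 ::1 esp-old 10003 -m transport -E des-32iv "12341234" ;
add ::1 ::1 esp 10004 -m transport -E null -A null ;
add ::1 ::1 esp 10005 -m transport -E null -A hmac-md5 "1234123412341234" ;
add ::1 ::1 esp 10006 -m tunnel -E null -A hmac-sha1 "12341234123412341234" ;
add ::1 ::1 esp 10007 -m transport -E null -A keyed-md5 "1234123412341234" ;
add ::1 ::1 esp 10008 -m any -E null -A keyed-sha1 "12341234123412341234" ;
add ::1 ::1 esp 10009 -m transport -E des-cbc "testtest" ;
add ::1 ::1 esp 10010 -m transport -E 3des-cbc "testtest12341234testtest" ;
add ::1 ::1 esp 10011 -m tunnel -E cast128-cbc "testtest1234" ;
add ::1 ::1 esp 10012 -m tunnel -E blowfish-cbc "testtest1234" ;
add ::1 ::1 esp 10013 -m tunnel -E rc5-cbc "testtest1234" ;
add ::1 ::1 esp 10014 -m any -E rc5-cbc "testtest1234" ;
add ::1 ::1 esp 10015 -m transport -f zero-pad -E null ;
add ::1 ::1 esp 10016 -m tunnel -f random-pad -r 8 -lh 100 -ls 80 -E null ;
add ::1 ::1 esp 10017 -m transport -f seq-pad -f nocyclic-seq -E null ;
add ::1 ::1 esp 10018 -m transport -E null ;
#add ::1 ::1 ah 20000 -m transport -A null ;
add ::1 ::1 ah 20001 -m any -A hmac-md5 "1234123412341234";
add ::1 ::1 ah 20002 -m tunnel -A hmac-sha1 "12341234123412341234";
add ::1 ::1 ah 20003 -m transport -A keyed-md5 "1234123412341234";
add ::1 ::1 ah-old 20004 -m transport -A keyed-md5 "1234123412341234";
add ::1 ::1 ah 20005 -m transport -A keyed-sha1 "12341234123412341234";
#add ::1 ::1 ipcomp 30000 -C oui ;
add ::1 ::1 ipcomp 30001 -C deflate ;
#add ::1 ::1 ipcomp 30002 -C lzs ;

# enjoy.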