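# Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
# 1. Redistributions of source code must retain the above copyright
#    notice, this list of conditions and the following disclaimer.
# 2. Redistributions in binary form must reproduce the above copyright
#    notice, this list of conditions and the following disclaimer in the
#    documentation and/or other materials provided with the distribution.
# 3. Neither the name of the project nor the names of its contributors
#    may be used to endorse or promote products derived from this software
#    without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
# SUCH DAMAGE.

# Sample setkey(8) scripts for IPsec configuration by manual keying.
# Syntax reminder: "#" starts a comment, a statement may span several
# lines and ends with ";".
#
# A security association (SA) is uniquely identified by the triple
# (Security Parameter Index (SPI), IP destination address, security
# protocol identifier (AH or ESP)).  Keep all three parameters identical
# on both peers when you configure by manual keying, so that each peer
# can look up the SA the other one uses.
#
# All keys in this file are sample values.  Before real use replace them
# with random keys of the length the chosen algorithm requires (see the
# ALGORITHMS section of setkey(8)) and load the same keys on both ends.

# ESP transport mode is recommended for TCP port number 110 between
# Host-A and Host-B.  Encryption algorithm is blowfish-cbc whose key
# is "kamekame", and authentication algorithm is hmac-sha1 whose key
# is "this is the test key".
#
#                  ============ ESP ============
#                  |                           |
#              Host-A                       Host-B
#            fec0::10 -------------------- fec0::11
#
# Policy level "use" means: apply an SA when one is available, otherwise
# the kernel keeps normal operation.  Level "require" (used in the later
# examples) requires an SA for every packet that matches the policy.
#
# At Host-A and Host-B:
spdadd fec0::10[any] fec0::11[110] tcp -P out ipsec
        esp/transport//use ;
spdadd fec0::11[110] fec0::10[any] tcp -P in ipsec
        esp/transport//use ;
add fec0::10 fec0::11 esp 0x10001
        -m transport
        -E blowfish-cbc "kamekame"
        -A hmac-sha1 "this is the test key" ;
add fec0::11 fec0::10 esp 0x10002
        -m transport
        -E blowfish-cbc "kamekame"
        -A hmac-sha1 "this is the test key" ;

# "[any]" is a wildcard for the port number.  Note that "[0]" means the
# literal port number zero, not a wildcard.

# Security protocol is old AH tunnel mode, i.e. RFC1826, with keyed-md5
# whose key is "this is the test" as authentication algorithm.
# That protocol takes place between Gateway-A and Gateway-B.
# "ah-old" with keyed-md5 is the legacy (pre-RFC2402) AH format, shown
# here for interoperability with old implementations; new configurations
# should use "ah" with an HMAC algorithm as in the later examples.
#
#                      ======= AH =======
#                      |                |
#     Network-A    Gateway-A        Gateway-B     Network-B
#   10.0.1.0/24 ---- 172.16.0.1 ----- 172.16.0.2 ---- 10.0.2.0/24
#
# At Gateway-A:
spdadd 10.0.1.0/24 10.0.2.0/24 any -P out ipsec
        ah/tunnel/172.16.0.1-172.16.0.2/require ;
spdadd 10.0.2.0/24 10.0.1.0/24 any -P in ipsec
        ah/tunnel/172.16.0.2-172.16.0.1/require ;
add 172.16.0.1 172.16.0.2 ah-old 0x10003
        -m any
        -A keyed-md5 "this is the test" ;
add 172.16.0.2 172.16.0.1 ah-old 0x10004
        -m any
        -A keyed-md5 "this is the test" ;

# If the port number field is omitted, as above, "[any]" is assumed.
# -m specifies the mode of the SA.  "-m any" is a wildcard for the mode
# of the security protocol: such SAs can be used for both tunnel and
# transport mode.

# At Gateway-B.  Note that the selectors and the peer addresses in the
# tunnel specification are reversed relative to Gateway-A, while the SA
# triples (src, dst, SPI) are the same on both gateways; here the SAs are
# restricted to tunnel mode instead of "-m any".
spdadd 10.0.2.0/24 10.0.1.0/24 any -P out ipsec
        ah/tunnel/172.16.0.2-172.16.0.1/require ;
spdadd 10.0.1.0/24 10.0.2.0/24 any -P in ipsec
        ah/tunnel/172.16.0.1-172.16.0.2/require ;
add 172.16.0.1 172.16.0.2 ah-old 0x10003
        -m tunnel
        -A keyed-md5 "this is the test" ;
add 172.16.0.2 172.16.0.1 ah-old 0x10004
        -m tunnel
        -A keyed-md5 "this is the test" ;

# AH transport mode followed by ESP tunnel mode is required between
# Gateway-A and Gateway-B.
# Encryption algorithm is 3des-cbc, and authentication algorithm for ESP
# is hmac-sha1.  Authentication algorithm for AH is hmac-md5.
# The same SPI (0x10001) is reused for the ESP SA and the AH SA of each
# direction; this is legal because the security protocol is part of the
# SA identifier (see the note at the top of this file).
#
#                     ========== AH =========
#                     |  ======= ESP =====  |
#                     |  |               |  |
#     Network-A    Gateway-A        Gateway-B     Network-B
#  fec0:0:0:1::/64 --- fec0:0:0:1::1 ---- fec0:0:0:2::1 --- fec0:0:0:2::/64
#
# At Gateway-A:
spdadd fec0:0:0:1::/64 fec0:0:0:2::/64 any -P out ipsec
        esp/tunnel/fec0:0:0:1::1-fec0:0:0:2::1/require
        ah/transport//require ;
spdadd fec0:0:0:2::/64 fec0:0:0:1::/64 any -P in ipsec
        esp/tunnel/fec0:0:0:2::1-fec0:0:0:1::1/require
        ah/transport//require ;
add fec0:0:0:1::1 fec0:0:0:2::1 esp 0x10001
        -m tunnel
        -E 3des-cbc "kamekame12341234kame1234"
        -A hmac-sha1 "this is the test key" ;
add fec0:0:0:1::1 fec0:0:0:2::1 ah 0x10001
        -m transport
        -A hmac-md5 "this is the test" ;
add fec0:0:0:2::1 fec0:0:0:1::1 esp 0x10001
        -m tunnel
        -E 3des-cbc "kamekame12341234kame1234"
        -A hmac-sha1 "this is the test key" ;
add fec0:0:0:2::1 fec0:0:0:1::1 ah 0x10001
        -m transport
        -A hmac-md5 "this is the test" ;

# ESP tunnel mode is required between Host-A and Gateway-A.
# Encryption algorithm is rc5-cbc, and authentication algorithm
# for ESP is hmac-md5.
# ESP transport mode is recommended between Host-A and Host-B.
# Encryption algorithm is cast128-cbc, and authentication algorithm
# for ESP is hmac-sha1.
# (This matches the "add" commands below: the transport SAs
# 0x10001/0x10003 use cast128-cbc + hmac-sha1, the tunnel SAs
# 0x10002/0x10004 use rc5-cbc + hmac-md5.)
#
#                 ===================== ESP =====================
#                 |      ======= ESP =======                    |
#                 |      |               |                      |
#              Host-A            Gateway-A                  Host-B
#         fec0:0:0:1::1 ---- fec0:0:0:2::1 ---- fec0:0:0:2::2
#
# At Host-A:
spdadd fec0:0:0:1::1[any] fec0:0:0:2::2[80] tcp -P out ipsec
        esp/transport//use
        esp/tunnel/fec0:0:0:1::1-fec0:0:0:2::1/require ;
# The inbound selector mirrors the outbound one: the source is Host-B
# (fec0:0:0:2::2) port 80, the peer of the transport SA 0x10003 below.
# The tunnel endpoint stays Gateway-A (fec0:0:0:2::1).
spdadd fec0:0:0:2::2[80] fec0:0:0:1::1[any] tcp -P in ipsec
        esp/transport//use
        esp/tunnel/fec0:0:0:2::1-fec0:0:0:1::1/require ;
add fec0:0:0:1::1 fec0:0:0:2::2 esp 0x10001
        -m transport
        -E cast128-cbc "12341234"
        -A hmac-sha1 "this is the test key" ;
# The tunnel SAs 0x10002 and 0x10004 omit -m, so they get the default
# mode ("any") and can serve the esp/tunnel entries of the policies above.
add fec0:0:0:1::1 fec0:0:0:2::1 esp 0x10002
        -E rc5-cbc "kamekame"
        -A hmac-md5 "this is the test" ;
add fec0:0:0:2::2 fec0:0:0:1::1 esp 0x10003
        -m transport
        -E cast128-cbc "12341234"
        -A hmac-sha1 "this is the test key" ;
add fec0:0:0:2::1 fec0:0:0:1::1 esp 0x10004
        -E rc5-cbc "kamekame"
        -A hmac-md5 "this is the test" ;

# With the "get" command you can retrieve an entry of either SP or SA.
# (Illustrative only: no AH SA with this triple is added above.)
get fec0:0:0:1::1 fec0:0:0:2::2 ah 0x10004 ;

# Likewise, the "delete" commands remove an entry of either SP or SA.
spddelete fec0:0:0:1::/64 fec0:0:0:2::/64 any -P out;
delete fec0:0:0:1::1 fec0:0:0:2::2 ah 0x10004 ;

# With the "dump" command you can dump all entries of either SP or SA.
dump ;
spddump ;
dump esp ;
flush esp ;

# With the "flush" command you can flush all entries of either SP or SA.
flush ;
spdflush ;

# "flush" and "dump" commands can take a security protocol argument.
dump esp ;
flush ah ;

# XXX: algorithm / option coverage entries on the loopback address.
# SPIs here are decimal (no 0x prefix).  Each key string is sized to the
# algorithm's required key length (e.g. 8 bytes for des-cbc, 24 for
# 3des-cbc, 16 for hmac-md5 and keyed-md5, 20 for hmac-sha1 and keyed-sha1).
# "-E null" and "-A null" provide no confidentiality or integrity
# protection respectively; they exist for testing only.
add ::1 ::1 esp 10001 -m transport -E null ;
add ::1 ::1 esp 10002 -m transport -E des-deriv "12341234" ;
add ::1 ::1 esp-old 10003 -m transport -E des-32iv "12341234" ;
add ::1 ::1 esp 10004 -m transport -E null -A null ;
add ::1 ::1 esp 10005 -m transport -E null -A hmac-md5 "1234123412341234" ;
add ::1 ::1 esp 10006 -m tunnel -E null -A hmac-sha1 "12341234123412341234" ;
add ::1 ::1 esp 10007 -m transport -E null -A keyed-md5 "1234123412341234" ;
add ::1 ::1 esp 10008 -m any -E null -A keyed-sha1 "12341234123412341234" ;
add ::1 ::1 esp 10009 -m transport -E des-cbc "testtest" ;
add ::1 ::1 esp 10010 -m transport -E 3des-cbc "testtest12341234testtest" ;
add ::1 ::1 esp 10011 -m tunnel -E cast128-cbc "testtest1234" ;
add ::1 ::1 esp 10012 -m tunnel -E blowfish-cbc "testtest1234" ;
add ::1 ::1 esp 10013 -m tunnel -E rc5-cbc "testtest1234" ;
add ::1 ::1 esp 10014 -m any -E rc5-cbc "testtest1234" ;
# Padding / sequence-number options: -f selects the padding policy,
# -r the replay window size, -lh/-ls the hard and soft lifetimes.
add ::1 ::1 esp 10015 -m transport -f zero-pad -E null ;
add ::1 ::1 esp 10016 -m tunnel -f random-pad -r 8 -lh 100 -ls 80 -E null ;
add ::1 ::1 esp 10017 -m transport -f seq-pad -f nocyclic-seq -E null ;
add ::1 ::1 esp 10018 -m transport -E null ;
#add ::1 ::1 ah 20000 -m transport -A null ;
add ::1 ::1 ah 20001 -m any -A hmac-md5 "1234123412341234";
add ::1 ::1 ah 20002 -m tunnel -A hmac-sha1 "12341234123412341234";
add ::1 ::1 ah 20003 -m transport -A keyed-md5 "1234123412341234";
add ::1 ::1 ah-old 20004 -m transport -A keyed-md5 "1234123412341234";
add ::1 ::1 ah 20005 -m transport -A keyed-sha1 "12341234123412341234";
#add ::1 ::1 ipcomp 30000 -C oui ;
add ::1 ::1 ipcomp 30001 -C deflate ;
#add ::1 ::1 ipcomp 30002 -C lzs ;

# enjoy.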