# Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project. # All rights reserved. # # Redistribution and use in source and binary forms, with or without # modification, are permitted provided that the following conditions # are met: # 1. Redistributions of source code must retain the above copyright # notice, this list of conditions and the following disclaimer. # 2. Redistributions in binary form must reproduce the above copyright # notice, this list of conditions and the following disclaimer in the # documentation and/or other materials provided with the distribution. # 3. Neither the name of the project nor the names of its contributors # may be used to endorse or promote products derived from this software # without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND # ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE # ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE # FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL # DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS # OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) # HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT # LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY # OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF # SUCH DAMAGE. # # $FreeBSD$ # There are sample scripts for IPsec configuration by manual keying. # A security association is uniquely identified by a triple consisting # of a Security Parameter Index (SPI), an IP Destination Address, and a # security protocol (AH or ESP) identifier. You must take care of these # parameters when you configure by manual keying. # ESP transport mode is recommended for TCP port number 110 between # Host-A and Host-B. Encryption algorithm is aes-cbc whose key # is "kamekamekamekamekamekamekamekame", and authentication algorithm is # hmac-sha2-512 whose key is "this is the test key". # # ============ ESP ============ # | | # Host-A Host-B # fec0::10 -------------------- fec0::11 # # At Host-A and Host-B, spdadd fec0::10[any] fec0::11[110] tcp -P out ipsec esp/transport//use ; spdadd fec0::11[110] fec0::10[any] tcp -P in ipsec esp/transport//use ; add fec0::10 fec0::11 esp 0x10001 -m transport -E aes-cbc "kamekamekamekamekamekamekamekame" -A hmac-sha2-512 "this is the test key" ; add fec0::11 fec0::10 esp 0x10002 -m transport -E aes-cbc "kamekamekamekamekamekamekamekame" -A hmac-sha2-512 "this is the test key" ; # "[any]" is wildcard of port number. Note that "[0]" is the number of # zero in port number. # Security protocol is old AH tunnel mode, i.e. RFC1826, with hmac-sha2-256 # whose key is "this is the test" as authentication algorithm. # That protocol takes place between Gateway-A and Gateway-B. # # ======= AH ======= # | | # Network-A Gateway-A Gateway-B Network-B # 10.0.1.0/24 ---- 172.16.0.1 ----- 172.16.0.2 ---- 10.0.2.0/24 # # At Gateway-A: spdadd 10.0.1.0/24 10.0.2.0/24 any -P out ipsec ah/tunnel/172.16.0.1-172.16.0.2/require ; spdadd 10.0.2.0/24 10.0.1.0/24 any -P in ipsec ah/tunnel/172.16.0.2-172.16.0.1/require ; add 172.16.0.1 172.16.0.2 ah-old 0x10003 -m any -A hmac-sha2-256 "this is the test" ; add 172.16.0.2 172.16.0.1 ah-old 0x10004 -m any -A hmac-sha2-256 "this is the test" ; # If port number field is omitted such above then "[any]" is employed. # -m specifies the mode of SA to be used. "-m any" means wildcard of # mode of security protocol. You can use this SAs for both tunnel and # transport mode. # At Gateway-B. Attention to the selector and peer's IP address for tunnel. spdadd 10.0.2.0/24 10.0.1.0/24 any -P out ipsec ah/tunnel/172.16.0.2-172.16.0.1/require ; spdadd 10.0.1.0/24 10.0.2.0/24 any -P in ipsec ah/tunnel/172.16.0.1-172.16.0.2/require ; add 172.16.0.1 172.16.0.2 ah-old 0x10003 -m tunnel -A hmac-sha2-256 "this is the test" ; add 172.16.0.2 172.16.0.1 ah-old 0x10004 -m tunnel -A hmac-sha2-256 "this is the test" ; # AH transport mode followed by ESP tunnel mode is required between # Gateway-A and Gateway-B. # Encryption algorithm is aes-cbc, and authentication algorithm for ESP # is hmac-sha2-512. Authentication algorithm for AH is hmac-sha2-256. # # ========== AH ========= # | ======= ESP ===== | # | | | | # Network-A Gateway-A Gateway-B Network-B # fec0:0:0:1::/64 --- fec0:0:0:1::1 ---- fec0:0:0:2::1 --- fec0:0:0:2::/64 # # At Gateway-A: spdadd fec0:0:0:1::/64 fec0:0:0:2::/64 any -P out ipsec esp/tunnel/fec0:0:0:1::1-fec0:0:0:2::1/require ah/transport//require ; spdadd fec0:0:0:2::/64 fec0:0:0:1::/64 any -P in ipsec esp/tunnel/fec0:0:0:2::1-fec0:0:0:1::1/require ah/transport//require ; add fec0:0:0:1::1 fec0:0:0:2::1 esp 0x10001 -m tunnel -E aes-cbc "kamekame12341234kamekame12341234" -A hmac-sha2-512 "this is the test key" ; add fec0:0:0:1::1 fec0:0:0:2::1 ah 0x10001 -m transport -A hmac-sha2-256 "this is the test" ; add fec0:0:0:2::1 fec0:0:0:1::1 esp 0x10001 -m tunnel -E aes-cbc "kamekame12341234kamekame12341234" -A hmac-sha2-512 "this is the test key" ; add fec0:0:0:2::1 fec0:0:0:1::1 ah 0x10001 -m transport -A hmac-sha2-256 "this is the test" ; # ESP tunnel mode is required between Host-A and Gateway-A. # Encryption algorithm is aes-cbc, and authentication algorithm # for ESP is hmac-sha2-256. # ESP transport mode is recommended between Host-A and Host-B. # Encryption algorithm is aes-ctr, and authentication algorithm # for ESP is hmac-sha2-512. # # ================== ESP ================= # | ======= ESP ======= | # | | | | # Host-A Gateway-A Host-B # fec0:0:0:1::1 ---- fec0:0:0:2::1 ---- fec0:0:0:2::2 # # At Host-A: spdadd fec0:0:0:1::1[any] fec0:0:0:2::2[80] tcp -P out ipsec esp/transport//use esp/tunnel/fec0:0:0:1::1-fec0:0:0:2::1/require ; spdadd fec0:0:0:2::1[80] fec0:0:0:1::1[any] tcp -P in ipsec esp/transport//use esp/tunnel/fec0:0:0:2::1-fec0:0:0:1::1/require ; add fec0:0:0:1::1 fec0:0:0:2::2 esp 0x10001 -m transport -E aes-cbc "kamekame12341234kamekame12341234" -A hmac-sha2-256 "this is the test key" ; add fec0:0:0:1::1 fec0:0:0:2::1 esp 0x10002 -E aes-ctr "kamekame12341234kamekame12341234f00f" -A hmac-sha2-512 "this is the test" ; add fec0:0:0:2::2 fec0:0:0:1::1 esp 0x10003 -m transport -E aes-cbc "kamekame12341234kamekame12341234" -A hmac-sha2-256 "this is the test key" ; add fec0:0:0:2::1 fec0:0:0:1::1 esp 0x10004 -E aes-ctr "kamekame12341234kamekame12341234f00f" -A hmac-sha2-512 "this is the test" ; # By "get" command, you can get a entry of either SP or SA. get fec0:0:0:1::1 fec0:0:0:2::2 ah 0x10004 ; # Also delete command, you can delete a entry of either SP or SA. spddelete fec0:0:0:1::/64 fec0:0:0:2::/64 any -P out; delete fec0:0:0:1::1 fec0:0:0:2::2 ah 0x10004 ; # By dump command, you can dump all entry of either SP or SA. dump ; spddump ; dump esp ; flush esp ; # By flush command, you can flush all entry of either SP or SA. flush ; spdflush ; # "flush" and "dump" commands can specify a security protocol. dump esp ; flush ah ; # XXX add ::1 ::1 esp 10001 -m transport -E null ; add ::1 ::1 esp 10004 -m transport -E null -A null ; add ::1 ::1 esp 10006 -m tunnel -E null -A hmac-sha1 "12341234123412341234" ; add ::1 ::1 esp 10015 -m transport -f zero-pad -E null ; add ::1 ::1 esp 10016 -m tunnel -f random-pad -r 8 -lh 100 -ls 80 -E null ; add ::1 ::1 esp 10017 -m transport -f seq-pad -f nocyclic-seq -E null ; add ::1 ::1 esp 10018 -m transport -E null ; #add ::1 ::1 ah 20000 -m transport -A null ; add ::1 ::1 ah 20002 -m tunnel -A hmac-sha1 "12341234123412341234"; #add ::1 ::1 ipcomp 30000 -C oui ; add ::1 ::1 ipcomp 30001 -C deflate ; #add ::1 ::1 ipcomp 30002 -C lzs ; # enjoy.