xref: /freebsd/sbin/setkey/sample.cf (revision 2008043f386721d58158e37e0d7e50df8095942d)
1# Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
2# All rights reserved.
3#
4# Redistribution and use in source and binary forms, with or without
5# modification, are permitted provided that the following conditions
6# are met:
7# 1. Redistributions of source code must retain the above copyright
8#    notice, this list of conditions and the following disclaimer.
9# 2. Redistributions in binary form must reproduce the above copyright
10#    notice, this list of conditions and the following disclaimer in the
11#    documentation and/or other materials provided with the distribution.
12# 3. Neither the name of the project nor the names of its contributors
13#    may be used to endorse or promote products derived from this software
14#    without specific prior written permission.
15#
16# THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
17# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
18# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
19# ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
20# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
21# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
22# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
23# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
24# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
25# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
26# SUCH DAMAGE.
27#
28
29# There are sample scripts for IPsec configuration by manual keying.
30# A security association is uniquely identified by a triple consisting
31# of a Security Parameter Index (SPI), an IP Destination Address, and a
32# security protocol (AH or ESP) identifier.  You must take care of these
33# parameters when you configure by manual keying.
34
35# ESP transport mode is recommended for TCP port number 110 between
36# Host-A and Host-B. Encryption algorithm is aes-cbc whose key
37# is "kamekamekamekamekamekamekamekame", and authentication algorithm is
38# hmac-sha2-512 whose key is "this is the test key".
39#
40#       ============ ESP ============
41#       |                           |
42#    Host-A                        Host-B
43#   fec0::10 -------------------- fec0::11
44#
45# At Host-A and Host-B,
46spdadd fec0::10[any] fec0::11[110] tcp -P out ipsec
47	esp/transport//use ;
48spdadd fec0::11[110] fec0::10[any] tcp -P in ipsec
49	esp/transport//use ;
50add fec0::10 fec0::11 esp 0x10001
51	-m transport
52	-E aes-cbc "kamekamekamekamekamekamekamekame"
53	-A hmac-sha2-512 "this is the test key" ;
54add fec0::11 fec0::10 esp 0x10002
55	-m transport
56	-E aes-cbc "kamekamekamekamekamekamekamekame"
57	-A hmac-sha2-512 "this is the test key" ;
58
59# "[any]" is wildcard of port number.  Note that "[0]" is the number of
60# zero in port number.
61
62# Security protocol is old AH tunnel mode, i.e. RFC1826, with hmac-sha2-256
63# whose key is "this is the test" as authentication algorithm.
64# That protocol takes place between Gateway-A and Gateway-B.
65#
66#                        ======= AH =======
67#                        |                |
68#    Network-A       Gateway-A        Gateway-B        Network-B
69#   10.0.1.0/24 ---- 172.16.0.1 ----- 172.16.0.2 ---- 10.0.2.0/24
70#
71# At Gateway-A:
72spdadd 10.0.1.0/24 10.0.2.0/24 any -P out ipsec
73	ah/tunnel/172.16.0.1-172.16.0.2/require ;
74spdadd 10.0.2.0/24 10.0.1.0/24 any -P in ipsec
75	ah/tunnel/172.16.0.2-172.16.0.1/require ;
76add 172.16.0.1 172.16.0.2 ah-old 0x10003
77	-m any
78	-A hmac-sha2-256 "this is the test" ;
79add 172.16.0.2 172.16.0.1 ah-old 0x10004
80	-m any
81	-A hmac-sha2-256 "this is the test" ;
82
83# If port number field is omitted such above then "[any]" is employed.
84# -m specifies the mode of SA to be used.  "-m any" means wildcard of
85# mode of security protocol.  You can use this SAs for both tunnel and
86# transport mode.
87
88# At Gateway-B.  Attention to the selector and peer's IP address for tunnel.
89spdadd 10.0.2.0/24 10.0.1.0/24 any -P out ipsec
90	ah/tunnel/172.16.0.2-172.16.0.1/require ;
91spdadd 10.0.1.0/24 10.0.2.0/24 any -P in ipsec
92	ah/tunnel/172.16.0.1-172.16.0.2/require ;
93add 172.16.0.1 172.16.0.2 ah-old 0x10003
94	-m tunnel
95	-A hmac-sha2-256 "this is the test" ;
96add 172.16.0.2 172.16.0.1 ah-old 0x10004
97	-m tunnel
98	-A hmac-sha2-256 "this is the test" ;
99
100# AH transport mode followed by ESP tunnel mode is required between
101# Gateway-A and Gateway-B.
102# Encryption algorithm is aes-cbc, and authentication algorithm for ESP
103# is hmac-sha2-512.  Authentication algorithm for AH is hmac-sha2-256.
104#
105#                           ========== AH =========
106#                           |  ======= ESP =====  |
107#                           |  |               |  |
108#      Network-A          Gateway-A        Gateway-B           Network-B
109#   fec0:0:0:1::/64 --- fec0:0:0:1::1 ---- fec0:0:0:2::1 --- fec0:0:0:2::/64
110#
111# At Gateway-A:
112spdadd fec0:0:0:1::/64 fec0:0:0:2::/64 any -P out ipsec
113	esp/tunnel/fec0:0:0:1::1-fec0:0:0:2::1/require
114	ah/transport//require ;
115spdadd fec0:0:0:2::/64 fec0:0:0:1::/64 any -P in ipsec
116	esp/tunnel/fec0:0:0:2::1-fec0:0:0:1::1/require
117	ah/transport//require ;
118add fec0:0:0:1::1 fec0:0:0:2::1 esp 0x10001
119	-m tunnel
120	-E aes-cbc "kamekame12341234kamekame12341234"
121	-A hmac-sha2-512 "this is the test key" ;
122add fec0:0:0:1::1 fec0:0:0:2::1 ah 0x10001
123	-m transport
124	-A hmac-sha2-256 "this is the test" ;
125add fec0:0:0:2::1 fec0:0:0:1::1 esp 0x10001
126	-m tunnel
127	-E aes-cbc "kamekame12341234kamekame12341234"
128	-A hmac-sha2-512 "this is the test key" ;
129add fec0:0:0:2::1 fec0:0:0:1::1 ah 0x10001
130	-m transport
131	-A hmac-sha2-256 "this is the test" ;
132
133# ESP tunnel mode is required between Host-A and Gateway-A.
134# Encryption algorithm is aes-cbc, and authentication algorithm
135# for ESP is hmac-sha2-256.
136# ESP transport mode is recommended between Host-A and Host-B.
137# Encryption algorithm is aes-ctr,  and authentication algorithm
138# for ESP is hmac-sha2-512.
139#
140#       ================== ESP =================
141#       |  ======= ESP =======                 |
142#       |  |                 |                 |
143#      Host-A            Gateway-A           Host-B
144#   fec0:0:0:1::1 ---- fec0:0:0:2::1 ---- fec0:0:0:2::2
145#
146# At Host-A:
147spdadd fec0:0:0:1::1[any] fec0:0:0:2::2[80] tcp -P out ipsec
148	esp/transport//use
149	esp/tunnel/fec0:0:0:1::1-fec0:0:0:2::1/require ;
150spdadd fec0:0:0:2::1[80] fec0:0:0:1::1[any] tcp -P in ipsec
151	esp/transport//use
152	esp/tunnel/fec0:0:0:2::1-fec0:0:0:1::1/require ;
153add fec0:0:0:1::1 fec0:0:0:2::2 esp 0x10001
154	-m transport
155	-E aes-cbc "kamekame12341234kamekame12341234"
156	-A hmac-sha2-256 "this is the test key" ;
157add fec0:0:0:1::1 fec0:0:0:2::1 esp 0x10002
158	-E aes-ctr "kamekame12341234kamekame12341234f00f"
159	-A hmac-sha2-512 "this is the test" ;
160add fec0:0:0:2::2 fec0:0:0:1::1 esp 0x10003
161	-m transport
162	-E aes-cbc "kamekame12341234kamekame12341234"
163	-A hmac-sha2-256 "this is the test key" ;
164add fec0:0:0:2::1 fec0:0:0:1::1 esp 0x10004
165	-E aes-ctr "kamekame12341234kamekame12341234f00f"
166	-A hmac-sha2-512 "this is the test" ;
167
168# By "get" command, you can get a entry of either SP or SA.
169get fec0:0:0:1::1 fec0:0:0:2::2 ah 0x10004 ;
170
171# Also delete command, you can delete a entry of either SP or SA.
172spddelete fec0:0:0:1::/64 fec0:0:0:2::/64 any -P out;
173delete fec0:0:0:1::1 fec0:0:0:2::2 ah 0x10004 ;
174
175# By dump command, you can dump all entry of either SP or SA.
176dump ;
177spddump ;
178dump esp ;
179flush esp ;
180
181# By flush command, you can flush all entry of either SP or SA.
182flush ;
183spdflush ;
184
185# "flush" and "dump" commands can specify a security protocol.
186dump esp ;
187flush ah ;
188
189# XXX
190add ::1 ::1 esp 10001 -m transport -E null ;
191add ::1 ::1 esp 10004 -m transport -E null -A null ;
192add ::1 ::1 esp 10006 -m tunnel -E null -A hmac-sha1 "12341234123412341234" ;
193add ::1 ::1 esp 10015 -m transport -f zero-pad -E null ;
194add ::1 ::1 esp 10016 -m tunnel -f random-pad -r 8 -lh 100 -ls 80 -E null ;
195add ::1 ::1 esp 10017 -m transport -f seq-pad -f nocyclic-seq -E null ;
196add ::1 ::1 esp 10018 -m transport -E null ;
197#add ::1 ::1 ah 20000 -m transport -A null ;
198add ::1 ::1 ah 20002 -m tunnel -A hmac-sha1 "12341234123412341234";
199#add ::1 ::1 ipcomp 30000 -C oui ;
200add ::1 ::1 ipcomp 30001 -C deflate ;
201#add ::1 ::1 ipcomp 30002 -C lzs ;
202
203# enjoy.
204