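# Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
# 1. Redistributions of source code must retain the above copyright
#    notice, this list of conditions and the following disclaimer.
# 2. Redistributions in binary form must reproduce the above copyright
#    notice, this list of conditions and the following disclaimer in the
#    documentation and/or other materials provided with the distribution.
# 3. Neither the name of the project nor the names of its contributors
#    may be used to endorse or promote products derived from this software
#    without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
# SUCH DAMAGE.
#
# $FreeBSD$

# These are sample scripts for IPsec configuration by manual keying.
# A security association (SA) is uniquely identified by the triple of
# Security Parameter Index (SPI), IP destination address and security
# protocol (AH or ESP).  When configuring by manual keying you must take
# care that every "add" below produces a distinct triple.
# The keys quoted in this file are fixed sample strings used for
# illustration only.

# ESP transport mode is recommended for TCP port number 110 between
# Host-A and Host-B.  Encryption algorithm is aes-cbc whose key
# is "kamekamekamekamekamekamekamekame" (32 bytes = 256 bits), and
# authentication algorithm is hmac-sha2-512 whose key is
# "this is the test key".
# NOTE: hmac-sha2-256/-512 are conventionally keyed with 256/512-bit
# keys; the sample strings used throughout this file are shorter, so
# check the key lengths accepted by your setkey(8) before copying them.
#
#          ============ ESP ============
#          |                           |
#       Host-A                       Host-B
#       fec0::10 -------------------- fec0::11
#
# At Host-A and Host-B:
spdadd fec0::10[any] fec0::11[110] tcp -P out ipsec
        esp/transport//use ;
spdadd fec0::11[110] fec0::10[any] tcp -P in ipsec
        esp/transport//use ;
add fec0::10 fec0::11 esp 0x10001
        -m transport
        -E aes-cbc "kamekamekamekamekamekamekamekame"
        -A hmac-sha2-512 "this is the test key" ;
add fec0::11 fec0::10 esp 0x10002
        -m transport
        -E aes-cbc "kamekamekamekamekamekamekamekame"
        -A hmac-sha2-512 "this is the test key" ;

# "[any]" is a wildcard for the port number.  Note that "[0]" means
# port number zero, not a wildcard.

# Security protocol is old AH tunnel mode, i.e. RFC1826, with hmac-sha2-256
# whose key is "this is the test" as authentication algorithm.
# That protocol takes place between Gateway-A and Gateway-B.
#
#                        ======= AH =======
#                        |                |
#      Network-A     Gateway-A        Gateway-B      Network-B
#      10.0.1.0/24 ---- 172.16.0.1 ----- 172.16.0.2 ---- 10.0.2.0/24
#
# At Gateway-A:
spdadd 10.0.1.0/24 10.0.2.0/24 any -P out ipsec
        ah/tunnel/172.16.0.1-172.16.0.2/require ;
spdadd 10.0.2.0/24 10.0.1.0/24 any -P in ipsec
        ah/tunnel/172.16.0.2-172.16.0.1/require ;
add 172.16.0.1 172.16.0.2 ah-old 0x10003
        -m any
        -A hmac-sha2-256 "this is the test" ;
add 172.16.0.2 172.16.0.1 ah-old 0x10004
        -m any
        -A hmac-sha2-256 "this is the test" ;

# If the port number field is omitted, as above, "[any]" is assumed.
# -m specifies the mode of the SA.  "-m any" is a wildcard for the
# mode of the security protocol, so these SAs can be used for both
# tunnel and transport mode.

# At Gateway-B.  Pay attention to the selector and to the peer's IP
# address for the tunnel: both are mirrored relative to Gateway-A.
spdadd 10.0.2.0/24 10.0.1.0/24 any -P out ipsec
        ah/tunnel/172.16.0.2-172.16.0.1/require ;
spdadd 10.0.1.0/24 10.0.2.0/24 any -P in ipsec
        ah/tunnel/172.16.0.1-172.16.0.2/require ;
add 172.16.0.1 172.16.0.2 ah-old 0x10003
        -m tunnel
        -A hmac-sha2-256 "this is the test" ;
add 172.16.0.2 172.16.0.1 ah-old 0x10004
        -m tunnel
        -A hmac-sha2-256 "this is the test" ;

# AH transport mode followed by ESP tunnel mode is required between
# Gateway-A and Gateway-B.
# Encryption algorithm is aes-cbc, and authentication algorithm for ESP
# is hmac-sha2-512.  Authentication algorithm for AH is hmac-sha2-256.
# SPI 0x10001 is reused for ESP and AH in both directions; that is
# legal because each (SPI, destination, protocol) triple is still
# distinct.
#
#                          ========== AH =========
#                          |  ======= ESP =====  |
#                          |  |               |  |
#      Network-A       Gateway-A           Gateway-B        Network-B
#      fec0:0:0:1::/64 --- fec0:0:0:1::1 ---- fec0:0:0:2::1 --- fec0:0:0:2::/64
#
# At Gateway-A:
spdadd fec0:0:0:1::/64 fec0:0:0:2::/64 any -P out ipsec
        esp/tunnel/fec0:0:0:1::1-fec0:0:0:2::1/require
        ah/transport//require ;
spdadd fec0:0:0:2::/64 fec0:0:0:1::/64 any -P in ipsec
        esp/tunnel/fec0:0:0:2::1-fec0:0:0:1::1/require
        ah/transport//require ;
add fec0:0:0:1::1 fec0:0:0:2::1 esp 0x10001
        -m tunnel
        -E aes-cbc "kamekame12341234kamekame12341234"
        -A hmac-sha2-512 "this is the test key" ;
add fec0:0:0:1::1 fec0:0:0:2::1 ah 0x10001
        -m transport
        -A hmac-sha2-256 "this is the test" ;
add fec0:0:0:2::1 fec0:0:0:1::1 esp 0x10001
        -m tunnel
        -E aes-cbc "kamekame12341234kamekame12341234"
        -A hmac-sha2-512 "this is the test key" ;
add fec0:0:0:2::1 fec0:0:0:1::1 ah 0x10001
        -m transport
        -A hmac-sha2-256 "this is the test" ;

# ESP tunnel mode is required between Host-A and Gateway-A.
# ESP transport mode is recommended between Host-A and Host-B.
# As defined below, the transport SAs (SPI 0x10001 / 0x10003) use
# aes-cbc with hmac-sha2-256, and the tunnel SAs (SPI 0x10002 / 0x10004)
# use aes-ctr with hmac-sha2-512.
#
#          ================== ESP =================
#          |  ======= ESP =======                  |
#          |  |                 |                  |
#          Host-A            Gateway-A          Host-B
#          fec0:0:0:1::1 ---- fec0:0:0:2::1 ---- fec0:0:0:2::2
#
# At Host-A:
# The inbound policy mirrors the outbound one: traffic from Host-B
# (fec0:0:0:2::2) port 80, arriving through the tunnel from Gateway-A.
spdadd fec0:0:0:1::1[any] fec0:0:0:2::2[80] tcp -P out ipsec
        esp/transport//use
        esp/tunnel/fec0:0:0:1::1-fec0:0:0:2::1/require ;
spdadd fec0:0:0:2::2[80] fec0:0:0:1::1[any] tcp -P in ipsec
        esp/transport//use
        esp/tunnel/fec0:0:0:2::1-fec0:0:0:1::1/require ;
add fec0:0:0:1::1 fec0:0:0:2::2 esp 0x10001
        -m transport
        -E aes-cbc "kamekame12341234kamekame12341234"
        -A hmac-sha2-256 "this is the test key" ;
# The tunnel SAs give no -m option; add "-m tunnel" if you want to pin
# them to tunnel mode instead of relying on the default mode.
add fec0:0:0:1::1 fec0:0:0:2::1 esp 0x10002
        -E aes-ctr "kamekame12341234kamekame12341234f00f"
        -A hmac-sha2-512 "this is the test" ;
add fec0:0:0:2::2 fec0:0:0:1::1 esp 0x10003
        -m transport
        -E aes-cbc "kamekame12341234kamekame12341234"
        -A hmac-sha2-256 "this is the test key" ;
add fec0:0:0:2::1 fec0:0:0:1::1 esp 0x10004
        -E aes-ctr "kamekame12341234kamekame12341234f00f"
        -A hmac-sha2-512 "this is the test" ;

# With the "get" command you can retrieve a single SA entry.  (This
# example names an AH SA that is not added above, so it is illustrative
# only.)
get fec0:0:0:1::1 fec0:0:0:2::2 ah 0x10004 ;

# Likewise, the delete commands remove an entry of either SP or SA.
spddelete fec0:0:0:1::/64 fec0:0:0:2::/64 any -P out;
delete fec0:0:0:1::1 fec0:0:0:2::2 ah 0x10004 ;

# With the dump commands you can list all entries of either SP or SA.
dump ;
spddump ;
dump esp ;
flush esp ;

# With the flush commands you can remove all entries of either SP or SA.
flush ;
spdflush ;

# "flush" and "dump" can be restricted to one security protocol.
dump esp ;
flush ah ;

# XXX loopback test entries.  "-E null" gives no confidentiality and
# "-A null" gives no integrity protection; these exist to exercise the
# parser and the kernel, not to protect traffic.
add ::1 ::1 esp 10001 -m transport -E null ;
add ::1 ::1 esp 10004 -m transport -E null -A null ;
add ::1 ::1 esp 10006 -m tunnel -E null -A hmac-sha1 "12341234123412341234" ;
add ::1 ::1 esp 10015 -m transport -f zero-pad -E null ;
add ::1 ::1 esp 10016 -m tunnel -f random-pad -r 8 -lh 100 -ls 80 -E null ;
add ::1 ::1 esp 10017 -m transport -f seq-pad -f nocyclic-seq -E null ;
add ::1 ::1 esp 10018 -m transport -E null ;
#add ::1 ::1 ah 20000 -m transport -A null ;
add ::1 ::1 ah 20002 -m tunnel -A hmac-sha1 "12341234123412341234";
#add ::1 ::1 ipcomp 30000 -C oui ;
add ::1 ::1 ipcomp 30001 -C deflate ;
#add ::1 ::1 ipcomp 30002 -C lzs ;

# enjoy.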