xref: /freebsd/sbin/setkey/sample.cf (revision e6bfd18d21b225af6a0ed67ceeaf1293b7b9eba5)
1# Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
2# All rights reserved.
3#
4# Redistribution and use in source and binary forms, with or without
5# modification, are permitted provided that the following conditions
6# are met:
7# 1. Redistributions of source code must retain the above copyright
8#    notice, this list of conditions and the following disclaimer.
9# 2. Redistributions in binary form must reproduce the above copyright
10#    notice, this list of conditions and the following disclaimer in the
11#    documentation and/or other materials provided with the distribution.
12# 3. Neither the name of the project nor the names of its contributors
13#    may be used to endorse or promote products derived from this software
14#    without specific prior written permission.
15#
16# THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
17# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
18# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
19# ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
20# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
21# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
22# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
23# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
24# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
25# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
26# SUCH DAMAGE.
27#
28# $FreeBSD$
29
30# There are sample scripts for IPsec configuration by manual keying.
31# A security association is uniquely identified by a triple consisting
32# of a Security Parameter Index (SPI), an IP Destination Address, and a
33# security protocol (AH or ESP) identifier.  You must take care of these
34# parameters when you configure by manual keying.
35
36# ESP transport mode is recommended for TCP port number 110 between
37# Host-A and Host-B. Encryption algorithm is aes-cbc whose key
38# is "kamekamekamekamekamekamekamekame", and authentication algorithm is
39# hmac-sha2-512 whose key is "this is the test key".
40#
41#       ============ ESP ============
42#       |                           |
43#    Host-A                        Host-B
44#   fec0::10 -------------------- fec0::11
45#
46# At Host-A and Host-B,
47spdadd fec0::10[any] fec0::11[110] tcp -P out ipsec
48	esp/transport//use ;
49spdadd fec0::11[110] fec0::10[any] tcp -P in ipsec
50	esp/transport//use ;
51add fec0::10 fec0::11 esp 0x10001
52	-m transport
53	-E aes-cbc "kamekamekamekamekamekamekamekame"
54	-A hmac-sha2-512 "this is the test key" ;
55add fec0::11 fec0::10 esp 0x10002
56	-m transport
57	-E aes-cbc "kamekamekamekamekamekamekamekame"
58	-A hmac-sha2-512 "this is the test key" ;
59
60# "[any]" is wildcard of port number.  Note that "[0]" is the number of
61# zero in port number.
62
63# Security protocol is old AH tunnel mode, i.e. RFC1826, with hmac-sha2-256
64# whose key is "this is the test" as authentication algorithm.
65# That protocol takes place between Gateway-A and Gateway-B.
66#
67#                        ======= AH =======
68#                        |                |
69#    Network-A       Gateway-A        Gateway-B        Network-B
70#   10.0.1.0/24 ---- 172.16.0.1 ----- 172.16.0.2 ---- 10.0.2.0/24
71#
72# At Gateway-A:
73spdadd 10.0.1.0/24 10.0.2.0/24 any -P out ipsec
74	ah/tunnel/172.16.0.1-172.16.0.2/require ;
75spdadd 10.0.2.0/24 10.0.1.0/24 any -P in ipsec
76	ah/tunnel/172.16.0.2-172.16.0.1/require ;
77add 172.16.0.1 172.16.0.2 ah-old 0x10003
78	-m any
79	-A hmac-sha2-256 "this is the test" ;
80add 172.16.0.2 172.16.0.1 ah-old 0x10004
81	-m any
82	-A hmac-sha2-256 "this is the test" ;
83
84# If port number field is omitted such above then "[any]" is employed.
85# -m specifies the mode of SA to be used.  "-m any" means wildcard of
86# mode of security protocol.  You can use this SAs for both tunnel and
87# transport mode.
88
89# At Gateway-B.  Attention to the selector and peer's IP address for tunnel.
90spdadd 10.0.2.0/24 10.0.1.0/24 any -P out ipsec
91	ah/tunnel/172.16.0.2-172.16.0.1/require ;
92spdadd 10.0.1.0/24 10.0.2.0/24 any -P in ipsec
93	ah/tunnel/172.16.0.1-172.16.0.2/require ;
94add 172.16.0.1 172.16.0.2 ah-old 0x10003
95	-m tunnel
96	-A hmac-sha2-256 "this is the test" ;
97add 172.16.0.2 172.16.0.1 ah-old 0x10004
98	-m tunnel
99	-A hmac-sha2-256 "this is the test" ;
100
101# AH transport mode followed by ESP tunnel mode is required between
102# Gateway-A and Gateway-B.
103# Encryption algorithm is aes-cbc, and authentication algorithm for ESP
104# is hmac-sha2-512.  Authentication algorithm for AH is hmac-sha2-256.
105#
106#                           ========== AH =========
107#                           |  ======= ESP =====  |
108#                           |  |               |  |
109#      Network-A          Gateway-A        Gateway-B           Network-B
110#   fec0:0:0:1::/64 --- fec0:0:0:1::1 ---- fec0:0:0:2::1 --- fec0:0:0:2::/64
111#
112# At Gateway-A:
113spdadd fec0:0:0:1::/64 fec0:0:0:2::/64 any -P out ipsec
114	esp/tunnel/fec0:0:0:1::1-fec0:0:0:2::1/require
115	ah/transport//require ;
116spdadd fec0:0:0:2::/64 fec0:0:0:1::/64 any -P in ipsec
117	esp/tunnel/fec0:0:0:2::1-fec0:0:0:1::1/require
118	ah/transport//require ;
119add fec0:0:0:1::1 fec0:0:0:2::1 esp 0x10001
120	-m tunnel
121	-E aes-cbc "kamekame12341234kamekame12341234"
122	-A hmac-sha2-512 "this is the test key" ;
123add fec0:0:0:1::1 fec0:0:0:2::1 ah 0x10001
124	-m transport
125	-A hmac-sha2-256 "this is the test" ;
126add fec0:0:0:2::1 fec0:0:0:1::1 esp 0x10001
127	-m tunnel
128	-E aes-cbc "kamekame12341234kamekame12341234"
129	-A hmac-sha2-512 "this is the test key" ;
130add fec0:0:0:2::1 fec0:0:0:1::1 ah 0x10001
131	-m transport
132	-A hmac-sha2-256 "this is the test" ;
133
134# ESP tunnel mode is required between Host-A and Gateway-A.
135# Encryption algorithm is aes-cbc, and authentication algorithm
136# for ESP is hmac-sha2-256.
137# ESP transport mode is recommended between Host-A and Host-B.
138# Encryption algorithm is aes-ctr,  and authentication algorithm
139# for ESP is hmac-sha2-512.
140#
141#       ================== ESP =================
142#       |  ======= ESP =======                 |
143#       |  |                 |                 |
144#      Host-A            Gateway-A           Host-B
145#   fec0:0:0:1::1 ---- fec0:0:0:2::1 ---- fec0:0:0:2::2
146#
147# At Host-A:
148spdadd fec0:0:0:1::1[any] fec0:0:0:2::2[80] tcp -P out ipsec
149	esp/transport//use
150	esp/tunnel/fec0:0:0:1::1-fec0:0:0:2::1/require ;
151spdadd fec0:0:0:2::1[80] fec0:0:0:1::1[any] tcp -P in ipsec
152	esp/transport//use
153	esp/tunnel/fec0:0:0:2::1-fec0:0:0:1::1/require ;
154add fec0:0:0:1::1 fec0:0:0:2::2 esp 0x10001
155	-m transport
156	-E aes-cbc "kamekame12341234kamekame12341234"
157	-A hmac-sha2-256 "this is the test key" ;
158add fec0:0:0:1::1 fec0:0:0:2::1 esp 0x10002
159	-E aes-ctr "kamekame12341234kamekame12341234f00f"
160	-A hmac-sha2-512 "this is the test" ;
161add fec0:0:0:2::2 fec0:0:0:1::1 esp 0x10003
162	-m transport
163	-E aes-cbc "kamekame12341234kamekame12341234"
164	-A hmac-sha2-256 "this is the test key" ;
165add fec0:0:0:2::1 fec0:0:0:1::1 esp 0x10004
166	-E aes-ctr "kamekame12341234kamekame12341234f00f"
167	-A hmac-sha2-512 "this is the test" ;
168
169# By "get" command, you can get a entry of either SP or SA.
170get fec0:0:0:1::1 fec0:0:0:2::2 ah 0x10004 ;
171
172# Also delete command, you can delete a entry of either SP or SA.
173spddelete fec0:0:0:1::/64 fec0:0:0:2::/64 any -P out;
174delete fec0:0:0:1::1 fec0:0:0:2::2 ah 0x10004 ;
175
176# By dump command, you can dump all entry of either SP or SA.
177dump ;
178spddump ;
179dump esp ;
180flush esp ;
181
182# By flush command, you can flush all entry of either SP or SA.
183flush ;
184spdflush ;
185
186# "flush" and "dump" commands can specify a security protocol.
187dump esp ;
188flush ah ;
189
190# XXX
191add ::1 ::1 esp 10001 -m transport -E null ;
192add ::1 ::1 esp 10004 -m transport -E null -A null ;
193add ::1 ::1 esp 10006 -m tunnel -E null -A hmac-sha1 "12341234123412341234" ;
194add ::1 ::1 esp 10015 -m transport -f zero-pad -E null ;
195add ::1 ::1 esp 10016 -m tunnel -f random-pad -r 8 -lh 100 -ls 80 -E null ;
196add ::1 ::1 esp 10017 -m transport -f seq-pad -f nocyclic-seq -E null ;
197add ::1 ::1 esp 10018 -m transport -E null ;
198#add ::1 ::1 ah 20000 -m transport -A null ;
199add ::1 ::1 ah 20002 -m tunnel -A hmac-sha1 "12341234123412341234";
200#add ::1 ::1 ipcomp 30000 -C oui ;
201add ::1 ::1 ipcomp 30001 -C deflate ;
202#add ::1 ::1 ipcomp 30002 -C lzs ;
203
204# enjoy.
205