1 # Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
4 # Redistribution and use in source and binary forms, with or without
5 # modification, are permitted provided that the following conditions
7 # 1. Redistributions of source code must retain the above copyright
8 # notice, this list of conditions and the following disclaimer.
9 # 2. Redistributions in binary form must reproduce the above copyright
10 # notice, this list of conditions and the following disclaimer in the
11 # documentation and/or other materials provided with the distribution.
12 # 3. Neither the name of the project nor the names of its contributors
13 # may be used to endorse or promote products derived from this software
14 # without specific prior written permission.
16 # THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
17 # ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
18 # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
19 # ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
20 # FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
21 # DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
22 # OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
23 # HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
24 # LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
25 # OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
30 # There are sample scripts for IPsec configuration by manual keying.
31 # A security association is uniquely identified by a triple consisting
32 # of a Security Parameter Index (SPI), an IP Destination Address, and a
33 # security protocol (AH or ESP) identifier. You must take care of these
34 # parameters when you configure by manual keying.
36 # ESP transport mode is recommended for TCP port number 110 between
37 # Host-A and Host-B. Encryption algorithm is aes-cbc whose key
38 # is "kamekamekamekamekamekamekamekame", and authentication algorithm is
39 # hmac-sha2-512 whose key is "this is the test key".
41 # ============ ESP ============
44 # fec0::10 -------------------- fec0::11
46 # At Host-A and Host-B,
47 spdadd fec0::10[any] fec0::11[110] tcp -P out ipsec
49 spdadd fec0::11[110] fec0::10[any] tcp -P in ipsec
51 add fec0::10 fec0::11 esp 0x10001
53 -E aes-cbc "kamekamekamekamekamekamekamekame"
54 -A hmac-sha2-512 "this is the test key" ;
55 add fec0::11 fec0::10 esp 0x10002
57 -E aes-cbc "kamekamekamekamekamekamekamekame"
58 -A hmac-sha2-512 "this is the test key" ;
60 # "[any]" is wildcard of port number. Note that "[0]" is the number of
61 # zero in port number.
63 # Security protocol is old AH tunnel mode, i.e. RFC1826, with hmac-sha2-256
64 # whose key is "this is the test" as authentication algorithm.
65 # That protocol takes place between Gateway-A and Gateway-B.
69 # Network-A Gateway-A Gateway-B Network-B
70 # 10.0.1.0/24 ---- 172.16.0.1 ----- 172.16.0.2 ---- 10.0.2.0/24
73 spdadd 10.0.1.0/24 10.0.2.0/24 any -P out ipsec
74 ah/tunnel/172.16.0.1-172.16.0.2/require ;
75 spdadd 10.0.2.0/24 10.0.1.0/24 any -P in ipsec
76 ah/tunnel/172.16.0.2-172.16.0.1/require ;
77 add 172.16.0.1 172.16.0.2 ah-old 0x10003
79 -A hmac-sha2-256 "this is the test" ;
80 add 172.16.0.2 172.16.0.1 ah-old 0x10004
82 -A hmac-sha2-256 "this is the test" ;
84 # If port number field is omitted such above then "[any]" is employed.
85 # -m specifies the mode of SA to be used. "-m any" means wildcard of
86 # mode of security protocol. You can use this SAs for both tunnel and
89 # At Gateway-B. Attention to the selector and peer's IP address for tunnel.
90 spdadd 10.0.2.0/24 10.0.1.0/24 any -P out ipsec
91 ah/tunnel/172.16.0.2-172.16.0.1/require ;
92 spdadd 10.0.1.0/24 10.0.2.0/24 any -P in ipsec
93 ah/tunnel/172.16.0.1-172.16.0.2/require ;
94 add 172.16.0.1 172.16.0.2 ah-old 0x10003
96 -A hmac-sha2-256 "this is the test" ;
97 add 172.16.0.2 172.16.0.1 ah-old 0x10004
99 -A hmac-sha2-256 "this is the test" ;
101 # AH transport mode followed by ESP tunnel mode is required between
102 # Gateway-A and Gateway-B.
103 # Encryption algorithm is aes-cbc, and authentication algorithm for ESP
104 # is hmac-sha2-512. Authentication algorithm for AH is hmac-sha2-256.
106 # ========== AH =========
107 # | ======= ESP ===== |
109 # Network-A Gateway-A Gateway-B Network-B
110 # fec0:0:0:1::/64 --- fec0:0:0:1::1 ---- fec0:0:0:2::1 --- fec0:0:0:2::/64
113 spdadd fec0:0:0:1::/64 fec0:0:0:2::/64 any -P out ipsec
114 esp/tunnel/fec0:0:0:1::1-fec0:0:0:2::1/require
115 ah/transport//require ;
116 spdadd fec0:0:0:2::/64 fec0:0:0:1::/64 any -P in ipsec
117 esp/tunnel/fec0:0:0:2::1-fec0:0:0:1::1/require
118 ah/transport//require ;
119 add fec0:0:0:1::1 fec0:0:0:2::1 esp 0x10001
121 -E aes-cbc "kamekame12341234kamekame12341234"
122 -A hmac-sha2-512 "this is the test key" ;
123 add fec0:0:0:1::1 fec0:0:0:2::1 ah 0x10001
125 -A hmac-sha2-256 "this is the test" ;
126 add fec0:0:0:2::1 fec0:0:0:1::1 esp 0x10001
128 -E aes-cbc "kamekame12341234kamekame12341234"
129 -A hmac-sha2-512 "this is the test key" ;
130 add fec0:0:0:2::1 fec0:0:0:1::1 ah 0x10001
132 -A hmac-sha2-256 "this is the test" ;
134 # ESP tunnel mode is required between Host-A and Gateway-A.
135 # Encryption algorithm is aes-cbc, and authentication algorithm
136 # for ESP is hmac-sha2-256.
137 # ESP transport mode is recommended between Host-A and Host-B.
138 # Encryption algorithm is aes-ctr, and authentication algorithm
139 # for ESP is hmac-sha2-512.
141 # ================== ESP =================
142 # | ======= ESP ======= |
144 # Host-A Gateway-A Host-B
145 # fec0:0:0:1::1 ---- fec0:0:0:2::1 ---- fec0:0:0:2::2
148 spdadd fec0:0:0:1::1[any] fec0:0:0:2::2[80] tcp -P out ipsec
150 esp/tunnel/fec0:0:0:1::1-fec0:0:0:2::1/require ;
151 spdadd fec0:0:0:2::1[80] fec0:0:0:1::1[any] tcp -P in ipsec
153 esp/tunnel/fec0:0:0:2::1-fec0:0:0:1::1/require ;
154 add fec0:0:0:1::1 fec0:0:0:2::2 esp 0x10001
156 -E aes-cbc "kamekame12341234kamekame12341234"
157 -A hmac-sha2-256 "this is the test key" ;
158 add fec0:0:0:1::1 fec0:0:0:2::1 esp 0x10002
159 -E aes-ctr "kamekame12341234kamekame12341234f00f"
160 -A hmac-sha2-512 "this is the test" ;
161 add fec0:0:0:2::2 fec0:0:0:1::1 esp 0x10003
163 -E aes-cbc "kamekame12341234kamekame12341234"
164 -A hmac-sha2-256 "this is the test key" ;
165 add fec0:0:0:2::1 fec0:0:0:1::1 esp 0x10004
166 -E aes-ctr "kamekame12341234kamekame12341234f00f"
167 -A hmac-sha2-512 "this is the test" ;
169 # By "get" command, you can get a entry of either SP or SA.
170 get fec0:0:0:1::1 fec0:0:0:2::2 ah 0x10004 ;
172 # Also delete command, you can delete a entry of either SP or SA.
173 spddelete fec0:0:0:1::/64 fec0:0:0:2::/64 any -P out;
174 delete fec0:0:0:1::1 fec0:0:0:2::2 ah 0x10004 ;
176 # By dump command, you can dump all entry of either SP or SA.
182 # By flush command, you can flush all entry of either SP or SA.
186 # "flush" and "dump" commands can specify a security protocol.
191 add ::1 ::1 esp 10001 -m transport -E null ;
192 add ::1 ::1 esp 10004 -m transport -E null -A null ;
193 add ::1 ::1 esp 10006 -m tunnel -E null -A hmac-sha1 "12341234123412341234" ;
194 add ::1 ::1 esp 10015 -m transport -f zero-pad -E null ;
195 add ::1 ::1 esp 10016 -m tunnel -f random-pad -r 8 -lh 100 -ls 80 -E null ;
196 add ::1 ::1 esp 10017 -m transport -f seq-pad -f nocyclic-seq -E null ;
197 add ::1 ::1 esp 10018 -m transport -E null ;
198 #add ::1 ::1 ah 20000 -m transport -A null ;
199 add ::1 ::1 ah 20002 -m tunnel -A hmac-sha1 "12341234123412341234";
200 #add ::1 ::1 ipcomp 30000 -C oui ;
201 add ::1 ::1 ipcomp 30001 -C deflate ;
202 #add ::1 ::1 ipcomp 30002 -C lzs ;