
1.1     ! misho       1: # Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
        !             2: # All rights reserved.
        !             3: # 
        !             4: # Redistribution and use in source and binary forms, with or without
        !             5: # modification, are permitted provided that the following conditions
        !             6: # are met:
        !             7: # 1. Redistributions of source code must retain the above copyright
        !             8: #    notice, this list of conditions and the following disclaimer.
        !             9: # 2. Redistributions in binary form must reproduce the above copyright
        !            10: #    notice, this list of conditions and the following disclaimer in the
        !            11: #    documentation and/or other materials provided with the distribution.
        !            12: # 3. Neither the name of the project nor the names of its contributors
        !            13: #    may be used to endorse or promote products derived from this software
        !            14: #    without specific prior written permission.
        !            15: # 
        !            16: # THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
        !            17: # ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
        !            18: # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
        !            19: # ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
        !            20: # FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
        !            21: # DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
        !            22: # OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
        !            23: # HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
        !            24: # LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
        !            25: # OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
        !            26: # SUCH DAMAGE.
        !            27: 
# These are sample scripts for IPsec configuration by manual keying.
# A security association is uniquely identified by the triple of a
# Security Parameter Index (SPI), an IP destination address and a
# security protocol (AH or ESP) identifier; keep these three values
# distinct per SA and identical on both ends when keying manually.
# The keys in this file are publicly known sample values and must be
# replaced by randomly generated keys of the right length before any
# real use.
        !            33: 
# ESP transport mode is recommended (policy level "use") for TCP port 110
# between Host-A and Host-B.  The encryption algorithm is blowfish-cbc
# with the key "kamekame", and the authentication algorithm is hmac-sha1
# with the key "this is the test key".
        !            38: #
        !            39: #       ============ ESP ============
        !            40: #       |                           |
        !            41: #    Host-A                        Host-B
        !            42: #   fec0::10 -------------------- fec0::11
        !            43: #
        !            44: # At Host-A and Host-B,
        !            45: spdadd fec0::10[any] fec0::11[110] tcp -P out ipsec
        !            46:        esp/transport//use ;
        !            47: spdadd fec0::11[110] fec0::10[any] tcp -P in ipsec
        !            48:        esp/transport//use ;
        !            49: add fec0::10 fec0::11 esp 0x10001
        !            50:        -m transport
        !            51:        -E blowfish-cbc "kamekame"
        !            52:        -A hmac-sha1 "this is the test key" ;
        !            53: add fec0::11 fec0::10 esp 0x10002
        !            54:        -m transport
        !            55:        -E blowfish-cbc "kamekame"
        !            56:        -A hmac-sha1 "this is the test key" ;
        !            57: 
# "[any]" is the wildcard for the port number.  Note that "[0]" means
# port number zero, not a wildcard.
        !            60: 
# The security protocol is old-style AH in tunnel mode, i.e. RFC 1826,
# with keyed-md5 (key "this is the test") as the authentication
# algorithm.  It runs between Gateway-A and Gateway-B.  Both "ah-old"
# and keyed-md5 are legacy formats kept for interoperability with old
# peers; prefer "ah" with an HMAC algorithm for new deployments.
        !            64: #
        !            65: #                        ======= AH =======
        !            66: #                        |                |
        !            67: #    Network-A       Gateway-A        Gateway-B        Network-B
        !            68: #   10.0.1.0/24 ---- 172.16.0.1 ----- 172.16.0.2 ---- 10.0.2.0/24
        !            69: #
        !            70: # At Gateway-A:
        !            71: spdadd 10.0.1.0/24 10.0.2.0/24 any -P out ipsec
        !            72:        ah/tunnel/172.16.0.1-172.16.0.2/require ;
        !            73: spdadd 10.0.2.0/24 10.0.1.0/24 any -P in ipsec
        !            74:        ah/tunnel/172.16.0.2-172.16.0.1/require ;
        !            75: add 172.16.0.1 172.16.0.2 ah-old 0x10003
        !            76:        -m any
        !            77:        -A keyed-md5 "this is the test" ;
        !            78: add 172.16.0.2 172.16.0.1 ah-old 0x10004
        !            79:        -m any
        !            80:        -A keyed-md5 "this is the test" ;
        !            81: 
# If the port number field is omitted, as above, "[any]" is assumed.
# -m specifies the mode of the SA.  "-m any" is a wildcard for the
# security-protocol mode: such SAs can be used for both tunnel and
# transport mode.
        !            86: 
# At Gateway-B.  Note that the selectors and the tunnel endpoint
# addresses are the mirror image of Gateway-A's.
        !            88: spdadd 10.0.2.0/24 10.0.1.0/24 any -P out ipsec
        !            89:        ah/tunnel/172.16.0.2-172.16.0.1/require ;
        !            90: spdadd 10.0.1.0/24 10.0.2.0/24 any -P in ipsec
        !            91:        ah/tunnel/172.16.0.1-172.16.0.2/require ;
        !            92: add 172.16.0.1 172.16.0.2 ah-old 0x10003
        !            93:        -m tunnel
        !            94:        -A keyed-md5 "this is the test" ;
        !            95: add 172.16.0.2 172.16.0.1 ah-old 0x10004
        !            96:        -m tunnel
        !            97:        -A keyed-md5 "this is the test" ;
        !            98: 
# AH transport mode wrapped around ESP tunnel mode (see the diagram
# below: AH is the outer protection) is required between Gateway-A and
# Gateway-B.  The encryption algorithm is 3des-cbc and the authentication
# algorithm for ESP is hmac-sha1.  The authentication algorithm for AH
# is hmac-md5.
        !           103: #
        !           104: #                           ========== AH =========
        !           105: #                           |  ======= ESP =====  |
        !           106: #                           |  |               |  |
        !           107: #      Network-A          Gateway-A        Gateway-B           Network-B
        !           108: #   fec0:0:0:1::/64 --- fec0:0:0:1::1 ---- fec0:0:0:2::1 --- fec0:0:0:2::/64
        !           109: #
        !           110: # At Gateway-A:
        !           111: spdadd fec0:0:0:1::/64 fec0:0:0:2::/64 any -P out ipsec
        !           112:        esp/tunnel/fec0:0:0:1::1-fec0:0:0:2::1/require
        !           113:        ah/transport//require ;
        !           114: spdadd fec0:0:0:2::/64 fec0:0:0:1::/64 any -P in ipsec
        !           115:        esp/tunnel/fec0:0:0:2::1-fec0:0:0:1::1/require
        !           116:        ah/transport//require ;
        !           117: add fec0:0:0:1::1 fec0:0:0:2::1 esp 0x10001
        !           118:        -m tunnel
        !           119:        -E 3des-cbc "kamekame12341234kame1234"
        !           120:        -A hmac-sha1 "this is the test key" ;
        !           121: add fec0:0:0:1::1 fec0:0:0:2::1 ah 0x10001
        !           122:        -m transport
        !           123:        -A hmac-md5 "this is the test" ;
        !           124: add fec0:0:0:2::1 fec0:0:0:1::1 esp 0x10001
        !           125:        -m tunnel
        !           126:        -E 3des-cbc "kamekame12341234kame1234"
        !           127:        -A hmac-sha1 "this is the test key" ;
        !           128: add fec0:0:0:2::1 fec0:0:0:1::1 ah 0x10001
        !           129:        -m transport
        !           130:        -A hmac-md5 "this is the test" ;
        !           131: 
# ESP tunnel mode is required between Host-A and Gateway-A; the SAs
# for it below use rc5-cbc for encryption and hmac-md5 for
# authentication.
# ESP transport mode is recommended between Host-A and Host-B; the SAs
# for it use cast128-cbc for encryption and hmac-sha1 for
# authentication.
        !           138: #
        !           139: #       ================== ESP =================
        !           140: #       |  ======= ESP =======                 |
        !           141: #       |  |                 |                 |
        !           142: #      Host-A            Gateway-A           Host-B
        !           143: #   fec0:0:0:1::1 ---- fec0:0:0:2::1 ---- fec0:0:0:2::2
        !           144: #
        !           145: # At Host-A:
        !           146: spdadd fec0:0:0:1::1[any] fec0:0:0:2::2[80] tcp -P out ipsec
        !           147:        esp/transport//use
        !           148:        esp/tunnel/fec0:0:0:1::1-fec0:0:0:2::1/require ;
        !           149: spdadd fec0:0:0:2::1[80] fec0:0:0:1::1[any] tcp -P in ipsec
        !           150:        esp/transport//use
        !           151:        esp/tunnel/fec0:0:0:2::1-fec0:0:0:1::1/require ;
        !           152: add fec0:0:0:1::1 fec0:0:0:2::2 esp 0x10001
        !           153:        -m transport
        !           154:        -E cast128-cbc "12341234"
        !           155:        -A hmac-sha1 "this is the test key" ;
        !           156: add fec0:0:0:1::1 fec0:0:0:2::1 esp 0x10002
        !           157:        -E rc5-cbc "kamekame"
        !           158:        -A hmac-md5 "this is the test" ;
        !           159: add fec0:0:0:2::2 fec0:0:0:1::1 esp 0x10003
        !           160:        -m transport
        !           161:        -E cast128-cbc "12341234"
        !           162:        -A hmac-sha1 "this is the test key" ;
        !           163: add fec0:0:0:2::1 fec0:0:0:1::1 esp 0x10004
        !           164:        -E rc5-cbc "kamekame"
        !           165:        -A hmac-md5 "this is the test" ;
        !           166: 
        !           167: # By "get" command, you can get a entry of either SP or SA.
        !           168: get fec0:0:0:1::1 fec0:0:0:2::2 ah 0x10004 ;
        !           169: 
        !           170: # Also delete command, you can delete a entry of either SP or SA.
        !           171: spddelete fec0:0:0:1::/64 fec0:0:0:2::/64 any -P out;
        !           172: delete fec0:0:0:1::1 fec0:0:0:2::2 ah 0x10004 ;
        !           173: 
        !           174: # By dump command, you can dump all entry of either SP or SA.
        !           175: dump ;
        !           176: spddump ;
        !           177: dump esp ;
        !           178: flush esp ;
        !           179: 
        !           180: # By flush command, you can flush all entry of either SP or SA.
        !           181: flush ;
        !           182: spdflush ;
        !           183: 
        !           184: # "flush" and "dump" commands can specify a security protocol.
        !           185: dump esp ;
        !           186: flush ah ;
        !           187: 
        !           188: # XXX
        !           189: add ::1 ::1 esp 10001 -m transport -E null ;
        !           190: add ::1 ::1 esp 10002 -m transport -E des-deriv "12341234" ;
        !           191: add ::1 ::1 esp-old 10003 -m transport -E des-32iv "12341234" ;
        !           192: add ::1 ::1 esp 10004 -m transport -E null -A null ;
        !           193: add ::1 ::1 esp 10005 -m transport -E null -A hmac-md5 "1234123412341234" ;
        !           194: add ::1 ::1 esp 10006 -m tunnel -E null -A hmac-sha1 "12341234123412341234" ;
        !           195: add ::1 ::1 esp 10007 -m transport -E null -A keyed-md5 "1234123412341234" ;
        !           196: add ::1 ::1 esp 10008 -m any -E null -A keyed-sha1 "12341234123412341234" ;
        !           197: add ::1 ::1 esp 10009 -m transport -E des-cbc "testtest" ;
        !           198: add ::1 ::1 esp 10010 -m transport -E 3des-cbc "testtest12341234testtest" ;
        !           199: add ::1 ::1 esp 10011 -m tunnel -E cast128-cbc "testtest1234" ;
        !           200: add ::1 ::1 esp 10012 -m tunnel -E blowfish-cbc "testtest1234" ;
        !           201: add ::1 ::1 esp 10013 -m tunnel -E rc5-cbc "testtest1234" ;
        !           202: add ::1 ::1 esp 10014 -m any -E rc5-cbc "testtest1234" ;
        !           203: add ::1 ::1 esp 10015 -m transport -f zero-pad -E null ;
        !           204: add ::1 ::1 esp 10016 -m tunnel -f random-pad -r 8 -lh 100 -ls 80 -E null ;
        !           205: add ::1 ::1 esp 10017 -m transport -f seq-pad -f nocyclic-seq -E null ;
        !           206: add ::1 ::1 esp 10018 -m transport -E null ;
        !           207: #add ::1 ::1 ah 20000 -m transport -A null ;
        !           208: add ::1 ::1 ah 20001 -m any -A hmac-md5 "1234123412341234";
        !           209: add ::1 ::1 ah 20002 -m tunnel -A hmac-sha1 "12341234123412341234";
        !           210: add ::1 ::1 ah 20003 -m transport -A keyed-md5 "1234123412341234";
        !           211: add ::1 ::1 ah-old 20004 -m transport -A keyed-md5 "1234123412341234";
        !           212: add ::1 ::1 ah 20005 -m transport -A keyed-sha1 "12341234123412341234";
        !           213: #add ::1 ::1 ipcomp 30000 -C oui ;
        !           214: add ::1 ::1 ipcomp 30001 -C deflate ;
        !           215: #add ::1 ::1 ipcomp 30002 -C lzs ;
        !           216: 
        !           217: # enjoy.
