1.1 misho 1: # Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
2: # All rights reserved.
3: #
4: # Redistribution and use in source and binary forms, with or without
5: # modification, are permitted provided that the following conditions
6: # are met:
7: # 1. Redistributions of source code must retain the above copyright
8: # notice, this list of conditions and the following disclaimer.
9: # 2. Redistributions in binary form must reproduce the above copyright
10: # notice, this list of conditions and the following disclaimer in the
11: # documentation and/or other materials provided with the distribution.
12: # 3. Neither the name of the project nor the names of its contributors
13: # may be used to endorse or promote products derived from this software
14: # without specific prior written permission.
15: #
16: # THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
17: # ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
18: # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
19: # ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
20: # FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
21: # DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
22: # OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
23: # HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
24: # LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
25: # OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
26: # SUCH DAMAGE.
27:
# These are sample scripts for IPsec configuration by manual keying.
# A security association (SA) is uniquely identified by the triple of
# Security Parameter Index (SPI), IP destination address and security
# protocol (AH or ESP). Every SA you add by hand must be unique under that
# triple, and the peer must be configured with the same SPI, algorithms and
# keys. Manually keyed SAs are never rekeyed and their keys are stored here
# in clear text, so treat these as test setups and keep this file readable
# only by root.
33:
34: # ESP transport mode is recommended for TCP port number 110 between
35: # Host-A and Host-B. Encryption algorithm is blowfish-cbc whose key
36: # is "kamekame", and authentication algorithm is hmac-sha1 whose key
37: # is "this is the test key".
38: #
39: # ============ ESP ============
40: # | |
41: # Host-A Host-B
42: # fec0::10 -------------------- fec0::11
43: #
44: # At Host-A and Host-B,
# Policies: protect TCP to/from port 110 between the two hosts with ESP in
# transport mode.
# NOTE(review): the "use" level is fail-open. Per setkey(8) the kernel uses
# an SA if one exists and otherwise passes the traffic in clear text; use
# "require" when this traffic must never leave unprotected.
spdadd fec0::10[any] fec0::11[110] tcp -P out ipsec
	esp/transport//use ;
spdadd fec0::11[110] fec0::10[any] tcp -P in ipsec
	esp/transport//use ;
# Manual SAs, one per direction (distinct SPIs 0x10001 / 0x10002).
# Key lengths: blowfish-cbc accepts 40-448 bits ("kamekame" = 64 bits);
# hmac-sha1 needs exactly 160 bits ("this is the test key" = 20 bytes).
# NOTE(review): quoted ASCII keys are low-entropy passphrases for testing
# only; real keys should be random bytes given as 0x... hex, and should
# differ per direction (both SAs below share both keys). No -r is given,
# so per setkey(8) anti-replay checking is disabled on these SAs.
add fec0::10 fec0::11 esp 0x10001
	-m transport
	-E blowfish-cbc "kamekame"
	-A hmac-sha1 "this is the test key" ;
add fec0::11 fec0::10 esp 0x10002
	-m transport
	-E blowfish-cbc "kamekame"
	-A hmac-sha1 "this is the test key" ;
57:
# "[any]" is a wildcard for the port number. Note that "[0]" means port
# number zero, not a wildcard.
60:
61: # Security protocol is old AH tunnel mode, i.e. RFC1826, with keyed-md5
62: # whose key is "this is the test" as authentication algorithm.
63: # That protocol takes place between Gateway-A and Gateway-B.
64: #
65: # ======= AH =======
66: # | |
67: # Network-A Gateway-A Gateway-B Network-B
68: # 10.0.1.0/24 ---- 172.16.0.1 ----- 172.16.0.2 ---- 10.0.2.0/24
69: #
70: # At Gateway-A:
# Policies at Gateway-A: everything between the two networks must be
# carried in an AH tunnel between the gateways ("require": no SA, no
# traffic).
spdadd 10.0.1.0/24 10.0.2.0/24 any -P out ipsec
	ah/tunnel/172.16.0.1-172.16.0.2/require ;
spdadd 10.0.2.0/24 10.0.1.0/24 any -P in ipsec
	ah/tunnel/172.16.0.2-172.16.0.1/require ;
# SAs: "ah-old" is the RFC 1826 AH format and "keyed-md5" is a plain
# keyed hash (not an HMAC); both are obsolete and kept here only for
# interoperating with legacy peers. keyed-md5 needs a 128-bit key
# ("this is the test" = 16 bytes). "-m any" lets this SA serve either
# tunnel or transport mode policies; see the note after this example.
# AH gives integrity/origin authentication only - the payload is sent in
# clear text.
add 172.16.0.1 172.16.0.2 ah-old 0x10003
	-m any
	-A keyed-md5 "this is the test" ;
add 172.16.0.2 172.16.0.1 ah-old 0x10004
	-m any
	-A keyed-md5 "this is the test" ;
81:
# If the port number field is omitted, as above, "[any]" is assumed.
# -m specifies the mode of the SA. "-m any" is a wildcard for the mode, so
# the SA can be used by both tunnel-mode and transport-mode policies.
# Where the intended mode is known, stating it explicitly keeps the SA from
# being matched by a policy of the other mode.
86:
# At Gateway-B. Note that the selectors and the tunnel endpoints are
# mirrored relative to the Gateway-A configuration above.
# Policies at Gateway-B: the mirror image of Gateway-A's (out <-> in,
# tunnel endpoints swapped).
spdadd 10.0.2.0/24 10.0.1.0/24 any -P out ipsec
	ah/tunnel/172.16.0.2-172.16.0.1/require ;
spdadd 10.0.1.0/24 10.0.2.0/24 any -P in ipsec
	ah/tunnel/172.16.0.1-172.16.0.2/require ;
# The SAs carry the same SPIs and keys as on Gateway-A (they must, for the
# two sides to interoperate) but are pinned to tunnel mode here instead of
# "-m any". Same caveats apply: ah-old/keyed-md5 are obsolete, the ASCII
# key is test-only, and no replay window (-r) is configured.
add 172.16.0.1 172.16.0.2 ah-old 0x10003
	-m tunnel
	-A keyed-md5 "this is the test" ;
add 172.16.0.2 172.16.0.1 ah-old 0x10004
	-m tunnel
	-A keyed-md5 "this is the test" ;
98:
99: # AH transport mode followed by ESP tunnel mode is required between
100: # Gateway-A and Gateway-B.
101: # Encryption algorithm is 3des-cbc, and authentication algorithm for ESP
102: # is hmac-sha1. Authentication algorithm for AH is hmac-md5.
103: #
104: # ========== AH =========
105: # | ======= ESP ===== |
106: # | | | |
107: # Network-A Gateway-A Gateway-B Network-B
108: # fec0:0:0:1::/64 --- fec0:0:0:1::1 ---- fec0:0:0:2::1 --- fec0:0:0:2::/64
109: #
110: # At Gateway-A:
# Policies at Gateway-A: the two protocols are listed inner first, so the
# packet gets AH in transport mode and is then wrapped in an ESP tunnel
# between the gateways. Both are "require".
spdadd fec0:0:0:1::/64 fec0:0:0:2::/64 any -P out ipsec
	esp/tunnel/fec0:0:0:1::1-fec0:0:0:2::1/require
	ah/transport//require ;
spdadd fec0:0:0:2::/64 fec0:0:0:1::/64 any -P in ipsec
	esp/tunnel/fec0:0:0:2::1-fec0:0:0:1::1/require
	ah/transport//require ;
# SAs. All four use SPI 0x10001; that is legal because an SA is identified
# by (SPI, destination, protocol), but distinct SPIs per SA make debugging
# easier. Key lengths: 3des-cbc needs 192 bits
# ("kamekame12341234kame1234" = 24 bytes), hmac-sha1 160 bits, hmac-md5
# 128 bits ("this is the test" = 16 bytes).
# NOTE(review): 3DES, MD5 and SHA-1 are legacy algorithms; prefer AES and
# SHA-2 based HMACs where the kernel supports them. ASCII keys are
# test-only and no -r replay window is set.
add fec0:0:0:1::1 fec0:0:0:2::1 esp 0x10001
	-m tunnel
	-E 3des-cbc "kamekame12341234kame1234"
	-A hmac-sha1 "this is the test key" ;
add fec0:0:0:1::1 fec0:0:0:2::1 ah 0x10001
	-m transport
	-A hmac-md5 "this is the test" ;
add fec0:0:0:2::1 fec0:0:0:1::1 esp 0x10001
	-m tunnel
	-E 3des-cbc "kamekame12341234kame1234"
	-A hmac-sha1 "this is the test key" ;
add fec0:0:0:2::1 fec0:0:0:1::1 ah 0x10001
	-m transport
	-A hmac-md5 "this is the test" ;
131:
# ESP tunnel mode is required between Host-A and Gateway-A.
# Encryption algorithm is rc5-cbc, and authentication algorithm
# for ESP is hmac-md5.
# ESP transport mode is recommended between Host-A and Host-B.
# Encryption algorithm is cast128-cbc, and authentication algorithm
# for ESP is hmac-sha1.
138: #
139: # ================== ESP =================
140: # | ======= ESP ======= |
141: # | | | |
142: # Host-A Gateway-A Host-B
143: # fec0:0:0:1::1 ---- fec0:0:0:2::1 ---- fec0:0:0:2::2
144: #
145: # At Host-A:
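# Policies at Host-A: HTTP to Host-B gets ESP transport end-to-end
# ("use": fail-open if no SA exists) and is always carried inside an ESP
# tunnel to Gateway-A ("require").
spdadd fec0:0:0:1::1[any] fec0:0:0:2::2[80] tcp -P out ipsec
	esp/transport//use
	esp/tunnel/fec0:0:0:1::1-fec0:0:0:2::1/require ;
# Inbound mirror of the policy above. The source selector is Host-B
# (fec0:0:0:2::2), not Gateway-A: with the gateway address here, return
# traffic from Host-B would not match this policy and would be accepted
# without IPsec.
spdadd fec0:0:0:2::2[80] fec0:0:0:1::1[any] tcp -P in ipsec
	esp/transport//use
	esp/tunnel/fec0:0:0:2::1-fec0:0:0:1::1/require ;
# Transport SAs Host-A <-> Host-B: cast128-cbc (40-128 bit key,
# "12341234" = 64 bits) with hmac-sha1 (160-bit key).
# NOTE(review): ASCII keys are test-only; no -r, so replay checking is off.
add fec0:0:0:1::1 fec0:0:0:2::2 esp 0x10001
	-m transport
	-E cast128-cbc "12341234"
	-A hmac-sha1 "this is the test key" ;
# Tunnel SAs Host-A <-> Gateway-A: rc5-cbc ("kamekame" = 64 bits) with
# hmac-md5 (128-bit key). "-m tunnel" is stated explicitly so the SA can
# only be picked by the tunnel policy (the default when -m is omitted is
# "any").
add fec0:0:0:1::1 fec0:0:0:2::1 esp 0x10002
	-m tunnel
	-E rc5-cbc "kamekame"
	-A hmac-md5 "this is the test" ;
add fec0:0:0:2::2 fec0:0:0:1::1 esp 0x10003
	-m transport
	-E cast128-cbc "12341234"
	-A hmac-sha1 "this is the test key" ;
add fec0:0:0:2::1 fec0:0:0:1::1 esp 0x10004
	-m tunnel
	-E rc5-cbc "kamekame"
	-A hmac-md5 "this is the test" ;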
166:
# With the "get" command you can look up a single SA (or, with spdget-style
# selectors, an SP). The SA is named by its identifying triple: source and
# destination address, protocol and SPI.
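# Look up the Host-A -> Host-B transport SA added in the previous example.
# (The triple must name an SA that exists; earlier revisions asked for
# "ah 0x10004" to this destination, which no add above ever created.)
get fec0:0:0:1::1 fec0:0:0:2::2 esp 0x10001 ;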
169:
# Likewise, the "spddelete" and "delete" commands remove a single SP or SA.
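# Remove the outbound gateway policy from the AH+ESP example; the selector
# and direction must match the spdadd exactly.
spddelete fec0:0:0:1::/64 fec0:0:0:2::/64 any -P out;
# Remove the Host-A -> Host-B transport SA by its (src, dst, proto, SPI).
# This names an SA that was actually added above; the previous
# "ah 0x10004" to this destination did not exist.
# NOTE(review): deleting an SA while a "use"-level policy still refers to
# it makes matching traffic fall back to clear text; under "require" it is
# dropped instead.
delete fec0:0:0:1::1 fec0:0:0:2::2 esp 0x10001 ;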
173:
# With the "dump" and "spddump" commands you can list all SAs or all SPs.
# List every SA, then every SP.
dump ;
spddump ;
# Restrict the SA listing to one protocol.
dump esp ;
# NOTE(review): this is not a dump - it deletes every ESP SA. Policies
# remain in place, so "require" traffic is dropped and "use" traffic goes
# in clear text until new SAs are added.
flush esp ;
179:
# With the "flush" and "spdflush" commands you can remove all SAs or all SPs.
# Remove every SA, then every SP. Order matters for safety: flushing the
# SAD while "require" policies are still in the SPD blocks traffic, whereas
# flushing the SPD first would let it pass unprotected for a moment.
flush ;
spdflush ;
183:
# The "flush" and "dump" commands may be restricted to one security protocol.
# List only ESP SAs, then remove only AH SAs (ESP SAs are left in place).
dump esp ;
flush ah ;
187:
# XXX: loopback-only exercise of each supported algorithm and option
# (presumably a parser/coverage test). None of these is a usable
# configuration: the SPIs are decimal, the keys are fixed test strings, and
# several SAs offer neither confidentiality nor integrity.
# SPIs in this block are written in decimal (10001 = 0x2711), unlike the
# 0x... SPIs above; setkey accepts both forms.
# NOTE(review): "-E null" with no -A (and "-E null -A null") gives neither
# encryption nor authentication - the packet is merely ESP-framed.
add ::1 ::1 esp 10001 -m transport -E null ;
# des-deriv / des-32iv / esp-old are the RFC 1827-era ESP formats; single
# DES is long broken. Legacy interop only.
add ::1 ::1 esp 10002 -m transport -E des-deriv "12341234" ;
add ::1 ::1 esp-old 10003 -m transport -E des-32iv "12341234" ;
add ::1 ::1 esp 10004 -m transport -E null -A null ;
# ESP-NULL with an authenticator: integrity only, payload in clear text.
# Key lengths: hmac-md5/keyed-md5 128 bits, hmac-sha1/keyed-sha1 160 bits.
# keyed-* are plain keyed hashes, not HMACs; obsolete.
add ::1 ::1 esp 10005 -m transport -E null -A hmac-md5 "1234123412341234" ;
add ::1 ::1 esp 10006 -m tunnel -E null -A hmac-sha1 "12341234123412341234" ;
add ::1 ::1 esp 10007 -m transport -E null -A keyed-md5 "1234123412341234" ;
add ::1 ::1 esp 10008 -m any -E null -A keyed-sha1 "12341234123412341234" ;
# Cipher-only SAs (no -A): encrypted but unauthenticated ESP is
# malleable; pair every cipher with an authenticator in real use.
# Key lengths: des-cbc 64, 3des-cbc 192, cast128/blowfish/rc5 here 96 bits.
add ::1 ::1 esp 10009 -m transport -E des-cbc "testtest" ;
add ::1 ::1 esp 10010 -m transport -E 3des-cbc "testtest12341234testtest" ;
add ::1 ::1 esp 10011 -m tunnel -E cast128-cbc "testtest1234" ;
add ::1 ::1 esp 10012 -m tunnel -E blowfish-cbc "testtest1234" ;
add ::1 ::1 esp 10013 -m tunnel -E rc5-cbc "testtest1234" ;
add ::1 ::1 esp 10014 -m any -E rc5-cbc "testtest1234" ;
# -f selects the ESP padding content (zero / random / sequential bytes).
add ::1 ::1 esp 10015 -m transport -f zero-pad -E null ;
# -r 8 is the only replay window in this file (size in 32-bit words per
# setkey(8)); -lh / -ls are the hard and soft lifetimes in seconds - the
# only SAs here that ever expire.
add ::1 ::1 esp 10016 -m tunnel -f random-pad -r 8 -lh 100 -ls 80 -E null ;
# -f nocyclic-seq stops the SA instead of letting the sequence number wrap,
# which matters for manual SAs that are never rekeyed.
add ::1 ::1 esp 10017 -m transport -f seq-pad -f nocyclic-seq -E null ;
add ::1 ::1 esp 10018 -m transport -E null ;
# AH SAs; "-A null" on AH is left commented out (it would authenticate
# nothing).
#add ::1 ::1 ah 20000 -m transport -A null ;
add ::1 ::1 ah 20001 -m any -A hmac-md5 "1234123412341234";
add ::1 ::1 ah 20002 -m tunnel -A hmac-sha1 "12341234123412341234";
add ::1 ::1 ah 20003 -m transport -A keyed-md5 "1234123412341234";
add ::1 ::1 ah-old 20004 -m transport -A keyed-md5 "1234123412341234";
add ::1 ::1 ah 20005 -m transport -A keyed-sha1 "12341234123412341234";
# IPComp SAs compress the payload; they provide no security on their own
# and must be combined with ESP/AH. oui and lzs are commented out
# (presumably unsupported by this kernel - TODO confirm).
#add ::1 ::1 ipcomp 30000 -C oui ;
add ::1 ::1 ipcomp 30001 -C deflate ;
#add ::1 ::1 ipcomp 30002 -C lzs ;
216:
217: # enjoy.