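# Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
# All rights reserved.
# 
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
# 1. Redistributions of source code must retain the above copyright
#    notice, this list of conditions and the following disclaimer.
# 2. Redistributions in binary form must reproduce the above copyright
#    notice, this list of conditions and the following disclaimer in the
#    documentation and/or other materials provided with the distribution.
# 3. Neither the name of the project nor the names of its contributors
#    may be used to endorse or promote products derived from this software
#    without specific prior written permission.
# 
# THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
# SUCH DAMAGE.
#
# $FreeBSD$

# These are sample setkey(8) scripts for IPsec configuration by manual
# keying.  A security association (SA) is uniquely identified by a triple
# consisting of a Security Parameter Index (SPI), an IP destination
# address, and a security protocol (AH or ESP) identifier.  You must keep
# these parameters consistent on both peers when you configure by manual
# keying: the SPI, the algorithms, and the keys of an SA must match on
# the sending and the receiving side.
#
# The sections below are independent examples, not one script to be
# loaded as a whole: later sections reuse SPIs from earlier ones, and the
# "get"/"delete" examples refer to entries that are not added above them.
# The key strings ("kamekame", "this is the test key", ...) are
# illustrative placeholders chosen for their length only; manual keys for
# a real SA have to come from a cryptographically strong random source
# and must not be shared across SAs or reused across rekeys.  Each key is
# given as a quoted string, so its length in bytes is the key length in
# octets (a 20-byte string is a 160-bit hmac-sha1 key, a 24-byte string a
# 192-bit 3des-cbc key, and so on).

# ESP transport mode is recommended ("use") for TCP port number 110
# between Host-A and Host-B.  The encryption algorithm is blowfish-cbc
# with the key "kamekame", and the authentication algorithm is hmac-sha1
# with the key "this is the test key".
#
#       ============ ESP ============
#       |                           |
#    Host-A                        Host-B
#   fec0::10 -------------------- fec0::11
#
# At Host-A and Host-B (the same SPD and SAD entries work on both ends,
# since each SA is keyed by its destination address and direction is
# given by the policy):
spdadd fec0::10[any] fec0::11[110] tcp -P out ipsec
	esp/transport//use ;
spdadd fec0::11[110] fec0::10[any] tcp -P in ipsec
	esp/transport//use ;
add fec0::10 fec0::11 esp 0x10001
	-m transport
	-E blowfish-cbc "kamekame"
	-A hmac-sha1 "this is the test key" ;
add fec0::11 fec0::10 esp 0x10002
	-m transport
	-E blowfish-cbc "kamekame"
	-A hmac-sha1 "this is the test key" ;

# "[any]" is the wildcard for the port number.  Note that "[0]" means
# port number zero, not a wildcard.

# The security protocol is old AH tunnel mode, i.e. RFC1826, with keyed-md5
# (key "this is the test") as the authentication algorithm.  "ah-old" and
# keyed-md5 are the pre-RFC2402 formats and are kept here for
# interoperability with legacy implementations; new configurations use
# "ah" with an HMAC algorithm as in the later examples.
# That protocol is applied between Gateway-A and Gateway-B.
#
#                        ======= AH =======
#                        |                |
#    Network-A       Gateway-A        Gateway-B        Network-B
#   10.0.1.0/24 ---- 172.16.0.1 ----- 172.16.0.2 ---- 10.0.2.0/24
#
# At Gateway-A:
spdadd 10.0.1.0/24 10.0.2.0/24 any -P out ipsec
	ah/tunnel/172.16.0.1-172.16.0.2/require ;
spdadd 10.0.2.0/24 10.0.1.0/24 any -P in ipsec
	ah/tunnel/172.16.0.2-172.16.0.1/require ;
add 172.16.0.1 172.16.0.2 ah-old 0x10003
	-m any
	-A keyed-md5 "this is the test" ;
add 172.16.0.2 172.16.0.1 ah-old 0x10004
	-m any
	-A keyed-md5 "this is the test" ;

# If the port number field is omitted, as above, "[any]" is assumed.
# -m specifies the mode of the SA to be used.  "-m any" is the wildcard
# for the mode of the security protocol: these SAs can then be selected
# by both tunnel-mode and transport-mode policies.

# At Gateway-B.  Pay attention to the selector and to the peer's IP
# address for the tunnel: both are mirrored with respect to Gateway-A.
# The SAs themselves (SPI, algorithm, key) are identical on both gateways;
# only "-m tunnel" is used here, so these entries match tunnel-mode
# policies only.
spdadd 10.0.2.0/24 10.0.1.0/24 any -P out ipsec
	ah/tunnel/172.16.0.2-172.16.0.1/require ;
spdadd 10.0.1.0/24 10.0.2.0/24 any -P in ipsec
	ah/tunnel/172.16.0.1-172.16.0.2/require ;
add 172.16.0.1 172.16.0.2 ah-old 0x10003
	-m tunnel
	-A keyed-md5 "this is the test" ;
add 172.16.0.2 172.16.0.1 ah-old 0x10004
	-m tunnel
	-A keyed-md5 "this is the test" ;

# AH transport mode followed by ESP tunnel mode is required between
# Gateway-A and Gateway-B.
# The encryption algorithm is 3des-cbc, and the authentication algorithm
# for ESP is hmac-sha1.  The authentication algorithm for AH is hmac-md5.
# In the policy below the ESP tunnel is listed first and AH transport
# second; the order of the policy entries is the order in which the
# protocols are applied to an outbound packet.
#
#                           ========== AH =========
#                           |  ======= ESP =====  |
#                           |  |               |  |
#      Network-A          Gateway-A        Gateway-B           Network-B
#   fec0:0:0:1::/64 --- fec0:0:0:1::1 ---- fec0:0:0:2::1 --- fec0:0:0:2::/64
#
# At Gateway-A:
spdadd fec0:0:0:1::/64 fec0:0:0:2::/64 any -P out ipsec
	esp/tunnel/fec0:0:0:1::1-fec0:0:0:2::1/require
	ah/transport//require ;
spdadd fec0:0:0:2::/64 fec0:0:0:1::/64 any -P in ipsec
	esp/tunnel/fec0:0:0:2::1-fec0:0:0:1::1/require
	ah/transport//require ;
# The ESP and AH SAs below share SPI 0x10001; that is allowed because the
# security protocol is part of the SA identifier.
add fec0:0:0:1::1 fec0:0:0:2::1 esp 0x10001
	-m tunnel
	-E 3des-cbc "kamekame12341234kame1234"
	-A hmac-sha1 "this is the test key" ;
add fec0:0:0:1::1 fec0:0:0:2::1 ah 0x10001
	-m transport
	-A hmac-md5 "this is the test" ;
add fec0:0:0:2::1 fec0:0:0:1::1 esp 0x10001
	-m tunnel
	-E 3des-cbc "kamekame12341234kame1234"
	-A hmac-sha1 "this is the test key" ;
add fec0:0:0:2::1 fec0:0:0:1::1 ah 0x10001
	-m transport
	-A hmac-md5 "this is the test" ;

# ESP tunnel mode is required between Host-A and Gateway-A.
# The encryption algorithm is cast128-cbc, and the authentication
# algorithm for ESP is hmac-sha1.
# ESP transport mode is recommended between Host-A and Host-B.
# The encryption algorithm is rc5-cbc, and the authentication algorithm
# for ESP is hmac-md5.
# (Note that the SAs below pair cast128-cbc/hmac-sha1 with the transport
# SA to Host-B and rc5-cbc/hmac-md5 with the tunnel SA to Gateway-A, the
# opposite of the assignment described above; either pairing works, the
# point of the example is the nesting of the two policies.)
#
#       ================== ESP =================
#       |  ======= ESP =======                 |
#       |  |                 |                 |
#      Host-A            Gateway-A           Host-B
#   fec0:0:0:1::1 ---- fec0:0:0:2::1 ---- fec0:0:0:2::2
#
# At Host-A:
spdadd fec0:0:0:1::1[any] fec0:0:0:2::2[80] tcp -P out ipsec
	esp/transport//use
	esp/tunnel/fec0:0:0:1::1-fec0:0:0:2::1/require ;
# The inbound selector is the mirror of the outbound one: traffic from
# Host-B (fec0:0:0:2::2) port 80 to Host-A.  Using the gateway address
# fec0:0:0:2::1 here would leave the real Host-B traffic unmatched by
# this policy.
spdadd fec0:0:0:2::2[80] fec0:0:0:1::1[any] tcp -P in ipsec
	esp/transport//use
	esp/tunnel/fec0:0:0:2::1-fec0:0:0:1::1/require ;
add fec0:0:0:1::1 fec0:0:0:2::2 esp 0x10001
	-m transport
	-E cast128-cbc "12341234"
	-A hmac-sha1 "this is the test key" ;
# No -m is given for the tunnel SAs to Gateway-A, so the mode wildcard
# applies (see "-m any" above).
add fec0:0:0:1::1 fec0:0:0:2::1 esp 0x10002
	-E rc5-cbc "kamekame"
	-A hmac-md5 "this is the test" ;
add fec0:0:0:2::2 fec0:0:0:1::1 esp 0x10003
	-m transport
	-E cast128-cbc "12341234"
	-A hmac-sha1 "this is the test key" ;
add fec0:0:0:2::1 fec0:0:0:1::1 esp 0x10004
	-E rc5-cbc "kamekame"
	-A hmac-md5 "this is the test" ;

# With the "get" command, you can get an entry of either the SP or the SA
# database.  An SA is addressed by source, destination, protocol and SPI,
# and all four must match an existing entry; the values below are only
# illustrative and do not correspond to an SA added in this file.
get fec0:0:0:1::1 fec0:0:0:2::2 ah 0x10004 ;

# Likewise with the "delete"/"spddelete" commands, you can delete an entry
# of either the SP or the SA database.
spddelete fec0:0:0:1::/64 fec0:0:0:2::/64 any -P out;
delete fec0:0:0:1::1 fec0:0:0:2::2 ah 0x10004 ;

# With the "dump"/"spddump" commands, you can dump all entries of either
# the SA or the SP database.  Note that "dump" prints the SA keys, so its
# output is as sensitive as this file.
dump ;
spddump ;
dump esp ;
flush esp ;

# With the "flush"/"spdflush" commands, you can flush all entries of
# either the SA or the SP database.
flush ;
spdflush ;

# "flush" and "dump" commands can be restricted to one security protocol.
dump esp ;
flush ah ;

# XXX: loopback (::1 -> ::1) test entries exercising the remaining
# algorithms and ESP options.  SPIs are given in decimal here.  "-E null"
# is a no-encryption ESP and "-A null" a no-authentication ESP; such SAs
# provide no confidentiality or integrity and exist for protocol testing.
# des-cbc, des-deriv and des-32iv are single-DES (56-bit key) variants and
# esp-old is the pre-RFC2406 ESP format, all retained for compatibility
# testing with legacy peers.
add ::1 ::1 esp 10001 -m transport -E null ;
add ::1 ::1 esp 10002 -m transport -E des-deriv "12341234" ;
add ::1 ::1 esp-old 10003 -m transport -E des-32iv "12341234" ;
add ::1 ::1 esp 10004 -m transport -E null -A null ;
add ::1 ::1 esp 10005 -m transport -E null -A hmac-md5 "1234123412341234" ;
add ::1 ::1 esp 10006 -m tunnel -E null -A hmac-sha1 "12341234123412341234" ;
add ::1 ::1 esp 10007 -m transport -E null -A keyed-md5 "1234123412341234" ;
add ::1 ::1 esp 10008 -m any -E null -A keyed-sha1 "12341234123412341234" ;
add ::1 ::1 esp 10009 -m transport -E des-cbc "testtest" ;
add ::1 ::1 esp 10010 -m transport -E 3des-cbc "testtest12341234testtest" ;
add ::1 ::1 esp 10011 -m tunnel -E cast128-cbc "testtest1234" ;
add ::1 ::1 esp 10012 -m tunnel -E blowfish-cbc "testtest1234" ;
add ::1 ::1 esp 10013 -m tunnel -E rc5-cbc "testtest1234" ;
add ::1 ::1 esp 10014 -m any -E rc5-cbc "testtest1234" ;
# -f selects the ESP padding type; -r sets the replay window size, -lh and
# -ls the hard and soft lifetimes.
add ::1 ::1 esp 10015 -m transport -f zero-pad -E null ;
add ::1 ::1 esp 10016 -m tunnel -f random-pad -r 8 -lh 100 -ls 80 -E null ;
add ::1 ::1 esp 10017 -m transport -f seq-pad -f nocyclic-seq -E null ;
add ::1 ::1 esp 10018 -m transport -E null ;
# AH with a null authentication algorithm is not meaningful and is kept
# commented out.
#add ::1 ::1 ah 20000 -m transport -A null ;
add ::1 ::1 ah 20001 -m any -A hmac-md5 "1234123412341234";
add ::1 ::1 ah 20002 -m tunnel -A hmac-sha1 "12341234123412341234";
add ::1 ::1 ah 20003 -m transport -A keyed-md5 "1234123412341234";
add ::1 ::1 ah-old 20004 -m transport -A keyed-md5 "1234123412341234";
add ::1 ::1 ah 20005 -m transport -A keyed-sha1 "12341234123412341234";
# IPComp (-C): only deflate is enabled here; oui and lzs stay commented out.
#add ::1 ::1 ipcomp 30000 -C oui ;
add ::1 ::1 ipcomp 30001 -C deflate ;
#add ::1 ::1 ipcomp 30002 -C lzs ;

# enjoy.
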