sbin/setkey/sample.cf


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219

# Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
# All rights reserved.
# 
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
# 1. Redistributions of source code must retain the above copyright
#    notice, this list of conditions and the following disclaimer.
# 2. Redistributions in binary form must reproduce the above copyright
#    notice, this list of conditions and the following disclaimer in the
#    documentation and/or other materials provided with the distribution.
# 3. Neither the name of the project nor the names of its contributors
#    may be used to endorse or promote products derived from this software
#    without specific prior written permission.
# 
# THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
# SUCH DAMAGE.
#
# $FreeBSD$

# There are sample scripts for IPsec configuration by manual keying.
# A security association is uniquely identified by a triple consisting
# of a Security Parameter Index (SPI), an IP Destination Address, and a
# security protocol (AH or ESP) identifier.  You must take care of these
# parameters when you configure by manual keying.

# ESP transport mode is recommended for TCP port number 110 between
# Host-A and Host-B. Encryption algorithm is blowfish-cbc whose key
# is "kamekame", and authentication algorithm is hmac-sha1 whose key
# is "this is the test key".
#
#       ============ ESP ============
#       |                           |
#    Host-A                        Host-B
#   fec0::10 -------------------- fec0::11
#
# At Host-A and Host-B,
spdadd fec0::10[any] fec0::11[110] tcp -P out ipsec
	esp/transport//use ;
spdadd fec0::11[110] fec0::10[any] tcp -P in ipsec
	esp/transport//use ;
add fec0::10 fec0::11 esp 0x10001
	-m transport
	-E blowfish-cbc "kamekame"
	-A hmac-sha1 "this is the test key" ;
add fec0::11 fec0::10 esp 0x10002
	-m transport
	-E blowfish-cbc "kamekame"
	-A hmac-sha1 "this is the test key" ;

# "[any]" is wildcard of port number.  Note that "[0]" is the number of
# zero in port number.

# Security protocol is old AH tunnel mode, i.e. RFC1826, with keyed-md5
# whose key is "this is the test" as authentication algorithm.
# That protocol takes place between Gateway-A and Gateway-B.
#
#                        ======= AH =======
#                        |                |
#    Network-A       Gateway-A        Gateway-B        Network-B
#   10.0.1.0/24 ---- 172.16.0.1 ----- 172.16.0.2 ---- 10.0.2.0/24
#
# At Gateway-A:
spdadd 10.0.1.0/24 10.0.2.0/24 any -P out ipsec
	ah/tunnel/172.16.0.1-172.16.0.2/require ;
spdadd 10.0.2.0/24 10.0.1.0/24 any -P in ipsec
	ah/tunnel/172.16.0.2-172.16.0.1/require ;
add 172.16.0.1 172.16.0.2 ah-old 0x10003
	-m any
	-A keyed-md5 "this is the test" ;
add 172.16.0.2 172.16.0.1 ah-old 0x10004
	-m any
	-A keyed-md5 "this is the test" ;

# If port number field is omitted such above then "[any]" is employed.
# -m specifies the mode of SA to be used.  "-m any" means wildcard of
# mode of security protocol.  You can use this SAs for both tunnel and
# transport mode.

# At Gateway-B.  Attention to the selector and peer's IP address for tunnel.
spdadd 10.0.2.0/24 10.0.1.0/24 any -P out ipsec
	ah/tunnel/172.16.0.2-172.16.0.1/require ;
spdadd 10.0.1.0/24 10.0.2.0/24 any -P in ipsec
	ah/tunnel/172.16.0.1-172.16.0.2/require ;
add 172.16.0.1 172.16.0.2 ah-old 0x10003
	-m tunnel
	-A keyed-md5 "this is the test" ;
add 172.16.0.2 172.16.0.1 ah-old 0x10004
	-m tunnel
	-A keyed-md5 "this is the test" ;

# AH transport mode followed by ESP tunnel mode is required between
# Gateway-A and Gateway-B.
# Encryption algorithm is 3des-cbc, and authentication algorithm for ESP
# is hmac-sha1.  Authentication algorithm for AH is hmac-md5.
#
#                           ========== AH =========
#                           |  ======= ESP =====  |
#                           |  |               |  |
#      Network-A          Gateway-A        Gateway-B           Network-B
#   fec0:0:0:1::/64 --- fec0:0:0:1::1 ---- fec0:0:0:2::1 --- fec0:0:0:2::/64
#
# At Gateway-A:
spdadd fec0:0:0:1::/64 fec0:0:0:2::/64 any -P out ipsec
	esp/tunnel/fec0:0:0:1::1-fec0:0:0:2::1/require
	ah/transport//require ;
spdadd fec0:0:0:2::/64 fec0:0:0:1::/64 any -P in ipsec
	esp/tunnel/fec0:0:0:2::1-fec0:0:0:1::1/require
	ah/transport//require ;
add fec0:0:0:1::1 fec0:0:0:2::1 esp 0x10001
	-m tunnel
	-E 3des-cbc "kamekame12341234kame1234"
	-A hmac-sha1 "this is the test key" ;
add fec0:0:0:1::1 fec0:0:0:2::1 ah 0x10001
	-m transport
	-A hmac-md5 "this is the test" ;
add fec0:0:0:2::1 fec0:0:0:1::1 esp 0x10001
	-m tunnel
	-E 3des-cbc "kamekame12341234kame1234"
	-A hmac-sha1 "this is the test key" ;
add fec0:0:0:2::1 fec0:0:0:1::1 ah 0x10001
	-m transport
	-A hmac-md5 "this is the test" ;

# ESP tunnel mode is required between Host-A and Gateway-A.
# Encryption algorithm is cast128-cbc, and authentication algorithm
# for ESP is hmac-sha1.
# ESP transport mode is recommended between Host-A and Host-B.
# Encryption algorithm is rc5-cbc,  and authentication algorithm
# for ESP is hmac-md5.
#
#       ================== ESP =================
#       |  ======= ESP =======                 |
#       |  |                 |                 |
#      Host-A            Gateway-A           Host-B
#   fec0:0:0:1::1 ---- fec0:0:0:2::1 ---- fec0:0:0:2::2
#
# At Host-A:
spdadd fec0:0:0:1::1[any] fec0:0:0:2::2[80] tcp -P out ipsec
	esp/transport//use
	esp/tunnel/fec0:0:0:1::1-fec0:0:0:2::1/require ;
spdadd fec0:0:0:2::1[80] fec0:0:0:1::1[any] tcp -P in ipsec
	esp/transport//use
	esp/tunnel/fec0:0:0:2::1-fec0:0:0:1::1/require ;
add fec0:0:0:1::1 fec0:0:0:2::2 esp 0x10001
	-m transport
	-E cast128-cbc "12341234"
	-A hmac-sha1 "this is the test key" ;
add fec0:0:0:1::1 fec0:0:0:2::1 esp 0x10002
	-E rc5-cbc "kamekame"
	-A hmac-md5 "this is the test" ;
add fec0:0:0:2::2 fec0:0:0:1::1 esp 0x10003
	-m transport
	-E cast128-cbc "12341234"
	-A hmac-sha1 "this is the test key" ;
add fec0:0:0:2::1 fec0:0:0:1::1 esp 0x10004
	-E rc5-cbc "kamekame"
	-A hmac-md5 "this is the test" ;

# By "get" command, you can get a entry of either SP or SA.
get fec0:0:0:1::1 fec0:0:0:2::2 ah 0x10004 ;

# Also delete command, you can delete a entry of either SP or SA.
spddelete fec0:0:0:1::/64 fec0:0:0:2::/64 any -P out;
delete fec0:0:0:1::1 fec0:0:0:2::2 ah 0x10004 ;

# By dump command, you can dump all entry of either SP or SA.
dump ;
spddump ;
dump esp ;
flush esp ;

# By flush command, you can flush all entry of either SP or SA.
flush ;
spdflush ;

# "flush" and "dump" commands can specify a security protocol.
dump esp ;
flush ah ;

# XXX
add ::1 ::1 esp 10001 -m transport -E null ;
add ::1 ::1 esp 10002 -m transport -E des-deriv "12341234" ;
add ::1 ::1 esp-old 10003 -m transport -E des-32iv "12341234" ;
add ::1 ::1 esp 10004 -m transport -E null -A null ;
add ::1 ::1 esp 10005 -m transport -E null -A hmac-md5 "1234123412341234" ;
add ::1 ::1 esp 10006 -m tunnel -E null -A hmac-sha1 "12341234123412341234" ;
add ::1 ::1 esp 10007 -m transport -E null -A keyed-md5 "1234123412341234" ;
add ::1 ::1 esp 10008 -m any -E null -A keyed-sha1 "12341234123412341234" ;
add ::1 ::1 esp 10009 -m transport -E des-cbc "testtest" ;
add ::1 ::1 esp 10010 -m transport -E 3des-cbc "testtest12341234testtest" ;
add ::1 ::1 esp 10011 -m tunnel -E cast128-cbc "testtest1234" ;
add ::1 ::1 esp 10012 -m tunnel -E blowfish-cbc "testtest1234" ;
add ::1 ::1 esp 10013 -m tunnel -E rc5-cbc "testtest1234" ;
add ::1 ::1 esp 10014 -m any -E rc5-cbc "testtest1234" ;
add ::1 ::1 esp 10015 -m transport -f zero-pad -E null ;
add ::1 ::1 esp 10016 -m tunnel -f random-pad -r 8 -lh 100 -ls 80 -E null ;
add ::1 ::1 esp 10017 -m transport -f seq-pad -f nocyclic-seq -E null ;
add ::1 ::1 esp 10018 -m transport -E null ;
#add ::1 ::1 ah 20000 -m transport -A null ;
add ::1 ::1 ah 20001 -m any -A hmac-md5 "1234123412341234";
add ::1 ::1 ah 20002 -m tunnel -A hmac-sha1 "12341234123412341234";
add ::1 ::1 ah 20003 -m transport -A keyed-md5 "1234123412341234";
add ::1 ::1 ah-old 20004 -m transport -A keyed-md5 "1234123412341234";
add ::1 ::1 ah 20005 -m transport -A keyed-sha1 "12341234123412341234";
#add ::1 ::1 ipcomp 30000 -C oui ;
add ::1 ::1 ipcomp 30001 -C deflate ;
#add ::1 ::1 ipcomp 30002 -C lzs ;

# enjoy.