# Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
# 1. Redistributions of source code must retain the above copyright
#    notice, this list of conditions and the following disclaimer.
# 2. Redistributions in binary form must reproduce the above copyright
#    notice, this list of conditions and the following disclaimer in the
#    documentation and/or other materials provided with the distribution.
# 3. Neither the name of the project nor the names of its contributors
#    may be used to endorse or promote products derived from this software
#    without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
# SUCH DAMAGE.

# These are sample scripts to configure IPsec with setkey: the first part
# manages the SAD (add/get/delete/dump/flush), the second part the SPD
# (spdadd/spddelete/spddump/spdflush).
#
# The keys below are literal demonstration values written in clear text.
# Treat any real script of this form as secret material: it should be
# readable only by the administrator that feeds it to setkey, and none of
# these sample keys should be reused outside a test box.
#
# Note that the unconditional "flush ;" and "spdflush ;" further down
# remove every SA and SPD entry on the host, not only the ones this script
# created. Do not run the file as-is on a machine with live IPsec state.

# Both src and dst are 127.0.0.1 and spi=0x10001.  Security protocol is ESP
# with blowfish-cbc whose key is "kamekame" as encryption algorithm, and
# with hmac-sha1 whose key is "this is the test key" as authentication
# algorithm.  The 20-byte string gives hmac-sha1 the 160-bit key it
# requires; "kamekame" is a short 8-byte demonstration key.
add 127.0.0.1 127.0.0.1 any 0x10001 -p esp
	-E blowfish-cbc "kamekame"
	-A hmac-sha1 "this is the test key" ;

# Security protocol is old AH, i.e. RFC1826, with keyed-md5 whose key
# is "this is the test" (16 bytes, i.e. the 128-bit key keyed-md5 takes)
# as authentication algorithm.
# "ah-old" / keyed-md5 are the pre-HMAC forms kept for interoperability
# with RFC1826-era peers; RFC1826 has since been obsoleted by RFC2402, and
# "ah" with an hmac-* algorithm (as in the next entry) is the current form.
add 127.0.0.2 127.0.0.1 any 0x10002 -p ah-old
	-A keyed-md5 "this is the test" ;

# This is how to specify the upper layer protocol ("udp" in place of "any").
# This may not work as this has not been tested.
add 127.0.0.1/24 10.0.2.0/24 udp 0x10003 -p ah
	-A hmac-md5 "this is the test" ;

# On "get" command you can specify target entries.
# This command needs src/dst, (upper layer protocol, src/dst port if any),
# spi and security protocol.
# For "delete" command one must specify the target in the same way.
# NOTE(review): the 10.0.1.0/24 -> 10.0.2.0/24 selector below does not
# match any of the "add" lines above (those use 127.0.0.x / 10.0.2.0/24),
# so as written these two commands presumably find no entry; they
# illustrate the syntax only.
get 10.0.1.0/24 10.0.2.0/24 any 0x10001 -p esp ;
delete 10.0.1.0/24 10.0.2.0/24 any 0x10001 -p esp ;

# "flush" and "dump" commands can specify a security protocol.
dump -p esp ;
flush -p esp ;

# By default, those commands will handle all entries.
dump ;
flush ;

# This is planned to display the script for configuration.
#dumpscript ;

# NEVER define an entry with a proxy address, e.g. 202.249.11.41;
# that may cause the kernel to hang up.
# Those are near future available.
# (The commented-out samples below use des-cbc, which is only a legacy
# example; keep them disabled.)
#add 10.0.11.41/32[21] 10.0.11.33/32[0] tcp 0x10001 202.249.11.41
#	-p esp -E des-cbc "hogehoge" -A hmac-md5 "hogehogehogehoge" ;
#add ::1 ::1 udp 0x20010 203.178.141.215
#	-p esp-old -E des-cbc "hahahaha" ;
#add 10.0.11.41/32[21] 10.0.11.33/32[0] tcp 0x10001 202.249.11.41 -p esp;

#
# There are some commands for SPD management as follows:
# "spdadd" adds a new SPD entry, followed by a policy indicator
# with `-P'.  The policy indicator is one of the following:
# "discard" for discarding the packet, "none" for nothing to do, and "ipsec"
# for doing IPsec.  "ipsec" is followed by the requests for IPsec protocol.
# Each request consists of "protocol/level[/end-point]".
# There are three directives for level: "default", "use" and "require".
spdadd 10.0.0.0/24 127.0.0.1 any -P discard ;
# NOTE(review): "bypass" is not among the three indicators listed above;
# it is presumably the same as "none" — confirm against the setkey version
# in use before relying on it.
spdadd 192.168.1.1 192.168.1.2 any -P bypass ;

# To do IP|AH loosely, i.e. it doesn't do IPsec when there is no AH-SA.
# ("use" is opportunistic: traffic still flows unprotected without an SA,
# so it gives no guarantee; "require" below is the one that enforces.)
spdadd 172.16.10.1 172.16.11.1[21] tcp -P ipsec ah/use ;

# To request IP1|ESP|IP2|AH|ESP,
# (the last request names the tunnel end-point 203.178.141.194)
spdadd 172.16.10.0/24 172.16.11.0/24 any -P ipsec
	esp/require ah/require esp/require/203.178.141.194 ;

# "spddelete" deletes an SPD entry.
spddelete 172.16.10.0/24 172.16.11.0/24 any ;

# To dump and to flush all SPD entries, "spddump" and "spdflush" are ready.
spddump ;
spdflush ;

# enjoy.