102 lines
2.5 KiB
Plaintext
IPsec transport mode

    HOST-A ================ HOST-B
    (A)                     (B)

    IKE negotiation: A <--> B
    phase 1 ID payloads: <anything, anything>
    SA addresses: A <--> B
    outgoing packet: IP(A->B)
    phase 2 ID payloads: none, or <A, B>

    HOST-A's policy:
        spdadd A B any -P out ipsec ah/transport//require;
        spdadd B A any -P in ipsec ah/transport//require;

    HOST-B's policy:
        spdadd B A any -P out ipsec ah/transport//require;
        spdadd A B any -P in ipsec ah/transport//require;

    both racoon.conf:
        no particular twists

IPsec tunnel mode

    HOST-A --- Gateway-A =========== Gateway-B --- HOST-B
    (A)        (GA)                  (GB)          (B)

    IKE negotiation: GA <--> GB
    phase 1 ID payloads: <anything, anything>
        IDs should reflect GA and GB's authenticity.
    SA addresses: GA <--> GB
    outgoing packet: IP(GA->GB) carrying IP(A->B)
    phase 2 ID payloads: <A, B>

    Gateway-A's policy:
        spdadd A B any -P out ipsec esp/tunnel/GA-GB/require;
        spdadd B A any -P in ipsec esp/tunnel/GB-GA/require;

    Gateway-B's policy:
        spdadd B A any -P out ipsec esp/tunnel/GB-GA/require;
        spdadd A B any -P in ipsec esp/tunnel/GA-GB/require;

    both racoon.conf:
        no particular twists

MIP6

    MN ================ CN
    (HA/COA)            (CNA)

    HA is the MN's home address, COA its care-of address and CNA the
    correspondent node's address.

    IKE negotiation: COA <--> CNA
        * The MN will probably always initiate the IKE session.
    phase 1 ID payloads: <anything, anything>
    SA addresses: HA <--> CNA
    outgoing packet: IP(COA->CNA) | HAoption(HA)
    phase 2 ID payloads: <HA, CNA>

    MN's policy:
        spdadd HA CNA any -P out ipsec ah/transport//require;
        spdadd CNA HA any -P in ipsec ah/transport//require;

    MN's racoon.conf:
        remote CNA { support_mip6 on; }

    CN's policy:
        spdadd CNA HA any -P out ipsec ah/transport//require;
        spdadd HA CNA any -P in ipsec ah/transport//require;

    CN's racoon.conf:
        support_mip6 on;
        (generate_policy on;)

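The MIP6 case is the one where the SPD selector is not the outer IP header: the packet on the wire is COA->CNA, but the policy and the SA are keyed on the home address carried in the Home Address destination option. The following is an added example (not part of the racoon documentation or its code) that builds such a packet, walks the IPv6 Destination Options header to pull the home address out of the HAO (option type 201, as in RFC 6275), and derives the (src, dst) pair the SPD lookup must use. All addresses and the packet bytes are constructed for the example; the build and lookup helpers are hypothetical names chosen here.

```python
"""Derive the IPsec SPD selector for a Mobile IPv6 packet (added example).

With MIP6 the outer header carries COA->CNA, while the MN's SPD entry and
the SA are for HA <--> CNA.  The home address travels in the Home Address
option (HAO, type 201) of a Destination Options header, so an SPD lookup
on such a packet has to substitute it for the outer source address.
"""
import ipaddress
import struct

IPPROTO_DSTOPTS = 60
IPPROTO_NONE = 59
OPT_PAD1 = 0
OPT_PADN = 1
OPT_HOME_ADDRESS = 201  # 0xC9, RFC 6275 Home Address option


def parse_dstopts(buf, off):
    """Walk one Destination Options header at buf[off:].

    Returns (next_header, {option_type: option_data}, offset_after_header).
    Pad1/PadN are consumed and dropped; malformed lengths raise ValueError.
    """
    nh, ext_len = buf[off], buf[off + 1]
    end = off + (ext_len + 1) * 8          # Hdr Ext Len is in 8-octet units, first 8 excluded
    if end > len(buf):
        raise ValueError("truncated Destination Options header")
    opts = {}
    i = off + 2
    while i < end:
        opt_type = buf[i]
        if opt_type == OPT_PAD1:           # Pad1 has no length byte
            i += 1
            continue
        if i + 2 > end:
            raise ValueError("option header runs past extension header")
        length = buf[i + 1]
        data = buf[i + 2:i + 2 + length]
        if len(data) != length:
            raise ValueError("option data runs past extension header")
        if opt_type != OPT_PADN:
            opts[opt_type] = bytes(data)
        i += 2 + length
    return nh, opts, end


def spd_selector(packet):
    """Return ((src, dst), home_address) for an IPv6 packet.

    src is the home address when a HAO is present (that is what the MN's
    'spdadd HA CNA ...' entry and the HA <--> CNA SA are keyed on), and the
    outer source address otherwise.  home_address is None without a HAO.
    """
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nh = packet[6]
    src = ipaddress.IPv6Address(packet[8:24])
    dst = ipaddress.IPv6Address(packet[24:40])
    off, home = 40, None
    # Only Destination Options headers are walked; that is where MIP6 puts the HAO.
    while nh == IPPROTO_DSTOPTS:
        nh, opts, off = parse_dstopts(packet, off)
        hao = opts.get(OPT_HOME_ADDRESS)
        if hao is not None:
            if len(hao) != 16:
                raise ValueError("bad Home Address option length")
            home = ipaddress.IPv6Address(hao)
    sel_src = home if home is not None else src
    return (str(sel_src), str(dst)), (str(home) if home is not None else None)


def build_packet(src, dst, home=None, next_header=IPPROTO_NONE, payload=b""):
    """Construct IP(src->dst) [| DstOpts(PadN, HAO(home))] | payload.

    Hypothetical builder for the example.  With a home address the layout is
    NH, HdrExtLen, PadN(4), HAO(18) = 24 bytes, which puts the HAO at the
    8n+6 alignment the option requires.
    """
    ext = b""
    nh = next_header
    if home is not None:
        hao = bytes([OPT_HOME_ADDRESS, 16]) + ipaddress.IPv6Address(home).packed
        padn = bytes([OPT_PADN, 2, 0, 0])
        ext = bytes([next_header, 2]) + padn + hao   # 24 bytes -> HdrExtLen 2
        nh = IPPROTO_DSTOPTS
    plen = len(ext) + len(payload)
    hdr = struct.pack("!IHBB", 6 << 28, plen, nh, 64)   # version 6, hop limit 64
    hdr += ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed
    return hdr + ext + payload


def policy_selects(packet, policy_src, policy_dst):
    """True if an 'spdadd policy_src policy_dst any -P out' entry selects packet."""
    (src, dst), _ = spd_selector(packet)
    return src == policy_src and dst == policy_dst


if __name__ == "__main__":
    # Constructed addresses: MN home address, care-of address, CN address.
    HA, COA, CNA = "2001:db8:1::1", "2001:db8:2::abcd", "2001:db8:3::1"
    pkt = build_packet(COA, CNA, home=HA)
    print(spd_selector(pkt))
    print(policy_selects(pkt, HA, CNA), policy_selects(pkt, COA, CNA))
```

Run stand-alone it prints the selector (home address -> CNA) and shows that the MN's policy written with HA matches while one written with COA does not, which is why the policy lines above use HA even though the IKE negotiation runs between COA and CNA.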
Accept anonymous client on IPsec transport mode

    HOST-A =========== Server
    (A)               (S)

    IKE negotiation: A <--> S
    phase 1 ID payloads: <anything, anything>
    SA addresses: A <--> S
    phase 2 ID payloads: none

    S accepts network connections from network range net/pl (like
    1.0.0.0/8).

    HOST-A's policy:
        spdadd A S any -P out ipsec esp/transport//require;
        spdadd S A any -P in ipsec esp/transport//require;

    A's racoon.conf:
        no particular twists

    Server's policy:
        spdadd S net/pl any -P out ipsec esp/transport//require;
        spdadd net/pl S any -P in ipsec esp/transport//require;

    Server's racoon.conf:
        no particular twists

    Due to the absence of phase 2 ID payloads, the IPsec SA will be
    installed for A <--> S, not for net/pl <--> S: each client gets its
    own pair of SAs while the server keeps a single prefix-wide policy.