1# Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
2# All rights reserved.
3#
4# Redistribution and use in source and binary forms, with or without
5# modification, are permitted provided that the following conditions
6# are met:
7# 1. Redistributions of source code must retain the above copyright
8#    notice, this list of conditions and the following disclaimer.
9# 2. Redistributions in binary form must reproduce the above copyright
10#    notice, this list of conditions and the following disclaimer in the
11#    documentation and/or other materials provided with the distribution.
12# 3. Neither the name of the project nor the names of its contributors
13#    may be used to endorse or promote products derived from this software
14#    without specific prior written permission.
15#
16# THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
17# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
18# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
19# ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
20# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
21# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
22# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
23# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
24# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
25# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
26# SUCH DAMAGE.
27
28# There are sample scripts for IPsec configuration by manual keying.
29# A security association is uniquely identified by a triple consisting
30# of a Security Parameter Index (SPI), an IP Destination Address, and a
31# security protocol (AH or ESP) identifier.  You must take care of these
32# parameters when you configure by manual keying.
33
34# ESP transport mode is recommended for TCP port number 110 between
35# Host-A and Host-B. Encryption algorithm is blowfish-cbc whose key
36# is "kamekame", and authentication algorithm is hmac-sha1 whose key
37# is "this is the test key".
38#
39#       ============ ESP ============
40#       |                           |
41#    Host-A                        Host-B
42#   fec0::10 -------------------- fec0::11
43#
44# At Host-A and Host-B,
45spdadd fec0::10[any] fec0::11[110] tcp -P out ipsec
46	esp/transport//use ;
47spdadd fec0::11[110] fec0::10[any] tcp -P in ipsec
48	esp/transport//use ;
49add fec0::10 fec0::11 esp 0x10001
50	-m transport
51	-E blowfish-cbc "kamekame"
52	-A hmac-sha1 "this is the test key" ;
53add fec0::11 fec0::10 esp 0x10002
54	-m transport
55	-E blowfish-cbc "kamekame"
56	-A hmac-sha1 "this is the test key" ;
57
58# "[any]" is wildcard of port number.  Note that "[0]" is the number of
59# zero in port number.
60
61# Security protocol is old AH tunnel mode, i.e. RFC1826, with keyed-md5
62# whose key is "this is the test" as authentication algorithm.
63# That protocol takes place between Gateway-A and Gateway-B.
64#
65#                        ======= AH =======
66#                        |                |
67#    Network-A       Gateway-A        Gateway-B        Network-B
68#   10.0.1.0/24 ---- 172.16.0.1 ----- 172.16.0.2 ---- 10.0.2.0/24
69#
70# At Gateway-A:
71spdadd 10.0.1.0/24 10.0.2.0/24 any -P out ipsec
72	ah/tunnel/172.16.0.1-172.16.0.2/require ;
73spdadd 10.0.2.0/24 10.0.1.0/24 any -P in ipsec
74	ah/tunnel/172.16.0.2-172.16.0.1/require ;
75add 172.16.0.1 172.16.0.2 ah-old 0x10003
76	-m any
77	-A keyed-md5 "this is the test" ;
78add 172.16.0.2 172.16.0.1 ah-old 0x10004
79	-m any
80	-A keyed-md5 "this is the test" ;
81
82# If port number field is omitted such above then "[any]" is employed.
83# -m specifies the mode of SA to be used.  "-m any" means wildcard of
84# mode of security protocol.  You can use this SAs for both tunnel and
85# transport mode.
86
87# At Gateway-B.  Attention to the selector and peer's IP address for tunnel.
88spdadd 10.0.2.0/24 10.0.1.0/24 any -P out ipsec
89	ah/tunnel/172.16.0.2-172.16.0.1/require ;
90spdadd 10.0.1.0/24 10.0.2.0/24 any -P in ipsec
91	ah/tunnel/172.16.0.1-172.16.0.2/require ;
92add 172.16.0.1 172.16.0.2 ah-old 0x10003
93	-m tunnel
94	-A keyed-md5 "this is the test" ;
95add 172.16.0.2 172.16.0.1 ah-old 0x10004
96	-m tunnel
97	-A keyed-md5 "this is the test" ;
98
99# AH transport mode followed by ESP tunnel mode is required between
100# Gateway-A and Gateway-B.
101# Encryption algorithm is 3des-cbc, and authentication algorithm for ESP
102# is hmac-sha1.  Authentication algorithm for AH is hmac-md5.
103#
104#                           ========== AH =========
105#                           |  ======= ESP =====  |
106#                           |  |               |  |
107#      Network-A          Gateway-A        Gateway-B           Network-B
108#   fec0:0:0:1::/64 --- fec0:0:0:1::1 ---- fec0:0:0:2::1 --- fec0:0:0:2::/64
109#
110# At Gateway-A:
111spdadd fec0:0:0:1::/64 fec0:0:0:2::/64 any -P out ipsec
112	esp/tunnel/fec0:0:0:1::1-fec0:0:0:2::1/require
113	ah/transport//require ;
114spdadd fec0:0:0:2::/64 fec0:0:0:1::/64 any -P in ipsec
115	esp/tunnel/fec0:0:0:2::1-fec0:0:0:1::1/require
116	ah/transport//require ;
117add fec0:0:0:1::1 fec0:0:0:2::1 esp 0x10001
118	-m tunnel
119	-E 3des-cbc "kamekame12341234kame1234"
120	-A hmac-sha1 "this is the test key" ;
121add fec0:0:0:1::1 fec0:0:0:2::1 ah 0x10001
122	-m transport
123	-A hmac-md5 "this is the test" ;
124add fec0:0:0:2::1 fec0:0:0:1::1 esp 0x10001
125	-m tunnel
126	-E 3des-cbc "kamekame12341234kame1234"
127	-A hmac-sha1 "this is the test key" ;
128add fec0:0:0:2::1 fec0:0:0:1::1 ah 0x10001
129	-m transport
130	-A hmac-md5 "this is the test" ;
131
132# ESP tunnel mode is required between Host-A and Gateway-A.
133# Encryption algorithm is cast128-cbc, and authentication algorithm
134# for ESP is hmac-sha1.
135# ESP transport mode is recommended between Host-A and Host-B.
136# Encryption algorithm is rc5-cbc,  and authentication algorithm
137# for ESP is hmac-md5.
138#
139#       ================== ESP =================
140#       |  ======= ESP =======                 |
141#       |  |                 |                 |
142#      Host-A            Gateway-A           Host-B
143#   fec0:0:0:1::1 ---- fec0:0:0:2::1 ---- fec0:0:0:2::2
144#
145# At Host-A:
146spdadd fec0:0:0:1::1[any] fec0:0:0:2::2[80] tcp -P out ipsec
147	esp/transport//use
148	esp/tunnel/fec0:0:0:1::1-fec0:0:0:2::1/require ;
149spdadd fec0:0:0:2::1[80] fec0:0:0:1::1[any] tcp -P in ipsec
150	esp/transport//use
151	esp/tunnel/fec0:0:0:2::1-fec0:0:0:1::1/require ;
152add fec0:0:0:1::1 fec0:0:0:2::2 esp 0x10001
153	-m transport
154	-E cast128-cbc "12341234"
155	-A hmac-sha1 "this is the test key" ;
156add fec0:0:0:1::1 fec0:0:0:2::1 esp 0x10002
157	-E rc5-cbc "kamekame"
158	-A hmac-md5 "this is the test" ;
159add fec0:0:0:2::2 fec0:0:0:1::1 esp 0x10003
160	-m transport
161	-E cast128-cbc "12341234"
162	-A hmac-sha1 "this is the test key" ;
163add fec0:0:0:2::1 fec0:0:0:1::1 esp 0x10004
164	-E rc5-cbc "kamekame"
165	-A hmac-md5 "this is the test" ;
166
167# By "get" command, you can get a entry of either SP or SA.
168get fec0:0:0:1::1 fec0:0:0:2::2 ah 0x10004 ;
169
170# Also delete command, you can delete a entry of either SP or SA.
171spddelete fec0:0:0:1::/64 fec0:0:0:2::/64 any -P out;
172delete fec0:0:0:1::1 fec0:0:0:2::2 ah 0x10004 ;
173
174# By dump command, you can dump all entry of either SP or SA.
175dump ;
176spddump ;
177dump esp ;
178flush esp ;
179
180# By flush command, you can flush all entry of either SP or SA.
181flush ;
182spdflush ;
183
184# "flush" and "dump" commands can specify a security protocol.
185dump esp ;
186flush ah ;
187
188# XXX
189add ::1 ::1 esp 10001 -m transport -E null ;
190add ::1 ::1 esp 10002 -m transport -E des-deriv "12341234" ;
191add ::1 ::1 esp-old 10003 -m transport -E des-32iv "12341234" ;
192add ::1 ::1 esp 10004 -m transport -E null -A null ;
193add ::1 ::1 esp 10005 -m transport -E null -A hmac-md5 "1234123412341234" ;
194add ::1 ::1 esp 10006 -m tunnel -E null -A hmac-sha1 "12341234123412341234" ;
195add ::1 ::1 esp 10007 -m transport -E null -A keyed-md5 "1234123412341234" ;
196add ::1 ::1 esp 10008 -m any -E null -A keyed-sha1 "12341234123412341234" ;
197add ::1 ::1 esp 10009 -m transport -E des-cbc "testtest" ;
198add ::1 ::1 esp 10010 -m transport -E 3des-cbc "testtest12341234testtest" ;
199add ::1 ::1 esp 10011 -m tunnel -E cast128-cbc "testtest1234" ;
200add ::1 ::1 esp 10012 -m tunnel -E blowfish-cbc "testtest1234" ;
201add ::1 ::1 esp 10013 -m tunnel -E rc5-cbc "testtest1234" ;
202add ::1 ::1 esp 10014 -m any -E rc5-cbc "testtest1234" ;
203add ::1 ::1 esp 10015 -m transport -f zero-pad -E null ;
204add ::1 ::1 esp 10016 -m tunnel -f random-pad -r 8 -lh 100 -ls 80 -E null ;
205add ::1 ::1 esp 10017 -m transport -f seq-pad -f nocyclic-seq -E null ;
206add ::1 ::1 esp 10018 -m transport -E null ;
207#add ::1 ::1 ah 20000 -m transport -A null ;
208add ::1 ::1 ah 20001 -m any -A hmac-md5 "1234123412341234";
209add ::1 ::1 ah 20002 -m tunnel -A hmac-sha1 "12341234123412341234";
210add ::1 ::1 ah 20003 -m transport -A keyed-md5 "1234123412341234";
211add ::1 ::1 ah-old 20004 -m transport -A keyed-md5 "1234123412341234";
212add ::1 ::1 ah 20005 -m transport -A keyed-sha1 "12341234123412341234";
213#add ::1 ::1 ipcomp 30000 -C oui ;
214add ::1 ::1 ipcomp 30001 -C deflate ;
215#add ::1 ::1 ipcomp 30002 -C lzs ;
216
217# enjoy.
218