19 July 2002

USAGI IPv6 IPsec enhancement

I've made an IPsec tunnel mode support patch for the USAGI kernel. It enhances transport mode too.

Refer: USAGI Project, RFC 2401

There are three patches: the first is for the kernel, the second for pfkey, and the third for pluto. The pluto patch also supports the AES encryption algorithm. These patches are for the USAGI 2002/07/08 snapshot.

Before building, extract and apply the patches: ipsec-patch-for-usagi-s20020708-2.bz2 in the kernel directory "somewhere/usagi/kernel/linux24/", pfkey-patch-for-usagi-s20020708.bz2 in the pfkey directory "somewhere/usagi/usagi/pfkey/", and pluto-patch-for-usagi-s20020624.bz2 (unchanged from the previous release) in the freeswan directory "somewhere/usagi/src/freeswan/".

See "somewhere/usagi/doc/HOWTO/IPsec" for the kernel configuration. It is useful when trying IPsec.

Examples of using IPsec

case 1) Ordinary tunnel mode
                         (internet)
 network1---(gateway1)================(gateway2)---network2
 2001::/64           2000::1    3000::1           3001::/64
 - manual keying
(set network1 ---> network2 flow at gateway1 and gateway2)

  pfkey -A sp -T esp -s 2001::/64 -d 3001::/64 \
        --tun-src 2000::1 --tun-dst 3000::1

  pfkey -A sa -T esp -s 2000::1 -d 3000::1 -S 0x20001 \
        --auth hmac-md5 --authkey 0x0123456789abcdef0123456789abcdef \
        --esp aes-cbc --espkey 0x456789abcdef0123456789abcdef0123

(set network1 <--- network2 flow at gateway1 and gateway2)

  pfkey -A sp -T esp -d 2001::/64 -s 3001::/64 \
        --tun-dst 2000::1 --tun-src 3000::1

  pfkey -A sa -T esp -d 2000::1 -s 3000::1 -S 0x30001 \
        --auth hmac-md5 --authkey 0x89abcdef0123456789abcdef01234567 \
        --esp aes-cbc --espkey 0xcdef0123456789abcdef0123456789ab
 - using pluto, the corresponding whack command
  whack --name test --ipv6 --host 2000::1 --client 2001::/64 \
        --to --host 3000::1 --client 3001::/64 --encrypt

case 2) Security Gateway (SG) type tunnel mode
           (internet)
  (host1)===============(SG)-----(hosts in LAN)
   2000::100       3000::1        3001::/64
 - manual keying
(set host1 ---> hosts in LAN flow at host1 and SG)

  pfkey -A sp -T esp -s 2000::100 -d 3001::/64 \
        --tun-src 2000::100 --tun-dst 3000::1

  pfkey -A sa -T esp -s 2000::100 -d 3000::1 -S 0x2000100 \
        --auth hmac-md5 --authkey 0x0123456789abcdef0123456789abcdef \
        --esp aes-cbc --espkey 0x456789abcdef0123456789abcdef0123

(set host1 <--- hosts in LAN flow at host1 and SG)

  pfkey -A sp -T esp -d 2000::100 -s 3001::/64 \
        --tun-dst 2000::100 --tun-src 3000::1

  pfkey -A sa -T esp -d 2000::100 -s 3000::1 -S 0x3000001 \
        --auth hmac-md5 --authkey 0x89abcdef0123456789abcdef01234567 \
        --esp aes-cbc --espkey 0xcdef0123456789abcdef0123456789ab
 - using pluto, the corresponding whack command
  whack --name test --ipv6 --host 2000::100 \
        --to --host 3000::1 --client 3001::/64 --encrypt

case 3) Enhanced transport mode
                              3001::/64
  (host1)-------(router)----+---(host2) 3001::2
   2001::10                 +---(host3) 3001::3
                            +---(host4) 3001::4
                                  ...
 - only manual keying
(set host1 ---> host2,3,4 flow at host1)

  pfkey -A sp -T esp -s 2001::10 -d 3001::/64

  pfkey -A sa -T esp -s 2001::10 -d 3001::2 -S 0xa30002 \
        --auth hmac-md5 --authkey 0x0123456789abcdef0123456789abcdef \
        --esp aes-cbc --espkey 0x23456789abcdef0123456789abcdef01

  pfkey -A sa -T esp -s 2001::10 -d 3001::3 -S 0xa30003 \
        --auth hmac-md5 --authkey 0x456789abcdef0123456789abcdef0123 \
        --esp aes-cbc --espkey 0x6789abcdef0123456789abcdef012345

  pfkey -A sa -T esp -s 2001::10 -d 3001::4 -S 0xa30004 \
        --auth hmac-md5 --authkey 0x89abcdef0123456789abcdef01234567 \
        --esp aes-cbc --espkey 0xcdef0123456789abcdef0123456789ab

(set host1 <--- host2,3,4 flow at host1)

  pfkey -A sp -T esp -d 2001::10 -s 3001::/64

  pfkey -A sa -T esp -d 2001::10 -s 3001::2 -S 0xb30002 \
        --auth hmac-md5 --authkey 0xfedcba9876543210fedcba9876543210 \
        --esp aes-cbc --espkey 0xdcba9876543210fedcba9876543210fe

  pfkey -A sa -T esp -d 2001::10 -s 3001::3 -S 0xb30003 \
        --auth hmac-md5 --authkey 0xba9876543210fedcba9876543210fedc \
        --esp aes-cbc --espkey 0x9876543210fedcba9876543210fedcba

  pfkey -A sa -T esp -d 2001::10 -s 3001::4 -S 0xb30004 \
        --auth hmac-md5 --authkey 0x76543210fedcba9876543210fedcba98 \
        --esp aes-cbc --espkey 0x543210fedcba9876543210fedcba9876
One security policy (SP) that covers a range of addresses can be associated with one or more security associations (SAs).

case 4) Combination of tunnel mode and transport mode.
      |=============transport mode============|
  (host1)=====tunnel mode======(SG)----+----(host2) 3001::2
   2000::100              3000::1      +----(host3) 3001::3
              (internet)            (LAN) 3001::/64  ...
 - only manual keying
(set host1 ---> SG and hosts in LAN flow at host1)

  pfkey -A sp -T esp -s 2000::100 -d 3001::/64 \
        --tun-src 2000::100 --tun-dst 3000::1

  pfkey -A sp -T esp -s 2000::100 -d 3001::/64

  pfkey -A sa -T esp -s 2000::100 -d 3000::1 -S 0x2000100 \
        --auth hmac-md5 --authkey 0x0123456789abcdef0123456789abcdef \
        --esp aes-cbc --espkey 0x123456789abcdef0123456789abcdef0

  pfkey -A sa -T esp -s 2000::100 -d 3001::2 -S 0xa30002 \
        --auth hmac-md5 --authkey 0x0123456789abcdef0123456789abcdef \
        --esp aes-cbc --espkey 0x23456789abcdef0123456789abcdef01

  pfkey -A sa -T esp -s 2000::100 -d 3001::3 -S 0xa30003 \
        --auth hmac-md5 --authkey 0x456789abcdef0123456789abcdef0123 \
        --esp aes-cbc --espkey 0x6789abcdef0123456789abcdef012345

(set host1 <--- SG and hosts in LAN flow at host1)

  pfkey -A sp -T esp -d 2000::100 -s 3001::/64 \
        --tun-dst 2000::100 --tun-src 3000::1

  pfkey -A sp -T esp -d 2000::100 -s 3001::/64

  pfkey -A sa -T esp -d 2000::100 -s 3000::1 -S 0x3000001 \
        --auth hmac-md5 --authkey 0x89abcdef0123456789abcdef01234567 \
        --esp aes-cbc --espkey 0xcdef0123456789abcdef0123456789ab

  pfkey -A sa -T esp -d 2000::100 -s 3001::2 -S 0xb30002 \
        --auth hmac-md5 --authkey 0xfedcba9876543210fedcba9876543210 \
        --esp aes-cbc --espkey 0xdcba9876543210fedcba9876543210fe

  pfkey -A sa -T esp -d 2000::100 -s 3001::3 -S 0xb30003 \
        --auth hmac-md5 --authkey 0xba9876543210fedcba9876543210fedc \
        --esp aes-cbc --espkey 0x9876543210fedcba9876543210fedcba
The settings at the SG are like case 2). The settings at the hosts in the LAN are the same as for ordinary transport mode.
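Cases 3 and 4 follow one pattern: a single SP per direction covering the whole prefix, one SA per direction per peer, plus (in case 4) a tunnel-mode SP and SA pair towards the SG. The script below is an added example, not code from the USAGI project or its pfkey tool: it generates those pfkey command lines for any list of hosts, draws a fresh key for every SA from /dev/urandom, and refuses keys whose length does not match the algorithm (hmac-md5 needs a 16-byte key, aes-cbc 16, 24 or 32 bytes). Only the pfkey options shown on this page are used; the function names, the SPI scheme (base + list position, where the page numbers SPIs by host suffix) and the key source are assumptions of this example.

```shell
#!/bin/sh
# Added example (not part of the USAGI patch or pfkey): emit manual-keying
# pfkey commands for case 3 (transport mode to every host in a prefix) and
# case 4 (the same plus a tunnel to a security gateway). Output goes to
# stdout so the operator can review it before feeding it to sh.

# Hex-encoded random key of N bytes (od is POSIX; /dev/urandom is assumed).
gen_key() {
    od -An -tx1 -N "$1" /dev/urandom | tr -d ' \n'
}

# Reject keys of the wrong size before they reach the kernel: hmac-md5 takes
# a 16-byte key, aes-cbc 16, 24 or 32 bytes. Keys are 0x-prefixed hex.
check_key_len() {
    key=${2#0x}
    case "$1:${#key}" in
        hmac-md5:32|aes-cbc:32|aes-cbc:48|aes-cbc:64) return 0 ;;
        *) return 1 ;;
    esac
}

# sp_cmd DIR ME PREFIX [TUN_ME TUN_PEER]
# DIR is "out" (ME -> PREFIX) or "in" (PREFIX -> ME). With the two tunnel
# endpoints given, the SP is a tunnel-mode SP as in cases 1, 2 and 4.
sp_cmd() {
    tun=""
    case "$1" in
        out) flow="-s $2 -d $3"
             if [ $# -eq 5 ]; then tun=" --tun-src $4 --tun-dst $5"; fi ;;
        in)  flow="-d $2 -s $3"
             if [ $# -eq 5 ]; then tun=" --tun-dst $4 --tun-src $5"; fi ;;
        *)   return 1 ;;
    esac
    printf 'pfkey -A sp -T esp %s%s\n' "$flow" "$tun"
}

# sa_cmd DIR ME PEER SPI AUTHKEY ESPKEY   (keys as 0x-prefixed hex)
sa_cmd() {
    if ! check_key_len hmac-md5 "$5" || ! check_key_len aes-cbc "$6"; then
        echo "sa_cmd: bad key length for SA $2 <-> $3" >&2
        return 1
    fi
    case "$1" in
        out) flow="-s $2 -d $3" ;;
        in)  flow="-d $2 -s $3" ;;
        *)   return 1 ;;
    esac
    printf 'pfkey -A sa -T esp %s -S %s --auth hmac-md5 --authkey %s --esp aes-cbc --espkey %s\n' \
        "$flow" "$4" "$5" "$6"
}

# plan ME SG PREFIX OUT_BASE IN_BASE HOST...
# SG is the security gateway in front of PREFIX (case 4), or "-" for plain
# transport mode to the hosts (case 3). Each direction gets one SP for the
# whole prefix and one SA per peer. SPI = base + position in the host list
# (assumed scheme; the SG tunnel SA uses the base itself).
plan() {
    me=$1; sg=$2; prefix=$3; out_base=$4; in_base=$5; shift 5
    if [ "$sg" != "-" ]; then
        sp_cmd out "$me" "$prefix" "$me" "$sg"
        sp_cmd in  "$me" "$prefix" "$me" "$sg"
        sa_cmd out "$me" "$sg" "$(printf '0x%x' $((out_base + 0)))" "0x$(gen_key 16)" "0x$(gen_key 16)"
        sa_cmd in  "$me" "$sg" "$(printf '0x%x' $((in_base + 0)))"  "0x$(gen_key 16)" "0x$(gen_key 16)"
    fi
    sp_cmd out "$me" "$prefix"
    sp_cmd in  "$me" "$prefix"
    i=0
    for peer in "$@"; do
        i=$((i + 1))
        sa_cmd out "$me" "$peer" "$(printf '0x%x' $((out_base + i)))" "0x$(gen_key 16)" "0x$(gen_key 16)"
        sa_cmd in  "$me" "$peer" "$(printf '0x%x' $((in_base + i)))"  "0x$(gen_key 16)" "0x$(gen_key 16)"
    done
}

# Example run: the case 4 layout of this page (host1, SG, two hosts in the LAN).
plan 2000::100 3000::1 3001::/64 0xa30000 0xb30000 3001::2 3001::3
```

The generated lines carry the keys in clear, exactly as the hand-typed commands on this page do, so the output should be handled as secret material and the same key set must be installed on the peer with the directions swapped. Passing `-` as the SG argument reproduces case 3.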

The IPsec protocol AH can be used in every case above by giving pfkey the `-T ah' argument instead of `-T esp'.

TODO
  Nested tunnel mode.

Comments and bug reports are welcome: h-yamamo@db3.so-net.ne.jp
Thank you.