19 July 2002
Refer: USAGI Project, RFC 2401
There are three patches: the first is for the kernel, the second for pfkey, and the third for pluto. The pluto patch also supports the AES encryption algorithm. These patches are for the usagi 2002/07/08 snapshot.
Before building, extract and apply the patches: ipsec-patch-for-usagi-s20020708-2.bz2 in the kernel directory "somewhere/usagi/kernel/linux24/", pfkey-patch-for-usagi-s20020708.bz2 in the pfkey directory "somewhere/usagi/usagi/pfkey/", and pluto-patch-for-usagi-s20020624.bz2 (unchanged from the previous release) in the freeswan directory "somewhere/usagi/src/freeswan/".
See "somewhere/usagi/doc/HOWTO/IPsec" for the kernel configuration; it is useful when trying IPsec.
                     (internet)
network1---(gateway1)================(gateway2)---network2
2001::/64   2000::1                   3000::1    3001::/64

(set network1 ---> network2 flow at gateway1 and gateway2)
pfkey -A sp -T esp -s 2001::/64 -d 3001::/64 \
--tun-src 2000::1 --tun-dst 3000::1
pfkey -A sa -T esp -s 2000::1 -d 3000::1 -S 0x20001 \
--auth hmac-md5 --authkey 0x0123456789abcdef0123456789abcdef \
--esp aes-cbc --espkey 0x456789abcdef0123456789abcdef0123
(set network1 <--- network2 flow at gateway1 and gateway2)
pfkey -A sp -T esp -d 2001::/64 -s 3001::/64 \
--tun-dst 2000::1 --tun-src 3000::1
pfkey -A sa -T esp -d 2000::1 -s 3000::1 -S 0x30001 \
--auth hmac-md5 --authkey 0x89abcdef0123456789abcdef01234567 \
--esp aes-cbc --espkey 0xcdef0123456789abcdef0123456789ab
whack --name test --ipv6 --host 2000::1 --client 2001::/64 \
--to --host 3000::1 --client 3001::/64 --encrypt
case 2) Security Gateway (SG) type tunnel mode

             (internet)
(host1)===============(SG)-----(hosts in LAN)
2000::100             3000::1  3001::/64

(set host1 ---> hosts in LAN flow at host1 and SG)
pfkey -A sp -T esp -s 2000::100 -d 3001::/64 \
--tun-src 2000::100 --tun-dst 3000::1
pfkey -A sa -T esp -s 2000::100 -d 3000::1 -S 0x2000100 \
--auth hmac-md5 --authkey 0x0123456789abcdef0123456789abcdef \
--esp aes-cbc --espkey 0x456789abcdef0123456789abcdef0123
(set host1 <--- hosts in LAN flow at host1 and SG)
pfkey -A sp -T esp -d 2000::100 -s 3001::/64 \
--tun-dst 2000::100 --tun-src 3000::1
pfkey -A sa -T esp -d 2000::100 -s 3000::1 -S 0x3000001 \
--auth hmac-md5 --authkey 0x89abcdef0123456789abcdef01234567 \
--esp aes-cbc --espkey 0xcdef0123456789abcdef0123456789ab
whack --name test --ipv6 --host 2000::100 \
--to --host 3000::1 --client 3001::/64 --encrypt
case 3) Enhanced transport mode

                                      3001::/64
(host1)-------(router)----+---(host2) 3001::2
2001::10                  +---(host3) 3001::3
                          +---(host4) 3001::4
                          ...

(set host1 ---> host2,3,4 flow at host1)
pfkey -A sp -T esp -s 2001::10 -d 3001::/64
pfkey -A sa -T esp -s 2001::10 -d 3001::2 -S 0xa30002 \
--auth hmac-md5 --authkey 0x0123456789abcdef0123456789abcdef \
--esp aes-cbc --espkey 0x23456789abcdef0123456789abcdef01
pfkey -A sa -T esp -s 2001::10 -d 3001::3 -S 0xa30003 \
--auth hmac-md5 --authkey 0x456789abcdef0123456789abcdef0123 \
--esp aes-cbc --espkey 0x6789abcdef0123456789abcdef012345
pfkey -A sa -T esp -s 2001::10 -d 3001::4 -S 0xa30004 \
--auth hmac-md5 --authkey 0x89abcdef0123456789abcdef01234567 \
--esp aes-cbc --espkey 0xcdef0123456789abcdef0123456789ab
(set host1 <--- host2,3,4 flow at host1)
pfkey -A sp -T esp -d 2001::10 -s 3001::/64
pfkey -A sa -T esp -d 2001::10 -s 3001::2 -S 0xb30002 \
--auth hmac-md5 --authkey 0xfedcba9876543210fedcba9876543210 \
--esp aes-cbc --espkey 0xdcba9876543210fedcba9876543210fe
pfkey -A sa -T esp -d 2001::10 -s 3001::3 -S 0xb30003 \
--auth hmac-md5 --authkey 0xba9876543210fedcba9876543210fedc \
--esp aes-cbc --espkey 0x9876543210fedcba9876543210fedcba
pfkey -A sa -T esp -d 2001::10 -s 3001::4 -S 0xb30004 \
--auth hmac-md5 --authkey 0x76543210fedcba9876543210fedcba98 \
--esp aes-cbc --espkey 0x543210fedcba9876543210fedcba9876
case 4) Combination of tunnel mode and transport mode.

        |=============transport mode============|
(host1)=====tunnel mode======(SG)----+----(host2) 3001::2
2000::100                    3000::1 +----(host3) 3001::3
        (internet)            (LAN)  3001::/64   ...

(set host1 ---> SG and hosts in LAN flow at host1)
pfkey -A sp -T esp -s 2000::100 -d 3001::/64 \
--tun-src 2000::100 --tun-dst 3000::1
pfkey -A sp -T esp -s 2000::100 -d 3001::/64
pfkey -A sa -T esp -s 2000::100 -d 3000::1 -S 0x2000100 \
--auth hmac-md5 --authkey 0x0123456789abcdef0123456789abcdef \
--esp aes-cbc --espkey 0x123456789abcdef0123456789abcdef0
pfkey -A sa -T esp -s 2000::100 -d 3001::2 -S 0xa30002 \
--auth hmac-md5 --authkey 0x0123456789abcdef0123456789abcdef \
--esp aes-cbc --espkey 0x23456789abcdef0123456789abcdef01
pfkey -A sa -T esp -s 2000::100 -d 3001::3 -S 0xa30003 \
--auth hmac-md5 --authkey 0x456789abcdef0123456789abcdef0123 \
--esp aes-cbc --espkey 0x6789abcdef0123456789abcdef012345
(set host1 <--- SG and hosts in LAN flow at host1)
pfkey -A sp -T esp -d 2000::100 -s 3001::/64 \
--tun-dst 2000::100 --tun-src 3000::1
pfkey -A sp -T esp -d 2000::100 -s 3001::/64
pfkey -A sa -T esp -d 2000::100 -s 3000::1 -S 0x3000001 \
--auth hmac-md5 --authkey 0x89abcdef0123456789abcdef01234567 \
--esp aes-cbc --espkey 0xcdef0123456789abcdef0123456789ab
pfkey -A sa -T esp -d 2000::100 -s 3001::2 -S 0xb30002 \
--auth hmac-md5 --authkey 0xfedcba9876543210fedcba9876543210 \
--esp aes-cbc --espkey 0xdcba9876543210fedcba9876543210fe
pfkey -A sa -T esp -d 2000::100 -s 3001::3 -S 0xb30003 \
--auth hmac-md5 --authkey 0xba9876543210fedcba9876543210fedc \
--esp aes-cbc --espkey 0x9876543210fedcba9876543210fedcba
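As an added illustration (not part of this page or of the USAGI code), the following Python models the SPD and SAD that the case 4 commands above build on host1 and walks an outbound packet through them, innermost transport SA first and the tunnel SA last, as the case 4 diagram shows; the same policy-per-prefix, SA-per-host layout applies to case 3. It assumes the simplified rule that every matching policy is applied and that a policy with no keyed SA drops the packet; the key values are shortened stand-ins.

```python
import ipaddress

# Constructed from the case 4 commands above (host1, outbound direction).
# Key values are shortened stand-ins; only addresses, modes and SPIs matter here.
CASE4_HOST1 = """
pfkey -A sp -T esp -s 2000::100 -d 3001::/64 --tun-src 2000::100 --tun-dst 3000::1
pfkey -A sp -T esp -s 2000::100 -d 3001::/64
pfkey -A sa -T esp -s 2000::100 -d 3000::1 -S 0x2000100 --auth hmac-md5 --authkey 0x01 --esp aes-cbc --espkey 0x02
pfkey -A sa -T esp -s 2000::100 -d 3001::2 -S 0xa30002 --auth hmac-md5 --authkey 0x01 --esp aes-cbc --espkey 0x02
pfkey -A sa -T esp -s 2000::100 -d 3001::3 -S 0xa30003 --auth hmac-md5 --authkey 0x01 --esp aes-cbc --espkey 0x02
"""

def parse_pfkey(text):
    """Turn 'pfkey -A sp|sa ...' lines into an SPD list and an SAD dict."""
    spd, sad = [], {}
    for line in text.strip().splitlines():
        tok = line.split()
        if tok[:2] != ["pfkey", "-A"]:
            raise ValueError("not a pfkey -A line: " + line)
        opts = dict(zip([t.lstrip("-") for t in tok[3::2]], tok[4::2]))
        if tok[2] == "sp":
            spd.append({"proto": opts["T"],
                        "src": ipaddress.ip_network(opts["s"], strict=False),
                        "dst": ipaddress.ip_network(opts["d"], strict=False),
                        "tun": (opts.get("tun-src"), opts.get("tun-dst"))})
        else:  # SA identified by protocol and endpoints; value is the SPI
            sad[(opts["T"], opts["s"], opts["d"])] = int(opts["S"], 16)
    return spd, sad

def outbound(spd, sad, src, dst):
    """Return ((outer_src, outer_dst), [SPIs, innermost first]); no policy -> unchanged."""
    pkt = (ipaddress.ip_address(src), ipaddress.ip_address(dst))
    applied = []
    hits = [p for p in spd if pkt[0] in p["src"] and pkt[1] in p["dst"]]
    # Transport-mode policies wrap first, tunnel-mode last, as in the diagram.
    for pol in sorted(hits, key=lambda p: p["tun"] != (None, None)):
        if pol["tun"] == (None, None):
            key = (pol["proto"], str(pkt[0]), str(pkt[1]))
        else:
            key = (pol["proto"],) + pol["tun"]
        if key not in sad:
            # Policy requires ESP but no SA was keyed: drop, never send in clear.
            raise LookupError("no %s SA for %s -> %s" % key)
        applied.append(sad[key])
        if pol["tun"] != (None, None):
            pkt = tuple(ipaddress.ip_address(a) for a in pol["tun"])
    return (str(pkt[0]), str(pkt[1])), applied
```

A packet for host4 (3001::4) matches both policies but has no SA on this page, so the model drops it rather than letting it through in the clear.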
The IPsec AH protocol can be used in every case above by giving pfkey the
`-T ah' argument instead of `-T esp'.
TODO
Nested tunnel mode.
Comments and bug reports are welcome:
h-yamamo@db3.so-net.ne.jp
Thank you.