1
0
mirror of https://git.FreeBSD.org/src.git synced 2024-12-24 11:29:10 +00:00
freebsd/share/examples/IPv6/USAGE
Yoshinobu Inoue 80d21dc41b Add IPv6 related docs.
Reviewed by: phantom
2000-02-26 19:44:12 +00:00

630 lines
24 KiB
Plaintext

USAGE
KAME Project
http://www.kame.net/newsletter/
$FreeBSD$
This is a introduction of how to use the commands provided in the KAME
kit. For more information, please refer to each man page.
<<<ifconfig>>>
A link-local address is automatically assigned to each interface, when
the interface becomes up for the first time. Even if you find an interface
without a link-local address, do not panic. The link-local address will be
assigned when it becomes up (with "ifconfig IF up").
Some network drivers allow an interface to become up even without a
hardware address (for example, PCMCIA network cards). In such cases, it is
possible that an interface has no link-local address even if the
interface is up. If you see such situation, please disable the
interface once and then re-enable it (i.e. do `ifconfig IF down;
ifconfig IF up').
Pseudo interfaces (like "gif" tunnel device) will borrow IPv6 interface
identifier (lowermost 64bit of the address) from EUI64/IEEE802 sources,
like ethernet cards. Pseudo interfaces will be able to get IPv6 link-local
address, if you have other "real" interface configured beforehand.
If you have no EUI64/IEEE802 sources on the node, you may need to configure
link-local address manually. Though we have last-resort code in the kernel,
which generates interface identifier from MD5(hostname), it may not suitable
for your usage (for example, if you configure same hostname on both sides
of gif tunnel, you will be doomed).
If you have a router announcing Router Advertisement,
global addresses will be assigned automatically. So, "ifconfig" is not
necessary for your *host*. (Please refer to "sysctl" section for configuring
a host to accept Router Advertisement.)
If you want to set up a router, you need to assign global addresses
for two or more interfaces by "ifconfig" or "prefix". (prefix command
is described at next section)
If you want to assign a global address by "ifconfig", don't forget to
specify the "alias" argument to keep the link-local address.
# ifconfig de0 inet6 fec0:0:0:1000:200:f8ff:fe01:6317 alias
# ifconfig de0
de0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
inet 172.16.202.12 netmask 0xffffff00 broadcast 172.16.202.255
inet6 fe80::200:f8ff:fe01:6317%de0 prefixlen 64
inet6 fec0:0:0:1000:200:f8ff:fe01:6317 prefixlen 64
inet6 fec0:0:0:1000:: prefixlen 64 anycast
ether 00:00:f8:01:63:17
media: autoselect (10baseT/UTP) status: active
supported media: autoselect 100baseTX <full-duplex> 100baseTX 10baseT/UTP <full-duplex> 10baseT/UTP
See also "/etc/rc.network6" for actual examples.
<<prefix>>
In IPv6 architecture, an IPv6 address of an interface can be generated
from a prefix assigned to it, and a link-dependent identifier for the
interface. Assigning a full IPv6 address by ifconfig is not
necessary anymore, because, user can only take care of prefix, by letting
system take care of interface identifier.
The newly added "prefix" command enables user to just assign prefixes
for interfaces, and let your system automatically generate IPv6
addresses. Prefixes added by the "prefix" command is maintained in
the kernel consistently with prefixes assigned by Router
Renumbering(in case of routers).
But "prefix" command can only be used on router, because host should be
able to configure its addr automatically. Prefixes added by the "prefix"
command are maintained independently from prefixes assigned by
Router Advertisement. Those two type of prefixes should not coexist on
a machine at the same time, and when it happens, it is considered to be
miss configuration.
Manual assignment of prefixes or change of prefix properties take
precedence over ones assigned by Router Renumbering.
If you want to assign a prefix(and consequently an address) manually, do
as follows:
# prefix de0 fec0:0:0:1000::
# ifconfig de0
de0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
inet 172.16.202.12 netmask 0xffffff00 broadcast 172.16.202.255
inet6 fe80:1::200:f8ff:fe01:6317 prefixlen 64
inet6 fec0:0:0:1000:200:f8ff:fe01:6317 prefixlen 64
inet6 fec0:0:0:1000:: prefixlen 64 anycast
ether 00:00:f8:01:63:17
media: autoselect (10baseT/UTP) status: active
supported media: autoselect 100baseTX <full-duplex> 100baseTX 10baseT/UTP <full-duplex> 10baseT/UTP
To check assigned prefix, use the "ndp" command. (See description of
ndp command about its usage)
# ndp -p
fec0:0:0:1000::/64 if=de0
flags=LA, vltime=2592000, pltime=604800, expire=Never
No advertising router
The "prefix" command also has node internal prefix renumbering
ability.
If you have multiple prefixes which have fec0:0:0:1000:/56 at the top,
and would like to renumber them to fec0:0:0:2000:/56, then use the
"prefix" command with the "matchpr" argument and the "usepr" argument.
Suppose that current state of before renumbering as follows:
# ifconfig de0
de0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
inet 172.16.202.12 netmask 0xffffff00 broadcast 172.16.202.255
inet6 fe80:1::200:f8ff:fe01:6317 prefixlen 64
inet6 fec0:0:0:1000:200:f8ff:fe01:6317 prefixlen 64
inet6 fec0:0:0:1000:: prefixlen 64 anycast
ether 00:00:f8:01:63:17
media: autoselect (10baseT/UTP) status: active
supported media: autoselect 100baseTX <full-duplex> 100baseTX 10baseT/UTP <full-duplex> 10baseT/UTP
# ifconfig de1
de1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
inet 172.16.203.12 netmask 0xffffff00 broadcast 172.16.203.255
inet6 fe80:1::200:f8ff:fe55:7011 prefixlen 64
inet6 fec0:0:0:1001:200:f8ff:fe55:7011 prefixlen 64
inet6 fec0:0:0:1001:: prefixlen 64 anycast
ether 00:00:f8:55:70:11
media: autoselect (10baseT/UTP) status: active
supported media: autoselect 100baseTX <full-duplex> 100baseTX 10baseT/UTP <full-duplex> 10baseT/UTP
# ndp -p
fec0:0:0:1000::/64 if=de0
flags=LA, vltime=2592000, pltime=604800, expire=Never
No advertising router
fec0:0:0:1001::/64 if=de1
flags=LA, vltime=2592000, pltime=604800, expire=Never
No advertising router
Then do as follows:
# prefix -a matchpr fec0:0:0:1000:: mp_len 56 usepr fec0:0:0:2000:: up_uselen 56 change
If command is successful, prefixes and addresses will be renumbered as
follows.
# ifconfig de0
de0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
inet 172.16.202.12 netmask 0xffffff00 broadcast 172.16.202.255
inet6 fe80:1::200:f8ff:fe01:6317 prefixlen 64
inet6 fec0:0:0:2000:200:f8ff:fe01:6317 prefixlen 64
inet6 fec0:0:0:2000:: prefixlen 64 anycast
ether 00:00:f8:01:63:17
media: autoselect (10baseT/UTP) status: active
supported media: autoselect 100baseTX <full-duplex> 100baseTX 10baseT/UTP <full-duplex> 10baseT/UTP
# ifconfig de1
de1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
inet 172.16.203.12 netmask 0xffffff00 broadcast 172.16.203.255
inet6 fe80:1::200:f8ff:fe55:7011 prefixlen 64
inet6 fec0:0:0:2001:200:f8ff:fe55:7011 prefixlen 64
inet6 fec0:0:0:2001:: prefixlen 64 anycast
ether 00:00:f8:55:70:11
media: autoselect (10baseT/UTP) status: active
supported media: autoselect 100baseTX <full-duplex> 100baseTX 10baseT/UTP <full-duplex> 10baseT/UTP
# ndp -p
fec0:0:0:2000::/64 if=de0
flags=LA, vltime=2592000, pltime=604800, expire=Never
No advertising router
fec0:0:0:2001::/64 if=de1
flags=LA, vltime=2592000, pltime=604800, expire=Never
No advertising router
See also "/etc/rc.network6" for actual examples.
<<<route>>>
If there is a router announcing Router Advertisement on the subnet,
you don't need to add a default route for your host by yourself.
(Please refer to "sysctl" section to accept Router Advertisement.)
If you want to add a default route manually, do as follows:
# route add -inet6 default fe80::200:a2ff:fe0e:7543%de0
"default" means ::/0.
Note that, in IPv6, link-local address should be used as gateway
("fe80::200:a2ff:fe0e:7543%de1" in the above). If you use global addresses,
icmp6 redirect may not work properly. For ease of configuration we recommend
you to avoid static routes and run a routing daemon (route6d for example)
instead.
<<<ping6>>> (This might be integrated into "ping" as "ping -6" in the future.)
Reachability can be checked by "ping6". This "ping6" allows multicast
for its argument.
% ping6 -I xl0 ff02::1
or
% ping6 ff02::1%xl0
PING6(56=40+8+8 bytes) fe80::5254:ff:feda:cb7d --> ff02::1
56 bytes from fe80::5254:ff:feda:cb7d, icmp_seq=0 hlim=64 time=0.25 ms
56 bytes from fe80::2a0:c9ff:fe84:ed6c, icmp_seq=0 hlim=64 time=1.333 ms(DUP!)
56 bytes from fe80::5254:ff:feda:d161, icmp_seq=0 hlim=64 time=1.459 ms(DUP!)
56 bytes from fe80::260:97ff:fec2:80bf, icmp_seq=0 hlim=64 time=1.538 ms(DUP!)
<<<ping6 -w>>>
Name resolution is possible by ICMPv6 node information query message.
This is very convenient for link-local addresses whose host name cannot be
resolved by DNS. Specify the "-w" option to "ping6".
% ping6 -I xl0 -w ff02::1
64 bytes from fe80::5254:ff:feda:cb7d: fto.kame.net
67 bytes from fe80::5254:ff:feda:d161: banana.kame.net
69 bytes from fe80::2a0:c9ff:fe84:ebd9: paradise.kame.net
66 bytes from fe80::260:8ff:fe8b:447f: taroh.kame.net
66 bytes from fe80::2a0:c9ff:fe84:ed6c: ayame.kame.net
<<<traceroute6>>>
The route for a target host can be checked by "traceroute6".
% traceroute6 tokyo.v6.wide.ad.jp
traceroute to tokyo.v6.wide.ad.jp (3ffe:501:0:401:200:e8ff:fed5:8923), 30 hops max, 12 byte packets
1 nr60.v6.kame.net 1.239 ms 0.924 ms 0.908 ms
2 otemachi.v6.wide.ad.jp 28.953 ms 31.451 ms 26.567 ms
3 tokyo.v6.wide.ad.jp 26.549 ms 26.58 ms 26.186 ms
If the -l option is specified, both address and name are shown in each line.
% traceroute6 -l tokyo.v6.wide.ad.jp
traceroute to tokyo.v6.wide.ad.jp (3ffe:501:0:401:200:e8ff:fed5:8923), 30 hops max, 12 byte packets
1 nr60.v6.kame.net (3ffe:501:4819:2000:260:97ff:fec2:80bf) 1.23 ms 0.952 ms 0.92 ms
2 otemachi.v6.wide.ad.jp (3ffe:501:0:1802:260:97ff:feb6:7ff0) 27.345 ms 26.706 ms 26.563 ms
3 tokyo.v6.wide.ad.jp (3ffe:501:0:401:200:e8ff:fed5:8923) 26.329 ms 26.36 ms 28.63 ms
<<<ndp>>>
To display the current Neighbor cache, use "ndp":
% ndp -a
Neighbor Linklayer Address Netif Expire St Flgs Prbs
nr60.v6.kame.net 0:60:97:c2:80:bf xl0 expired S R
fec0:0:0:1000:2c0:cff:fe10 0:c0:c:10:3a:53 xl0 permanent R
paradise.v6.kame.net 52:54:0:dc:52:17 xl0 expired S R
fe80:1::200:eff:fe49:f929 0:0:e:49:f9:29 xl0 expired S R
fe80:1::200:86ff:fe05:80da 0:0:86:5:80:da xl0 expired S
fe80:1::200:86ff:fe05:c2d8 0:0:86:5:c2:d8 xl0 9s R
To flush the all NDP cache, execute the following by root.
# ndp -c
To display the prefix list.
% ndp -p
fec0:0:0::1000::/64 if=xl0
flags=LA, vltime=2592000, pltime=604800, expire=29d23h59m58s
advertised by
fe80::5254:ff:fedc:5217
fe80::260:97ff:fec2:80bf
fe80::200:eff:fe49:f929
To display the default router list.
% ndp -r
fe80::260:97ff:fec2:80bf if=xl0, flags=, expire=29m55s
fe80::5254:ff:fedc:5217 if=xl0, flags=, expire=29m7s
fe80::200:eff:fe49:f929 if=xl0, flags=, expire=28m47s
<<<rtsol>>>
To generate a Router Solicitation message right now to get global
addresses, use "rtsol".
# ifconfig xl0
xl0: flags=8a43<UP,BROADCAST,RUNNING,ALLMULTI,SIMPLEX,MULTICAST> mtu 1500
inet6 fe80:2::2a0:24ff:feab:839b%xl0 prefixlen 64
ether 0:a0:24:ab:83:9b
media: autoselect (10baseT/UTP) status: active
supported media: autoselect 100baseTX <full-duplex> 100baseTX 10baseT/UTP <full-duplex> 10baseT/UTP 100baseTX <hw-loopback>
# rtsol xl0
# ifconfig xl0
xl0: flags=8a43<UP,BROADCAST,RUNNING,ALLMULTI,SIMPLEX,MULTICAST> mtu 1500
inet6 fe80:2::2a0:24ff:feab:839b%xl0 prefixlen 64
inet6 fec0:0:0:1000:2a0:24ff:feab:839b prefixlen 64
ether 0:a0:24:ab:83:9b
media: autoselect (10baseT/UTP) status: active
supported media: autoselect 100baseTX <full-duplex> 100baseTX 10baseT/UTP <full-duplex> 10baseT/UTP 100baseTX <hw-loopback>
<<<rtsold>>>
rtsold is a daemon version of rtsol. If you run KAME IPv6 on a laptop
computer and frequently move with it, the daemon is useful since it watches
the interface and sends router solicitations when the status of the interface
changes. Note, however, that the feature is disabled by default. Please
add -m option at invocation of rtsold.
rtsold also supports multiple interfaces. For example, you can
invoke the daemon as follows:
# rtsold -m ep0 cnw0
<<<netstat>>>
To see routing table:
# netstat -nr
# netstat -nrl (long format with Ref and Use)
<<<sysctl>>>
If "net.inet6.ip6.accept_rtadv" is 1, Router Advertisement is
accepted. This means that global addresses and default route are
automatically set up. Otherwise, the announcement is rejected. The
default value is 0. To set "net.inet6.ip6.accept_rtadv" to 1, execute
as follows:
# sysctl -w net.inet6.ip6.accept_rtadv=1
<<<gifconfig>>>
"gif" interface enables you to perform IPv{4,6} over IPv{4,6}
protocol tunneling. To use this interface, you must specify the
outer IPv{4,6} address by using gifconfig, like:
# gifconfig gif0 172.16.198.61 172.16.11.21
"ifconfig gif0" will configure the address pair used for inner
IPv{4,6} header.
It is not required to configure inner IPv{4,6} address pair. If
you do not configure inner IPv{4,6} address pair, tunnel link is
considered as un-numbered link and the source address of inner
IPv{4,6} address pair will be borrowed from other interfaces.
The following example configures un-numbered IPv6-over-IPv4 tunnel:
# gifconfig gif0 10.0.0.1 10.0.0.1 netmask 255.255.255.0
The following example configures numbered IPv6-over-IPv4 tunnel:
# gifconfig gif0 10.0.0.1 10.0.0.1 netmask 255.255.255.0
# ifconfig gif0 inet6 fec0:0:0:3000::1 fec0:0:0:3000::2 prefixlen 64 alias
IPv6 spec allows you to use point-to-point link without global IPv6
address assigned to the interface. Routing protocol (such as RIPng)
uses link-local addresses only. If you are to configure IPv6-over-IPv4
tunnel, you need not to configure an address pair for inner IPv6
header. We suggest you to use the former example (un-numbered
IPv6-over-IPv4 tunnel) to connect to 6bone for simplicity,
for router to router connection.
Note that it is so easy to make an infinite routing loop using gif
interface, if you configure a tunnel using the same protocol family
for inner and outer header (i.e. IPv4-over-IPv4).
Refer to gifconfig(8) for more details.
<<<inetd>>>
Inetd supports AF_INET and AF_INET6 sockets, with IPsec policy
configuration support.
Refer to inetd(8) for more details.
<<<IPsec>>>
The current KAME supports both transport mode and tunnel mode.
However, tunnel mode comes with some restrictions.
http://www.kame.net/newsletter/ has more comprehensive examples.
Let's setup security association to deploy a secure channel between
HOST A (10.2.3.4) and HOST B (10.6.7.8). Here we show a little
complicated example. From HOST A to HOST B, only old AH is used.
From HOST B to HOST A, new AH and new ESP are combined.
Now we should choose algorithm to be used corresponding to "AH"/"new
AH"/"ESP"/"new ESP". Please refer to the "setkey" man page to know
algorithm names. Our choice is MD5 for AH, new-HMAC-SHA1 for new AH,
and new-DES-expIV with 8 byte IV for new ESP.
Key length highly depends on each algorithm. For example, key
length must be equal to 16 bytes for MD5, 20 for new-HMAC-SHA1,
and 8 for new-DES-expIV. Now we choose "MYSECRETMYSECRET",
"KAMEKAMEKAMEKAMEKAME", "PASSWORD", respectively.
OK, let's assign SPI (Security Parameter Index) for each protocol.
Please note that we need 3 SPIs for this secure channel since three
security headers are produced (one for from HOST A to HOST B, two for
from HOST B to HOST A). Please also note that SPI MUST be greater
than or equal to 256. We choose, 1000, 2000, and 3000, respectively.
(1)
HOST A ------> HOST B
(1)PROTO=AH
ALG=MD5(RFC1826)
KEY=MYSECRETMYSECRET
SPI=1000
(2.1)
HOST A <------ HOST B
<------
(2.2)
(2.1)
PROTO=AH
ALG=new-HMAC-SHA1(new AH)
KEY=KAMEKAMEKAMEKAMEKAME
SPI=2000
(2.2)
PROTO=ESP
ALG=new-DES-expIV(new ESP)
IV length = 8
KEY=PASSWORD
SPI=3000
Now, let's setup security association. Execute "setkey" on both HOST
A and B:
# setkey -c
add 10.2.3.4 10.6.7.8 ah 1000 -m transport -A keyed-md5 "MYSECRETMYSECRET" ;
add 10.6.7.8 10.2.3.4 ah 2000 -m transport -A hmac-sha1 "KAMEKAMEKAMEKAMEKAME" ;
add 10.6.7.8 10.2.3.4 esp 3000 -m transport -E des-cbc "PASSWORD" ;
^D
Actually, IPsec communication doesn't process until security policy
entries will be defined. In this case, you must setup each host.
At A:
# setkey -c
spdadd 10.2.3.4 10.6.7.8 any -P out ipsec
ah/transport/10.2.3.4-10.6.7.8/require ;
^D
At B:
spdadd 10.6.7.8 10.2.3.4 any -P out ipsec
esp/transport/10.6.7.8-10.2.3.4/require ;
spdadd 10.6.7.8 10.2.3.4 any -P out ipsec
ah/transport/10.6.7.8-10.2.3.4/require ;
^D
To utilize the security associations installed into the kernel, you
must set the socket security level by using setsockopt().
This is per-application (or per-socket) security. For example,
the "ping" command has the -P option with parameter to enable AH and/or ESP.
For example:
% ping -P "out ipsec \
ah/transport/10.0.1.1-10.0.2.2/use \
esp/tunnel/10.0.1.1-10.0.1.2/require" 10.0.2.2
If there are proper SAs, this policy specification causes ICMP packet
to be AH transport mode inner ESP tunnel mode like below.
HOST C -----------> GATEWAY D ----------> HOST E
10.0.1.1 10.0.1.2 10.0.2.1 10.0.2.2
| | | |
| ======= ESP ======= |
==================== AH ==================
Another example using IPv6.
ESP transport mode is recommended for TCP port number 110 between Host-A and
Host-B.
============ ESP ============
| |
Host-A Host-B
fec0::10 -------------------- fec0::11
Encryption algorithm is blowfish-cbc whose key is "kamekame", and
authentication algorithm is hmac-sha1 whose key is "this is the test key".
Configuration at Host-A:
# setkey -c <<EOF
spdadd fec0::10[any] fec0::11[110] tcp -P out ipsec
esp/transport/fec0::10-fec0::11/use ;
spdadd fec0::11[110] fec0::10[any] tcp -P in ipsec
esp/transport/fec0::11-fec0::10/use ;
add fec0::10 fec0::11 esp 0x10001
-m transport
-E blowfish-cbc "kamekame"
-A hmac-sha1 "this is the test key" ;
add fec0::11 fec0::10 esp 0x10002
-m transport
-E blowfish-cbc "kamekame"
-A hmac-sha1 "this is the test key" ;
EOF
and at Host-B:
# setkey -c <<EOF
spdadd fec0::11[110] fec0::10[any] tcp -P out ipsec
esp/transport/fec0::11-fec0::10/use ;
spdadd fec0::10[any] fec0::11[110] tcp -P in ipsec
esp/transport/fec0::10-fec0::11/use ;
add fec0::10 fec0::11 esp 0x10001 -m transport
-E blowfish-cbc "kamekame"
-A hmac-sha1 "this is the test key" ;
add fec0::11 fec0::10 esp 0x10002 -m transport
-E blowfish-cbc "kamekame"
-A hmac-sha1 "this is the test key" ;
EOF
Note the direction of SP.
Tunnel mode between two security gateways
Security protocol is old AH tunnel mode, i.e. specified by RFC1826, with
keyed-md5 whose key is "this is the test" as authentication algorithm.
======= AH =======
| |
Network-A Gateway-A Gateway-B Network-B
10.0.1.0/24 ---- 172.16.0.1 ----- 172.16.0.2 ---- 10.0.2.0/24
Configuration at Gateway-A:
# setkey -c <<EOF
spdadd 10.0.1.0/24 10.0.2.0/24 any -P out ipsec
ah/tunnel/172.16.0.1-172.16.0.2/require ;
spdadd 10.0.2.0/24 10.0.1.0/24 any -P in ipsec
ah/tunnel/172.16.0.2-172.16.0.1/require ;
add 172.16.0.1 172.16.0.2 ah-old 0x10003 -m any
-A keyed-md5 "this is the test" ;
add 172.16.0.2 172.16.0.1 ah-old 0x10004 -m any
-A keyed-md5 "this is the test" ;
If port number field is omitted such above then "[any]" is employed. `-m'
specifies the mode of SA to be used. "-m any" means wild-card of mode of
security protocol. You can use this SA for both tunnel and transport mode.
and at Gateway-B:
# setkey -c <<EOF
spdadd 10.0.2.0/24 10.0.1.0/24 any -P out ipsec
ah/tunnel/172.16.0.2-172.16.0.1/require ;
spdadd 10.0.1.0/24 10.0.2.0/24 any -P in ipsec
ah/tunnel/172.16.0.1-172.16.0.2/require ;
add 172.16.0.1 172.16.0.2 ah-old 0x10003 -m any
-A keyed-md5 "this is the test" ;
add 172.16.0.2 172.16.0.1 ah-old 0x10004 -m any
-A keyed-md5 "this is the test" ;
Making SA bundle between two security gateways
AH transport mode and ESP tunnel mode is required between Gateway-A and
Gateway-B. In this case, ESP tunnel mode is applied first, and AH transport
mode is next.
========== AH =========
| ======= ESP ===== |
| | | |
Network-A Gateway-A Gateway-B Network-B
fec0:0:0:1::/64 --- fec0:0:0:1::1 ---- fec0:0:0:2::1 --- fec0:0:0:2::/64
Encryption algorithm is 3des-cbc, and authentication algorithm for ESP is
hmac-sha1. Authentication algorithm for AH is hmac-md5.
Configuration at Gateway-A:
# setkey -c <<EOF
spdadd fec0:0:0:1::/64 fec0:0:0:2::/64 any -P out ipsec
esp/tunnel/fec0:0:0:1::1-fec0:0:0:2::1/require
ah/transport/fec0:0:0:1::1-fec0:0:0:2::1/require ;
spdadd fec0:0:0:2::/64 fec0:0:0:1::/64 any -P in ipsec
esp/tunnel/fec0:0:0:2::1-fec0:0:0:1::1/require
ah/transport/fec0:0:0:2::1-fec0:0:0:1::1/require ;
add fec0:0:0:1::1 fec0:0:0:2::1 esp 0x10001 -m tunnel
-E 3des-cbc "kamekame12341234kame1234"
-A hmac-sha1 "this is the test key" ;
add fec0:0:0:1::1 fec0:0:0:2::1 ah 0x10001 -m transport
-A hmac-md5 "this is the test" ;
add fec0:0:0:2::1 fec0:0:0:1::1 esp 0x10001 -m tunnel
-E 3des-cbc "kamekame12341234kame1234"
-A hmac-sha1 "this is the test key" ;
add fec0:0:0:2::1 fec0:0:0:1::1 ah 0x10001 -m transport
-A hmac-md5 "this is the test" ;
Making SAs with the different end
ESP tunnel mode is required between Host-A and Gateway-A. Encryption
algorithm is cast128-cbc, and authentication algorithm for ESP is hmac-sha1.
ESP transport mode is recommended between Host-A and Host-B. Encryption
algorithm is rc5-cbc, and authentication algorithm for ESP is hmac-md5.
================== ESP =================
| ======= ESP ======= |
| | | |
Host-A Gateway-A Host-B
fec0:0:0:1::1 ---- fec0:0:0:2::1 ---- fec0:0:0:2::2
Configuration at Host-A:
# setkey -c <<EOF
spdadd fec0:0:0:1::1[any] fec0:0:0:2::2[80] tcp -P out ipsec
esp/transport/fec0:0:0:1::1-fec0:0:0:2::2/use
esp/tunnel/fec0:0:0:1::1-fec0:0:0:2::1/require ;
spdadd fec0:0:0:2::1[80] fec0:0:0:1::1[any] tcp -P in ipsec
esp/transport/fec0:0:0:2::2-fec0:0:0:l::1/use
esp/tunnel/fec0:0:0:2::1-fec0:0:0:1::1/require ;
add fec0:0:0:1::1 fec0:0:0:2::2 esp 0x10001
-m transport
-E cast128-cbc "12341234"
-A hmac-sha1 "this is the test key" ;
add fec0:0:0:1::1 fec0:0:0:2::1 esp 0x10002
-E rc5-cbc "kamekame"
-A hmac-md5 "this is the test" ;
add fec0:0:0:2::2 fec0:0:0:1::1 esp 0x10003
-m transport
-E cast128-cbc "12341234"
-A hmac-sha1 "this is the test key" ;
add fec0:0:0:2::1 fec0:0:0:1::1 esp 0x10004
-E rc5-cbc "kamekame"
-A hmac-md5 "this is the test" ;
<end of USAGE>