mirror of
https://git.FreeBSD.org/src.git
synced 2024-12-24 11:29:10 +00:00
80d21dc41b
Reviewed by: phantom
630 lines
24 KiB
Plaintext
USAGE

KAME Project
http://www.kame.net/newsletter/
$FreeBSD$

This is an introduction to the commands provided in the KAME kit. For
more information, please refer to each man page.

<<<ifconfig>>>

A link-local address is automatically assigned to each interface when
the interface comes up for the first time. Even if you find an interface
without a link-local address, do not panic. The link-local address will be
assigned when it comes up (with "ifconfig IF up").

Some network drivers allow an interface to come up even without a
hardware address (for example, PCMCIA network cards). In such cases, it is
possible that an interface has no link-local address even though the
interface is up. If you see such a situation, disable the interface once
and then re-enable it (i.e. run `ifconfig IF down; ifconfig IF up').

Pseudo interfaces (like the "gif" tunnel device) borrow their IPv6 interface
identifier (the lowermost 64 bits of the address) from EUI64/IEEE802 sources
such as ethernet cards. A pseudo interface will therefore get an IPv6
link-local address if some other "real" interface was configured beforehand.
If you have no EUI64/IEEE802 source on the node, you may need to configure
the link-local address manually. The kernel does have last-resort code that
generates an interface identifier from MD5(hostname), but it may not be
suitable for your usage: for example, if you configure the same hostname on
both sides of a gif tunnel, both ends derive the same identifier and you will
be doomed.
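
As an added illustration of the two identifier sources described above (example code written for this page, not part of the KAME kit), the following Python derives the modified EUI-64 interface identifier from a MAC address, combines it with fe80::/64 or a site prefix, and shows why the MD5(hostname) fallback fails on a gif tunnel whose ends share a hostname. The function names, the MAC and the hostnames are made up for the example; the exact bytes the kernel takes from the MD5 digest are an assumption of this example (only the determinism matters for the failure shown).

```python
import hashlib
import ipaddress

LINK_LOCAL = "fe80::/64"


def modified_eui64(mac):
    """Interface identifier from a 48-bit IEEE 802 address (RFC 4291 App. A):
    split the MAC in two, insert ff:fe, and invert the universal/local bit."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit IEEE 802 address")
    ifid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    ifid[0] ^= 0x02
    return bytes(ifid)


def hostname_ifid(hostname):
    """Stand-in for the kernel's last-resort path. The text only says the
    identifier is derived from MD5(hostname); taking the first 8 digest bytes
    is an assumption of this example. The property that matters does not
    depend on it: the same hostname always yields the same identifier."""
    return hashlib.md5(hostname.encode()).digest()[:8]


def address_in(prefix, ifid):
    """Combine a /64 prefix with an 8-byte interface identifier."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64 or len(ifid) != 8:
        raise ValueError("need a /64 prefix and an 8-byte identifier")
    return ipaddress.IPv6Address(net.network_address.packed[:8] + ifid)


def link_local_from_mac(mac):
    return address_in(LINK_LOCAL, modified_eui64(mac))


def link_local_from_hostname(hostname):
    return address_in(LINK_LOCAL, hostname_ifid(hostname))


def tunnel_ends_collide(hostname_a, hostname_b):
    """True when two nodes with no EUI-64 source would put the same link-local
    address on both ends of a gif tunnel, which leaves the tunnel unusable
    (the "doomed" case in the text)."""
    return link_local_from_hostname(hostname_a) == link_local_from_hostname(hostname_b)


if __name__ == "__main__":
    # Constructed input: the de0 ethernet address from the listing above.
    mac = "00:00:f8:01:63:17"
    print(link_local_from_mac(mac))                                  # fe80::200:f8ff:fe01:6317
    print(address_in("fec0:0:0:1000::/64", modified_eui64(mac)).exploded)
    print(tunnel_ends_collide("gateway", "gateway"))                  # True
    print(tunnel_ends_collide("gateway-east", "gateway-west"))        # False
```

The MAC above is the one shown in the de0 listing, so the computed link-local matches the interface output; the collision check is the reason the text tells you to assign the link-local address by hand when no EUI-64 source exists.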

If you have a router announcing Router Advertisements, global addresses
will be assigned automatically, so "ifconfig" is not necessary for your
*host*. (Please refer to the "sysctl" section for configuring a host to
accept Router Advertisements.)

If you want to set up a router, you need to assign global addresses to
two or more interfaces with "ifconfig" or "prefix" (the prefix command is
described in the next section).
If you want to assign a global address with "ifconfig", don't forget to
specify the "alias" argument so that the link-local address is kept.

# ifconfig de0 inet6 fec0:0:0:1000:200:f8ff:fe01:6317 alias
# ifconfig de0
de0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	inet 172.16.202.12 netmask 0xffffff00 broadcast 172.16.202.255
	inet6 fe80::200:f8ff:fe01:6317%de0 prefixlen 64
	inet6 fec0:0:0:1000:200:f8ff:fe01:6317 prefixlen 64
	inet6 fec0:0:0:1000:: prefixlen 64 anycast
	ether 00:00:f8:01:63:17
	media: autoselect (10baseT/UTP) status: active
	supported media: autoselect 100baseTX <full-duplex> 100baseTX 10baseT/UTP <full-duplex> 10baseT/UTP

See also "/etc/rc.network6" for actual examples.

<<<prefix>>>

In the IPv6 architecture, the IPv6 address of an interface can be generated
from a prefix assigned to it plus a link-dependent identifier for the
interface. Assigning a full IPv6 address with ifconfig is therefore not
necessary: the user only has to take care of the prefix and lets the
system take care of the interface identifier.

The newly added "prefix" command lets the user assign just prefixes to
interfaces and have the system generate the IPv6 addresses automatically.
Prefixes added by the "prefix" command are maintained in the kernel
consistently with prefixes assigned by Router Renumbering (in the case of
routers).

The "prefix" command can only be used on a router, because a host should
be able to configure its addresses automatically. Prefixes added by the
"prefix" command are maintained independently from prefixes assigned by
Router Advertisement. Those two types of prefixes should not coexist on a
machine at the same time; when they do, it is considered a misconfiguration.

Manual assignment of prefixes, or changes to prefix properties, take
precedence over ones assigned by Router Renumbering.

If you want to assign a prefix (and consequently an address) manually, do
as follows:

# prefix de0 fec0:0:0:1000::
# ifconfig de0
de0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	inet 172.16.202.12 netmask 0xffffff00 broadcast 172.16.202.255
	inet6 fe80:1::200:f8ff:fe01:6317 prefixlen 64
	inet6 fec0:0:0:1000:200:f8ff:fe01:6317 prefixlen 64
	inet6 fec0:0:0:1000:: prefixlen 64 anycast
	ether 00:00:f8:01:63:17
	media: autoselect (10baseT/UTP) status: active
	supported media: autoselect 100baseTX <full-duplex> 100baseTX 10baseT/UTP <full-duplex> 10baseT/UTP

To check the assigned prefix, use the "ndp" command. (See the description
of the ndp command for its usage.)

# ndp -p
fec0:0:0:1000::/64 if=de0
  flags=LA, vltime=2592000, pltime=604800, expire=Never
  No advertising router

The "prefix" command also has node internal prefix renumbering
|
|
ability.
|
|
|
|
If you have multiple prefixes which have fec0:0:0:1000:/56 at the top,
|
|
and would like to renumber them to fec0:0:0:2000:/56, then use the
|
|
"prefix" command with the "matchpr" argument and the "usepr" argument.
|
|
|
|
Suppose that current state of before renumbering as follows:
|
|
|
|
# ifconfig de0
|
|
de0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
|
|
inet 172.16.202.12 netmask 0xffffff00 broadcast 172.16.202.255
|
|
inet6 fe80:1::200:f8ff:fe01:6317 prefixlen 64
|
|
inet6 fec0:0:0:1000:200:f8ff:fe01:6317 prefixlen 64
|
|
inet6 fec0:0:0:1000:: prefixlen 64 anycast
|
|
ether 00:00:f8:01:63:17
|
|
media: autoselect (10baseT/UTP) status: active
|
|
supported media: autoselect 100baseTX <full-duplex> 100baseTX 10baseT/UTP <full-duplex> 10baseT/UTP
|
|
|
|
# ifconfig de1
|
|
de1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
|
|
inet 172.16.203.12 netmask 0xffffff00 broadcast 172.16.203.255
|
|
inet6 fe80:1::200:f8ff:fe55:7011 prefixlen 64
|
|
inet6 fec0:0:0:1001:200:f8ff:fe55:7011 prefixlen 64
|
|
inet6 fec0:0:0:1001:: prefixlen 64 anycast
|
|
ether 00:00:f8:55:70:11
|
|
media: autoselect (10baseT/UTP) status: active
|
|
supported media: autoselect 100baseTX <full-duplex> 100baseTX 10baseT/UTP <full-duplex> 10baseT/UTP
|
|
|
|
# ndp -p
|
|
fec0:0:0:1000::/64 if=de0
|
|
flags=LA, vltime=2592000, pltime=604800, expire=Never
|
|
No advertising router
|
|
fec0:0:0:1001::/64 if=de1
|
|
flags=LA, vltime=2592000, pltime=604800, expire=Never
|
|
No advertising router
|
|
|
|
Then do as follows:
|
|
|
|
# prefix -a matchpr fec0:0:0:1000:: mp_len 56 usepr fec0:0:0:2000:: up_uselen 56 change
|
|
|
|
If command is successful, prefixes and addresses will be renumbered as
|
|
follows.
|
|
|
|
# ifconfig de0
|
|
de0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
|
|
inet 172.16.202.12 netmask 0xffffff00 broadcast 172.16.202.255
|
|
inet6 fe80:1::200:f8ff:fe01:6317 prefixlen 64
|
|
inet6 fec0:0:0:2000:200:f8ff:fe01:6317 prefixlen 64
|
|
inet6 fec0:0:0:2000:: prefixlen 64 anycast
|
|
ether 00:00:f8:01:63:17
|
|
media: autoselect (10baseT/UTP) status: active
|
|
supported media: autoselect 100baseTX <full-duplex> 100baseTX 10baseT/UTP <full-duplex> 10baseT/UTP
|
|
# ifconfig de1
|
|
de1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
|
|
inet 172.16.203.12 netmask 0xffffff00 broadcast 172.16.203.255
|
|
inet6 fe80:1::200:f8ff:fe55:7011 prefixlen 64
|
|
inet6 fec0:0:0:2001:200:f8ff:fe55:7011 prefixlen 64
|
|
inet6 fec0:0:0:2001:: prefixlen 64 anycast
|
|
ether 00:00:f8:55:70:11
|
|
media: autoselect (10baseT/UTP) status: active
|
|
supported media: autoselect 100baseTX <full-duplex> 100baseTX 10baseT/UTP <full-duplex> 10baseT/UTP
|
|
# ndp -p
|
|
fec0:0:0:2000::/64 if=de0
|
|
flags=LA, vltime=2592000, pltime=604800, expire=Never
|
|
No advertising router
|
|
fec0:0:0:2001::/64 if=de1
|
|
flags=LA, vltime=2592000, pltime=604800, expire=Never
|
|
No advertising router
|
|
|
|
See also "/etc/rc.network6" for actual examples.
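
To make the matchpr/usepr rule concrete, here is an added Python model of the renumbering operation (example code for this page, not the prefix command's own implementation): an address whose top mp_len bits equal those of matchpr gets its top up_uselen bits replaced with those of usepr, and everything below, including the interface identifier, is kept; anything outside the matched block is left alone. The function names are this example's own, the kernel's behaviour beyond this bit operation is an assumption, and the inputs are the de0/de1 addresses and prefixes from the listings above.

```python
import ipaddress

ALL = (1 << 128) - 1


def top_bits(n):
    """128-bit mask with the top n bits set."""
    return ALL ^ ((1 << (128 - n)) - 1)


def renumber(addr, matchpr, mp_len, usepr, up_uselen):
    """One address under 'prefix -a matchpr M mp_len L usepr U up_uselen N change':
    if the top L bits of addr equal the top L bits of M, the top N bits are
    replaced with those of U and everything below (rest of the prefix and the
    interface identifier) is kept; otherwise addr comes back untouched."""
    a = int(ipaddress.IPv6Address(addr))
    m = int(ipaddress.IPv6Address(matchpr))
    u = int(ipaddress.IPv6Address(usepr))
    if (a ^ m) & top_bits(mp_len):
        return ipaddress.IPv6Address(a)        # not under matchpr: unchanged
    keep = a & ~top_bits(up_uselen) & ALL
    return ipaddress.IPv6Address((u & top_bits(up_uselen)) | keep)


def renumber_prefixes(prefixes, matchpr, mp_len, usepr, up_uselen):
    """The same operation over on-link prefixes, e.g. the entries 'ndp -p' lists."""
    out = []
    for p in prefixes:
        net = ipaddress.IPv6Network(p)
        new = renumber(net.network_address, matchpr, mp_len, usepr, up_uselen)
        out.append(ipaddress.IPv6Network((new, net.prefixlen)))
    return out


if __name__ == "__main__":
    # Constructed from the de0/de1 state shown above.
    args = ("fec0:0:0:1000::", 56, "fec0:0:0:2000::", 56)
    for a in ("fec0:0:0:1000:200:f8ff:fe01:6317",
              "fec0:0:0:1001:200:f8ff:fe55:7011",
              "fec0:0:0:3000::1"):             # outside the /56: unchanged
        print(a, "->", renumber(a, *args))
    print([str(n) for n in renumber_prefixes(["fec0:0:0:1000::/64",
                                               "fec0:0:0:1001::/64"], *args)])
```

Because only the top 56 bits are rewritten, the subnet byte (00 and 01 in the fourth hextet) and the EUI-64 identifiers survive, which is exactly what the post-renumbering listings show.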

<<<route>>>

If there is a router announcing Router Advertisements on the subnet,
you don't need to add a default route for your host yourself.
(Please refer to the "sysctl" section to accept Router Advertisements.)

If you want to add a default route manually, do as follows:

# route add -inet6 default fe80::200:a2ff:fe0e:7543%de0

"default" means ::/0.

Note that, in IPv6, a link-local address should be used as the gateway
("fe80::200:a2ff:fe0e:7543%de0" in the above). If you use global addresses,
ICMPv6 redirects may not work properly. For ease of configuration we
recommend that you avoid static routes and run a routing daemon (route6d,
for example) instead.

<<<ping6>>> (This might be integrated into "ping" as "ping -6" in the future.)

Reachability can be checked by "ping6". This "ping6" accepts a multicast
address as its argument.

% ping6 -I xl0 ff02::1
or
% ping6 ff02::1%xl0

PING6(56=40+8+8 bytes) fe80::5254:ff:feda:cb7d --> ff02::1
56 bytes from fe80::5254:ff:feda:cb7d, icmp_seq=0 hlim=64 time=0.25 ms
56 bytes from fe80::2a0:c9ff:fe84:ed6c, icmp_seq=0 hlim=64 time=1.333 ms(DUP!)
56 bytes from fe80::5254:ff:feda:d161, icmp_seq=0 hlim=64 time=1.459 ms(DUP!)
56 bytes from fe80::260:97ff:fec2:80bf, icmp_seq=0 hlim=64 time=1.538 ms(DUP!)

<<<ping6 -w>>>

Name resolution is possible by ICMPv6 node information query message.
This is very convenient for link-local addresses whose host name cannot be
resolved by DNS. Specify the "-w" option to "ping6".

% ping6 -I xl0 -w ff02::1

64 bytes from fe80::5254:ff:feda:cb7d: fto.kame.net
67 bytes from fe80::5254:ff:feda:d161: banana.kame.net
69 bytes from fe80::2a0:c9ff:fe84:ebd9: paradise.kame.net
66 bytes from fe80::260:8ff:fe8b:447f: taroh.kame.net
66 bytes from fe80::2a0:c9ff:fe84:ed6c: ayame.kame.net

<<<traceroute6>>>

The route to a target host can be checked by "traceroute6".

% traceroute6 tokyo.v6.wide.ad.jp

traceroute to tokyo.v6.wide.ad.jp (3ffe:501:0:401:200:e8ff:fed5:8923), 30 hops max, 12 byte packets
 1  nr60.v6.kame.net  1.239 ms  0.924 ms  0.908 ms
 2  otemachi.v6.wide.ad.jp  28.953 ms  31.451 ms  26.567 ms
 3  tokyo.v6.wide.ad.jp  26.549 ms  26.58 ms  26.186 ms

If the -l option is specified, both address and name are shown in each line.

% traceroute6 -l tokyo.v6.wide.ad.jp

traceroute to tokyo.v6.wide.ad.jp (3ffe:501:0:401:200:e8ff:fed5:8923), 30 hops max, 12 byte packets
 1  nr60.v6.kame.net (3ffe:501:4819:2000:260:97ff:fec2:80bf)  1.23 ms  0.952 ms  0.92 ms
 2  otemachi.v6.wide.ad.jp (3ffe:501:0:1802:260:97ff:feb6:7ff0)  27.345 ms  26.706 ms  26.563 ms
 3  tokyo.v6.wide.ad.jp (3ffe:501:0:401:200:e8ff:fed5:8923)  26.329 ms  26.36 ms  28.63 ms

<<<ndp>>>

To display the current Neighbor cache, use "ndp":

% ndp -a
Neighbor                    Linklayer Address  Netif Expire    St Flgs Prbs
nr60.v6.kame.net            0:60:97:c2:80:bf     xl0 expired   S  R
fec0:0:0:1000:2c0:cff:fe10  0:c0:c:10:3a:53      xl0 permanent R
paradise.v6.kame.net        52:54:0:dc:52:17     xl0 expired   S  R
fe80:1::200:eff:fe49:f929   0:0:e:49:f9:29       xl0 expired   S  R
fe80:1::200:86ff:fe05:80da  0:0:86:5:80:da       xl0 expired   S
fe80:1::200:86ff:fe05:c2d8  0:0:86:5:c2:d8       xl0 9s        R

To flush the entire NDP cache, run the following as root:

# ndp -c

To display the prefix list:

% ndp -p
fec0:0:0:1000::/64 if=xl0
  flags=LA, vltime=2592000, pltime=604800, expire=29d23h59m58s
  advertised by
    fe80::5254:ff:fedc:5217
    fe80::260:97ff:fec2:80bf
    fe80::200:eff:fe49:f929

To display the default router list:

% ndp -r
fe80::260:97ff:fec2:80bf if=xl0, flags=, expire=29m55s
fe80::5254:ff:fedc:5217 if=xl0, flags=, expire=29m7s
fe80::200:eff:fe49:f929 if=xl0, flags=, expire=28m47s

<<<rtsol>>>

To generate a Router Solicitation message right now in order to get global
addresses, use "rtsol".

# ifconfig xl0
xl0: flags=8a43<UP,BROADCAST,RUNNING,ALLMULTI,SIMPLEX,MULTICAST> mtu 1500
	inet6 fe80:2::2a0:24ff:feab:839b%xl0 prefixlen 64
	ether 0:a0:24:ab:83:9b
	media: autoselect (10baseT/UTP) status: active
	supported media: autoselect 100baseTX <full-duplex> 100baseTX 10baseT/UTP <full-duplex> 10baseT/UTP 100baseTX <hw-loopback>

# rtsol xl0
# ifconfig xl0
xl0: flags=8a43<UP,BROADCAST,RUNNING,ALLMULTI,SIMPLEX,MULTICAST> mtu 1500
	inet6 fe80:2::2a0:24ff:feab:839b%xl0 prefixlen 64
	inet6 fec0:0:0:1000:2a0:24ff:feab:839b prefixlen 64
	ether 0:a0:24:ab:83:9b
	media: autoselect (10baseT/UTP) status: active
	supported media: autoselect 100baseTX <full-duplex> 100baseTX 10baseT/UTP <full-duplex> 10baseT/UTP 100baseTX <hw-loopback>

<<<rtsold>>>

rtsold is a daemon version of rtsol. If you run KAME IPv6 on a laptop
computer and move around with it frequently, the daemon is useful since it
watches the interface and sends router solicitations when the status of the
interface changes. Note, however, that this feature is disabled by default;
pass the -m option when invoking rtsold.

rtsold also supports multiple interfaces. For example, you can
invoke the daemon as follows:

# rtsold -m ep0 cnw0

<<<netstat>>>

To see the routing table:

# netstat -nr
# netstat -nrl (long format with Ref and Use)

<<<sysctl>>>

If "net.inet6.ip6.accept_rtadv" is 1, Router Advertisements are
accepted. This means that global addresses and the default route are
set up automatically. Otherwise, the announcements are rejected. The
default value is 0. To set "net.inet6.ip6.accept_rtadv" to 1, execute
as follows:

# sysctl -w net.inet6.ip6.accept_rtadv=1

Keep in mind that a host which accepts Router Advertisements trusts every
node on the link: any node able to send an advertisement can install a
default route and prefixes on the host. Enable it only on links where that
is acceptable, and leave it at 0 on routers, which configure their prefixes
themselves (see the "prefix" section).

<<<gifconfig>>>

The "gif" interface lets you perform IPv{4,6}-over-IPv{4,6}
protocol tunneling. To use this interface, you must specify the
outer IPv{4,6} addresses using gifconfig, like:

# gifconfig gif0 172.16.198.61 172.16.11.21

"ifconfig gif0" configures the address pair used for the inner
IPv{4,6} header.

It is not required to configure the inner IPv{4,6} address pair. If
you do not configure it, the tunnel link is treated as an un-numbered
link and the source address for the inner IPv{4,6} header will be
borrowed from other interfaces.

The following example configures an un-numbered IPv6-over-IPv4 tunnel:
# gifconfig gif0 10.0.0.1 10.0.0.1 netmask 255.255.255.0

The following example configures a numbered IPv6-over-IPv4 tunnel:
# gifconfig gif0 10.0.0.1 10.0.0.1 netmask 255.255.255.0
# ifconfig gif0 inet6 fec0:0:0:3000::1 fec0:0:0:3000::2 prefixlen 64 alias

The IPv6 spec allows you to use a point-to-point link without a global IPv6
address assigned to the interface. Routing protocols (such as RIPng) use
link-local addresses only. If you are configuring an IPv6-over-IPv4
tunnel, you do not need to configure an address pair for the inner IPv6
header. We suggest the former example (un-numbered IPv6-over-IPv4 tunnel)
for router-to-router connections to the 6bone, for simplicity.

Note that it is very easy to create an infinite routing loop with a gif
interface if you configure a tunnel using the same protocol family for
inner and outer header (i.e. IPv4-over-IPv4): if the route to the outer
destination itself points at the tunnel, the encapsulated packet is fed
straight back into the tunnel.

Refer to gifconfig(8) for more details.

<<<inetd>>>

Inetd supports AF_INET and AF_INET6 sockets, with IPsec policy
configuration support.

Refer to inetd(8) for more details.

<<<IPsec>>>

The current KAME supports both transport mode and tunnel mode.
However, tunnel mode comes with some restrictions.
http://www.kame.net/newsletter/ has more comprehensive examples.

Let's set up security associations to deploy a secure channel between
HOST A (10.2.3.4) and HOST B (10.6.7.8). Here we show a slightly
complicated example. From HOST A to HOST B, only old AH is used.
From HOST B to HOST A, new AH and new ESP are combined.

Now we should choose the algorithm to be used for each of "AH"/"new
AH"/"ESP"/"new ESP". Please refer to the "setkey" man page for the
algorithm names. Our choice is MD5 for AH, new-HMAC-SHA1 for new AH,
and new-DES-expIV with an 8 byte IV for new ESP. (These are the algorithms
the original examples used and are kept for that reason only; single DES
and keyed MD5 are obsolete and must not be used in anything you deploy.)

Key length depends on each algorithm. For example, the key
length must be exactly 16 bytes for MD5, 20 for new-HMAC-SHA1,
and 8 for new-DES-expIV. Now we choose "MYSECRETMYSECRET",
"KAMEKAMEKAMEKAMEKAME" and "PASSWORD", respectively.

OK, let's assign an SPI (Security Parameter Index) to each protocol.
Please note that we need 3 SPIs for this secure channel since three
security headers are produced (one from HOST A to HOST B, two from
HOST B to HOST A). Please also note that the SPI MUST be greater
than or equal to 256. We choose 1000, 2000, and 3000, respectively.

            (1)
    HOST A ------> HOST B

    (1)PROTO=AH
       ALG=MD5(RFC1826)
       KEY=MYSECRETMYSECRET
       SPI=1000

            (2.1)
    HOST A <------ HOST B
           <------
            (2.2)

    (2.1)
       PROTO=AH
       ALG=new-HMAC-SHA1(new AH)
       KEY=KAMEKAMEKAMEKAMEKAME
       SPI=2000

    (2.2)
       PROTO=ESP
       ALG=new-DES-expIV(new ESP)
       IV length = 8
       KEY=PASSWORD
       SPI=3000

Now, let's set up the security associations. Execute "setkey" on both HOST
A and B:

# setkey -c
add 10.2.3.4 10.6.7.8 ah 1000 -m transport -A keyed-md5 "MYSECRETMYSECRET" ;
add 10.6.7.8 10.2.3.4 ah 2000 -m transport -A hmac-sha1 "KAMEKAMEKAMEKAMEKAME" ;
add 10.6.7.8 10.2.3.4 esp 3000 -m transport -E des-cbc "PASSWORD" ;
^D

Actually, no IPsec processing takes place until security policy entries
have been defined. So you must also set up the policy on each host.

At A:
# setkey -c
spdadd 10.2.3.4 10.6.7.8 any -P out ipsec
	ah/transport/10.2.3.4-10.6.7.8/require ;
^D

At B (AH and ESP are combined on the same traffic, so they go into one
policy entry with two rules; a second spdadd with the same selector would
be rejected as a duplicate):
# setkey -c
spdadd 10.6.7.8 10.2.3.4 any -P out ipsec
	esp/transport/10.6.7.8-10.2.3.4/require
	ah/transport/10.6.7.8-10.2.3.4/require ;
^D

Note that these entries only cover outbound traffic. Without a matching
"-P in ... require" entry, each host still accepts unprotected packets from
the other; the later examples show inbound entries as well.

To utilize the security associations installed in the kernel, you
must set the socket security level by using setsockopt().
This is per-application (or per-socket) security. For example,
the "ping" command has the -P option, whose parameter enables AH and/or ESP.

For example:
% ping -P "out ipsec \
	ah/transport/10.0.1.1-10.0.2.2/use \
	esp/tunnel/10.0.1.1-10.0.1.2/require" 10.0.2.2

If the proper SAs exist, this policy specification causes the ICMP packet
to be protected with AH in transport mode end to end (HOST C to HOST E),
and that AH packet to be carried inside ESP in tunnel mode from HOST C to
GATEWAY D, like below.

    HOST C -----------> GATEWAY D ----------> HOST E
    10.0.1.1      10.0.1.2   10.0.2.1      10.0.2.2
       |              |          |             |
       |  ======= ESP =======    |             |
       ===================== AH ===================

Another example using IPv6.

ESP transport mode is recommended (policy level "use") for TCP port number
110 between Host-A and Host-B.

	    ============ ESP ============
	    |                           |
	Host-A                      Host-B
	fec0::10 -------------------- fec0::11

The encryption algorithm is blowfish-cbc whose key is "kamekame", and the
authentication algorithm is hmac-sha1 whose key is "this is the test key".
Configuration at Host-A:

# setkey -c <<EOF
spdadd fec0::10[any] fec0::11[110] tcp -P out ipsec
	esp/transport/fec0::10-fec0::11/use ;
spdadd fec0::11[110] fec0::10[any] tcp -P in ipsec
	esp/transport/fec0::11-fec0::10/use ;
add fec0::10 fec0::11 esp 0x10001
	-m transport
	-E blowfish-cbc "kamekame"
	-A hmac-sha1 "this is the test key" ;
add fec0::11 fec0::10 esp 0x10002
	-m transport
	-E blowfish-cbc "kamekame"
	-A hmac-sha1 "this is the test key" ;
EOF

and at Host-B:

# setkey -c <<EOF
spdadd fec0::11[110] fec0::10[any] tcp -P out ipsec
	esp/transport/fec0::11-fec0::10/use ;
spdadd fec0::10[any] fec0::11[110] tcp -P in ipsec
	esp/transport/fec0::10-fec0::11/use ;
add fec0::10 fec0::11 esp 0x10001 -m transport
	-E blowfish-cbc "kamekame"
	-A hmac-sha1 "this is the test key" ;
add fec0::11 fec0::10 esp 0x10002 -m transport
	-E blowfish-cbc "kamekame"
	-A hmac-sha1 "this is the test key" ;
EOF

Note the direction of the SP entries: the selector and the SA endpoints are
the same on both hosts; only "-P out" at the sender becomes "-P in" at the
receiver.
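
The following Python, written for this page as an added example and not part of KAME or setkey, renders the "add" and "spdadd" lines for the HOST A / HOST B channel described earlier and checks the two things that silently break a hand-written configuration: key lengths outside what setkey(8) accepts for the named algorithm, and SPIs below 256. It also derives the peer's policy entry from the local one, so the direction point just made cannot be got wrong, and it names the legacy algorithms the historical examples rely on. The key-size table follows setkey(8); the function names are this example's own.

```python
"""Render and sanity-check setkey(8) 'add' and 'spdadd' lines before loading them."""

# Key sizes in bits accepted by setkey(8) for the algorithms this page uses.
ENC_KEY_BITS = {"des-cbc": (64, 64), "3des-cbc": (192, 192),
                "blowfish-cbc": (40, 448), "cast128-cbc": (40, 128),
                "rc5-cbc": (40, 2040)}
AUTH_KEY_BITS = {"keyed-md5": (128, 128), "hmac-md5": (128, 128),
                 "hmac-sha1": (160, 160)}
# Present only because the page's historical examples use them: RFC 8221
# marks single DES and HMAC-MD5 as MUST NOT and 3DES as SHOULD NOT.
LEGACY = {"des-cbc", "3des-cbc", "keyed-md5", "hmac-md5"}


def _check_key(alg, key, table):
    if alg not in table:
        raise ValueError(f"unknown algorithm {alg}")
    lo, hi = table[alg]
    bits = len(key.encode()) * 8
    if not lo <= bits <= hi:
        raise ValueError(f"{alg}: key is {bits} bits, setkey needs {lo}..{hi}")


def sa_entry(src, dst, proto, spi, mode="transport", enc=None, ekey="", auth=None, akey=""):
    """One SAD 'add' line. SPIs below 256 are reserved, so they are rejected."""
    if not 256 <= spi <= 0xFFFFFFFF:
        raise ValueError(f"SPI {spi} must be in 256..4294967295")
    if proto not in ("esp", "ah", "esp-old", "ah-old"):
        raise ValueError(f"unknown protocol {proto}")
    parts = [f"add {src} {dst} {proto} {spi} -m {mode}"]
    if proto.startswith("esp"):
        if not enc:
            raise ValueError("esp SA needs an encryption algorithm (-E)")
        _check_key(enc, ekey, ENC_KEY_BITS)
        parts.append(f'-E {enc} "{ekey}"')
    if auth:
        _check_key(auth, akey, AUTH_KEY_BITS)
        parts.append(f'-A {auth} "{akey}"')
    elif proto.startswith("ah"):
        raise ValueError("ah SA needs an authentication algorithm (-A)")
    return " ".join(parts) + " ;"


def is_valid_sa(*args, **kwargs):
    """True if sa_entry() accepts the arguments, False if it raises ValueError."""
    try:
        sa_entry(*args, **kwargs)
        return True
    except ValueError:
        return False


def spd_entry(src, dst, upper, direction, rules):
    """One SPD 'spdadd' entry. rules = [(proto, mode, from, to, level), ...].
    Two protocols on the same traffic (an SA bundle) go into ONE entry with
    two rules; a second spdadd with the same selector is a duplicate."""
    if direction not in ("in", "out"):
        raise ValueError("direction must be 'in' or 'out'")
    body = "\n".join(f"    {p}/{m}/{f}-{t}/{lvl}" for p, m, f, t, lvl in rules)
    return f"spdadd {src} {dst} {upper} -P {direction} ipsec\n{body} ;"


def peer_spd_entry(src, dst, upper, direction, rules):
    """What the other end must load for the same traffic: identical selector
    and rules, only the direction flips (out at the sender, in at the receiver)."""
    return spd_entry(src, dst, upper, "in" if direction == "out" else "out", rules)


def legacy_algorithms(sad_lines):
    """Names of legacy algorithms appearing in a list of 'add' lines."""
    return sorted({a for line in sad_lines for a in LEGACY if f" {a} " in line})


def host_a_host_b():
    """The channel from the text: old AH from A to B; new AH plus new ESP from B to A."""
    A, B = "10.2.3.4", "10.6.7.8"
    sad = [sa_entry(A, B, "ah", 1000, auth="keyed-md5", akey="MYSECRETMYSECRET"),
           sa_entry(B, A, "ah", 2000, auth="hmac-sha1", akey="KAMEKAMEKAMEKAMEKAME"),
           sa_entry(B, A, "esp", 3000, enc="des-cbc", ekey="PASSWORD")]
    a_rules = [("ah", "transport", A, B, "require")]
    b_rules = [("esp", "transport", B, A, "require"), ("ah", "transport", B, A, "require")]
    at_a = [spd_entry(A, B, "any", "out", a_rules), peer_spd_entry(B, A, "any", "out", b_rules)]
    at_b = [spd_entry(B, A, "any", "out", b_rules), peer_spd_entry(A, B, "any", "out", a_rules)]
    return sad, at_a, at_b


if __name__ == "__main__":
    sad, at_a, at_b = host_a_host_b()
    print("\n".join(sad))
    print("--- at A ---\n" + "\n".join(at_a))
    print("--- at B ---\n" + "\n".join(at_b))
    print("legacy algorithms in use:", legacy_algorithms(sad))
```

Feed the printed lines to "setkey -c" on each host. The inbound entries that host_a_host_b() adds for each side are the ones the text's first example leaves out; with them in place, an unprotected packet from the peer is dropped instead of accepted.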

Tunnel mode between two security gateways

The security protocol is old AH in tunnel mode, i.e. as specified by RFC1826,
with keyed-md5 whose key is "this is the test" as the authentication algorithm.

                      ======= AH =======
                      |                 |
    Network-A      Gateway-A         Gateway-B       Network-B
    10.0.1.0/24 ---- 172.16.0.1 ----- 172.16.0.2 ---- 10.0.2.0/24

Configuration at Gateway-A:

# setkey -c <<EOF
spdadd 10.0.1.0/24 10.0.2.0/24 any -P out ipsec
	ah/tunnel/172.16.0.1-172.16.0.2/require ;
spdadd 10.0.2.0/24 10.0.1.0/24 any -P in ipsec
	ah/tunnel/172.16.0.2-172.16.0.1/require ;
add 172.16.0.1 172.16.0.2 ah-old 0x10003 -m any
	-A keyed-md5 "this is the test" ;
add 172.16.0.2 172.16.0.1 ah-old 0x10004 -m any
	-A keyed-md5 "this is the test" ;
EOF

If the port number field is omitted, as above, "[any]" is assumed. `-m'
specifies the mode of the SA. "-m any" is a wildcard for the mode of the
security protocol: such an SA can be used for both tunnel and transport mode.

and at Gateway-B:

# setkey -c <<EOF
spdadd 10.0.2.0/24 10.0.1.0/24 any -P out ipsec
	ah/tunnel/172.16.0.2-172.16.0.1/require ;
spdadd 10.0.1.0/24 10.0.2.0/24 any -P in ipsec
	ah/tunnel/172.16.0.1-172.16.0.2/require ;
add 172.16.0.1 172.16.0.2 ah-old 0x10003 -m any
	-A keyed-md5 "this is the test" ;
add 172.16.0.2 172.16.0.1 ah-old 0x10004 -m any
	-A keyed-md5 "this is the test" ;
EOF

Making an SA bundle between two security gateways

AH transport mode and ESP tunnel mode are required between Gateway-A and
Gateway-B. In this case, ESP tunnel mode is applied first, and AH transport
mode next.

                   ========== AH =========
                   |  ======= ESP =====  |
                   |  |               |  |
    Network-A     Gateway-A         Gateway-B     Network-B
    fec0:0:0:1::/64 --- fec0:0:0:1::1 ---- fec0:0:0:2::1 --- fec0:0:0:2::/64

The encryption algorithm is 3des-cbc, and the authentication algorithm for
ESP is hmac-sha1. The authentication algorithm for AH is hmac-md5.
Configuration at Gateway-A:

# setkey -c <<EOF
spdadd fec0:0:0:1::/64 fec0:0:0:2::/64 any -P out ipsec
	esp/tunnel/fec0:0:0:1::1-fec0:0:0:2::1/require
	ah/transport/fec0:0:0:1::1-fec0:0:0:2::1/require ;
spdadd fec0:0:0:2::/64 fec0:0:0:1::/64 any -P in ipsec
	esp/tunnel/fec0:0:0:2::1-fec0:0:0:1::1/require
	ah/transport/fec0:0:0:2::1-fec0:0:0:1::1/require ;
add fec0:0:0:1::1 fec0:0:0:2::1 esp 0x10001 -m tunnel
	-E 3des-cbc "kamekame12341234kame1234"
	-A hmac-sha1 "this is the test key" ;
add fec0:0:0:1::1 fec0:0:0:2::1 ah 0x10001 -m transport
	-A hmac-md5 "this is the test" ;
add fec0:0:0:2::1 fec0:0:0:1::1 esp 0x10001 -m tunnel
	-E 3des-cbc "kamekame12341234kame1234"
	-A hmac-sha1 "this is the test key" ;
add fec0:0:0:2::1 fec0:0:0:1::1 ah 0x10001 -m transport
	-A hmac-md5 "this is the test" ;
EOF

(The same SPI value can be reused for the AH and ESP SAs here because an SA
is identified by the triple of destination address, security protocol and
SPI, not by the SPI alone.)

Making SAs with a different end

ESP tunnel mode is required between Host-A and Gateway-A; its encryption
algorithm is rc5-cbc and its authentication algorithm is hmac-md5.
ESP transport mode is recommended (level "use") between Host-A and Host-B;
its encryption algorithm is cast128-cbc and its authentication algorithm
is hmac-sha1.

        ================== ESP =================
        |  ======= ESP =======                 |
        |  |                 |                 |
    Host-A             Gateway-A            Host-B
    fec0:0:0:1::1 ---- fec0:0:0:2::1 ---- fec0:0:0:2::2

Configuration at Host-A:

# setkey -c <<EOF
spdadd fec0:0:0:1::1[any] fec0:0:0:2::2[80] tcp -P out ipsec
	esp/transport/fec0:0:0:1::1-fec0:0:0:2::2/use
	esp/tunnel/fec0:0:0:1::1-fec0:0:0:2::1/require ;
spdadd fec0:0:0:2::2[80] fec0:0:0:1::1[any] tcp -P in ipsec
	esp/transport/fec0:0:0:2::2-fec0:0:0:1::1/use
	esp/tunnel/fec0:0:0:2::1-fec0:0:0:1::1/require ;
add fec0:0:0:1::1 fec0:0:0:2::2 esp 0x10001
	-m transport
	-E cast128-cbc "12341234"
	-A hmac-sha1 "this is the test key" ;
add fec0:0:0:1::1 fec0:0:0:2::1 esp 0x10002
	-m tunnel
	-E rc5-cbc "kamekame"
	-A hmac-md5 "this is the test" ;
add fec0:0:0:2::2 fec0:0:0:1::1 esp 0x10003
	-m transport
	-E cast128-cbc "12341234"
	-A hmac-sha1 "this is the test key" ;
add fec0:0:0:2::1 fec0:0:0:1::1 esp 0x10004
	-m tunnel
	-E rc5-cbc "kamekame"
	-A hmac-md5 "this is the test" ;
EOF

<end of USAGE>