http://www.kame.net/newsletter/
This is an introduction to the commands provided in the KAME
kit. For more information, please refer to the man page of each command.
<<<ifconfig>>>

A link-local address is automatically assigned to each interface when
the interface comes up for the first time. Even if you find an interface
without a link-local address, do not panic. The link-local address will be
assigned when the interface comes up (with "ifconfig IF up").

Some network drivers allow an interface to come up even without a
hardware address (for example, PCMCIA network cards). In such cases it is
possible that an interface has no link-local address even though the
interface is up. If you see such a situation, disable the
interface once and then re-enable it (i.e. do `ifconfig IF down;
Pseudo interfaces (like the "gif" tunnel device) borrow their IPv6 interface
identifier (the lowermost 64 bits of the address) from EUI64/IEEE802 sources
such as ethernet cards. A pseudo interface will be able to get an IPv6 link-local
address if another "real" interface has been configured beforehand.
If you have no EUI64/IEEE802 sources on the node, you may need to configure
the link-local address manually. Although the kernel has last-resort code
which generates an interface identifier from MD5(hostname), it may not be suitable
for your usage (for example, if you configure the same hostname on both sides
of a gif tunnel, you will be doomed).
If there is a router announcing Router Advertisements,
global addresses will be assigned automatically, so "ifconfig" is not
necessary on your *host*. (Please refer to the "sysctl" section for configuring
a host to accept Router Advertisements.)
If you want to set up a router, you need to assign global addresses
to two or more interfaces with "ifconfig" or "prefix" (the prefix command
is described in the next section).
If you want to assign a global address with "ifconfig", don't forget to
specify the "alias" argument to keep the link-local address:
    # ifconfig de0 inet6 fec0:0:0:1000:200:f8ff:fe01:6317 alias

    de0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
            inet 172.16.202.12 netmask 0xffffff00 broadcast 172.16.202.255
            inet6 fe80::200:f8ff:fe01:6317%de0 prefixlen 64
            inet6 fec0:0:0:1000:200:f8ff:fe01:6317 prefixlen 64
            inet6 fec0:0:0:1000:: prefixlen 64 anycast
            ether 00:00:f8:01:63:17
            media: autoselect (10baseT/UTP) status: active
            supported media: autoselect 100baseTX <full-duplex> 100baseTX 10baseT/UTP <full-duplex> 10baseT/UTP
See also "/etc/rc.network6" for actual examples.
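As an added example (not part of the KAME kit), the following Python script parses ifconfig output like the above and flags the two conditions described in this section: an interface that is up without any link-local address (bounce it with "ifconfig IF down; ifconfig IF up") and one whose link-local address was replaced because a global address was assigned without "alias". The sample output is constructed; the interface names pcm0 and de1 in it are assumptions.

```python
import re

# Constructed sample modelled on the ifconfig output above.  de0 is healthy;
# pcm0 (assumed name) came up without a hardware address and so has no
# link-local address yet; de1 was given a global address without "alias",
# which replaced its link-local address.
SAMPLE_IFCONFIG = """\
de0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 172.16.202.12 netmask 0xffffff00 broadcast 172.16.202.255
        inet6 fe80::200:f8ff:fe01:6317%de0 prefixlen 64
        inet6 fec0:0:0:1000:200:f8ff:fe01:6317 prefixlen 64
        ether 00:00:f8:01:63:17
pcm0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 172.16.203.12 netmask 0xffffff00 broadcast 172.16.203.255
de1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet6 fec0:0:0:1001:200:f8ff:fe55:7011 prefixlen 64
        ether 00:00:f8:55:70:11
gif0: flags=8010<POINTOPOINT,MULTICAST> mtu 1280
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
        inet 127.0.0.1 netmask 0xff000000
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64
"""

HEADER_RE = re.compile(r"^(\S+): flags=[0-9a-f]+<([^>]*)>")
INET6_RE = re.compile(r"^\s+inet6 ([0-9a-fA-F:]+)(?:%\S+)? prefixlen (\d+)")

def parse_ifconfig(text):
    """Return {ifname: {"up": bool, "inet6": [address, ...]}}."""
    ifaces, cur = {}, None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            cur = m.group(1)
            ifaces[cur] = {"up": "UP" in m.group(2).split(","), "inet6": []}
            continue
        m = INET6_RE.match(line)
        if m and cur is not None:
            ifaces[cur]["inet6"].append(m.group(1).lower())
    return ifaces

def audit_link_local(ifaces):
    """Classify each interface that is up (loopback excluded):
    'ok'               a link-local (fe80::) address is present,
    'no-link-local'    no IPv6 address at all: do "ifconfig IF down; ifconfig IF up",
    'lost-link-local'  only non-link-local addresses: a global address was
                       assigned without "alias" and replaced the link-local one."""
    findings = {}
    for name, info in ifaces.items():
        if not info["up"] or name.startswith("lo"):
            continue   # a down interface gets its link-local address when it comes up
        has_ll = any(a.startswith("fe80:") for a in info["inet6"])
        has_other = any(not a.startswith("fe80:") for a in info["inet6"])
        if has_ll:
            findings[name] = "ok"
        elif has_other:
            findings[name] = "lost-link-local"
        else:
            findings[name] = "no-link-local"
    return findings

if __name__ == "__main__":
    for name, verdict in audit_link_local(parse_ifconfig(SAMPLE_IFCONFIG)).items():
        print(f"{name}: {verdict}")
```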
<<<prefix>>>

In the IPv6 architecture, the IPv6 address of an interface can be generated
from a prefix assigned to it and a link-dependent identifier for the
interface. Assigning a full IPv6 address with ifconfig is no longer
necessary: the user only has to take care of the prefix and lets the
system take care of the interface identifier.
The newly added "prefix" command lets the user assign just prefixes
to interfaces and have the system automatically generate the IPv6
addresses. Prefixes added by the "prefix" command are maintained in
the kernel consistently with prefixes assigned by Router
Renumbering (in the case of routers).
The "prefix" command can only be used on a router, because a host should be
able to configure its addresses automatically. Prefixes added by the "prefix"
command are maintained independently of prefixes assigned by
Router Advertisement. Those two types of prefixes should not coexist on
a machine at the same time, and when that happens it is considered to be
Manual assignment of prefixes or changes of prefix properties take
precedence over those assigned by Router Renumbering.
If you want to assign a prefix (and consequently an address) manually, do:
    # prefix de0 fec0:0:0:1000::

    de0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
            inet 172.16.202.12 netmask 0xffffff00 broadcast 172.16.202.255
            inet6 fe80:1::200:f8ff:fe01:6317 prefixlen 64
            inet6 fec0:0:0:1000:200:f8ff:fe01:6317 prefixlen 64
            inet6 fec0:0:0:1000:: prefixlen 64 anycast
            ether 00:00:f8:01:63:17
            media: autoselect (10baseT/UTP) status: active
            supported media: autoselect 100baseTX <full-duplex> 100baseTX 10baseT/UTP <full-duplex> 10baseT/UTP
To check the assigned prefix, use the "ndp" command (see the description of
the ndp command for its usage):

    fec0:0:0:1000::/64 if=de0
      flags=LA, vltime=2592000, pltime=604800, expire=Never
      No advertising router
The "prefix" command also has node-internal prefix renumbering
If you have multiple prefixes which have fec0:0:0:1000::/56 at the top
and would like to renumber them to fec0:0:0:2000::/56, use the
"prefix" command with the "matchpr" argument and the "usepr" argument.
Suppose that the current state before renumbering is as follows:
    de0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
            inet 172.16.202.12 netmask 0xffffff00 broadcast 172.16.202.255
            inet6 fe80:1::200:f8ff:fe01:6317 prefixlen 64
            inet6 fec0:0:0:1000:200:f8ff:fe01:6317 prefixlen 64
            inet6 fec0:0:0:1000:: prefixlen 64 anycast
            ether 00:00:f8:01:63:17
            media: autoselect (10baseT/UTP) status: active
            supported media: autoselect 100baseTX <full-duplex> 100baseTX 10baseT/UTP <full-duplex> 10baseT/UTP

    de1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
            inet 172.16.203.12 netmask 0xffffff00 broadcast 172.16.203.255
            inet6 fe80:1::200:f8ff:fe55:7011 prefixlen 64
            inet6 fec0:0:0:1001:200:f8ff:fe55:7011 prefixlen 64
            inet6 fec0:0:0:1001:: prefixlen 64 anycast
            ether 00:00:f8:55:70:11
            media: autoselect (10baseT/UTP) status: active
            supported media: autoselect 100baseTX <full-duplex> 100baseTX 10baseT/UTP <full-duplex> 10baseT/UTP

    fec0:0:0:1000::/64 if=de0
      flags=LA, vltime=2592000, pltime=604800, expire=Never
      No advertising router
    fec0:0:0:1001::/64 if=de1
      flags=LA, vltime=2592000, pltime=604800, expire=Never
      No advertising router
Then execute:

    # prefix -a matchpr fec0:0:0:1000:: mp_len 56 usepr fec0:0:0:2000:: up_uselen 56 change
If the command is successful, prefixes and addresses will be renumbered as
    de0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
            inet 172.16.202.12 netmask 0xffffff00 broadcast 172.16.202.255
            inet6 fe80:1::200:f8ff:fe01:6317 prefixlen 64
            inet6 fec0:0:0:2000:200:f8ff:fe01:6317 prefixlen 64
            inet6 fec0:0:0:2000:: prefixlen 64 anycast
            ether 00:00:f8:01:63:17
            media: autoselect (10baseT/UTP) status: active
            supported media: autoselect 100baseTX <full-duplex> 100baseTX 10baseT/UTP <full-duplex> 10baseT/UTP

    de1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
            inet 172.16.203.12 netmask 0xffffff00 broadcast 172.16.203.255
            inet6 fe80:1::200:f8ff:fe55:7011 prefixlen 64
            inet6 fec0:0:0:2001:200:f8ff:fe55:7011 prefixlen 64
            inet6 fec0:0:0:2001:: prefixlen 64 anycast
            ether 00:00:f8:55:70:11
            media: autoselect (10baseT/UTP) status: active
            supported media: autoselect 100baseTX <full-duplex> 100baseTX 10baseT/UTP <full-duplex> 10baseT/UTP

    fec0:0:0:2000::/64 if=de0
      flags=LA, vltime=2592000, pltime=604800, expire=Never
      No advertising router
    fec0:0:0:2001::/64 if=de1
      flags=LA, vltime=2592000, pltime=604800, expire=Never
      No advertising router
See also "/etc/rc.network6" for actual examples.
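To make the matchpr/mp_len/usepr/up_uselen semantics concrete, here is an added Python model of the renumbering (an illustration, not the kernel's code) applied to the "before" state above: an address whose top mp_len bits equal those of matchpr gets its top up_uselen bits replaced by those of usepr, and everything below (the remaining subnet bits and the interface identifier) is kept. The BEFORE table is constructed from the ifconfig output shown above; it also goes one step beyond the text by showing mp_len and up_uselen differing.

```python
import ipaddress

def canon(addr):
    """Canonical (compressed) text form, so results compare reliably."""
    return str(ipaddress.IPv6Address(addr))

def renumber(addr, matchpr, mp_len, usepr, up_uselen):
    """Model of 'prefix -a matchpr M mp_len N usepr U up_uselen K change':
    if the top mp_len bits of addr equal those of matchpr, replace the top
    up_uselen bits with those of usepr and keep every lower bit (remaining
    subnet bits and the interface identifier) untouched."""
    a = int(ipaddress.IPv6Address(addr))
    mp_mask = ((1 << mp_len) - 1) << (128 - mp_len)
    if (a & mp_mask) != (int(ipaddress.IPv6Address(matchpr)) & mp_mask):
        return canon(addr)                      # not under matchpr: untouched
    up_mask = ((1 << up_uselen) - 1) << (128 - up_uselen)
    low_mask = (1 << (128 - up_uselen)) - 1
    return canon((int(ipaddress.IPv6Address(usepr)) & up_mask) | (a & low_mask))

def renumber_node(addrs, matchpr, mp_len, usepr, up_uselen):
    """Apply renumber() to every inet6 address of every interface;
    addrs maps an interface name to a list of (address, prefixlen)."""
    return {ifn: [(renumber(a, matchpr, mp_len, usepr, up_uselen), plen)
                  for a, plen in lst]
            for ifn, lst in addrs.items()}

# Constructed from the "before" ifconfig output above (link-local address,
# global address and subnet-router anycast address of each interface).
BEFORE = {
    "de0": [("fe80:1::200:f8ff:fe01:6317", 64),
            ("fec0:0:0:1000:200:f8ff:fe01:6317", 64),
            ("fec0:0:0:1000::", 64)],
    "de1": [("fe80:1::200:f8ff:fe55:7011", 64),
            ("fec0:0:0:1001:200:f8ff:fe55:7011", 64),
            ("fec0:0:0:1001::", 64)],
}

if __name__ == "__main__":
    after = renumber_node(BEFORE, "fec0:0:0:1000::", 56, "fec0:0:0:2000::", 56)
    for ifn, lst in after.items():
        for a, plen in lst:
            print(f"{ifn}: inet6 {a} prefixlen {plen}")
```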
<<<route>>>

If there is a router announcing Router Advertisements on the subnet,
you don't need to add a default route for your host yourself.
(Please refer to the "sysctl" section to accept Router Advertisements.)

If you want to add a default route manually, do as follows:

    # route add -inet6 default fe80::200:a2ff:fe0e:7543%de0

"default" means ::/0.

Note that in IPv6 a link-local address should be used as the gateway
("fe80::200:a2ff:fe0e:7543%de0" in the above). If you use global addresses,
icmp6 redirect may not work properly. For ease of configuration we recommend
that you avoid static routes and run a routing daemon (route6d for example)
<<<ping6>>> (This might be integrated into "ping" as "ping -6" in the future.)

Reachability can be checked with "ping6". This "ping6" allows multicast

    % ping6 -I xl0 ff02::1

    PING6(56=40+8+8 bytes) fe80::5254:ff:feda:cb7d --> ff02::1
    56 bytes from fe80::5254:ff:feda:cb7d, icmp_seq=0 hlim=64 time=0.25 ms
    56 bytes from fe80::2a0:c9ff:fe84:ed6c, icmp_seq=0 hlim=64 time=1.333 ms(DUP!)
    56 bytes from fe80::5254:ff:feda:d161, icmp_seq=0 hlim=64 time=1.459 ms(DUP!)
    56 bytes from fe80::260:97ff:fec2:80bf, icmp_seq=0 hlim=64 time=1.538 ms(DUP!)
Name resolution is possible with the ICMPv6 node information query message.
This is very convenient for link-local addresses whose host names cannot be
resolved by DNS. Specify the "-w" option to "ping6".

    % ping6 -I xl0 -w ff02::1

    64 bytes from fe80::5254:ff:feda:cb7d: fto.kame.net
    67 bytes from fe80::5254:ff:feda:d161: banana.kame.net
    69 bytes from fe80::2a0:c9ff:fe84:ebd9: paradise.kame.net
    66 bytes from fe80::260:8ff:fe8b:447f: taroh.kame.net
    66 bytes from fe80::2a0:c9ff:fe84:ed6c: ayame.kame.net
<<<traceroute6>>>

The route to a target host can be checked with "traceroute6".

    % traceroute6 tokyo.v6.wide.ad.jp

    traceroute to tokyo.v6.wide.ad.jp (3ffe:501:0:401:200:e8ff:fed5:8923), 30 hops max, 12 byte packets
     1  nr60.v6.kame.net  1.239 ms  0.924 ms  0.908 ms
     2  otemachi.v6.wide.ad.jp  28.953 ms  31.451 ms  26.567 ms
     3  tokyo.v6.wide.ad.jp  26.549 ms  26.58 ms  26.186 ms

If the -l option is specified, both the address and the name are shown on each line.

    % traceroute6 -l tokyo.v6.wide.ad.jp

    traceroute to tokyo.v6.wide.ad.jp (3ffe:501:0:401:200:e8ff:fed5:8923), 30 hops max, 12 byte packets
     1  nr60.v6.kame.net (3ffe:501:4819:2000:260:97ff:fec2:80bf)  1.23 ms  0.952 ms  0.92 ms
     2  otemachi.v6.wide.ad.jp (3ffe:501:0:1802:260:97ff:feb6:7ff0)  27.345 ms  26.706 ms  26.563 ms
     3  tokyo.v6.wide.ad.jp (3ffe:501:0:401:200:e8ff:fed5:8923)  26.329 ms  26.36 ms  28.63 ms
<<<ndp>>>

To display the current Neighbor cache, use "ndp":

    Neighbor                    Linklayer Address  Netif Expire    St Flgs Prbs
    nr60.v6.kame.net            0:60:97:c2:80:bf   xl0   expired   S  R
    fec0:0:0:1000:2c0:cff:fe10  0:c0:c:10:3a:53    xl0   permanent    R
    paradise.v6.kame.net        52:54:0:dc:52:17   xl0   expired   S  R
    fe80:1::200:eff:fe49:f929   0:0:e:49:f9:29     xl0   expired   S  R
    fe80:1::200:86ff:fe05:80da  0:0:86:5:80:da     xl0   expired   S
    fe80:1::200:86ff:fe05:c2d8  0:0:86:5:c2:d8     xl0   9s           R

To flush the whole NDP cache, run ndp as root.

To display the prefix list:

    fec0:0:0:1000::/64 if=xl0
      flags=LA, vltime=2592000, pltime=604800, expire=29d23h59m58s
        fe80::5254:ff:fedc:5217
        fe80::260:97ff:fec2:80bf
        fe80::200:eff:fe49:f929

To display the default router list:

    fe80::260:97ff:fec2:80bf if=xl0, flags=, expire=29m55s
    fe80::5254:ff:fedc:5217 if=xl0, flags=, expire=29m7s
    fe80::200:eff:fe49:f929 if=xl0, flags=, expire=28m47s
<<<rtsol>>>

To generate a Router Solicitation message right now to get global
addresses, use "rtsol". Before:

    xl0: flags=8a43<UP,BROADCAST,RUNNING,ALLMULTI,SIMPLEX,MULTICAST> mtu 1500
            inet6 fe80:2::2a0:24ff:feab:839b%xl0 prefixlen 64
            ether 0:a0:24:ab:83:9b
            media: autoselect (10baseT/UTP) status: active
            supported media: autoselect 100baseTX <full-duplex> 100baseTX 10baseT/UTP <full-duplex> 10baseT/UTP 100baseTX <hw-loopback>

After running rtsol:

    xl0: flags=8a43<UP,BROADCAST,RUNNING,ALLMULTI,SIMPLEX,MULTICAST> mtu 1500
            inet6 fe80:2::2a0:24ff:feab:839b%xl0 prefixlen 64
            inet6 fec0:0:0:1000:2a0:24ff:feab:839b prefixlen 64
            ether 0:a0:24:ab:83:9b
            media: autoselect (10baseT/UTP) status: active
            supported media: autoselect 100baseTX <full-duplex> 100baseTX 10baseT/UTP <full-duplex> 10baseT/UTP 100baseTX <hw-loopback>
<<<rtsold>>>

rtsold is a daemon version of rtsol. If you run KAME IPv6 on a laptop
computer and frequently move around with it, the daemon is useful since it watches
the interface and sends router solicitations when the status of the interface
changes. Note, however, that this feature is disabled by default; add the
-m option when invoking rtsold.

rtsold also supports multiple interfaces, which are all given on its
command line.
<<<netstat>>>

To see the routing table:

    # netstat -nrl        (long format with Ref and Use)
<<<sysctl>>>

If "net.inet6.ip6.accept_rtadv" is 1, Router Advertisements are
accepted. This means that global addresses and the default route are
set up automatically. Otherwise, the announcements are rejected. The
default value is 0. To set "net.inet6.ip6.accept_rtadv" to 1, execute:

    # sysctl -w net.inet6.ip6.accept_rtadv=1
<<<gif>>>

The "gif" interface enables you to perform IPv{4,6} over IPv{4,6}
protocol tunneling. To use this interface, you must specify the
outer IPv{4,6} addresses with gifconfig, like:

    # gifconfig gif0 172.16.198.61 172.16.11.21

"ifconfig gif0" will configure the address pair used for the inner

It is not required to configure the inner IPv{4,6} address pair. If
you do not configure the inner IPv{4,6} address pair, the tunnel link is
considered an unnumbered link and the source address of the inner
IPv{4,6} header will be borrowed from other interfaces.

The following example configures an unnumbered IPv6-over-IPv4 tunnel:

    # gifconfig gif0 10.0.0.1 10.0.0.1 netmask 255.255.255.0

The following example configures a numbered IPv6-over-IPv4 tunnel:

    # gifconfig gif0 10.0.0.1 10.0.0.1 netmask 255.255.255.0
    # ifconfig gif0 inet6 fec0:0:0:3000::1 fec0:0:0:3000::2 prefixlen 64 alias

The IPv6 spec allows you to use a point-to-point link without a global IPv6
address assigned to the interface. Routing protocols (such as RIPng)
use link-local addresses only. If you are configuring an IPv6-over-IPv4
tunnel, you need not configure an address pair for the inner IPv6
header. For simplicity, we suggest you use the former example (unnumbered
IPv6-over-IPv4 tunnel) for router-to-router connections to the 6bone.

Note that it is very easy to make an infinite routing loop with the gif
interface if you configure a tunnel using the same protocol family
for inner and outer header (i.e. IPv4-over-IPv4).

Refer to gifconfig(8) for more details.
<<<inetd>>>

Inetd supports AF_INET and AF_INET6 sockets, with IPsec policy
configuration support.

Refer to inetd(8) for more details.
<<<IPsec>>>

The current KAME supports both transport mode and tunnel mode.
However, tunnel mode comes with some restrictions.
http://www.kame.net/newsletter/ has more comprehensive examples.
Let's set up security associations to deploy a secure channel between
HOST A (10.2.3.4) and HOST B (10.6.7.8). Here we show a slightly
complicated example. From HOST A to HOST B, only old AH is used.
From HOST B to HOST A, new AH and new ESP are combined.
Now we should choose the algorithm to be used for each of "AH"/"new
AH"/"ESP"/"new ESP". Please refer to the "setkey" man page for the
algorithm names. Our choice is MD5 for AH, new-HMAC-SHA1 for new AH,
and new-DES-expIV with an 8 byte IV for new ESP.
The key length depends on each algorithm. For example, the key
length must be exactly 16 bytes for MD5, 20 for new-HMAC-SHA1,
and 8 for new-DES-expIV. We choose "MYSECRETMYSECRET",
"KAMEKAMEKAMEKAMEKAME" and "PASSWORD", respectively.
OK, let's assign an SPI (Security Parameter Index) to each protocol.
Please note that we need 3 SPIs for this secure channel since three
security headers are produced (one from HOST A to HOST B, two from
HOST B to HOST A). Please also note that an SPI MUST be greater
than or equal to 256. We choose 1000, 2000 and 3000, respectively.
    HOST A ------> HOST B
        old AH  : SPI=1000, ALG=MD5 (keyed-md5),           KEY=MYSECRETMYSECRET

    HOST A <------ HOST B
        new AH  : SPI=2000, ALG=new-HMAC-SHA1 (hmac-sha1), KEY=KAMEKAMEKAMEKAMEKAME
        new ESP : SPI=3000, ALG=new-DES-expIV (des-cbc),   KEY=PASSWORD
Now, let's set up the security associations. Execute "setkey" on both HOST

    add 10.2.3.4 10.6.7.8 ah 1000 -m transport -A keyed-md5 "MYSECRETMYSECRET" ;
    add 10.6.7.8 10.2.3.4 ah 2000 -m transport -A hmac-sha1 "KAMEKAMEKAMEKAMEKAME" ;
    add 10.6.7.8 10.2.3.4 esp 3000 -m transport -E des-cbc "PASSWORD" ;
Actually, IPsec communication does not take place until security policy
entries have been defined. In this case, you must set up each host.

Configuration at HOST A:

    spdadd 10.2.3.4 10.6.7.8 any -P out ipsec
        ah/transport/10.2.3.4-10.6.7.8/require ;

Configuration at HOST B:

    # one policy with two requests: ESP is applied first, then AH
    # (a second spdadd for the same selector would be rejected as a duplicate)
    spdadd 10.6.7.8 10.2.3.4 any -P out ipsec
        esp/transport/10.6.7.8-10.2.3.4/require
        ah/transport/10.6.7.8-10.2.3.4/require ;
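As an added check (not part of setkey or the KAME kit), this Python script reads a setkey configuration like the one above and reports the mistakes this section warns about: an SPI below 256, a key whose length does not match the algorithm, and a policy that requires an SA in a direction for which none was added (the point of "Note the direction of SP" below); it applies just as well to the later examples. The fixed key sizes are those given in setkey(8); SAMPLE_CONF is a constructed copy of the HOST A/HOST B entries with two deliberately wrong statements added.

```python
import shlex

# Key sizes in bytes for the fixed-length algorithms used in this document
# (from setkey(8)); variable-length ciphers such as blowfish-cbc, cast128-cbc
# and rc5-cbc are only checked for a non-empty key.
KEY_BYTES = {"keyed-md5": 16, "hmac-md5": 16, "keyed-sha1": 20, "hmac-sha1": 20,
             "des-cbc": 8, "3des-cbc": 24}

# Constructed sample: the HOST A / HOST B entries above plus two wrong ones.
SAMPLE_CONF = """\
add 10.2.3.4 10.6.7.8 ah 1000 -m transport -A keyed-md5 "MYSECRETMYSECRET" ;
add 10.6.7.8 10.2.3.4 ah 2000 -m transport -A hmac-sha1 "KAMEKAMEKAMEKAMEKAME" ;
add 10.6.7.8 10.2.3.4 esp 3000 -m transport -E des-cbc "PASSWORD" ;
# wrong on purpose: reserved SPI and a 5-byte DES key
add 10.6.7.8 10.2.3.4 esp 100 -m transport -E des-cbc "SHORT" ;
spdadd 10.2.3.4 10.6.7.8 any -P out ipsec
    ah/transport/10.2.3.4-10.6.7.8/require ;
# wrong on purpose: inbound policy, but the SA endpoints are in the outbound order
spdadd 10.6.7.8 10.2.3.4 any -P in ipsec
    esp/transport/10.2.3.4-10.6.7.8/require ;
"""

def parse_setkey(conf):
    """Split setkey input into ';'-terminated statements, drop '#' comments and
    tokenise with shell quoting so a key like "this is the test key" stays whole."""
    text = "\n".join(line.split("#", 1)[0] for line in conf.splitlines())
    return [shlex.split(stmt) for stmt in text.split(";") if stmt.strip()]

def check_sas(stmts):
    """Problems in 'add SRC DST PROTO SPI [-m MODE] -A/-E ALG KEY ...' statements."""
    problems = []
    for t in stmts:
        if t[0] != "add":
            continue
        src, dst, proto, spi = t[1], t[2], t[3], int(t[4], 0)
        tag = f"{proto} {src}->{dst} spi {spi}"
        if spi < 256:
            problems.append(f"{tag}: SPI must be >= 256 (0-255 are reserved)")
        for i, tok in enumerate(t):
            if tok in ("-A", "-E"):
                alg, key = t[i + 1], t[i + 2]
                want = KEY_BYTES.get(alg)
                if want is not None and len(key.encode()) != want:
                    problems.append(f"{tag}: {alg} needs a {want}-byte key, got {len(key)}")
                elif not key:
                    problems.append(f"{tag}: empty key for {alg}")
    return problems

def check_sps(stmts):
    """Every PROTO/MODE/SRC-DST/LEVEL request of an spdadd policy needs an SA of
    that protocol from SRC to DST; 'ah' is also satisfied by an 'ah-old' SA."""
    sas = {(t[3].replace("-old", ""), t[1], t[2]) for t in stmts if t[0] == "add"}
    problems = []
    for t in stmts:
        if t[0] != "spdadd" or "ipsec" not in t:
            continue
        direction = t[t.index("-P") + 1]
        for req in t[t.index("ipsec") + 1:]:
            parts = req.split("/")
            if len(parts) != 4 or "-" not in parts[2]:
                continue                      # no explicit endpoints: nothing to match
            src, dst = parts[2].split("-")
            if (parts[0], src, dst) not in sas:
                problems.append(f"policy {t[1]} -> {t[2]} ({direction}): "
                                f"no {parts[0]} SA {src}->{dst}")
    return problems

def audit(conf):
    """All findings for one setkey configuration, SA problems first."""
    stmts = parse_setkey(conf)
    return check_sas(stmts) + check_sps(stmts)
```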
To utilize the security associations installed in the kernel, you
must set the socket security level with setsockopt().
This is per-application (or per-socket) security. For example,
the "ping" command has the -P option, whose parameter enables AH and/or ESP.

    % ping -P "out ipsec \
        ah/transport/10.0.1.1-10.0.2.2/use \
        esp/tunnel/10.0.1.1-10.0.1.2/require" 10.0.2.2
If there are proper SAs, this policy specification causes the ICMP packet
to be sent in AH transport mode inside ESP tunnel mode, like below:

    HOST C -----------> GATEWAY D ----------> HOST E
    10.0.1.1            10.0.1.2  10.0.2.1    10.0.2.2

    |======= ESP =======|
    |==================== AH ======================|
Another example using IPv6.

ESP transport mode is recommended for TCP port number 110 between Host-A and

             ============ ESP ============
    fec0::10 -------------------- fec0::11
    Host-A                        Host-B
The encryption algorithm is blowfish-cbc with key "kamekame", and the
authentication algorithm is hmac-sha1 with key "this is the test key".
Configuration at Host-A:

    spdadd fec0::10[any] fec0::11[110] tcp -P out ipsec
        esp/transport/fec0::10-fec0::11/use ;
    spdadd fec0::11[110] fec0::10[any] tcp -P in ipsec
        esp/transport/fec0::11-fec0::10/use ;
    add fec0::10 fec0::11 esp 0x10001 -m transport
        -E blowfish-cbc "kamekame"
        -A hmac-sha1 "this is the test key" ;
    add fec0::11 fec0::10 esp 0x10002 -m transport
        -E blowfish-cbc "kamekame"
        -A hmac-sha1 "this is the test key" ;
Configuration at Host-B:

    spdadd fec0::11[110] fec0::10[any] tcp -P out ipsec
        esp/transport/fec0::11-fec0::10/use ;
    spdadd fec0::10[any] fec0::11[110] tcp -P in ipsec
        esp/transport/fec0::10-fec0::11/use ;
    add fec0::10 fec0::11 esp 0x10001 -m transport
        -E blowfish-cbc "kamekame"
        -A hmac-sha1 "this is the test key" ;
    add fec0::11 fec0::10 esp 0x10002 -m transport
        -E blowfish-cbc "kamekame"
        -A hmac-sha1 "this is the test key" ;
Note the direction of the SP.
Tunnel mode between two security gateways

The security protocol is old AH tunnel mode, i.e. as specified by RFC1826, with
keyed-md5 (key "this is the test") as the authentication algorithm.

    Network-A       Gateway-A         Gateway-B       Network-B
    10.0.1.0/24 ---- 172.16.0.1 ----- 172.16.0.2 ---- 10.0.2.0/24
Configuration at Gateway-A:

    spdadd 10.0.1.0/24 10.0.2.0/24 any -P out ipsec
        ah/tunnel/172.16.0.1-172.16.0.2/require ;
    spdadd 10.0.2.0/24 10.0.1.0/24 any -P in ipsec
        ah/tunnel/172.16.0.2-172.16.0.1/require ;
    add 172.16.0.1 172.16.0.2 ah-old 0x10003 -m any
        -A keyed-md5 "this is the test" ;
    add 172.16.0.2 172.16.0.1 ah-old 0x10004 -m any
        -A keyed-md5 "this is the test" ;
If the port number field is omitted as above, "[any]" is used. `-m'
specifies the mode of the SA. "-m any" means a wildcard mode for the
security protocol: you can use this SA for both tunnel and transport mode.
Configuration at Gateway-B:

    spdadd 10.0.2.0/24 10.0.1.0/24 any -P out ipsec
        ah/tunnel/172.16.0.2-172.16.0.1/require ;
    spdadd 10.0.1.0/24 10.0.2.0/24 any -P in ipsec
        ah/tunnel/172.16.0.1-172.16.0.2/require ;
    add 172.16.0.1 172.16.0.2 ah-old 0x10003 -m any
        -A keyed-md5 "this is the test" ;
    add 172.16.0.2 172.16.0.1 ah-old 0x10004 -m any
        -A keyed-md5 "this is the test" ;
Making an SA bundle between two security gateways

AH transport mode and ESP tunnel mode are required between Gateway-A and
Gateway-B. In this case, ESP tunnel mode is applied first, and AH transport

                        ========== AH =========
                        | ======= ESP ===== |
    Network-A           Gateway-A         Gateway-B           Network-B
    fec0:0:0:1::/64 --- fec0:0:0:1::1 ---- fec0:0:0:2::1 --- fec0:0:0:2::/64
The encryption algorithm is 3des-cbc, and the authentication algorithm for ESP is
hmac-sha1. The authentication algorithm for AH is hmac-md5.
Configuration at Gateway-A:

    spdadd fec0:0:0:1::/64 fec0:0:0:2::/64 any -P out ipsec
        esp/tunnel/fec0:0:0:1::1-fec0:0:0:2::1/require
        ah/transport/fec0:0:0:1::1-fec0:0:0:2::1/require ;
    spdadd fec0:0:0:2::/64 fec0:0:0:1::/64 any -P in ipsec
        esp/tunnel/fec0:0:0:2::1-fec0:0:0:1::1/require
        ah/transport/fec0:0:0:2::1-fec0:0:0:1::1/require ;
    add fec0:0:0:1::1 fec0:0:0:2::1 esp 0x10001 -m tunnel
        -E 3des-cbc "kamekame12341234kame1234"
        -A hmac-sha1 "this is the test key" ;
    add fec0:0:0:1::1 fec0:0:0:2::1 ah 0x10001 -m transport
        -A hmac-md5 "this is the test" ;
    add fec0:0:0:2::1 fec0:0:0:1::1 esp 0x10001 -m tunnel
        -E 3des-cbc "kamekame12341234kame1234"
        -A hmac-sha1 "this is the test key" ;
    add fec0:0:0:2::1 fec0:0:0:1::1 ah 0x10001 -m transport
        -A hmac-md5 "this is the test" ;
Making SAs with different ends

ESP tunnel mode is required between Host-A and Gateway-A. The encryption
algorithm is cast128-cbc, and the authentication algorithm for ESP is hmac-sha1.
ESP transport mode is recommended between Host-A and Host-B. The encryption
algorithm is rc5-cbc, and the authentication algorithm for ESP is hmac-md5.

    ================== ESP =================
    | ======= ESP ======= |
    Host-A             Gateway-A          Host-B
    fec0:0:0:1::1 ---- fec0:0:0:2::1 ---- fec0:0:0:2::2
Configuration at Host-A:

    spdadd fec0:0:0:1::1[any] fec0:0:0:2::2[80] tcp -P out ipsec
        esp/transport/fec0:0:0:1::1-fec0:0:0:2::2/use
        esp/tunnel/fec0:0:0:1::1-fec0:0:0:2::1/require ;
    # the inbound selector mirrors the outbound one: from Host-B port 80
    spdadd fec0:0:0:2::2[80] fec0:0:0:1::1[any] tcp -P in ipsec
        esp/transport/fec0:0:0:2::2-fec0:0:0:1::1/use
        esp/tunnel/fec0:0:0:2::1-fec0:0:0:1::1/require ;
    # transport SAs Host-A <-> Host-B: rc5-cbc / hmac-md5, as stated above
    add fec0:0:0:1::1 fec0:0:0:2::2 esp 0x10001 -m transport
        -E rc5-cbc "kamekame"
        -A hmac-md5 "this is the test" ;
    # tunnel SAs Host-A <-> Gateway-A: cast128-cbc / hmac-sha1, as stated above
    add fec0:0:0:1::1 fec0:0:0:2::1 esp 0x10002 -m tunnel
        -E cast128-cbc "12341234"
        -A hmac-sha1 "this is the test key" ;
    add fec0:0:0:2::2 fec0:0:0:1::1 esp 0x10003 -m transport
        -E rc5-cbc "kamekame"
        -A hmac-md5 "this is the test" ;
    add fec0:0:0:2::1 fec0:0:0:1::1 esp 0x10004 -m tunnel
        -E cast128-cbc "12341234"
        -A hmac-sha1 "this is the test key" ;