> Hi all,
>
> Is there a howto/example guide for configuring IPSec for -current?
Hi, I prepared one and sent the patches to freebsd-doc yesterday.
I'll attach the IPsec part of the document at the end of this mail.
Also,
http://www.kame.net/newsletter/19991007/
might have a better description of IPsec tunnel setup.
Thanks,
Yoshinobu Inoue
> Needless to say I've spent fruitless hours trying to convince "setkey"
> to send an IPSec packet to my network's internet gateway w/o success.
> My setup is typical: mobile/dynamic-assigned-ip-address freebsd box
> trying to contact fixed address/private address network/(net 10)/ network
> via an Ascend router with IPSec support. But according to "tcpdump" my
> IPSec packets never leave. Help would be appreciated.
>
> Thanks a bunch.
>
> Kent
-------------------------------------------------------------------
+<<<IPsec>>>
+
+The current KAME supports both transport mode and tunnel mode.
+However, tunnel mode comes with some restrictions.
+
+IPsec requires fairly complex configuration, so here we show transport
+mode only. http://www.kame.net/newsletter/ has more comprehensive
+examples.
+
+Let's setup security association to deploy a secure channel between
+HOST A (10.2.3.4) and HOST B (10.6.7.8). Here we show a little
+complicated example. From HOST A to HOST B, only old AH is used.
+From HOST B to HOST A, new AH and new ESP are combined.
+
+Now we should choose algorithm to be used corresponding to "AH"/"new
+AH"/"ESP"/"new ESP". Please refer to the "setkey" man page to know
+algorithm names. Our choice is MD5 for AH, new-HMAC-SHA1 for new AH,
+and new-DES-expIV with 8 byte IV for new ESP.
+
+Key length highly depends on each algorithm. For example, key
+length must be equal to 16 bytes for MD5, 20 for new-HMAC-SHA1,
+and 8 for new-DES-expIV. Now we choose "MYSECRETMYSECRET",
+"KAMEKAMEKAMEKAMEKAME", "PASSWORD", respectively.
+
+OK, let's assign SPI (Security Parameter Index) for each protocol.
+Please note that we need 3 SPIs for this secure channel since three
+security headers are produced (one for from HOST A to HOST B, two for
+from HOST B to HOST A). Please also note that SPI MUST be greater
+than or equal to 256. We choose, 1000, 2000, and 3000, respectively.
+
+
+ (1)
+ HOST A ------> HOST B
+
+ (1)PROTO=AH
+ ALG=MD5(RFC1826)
+ KEY=MYSECRETMYSECRET
+ SPI=1000
+
+ (2.1)
+ HOST A <------ HOST B
+ <------
+ (2.2)
+
+ (2.1)
+ PROTO=AH
+ ALG=new-HMAC-SHA1(new AH)
+ KEY=KAMEKAMEKAMEKAMEKAME
+ SPI=2000
+
+ (2.2)
+ PROTO=ESP
+ ALG=new-DES-expIV(new ESP)
+ IV length = 8
+ KEY=PASSWORD
+ SPI=3000
+
+Now, let's setup security association. Execute "setkey" on both HOST
+A and B:
+
+# setkey -c
+add 10.2.3.4 10.6.7.8 ah 1000 -m transport -A keyed-md5 "MYSECRETMYSECRET" ;
+add 10.6.7.8 10.2.3.4 ah 2000 -m transport -A hmac-sha1 "KAMEKAMEKAMEKAMEKAME" ;
+add 10.6.7.8 10.2.3.4 esp 3000 -m transport -E des-cbc "PASSWORD" ;
+^D
+
+Actually, IPsec communication doesn't process until security policy
+entries will be defined. In this case, you must setup each host.
+
+At A:
+# setkey -c
+spdadd 10.2.3.4 10.6.7.8 any -P out ipsec
+ ah/transport/10.2.3.4-10.6.7.8/require ;
+^D
+
+At B:
+spdadd 10.6.7.8 10.2.3.4 any -P out ipsec
+ esp/transport/10.6.7.8-10.2.3.4/require ;
+spdadd 10.6.7.8 10.2.3.4 any -P out ipsec
+ ah/transport/10.6.7.8-10.2.3.4/require ;
+^D
+
+To utilize the security associations installed into the kernel, you
+must set the socket security level by using setsockopt().
+This is per-application (or per-socket) security. For example,
+the "ping" command has the -P option with parameter to enable AH and/or ESP.
+
+For example:
+% ping -P "out ipsec \
+ ah/transport/10.0.1.1-10.0.2.2/use \
+ esp/tunnel/10.0.1.1-10.0.1.2/require" 10.0.2.2
+
+If there are proper SAs, this policy specification causes ICMP packet
+to be AH transport mode inner ESP tunnel mode like below.
+
+ HOST C -----------> GATEWAY D ----------> HOST E
+ 10.0.1.1 10.0.1.2 10.0.2.1 10.0.2.2
+ | | | |
+ | ======= ESP ======= |
+ ==================== AH ==================
+
+ <end of USAGE>
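Review bot: the "At B:" block is missing the "# setkey -c" invocation that the "At A:" block has, so a reader copying it verbatim types the spdadd lines at the shell prompt; add the same leading line and keep the trailing ^D. In the same block, the two spdadd entries for B carry an identical selector (10.6.7.8 10.2.3.4 any -P out), yet the text above says new AH and new ESP are combined on that direction, which is one policy with two ipsec request strings ("ipsec esp/transport/10.6.7.8-10.2.3.4/require ah/transport/10.6.7.8-10.2.3.4/require ;"), not two policies for one selector. Also, the prose names the algorithms MD5, new-HMAC-SHA1 and new-DES-expIV while the setkey commands use keyed-md5, hmac-sha1 and des-cbc; stating the setkey names beside the prose names (or in the SPI table) would spare the reader the trip to the man page that the text asks for, and would make the key-length requirements (16, 20 and 8 bytes) directly checkable against the three quoted keys, which do match.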