|
#!/sbin/setkey -f flush; spdflush; spdadd 2001:db8:1:1::1 2001:db8:2:2::2 any -P out ipsec ¬ esp/transport//require; spdadd 2001:db8:2:2::2 2001:db8:1:1::1 any -P in ipsec ¬ esp/transport//require;
#!/sbin/setkey -f flush; spdflush; spdadd 2001:db8:1:1::1 2001:db8:2:2::2 any -P out ipsec ¬ esp/tunnel/2001:db8:1:1::1-2001:db8:2:2::2/require; spdadd 2001:db8:2:2::2 2001:db8:1:1::1 any -P in ipsec ¬ esp/tunnel/2001:db8:2:2::2-2001:db8:1:1::1/require;
# Racoon IKE daemon configuration file. # See 'man racoon.conf' for a description of the format and entries. path include "/etc/racoon"; path pre_shared_key "/etc/racoon/psk.txt"; listen { isakmp 2001:db8:1:1::1; } remote 2001:db8:2:2::2 { exchange_mode main; lifetime time 24 hour; proposal { encryption_algorithm 3des; hash_algorithm md5; authentication_method pre_shared_key; dh_group 2; } } # gateway-to-gateway sainfo address 2001:db8:1:1::1 any address 2001:db8:2:2::2 any { lifetime time 1 hour; encryption_algorithm 3des; authentication_algorithm hmac_md5; compression_algorithm deflate; } sainfo address 2001:db8:2:2::2 any address 2001:db8:1:1::1 any { lifetime time 1 hour; encryption_algorithm 3des; authentication_algorithm hmac_md5; compression_algorithm deflate; }
# file for pre-shared keys used for IKE authentication # format is: 'identifier' 'key' 2001:db8:2:2::2 verysecret
# racoon -F -v -f /etc/racoon/racoon.conf Foreground mode. 2005-01-01 20:30:15: INFO: @(#)ipsec-tools 0.3.3 ¬ (http://ipsec-tools.sourceforge.net) 2005-01-01 20:30:15: INFO: @(#)This product linked OpenSSL 0.9.7a Feb 19 ¬ 2003 (http://www.openssl.org/) 2005-01-01 20:30:15: INFO: 2001:db8:1:1::1[500] used as isakmp port (fd=7) 2005-01-01 20:31:06: INFO: IPsec-SA request for 2001:db8:2:2::2 queued due ¬ to no phase1 found. 2005-01-01 20:31:06: INFO: initiate new phase 1 negotiation: ¬ 2001:db8:1:1::1[500]<=>2001:db8:2:2::2[500] 2005-01-01 20:31:06: INFO: begin Identity Protection mode. 2005-01-01 20:31:09: INFO: ISAKMP-SA established ¬ 2001:db8:1:1::1[500]-2001:db8:2:2::2[500] ¬ spi:da3d3693289c9698:ac039a402b2db401 2005-01-01 20:31:09: INFO: initiate new phase 2 negotiation: ¬ 2001:6f8:900:94::2[0]<=>2001:db8:2:2::2[0] 2005-01-01 20:31:10: INFO: IPsec-SA established: ESP/Tunnel ¬ 2001:db8:2:2::2->2001:db8:1:1::1 spi=253935531(0xf22bfab) 2005-01-01 20:31:10: INFO: IPsec-SA established: ESP/Tunnel ¬ 2001:db8:1:1::1->2001:db8:2:2::2 spi=175002564(0xa6e53c4)
20:35:55.305707 2001:db8:1:1::1 > 2001:db8:2:2::2: ¬ ESP(spi=0x0a6e53c4,seq=0x3) 20:35:55.537522 2001:db8:2:2::2 > 2001:db8:1:1::1: ¬ ESP(spi=0x0f22bfab,seq=0x3)
# # setkey -D 2001:db8:1:1::1 2001:db8:2:2::2 esp mode=tunnel spi=175002564(0x0a6e53c4) reqid=0(0x00000000) E: 3des-cbc bd26bc45 aea0d249 ef9c6b89 7056080f 5d9fa49c 924e2edd A: hmac-md5 60c2c505 517dd8b7 c9609128 a5efc2db seq=0x00000000 replay=4 flags=0x00000000 state=mature created: Jan 1 20:31:10 2005 current: Jan 1 20:40:47 2005 diff: 577(s) hard: 3600(s) soft: 2880(s) last: Jan 1 20:35:05 2005 hard: 0(s) soft: 0(s) current: 540(bytes) hard: 0(bytes) soft: 0(bytes) allocated: 3 hard: 0 soft: 0 sadb_seq=1 pid=22358 refcnt=0 2001:db8:2:2::2 2001:db8:1:1::1 esp mode=tunnel spi=253935531(0x0f22bfab) reqid=0(0x00000000) E: 3des-cbc c1ddba65 83debd62 3f6683c1 20e747ac 933d203f 4777a7ce A: hmac-md5 3f957db9 9adddc8c 44e5739d 3f53ca0e seq=0x00000000 replay=4 flags=0x00000000 state=mature created: Jan 1 20:31:10 2005 current: Jan 1 20:40:47 2005 diff: 577(s) hard: 3600(s) soft: 2880(s) last: Jan 1 20:35:05 2005 hard: 0(s) soft: 0(s) current: 312(bytes) hard: 0(bytes) soft: 0(bytes) allocated: 3 hard: 0 soft: 0 sadb_seq=0 pid=22358 refcnt=0
# /etc/ipsec.conf - Openswan IPsec configuration file # # Manual: ipsec.conf.5 version 2.0 # conforms to second version of ipsec.conf specification # basic configuration config setup # Debug-logging controls: "none" for (almost) none, "all" for lots. # klipsdebug=none # plutodebug="control parsing" #Disable Opportunistic Encryption include /etc/ipsec.d/examples/no_oe.conf conn ipv6-p1-p2 connaddrfamily=ipv6 # Important for IPv6! left=2001:db8:1:1::1 right=2001:db8:2:2::2 authby=secret esp=aes128-sha1 ike=aes128-sha-modp1024 type=transport #type=tunnel compress=no #compress=yes auto=add #auto=start
2001:db8:1:1::1 2001:db8:2:2::2 : PSK "verysecret"
# /etc/rc.d/init.d/ipsec start
# ipsec auto --up ipv6-peer1-peer2 104 "ipv6-p1-p2" #1: STATE_MAIN_I1: initiate 106 "ipv6-p1-p2" #1: STATE_MAIN_I2: sent MI2, expecting MR2 108 "ipv6-p1-p2" #1: STATE_MAIN_I3: sent MI3, expecting MR3 004 "ipv6-p1-p2" #1: STATE_MAIN_I4: ISAKMP SA established 112 "ipv6-p1-p2" #2: STATE_QUICK_I1: initiate 004 "ipv6-p1-p2" #2: STATE_QUICK_I2: sent QI2, IPsec SA established ¬ {ESP=>0xa98b7710 <0xa51e1f22}
# setkey -D 2001:db8:1:1::1 2001:db8:2:2::2 esp mode=transport spi=2844489488(0xa98b7710) reqid=16385(0x00004001) E: aes-cbc 082ee274 2744bae5 7451da37 1162b483 A: hmac-sha1 b7803753 757417da 477b1c1a 64070455 ab79082c seq=0x00000000 replay=64 flags=0x00000000 state=mature created: Jan 1 21:16:32 2005 current: Jan 1 21:22:20 2005 diff: 348(s) hard: 0(s) soft: 0(s) last: hard: 0(s) soft: 0(s) current: 0(bytes) hard: 0(bytes) soft: 0(bytes) allocated: 0 hard: 0 soft: 0 sadb_seq=1 pid=23825 refcnt=0 2001:db8:2:2::2 2001:db8:1:1::1 esp mode=transport spi=2770214690(0xa51e1f22) reqid=16385(0x00004001) E: aes-cbc 6f59cc30 8d856056 65e07b76 552cac18 A: hmac-sha1 c7c7d82b abfca8b1 5440021f e0c3b335 975b508b seq=0x00000000 replay=64 flags=0x00000000 state=mature created: Jan 1 21:16:31 2005 current: Jan 1 21:22:20 2005 diff: 349(s) hard: 0(s) soft: 0(s) last: hard: 0(s) soft: 0(s) current: 0(bytes) hard: 0(bytes) soft: 0(bytes) allocated: 0 hard: 0 soft: 0 sadb_seq=0 pid=23825 refcnt=0
|