荔园在线
荔园之美,在春之萌芽,在夏之绽放,在秋之收获,在冬之沉淀
[回到开始]
[上一篇][下一篇]
发信人: georgehill (人生不定式), 信区: Linux
标 题: Changed manual key configuration for IPsec(转寄)
发信站: BBS 荔园晨风站 (Sat Sep 16 11:32:16 2000), 站内信件
【 以下文字转载自 georgehill 的信箱 】
【 原文由 georgehill.bbs@smth.org 所发表 】
发信人: hhuu (什么是水,就是water啊), 信区: FreeBSD
标 题: Changed manual key configuration for IPsec(转寄)
发信站: BBS 水木清华站 (Sat Sep 16 00:17:11 2000)
Changed manual key configuration for IPsec
Shoichi Sakane, KAME Project
$Id: index.html,v 1.4 1999/10/06 16:41:13 sakane Exp $
Introduction
IPsec policy and key management on KAME stack has big difference from its old
version. If you use 19990906 snapshot or later, also stable,
YOU MUST TAKE SOME CARE OF IPSEC CONFIGURATION.
Points of the modification
SA configuration.
The parameters to specify a SA are both IP addresses of the end points
of SA, and security protocol. A mode of its security
protocol is not always necessarily. Hence prefix length for indicating
network and protocol specification for upper layer have vanished
from SA configuration. Also proxy address which was indicated the end of
tunnel for IPsec has vanished.
The new way of manual SA configuration is, for example of using ESP-SA
with 3des-cbc from node 10.0.0.1 to node 10.0.0.2,
# setkey -c <<EOF
add 10.0.0.1 10.0.0.2 esp 12345 -m any
-E 3des-cbc "12341234abcdabcd12341234" ;
EOF
Attention to `-m' option, this is the specifier of mode of security
protocol. `any' allows SA to be used as both transport and tunnel
mode. When you want to specify a mode of SA, you must use either
`transport' or `tunnel' instead of `any'.
SP specification. In order to making the kernel to select a proper SP,
system administrator must define the direction of SP explicitly by
using either `in' or `out'. And in order to making the kernel to select a
proper SA, system administrator must include SA identifier
into SP configuration. SA identifier is both IP addresses of the end
points of SA, and security protocol.
The new way of SP configuration is, for example of outgoing packet of POP3
from fec0::10 to fec0::11,
# setkey -c <<EOF
spdadd fec0::10[any] fec0::11[110] tcp -P out ipsec
esp/transport/fec0::10-fec0::11/use ;
EOF
`fec0::10[any] fec0::11[110]' and `tcp' are selector for SP. This is used
to match a packet and select a proper SP. `any'
means wild card of port number. `0' which was used in the old type of
configuration means port number of zero. `transport' means
to use transport mode SA. You might think that it is troublesome to
specify the addresses such like `fec0::10-fec0::11'. I admit
this part to improve, for example allowing to omit the specification in
the case of transport mode.
Some Samples
There are sample scripts for IPsec configuration by manual keying. A security
association is uniquely identified by a triple consisting of a
Security Parameter Index (SPI), an IP Destination Address, and a security
protocol (AH or ESP) identifier. But IP Source Address is
necessary to specify a source address in IP header. It is important for
receiver to decide to accept a packet you sent. You must take care of
these parameters when you configure by manual keying.
Transport mode between two hosts
ESP transport mode is recommended for TCP port number 110 between Host-A and
Host-B.
============ ESP ============
| |
Host-A Host-B
fec0::10 -------------------- fec0::11
Encryption algorithm is blowfish-cbc whose key is "kamekame", and
authentication algorithm is hmac-sha1 whose key is "this is the
test key".
Configuration at Host-A:
# setkey -c <<EOF
spdadd fec0::10[any] fec0::11[110] tcp -P out ipsec
esp/transport/fec0::10-fec0::11/use ;
spdadd fec0::11[110] fec0::10[any] tcp -P in ipsec
esp/transport/fec0::11-fec0::10/use ;
add fec0::10 fec0::11 esp 0x10001
-m transport
-E blowfish-cbc "kamekame"
-A hmac-sha1 "this is the test key" ;
add fec0::11 fec0::10 esp 0x10002
-m transport
-E blowfish-cbc "kamekame"
-A hmac-sha1 "this is the test key" ;
EOF
and at Host-B:
# setkey -c <<EOF
spdadd fec0::11[110] fec0::10[any] tcp -P out ipsec
esp/transport/fec0::11-fec0::10/use ;
spdadd fec0::10[any] fec0::11[110] tcp -P in ipsec
esp/transport/fec0::10-fec0::11/use ;
add fec0::10 fec0::11 esp 0x10001 -m transport
-E blowfish-cbc "kamekame"
-A hmac-sha1 "this is the test key" ;
add fec0::11 fec0::10 esp 0x10002 -m transport
-E blowfish-cbc "kamekame"
-A hmac-sha1 "this is the test key" ;
EOF
Note the direction of SP.
Tunnel mode between two security gateways
Security protocol is old AH tunnel mode, i.e. specified by RFC1826, with
keyed-md5 whose key is "this is the test" as authentication
algorithm.
======= AH =======
| |
Network-A Gateway-A Gateway-B Network-B
10.0.1.0/24 ---- 172.16.0.1 ----- 172.16.0.2 ---- 10.0.2.0/24
Configuration at Gateway-A:
# setkey -c <<EOF
spdadd 10.0.1.0/24 10.0.2.0/24 any -P out ipsec
ah/tunnel/172.16.0.1-172.16.0.2/require ;
spdadd 10.0.2.0/24 10.0.1.0/24 any -P in ipsec
ah/tunnel/172.16.0.2-172.16.0.1/require ;
add 172.16.0.1 172.16.0.2 ah-old 0x10003 -m any
-A keyed-md5 "this is the test" ;
add 172.16.0.2 172.16.0.1 ah-old 0x10004 -m any
-A keyed-md5 "this is the test" ;
If port number field is omitted such above then "[any]" is employed. `-m'
specifies the mode of SA to be used. "-m any" means wild-card of
mode of security protocol. You can use this SA for both tunnel and transport
mode.
and at Gateway-B:
# setkey -c <<EOF
spdadd 10.0.2.0/24 10.0.1.0/24 any -P out ipsec
ah/tunnel/172.16.0.2-172.16.0.1/require ;
spdadd 10.0.1.0/24 10.0.2.0/24 any -P in ipsec
ah/tunnel/172.16.0.1-172.16.0.2/require ;
add 172.16.0.1 172.16.0.2 ah-old 0x10003 -m any
-A keyed-md5 "this is the test" ;
add 172.16.0.2 172.16.0.1 ah-old 0x10004 -m any
-A keyed-md5 "this is the test" ;
Making SA bundle between two security gateways
AH transport mode and ESP tunnel mode is required between Gateway-A and
Gateway-B. In this case, ESP tunnel mode is applied first,
and AH transport mode is next.
========== AH =========
| ======= ESP ===== |
| | | |
Network-A Gateway-A Gateway-B Network-B
fec0:0:0:1::/64 --- fec0:0:0:1::1 ---- fec0:0:0:2::1 ---
fec0:0:0:2::/64
Encryption algorithm is 3des-cbc, and authentication algorithm for ESP is
hmac-sha1. Authentication algorithm for AH is hmac-md5.
Configuration at Gateway-A:
# setkey -c <<EOF
spdadd fec0:0:0:1::/64 fec0:0:0:2::/64 any -P out ipsec
esp/tunnel/fec0:0:0:1::1-fec0:0:0:2::1/require
ah/transport/fec0:0:0:1::1-fec0:0:0:2::1/require ;
spdadd fec0:0:0:2::/64 fec0:0:0:1::/64 any -P in ipsec
esp/tunnel/fec0:0:0:2::1-fec0:0:0:1::1/require
ah/transport/fec0:0:0:2::1-fec0:0:0:1::1/require ;
add fec0:0:0:1::1 fec0:0:0:2::1 esp 0x10001 -m tunnel
-E 3des-cbc "kamekame12341234kame1234"
-A hmac-sha1 "this is the test key" ;
add fec0:0:0:1::1 fec0:0:0:2::1 ah 0x10001 -m transport
-A hmac-md5 "this is the test" ;
add fec0:0:0:2::1 fec0:0:0:1::1 esp 0x10001 -m tunnel
-E 3des-cbc "kamekame12341234kame1234"
-A hmac-sha1 "this is the test key" ;
add fec0:0:0:2::1 fec0:0:0:1::1 ah 0x10001 -m transport
-A hmac-md5 "this is the test" ;
Making SAs with the different end
ESP tunnel mode is required between Host-A and Gateway-A. Encryption algorithm
is cast128-cbc, and authentication algorithm for ESP
is hmac-sha1. ESP transport mode is recommended between Host-A and Host-B.
Encryption algorithm is rc5-cbc, and authentication
algorithm for ESP is hmac-md5.
================== ESP =================
| ======= ESP ======= |
| | | |
Host-A Gateway-A Host-B
fec0:0:0:1::1 ---- fec0:0:0:2::1 ---- fec0:0:0:2::2
Configuration at Host-A:
# setkey -c <<EOF
spdadd fec0:0:0:1::1[any] fec0:0:0:2::2[80] tcp -P out ipsec
esp/transport/fec0:0:0:1::1-fec0:0:0:2::2/use
esp/tunnel/fec0:0:0:1::1-fec0:0:0:2::1/require ;
spdadd fec0:0:0:2::1[80] fec0:0:0:1::1[any] tcp -P in ipsec
esp/transport/fec0:0:0:2::2-fec0:0:0:l::1/use
esp/tunnel/fec0:0:0:2::1-fec0:0:0:1::1/require ;
add fec0:0:0:1::1 fec0:0:0:2::2 esp 0x10001
-m transport
-E cast128-cbc "12341234"
-A hmac-sha1 "this is the test key" ;
add fec0:0:0:1::1 fec0:0:0:2::1 esp 0x10002
-E rc5-cbc "kamekame"
-A hmac-md5 "this is the test" ;
add fec0:0:0:2::2 fec0:0:0:1::1 esp 0x10003
-m transport
-E cast128-cbc "12341234"
-A hmac-sha1 "this is the test key" ;
add fec0:0:0:2::1 fec0:0:0:1::1 esp 0x10004
-E rc5-cbc "kamekame"
-A hmac-md5 "this is the test" ;
--
行列中 作不朽文章
谈笑间 论古今英雄
痴狂里 诉红尘情爱
来去时 不枉一生风流
--------- bbs.ntu.edu.tw
※ 来源:·BBS 水木清华站 smth.org·[FROM: 166.111.161.33]
--
※ 转载:·BBS 荔园晨风站 bbs.szu.edu.cn·[FROM: 192.168.1.115]
[回到开始]
[上一篇][下一篇]
荔园在线首页 友情链接:深圳大学 深大招生 荔园晨风BBS S-Term软件 网络书店