czwartek, 6 lutego 2020

IPSec policy via plain old setkey

In old days I sometimes used IPSec keying (PSK) via manual rules (no IKE at all). I needed sample config for some PoC stuff. So for "future" use: On one side:
#!/usr/sbin/setkey -f
flush;
spdflush;
add IP1.IP1.IP1.IP1 IP2.IP2.IP2.IP2 esp 0x1000 -m tunnel -E blowfish-cbc "<32 chars>" -A hmac-sha1 "<20 chars>";
add IP2.IP2.IP2.IP2 IP1.IP1.IP1.IP1 esp 0x2000 -m tunnel -E blowfish-cbc "<32 chars>" -A hmac-sha1 "<20 chars>";

spdadd 100.100.0.0/16 100.64.0.0/16  any -P in  ipsec esp/tunnel/IP1.IP1.IP1.IP1-IP2.IP2.IP2.IP2/require;
spdadd 100.64.0.0/16  100.100.0.0/16 any -P out ipsec esp/tunnel/IP2.IP2.IP2.IP2-IP1.IP1.IP1.IP1/require;
On other side:
#!/usr/sbin/setkey -f
flush;
spdflush;
add IP1.IP1.IP1.IP1 IP2.IP2.IP2.IP2 esp 0x1000 -m tunnel -E blowfish-cbc "<32 chars>" -A hmac-sha1 "<20 chars>";
add IP2.IP2.IP2.IP2 IP1.IP1.IP1.IP1 esp 0x2000 -m tunnel -E blowfish-cbc "<32 chars>" -A hmac-sha1 "<20 chars>";

spdadd 100.100.0.0/16 100.64.0.0/16  any -P out ipsec esp/tunnel/IP1.IP1.IP1.IP1-IP2.IP2.IP2.IP2/require;
spdadd 100.64.0.0/16  100.100.0.0/16 any -P in  ipsec esp/tunnel/IP2.IP2.IP2.IP2-IP1.IP1.IP1.IP1/require;
Change spdadd policy direction only.

Brak komentarzy: