RCSID $Id: modes.html,v 1.9 2001/04/19 18:54:53 rgb Exp $
<TITLE>Klips Manual Key Protected Connection Examples</TITLE>
<h1>Klips Manual Key Protected Connection Examples</h1>
<li><a href="#intro">Introduction</a>
<li><a href="#macros">Macros</a>
<li><a href="#setup">Setup</a>
<li><a href="#unload">Unload</a>
<li><a href="#transport">Transport mode</a>
<li><a href="#tunnel">Tunnel mode</a>
<li><a href="#transform">Transform examples</a>
<li><a href="#proc">IPSEC Status</a>
<a name="intro"><h2>Introduction</h2>
This document is intended to provide some background on what is most easily
accomplished with the existing tools. See 'man ipsec_auto' and 'man ipsec_manual'
It is intended for practical use only beyond the capabilities of 'ipsec auto' and
'ipsec manual'. For now (981127), that includes extruded subnets.
Note: Be warned that once a route(8) is set via an ipsec? device, packets without
an eroute(8) that are sent to that device will be dropped on the floor.
<a name="macros"><h2>Macros</h2>
These definitions of macros make the commands more readable and the scripts easier
to use by centralising the information. Obviously, the keys are
for example purposes only and cryptographically strong keys should be substituted.
nmask28=255.255.255.240
nmask29=255.255.255.248
local_public_ip=207.236.55.216
local_public_nexthop=207.236.55.1
local_public_bcast=207.236.55.255
local_public_nmask=$nmask24
local_private_net=192.168.2.0
local_private_nmask=$nmask24
remote_public_ip=209.157.90.146
remote_private_net=209.157.90.160
remote_private_nmask=$nmask29
ext_private_ip=209.157.90.198
ext_private_net=209.157.90.192
ext_private_bcast=209.157.90.199
ext_private_nmask=$nmask29
default_bcast=255.255.255.255
enckey8=0x0123456789abcdef
enckey24=0x0123456789abcdef0123456789abcdef0123456789abcdef
authkey16=0x0123456789abcdef0123456789abcdef
authkey20=0x0123456789abcdef0123456789abcdef01234567
<a name="setup"><h2>Setup</h2>
These commands must be run before any of the connection-specific commands
depmod -a # only if klips is compiled as a module
modprobe ipsec # only if klips is compiled as a module
ipsec tncfg --attach --virtual $ipsecdev --physical $physdev
ifconfig $ipsecdev $local_public_ip \
broadcast $local_public_bcast \
netmask $local_public_nmask
<a name="unload"><h2>Unload</h2>
These commands must be run before the module can be unloaded.
ipsec tncfg --detach --virtual $ipsecdev
ifconfig $ipsecdev down
rmmod ipsec # only if klips is compiled as a module
Warning: Each of the Setup scripts first deletes the route for the destinations it
needs to protect, if it exists. When the route gets deleted with the deletion
of the protected connection, that route will no longer exist. It must be
put back manually, or the network configuration restarted if the route was installed automatically.
<a name="transport"><h2>Transport mode</h2>
Transport mode is used between two hosts that each have IPSEC capabilities.
They don't rely on a security gateway since each host is, by definition, its own. This
mode has a lower overhead per packet and is therefore more efficient. The
outside header is protected against modification if authentication is used.
Assumptions: Both machines have had networking set up and can pass packets.
<li><a href="#transportsetup">Setup</a>
<li><a href="#transportdel">Delete</a>
<li><a name="transportsetup"><h3>Setup</h3>
ipsec spi --edst $remote_public_ip --spi 0x225 --proto esp \
ipsec eroute --add --src $local_public_ip/$hmask \
--dst $remote_public_ip/$hmask \
--edst $remote_public_ip --spi 0x225 --proto esp
route del $remote_public_ip
route add -host $remote_public_ip dev $ipsecdev \
gw $local_public_nexthop
ipsec spi --edst $local_public_ip --spi 0x235 --proto esp \
<li><a name="transportdel"><h3>Delete</h3>
route del $remote_public_ip
ipsec eroute --del --src $local_public_ip/$hmask \
--dst $remote_public_ip/$hmask
ipsec spi --edst $remote_public_ip --spi 0x225 --proto esp --del
ipsec spi --edst $local_public_ip --spi 0x235 --proto esp --del
<a name="tunnel"><h2>Tunnel mode</h2>
Tunnel mode is used between two security gateways to protect their own traffic
to another security gateway, or any combination of hosts behind it who may or
may not be IPSEC aware. Only the inner headers are protected if authentication
is enabled. There is extra overhead since there is an internal IP header. This
mode is often preferable because it makes traffic analysis more difficult.
Assumptions: Any subnets have been set up and all machines can see the internet.
<li><a href="#sg">Security Gateway to Security Gateway</a>
<li><a href="#subnet">Subnet to subnet</a>
<li><a href="#road">Road warrior mode (Security Gateway to Subnet)</a>
<li><a href="#subnetmasq">Subnet to subnet masqueraded</a>
<li><a href="#subnetextrude">Extruded Subnet to Internet</a>
<li><a name="sg"><h2>Security Gateway to Security Gateway</h2>
This configuration is essentially the same as tunnel mode, except that traffic
analysis is not as easy.
<li><a href="#sgsetup">Setup</a>
<li><a href="#sgdel">Delete</a>
<li><a name="sgsetup"><h3>Setup</h3>
ipsec spi --edst $remote_public_ip --spi 0x223 --proto tun --ip4 \
--src $local_public_ip --dst $remote_public_ip
ipsec spi --edst $remote_public_ip --spi 0x225 --proto esp \
ipsec spigrp $remote_public_ip 0x223 tun \
$remote_public_ip 0x225 esp
ipsec eroute --add --src $local_public_ip/$hmask \
--dst $remote_public_ip/$hmask \
--edst $remote_public_ip --spi 0x223 --proto tun
route del $remote_public_ip
route add -host $remote_public_ip dev $ipsecdev \
gw $local_public_nexthop
ipsec spi --edst $local_public_ip --spi 0x235 --proto esp \
<li><a name="sgdel"><h3>Delete</h3>
route del $remote_public_ip
ipsec eroute --del --src $local_public_ip/$hmask \
--dst $remote_public_ip/$hmask
ipsec spi --edst $remote_public_ip --spi 0x223 --proto tun --del
ipsec spi --edst $local_public_ip --spi 0x235 --proto esp --del
<li><a name="subnet"><h3>Subnet to Subnet</h3>
Valid internet subnet to valid internet subnet is the simplest subnet configuration.
It processes all traffic from one subnet behind a security gateway to another subnet
behind its security gateway with the selected encryption and/or authentication
transforms, effectively protecting all that traffic from interference from the internet.
<li><a href="#subnetsetup">Setup</a>
<li><a href="#subnetdel">Delete</a>
<li><a name="subnetsetup"><h4>Setup</h4>
ipsec spi --edst $remote_public_ip --spi 0x223 --proto tun --ip4 \
--src $local_public_ip --dst $remote_public_ip
ipsec spi --edst $remote_public_ip --spi 0x225 --proto esp \
ipsec spigrp $remote_public_ip 0x223 tun \
$remote_public_ip 0x225 esp
ipsec eroute --add --src $local_private_net/$local_private_nmask \
--dst $remote_private_net/$remote_private_nmask \
--edst $remote_public_ip --spi 0x223 --proto tun
route del $remote_private_net
route add -net $remote_private_net netmask $remote_private_nmask \
dev $ipsecdev gw $local_public_nexthop
ipsec spi --edst $local_public_ip --spi 0x235 --proto esp \
<li><a name="subnetdel"><h4>Delete</h4>
route del $remote_private_net
ipsec eroute --del --src $local_private_net/$local_private_nmask \
--dst $remote_private_net/$remote_private_nmask
# delete each SA with the same --proto it was created with in Setup (0x223 tun, 0x235 esp)
ipsec spi --edst $remote_public_ip --spi 0x223 --proto tun --del
ipsec spi --edst $local_public_ip --spi 0x235 --proto esp --del
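The Setup and Delete scripts of a connection have to agree on every (--edst, --spi, --proto) triple, and hand-maintained copies drift. The sh script below is an added example, not part of the FreeS/WAN page: it drives both sequences of the subnet-to-subnet tunnel from one SA list. It prints the commands by default (KLIPS_RUN=echo) and assumes the --esp/--enckey/--authkey transform syntax of ipsec_spi(8), which the page's elided continuation lines do not show.

```shell
#!/bin/sh
# Added example, not from the FreeS/WAN page: one SA list drives both the
# Setup and the Delete of the subnet-to-subnet tunnel, so the --spi/--proto
# pairs deleted are always the ones that were created.
# KLIPS_RUN=echo (default) prints the commands; KLIPS_RUN= runs them (as root).
: "${KLIPS_RUN=echo}"
run() { $KLIPS_RUN "$@"; }

# Macros from the page (example addresses; keys are illustrative only).
ipsecdev=ipsec0
nmask24=255.255.255.0
nmask29=255.255.255.248
local_public_ip=207.236.55.216
local_public_nexthop=207.236.55.1
local_private_net=192.168.2.0
local_private_nmask=$nmask24
remote_public_ip=209.157.90.146
remote_private_net=209.157.90.160
remote_private_nmask=$nmask29
enckey24=0x0123456789abcdef0123456789abcdef0123456789abcdef
authkey16=0x0123456789abcdef0123456789abcdef

# Single source of truth: "edst spi proto" for every SA of this connection.
# Outbound: tun 0x223 grouped with esp 0x225; inbound: esp 0x235.
sa_list() {
    printf '%s 0x223 tun\n' "$remote_public_ip"
    printf '%s 0x225 esp\n' "$remote_public_ip"
    printf '%s 0x235 esp\n' "$local_public_ip"
}

# Create one SA. The transform flags (--esp 3des-md5-96, --enckey, --authkey)
# are assumed from ipsec_spi(8); the page's own continuation lines are elided.
sa_add() {
    case $3 in
        tun) run ipsec spi --edst "$1" --spi "$2" --proto tun --ip4 \
                 --src "$local_public_ip" --dst "$remote_public_ip" ;;
        esp) run ipsec spi --edst "$1" --spi "$2" --proto esp \
                 --esp 3des-md5-96 --enckey "$enckey24" --authkey "$authkey16" ;;
    esac
}

# Setup order from the page: SAs, spigrp, eroute, then the route onto ipsecN.
subnet_setup() {
    sa_list | while read -r edst spi proto; do sa_add "$edst" "$spi" "$proto"; done
    run ipsec spigrp "$remote_public_ip" 0x223 tun "$remote_public_ip" 0x225 esp
    run ipsec eroute --add --src "$local_private_net/$local_private_nmask" \
        --dst "$remote_private_net/$remote_private_nmask" \
        --edst "$remote_public_ip" --spi 0x223 --proto tun
    # the old route may not exist, so its deletion is allowed to fail
    run route del -net "$remote_private_net" netmask "$remote_private_nmask" || :
    run route add -net "$remote_private_net" netmask "$remote_private_nmask" \
        dev "$ipsecdev" gw "$local_public_nexthop"
}

# Delete is the exact reverse: route, eroute, then every SA from the same list.
subnet_delete() {
    run route del -net "$remote_private_net" netmask "$remote_private_nmask"
    run ipsec eroute --del --src "$local_private_net/$local_private_nmask" \
        --dst "$remote_private_net/$remote_private_nmask"
    sa_list | while read -r edst spi proto; do
        run ipsec spi --edst "$edst" --spi "$spi" --proto "$proto" --del
    done
}

case "${1-}" in
    setup)  subnet_setup ;;
    delete) subnet_delete ;;
esac
```

Invoke it as `sh klips-subnet.sh setup` or `sh klips-subnet.sh delete`; with KLIPS_RUN left unset it only prints, which is a convenient way to review both sequences before running them as root.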
<li><a name="road"><h3>Road warrior mode (Subnet to Security Gateway)</h3>
"Road Warriors" are single machines that connect to a protected network via
the internet and must keep the tunnel secure. Each acts as a security gateway
and speaks to the protected subnet via another security gateway. This is a
hybrid of the security_gateway-to-security_gateway and subnet-to-subnet
Assumptions: All machines are set up to see each other and the internet.
<li><a href="#roadme">Local road warrior to remote subnet</a>
<li><a href="#roadyou">Local subnet to remote road warrior</a>
<li><a name="roadme"><h4>Local road warrior to remote subnet</h4>
<li><a href="#roadmesetup">Setup</a>
<li><a href="#roadmedel">Delete</a>
<li><a name="roadmesetup"><h5>Setup</h5>
ipsec spi --edst $remote_public_ip --spi 0x223 --proto tun --ip4 \
--src $local_public_ip --dst $remote_public_ip
ipsec spi --edst $remote_public_ip --spi 0x225 --proto esp \
ipsec spigrp $remote_public_ip 0x223 tun \
$remote_public_ip 0x225 esp
ipsec eroute --add --src $local_public_ip/$hmask \
--dst $remote_private_net/$remote_private_nmask \
--edst $remote_public_ip --spi 0x223 --proto tun
route del $remote_private_net
route add -net $remote_private_net netmask $remote_private_nmask \
dev $ipsecdev gw $local_public_nexthop
ipsec spi --edst $local_public_ip --spi 0x235 --proto esp \
<li><a name="roadmedel"><h5>Delete</h5>
route del $remote_private_net
ipsec eroute --del --src $local_public_ip/$hmask \
--dst $remote_private_net/$remote_private_nmask
ipsec spi --edst $remote_public_ip --spi 0x223 --proto tun --del
ipsec spi --edst $local_public_ip --spi 0x235 --proto esp --del
<li><a name="roadyou"><h4>Local subnet to remote road warrior</h4>
<li><a href="#roadyousetup">Setup</a>
<li><a href="#roadyoudel">Delete</a>
<li><a name="roadyousetup"><h5>Setup</h5>
ipsec spi --edst $remote_public_ip --spi 0x223 --proto tun --ip4 \
--src $local_public_ip --dst $remote_public_ip
ipsec spi --edst $remote_public_ip --spi 0x225 --proto esp \
ipsec spigrp $remote_public_ip 0x223 tun \
$remote_public_ip 0x225 esp
ipsec eroute --add --src $local_private_net/$local_private_nmask \
--dst $remote_public_ip/$hmask \
--edst $remote_public_ip --spi 0x223 --proto tun
route del $remote_public_ip
route add -host $remote_public_ip dev $ipsecdev \
gw $local_public_nexthop
ipsec spi --edst $local_public_ip --spi 0x235 --proto esp \
<li><a name="roadyoudel"><h5>Delete</h5>
route del $remote_public_ip
ipsec eroute --del --src $local_private_net/$local_private_nmask \
--dst $remote_public_ip/$hmask
ipsec spi --edst $remote_public_ip --spi 0x223 --proto tun --del
ipsec spi --edst $local_public_ip --spi 0x235 --proto esp --del
<li><a name="subnetmasq"><h3>Subnet to Subnet masqueraded</h3>
Traffic from a valid internet subnet to a reserved address subnet can still
be protected by IPSEC so long as all the reserved subnets that the valid subnet
wishes to speak to are unique. Perhaps some IPMASQ work needs to be done to
make this independent.
Note: The ipfwadm command serves to knock a hole in the existing masquerading
Assumptions: The masqueraded subnet has been set up and all machines can see
<li><a href="#subnetmasqsetup">Setup</a>
<li><a href="#subnetmasqdel">Delete</a>
<li><a name="subnetmasqsetup"><h4>Setup</h4>
ipsec spi --edst $remote_public_ip --spi 0x223 --proto tun --ip4 \
--src $local_public_ip --dst $remote_public_ip
ipsec spi --edst $remote_public_ip --spi 0x225 --proto esp \
ipsec spigrp $remote_public_ip 0x223 tun \
$remote_public_ip 0x225 esp
ipsec eroute --add --src $local_private_net/$local_private_nmask \
--dst $remote_private_net/$remote_private_nmask \
--edst $remote_public_ip --spi 0x223 --proto tun
route del $remote_private_net
route add -net $remote_private_net netmask $remote_private_nmask \
dev $ipsecdev gw $local_public_nexthop
ipfwadm -F -i accept -S $local_private_net/$local_private_nmask \
-D $remote_private_net/$remote_private_nmask
ipsec spi --edst $local_public_ip --spi 0x235 --proto esp \
<li><a name="subnetmasqdel"><h4>Delete</h4>
ipfwadm -F -d accept -S $local_private_net/$local_private_nmask \
-D $remote_private_net/$remote_private_nmask
route del $remote_private_net
ipsec eroute --del --src $local_private_net/$local_private_nmask \
--dst $remote_private_net/$remote_private_nmask
ipsec spi --edst $remote_public_ip --spi 0x223 --proto tun --del
ipsec spi --edst $local_public_ip --spi 0x235 --proto esp --del
<li><a name="subnetextrude"><h3>Extruded Subnet to Internet</h3>
Subnet 'Extrusion' may be necessary if one site only has one IP routed to
it and more IPs are needed, but the access provider is unable or unwilling
to route more. This will extrude a valid subnet from another location (the
site of the other security gateway) to the site needing more valid addresses
and protect (encrypt or authenticate) all its traffic.
This example combines a masqueraded subnet and the extruded subnet on the
same physical media. Note that the remote security gateway will carry at least
double the traffic that the extruded subnet exchanges with the rest of the
internet, and the turnaround time will be doubled.
Assumptions: A masqueraded subnet has been set up and all machines can see
the internet. Each machine on the extruded subnet will need to route all
packets to the remote subnet (in this case the entire internet) via the
I/F (direct or aliased) that has been configured with an extruded valid
<li><a href="#subnetextrudesetup">Setup</a>
<li><a href="#subnetextrudedel">Delete</a>
<li><a name="subnetextrudesetup"><h4>Setup</h4>
# set up superimposed valid internet subnet with interface aliases
ifconfig $aliasdev $ext_private_ip broadcast $ext_private_bcast \
netmask $ext_private_nmask
route add -net $ext_private_net netmask $ext_private_nmask \
ipsec spi --edst $remote_public_ip --spi 0x223 --proto tun --ip4 \
--src $local_public_ip --dst $remote_public_ip
ipsec spi --edst $remote_public_ip --spi 0x225 --proto esp \
ipsec spigrp $remote_public_ip 0x223 tun \
$remote_public_ip 0x225 esp
ipsec eroute --add --src $ext_private_net/$ext_private_nmask \
--dst $default_net/$default_nmask \
--edst $remote_public_ip --spi 0x223 --proto tun
route del $default_net
route add -net $default_net netmask $default_nmask \
dev $ipsecdev gw $local_public_nexthop
ipfwadm -F -i accept -S $ext_private_net/$ext_private_nmask \
-D $default_net/$default_nmask
ipsec spi --edst $local_public_ip --spi 0x235 --proto esp \
<li><a name="subnetextrudedel"><h4>Delete</h4>
ipfwadm -F -d accept -S $ext_private_net/$ext_private_nmask \
-D $default_net/$default_nmask
route del $default_net
ipsec eroute --del --src $ext_private_net/$ext_private_nmask \
--dst $default_net/$default_nmask
ipsec spi --edst $remote_public_ip --spi 0x223 --proto tun --del
ipsec spi --edst $local_public_ip --spi 0x235 --proto esp --del
<a name="transform"><h2>Transform Examples</h2>
A number of different transforms can be used to provide the protection intended
by the IPSEC protocol suite. All these examples are using transport mode, but the
techniques are equally applicable to tunnel mode, adding the extra SA to the spigrp
command as necessary.
Assumptions: Both machines have had networking set up and can pass packets.
<li><a href="#ah">Authentication</a>
<li><a href="#esp">Encryption</a>
<li><a name="ah"><h3>Authentication</h3>
Authentication provides the service of guaranteeing the identity of the sender.
It also provides protection against packet modification in transit. It does not
<li><a href="#ahmd5">AH-MD5</a>
<li><a href="#ahsha1">AH-SHA1</a>
<li><a href="#espnullmd5">ESP-NULL-MD5</a>
<li><a name="ahmd5"><h4>AH-MD5</h4>
Authentication Header, using Message Digest-5, can be used to authenticate the
contents of the packet and the immutable or predictable parts of the IP header
outside the Authentication Header, with a 128-bit key.
<li><a href="#ahmd5setup">Setup</a>
<li><a href="#ahmd5del">Delete</a>
<li><a name="ahmd5setup"><h5>Setup</h5>
ipsec spi --edst $remote_public_ip --spi 0x225 --proto ah \
ipsec eroute --add --src $local_public_ip/$hmask \
--dst $remote_public_ip/$hmask \
--edst $remote_public_ip --spi 0x225 --proto ah
route del $remote_public_ip
route add -host $remote_public_ip dev $ipsecdev \
gw $local_public_nexthop
ipsec spi --edst $local_public_ip --spi 0x235 --proto ah \
<li><a name="ahmd5del"><h5>Delete</h5>
route del $remote_public_ip
ipsec eroute --del --src $local_public_ip/$hmask \
--dst $remote_public_ip/$hmask
ipsec spi --edst $remote_public_ip --spi 0x225 --proto ah --del
ipsec spi --edst $local_public_ip --spi 0x235 --proto ah --del
<li><a name="ahsha1"><h4>AH-SHA1</h4>
Authentication Header, using Secure Hash Algorithm-1, can be used to authenticate the
contents of the packet and the immutable or predictable parts of the IP header
outside the Authentication Header, with a 160-bit key.
<li><a href="#ahsha1setup">Setup</a>
<li><a href="#ahsha1del">Delete</a>
<li><a name="ahsha1setup"><h5>Setup</h5>
ipsec spi --edst $remote_public_ip --spi 0x225 --proto ah \
ipsec eroute --add --src $local_public_ip/$hmask \
--dst $remote_public_ip/$hmask \
--edst $remote_public_ip --spi 0x225 --proto ah
route del $remote_public_ip
route add -host $remote_public_ip dev $ipsecdev \
gw $local_public_nexthop
ipsec spi --edst $local_public_ip --spi 0x235 --proto ah \
<li><a name="ahsha1del"><h5>Delete</h5>
route del $remote_public_ip
ipsec eroute --del --src $local_public_ip/$hmask \
--dst $remote_public_ip/$hmask
ipsec spi --edst $remote_public_ip --spi 0x225 --proto ah --del
ipsec spi --edst $local_public_ip --spi 0x235 --proto ah --del
<li><a name="espnullmd5"><h4>ESP-NULL-MD5</h4>
Encapsulation Security Protocol, using the NULL transform with Secure Hash Algorithm-1
can be used to authenticate the contents of the packet only with a 160-bit key.
<li><a href="#espnullmd5setup">Setup</a>
<li><a href="#espnullmd5del">Delete</a>
<li><a name="espnullmd5setup"><h5>Setup</h5>
ipsec spi --edst $remote_public_ip --spi 0x225 --proto esp \
ipsec eroute --add --src $local_public_ip/$hmask \
--dst $remote_public_ip/$hmask \
--edst $remote_public_ip --spi 0x225 --proto esp
route del $remote_public_ip
route add -host $remote_public_ip dev $ipsecdev \
gw $local_public_nexthop
ipsec spi --edst $local_public_ip --spi 0x235 --proto esp \
<li><a name="espnullmd5del"><h5>Delete</h5>
route del $remote_public_ip
ipsec eroute --del --src $local_public_ip/$hmask \
--dst $remote_public_ip/$hmask
ipsec spi --edst $remote_public_ip --spi 0x225 --proto esp --del
ipsec spi --edst $local_public_ip --spi 0x235 --proto esp --del
<li><a name="esp"><h3>Encryption</h3>
Encryption provides the service of data hiding using symmetric key methods.
<li><a href="#esp3desmd5">ESP-3DES-MD5</a>
<li><a href="#esp3desahmd5">ESP-3DES with AH-MD5</a>
<li><a href="#espdesmd5">ESP-DES-MD5</a>
<li><a href="#esp3dessha1">ESP-3DES-SHA1</a>
<li><a name="esp3desmd5"><h4>ESP-3DES-MD5</h4>
Encapsulation Security Payload, using triple-Data Encryption Standard for encryption
and Message Digest-5 can be used to hide the contents of the packet and authenticate
both the contents of the packet and the immutable or predictable parts of the IP header
outside the Encapsulation Security Payload with a 168-bit encryption key and a 128-bit
<li><a href="#esp3desmd5setup">Setup</a>
<li><a href="#esp3desmd5del">Delete</a>
<li><a name="esp3desmd5setup"><h5>Setup</h5>
ipsec spi --edst $remote_public_ip --spi 0x225 --proto esp \
ipsec eroute --add --src $local_public_ip/$hmask \
--dst $remote_public_ip/$hmask \
--edst $remote_public_ip --spi 0x225 --proto esp
route del $remote_public_ip
route add -host $remote_public_ip dev $ipsecdev \
gw $local_public_nexthop
ipsec spi --edst $local_public_ip --spi 0x235 --proto esp \
<li><a name="esp3desmd5del"><h5>Delete</h5>
route del $remote_public_ip
ipsec eroute --del --src $local_public_ip/$hmask \
--dst $remote_public_ip/$hmask
ipsec spi --edst $remote_public_ip --spi 0x225 --proto esp --del
ipsec spi --edst $local_public_ip --spi 0x235 --proto esp --del
<li><a name="esp3desahmd5"><h4>ESP-3DES with AH-MD5</h4>
Encapsulation Security Payload, using triple-Data Encryption Standard with a 168-bit
encryption key, hides the contents of the packet, while an external Authentication
Header using Message Digest-5 with a 128-bit authentication key authenticates both
the contents of the packet and the immutable or predictable parts of the IP header
outside the Encapsulation Security Payload.
<li><a href="#esp3desahmd5setup">Setup</a>
<li><a href="#esp3desahmd5del">Delete</a>
<li><a name="esp3desahmd5setup"><h5>Setup</h5>
ipsec spi --edst $remote_public_ip --spi 0x225 --proto esp \
ipsec spi --edst $remote_public_ip --spi 0x226 --proto ah \
# group the outbound SAs under the --edst they were created with above
ipsec spigrp $remote_public_ip 0x225 esp \
$remote_public_ip 0x226 ah
ipsec eroute --add --src $local_public_ip/$hmask \
--dst $remote_public_ip/$hmask \
--edst $remote_public_ip --spi 0x225 --proto esp
route del $remote_public_ip
route add -host $remote_public_ip dev $ipsecdev \
gw $local_public_nexthop
ipsec spi --edst $local_public_ip --spi 0x235 --proto esp \
ipsec spi --edst $local_public_ip --spi 0x236 --proto ah \
<li><a name="esp3desahmd5del"><h5>Delete</h5>
route del $remote_public_ip
ipsec eroute --del --src $local_public_ip/$hmask \
--dst $remote_public_ip/$hmask
# both the ESP and the AH SA of each direction must be deleted
ipsec spi --edst $remote_public_ip --spi 0x225 --proto esp --del
ipsec spi --edst $remote_public_ip --spi 0x226 --proto ah --del
ipsec spi --edst $local_public_ip --spi 0x235 --proto esp --del
ipsec spi --edst $local_public_ip --spi 0x236 --proto ah --del
<li><a name="espdesmd5"><h4>ESP-DES-MD5</h4>
Encapsulation Security Payload, using Data Encryption Standard for encryption
and Message Digest-5 can be used to hide the contents of the packet and authenticate
both the contents of the packet and the immutable or predictable parts of the IP header
outside the Encapsulation Security Payload with a 56-bit encryption key and a 128-bit
<li><a href="#espdesmd5setup">Setup</a>
<li><a href="#espdesmd5del">Delete</a>
<li><a name="espdesmd5setup"><h5>Setup</h5>
ipsec spi --edst $remote_public_ip --spi 0x225 --proto esp \
ipsec eroute --add --src $local_public_ip/$hmask \
--dst $remote_public_ip/$hmask \
--edst $remote_public_ip --spi 0x225 --proto esp
route del $remote_public_ip
route add -host $remote_public_ip dev $ipsecdev \
gw $local_public_nexthop
ipsec spi --edst $local_public_ip --spi 0x235 --proto esp \
<li><a name="espdesmd5del"><h5>Delete</h5>
route del $remote_public_ip
ipsec eroute --del --src $local_public_ip/$hmask \
--dst $remote_public_ip/$hmask
ipsec spi --edst $remote_public_ip --spi 0x225 --proto esp --del
ipsec spi --edst $local_public_ip --spi 0x235 --proto esp --del
<li><a name="esp3dessha1"><h4>ESP-3DES-SHA1</h4>
Encapsulation Security Payload, using triple-Data Encryption Standard for encryption
and Secure Hash Algorithm-1 can be used to hide the contents of the packet and authenticate
both the contents of the packet and the immutable or predictable parts of the IP header
outside the Encapsulation Security Payload with a 168-bit encryption key and a 160-bit
<li><a href="#esp3dessha1setup">Setup</a>
<li><a href="#esp3dessha1del">Delete</a>
<li><a name="esp3dessha1setup"><h5>Setup</h5>
ipsec spi --edst $remote_public_ip --spi 0x225 --proto esp \
ipsec eroute --add --src $local_public_ip/$hmask \
--dst $remote_public_ip/$hmask \
--edst $remote_public_ip --spi 0x225 --proto esp
route del $remote_public_ip
route add -host $remote_public_ip dev $ipsecdev \
gw $local_public_nexthop
ipsec spi --edst $local_public_ip --spi 0x235 --proto esp \
<li><a name="esp3dessha1del"><h5>Delete</h5>
route del $remote_public_ip
ipsec eroute --del --src $local_public_ip/$hmask \
--dst $remote_public_ip/$hmask
ipsec spi --edst $remote_public_ip --spi 0x225 --proto esp --del
ipsec spi --edst $local_public_ip --spi 0x235 --proto esp --del
<a name="proc"><h3>IPSEC Status</h3>
The files in /proc/net/ipsec_* will reveal the current status of the Klips subsystem.
If they don't exist, then IPSEC is not available.
cat /proc/net/ipsec_*