It is intended for practical use only where the capabilities of 'ipsec auto' and 'ipsec manual' are insufficient. For now (981127), that includes extruded subnets.
Note: Be warned that once a route(8) is set via an ipsec? device, packets sent to that device that have no matching eroute(8) will be silently dropped.
# Parameters shared by the manual KLIPS examples below.
# NOTE(review): every key here is a fixed, recognisable pattern and exists
# only to make the examples runnable. Real keys must come from a CSPRNG
# (e.g. `ipsec ranbits`) and differ per SA and per direction.

# Netmasks: host, /0, /16, /24, /28, /29
hmask='255.255.255.255'
nmask0='0.0.0.0'
nmask16='255.255.0.0'
nmask24='255.255.255.0'
nmask28='255.255.255.240'
nmask29='255.255.255.248'

# Local gateway: its public interface and the private subnet behind it
local_public_ip='207.236.55.216'
local_public_nexthop='207.236.55.1'
local_public_bcast='207.236.55.255'
local_public_nmask="$nmask24"
local_private_net='192.168.2.0'
local_private_nmask="$nmask24"

# Remote gateway and the private subnet behind it
remote_public_ip='209.157.90.146'
remote_private_net='209.157.90.160'
remote_private_nmask="$nmask29"

# Extruded subnet (valid internet addresses) superimposed on the local LAN
ext_private_ip='209.157.90.198'
ext_private_net='209.157.90.192'
ext_private_bcast='209.157.90.199'
ext_private_nmask="$nmask29"

# "Everything": used for the default route in the extruded-subnet example
default_net='0.0.0.0'
default_bcast='255.255.255.255'
default_nmask="$nmask0"

# Devices: KLIPS virtual device, the alias carrying the extruded subnet,
# and the physical interface the virtual device is attached to
ipsecdev='ipsec1'
aliasdev='eth0:1'
physdev='eth2'

# Keys: 8-byte DES, 24-byte 3DES, 16-byte HMAC-MD5, 20-byte HMAC-SHA1
enckey8='0x0123456789abcdef'
enckey24='0x0123456789abcdef0123456789abcdef0123456789abcdef'
authkey16='0x0123456789abcdef0123456789abcdef'
authkey20='0x0123456789abcdef0123456789abcdef01234567'
# Load KLIPS and bring up the virtual IPsec device on top of the physical
# interface, giving it the gateway's public address.
depmod -a       # only if klips is compiled as a module
modprobe ipsec  # only if klips is compiled as a module
ipsec tncfg --attach --virtual "$ipsecdev" --physical "$physdev"
ifconfig "$ipsecdev" "$local_public_ip" \
  broadcast "$local_public_bcast" \
  netmask "$local_public_nmask"
# Detach the virtual device from its physical interface, bring it down and
# unload KLIPS.
ipsec tncfg --detach --virtual "$ipsecdev"
ifconfig "$ipsecdev" down
rmmod ipsec     # only if klips is compiled as a module
#
# Warning: Each of the Setup scripts first deletes the route for the
# destinations it needs to protect, if it exists. When the route gets
# deleted with the deletion of the protected connection, that route will
# no longer exist. This route must be put back manually, or the network
# configuration rebooted if it was installed automatically.
Assumptions: Both machines have had networking set up and can pass packets.
# Host-to-host ESP (3DES with HMAC-MD5-96), no tunnel SA.
# forward path: outbound SA, the eroute that selects it, then a host route
# so traffic for the peer leaves via the ipsec device.
ipsec spi --edst "$remote_public_ip" --spi 0x225 --proto esp \
  --esp 3des-md5-96 \
  --enckey "$enckey24" \
  --authkey "$authkey16"
ipsec eroute --add --src "$local_public_ip/$hmask" \
  --dst "$remote_public_ip/$hmask" \
  --edst "$remote_public_ip" --spi 0x225 --proto esp
route del "$remote_public_ip"
route add -host "$remote_public_ip" dev "$ipsecdev" \
  gw "$local_public_nexthop"
# return path: inbound SA, keyed on our own address
ipsec spi --edst "$local_public_ip" --spi 0x235 --proto esp \
  --esp 3des-md5-96 \
  --enckey "$enckey24" \
  --authkey "$authkey16"
# Undo the host-to-host ESP setup: route, eroute, outbound SA, inbound SA.
# The plain route to the peer that setup deleted is not restored here.
# forward path
route del "$remote_public_ip"
ipsec eroute --del --src "$local_public_ip/$hmask" \
  --dst "$remote_public_ip/$hmask"
ipsec spi --edst "$remote_public_ip" --spi 0x225 --proto esp --del
# return path
ipsec spi --edst "$local_public_ip" --spi 0x235 --proto esp --del
Assumptions: Any subnets have been set up and all machines can see the internet.
# Host-to-host IP-in-IP tunnel protected by ESP (3DES, HMAC-MD5-96).
# forward path: tunnel SA and ESP SA, grouped so that the eroute (which
# names only the tun SA) applies both.
ipsec spi --edst "$remote_public_ip" --spi 0x223 --proto tun --ip4 \
  --src "$local_public_ip" --dst "$remote_public_ip"
ipsec spi --edst "$remote_public_ip" --spi 0x225 --proto esp \
  --esp 3des-md5-96 \
  --enckey "$enckey24" \
  --authkey "$authkey16"
ipsec spigrp "$remote_public_ip" 0x223 tun \
  "$remote_public_ip" 0x225 esp
ipsec eroute --add --src "$local_public_ip/$hmask" \
  --dst "$remote_public_ip/$hmask" \
  --edst "$remote_public_ip" --spi 0x223 --proto tun
route del "$remote_public_ip"
route add -host "$remote_public_ip" dev "$ipsecdev" \
  gw "$local_public_nexthop"
# return path: inbound ESP SA on our own address
ipsec spi --edst "$local_public_ip" --spi 0x235 --proto esp \
  --esp 3des-md5-96 \
  --enckey "$enckey24" \
  --authkey "$authkey16"
# Undo the host-to-host tunnel setup.
# forward path
route del "$remote_public_ip"
ipsec eroute --del --src "$local_public_ip/$hmask" \
  --dst "$remote_public_ip/$hmask"
# Only the tun head of the spigrp group is named; the grouped 0x225 esp
# SA is not deleted separately — NOTE(review): confirm on your KLIPS
# version that deleting the head removes the grouped SA.
ipsec spi --edst "$remote_public_ip" --spi 0x223 --proto tun --del
# return path
ipsec spi --edst "$local_public_ip" --spi 0x235 --proto esp --del
# Subnet-to-subnet tunnel (3DES, HMAC-MD5-96) between the two gateways.
# forward path: same SA pair as the host-to-host tunnel; the eroute and
# the route now cover the whole remote private subnet.
ipsec spi --edst "$remote_public_ip" --spi 0x223 --proto tun --ip4 \
  --src "$local_public_ip" --dst "$remote_public_ip"
ipsec spi --edst "$remote_public_ip" --spi 0x225 --proto esp \
  --esp 3des-md5-96 \
  --enckey "$enckey24" \
  --authkey "$authkey16"
ipsec spigrp "$remote_public_ip" 0x223 tun \
  "$remote_public_ip" 0x225 esp
ipsec eroute --add --src "$local_private_net/$local_private_nmask" \
  --dst "$remote_private_net/$remote_private_nmask" \
  --edst "$remote_public_ip" --spi 0x223 --proto tun
route del "$remote_private_net"
route add -net "$remote_private_net" netmask "$remote_private_nmask" \
  dev "$ipsecdev" gw "$local_public_nexthop"
# return path: inbound ESP SA on our own address
ipsec spi --edst "$local_public_ip" --spi 0x235 --proto esp \
  --esp 3des-md5-96 \
  --enckey "$enckey24" \
  --authkey "$authkey16"
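# Undo the subnet-to-subnet tunnel setup.
# Fix: the --proto flags were swapped relative to the setup — 0x223 was
# created as a tun SA and 0x235 as an esp SA, so the deletes must name the
# same protocols or they address SAs that do not exist.
# forward path
route del "$remote_private_net"
ipsec eroute --del --src "$local_private_net/$local_private_nmask" \
  --dst "$remote_private_net/$remote_private_nmask"
# Only the tun head of the spigrp group is named; NOTE(review): confirm on
# your KLIPS version that deleting the head removes the grouped 0x225 esp.
ipsec spi --edst "$remote_public_ip" --spi 0x223 --proto tun --del
# return path
ipsec spi --edst "$local_public_ip" --spi 0x235 --proto esp --del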
Assumptions: All machines are set up to see each other and the internet.
# Local host to remote subnet tunnel (3DES, HMAC-MD5-96).
# forward path: the eroute selects only our own address as source and the
# whole remote private subnet as destination.
ipsec spi --edst "$remote_public_ip" --spi 0x223 --proto tun --ip4 \
  --src "$local_public_ip" --dst "$remote_public_ip"
ipsec spi --edst "$remote_public_ip" --spi 0x225 --proto esp \
  --esp 3des-md5-96 \
  --enckey "$enckey24" \
  --authkey "$authkey16"
ipsec spigrp "$remote_public_ip" 0x223 tun \
  "$remote_public_ip" 0x225 esp
ipsec eroute --add --src "$local_public_ip/$hmask" \
  --dst "$remote_private_net/$remote_private_nmask" \
  --edst "$remote_public_ip" --spi 0x223 --proto tun
route del "$remote_private_net"
route add -net "$remote_private_net" netmask "$remote_private_nmask" \
  dev "$ipsecdev" gw "$local_public_nexthop"
# return path: inbound ESP SA on our own address
ipsec spi --edst "$local_public_ip" --spi 0x235 --proto esp \
  --esp 3des-md5-96 \
  --enckey "$enckey24" \
  --authkey "$authkey16"
# Undo the host-to-subnet tunnel setup.
# forward path
route del "$remote_private_net"
ipsec eroute --del --src "$local_public_ip/$hmask" \
  --dst "$remote_private_net/$remote_private_nmask"
# Only the tun head of the spigrp group is named; NOTE(review): confirm on
# your KLIPS version that deleting the head removes the grouped 0x225 esp.
ipsec spi --edst "$remote_public_ip" --spi 0x223 --proto tun --del
# return path
ipsec spi --edst "$local_public_ip" --spi 0x235 --proto esp --del
# Local subnet to remote host tunnel (3DES, HMAC-MD5-96).
# forward path: the eroute covers the whole local private subnet as source
# and just the remote gateway's address as destination.
ipsec spi --edst "$remote_public_ip" --spi 0x223 --proto tun --ip4 \
  --src "$local_public_ip" --dst "$remote_public_ip"
ipsec spi --edst "$remote_public_ip" --spi 0x225 --proto esp \
  --esp 3des-md5-96 \
  --enckey "$enckey24" \
  --authkey "$authkey16"
ipsec spigrp "$remote_public_ip" 0x223 tun \
  "$remote_public_ip" 0x225 esp
ipsec eroute --add --src "$local_private_net/$local_private_nmask" \
  --dst "$remote_public_ip/$hmask" \
  --edst "$remote_public_ip" --spi 0x223 --proto tun
route del "$remote_public_ip"
route add -host "$remote_public_ip" dev "$ipsecdev" \
  gw "$local_public_nexthop"
# return path: inbound ESP SA on our own address
ipsec spi --edst "$local_public_ip" --spi 0x235 --proto esp \
  --esp 3des-md5-96 \
  --enckey "$enckey24" \
  --authkey "$authkey16"
# Undo the subnet-to-host tunnel setup.
# forward path
route del "$remote_public_ip"
ipsec eroute --del --src "$local_private_net/$local_private_nmask" \
  --dst "$remote_public_ip/$hmask"
# Only the tun head of the spigrp group is named; NOTE(review): confirm on
# your KLIPS version that deleting the head removes the grouped 0x225 esp.
ipsec spi --edst "$remote_public_ip" --spi 0x223 --proto tun --del
# return path
ipsec spi --edst "$local_public_ip" --spi 0x235 --proto esp --del
Note: The ipfwadm command serves to knock a hole in the existing masquerading setup.
Assumptions: The masqueraded subnet has been set up and all machines can see the internet.
# Subnet-to-subnet tunnel from behind a masquerading firewall.
# forward path: identical to the plain subnet-to-subnet case, plus an
# ipfwadm forwarding rule that lets local-private -> remote-private traffic
# through the masquerading setup unmasqueraded, so it reaches the eroute.
ipsec spi --edst "$remote_public_ip" --spi 0x223 --proto tun --ip4 \
  --src "$local_public_ip" --dst "$remote_public_ip"
ipsec spi --edst "$remote_public_ip" --spi 0x225 --proto esp \
  --esp 3des-md5-96 \
  --enckey "$enckey24" \
  --authkey "$authkey16"
ipsec spigrp "$remote_public_ip" 0x223 tun \
  "$remote_public_ip" 0x225 esp
ipsec eroute --add --src "$local_private_net/$local_private_nmask" \
  --dst "$remote_private_net/$remote_private_nmask" \
  --edst "$remote_public_ip" --spi 0x223 --proto tun
route del "$remote_private_net"
route add -net "$remote_private_net" netmask "$remote_private_nmask" \
  dev "$ipsecdev" gw "$local_public_nexthop"
ipfwadm -F -i accept -S "$local_private_net/$local_private_nmask" \
  -D "$remote_private_net/$remote_private_nmask"
# return path: inbound ESP SA on our own address
ipsec spi --edst "$local_public_ip" --spi 0x235 --proto esp \
  --esp 3des-md5-96 \
  --enckey "$enckey24" \
  --authkey "$authkey16"
# Undo the masqueraded subnet-to-subnet setup; the firewall hole goes first.
# forward path
ipfwadm -F -d accept -S "$local_private_net/$local_private_nmask" \
  -D "$remote_private_net/$remote_private_nmask"
route del "$remote_private_net"
ipsec eroute --del --src "$local_private_net/$local_private_nmask" \
  --dst "$remote_private_net/$remote_private_nmask"
# Only the tun head of the spigrp group is named; NOTE(review): confirm on
# your KLIPS version that deleting the head removes the grouped 0x225 esp.
ipsec spi --edst "$remote_public_ip" --spi 0x223 --proto tun --del
# return path
ipsec spi --edst "$local_public_ip" --spi 0x235 --proto esp --del
Assumptions: A masqueraded subnet has been set up and all machines can see the internet. Each machine on the extruded subnet will need to route all packets to the remote subnet (in this case the entire internet) via the interface (direct or aliased) that has been configured with an extruded valid internet address.
# Extruded subnet: a block of valid internet addresses is superimposed on
# the local LAN via an interface alias, and everything it sends to the
# internet (0.0.0.0/0) is tunnelled to the remote gateway.
# set up superimposed valid internet subnet with interface aliases
ifconfig "$aliasdev" "$ext_private_ip" broadcast "$ext_private_bcast" \
  netmask "$ext_private_nmask"
route add -net "$ext_private_net" netmask "$ext_private_nmask" \
  dev "$aliasdev"
# forward path
ipsec spi --edst "$remote_public_ip" --spi 0x223 --proto tun --ip4 \
  --src "$local_public_ip" --dst "$remote_public_ip"
ipsec spi --edst "$remote_public_ip" --spi 0x225 --proto esp \
  --esp 3des-md5-96 \
  --enckey "$enckey24" \
  --authkey "$authkey16"
ipsec spigrp "$remote_public_ip" 0x223 tun \
  "$remote_public_ip" 0x225 esp
ipsec eroute --add --src "$ext_private_net/$ext_private_nmask" \
  --dst "$default_net/$default_nmask" \
  --edst "$remote_public_ip" --spi 0x223 --proto tun
# The machine's default route is replaced by one via the ipsec device; per
# the note at the top of this page, anything sent there without a matching
# eroute (here: anything not sourced from the extruded subnet) is dropped.
route del "$default_net"
route add -net "$default_net" netmask "$default_nmask" \
  dev "$ipsecdev" gw "$local_public_nexthop"
ipfwadm -F -i accept -S "$ext_private_net/$ext_private_nmask" \
  -D "$default_net/$default_nmask"
# return path: inbound ESP SA on our own address
ipsec spi --edst "$local_public_ip" --spi 0x235 --proto esp \
  --esp 3des-md5-96 \
  --enckey "$enckey24" \
  --authkey "$authkey16"
# Undo the extruded-subnet setup. The default route is removed and not put
# back, and the interface alias is left configured.
# forward path
ipfwadm -F -d accept -S "$ext_private_net/$ext_private_nmask" \
  -D "$default_net/$default_nmask"
route del "$default_net"
ipsec eroute --del --src "$ext_private_net/$ext_private_nmask" \
  --dst "$default_net/$default_nmask"
# Only the tun head of the spigrp group is named; NOTE(review): confirm on
# your KLIPS version that deleting the head removes the grouped 0x225 esp.
ipsec spi --edst "$remote_public_ip" --spi 0x223 --proto tun --del
# return path
ipsec spi --edst "$local_public_ip" --spi 0x235 --proto esp --del
Assumptions: Both machines have had networking set up and can pass packets.
# Host-to-host AH with HMAC-MD5-96: integrity and origin authentication
# only — the payload travels in clear.
# forward path
ipsec spi --edst "$remote_public_ip" --spi 0x225 --proto ah \
  --ah hmac-md5-96 \
  --authkey "$authkey16"
ipsec eroute --add --src "$local_public_ip/$hmask" \
  --dst "$remote_public_ip/$hmask" \
  --edst "$remote_public_ip" --spi 0x225 --proto ah
route del "$remote_public_ip"
route add -host "$remote_public_ip" dev "$ipsecdev" \
  gw "$local_public_nexthop"
# return path: inbound AH SA on our own address
ipsec spi --edst "$local_public_ip" --spi 0x235 --proto ah \
  --ah hmac-md5-96 \
  --authkey "$authkey16"
# Undo the host-to-host AH (HMAC-MD5-96) setup.
# forward path
route del "$remote_public_ip"
ipsec eroute --del --src "$local_public_ip/$hmask" \
  --dst "$remote_public_ip/$hmask"
ipsec spi --edst "$remote_public_ip" --spi 0x225 --proto ah --del
# return path
ipsec spi --edst "$local_public_ip" --spi 0x235 --proto ah --del
# Host-to-host AH with HMAC-SHA1-96 (20-byte key): integrity and origin
# authentication only — the payload travels in clear.
# forward path
ipsec spi --edst "$remote_public_ip" --spi 0x225 --proto ah \
  --ah hmac-sha1-96 \
  --authkey "$authkey20"
ipsec eroute --add --src "$local_public_ip/$hmask" \
  --dst "$remote_public_ip/$hmask" \
  --edst "$remote_public_ip" --spi 0x225 --proto ah
route del "$remote_public_ip"
route add -host "$remote_public_ip" dev "$ipsecdev" \
  gw "$local_public_nexthop"
# return path: inbound AH SA on our own address
ipsec spi --edst "$local_public_ip" --spi 0x235 --proto ah \
  --ah hmac-sha1-96 \
  --authkey "$authkey20"
# Undo the host-to-host AH (HMAC-SHA1-96) setup; same steps as for MD5.
# forward path
route del "$remote_public_ip"
ipsec eroute --del --src "$local_public_ip/$hmask" \
  --dst "$remote_public_ip/$hmask"
ipsec spi --edst "$remote_public_ip" --spi 0x225 --proto ah --del
# return path
ipsec spi --edst "$local_public_ip" --spi 0x235 --proto ah --del
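# Host-to-host ESP with NULL encryption and HMAC-MD5-96: integrity only,
# no confidentiality — the payload goes on the wire in clear.
# Fix: HMAC-MD5-96 takes the 16-byte key ($authkey16), as every other
# *-md5-96 example on this page does; the original passed the 20-byte
# SHA-1 key ($authkey20).
# forward path
ipsec spi --edst "$remote_public_ip" --spi 0x225 --proto esp \
  --esp null-md5-96 \
  --authkey "$authkey16"
ipsec eroute --add --src "$local_public_ip/$hmask" \
  --dst "$remote_public_ip/$hmask" \
  --edst "$remote_public_ip" --spi 0x225 --proto esp
route del "$remote_public_ip"
route add -host "$remote_public_ip" dev "$ipsecdev" \
  gw "$local_public_nexthop"
# return path: inbound ESP SA on our own address
ipsec spi --edst "$local_public_ip" --spi 0x235 --proto esp \
  --esp null-md5-96 \
  --authkey "$authkey16"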
# Undo the NULL-encryption ESP setup.
# forward path
route del "$remote_public_ip"
ipsec eroute --del --src "$local_public_ip/$hmask" \
  --dst "$remote_public_ip/$hmask"
ipsec spi --edst "$remote_public_ip" --spi 0x225 --proto esp --del
# return path
ipsec spi --edst "$local_public_ip" --spi 0x235 --proto esp --del
# Host-to-host ESP, 3DES encryption with HMAC-MD5-96 authentication.
# forward path: outbound SA, eroute, host route via the ipsec device
ipsec spi --edst "$remote_public_ip" --spi 0x225 --proto esp \
  --esp 3des-md5-96 \
  --enckey "$enckey24" \
  --authkey "$authkey16"
ipsec eroute --add --src "$local_public_ip/$hmask" \
  --dst "$remote_public_ip/$hmask" \
  --edst "$remote_public_ip" --spi 0x225 --proto esp
route del "$remote_public_ip"
route add -host "$remote_public_ip" dev "$ipsecdev" \
  gw "$local_public_nexthop"
# return path: inbound ESP SA on our own address
ipsec spi --edst "$local_public_ip" --spi 0x235 --proto esp \
  --esp 3des-md5-96 \
  --enckey "$enckey24" \
  --authkey "$authkey16"
# Undo the 3DES/HMAC-MD5-96 ESP setup.
# forward path
route del "$remote_public_ip"
ipsec eroute --del --src "$local_public_ip/$hmask" \
  --dst "$remote_public_ip/$hmask"
ipsec spi --edst "$remote_public_ip" --spi 0x225 --proto esp --del
# return path
ipsec spi --edst "$local_public_ip" --spi 0x235 --proto esp --del
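# Host-to-host ESP (3DES, no built-in authentication) grouped with a
# separate AH SA (HMAC-MD5-96) that provides the integrity check.
# Fix: spigrp names existing SAs as (edst, spi, proto) triples; the two
# outbound SAs created just above carry --edst $remote_public_ip, but the
# original grouped $local_public_ip 0x225 esp / 0x226 ah, which this block
# never creates.
# forward path
ipsec spi --edst "$remote_public_ip" --spi 0x225 --proto esp \
  --esp 3des \
  --enckey "$enckey24"
ipsec spi --edst "$remote_public_ip" --spi 0x226 --proto ah \
  --ah hmac-md5-96 \
  --authkey "$authkey16"
ipsec spigrp "$remote_public_ip" 0x225 esp \
  "$remote_public_ip" 0x226 ah
ipsec eroute --add --src "$local_public_ip/$hmask" \
  --dst "$remote_public_ip/$hmask" \
  --edst "$remote_public_ip" --spi 0x225 --proto esp
route del "$remote_public_ip"
route add -host "$remote_public_ip" dev "$ipsecdev" \
  gw "$local_public_nexthop"
# return path: inbound ESP and AH SAs on our own address. They are not
# grouped here, so the teardown has to delete each of them individually.
ipsec spi --edst "$local_public_ip" --spi 0x235 --proto esp \
  --esp 3des \
  --enckey "$enckey24"
ipsec spi --edst "$local_public_ip" --spi 0x236 --proto ah \
  --ah hmac-md5-96 \
  --authkey "$authkey16"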
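# Undo the ESP+AH setup.
# Fix: the setup installs two inbound SAs (0x235 esp and 0x236 ah) that are
# not grouped, but the original teardown deleted only 0x235, leaving the
# 0x236 AH SA installed.
# forward path
route del "$remote_public_ip"
ipsec eroute --del --src "$local_public_ip/$hmask" \
  --dst "$remote_public_ip/$hmask"
# 0x226 ah is grouped behind this SA in the setup; as with the tun+esp
# groups elsewhere on this page only the group head is named here —
# NOTE(review): confirm on your KLIPS version that deleting the head
# removes the grouped SA, otherwise delete 0x226 ah explicitly as well.
ipsec spi --edst "$remote_public_ip" --spi 0x225 --proto esp --del
# return path: both inbound SAs, which were never grouped
ipsec spi --edst "$local_public_ip" --spi 0x235 --proto esp --del
ipsec spi --edst "$local_public_ip" --spi 0x236 --proto ah --del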
# Host-to-host ESP with single DES (8-byte key) and HMAC-MD5-96.
# NOTE(review): single DES has a 56-bit effective key and is considered
# broken; it is kept here only because this section documents it. Prefer
# the 3DES variants above for anything real.
# forward path
ipsec spi --edst "$remote_public_ip" --spi 0x225 --proto esp \
  --esp des-md5-96 \
  --enckey "$enckey8" \
  --authkey "$authkey16"
ipsec eroute --add --src "$local_public_ip/$hmask" \
  --dst "$remote_public_ip/$hmask" \
  --edst "$remote_public_ip" --spi 0x225 --proto esp
route del "$remote_public_ip"
route add -host "$remote_public_ip" dev "$ipsecdev" \
  gw "$local_public_nexthop"
# return path: inbound ESP SA on our own address
ipsec spi --edst "$local_public_ip" --spi 0x235 --proto esp \
  --esp des-md5-96 \
  --enckey "$enckey8" \
  --authkey "$authkey16"
# Undo the DES/HMAC-MD5-96 ESP setup.
# forward path
route del "$remote_public_ip"
ipsec eroute --del --src "$local_public_ip/$hmask" \
  --dst "$remote_public_ip/$hmask"
ipsec spi --edst "$remote_public_ip" --spi 0x225 --proto esp --del
# return path
ipsec spi --edst "$local_public_ip" --spi 0x235 --proto esp --del
# Host-to-host ESP with 3DES and HMAC-SHA1-96 (20-byte authentication key).
# forward path
ipsec spi --edst "$remote_public_ip" --spi 0x225 --proto esp \
  --esp 3des-sha1-96 \
  --enckey "$enckey24" \
  --authkey "$authkey20"
ipsec eroute --add --src "$local_public_ip/$hmask" \
  --dst "$remote_public_ip/$hmask" \
  --edst "$remote_public_ip" --spi 0x225 --proto esp
route del "$remote_public_ip"
route add -host "$remote_public_ip" dev "$ipsecdev" \
  gw "$local_public_nexthop"
# return path: inbound ESP SA on our own address
ipsec spi --edst "$local_public_ip" --spi 0x235 --proto esp \
  --esp 3des-sha1-96 \
  --enckey "$enckey24" \
  --authkey "$authkey20"
# Undo the 3DES/HMAC-SHA1-96 ESP setup.
# forward path
route del "$remote_public_ip"
ipsec eroute --del --src "$local_public_ip/$hmask" \
  --dst "$remote_public_ip/$hmask"
ipsec spi --edst "$remote_public_ip" --spi 0x225 --proto esp --del
# return path
ipsec spi --edst "$local_public_ip" --spi 0x235 --proto esp --del
# Dump every KLIPS /proc status file to check what is currently installed.
cat -- /proc/net/ipsec_*