Changed manual key configuration for IPsec

Shoichi Sakane, KAME Project
$Id: index.html,v 1.2 2001/09/12 13:39:13 sakane Exp $

Introduction

IPsec policy and key management on KAME stack has big difference from its old version. If you use 19990906 snapshot or later, also stable, YOU MUST TAKE SOME CARE OF IPSEC CONFIGURATION.

Points of the modification


Some Samples

There are sample scripts for IPsec configuration by manual keying. A security association is uniquely identified by a triple consisting of a Security Parameter Index (SPI), an IP Destination Address, and a security protocol (AH or ESP) identifier. But IP Source Address is necessary to specify a source address in IP header. It is important for receiver to decide to accept a packet you sent. You must take care of these parameters when you configure by manual keying.

Transport mode between two hosts

ESP transport mode is recommended for TCP port number 110 between Host-A and Host-B.
	      ============ ESP ============
	      |                           |
	   Host-A                        Host-B
	  fec0::10 -------------------- fec0::11
Encryption algorithm is blowfish-cbc whose key is "kamekame", and authentication algorithm is hmac-sha1 whose key is "this is the test key".
Configuration at Host-A:
	# setkey -c <<EOF
	spdadd fec0::10[any] fec0::11[110] tcp -P out ipsec
		esp/transport/fec0::10-fec0::11/use ;
	spdadd fec0::11[110] fec0::10[any] tcp -P in ipsec
		esp/transport/fec0::11-fec0::10/use ;
	add fec0::10 fec0::11 esp 0x10001
		-m transport
		-E blowfish-cbc "kamekame"
		-A hmac-sha1 "this is the test key" ;
	add fec0::11 fec0::10 esp 0x10002
		-m transport
		-E blowfish-cbc "kamekame"
		-A hmac-sha1 "this is the test key" ;
	EOF
and at Host-B:
	# setkey -c <<EOF
	spdadd fec0::11[110] fec0::10[any] tcp -P out ipsec
		esp/transport/fec0::11-fec0::10/use ;
	spdadd fec0::10[any] fec0::11[110] tcp -P in ipsec
		esp/transport/fec0::10-fec0::11/use ;
	add fec0::10 fec0::11 esp 0x10001 -m transport
		-E blowfish-cbc "kamekame"
		-A hmac-sha1 "this is the test key" ;
	add fec0::11 fec0::10 esp 0x10002 -m transport
		-E blowfish-cbc "kamekame"
		-A hmac-sha1 "this is the test key" ;
	EOF
Note the direction of SP.

Tunnel mode between two security gateways

Security protocol is old AH tunnel mode, i.e. specified by RFC1826, with keyed-md5 whose key is "this is the test" as authentication algorithm.
			       ======= AH =======
			       |                |
	   Network-A       Gateway-A        Gateway-B        Network-B
	  10.0.1.0/24 ---- 172.16.0.1 ----- 172.16.0.2 ---- 10.0.2.0/24

Configuration at Gateway-A:
	# setkey -c <<EOF
	spdadd 10.0.1.0/24 10.0.2.0/24 any -P out ipsec
		ah/tunnel/172.16.0.1-172.16.0.2/require ;
	spdadd 10.0.2.0/24 10.0.1.0/24 any -P in ipsec
		ah/tunnel/172.16.0.2-172.16.0.1/require ;
	add 172.16.0.1 172.16.0.2 ah-old 0x10003 -m any
		-A keyed-md5 "this is the test" ;
	add 172.16.0.2 172.16.0.1 ah-old 0x10004 -m any
		-A keyed-md5 "this is the test" ;
If port number field is omitted such above then "[any]" is employed. `-m' specifies the mode of SA to be used. "-m any" means wild-card of mode of security protocol. You can use this SA for both tunnel and transport mode.

and at Gateway-B:

	# setkey -c <<EOF
	spdadd 10.0.2.0/24 10.0.1.0/24 any -P out ipsec
		ah/tunnel/172.16.0.2-172.16.0.1/require ;
	spdadd 10.0.1.0/24 10.0.2.0/24 any -P in ipsec
		ah/tunnel/172.16.0.1-172.16.0.2/require ;
	add 172.16.0.1 172.16.0.2 ah-old 0x10003 -m any
		-A keyed-md5 "this is the test" ;
	add 172.16.0.2 172.16.0.1 ah-old 0x10004 -m any
		-A keyed-md5 "this is the test" ;

Making SA bundle between two security gateways

AH transport mode and ESP tunnel mode is required between Gateway-A and Gateway-B. In this case, ESP tunnel mode is applied first, and AH transport mode is next.
				  ========== AH =========
				  |  ======= ESP =====  |
				  |  |               |  |
	     Network-A          Gateway-A        Gateway-B           Network-B
	  fec0:0:0:1::/64 --- fec0:0:0:1::1 ---- fec0:0:0:2::1 --- fec0:0:0:2::/64
Encryption algorithm is 3des-cbc, and authentication algorithm for ESP is hmac-sha1. Authentication algorithm for AH is hmac-md5.
Configuration at Gateway-A:
	# setkey -c <<EOF
	spdadd fec0:0:0:1::/64 fec0:0:0:2::/64 any -P out ipsec
		esp/tunnel/fec0:0:0:1::1-fec0:0:0:2::1/require
		ah/transport/fec0:0:0:1::1-fec0:0:0:2::1/require ;
	spdadd fec0:0:0:2::/64 fec0:0:0:1::/64 any -P in ipsec
		esp/tunnel/fec0:0:0:2::1-fec0:0:0:1::1/require
		ah/transport/fec0:0:0:2::1-fec0:0:0:1::1/require ;
	add fec0:0:0:1::1 fec0:0:0:2::1 esp 0x10001 -m tunnel
		-E 3des-cbc "kamekame12341234kame1234"
		-A hmac-sha1 "this is the test key" ;
	add fec0:0:0:1::1 fec0:0:0:2::1 ah 0x10001 -m transport
		-A hmac-md5 "this is the test" ;
	add fec0:0:0:2::1 fec0:0:0:1::1 esp 0x10001 -m tunnel
		-E 3des-cbc "kamekame12341234kame1234"
		-A hmac-sha1 "this is the test key" ;
	add fec0:0:0:2::1 fec0:0:0:1::1 ah 0x10001 -m transport
		-A hmac-md5 "this is the test" ;

Making SAs with the different end

ESP tunnel mode is required between Host-A and Gateway-A. Encryption algorithm is cast128-cbc, and authentication algorithm for ESP is hmac-sha1. ESP transport mode is recommended between Host-A and Host-B. Encryption algorithm is rc5-cbc, and authentication algorithm for ESP is hmac-md5.
	      ================== ESP =================
	      |  ======= ESP =======                 |
	      |  |                 |                 |
	     Host-A            Gateway-A           Host-B
	  fec0:0:0:1::1 ---- fec0:0:0:2::1 ---- fec0:0:0:2::2
Configuration at Host-A:
	# setkey -c <<EOF
	spdadd fec0:0:0:1::1[any] fec0:0:0:2::2[80] tcp -P out ipsec
		esp/transport/fec0:0:0:1::1-fec0:0:0:2::2/use
		esp/tunnel/fec0:0:0:1::1-fec0:0:0:2::1/require ;
	spdadd fec0:0:0:2::1[80] fec0:0:0:1::1[any] tcp -P in ipsec
		esp/transport/fec0:0:0:2::2-fec0:0:0:l::1/use
		esp/tunnel/fec0:0:0:2::1-fec0:0:0:1::1/require ;
	add fec0:0:0:1::1 fec0:0:0:2::2 esp 0x10001
		-m transport
		-E cast128-cbc "12341234"
		-A hmac-sha1 "this is the test key" ;
	add fec0:0:0:1::1 fec0:0:0:2::1 esp 0x10002
		-E rc5-cbc "kamekame"
		-A hmac-md5 "this is the test" ;
	add fec0:0:0:2::2 fec0:0:0:1::1 esp 0x10003
		-m transport
		-E cast128-cbc "12341234"
		-A hmac-sha1 "this is the test key" ;
	add fec0:0:0:2::1 fec0:0:0:1::1 esp 0x10004
		-E rc5-cbc "kamekame"
		-A hmac-md5 "this is the test" ;

KAME top page
Copyright (c) 1998, 1999, 2000, 2001, 2002, and 2003 by the author (indicated separately). All rights reserved. Freely redistributable. Absolutely no warranty.