
by JoKeru

IPSec Transport Mode with Manual Keys

Server_1 - 192.168.1.1

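$ apt-get install ipsec-tools
$ cat <<'EOF' > /etc/ipsec-tools.conf
#!/usr/sbin/setkey -f
## Manually keyed IPsec (AH + ESP, transport mode) between 192.168.1.1 and
## 192.168.1.2. The SAME "add" lines (keys and SPIs) must be installed on both
## hosts; only the spdadd selectors at the bottom differ per host.
##
## Manual-keying caveats: the keys never rotate, and a manually added SA gets
## no anti-replay window unless one is requested with "-r <size>" on the add
## line (see setkey(8)), so captured packets can be replayed. Prefer IKE
## (racoon/strongSwan) for anything beyond a lab.

## Flush the SAD and SPD so stale SAs/policies do not linger next to the new ones
## SAD = Security Association Database
## SPD = Security Policy Database
flush;
spdflush;

## AH = Authentication Header (integrity and origin authentication; it also
## covers the outer IP header, so AH in transport mode does not survive NAT)
## hmac-sha256 keys are 256 bits long - generate each one with:
##   head -c 32 /dev/urandom | xxd -p -c 32
## The values below are EXAMPLES for this page: generate your own. Anyone who
## can read this file can decrypt and forge the traffic.
add 192.168.1.1 192.168.1.2 ah 0x100 -A hmac-sha256 0x4f1c9e2b7a63d805c2e41b976d0f3a58e9b2c7d10348f6a55b7d2e9c81a4f063;
add 192.168.1.2 192.168.1.1 ah 0x200 -A hmac-sha256 0x9d3e5a71c04b8f261e7f6a32b5d9c4802a6ce7f348b1d9057c3f9e2ad16b0485;

## ESP = Encapsulating Security Payload (confidentiality only here - the ESP
## SAs carry no "-A", integrity comes from the AH SAs the policy also requires)
## aes-cbc with 256-bit keys (setkey also accepts 128/192) - generate with:
##   head -c 32 /dev/urandom | xxd -p -c 32
add 192.168.1.1 192.168.1.2 esp 0x101 -E aes-cbc 0x3b8fd6a072e1c459f4a7b8230c6d9e15a5e2f8b7c19d30466e0b4d7a2f93c851;
add 192.168.1.2 192.168.1.1 esp 0x201 -E aes-cbc 0xc7a2e4f91b58d0368e3c6a71d94f25b057e0c3a86f2b1d94a4c8e5073d6f9b12;

## Security Policies - these are direction-specific (this is the 192.168.1.1 side)
## Outbound: packets from .1 to .2 must carry ESP and AH
spdadd 192.168.1.1 192.168.1.2 any -P out ipsec esp/transport//require ah/transport//require;
## Inbound: packets arrive from .2 to .1, so the selector is src=.2 dst=.1.
## Written the other way round (src=.1 dst=.2) the "in" policy never matches
## any received packet, and unprotected cleartext from .2 is silently accepted.
spdadd 192.168.1.2 192.168.1.1 any -P in ipsec esp/transport//require ah/transport//require;
EOF
## The file holds symmetric keys: root read/write only, no group or world access.
## The init script feeds it to "setkey -f", so it does not need the execute bit.
$ chown root:root /etc/ipsec-tools.conf
$ chmod 600 /etc/ipsec-tools.conf

## Load the SAs and policies; "stop" flushes them again
$ /etc/init.d/setkey start
$ /etc/init.d/setkey stop

## Inspect / clear by hand: -D dumps the SAD, -DP the SPD; -F / -FP flush them
$ setkey -D
$ setkey -DP
$ setkey -F
$ setkey -FP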

Server_2 - 192.168.1.2

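$ apt-get install ipsec-tools
$ cat <<'EOF' > /etc/ipsec-tools.conf
#!/usr/sbin/setkey -f
## Manually keyed IPsec (AH + ESP, transport mode) between 192.168.1.1 and
## 192.168.1.2. The SAME "add" lines (keys and SPIs) must be installed on both
## hosts; only the spdadd selectors at the bottom differ per host.
##
## Manual-keying caveats: the keys never rotate, and a manually added SA gets
## no anti-replay window unless one is requested with "-r <size>" on the add
## line (see setkey(8)), so captured packets can be replayed. Prefer IKE
## (racoon/strongSwan) for anything beyond a lab.

## Flush the SAD and SPD so stale SAs/policies do not linger next to the new ones
## SAD = Security Association Database
## SPD = Security Policy Database
flush;
spdflush;

## AH = Authentication Header (integrity and origin authentication; it also
## covers the outer IP header, so AH in transport mode does not survive NAT)
## hmac-sha256 keys are 256 bits long - generate each one with:
##   head -c 32 /dev/urandom | xxd -p -c 32
## The values below are EXAMPLES for this page: generate your own. Anyone who
## can read this file can decrypt and forge the traffic.
add 192.168.1.1 192.168.1.2 ah 0x100 -A hmac-sha256 0x4f1c9e2b7a63d805c2e41b976d0f3a58e9b2c7d10348f6a55b7d2e9c81a4f063;
add 192.168.1.2 192.168.1.1 ah 0x200 -A hmac-sha256 0x9d3e5a71c04b8f261e7f6a32b5d9c4802a6ce7f348b1d9057c3f9e2ad16b0485;

## ESP = Encapsulating Security Payload (confidentiality only here - the ESP
## SAs carry no "-A", integrity comes from the AH SAs the policy also requires)
## aes-cbc with 256-bit keys (setkey also accepts 128/192) - generate with:
##   head -c 32 /dev/urandom | xxd -p -c 32
add 192.168.1.1 192.168.1.2 esp 0x101 -E aes-cbc 0x3b8fd6a072e1c459f4a7b8230c6d9e15a5e2f8b7c19d30466e0b4d7a2f93c851;
add 192.168.1.2 192.168.1.1 esp 0x201 -E aes-cbc 0xc7a2e4f91b58d0368e3c6a71d94f25b057e0c3a86f2b1d94a4c8e5073d6f9b12;

## Security Policies - these are direction-specific (this is the 192.168.1.2 side)
## Outbound: packets from .2 to .1 must carry ESP and AH
spdadd 192.168.1.2 192.168.1.1 any -P out ipsec esp/transport//require ah/transport//require;
## Inbound: packets arrive from .1 to .2, so the selector is src=.1 dst=.2.
## Written the other way round (src=.2 dst=.1) the "in" policy never matches
## any received packet, and unprotected cleartext from .1 is silently accepted.
spdadd 192.168.1.1 192.168.1.2 any -P in ipsec esp/transport//require ah/transport//require;
EOF
## The file holds symmetric keys: root read/write only, no group or world access.
## The init script feeds it to "setkey -f", so it does not need the execute bit.
$ chown root:root /etc/ipsec-tools.conf
$ chmod 600 /etc/ipsec-tools.conf

## Load the SAs and policies; "stop" flushes them again
$ /etc/init.d/setkey start
$ /etc/init.d/setkey stop

## Inspect / clear by hand: -D dumps the SAD, -DP the SPD; -F / -FP flush them
$ setkey -D
$ setkey -DP
$ setkey -F
$ setkey -FP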

Source: http://www.linux360.ro/forum/tutoriale/rutare-avansata-in-linux-si-controlul-traficului-t8996.html
