Diffstat (limited to 'keyexchange/isakmpd-20041012/samples')
-rw-r--r--keyexchange/isakmpd-20041012/samples/Makefile34
-rw-r--r--keyexchange/isakmpd-20041012/samples/VPN-3way-template.conf116
-rw-r--r--keyexchange/isakmpd-20041012/samples/VPN-east.conf50
-rw-r--r--keyexchange/isakmpd-20041012/samples/VPN-west.conf50
-rw-r--r--keyexchange/isakmpd-20041012/samples/policy10
-rw-r--r--keyexchange/isakmpd-20041012/samples/singlehost-east.conf64
-rw-r--r--keyexchange/isakmpd-20041012/samples/singlehost-east.gdb1
-rw-r--r--keyexchange/isakmpd-20041012/samples/singlehost-setup.sh84
-rw-r--r--keyexchange/isakmpd-20041012/samples/singlehost-west.conf64
-rw-r--r--keyexchange/isakmpd-20041012/samples/singlehost-west.gdb1
10 files changed, 474 insertions, 0 deletions
diff --git a/keyexchange/isakmpd-20041012/samples/Makefile b/keyexchange/isakmpd-20041012/samples/Makefile
new file mode 100644
index 0000000..558bd23
--- /dev/null
+++ b/keyexchange/isakmpd-20041012/samples/Makefile
@@ -0,0 +1,34 @@
+# $OpenBSD: Makefile,v 1.2 2003/06/03 14:39:50 ho Exp $
+# $EOM: Makefile,v 1.1 2000/05/01 20:04:53 niklas Exp $
+
+#
+# Copyright (c) 2000 Niklas Hallqvist. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+# IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+# OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+# IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+# NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+# THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+#
+
+FILES= VPN-* policy singlehost-*
+TARGETDIR= /usr/share/ipsec/isakmpd
+
+# The mkdir below is for installation on OpenBSD pre 2.7
+install:
+ @-mkdir -p ${DESTDIR}${TARGETDIR}
+ $(INSTALL) -c -m 0444 ${FILES} ${DESTDIR}${TARGETDIR}
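Review bot: The install rule copies every sample, including the `.conf` files that carry an `Authentication=` pre-shared secret, with mode `0444`, while `singlehost-setup.sh` in the same commit explicitly chmods the conf and policy files to `0600` before starting the daemon (its line `chmod 600 singlehost-east.conf singlehost-west.conf policy`), which suggests isakmpd expects its live configuration to be private. That is fine for reference copies under `/usr/share`, but nothing in the Makefile says so; I would add above `FILES=` the comment `# Reference copies only: a live isakmpd.conf/policy holding real secrets must be owned by the daemon user and mode 0600.` The `FILES= VPN-* policy singlehost-*` glob also sweeps in `singlehost-*.gdb` and `singlehost-setup.sh`, which may or may not be intended for the share directory. As a point of style the rule mixes `$(INSTALL)` and `${DESTDIR}${TARGETDIR}` variable syntax on one line; picking one form would read more cleanly.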
diff --git a/keyexchange/isakmpd-20041012/samples/VPN-3way-template.conf b/keyexchange/isakmpd-20041012/samples/VPN-3way-template.conf
new file mode 100644
index 0000000..b64c801
--- /dev/null
+++ b/keyexchange/isakmpd-20041012/samples/VPN-3way-template.conf
@@ -0,0 +1,116 @@
+# $OpenBSD: VPN-3way-template.conf,v 1.11 2004/02/11 08:55:22 jmc Exp $
+# $EOM: VPN-3way-template.conf,v 1.8 2000/10/09 22:08:30 angelos Exp $
+#
+# A configuration sample for the isakmpd ISAKMP/Oakley (aka IKE) daemon.
+#
+# This is a template file of a VPN setup between three nodes in
+# a fully meshed 'three-way' configuration. Suggested use is to copy
+# this file to all three nodes and then edit them accordingly.
+#
+# These nodes are initially called XXX, YYY and ZZZ.
+#
+# In pseudographics: XXX --- YYY
+# \ /
+# ZZZ
+#
+# In cases where IP/network addresses should be defined values like
+# 192.168.XXX.nnn have been used.
+#
+
+# Incoming phase 1 negotiations are multiplexed on the source IP
+# address. In the three-way VPN, we have two possible peers.
+
+[Phase 1]
+192.168.YYY.nnn= ISAKMP-peer-node-YYY
+192.168.ZZZ.nnn= ISAKMP-peer-node-ZZZ
+
+# These connections are walked over after config file parsing and
+# told to the application layer so that it will inform us when
+# traffic wants to pass over them. This means we can do on-demand
+# keying. In the three-way VPN, each node knows two connections.
+
+[Phase 2]
+Connections= IPsec-Conn-XXX-YYY,IPsec-Conn-XXX-ZZZ
+
+# ISAKMP Phase 1 peer sections
+##############################
+
+[ISAKMP-peer-node-YYY]
+Phase= 1
+Transport= udp
+Address= 192.168.YYY.nnn
+Configuration= Default-main-mode
+Authentication= yoursharedsecretwithYYY
+
+[ISAKMP-peer-node-ZZZ]
+Phase= 1
+Transport= udp
+Address= 192.168.ZZZ.nnn
+Configuration= Default-main-mode
+Authentication= yoursharedsecretwithZZZ
+
+# IPsec Phase 2 sections
+########################
+
+[IPsec-Conn-XXX-YYY]
+Phase= 2
+ISAKMP-peer= ISAKMP-peer-node-YYY
+Configuration= Default-quick-mode
+Local-ID= MyNet-XXX
+Remote-ID= OtherNet-YYY
+
+[IPsec-Conn-XXX-ZZZ]
+Phase= 2
+ISAKMP-peer= ISAKMP-peer-node-ZZZ
+Configuration= Default-quick-mode
+Local-ID= MyNet-XXX
+Remote-ID= OtherNet-ZZZ
+
+# Client ID sections
+####################
+
+[MyNet-XXX]
+ID-type= IPV4_ADDR_SUBNET
+Network= 192.168.XXX.0
+Netmask= 255.255.255.0
+
+[OtherNet-YYY]
+ID-type= IPV4_ADDR_SUBNET
+Network= 192.168.YYY.0
+Netmask= 255.255.255.0
+
+[OtherNet-ZZZ]
+ID-type= IPV4_ADDR_SUBNET
+Network= 192.168.ZZZ.0
+Netmask= 255.255.255.0
+
+#
+# There is no more node-specific configuration below this point.
+#
+
+# Main mode descriptions
+
+[Default-main-mode]
+DOI= IPSEC
+EXCHANGE_TYPE= ID_PROT
+Transforms= 3DES-SHA,3DES-MD5
+
+[Blowfish-main-mode]
+DOI= IPSEC
+EXCHANGE_TYPE= ID_PROT
+Transforms= BLF-SHA-M1024
+
+# Quick mode description
+########################
+
+[Default-quick-mode]
+DOI= IPSEC
+EXCHANGE_TYPE= QUICK_MODE
+Suites= QM-ESP-AES-SHA-PFS-SUITE
+
+[Blowfish-quick-mode]
+DOI= IPSEC
+EXCHANGE_TYPE= QUICK_MODE
+Suites= QM-ESP-BLF-SHA-PFS-SUITE
+#Suites= QM-ESP-BLF-SHA-SUITE
+
diff --git a/keyexchange/isakmpd-20041012/samples/VPN-east.conf b/keyexchange/isakmpd-20041012/samples/VPN-east.conf
new file mode 100644
index 0000000..04d0bb9
--- /dev/null
+++ b/keyexchange/isakmpd-20041012/samples/VPN-east.conf
@@ -0,0 +1,50 @@
+# $OpenBSD: VPN-east.conf,v 1.13 2003/03/16 08:13:02 matthieu Exp $
+# $EOM: VPN-east.conf,v 1.12 2000/10/09 22:08:30 angelos Exp $
+
+# A configuration sample for the isakmpd ISAKMP/Oakley (aka IKE) daemon.
+#
+# The network topology of the example net is like this:
+#
+# 192.168.11.0/24 - west [.11] - 10.1.0.0/24 - [.12] east - 192.168.12.0/24
+#
+# "west" and "east" are the respective security gateways (aka VPN-nodes).
+
+[Phase 1]
+10.1.0.11= ISAKMP-peer-west
+
+[Phase 2]
+Connections= IPsec-east-west
+
+[ISAKMP-peer-west]
+Phase= 1
+Transport= udp
+Address= 10.1.0.11
+Configuration= Default-main-mode
+Authentication= mekmitasdigoat
+
+[IPsec-east-west]
+Phase= 2
+ISAKMP-peer= ISAKMP-peer-west
+Configuration= Default-quick-mode
+Local-ID= Net-east
+Remote-ID= Net-west
+
+[Net-west]
+ID-type= IPV4_ADDR_SUBNET
+Network= 192.168.11.0
+Netmask= 255.255.255.0
+
+[Net-east]
+ID-type= IPV4_ADDR_SUBNET
+Network= 192.168.12.0
+Netmask= 255.255.255.0
+
+[Default-main-mode]
+DOI= IPSEC
+EXCHANGE_TYPE= ID_PROT
+Transforms= 3DES-SHA
+
+[Default-quick-mode]
+DOI= IPSEC
+EXCHANGE_TYPE= QUICK_MODE
+Suites= QM-ESP-AES-SHA-PFS-SUITE
diff --git a/keyexchange/isakmpd-20041012/samples/VPN-west.conf b/keyexchange/isakmpd-20041012/samples/VPN-west.conf
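Review bot: `Authentication= mekmitasdigoat` is the same literal sample secret that also appears in `VPN-west.conf`, `singlehost-east.conf`, `singlehost-west.conf` and as the `passphrase:` licensee in `policy` in this commit, so anyone who starts from these samples and forgets to change it ends up with a well-known shared secret on a real gateway. The header comment describes the topology but not this; I would add, directly above the `Authentication=` line, `# Sample value shared by every file in samples/ -- replace before use and set the identical secret on the peer.` The same note applies to the other files just named; I have not repeated it there.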
new file mode 100644
index 0000000..5b3a8f6
--- /dev/null
+++ b/keyexchange/isakmpd-20041012/samples/VPN-west.conf
@@ -0,0 +1,50 @@
+# $OpenBSD: VPN-west.conf,v 1.14 2003/03/16 08:13:02 matthieu Exp $
+# $EOM: VPN-west.conf,v 1.13 2000/10/09 22:08:30 angelos Exp $
+
+# A configuration sample for the isakmpd ISAKMP/Oakley (aka IKE) daemon.
+#
+# The network topology of the example net is like this:
+#
+# 192.168.11.0/24 - west [.11] - 10.1.0.0/24 - [.12] east - 192.168.12.0/24
+#
+# "west" and "east" are the respective security gateways (aka VPN-nodes).
+
+[Phase 1]
+10.1.0.12= ISAKMP-peer-east
+
+[Phase 2]
+Connections= IPsec-west-east
+
+[ISAKMP-peer-east]
+Phase= 1
+Transport= udp
+Address= 10.1.0.12
+Configuration= Default-main-mode
+Authentication= mekmitasdigoat
+
+[IPsec-west-east]
+Phase= 2
+ISAKMP-peer= ISAKMP-peer-east
+Configuration= Default-quick-mode
+Local-ID= Net-west
+Remote-ID= Net-east
+
+[Net-west]
+ID-type= IPV4_ADDR_SUBNET
+Network= 192.168.11.0
+Netmask= 255.255.255.0
+
+[Net-east]
+ID-type= IPV4_ADDR_SUBNET
+Network= 192.168.12.0
+Netmask= 255.255.255.0
+
+[Default-main-mode]
+DOI= IPSEC
+EXCHANGE_TYPE= ID_PROT
+Transforms= 3DES-SHA
+
+[Default-quick-mode]
+DOI= IPSEC
+EXCHANGE_TYPE= QUICK_MODE
+Suites= QM-ESP-AES-SHA-PFS-SUITE
diff --git a/keyexchange/isakmpd-20041012/samples/policy b/keyexchange/isakmpd-20041012/samples/policy
new file mode 100644
index 0000000..0e194aa
--- /dev/null
+++ b/keyexchange/isakmpd-20041012/samples/policy
@@ -0,0 +1,10 @@
+KeyNote-Version: 2
+Comment: This policy accepts ESP SAs from a remote that uses the right password
+ $OpenBSD: policy,v 1.6 2001/06/20 16:36:19 angelos Exp $
+ $EOM: policy,v 1.6 2000/10/09 22:08:30 angelos Exp $
+Authorizer: "POLICY"
+Licensees: "passphrase:mekmitasdigoat"
+Conditions: app_domain == "IPsec policy" &&
+ esp_present == "yes" &&
+ esp_enc_alg == "aes" &&
+ esp_auth_alg == "hmac-sha" -> "true";
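Review bot: The `Conditions:` clause constrains only the SA attributes (ESP present, `aes`, `hmac-sha`), and the `Licensees:` line grants it to anyone presenting the `mekmitasdigoat` passphrase, so the policy authorises the SA regardless of which address the peer comes from or which networks it proposes to cover; the `Comment:` field's "from a remote that uses the right password" describes exactly that, but a reader may not realise nothing else is checked. For the single-host loopback test that is acceptable, yet because this file ships alongside the `VPN-*.conf` samples I would state it in the Comment, e.g. `Comment: Test policy -- accepts AES/HMAC-SHA ESP SAs from any peer holding the passphrase; a deployed policy should also constrain the peer and traffic selectors (see isakmpd.policy(5))`. Note too that the `$OpenBSD`/`$EOM` ident lines sit on indented continuation lines of `Comment:`, so they become part of that field's value rather than standing as comments; if that is intentional it deserves a word.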
diff --git a/keyexchange/isakmpd-20041012/samples/singlehost-east.conf b/keyexchange/isakmpd-20041012/samples/singlehost-east.conf
new file mode 100644
index 0000000..f0afc46
--- /dev/null
+++ b/keyexchange/isakmpd-20041012/samples/singlehost-east.conf
@@ -0,0 +1,64 @@
+# $OpenBSD: singlehost-east.conf,v 1.10 2000/11/23 12:56:25 niklas Exp $
+# $EOM: singlehost-east.conf,v 1.10 2000/11/23 12:24:43 niklas Exp $
+
+# A configuration sample for the isakmpd ISAKMP/Oakley (aka IKE) daemon.
+
+[General]
+Listen-on= 10.1.0.12
+Shared-SADB= Defined
+Policy-File= policy
+
+[Phase 1]
+10.1.0.11= ISAKMP-peer-west
+Default= ISAKMP-peer-west-aggressive
+
+[Phase 2]
+Connections= IPsec-east-west
+
+[ISAKMP-peer-west]
+Phase= 1
+Transport= udp
+Local-address= 10.1.0.12
+Address= 10.1.0.11
+Configuration= Default-main-mode
+Authentication= mekmitasdigoat
+
+[ISAKMP-peer-west-aggressive]
+Phase= 1
+Transport= udp
+Local-address= 10.1.0.12
+Address= 10.1.0.11
+Configuration= Default-aggressive-mode
+Authentication= mekmitasdigoat
+
+[IPsec-east-west]
+Phase= 2
+ISAKMP-peer= ISAKMP-peer-west
+Configuration= Default-quick-mode
+Local-ID= Net-east
+Remote-ID= Net-west
+
+[Net-west]
+ID-type= IPV4_ADDR_SUBNET
+Network= 192.168.11.0
+Netmask= 255.255.255.0
+
+[Net-east]
+ID-type= IPV4_ADDR_SUBNET
+Network= 192.168.12.0
+Netmask= 255.255.255.0
+
+[Default-main-mode]
+DOI= IPSEC
+EXCHANGE_TYPE= ID_PROT
+Transforms= 3DES-SHA
+
+[Default-aggressive-mode]
+DOI= IPSEC
+EXCHANGE_TYPE= AGGRESSIVE
+Transforms= 3DES-SHA-RSA
+
+[Default-quick-mode]
+DOI= IPSEC
+EXCHANGE_TYPE= QUICK_MODE
+Suites= QM-ESP-AES-SHA-PFS-SUITE
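Review bot: `Default= ISAKMP-peer-west-aggressive` in `[Phase 1]` makes an aggressive-mode section the fallback for any initiator whose address is not listed above it, and that section (`ISAKMP-peer-west-aggressive`) carries the same `Authentication= mekmitasdigoat` secret as the main-mode peer. In aggressive mode the identity and the authentication hash travel before the exchange is encrypted, so the pre-shared secret is exposed to offline guessing by anyone who can observe the handshake; harmless while `Listen-on= 10.1.0.12` is a loopback address, but dangerous if the file is reused as a template. I would add above the `Default=` line: `# Fallback for initiators not matched above. Aggressive mode reveals the PSK-derived hash to a passive observer -- keep this only for the loopback test.` `singlehost-west.conf` has the identical `Default= ISAKMP-peer-east-aggressive` construction and needs the same comment. Whether `Transforms= 3DES-SHA-RSA` in `Default-aggressive-mode` actually uses the `Authentication=` value (RSA signatures versus the PSK) is not visible here and would be worth a line as well.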
diff --git a/keyexchange/isakmpd-20041012/samples/singlehost-east.gdb b/keyexchange/isakmpd-20041012/samples/singlehost-east.gdb
new file mode 100644
index 0000000..a41df0d
--- /dev/null
+++ b/keyexchange/isakmpd-20041012/samples/singlehost-east.gdb
@@ -0,0 +1 @@
+r -d -D0=99 -D1=99 -D2=99 -D3=99 -D4=99 -D5=99 -feast.fifo -c../samples/singlehost-east.conf
diff --git a/keyexchange/isakmpd-20041012/samples/singlehost-setup.sh b/keyexchange/isakmpd-20041012/samples/singlehost-setup.sh
new file mode 100644
index 0000000..818ce2d
--- /dev/null
+++ b/keyexchange/isakmpd-20041012/samples/singlehost-setup.sh
@@ -0,0 +1,84 @@
+#!/bin/sh
+# $OpenBSD: singlehost-setup.sh,v 1.5 2003/08/18 09:41:40 markus Exp $
+# $EOM: singlehost-setup.sh,v 1.3 2000/11/23 12:24:43 niklas Exp $
+
+# A script to test single-host VPNs
+
+# For the 'pf' variable
+. /etc/rc.conf
+
+# Default paths
+PFCTL=/sbin/pfctl
+ISAKMPD=/sbin/isakmpd
+
+do_routes()
+{
+ /sbin/route $1 -net 192.168.11.0/24 192.168.11.1 -iface >/dev/null
+ /sbin/route $1 -net 192.168.12.0/24 192.168.12.1 -iface >/dev/null
+ /sbin/route $1 -net 10.1.0.0/16 10.1.0.11 -iface >/dev/null
+}
+
+# Called on script exit
+cleanup () {
+ if [ "x${pf}" = "xYES" -a -f ${pf_rules} ]; then
+ ${PFCTL} -R -f ${pf_rules}
+ else
+ ${PFCTL} -qd
+ fi
+
+ USER=`id -p | grep ^login | cut -f2`
+ chown $USER singlehost-east.conf singlehost-west.conf policy
+ chmod 644 singlehost-east.conf singlehost-west.conf policy
+
+ [ -p east.fifo ] && echo "Q" >> east.fifo
+ [ -p west.fifo ] && echo "Q" >> west.fifo
+ rm -f east.fifo west.fifo
+
+ do_routes delete
+}
+
+# Start by initializing interfaces
+/sbin/ifconfig lo2 192.168.11.1 netmask 0xffffff00 up
+/sbin/ifconfig lo3 192.168.12.1 netmask 0xffffff00 up
+/sbin/ifconfig lo4 10.1.0.11 netmask 0xffff0000 up
+/sbin/ifconfig lo5 10.1.0.12 netmask 0xffff0000 up
+# ... and by adding the required routes
+do_routes add
+
+# Add rules
+(
+ cat <<EOF
+pass out quick on lo2 proto 50 all
+pass out quick on lo2 from 192.168.11.0/24 to any
+pass out quick on lo3 proto 50 all
+pass out quick on lo3 from 192.168.12.0/24 to any
+block out on lo2 all
+block out on lo3 all
+EOF
+ if [ "x${pf}" = "xYES" -a -f ${pf_rules} ]; then
+ cat ${pf_rules} | egrep -v '^(scrub|rdr|binat|nat)'
+ else
+ pfctl -qe >/dev/null
+ fi
+) | pfctl -R -f -
+
+trap cleanup 1 2 3 15
+
+# The configuration files needs proper owners and modes
+USER=`id -p | grep ^uid | cut -f2`
+chown $USER singlehost-east.conf singlehost-west.conf policy
+chmod 600 singlehost-east.conf singlehost-west.conf policy
+
+# Start the daemons
+rm -f east.fifo west.fifo
+${ISAKMPD} -c singlehost-east.conf -f east.fifo "$@"
+${ISAKMPD} -c singlehost-west.conf -f west.fifo "$@"
+
+# Give them some time to negotiate their stuff...
+SECS=3
+echo "Waiting $SECS seconds..."
+sleep $SECS
+echo "Running 'ping', using the tunnel..."
+ping -I 192.168.11.1 -c 5 192.168.12.1
+
+cleanup
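Review bot: `trap cleanup 1 2 3 15` is not installed until after the loopback interfaces, the routes (`do_routes add`) and the pf ruleset (`pfctl -R -f -`) have already been put in place, so an interrupt anywhere between the first `ifconfig` and the `trap` line leaves the host with the test addresses, routes and the `block out on lo2/lo3` rules still active and no cleanup run. Moving `trap cleanup 1 2 3 15` to just above the first `/sbin/ifconfig` line fixes that; `cleanup` already tolerates missing fifos (`[ -p ... ]`) and `do_routes` only redirects stdout, so a premature run is mostly harmless apart from stray error text. The `pf_rules` variable is taken on trust from `/etc/rc.conf`: if it is unset, `-f ${pf_rules}` degrades to a bare `-f` inside `[ ... -a ... ]`, so quoting it (`-f "${pf_rules}"`) would make the test well-defined. As a matter of style the script sets `PFCTL=/sbin/pfctl` but then calls bare `pfctl` at the two sites inside the rule-building subshell and after it, and defines `do_routes()` and `cleanup ()` with two different function-header forms.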
diff --git a/keyexchange/isakmpd-20041012/samples/singlehost-west.conf b/keyexchange/isakmpd-20041012/samples/singlehost-west.conf
new file mode 100644
index 0000000..40538a3
--- /dev/null
+++ b/keyexchange/isakmpd-20041012/samples/singlehost-west.conf
@@ -0,0 +1,64 @@
+# $OpenBSD: singlehost-west.conf,v 1.11 2003/08/20 14:43:36 ho Exp $
+# $EOM: singlehost-west.conf,v 1.10 2000/11/23 12:24:43 niklas Exp $
+
+# A configuration sample for the isakmpd ISAKMP/Oakley (aka IKE) daemon.
+
+[General]
+Listen-on= 10.1.0.11
+Shared-SADB= Defined
+Policy-File= policy
+
+[Phase 1]
+10.1.0.12= ISAKMP-peer-east
+Default= ISAKMP-peer-east-aggressive
+
+[Phase 2]
+Connections= IPsec-west-east
+
+[ISAKMP-peer-east]
+Phase= 1
+Transport= udp
+Local-address= 10.1.0.11
+Address= 10.1.0.12
+Configuration= Default-main-mode
+Authentication= mekmitasdigoat
+
+[ISAKMP-peer-east-aggressive]
+Phase= 1
+Transport= udp
+Local-address= 10.1.0.11
+Address= 10.1.0.12
+Configuration= Default-aggressive-mode
+Authentication= mekmitasdigoat
+
+[IPsec-west-east]
+Phase= 2
+ISAKMP-peer= ISAKMP-peer-east
+Configuration= Default-quick-mode
+Local-ID= Net-west
+Remote-ID= Net-east
+
+[Net-west]
+ID-type= IPV4_ADDR_SUBNET
+Network= 192.168.11.0
+Netmask= 255.255.255.0
+
+[Net-east]
+ID-type= IPV4_ADDR_SUBNET
+Network= 192.168.12.0
+Netmask= 255.255.255.0
+
+[Default-main-mode]
+DOI= IPSEC
+EXCHANGE_TYPE= ID_PROT
+Transforms= 3DES-SHA
+
+[Default-aggressive-mode]
+DOI= IPSEC
+EXCHANGE_TYPE= AGGRESSIVE
+Transforms= 3DES-SHA-RSA
+
+[Default-quick-mode]
+DOI= IPSEC
+EXCHANGE_TYPE= QUICK_MODE
+Suites= QM-ESP-AES-SHA-PFS-SUITE
diff --git a/keyexchange/isakmpd-20041012/samples/singlehost-west.gdb b/keyexchange/isakmpd-20041012/samples/singlehost-west.gdb
new file mode 100644
index 0000000..5315e46
--- /dev/null
+++ b/keyexchange/isakmpd-20041012/samples/singlehost-west.gdb
@@ -0,0 +1 @@
+r -d -D0=99 -D1=99 -D2=99 -D3=99 -D4=99 -D5=99 -fwest.fifo -c../samples/singlehost-west.conf