Diffstat (limited to 'keyexchange/isakmpd-20041012/samples')
10 files changed, 474 insertions, 0 deletions
diff --git a/keyexchange/isakmpd-20041012/samples/Makefile b/keyexchange/isakmpd-20041012/samples/Makefile
new file mode 100644
index 0000000..558bd23
--- /dev/null
+++ b/keyexchange/isakmpd-20041012/samples/Makefile
@@ -0,0 +1,34 @@
+# $OpenBSD: Makefile,v 1.2 2003/06/03 14:39:50 ho Exp $
+# $EOM: Makefile,v 1.1 2000/05/01 20:04:53 niklas Exp $
+
+#
+# Copyright (c) 2000 Niklas Hallqvist. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+# IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+# OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+# IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+# NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+# THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+#
+
+FILES= VPN-* policy singlehost-*
+TARGETDIR= /usr/share/ipsec/isakmpd
+
+# The mkdir below is for installation on OpenBSD pre 2.7
+install:
+ @-mkdir -p ${DESTDIR}${TARGETDIR}
+ $(INSTALL) -c -m 0444 ${FILES} ${DESTDIR}${TARGETDIR}
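Review bot: `$(INSTALL)` in the last line of the `install` rule is never defined in this Makefile, so under a make that does not preset it (BSD make's sys.mk does, GNU make does not) the recipe expands to `-c -m 0444 …` and fails; add `INSTALL?= install` beside `TARGETDIR=`. Mode 0444 is fine for reference copies under `/usr/share`, but the samples carry literal `Authentication=` secrets and the accompanying singlehost-setup.sh does `chmod 600` on them before handing them to the daemon, so a comment on the `install:` rule saying that working copies need a restrictive mode would keep a reader from copying them as-is.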
diff --git a/keyexchange/isakmpd-20041012/samples/VPN-3way-template.conf b/keyexchange/isakmpd-20041012/samples/VPN-3way-template.conf
new file mode 100644
index 0000000..b64c801
--- /dev/null
+++ b/keyexchange/isakmpd-20041012/samples/VPN-3way-template.conf
@@ -0,0 +1,116 @@
+# $OpenBSD: VPN-3way-template.conf,v 1.11 2004/02/11 08:55:22 jmc Exp $
+# $EOM: VPN-3way-template.conf,v 1.8 2000/10/09 22:08:30 angelos Exp $
+#
+# A configuration sample for the isakmpd ISAKMP/Oakley (aka IKE) daemon.
+#
+# This is a template file of a VPN setup between three nodes in
+# a fully meshed 'three-way' configuration. Suggested use is to copy
+# this file to all three nodes and then edit them accordingly.
+#
+# These nodes are initially called XXX, YYY and ZZZ.
+#
+# In pseudographics: XXX --- YYY
+# \ /
+# ZZZ
+#
+# In cases where IP/network addresses should be defined values like
+# 192.168.XXX.nnn have been used.
+#
+
+# Incoming phase 1 negotiations are multiplexed on the source IP
+# address. In the three-way VPN, we have two possible peers.
+
+[Phase 1]
+192.168.YYY.nnn= ISAKMP-peer-node-YYY
+192.168.ZZZ.nnn= ISAKMP-peer-node-ZZZ
+
+# These connections are walked over after config file parsing and
+# told to the application layer so that it will inform us when
+# traffic wants to pass over them. This means we can do on-demand
+# keying. In the three-way VPN, each node knows two connections.
+
+[Phase 2]
+Connections= IPsec-Conn-XXX-YYY,IPsec-Conn-XXX-ZZZ
+
+# ISAKMP Phase 1 peer sections
+##############################
+
+[ISAKMP-peer-node-YYY]
+Phase= 1
+Transport= udp
+Address= 192.168.YYY.nnn
+Configuration= Default-main-mode
+Authentication= yoursharedsecretwithYYY
+
+[ISAKMP-peer-node-ZZZ]
+Phase= 1
+Transport= udp
+Address= 192.168.ZZZ.nnn
+Configuration= Default-main-mode
+Authentication= yoursharedsecretwithZZZ
+
+# IPsec Phase 2 sections
+########################
+
+[IPsec-Conn-XXX-YYY]
+Phase= 2
+ISAKMP-peer= ISAKMP-peer-node-YYY
+Configuration= Default-quick-mode
+Local-ID= MyNet-XXX
+Remote-ID= OtherNet-YYY
+
+[IPsec-Conn-XXX-ZZZ]
+Phase= 2
+ISAKMP-peer= ISAKMP-peer-node-ZZZ
+Configuration= Default-quick-mode
+Local-ID= MyNet-XXX
+Remote-ID= OtherNet-ZZZ
+
+# Client ID sections
+####################
+
+[MyNet-XXX]
+ID-type= IPV4_ADDR_SUBNET
+Network= 192.168.XXX.0
+Netmask= 255.255.255.0
+
+[OtherNet-YYY]
+ID-type= IPV4_ADDR_SUBNET
+Network= 192.168.YYY.0
+Netmask= 255.255.255.0
+
+[OtherNet-ZZZ]
+ID-type= IPV4_ADDR_SUBNET
+Network= 192.168.ZZZ.0
+Netmask= 255.255.255.0
+
+#
+# There is no more node-specific configuration below this point.
+#
+
+# Main mode descriptions
+
+[Default-main-mode]
+DOI= IPSEC
+EXCHANGE_TYPE= ID_PROT
+Transforms= 3DES-SHA,3DES-MD5
+
+[Blowfish-main-mode]
+DOI= IPSEC
+EXCHANGE_TYPE= ID_PROT
+Transforms= BLF-SHA-M1024
+
+# Quick mode description
+########################
+
+[Default-quick-mode]
+DOI= IPSEC
+EXCHANGE_TYPE= QUICK_MODE
+Suites= QM-ESP-AES-SHA-PFS-SUITE
+
+[Blowfish-quick-mode]
+DOI= IPSEC
+EXCHANGE_TYPE= QUICK_MODE
+Suites= QM-ESP-BLF-SHA-PFS-SUITE
+#Suites= QM-ESP-BLF-SHA-SUITE
+
diff --git a/keyexchange/isakmpd-20041012/samples/VPN-east.conf b/keyexchange/isakmpd-20041012/samples/VPN-east.conf
new file mode 100644
index 0000000..04d0bb9
--- /dev/null
+++ b/keyexchange/isakmpd-20041012/samples/VPN-east.conf
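Review bot: `Authentication= yoursharedsecretwithYYY` and its ZZZ twin are cleartext pre-shared secrets, yet the long header comment that tells the reader to copy this template to all three nodes says nothing about that; add above `[ISAKMP-peer-node-YYY]` a comment such as `# Authentication= holds the pre-shared secret for this peer in cleartext; copies of this file must be readable by root only.` `[Default-main-mode]` offers `Transforms= 3DES-SHA,3DES-MD5` where the two-node samples in this commit offer only `3DES-SHA`, so the template lets a peer settle on the weaker MD5 hash without saying why; either drop the second transform or comment the choice. The trailing `#Suites= QM-ESP-BLF-SHA-SUITE` in `[Blowfish-quick-mode]` is left without explanation; if it is meant as the alternative without PFS, as the name suggests, say so in the comment rather than leaving a bare commented-out key.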
@@ -0,0 +1,50 @@
+# $OpenBSD: VPN-east.conf,v 1.13 2003/03/16 08:13:02 matthieu Exp $
+# $EOM: VPN-east.conf,v 1.12 2000/10/09 22:08:30 angelos Exp $
+
+# A configuration sample for the isakmpd ISAKMP/Oakley (aka IKE) daemon.
+#
+# The network topology of the example net is like this:
+#
+# 192.168.11.0/24 - west [.11] - 10.1.0.0/24 - [.12] east - 192.168.12.0/24
+#
+# "west" and "east" are the respective security gateways (aka VPN-nodes).
+
+[Phase 1]
+10.1.0.11= ISAKMP-peer-west
+
+[Phase 2]
+Connections= IPsec-east-west
+
+[ISAKMP-peer-west]
+Phase= 1
+Transport= udp
+Address= 10.1.0.11
+Configuration= Default-main-mode
+Authentication= mekmitasdigoat
+
+[IPsec-east-west]
+Phase= 2
+ISAKMP-peer= ISAKMP-peer-west
+Configuration= Default-quick-mode
+Local-ID= Net-east
+Remote-ID= Net-west
+
+[Net-west]
+ID-type= IPV4_ADDR_SUBNET
+Network= 192.168.11.0
+Netmask= 255.255.255.0
+
+[Net-east]
+ID-type= IPV4_ADDR_SUBNET
+Network= 192.168.12.0
+Netmask= 255.255.255.0
+
+[Default-main-mode]
+DOI= IPSEC
+EXCHANGE_TYPE= ID_PROT
+Transforms= 3DES-SHA
+
+[Default-quick-mode]
+DOI= IPSEC
+EXCHANGE_TYPE= QUICK_MODE
+Suites= QM-ESP-AES-SHA-PFS-SUITE
diff --git a/keyexchange/isakmpd-20041012/samples/VPN-west.conf b/keyexchange/isakmpd-20041012/samples/VPN-west.conf
new file mode 100644
index 0000000..5b3a8f6
--- /dev/null
+++ b/keyexchange/isakmpd-20041012/samples/VPN-west.conf
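Review bot: `Authentication= mekmitasdigoat` is the same literal pre-shared secret that VPN-west.conf, singlehost-east.conf and singlehost-west.conf use, and that the policy file names as `passphrase:mekmitasdigoat`; once the Makefile installs these under `/usr/share/ipsec/isakmpd` it is a publicly known value. A sample this close to a working config should say so on the line above it, e.g. `# Placeholder secret shared by every sample in this directory; choose a new one per peer before use`. The same comment belongs in the three other configs and in the policy file.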
@@ -0,0 +1,50 @@
+# $OpenBSD: VPN-west.conf,v 1.14 2003/03/16 08:13:02 matthieu Exp $
+# $EOM: VPN-west.conf,v 1.13 2000/10/09 22:08:30 angelos Exp $
+
+# A configuration sample for the isakmpd ISAKMP/Oakley (aka IKE) daemon.
+#
+# The network topology of the example net is like this:
+#
+# 192.168.11.0/24 - west [.11] - 10.1.0.0/24 - [.12] east - 192.168.12.0/24
+#
+# "west" and "east" are the respective security gateways (aka VPN-nodes).
+
+[Phase 1]
+10.1.0.12= ISAKMP-peer-east
+
+[Phase 2]
+Connections= IPsec-west-east
+
+[ISAKMP-peer-east]
+Phase= 1
+Transport= udp
+Address= 10.1.0.12
+Configuration= Default-main-mode
+Authentication= mekmitasdigoat
+
+[IPsec-west-east]
+Phase= 2
+ISAKMP-peer= ISAKMP-peer-east
+Configuration= Default-quick-mode
+Local-ID= Net-west
+Remote-ID= Net-east
+
+[Net-west]
+ID-type= IPV4_ADDR_SUBNET
+Network= 192.168.11.0
+Netmask= 255.255.255.0
+
+[Net-east]
+ID-type= IPV4_ADDR_SUBNET
+Network= 192.168.12.0
+Netmask= 255.255.255.0
+
+[Default-main-mode]
+DOI= IPSEC
+EXCHANGE_TYPE= ID_PROT
+Transforms= 3DES-SHA
+
+[Default-quick-mode]
+DOI= IPSEC
+EXCHANGE_TYPE= QUICK_MODE
+Suites= QM-ESP-AES-SHA-PFS-SUITE
diff --git a/keyexchange/isakmpd-20041012/samples/policy b/keyexchange/isakmpd-20041012/samples/policy
new file mode 100644
index 0000000..0e194aa
--- /dev/null
+++ b/keyexchange/isakmpd-20041012/samples/policy
@@ -0,0 +1,10 @@
+KeyNote-Version: 2
+Comment: This policy accepts ESP SAs from a remote that uses the right password
+ $OpenBSD: policy,v 1.6 2001/06/20 16:36:19 angelos Exp $
+ $EOM: policy,v 1.6 2000/10/09 22:08:30 angelos Exp $
+Authorizer: "POLICY"
+Licensees: "passphrase:mekmitasdigoat"
+Conditions: app_domain == "IPsec policy" &&
+ esp_present == "yes" &&
+ esp_enc_alg == "aes" &&
+ esp_auth_alg == "hmac-sha" -> "true";
diff --git a/keyexchange/isakmpd-20041012/samples/singlehost-east.conf b/keyexchange/isakmpd-20041012/samples/singlehost-east.conf
new file mode 100644
index 0000000..f0afc46
--- /dev/null
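Review bot: The `Conditions:` clause of the policy file accepts any ESP SA whose algorithms are AES and HMAC-SHA, but it never checks the property the quick-mode sections of the accompanying configs ask for (`Suites= QM-ESP-AES-SHA-PFS-SUITE`), so as far as this policy is concerned a peer proposing the same algorithms without PFS would be accepted. If the attribute set isakmpd exports to KeyNote includes a PFS flag (its policy code provides one named `pfs` as far as I recall; confirm against policy.c before relying on it), add `pfs == "yes" &&` to the conjunction. The `$OpenBSD`/`$EOM` lines are part of the `Comment:` field only because they are indented; a short remark saying so would stop a later editor from un-indenting them and breaking the assertion.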
+++ b/keyexchange/isakmpd-20041012/samples/singlehost-east.conf
@@ -0,0 +1,64 @@
+# $OpenBSD: singlehost-east.conf,v 1.10 2000/11/23 12:56:25 niklas Exp $
+# $EOM: singlehost-east.conf,v 1.10 2000/11/23 12:24:43 niklas Exp $
+
+# A configuration sample for the isakmpd ISAKMP/Oakley (aka IKE) daemon.
+
+[General]
+Listen-on= 10.1.0.12
+Shared-SADB= Defined
+Policy-File= policy
+
+[Phase 1]
+10.1.0.11= ISAKMP-peer-west
+Default= ISAKMP-peer-west-aggressive
+
+[Phase 2]
+Connections= IPsec-east-west
+
+[ISAKMP-peer-west]
+Phase= 1
+Transport= udp
+Local-address= 10.1.0.12
+Address= 10.1.0.11
+Configuration= Default-main-mode
+Authentication= mekmitasdigoat
+
+[ISAKMP-peer-west-aggressive]
+Phase= 1
+Transport= udp
+Local-address= 10.1.0.12
+Address= 10.1.0.11
+Configuration= Default-aggressive-mode
+Authentication= mekmitasdigoat
+
+[IPsec-east-west]
+Phase= 2
+ISAKMP-peer= ISAKMP-peer-west
+Configuration= Default-quick-mode
+Local-ID= Net-east
+Remote-ID= Net-west
+
+[Net-west]
+ID-type= IPV4_ADDR_SUBNET
+Network= 192.168.11.0
+Netmask= 255.255.255.0
+
+[Net-east]
+ID-type= IPV4_ADDR_SUBNET
+Network= 192.168.12.0
+Netmask= 255.255.255.0
+
+[Default-main-mode]
+DOI= IPSEC
+EXCHANGE_TYPE= ID_PROT
+Transforms= 3DES-SHA
+
+[Default-aggressive-mode]
+DOI= IPSEC
+EXCHANGE_TYPE= AGGRESSIVE
+Transforms= 3DES-SHA-RSA
+
+[Default-quick-mode]
+DOI= IPSEC
+EXCHANGE_TYPE= QUICK_MODE
+Suites= QM-ESP-AES-SHA-PFS-SUITE
diff --git a/keyexchange/isakmpd-20041012/samples/singlehost-east.gdb b/keyexchange/isakmpd-20041012/samples/singlehost-east.gdb
new file mode 100644
index 0000000..a41df0d
--- /dev/null
+++ b/keyexchange/isakmpd-20041012/samples/singlehost-east.gdb
@@ -0,0 +1 @@
+r -d -D0=99 -D1=99 -D2=99 -D3=99 -D4=99 -D5=99 -feast.fifo -c../samples/singlehost-east.conf
diff --git a/keyexchange/isakmpd-20041012/samples/singlehost-setup.sh b/keyexchange/isakmpd-20041012/samples/singlehost-setup.sh
new file mode 100644
index 0000000..818ce2d
--- /dev/null
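Review bot: `[ISAKMP-peer-west-aggressive]` keeps `Authentication= mekmitasdigoat` although its `Configuration= Default-aggressive-mode` selects `Transforms= 3DES-SHA-RSA`, whose name reads as RSA-signature rather than pre-shared-key authentication; if that reading is right the line is dead and should be dropped or commented, and if it is wrong the transform name is misleading, so the file should say which. Because `[Phase 1]` names this section as `Default=`, it appears to be the one applied to any peer address not listed above it, so a comment there explaining why the fallback is aggressive mode and what it authenticates with would help, e.g. `# Fallback for peers not matched above: aggressive mode with the RSA-signature transform`. singlehost-west.conf carries the same pair of sections.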
+++ b/keyexchange/isakmpd-20041012/samples/singlehost-setup.sh 
@@ -0,0 +1,84 @@
+#!/bin/sh
+# $OpenBSD: singlehost-setup.sh,v 1.5 2003/08/18 09:41:40 markus Exp $
+# $EOM: singlehost-setup.sh,v 1.3 2000/11/23 12:24:43 niklas Exp $
+
+# A script to test single-host VPNs
+
+# For the 'pf' variable
+. /etc/rc.conf
+
+# Default paths
+PFCTL=/sbin/pfctl
+ISAKMPD=/sbin/isakmpd
+
+do_routes()
+{
+ /sbin/route $1 -net 192.168.11.0/24 192.168.11.1 -iface >/dev/null
+ /sbin/route $1 -net 192.168.12.0/24 192.168.12.1 -iface >/dev/null
+ /sbin/route $1 -net 10.1.0.0/16 10.1.0.11 -iface >/dev/null
+}
+
+# Called on script exit
+cleanup () {
+ if [ "x${pf}" = "xYES" -a -f ${pf_rules} ]; then
+ ${PFCTL} -R -f ${pf_rules}
+ else
+ ${PFCTL} -qd
+ fi
+
+ USER=`id -p | grep ^login | cut -f2`
+ chown $USER singlehost-east.conf singlehost-west.conf policy
+ chmod 644 singlehost-east.conf singlehost-west.conf policy
+
+ [ -p east.fifo ] && echo "Q" >> east.fifo
+ [ -p west.fifo ] && echo "Q" >> west.fifo
+ rm -f east.fifo west.fifo
+
+ do_routes delete
+}
+
+# Start by initializing interfaces
+/sbin/ifconfig lo2 192.168.11.1 netmask 0xffffff00 up
+/sbin/ifconfig lo3 192.168.12.1 netmask 0xffffff00 up
+/sbin/ifconfig lo4 10.1.0.11 netmask 0xffff0000 up
+/sbin/ifconfig lo5 10.1.0.12 netmask 0xffff0000 up
+# ... and by adding the required routes
+do_routes add
+
+# Add rules
+(
+ cat <<EOF
+pass out quick on lo2 proto 50 all
+pass out quick on lo2 from 192.168.11.0/24 to any
+pass out quick on lo3 proto 50 all
+pass out quick on lo3 from 192.168.12.0/24 to any
+block out on lo2 all
+block out on lo3 all
+EOF
+ if [ "x${pf}" = "xYES" -a -f ${pf_rules} ]; then
+ cat ${pf_rules} | egrep -v '^(scrub|rdr|binat|nat)'
+ else
+ pfctl -qe >/dev/null
+ fi
+) | pfctl -R -f -
+
+trap cleanup 1 2 3 15
+
+# The configuration files needs proper owners and modes
+USER=`id -p | grep ^uid | cut -f2`
+chown $USER singlehost-east.conf singlehost-west.conf policy
+chmod 600 singlehost-east.conf singlehost-west.conf policy
+
+# Start the daemons
+rm -f east.fifo west.fifo
+${ISAKMPD} -c singlehost-east.conf -f east.fifo "$@"
+${ISAKMPD} -c singlehost-west.conf -f west.fifo "$@"
+
+# Give them some time to negotiate their stuff...
+SECS=3
+echo "Waiting $SECS seconds..."
+sleep $SECS
+echo "Running 'ping', using the tunnel..."
+ping -I 192.168.11.1 -c 5 192.168.12.1
+
+cleanup
diff --git a/keyexchange/isakmpd-20041012/samples/singlehost-west.conf b/keyexchange/isakmpd-20041012/samples/singlehost-west.conf
new file mode 100644
index 0000000..40538a3
--- /dev/null
+++ b/keyexchange/isakmpd-20041012/samples/singlehost-west.conf
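Review bot: In `cleanup`, `USER=\`id -p | grep ^login | cut -f2\`` comes back empty whenever `id -p` prints no `login` line, which on OpenBSD it does only when the login name differs from the name of the current uid (i.e. when root was reached via su); in the direct-root case the following `chown $USER …` then takes `singlehost-east.conf` as its owner argument and fails, and the unquoted `$USER` hides the empty value. Fall back to the uid line and quote the expansion: `USER=\`id -p | grep ^login | cut -f2\`` / `[ -z "$USER" ] && USER=\`id -p | grep ^uid | cut -f2\`` / `chown "$USER" singlehost-east.conf singlehost-west.conf policy`. Separately, `trap cleanup 1 2 3 15` is installed only after the interfaces, routes and pf rules are in place, so an interrupt during `do_routes add` or the pf load leaves those behind; moving the trap to just after the function definitions would cover that window, at the cost of `cleanup` having to tolerate not-yet-created state.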
@@ -0,0 +1,64 @@
+# $OpenBSD: singlehost-west.conf,v 1.11 2003/08/20 14:43:36 ho Exp $
+# $EOM: singlehost-west.conf,v 1.10 2000/11/23 12:24:43 niklas Exp $
+
+# A configuration sample for the isakmpd ISAKMP/Oakley (aka IKE) daemon.
+
+[General]
+Listen-on= 10.1.0.11
+Shared-SADB= Defined
+Policy-File= policy
+
+[Phase 1]
+10.1.0.12= ISAKMP-peer-east
+Default= ISAKMP-peer-east-aggressive
+
+[Phase 2]
+Connections= IPsec-west-east
+
+[ISAKMP-peer-east]
+Phase= 1
+Transport= udp
+Local-address= 10.1.0.11
+Address= 10.1.0.12
+Configuration= Default-main-mode
+Authentication= mekmitasdigoat
+
+[ISAKMP-peer-east-aggressive]
+Phase= 1
+Transport= udp
+Local-address= 10.1.0.11
+Address= 10.1.0.12
+Configuration= Default-aggressive-mode
+Authentication= mekmitasdigoat
+
+[IPsec-west-east]
+Phase= 2
+ISAKMP-peer= ISAKMP-peer-east
+Configuration= Default-quick-mode
+Local-ID= Net-west
+Remote-ID= Net-east
+
+[Net-west]
+ID-type= IPV4_ADDR_SUBNET
+Network= 192.168.11.0
+Netmask= 255.255.255.0
+
+[Net-east]
+ID-type= IPV4_ADDR_SUBNET
+Network= 192.168.12.0
+Netmask= 255.255.255.0
+
+[Default-main-mode]
+DOI= IPSEC
+EXCHANGE_TYPE= ID_PROT
+Transforms= 3DES-SHA
+
+[Default-aggressive-mode]
+DOI= IPSEC
+EXCHANGE_TYPE= AGGRESSIVE
+Transforms= 3DES-SHA-RSA
+
+[Default-quick-mode]
+DOI= IPSEC
+EXCHANGE_TYPE= QUICK_MODE
+Suites= QM-ESP-AES-SHA-PFS-SUITE
diff --git a/keyexchange/isakmpd-20041012/samples/singlehost-west.gdb b/keyexchange/isakmpd-20041012/samples/singlehost-west.gdb
new file mode 100644
index 0000000..5315e46
--- /dev/null
+++ b/keyexchange/isakmpd-20041012/samples/singlehost-west.gdb
@@ -0,0 +1 @@
+r -d -D0=99 -D1=99 -D2=99 -D3=99 -D4=99 -D5=99 -fwest.fifo -c../samples/singlehost-west.conf |