###########################################################################
# IPSEC-SECGW Endpoint sample configuration
#
# The main purpose of this file is to show how to configure two systems
# back-to-back that would forward traffic through an IPsec tunnel. This
# file is the Endpoint 0 configuration. The keys below are fixed test
# patterns and several SAs use null algorithms, so treat this file strictly
# as a demo of the configuration syntax, not as a template for a real
# deployment. To use this configuration file, add the following
# command-line option:
#
# -f ./ep0.cfg
#
###########################################################################
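#SP IPv4 rules
# Format: sp ipv4 <in|out> esp <protect N|bypass> pri P dst CIDR sport LO:HI dport LO:HI
#   protect N - traffic matching the rule is sent through (out) or must have
#               arrived through (in) the SA with index N from the "#SA rules"
#               section below (out N pairs with in N+100 in this file).
#   bypass    - traffic matching the rule crosses the gateway in cleartext,
#               with no IPsec protection at all.
# Every rule uses pri 1 and the full port range 0:65535, so selection is by
# destination prefix only; the /24 prefixes within each direction are
# disjoint, so each destination matches exactly one rule and no entry is
# listed twice. Traffic that matches no rule is not covered here -- confirm
# the application's no-match behaviour (drop vs. forward) before reusing
# this policy elsewhere.
sp ipv4 out esp protect 5 pri 1 dst 192.168.105.0/24 sport 0:65535 dport 0:65535
sp ipv4 out esp protect 6 pri 1 dst 192.168.106.0/24 sport 0:65535 dport 0:65535
sp ipv4 out esp protect 10 pri 1 dst 192.168.175.0/24 sport 0:65535 dport 0:65535
sp ipv4 out esp protect 11 pri 1 dst 192.168.176.0/24 sport 0:65535 dport 0:65535
sp ipv4 out esp protect 15 pri 1 dst 192.168.200.0/24 sport 0:65535 dport 0:65535
sp ipv4 out esp protect 16 pri 1 dst 192.168.201.0/24 sport 0:65535 dport 0:65535
sp ipv4 out esp protect 25 pri 1 dst 192.168.55.0/24 sport 0:65535 dport 0:65535
sp ipv4 out esp protect 26 pri 1 dst 192.168.56.0/24 sport 0:65535 dport 0:65535
# Cleartext pass-through: 192.168.240/241 (out) and 192.168.245/246 (in) are
# deliberately unprotected test prefixes.
sp ipv4 out esp bypass pri 1 dst 192.168.240.0/24 sport 0:65535 dport 0:65535
sp ipv4 out esp bypass pri 1 dst 192.168.241.0/24 sport 0:65535 dport 0:65535
sp ipv4 in esp protect 105 pri 1 dst 192.168.115.0/24 sport 0:65535 dport 0:65535
sp ipv4 in esp protect 106 pri 1 dst 192.168.116.0/24 sport 0:65535 dport 0:65535
sp ipv4 in esp protect 110 pri 1 dst 192.168.185.0/24 sport 0:65535 dport 0:65535
sp ipv4 in esp protect 111 pri 1 dst 192.168.186.0/24 sport 0:65535 dport 0:65535
sp ipv4 in esp protect 115 pri 1 dst 192.168.210.0/24 sport 0:65535 dport 0:65535
sp ipv4 in esp protect 116 pri 1 dst 192.168.211.0/24 sport 0:65535 dport 0:65535
sp ipv4 in esp protect 125 pri 1 dst 192.168.65.0/24 sport 0:65535 dport 0:65535
sp ipv4 in esp protect 126 pri 1 dst 192.168.66.0/24 sport 0:65535 dport 0:65535
sp ipv4 in esp bypass pri 1 dst 192.168.245.0/24 sport 0:65535 dport 0:65535
sp ipv4 in esp bypass pri 1 dst 192.168.246.0/24 sport 0:65535 dport 0:65535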
#SP IPv6 rules
# Same format as the IPv4 section; a trailing "\" continues a rule on the
# next line. All rules are pri 1 with full port ranges, so the /96
# destination prefix alone selects the rule. Note that an IPv6 selector may
# map to an IPv4-tunnel SA (5/6) as well as to transport (10/11) or
# IPv6-tunnel (25/26) SAs.
sp ipv6 out esp protect 5 pri 1 dst 0000:0000:0000:0000:5555:5555:0000:0000/96 \
sport 0:65535 dport 0:65535
sp ipv6 out esp protect 6 pri 1 dst 0000:0000:0000:0000:6666:6666:0000:0000/96 \
sport 0:65535 dport 0:65535
sp ipv6 out esp protect 10 pri 1 dst 0000:0000:1111:1111:0000:0000:0000:0000/96 \
sport 0:65535 dport 0:65535
sp ipv6 out esp protect 11 pri 1 dst 0000:0000:1111:1111:1111:1111:0000:0000/96 \
sport 0:65535 dport 0:65535
sp ipv6 out esp protect 25 pri 1 dst 0000:0000:0000:0000:aaaa:aaaa:0000:0000/96 \
sport 0:65535 dport 0:65535
sp ipv6 out esp protect 26 pri 1 dst 0000:0000:0000:0000:bbbb:bbbb:0000:0000/96 \
sport 0:65535 dport 0:65535
# NOTE(review): "protect 15" and "protect 16" below reference SA indices that
# exist only as "sa out 15"/"sa out 16" in this file; there is no
# "sa in 15"/"sa in 16", so inbound traffic to these two prefixes has no
# inbound SA it could have arrived through. Every other inbound rule (here
# and in the IPv4 section) uses the N+100 inbound counterpart, which would be
# 105/106 for SAs 5/6 -- confirm the intended index before relying on these
# two rules.
sp ipv6 in esp protect 15 pri 1 dst ffff:0000:0000:0000:5555:5555:0000:0000/96 \
sport 0:65535 dport 0:65535
sp ipv6 in esp protect 16 pri 1 dst ffff:0000:0000:0000:6666:6666:0000:0000/96 \
sport 0:65535 dport 0:65535
sp ipv6 in esp protect 110 pri 1 dst ffff:0000:1111:1111:0000:0000:0000:0000/96 \
sport 0:65535 dport 0:65535
sp ipv6 in esp protect 111 pri 1 dst ffff:0000:1111:1111:1111:1111:0000:0000/96 \
sport 0:65535 dport 0:65535
sp ipv6 in esp protect 125 pri 1 dst ffff:0000:0000:0000:aaaa:aaaa:0000:0000/96 \
sport 0:65535 dport 0:65535
sp ipv6 in esp protect 126 pri 1 dst ffff:0000:0000:0000:bbbb:bbbb:0000:0000/96 \
sport 0:65535 dport 0:65535
#SA rules
# Format: sa <in|out> N cipher_algo A [cipher_key K] auth_algo H [auth_key K] \
#            mode <ipv4-tunnel|ipv6-tunnel|transport> [src S dst D]
# N is the index that the SP "protect N" entries refer to. Each outbound SA
# (5, 6, 10, 11, 15, 16, 25, 26) has an inbound twin at N+100 with the same
# algorithms and keys and with src/dst swapped; tunnel-mode SAs carry the
# outer src/dst addresses, transport-mode SAs carry none.
#
# SECURITY -- this is a back-to-back demo configuration, not a deployable one:
#  - Every key is a fixed, obvious byte pattern (all-zero, a0.., a1.., b2..,
#    c3.., 4d..) stored in cleartext in this file, and the identical key is
#    reused for both directions of each pair (e.g. out 5 and in 105). Real
#    deployments use unique, randomly generated per-direction keys (normally
#    negotiated by IKE) and never keep them in a config file.
#  - SAs 15/16 and 115/116 use "cipher_algo null auth_algo null": ESP framing
#    with no encryption and no integrity check, i.e. no protection at all.
#    They exist only to exercise the ESP datapath without crypto.
#  - The only real suite used is aes-128-cbc with sha1-hmac. HMAC-SHA1 is a
#    legacy integrity algorithm; prefer an AEAD such as AES-GCM where the
#    application build supports it.
sa out 5 cipher_algo aes-128-cbc cipher_key 0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0 \
auth_algo sha1-hmac auth_key 0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0 \
mode ipv4-tunnel src 172.16.1.5 dst 172.16.2.5
sa out 6 cipher_algo aes-128-cbc cipher_key a0:a0:a0:a0:a0:a0:a0:a0:a0:a0:a0:\
a0:a0:a0:a0:a0 auth_algo sha1-hmac auth_key a0:a0:a0:a0:a0:a0:a0:a0:a0:a0:a0:\
a0:a0:a0:a0:a0:a0:a0:a0:a0 mode ipv4-tunnel src 172.16.1.6 dst 172.16.2.6
# Transport mode: the original IP header is kept, only the payload is
# protected, so no outer src/dst are given.
sa out 10 cipher_algo aes-128-cbc cipher_key a1:a1:a1:a1:a1:a1:a1:a1:a1:a1:a1:\
a1:a1:a1:a1:a1 auth_algo sha1-hmac auth_key a1:a1:a1:a1:a1:a1:a1:a1:a1:a1:a1:\
a1:a1:a1:a1:a1:a1:a1:a1:a1 mode transport
sa out 11 cipher_algo aes-128-cbc cipher_key b2:b2:b2:b2:b2:b2:b2:b2:b2:b2:b2:\
b2:b2:b2:b2:b2 auth_algo sha1-hmac auth_key b2:b2:b2:b2:b2:b2:b2:b2:b2:b2:b2:\
b2:b2:b2:b2:b2:b2:b2:b2:b2 mode transport
# Null cipher + null auth: no confidentiality, no integrity (test only).
sa out 15 cipher_algo null auth_algo null mode ipv4-tunnel src 172.16.1.5 \
dst 172.16.2.5
sa out 16 cipher_algo null auth_algo null mode ipv4-tunnel src 172.16.1.6 \
dst 172.16.2.6
sa out 25 cipher_algo aes-128-cbc cipher_key c3:c3:c3:c3:c3:c3:c3:c3:c3:c3:c3:\
c3:c3:c3:c3:c3 auth_algo sha1-hmac auth_key c3:c3:c3:c3:c3:c3:c3:c3:c3:c3:c3:\
c3:c3:c3:c3:c3:c3:c3:c3:c3 mode ipv6-tunnel \
src 1111:1111:1111:1111:1111:1111:1111:5555 \
dst 2222:2222:2222:2222:2222:2222:2222:5555
sa out 26 cipher_algo aes-128-cbc cipher_key 4d:4d:4d:4d:4d:4d:4d:4d:4d:4d:4d:\
4d:4d:4d:4d:4d auth_algo sha1-hmac auth_key 4d:4d:4d:4d:4d:4d:4d:4d:4d:4d:4d:\
4d:4d:4d:4d:4d:4d:4d:4d:4d mode ipv6-tunnel \
src 1111:1111:1111:1111:1111:1111:1111:6666 \
dst 2222:2222:2222:2222:2222:2222:2222:6666
# Inbound twins: same keys as out N, outer src/dst swapped.
sa in 105 cipher_algo aes-128-cbc cipher_key 0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0 \
auth_algo sha1-hmac auth_key 0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0 \
mode ipv4-tunnel src 172.16.2.5 dst 172.16.1.5
sa in 106 cipher_algo aes-128-cbc cipher_key a0:a0:a0:a0:a0:a0:a0:a0:a0:a0:a0:\
a0:a0:a0:a0:a0 auth_algo sha1-hmac auth_key a0:a0:a0:a0:a0:a0:a0:a0:a0:a0:a0:\
a0:a0:a0:a0:a0:a0:a0:a0:a0 mode ipv4-tunnel src 172.16.2.6 dst 172.16.1.6
sa in 110 cipher_algo aes-128-cbc cipher_key a1:a1:a1:a1:a1:a1:a1:a1:a1:a1:a1:\
a1:a1:a1:a1:a1 auth_algo sha1-hmac auth_key a1:a1:a1:a1:a1:a1:a1:a1:a1:a1:a1:\
a1:a1:a1:a1:a1:a1:a1:a1:a1 mode transport
sa in 111 cipher_algo aes-128-cbc cipher_key b2:b2:b2:b2:b2:b2:b2:b2:b2:b2:b2:\
b2:b2:b2:b2:b2 auth_algo sha1-hmac auth_key b2:b2:b2:b2:b2:b2:b2:b2:b2:b2:b2:\
b2:b2:b2:b2:b2:b2:b2:b2:b2 mode transport
# Null cipher + null auth: accepts ESP traffic with no integrity check at all.
sa in 115 cipher_algo null auth_algo null mode ipv4-tunnel src 172.16.2.5 \
dst 172.16.1.5
sa in 116 cipher_algo null auth_algo null mode ipv4-tunnel src 172.16.2.6 dst 172.16.1.6
sa in 125 cipher_algo aes-128-cbc cipher_key c3:c3:c3:c3:c3:c3:c3:c3:c3:c3:c3:\
c3:c3:c3:c3:c3 auth_algo sha1-hmac auth_key c3:c3:c3:c3:c3:c3:c3:c3:c3:c3:c3:\
c3:c3:c3:c3:c3:c3:c3:c3:c3 mode ipv6-tunnel \
src 2222:2222:2222:2222:2222:2222:2222:5555 \
dst 1111:1111:1111:1111:1111:1111:1111:5555
sa in 126 cipher_algo aes-128-cbc cipher_key 4d:4d:4d:4d:4d:4d:4d:4d:4d:4d:4d:\
4d:4d:4d:4d:4d auth_algo sha1-hmac auth_key 4d:4d:4d:4d:4d:4d:4d:4d:4d:4d:4d:\
4d:4d:4d:4d:4d:4d:4d:4d:4d mode ipv6-tunnel \
src 2222:2222:2222:2222:2222:2222:2222:6666 \
dst 1111:1111:1111:1111:1111:1111:1111:6666
#Routing rules
# Format: rt <ipv4|ipv6> dst CIDR port P -- the destination prefix selects
# the egress port (presumably longest-prefix match, which is why a /32 and
# /24 entries coexist; confirm against the application's route lookup).
# Ports 0/1 face the encrypted side: the tunnel endpoints 172.16.2.5/.6 and
# 2222:...:5555/6666 (outer dst of the outbound tunnel SAs, which is what
# tunnel-encapsulated traffic is routed on -- hence no routes for the
# protected 192.168.105/106/55/56 prefixes), the transport-mode destinations
# 192.168.175/176 and 0000:0000:1111:1111:... (SAs 10/11), and the cleartext
# bypass prefixes 192.168.240/241.
# Ports 2/3 face the protected side: every prefix used by an inbound SP rule.
# NOTE(review): the IPv6 routes are /116 while the matching SP rules are /96,
# so only the /116 sub-range of each /96 SP prefix actually has a route;
# traffic elsewhere in the /96 passes the policy check but has no egress.
rt ipv4 dst 172.16.2.5/32 port 0
rt ipv4 dst 172.16.2.6/32 port 1
rt ipv4 dst 192.168.175.0/24 port 0
rt ipv4 dst 192.168.176.0/24 port 1
rt ipv4 dst 192.168.240.0/24 port 0
rt ipv4 dst 192.168.241.0/24 port 1
rt ipv4 dst 192.168.115.0/24 port 2
rt ipv4 dst 192.168.116.0/24 port 3
rt ipv4 dst 192.168.65.0/24 port 2
rt ipv4 dst 192.168.66.0/24 port 3
rt ipv4 dst 192.168.185.0/24 port 2
rt ipv4 dst 192.168.186.0/24 port 3
rt ipv4 dst 192.168.210.0/24 port 2
rt ipv4 dst 192.168.211.0/24 port 3
rt ipv4 dst 192.168.245.0/24 port 2
rt ipv4 dst 192.168.246.0/24 port 3
rt ipv6 dst 2222:2222:2222:2222:2222:2222:2222:5555/116 port 0
rt ipv6 dst 2222:2222:2222:2222:2222:2222:2222:6666/116 port 1
rt ipv6 dst 0000:0000:1111:1111:0000:0000:0000:0000/116 port 0
rt ipv6 dst 0000:0000:1111:1111:1111:1111:0000:0000/116 port 1
rt ipv6 dst ffff:0000:0000:0000:aaaa:aaaa:0000:0000/116 port 2
rt ipv6 dst ffff:0000:0000:0000:bbbb:bbbb:0000:0000/116 port 3
rt ipv6 dst ffff:0000:0000:0000:5555:5555:0000:0000/116 port 2
rt ipv6 dst ffff:0000:0000:0000:6666:6666:0000:0000/116 port 3
rt ipv6 dst ffff:0000:1111:1111:0000:0000:0000:0000/116 port 2
rt ipv6 dst ffff:0000:1111:1111:1111:1111:0000:0000/116 port 3