aboutsummaryrefslogtreecommitdiffstats
path: root/examples/ipsec-secgw/ep1.cfg
blob: 3f6ff8111bee32c316e1addc105a1c95d2eae5c8 (plain) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160

###########################################################################
#   IPSEC-SECGW Endpoint1 sample configuration
#
#   The main purpose of this file is to show how to configure two systems
#   back-to-back that would forward traffic through an IPsec tunnel. This
#   file is the Endpoint1 configuration. To use this configuration file,
#   add the following command-line option:
#
#       -f ./ep1.cfg
#
###########################################################################

#SP IPv4 rules
sp ipv4 in esp protect 5 pri 1 dst 192.168.105.0/24 sport 0:65535 dport 0:65535
sp ipv4 in esp protect 6 pri 1 dst 192.168.106.0/24 sport 0:65535 dport 0:65535
sp ipv4 in esp protect 10 pri 1 dst 192.168.175.0/24 sport 0:65535 dport 0:65535
sp ipv4 in esp protect 11 pri 1 dst 192.168.176.0/24 sport 0:65535 dport 0:65535
sp ipv4 in esp protect 15 pri 1 dst 192.168.200.0/24 sport 0:65535 dport 0:65535
sp ipv4 in esp protect 16 pri 1 dst 192.168.201.0/24 sport 0:65535 dport 0:65535
sp ipv4 in esp protect 25 pri 1 dst 192.168.55.0/24 sport 0:65535 dport 0:65535
sp ipv4 in esp protect 26 pri 1 dst 192.168.56.0/24 sport 0:65535 dport 0:65535
sp ipv4 in esp bypass dst 192.168.240.0/24 sport 0:65535 dport 0:65535
sp ipv4 in esp bypass dst 192.168.241.0/24 sport 0:65535 dport 0:65535

sp ipv4 out esp protect 105 pri 1 dst 192.168.115.0/24 sport 0:65535 dport 0:65535
sp ipv4 out esp protect 106 pri 1 dst 192.168.116.0/24 sport 0:65535 dport 0:65535
sp ipv4 out esp protect 110 pri 1 dst 192.168.185.0/24 sport 0:65535 dport 0:65535
sp ipv4 out esp protect 111 pri 1 dst 192.168.186.0/24 sport 0:65535 dport 0:65535
sp ipv4 out esp protect 115 pri 1 dst 192.168.210.0/24 sport 0:65535 dport 0:65535
sp ipv4 out esp protect 116 pri 1 dst 192.168.211.0/24 sport 0:65535 dport 0:65535
sp ipv4 out esp protect 115 pri 1 dst 192.168.210.0/24 sport 0:65535 dport 0:65535
sp ipv4 out esp protect 125 pri 1 dst 192.168.65.0/24 sport 0:65535 dport 0:65535
sp ipv4 out esp protect 125 pri 1 dst 192.168.65.0/24 sport 0:65535 dport 0:65535
sp ipv4 out esp protect 126 pri 1 dst 192.168.66.0/24 sport 0:65535 dport 0:65535
sp ipv4 out esp bypass pri 1 dst 192.168.245.0/24 sport 0:65535 dport 0:65535
sp ipv4 out esp bypass pri 1 dst 192.168.246.0/24 sport 0:65535 dport 0:65535

#SP IPv6 rules
sp ipv6 in esp protect 5 pri 1 dst 0000:0000:0000:0000:5555:5555:0000:0000/96 \
sport 0:65535 dport 0:65535
sp ipv6 in esp protect 6 pri 1 dst 0000:0000:0000:0000:6666:6666:0000:0000/96 \
sport 0:65535 dport 0:65535
sp ipv6 in esp protect 10 pri 1 dst 0000:0000:1111:1111:0000:0000:0000:0000/96 \
sport 0:65535 dport 0:65535
sp ipv6 in esp protect 11 pri 1 dst 0000:0000:1111:1111:1111:1111:0000:0000/96 \
sport 0:65535 dport 0:65535
sp ipv6 in esp protect 25 pri 1 dst 0000:0000:0000:0000:aaaa:aaaa:0000:0000/96 \
sport 0:65535 dport 0:65535
sp ipv6 in esp protect 26 pri 1 dst 0000:0000:0000:0000:bbbb:bbbb:0000:0000/96 \
sport 0:65535 dport 0:65535

sp ipv6 out esp protect 15 pri 1 dst ffff:0000:0000:0000:5555:5555:0000:0000/96 \
sport 0:65535 dport 0:65535
sp ipv6 out esp protect 16 pri 1 dst ffff:0000:0000:0000:6666:6666:0000:0000/96 \
sport 0:65535 dport 0:65535
sp ipv6 out esp protect 110 pri 1 dst ffff:0000:1111:1111:0000:0000:0000:0000/96 \
sport 0:65535 dport 0:65535
sp ipv6 out esp protect 111 pri 1 dst ffff:0000:1111:1111:1111:1111:0000:0000/96 \
sport 0:65535 dport 0:65535
sp ipv6 out esp protect 125 pri 1 dst ffff:0000:0000:0000:aaaa:aaaa:0000:0000/96 \
sport 0:65535 dport 0:65535
sp ipv6 out esp protect 126 pri 1 dst ffff:0000:0000:0000:bbbb:bbbb:0000:0000/96 \
sport 0:65535 dport 0:65535

#SA rules
sa in 5 cipher_algo aes-128-cbc cipher_key 0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0 \
auth_algo sha1-hmac auth_key 0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0 \
mode ipv4-tunnel src 172.16.1.5 dst 172.16.2.5

sa in 6 cipher_algo aes-128-cbc cipher_key a0:a0:a0:a0:a0:a0:a0:a0:a0:a0:a0:\
a0:a0:a0:a0:a0 auth_algo sha1-hmac auth_key a0:a0:a0:a0:a0:a0:a0:a0:a0:a0:a0:\
a0:a0:a0:a0:a0:a0:a0:a0:a0 mode ipv4-tunnel src 172.16.1.6 dst 172.16.2.6

sa in 10 cipher_algo aes-128-cbc cipher_key a1:a1:a1:a1:a1:a1:a1:a1:a1:a1:a1:\
a1:a1:a1:a1:a1 auth_algo sha1-hmac auth_key a1:a1:a1:a1:a1:a1:a1:a1:a1:a1:a1:\
a1:a1:a1:a1:a1:a1:a1:a1:a1 mode transport

sa in 11 cipher_algo aes-128-cbc cipher_key b2:b2:b2:b2:b2:b2:b2:b2:b2:b2:b2:\
b2:b2:b2:b2:b2 auth_algo sha1-hmac auth_key b2:b2:b2:b2:b2:b2:b2:b2:b2:b2:b2:\
b2:b2:b2:b2:b2:b2:b2:b2:b2 mode transport

sa in 15 cipher_algo null auth_algo null mode ipv4-tunnel src 172.16.1.5 \
dst 172.16.2.5

sa in 16 cipher_algo null auth_algo null mode ipv4-tunnel src 172.16.1.6 \
dst 172.16.2.6

sa in 25 cipher_algo aes-128-cbc cipher_key c3:c3:c3:c3:c3:c3:c3:c3:c3:c3:c3:\
c3:c3:c3:c3:c3 auth_algo sha1-hmac auth_key c3:c3:c3:c3:c3:c3:c3:c3:c3:c3:c3:\
c3:c3:c3:c3:c3:c3:c3:c3:c3 mode ipv6-tunnel \
src 1111:1111:1111:1111:1111:1111:1111:5555 \
dst 2222:2222:2222:2222:2222:2222:2222:5555

sa in 26 cipher_algo aes-128-cbc cipher_key 4d:4d:4d:4d:4d:4d:4d:4d:4d:4d:4d:\
4d:4d:4d:4d:4d auth_algo sha1-hmac auth_key 4d:4d:4d:4d:4d:4d:4d:4d:4d:4d:4d:\
4d:4d:4d:4d:4d:4d:4d:4d:4d mode ipv6-tunnel \
src 1111:1111:1111:1111:1111:1111:1111:6666 \
dst 2222:2222:2222:2222:2222:2222:2222:6666

sa out 105 cipher_algo aes-128-cbc cipher_key 0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0 \
auth_algo sha1-hmac auth_key 0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0 \
mode ipv4-tunnel src 172.16.2.5 dst 172.16.1.5

sa out 106 cipher_algo aes-128-cbc cipher_key a0:a0:a0:a0:a0:a0:a0:a0:a0:a0:a0:\
a0:a0:a0:a0:a0 auth_algo sha1-hmac auth_key a0:a0:a0:a0:a0:a0:a0:a0:a0:a0:a0:\
a0:a0:a0:a0:a0:a0:a0:a0:a0 mode ipv4-tunnel src 172.16.2.6 dst 172.16.1.6

sa out 110 cipher_algo aes-128-cbc cipher_key a1:a1:a1:a1:a1:a1:a1:a1:a1:a1:a1:\
a1:a1:a1:a1:a1 auth_algo sha1-hmac auth_key a1:a1:a1:a1:a1:a1:a1:a1:a1:a1:a1:\
a1:a1:a1:a1:a1:a1:a1:a1:a1 mode transport

sa out 111 cipher_algo aes-128-cbc cipher_key b2:b2:b2:b2:b2:b2:b2:b2:b2:b2:b2:\
b2:b2:b2:b2:b2 auth_algo sha1-hmac auth_key b2:b2:b2:b2:b2:b2:b2:b2:b2:b2:b2:\
b2:b2:b2:b2:b2:b2:b2:b2:b2 mode transport

sa out 115 cipher_algo null auth_algo null mode ipv4-tunnel src 172.16.2.5 \
dst 172.16.1.5

sa out 116 cipher_algo null auth_algo null mode ipv4-tunnel src 172.16.2.6 dst 172.16.1.6

sa out 125 cipher_algo aes-128-cbc cipher_key c3:c3:c3:c3:c3:c3:c3:c3:c3:c3:c3:\
c3:c3:c3:c3:c3 auth_algo sha1-hmac auth_key c3:c3:c3:c3:c3:c3:c3:c3:c3:c3:c3:\
c3:c3:c3:c3:c3:c3:c3:c3:c3 mode ipv6-tunnel \
src 2222:2222:2222:2222:2222:2222:2222:5555 \
dst 1111:1111:1111:1111:1111:1111:1111:5555

sa out 126 cipher_algo aes-128-cbc cipher_key 4d:4d:4d:4d:4d:4d:4d:4d:4d:4d:4d:\
4d:4d:4d:4d:4d auth_algo sha1-hmac auth_key 4d:4d:4d:4d:4d:4d:4d:4d:4d:4d:4d:\
4d:4d:4d:4d:4d:4d:4d:4d:4d mode ipv6-tunnel \
src 2222:2222:2222:2222:2222:2222:2222:6666 \
dst 1111:1111:1111:1111:1111:1111:1111:6666

#Routing rules
rt ipv4 dst 172.16.1.5/32 port 0
rt ipv4 dst 172.16.1.6/32 port 1
rt ipv4 dst 192.168.185.0/24 port 0
rt ipv4 dst 192.168.186.0/24 port 1
rt ipv4 dst 192.168.245.0/24 port 0
rt ipv4 dst 192.168.246.0/24 port 1
rt ipv4 dst 192.168.105.0/24 port 2
rt ipv4 dst 192.168.106.0/24 port 3
rt ipv4 dst 192.168.55.0/24 port 2
rt ipv4 dst 192.168.56.0/24 port 3
rt ipv4 dst 192.168.175.0/24 port 2
rt ipv4 dst 192.168.176.0/24 port 3
rt ipv4 dst 192.168.200.0/24 port 2
rt ipv4 dst 192.168.201.0/24 port 3
rt ipv4 dst 192.168.240.0/24 port 2
rt ipv4 dst 192.168.241.0/24 port 3

rt ipv6 dst 1111:1111:1111:1111:1111:1111:1111:5555/116 port 0
rt ipv6 dst 1111:1111:1111:1111:1111:1111:1111:6666/116 port 1
rt ipv6 dst ffff:0000:1111:1111:0000:0000:0000:0000/116 port 0
rt ipv6 dst ffff:0000:1111:1111:1111:1111:0000:0000/116 port 1
rt ipv6 dst 0000:0000:0000:0000:aaaa:aaaa:0000:0000/116 port 2
rt ipv6 dst 0000:0000:0000:0000:bbbb:bbbb:0000:0000/116 port 3
rt ipv6 dst 0000:0000:0000:0000:5555:5555:0000:0000/116 port 2
rt ipv6 dst 0000:0000:0000:0000:6666:6666:0000:0000/116 port 3
rt ipv6 dst 0000:0000:1111:1111:0000:0000:0000:0000/116 port 2
rt ipv6 dst 0000:0000:1111:1111:1111:1111:0000:0000/116 port 3