Whitespace.

No content changes.
svn path=/head/; revision=13928
2002-08-18 17:22:15 +00:00 · 2002-08-18 17:22:15 +00:00 · 50abc8d6e5 · 2020-12-08 03:00:23 +00:00
commit 50abc8d6e5
parent bb4c4c0d75
1 changed files with 95 additions and 108 deletions
--- a/en_US.ISO8859-1/books/handbook/security/chapter.sgml
+++ b/en_US.ISO8859-1/books/handbook/security/chapter.sgml
@ -2875,13 +2875,11 @@ options          IPSEC_ESP          #IP security (crypto; define w/IPSEC)</progr
      <para>Now, let us setup security association.  Execute &man.setkey.8;
        on both HOST A and B:</para>
-      <screen>
+      <screen>&prompt.root; <userinput>setkey -c
-&prompt.root; <userinput>setkey -c
+    add 10.2.3.4 10.6.7.8 ah-old  1000 -m transport -A keyed-md5 "MYSECRETMYSECRET" ;
-add 10.2.3.4 10.6.7.8 ah-old  1000 -m transport -A keyed-md5 "MYSECRETMYSECRET" ;
+    add 10.6.7.8 10.2.3.4 ah  2000 -m transport -A hmac-sha1 "KAMEKAMEKAMEKAMEKAME" ;
-add 10.6.7.8 10.2.3.4 ah  2000 -m transport -A hmac-sha1 "KAMEKAMEKAMEKAMEKAME" ;
+    add 10.6.7.8 10.2.3.4 esp 3000 -m transport -E des-cbc "PASSWORD" ;
-add 10.6.7.8 10.2.3.4 esp 3000 -m transport -E des-cbc "PASSWORD" ;
+    ^D</userinput></screen>
 ^D</userinput>
 </screen>
     <para>Actually, IPsec communication does not process until security policy
       entries are defined.  In this case, you must setup each host.</para>
@ -2890,18 +2888,18 @@ add 10.6.7.8 10.2.3.4 esp 3000 -m transport -E des-cbc "PASSWORD" ;
 At A:
 &prompt.root; <userinput>setkey -c
-spdadd 10.2.3.4 10.6.7.8 any -P out ipsec
+    spdadd 10.2.3.4 10.6.7.8 any -P out ipsec
 	ah/transport/10.2.3.4-10.6.7.8/require ;
-^D</userinput>
+    ^D</userinput>
 At B:
 &prompt.root; <userinput>setkey -c
-spdadd 10.6.7.8 10.2.3.4 any -P out ipsec
+    spdadd 10.6.7.8 10.2.3.4 any -P out ipsec
 	esp/transport/10.6.7.8-10.2.3.4/require ;
-spdadd 10.6.7.8 10.2.3.4 any -P out ipsec
+    spdadd 10.6.7.8 10.2.3.4 any -P out ipsec
 	ah/transport/10.6.7.8-10.2.3.4/require ;
-^D</userinput>
+    ^D</userinput>
   HOST A --------------------------------------> HOST E
@ -2934,38 +2932,35 @@ spdadd 10.6.7.8 10.2.3.4 any -P out ipsec
 	whose key is <quote>this is the test key</quote>.
 	Configuration at Host-A:</para>
-      <screen>
+      <screen>&prompt.root; <userinput>setkey -c &lt;&lt;<filename>EOF</filename>
-        &prompt.root; <userinput>setkey -c &lt;&lt;<filename>EOF</filename>
+    spdadd fec0::10[any] fec0::11[110] tcp -P out ipsec
-        spdadd fec0::10[any] fec0::11[110] tcp -P out ipsec
+	esp/transport/fec0::10-fec0::11/use ;
-                esp/transport/fec0::10-fec0::11/use ;
+    spdadd fec0::11[110] fec0::10[any] tcp -P in ipsec
-        spdadd fec0::11[110] fec0::10[any] tcp -P in ipsec
+	esp/transport/fec0::11-fec0::10/use ;
-                esp/transport/fec0::11-fec0::10/use ;
+    add fec0::10 fec0::11 esp 0x10001
-        add fec0::10 fec0::11 esp 0x10001
+	-m transport
-                -m transport
+	-E blowfish-cbc "kamekame"
-                -E blowfish-cbc "kamekame"
+	-A hmac-sha1 "this is the test key" ;
-                -A hmac-sha1 "this is the test key" ;
+    add fec0::11 fec0::10 esp 0x10002
-        add fec0::11 fec0::10 esp 0x10002
+	-m transport
-                -m transport
+	-E blowfish-cbc "kamekame"
-                -E blowfish-cbc "kamekame"
+	-A hmac-sha1 "this is the test key" ;
-                -A hmac-sha1 "this is the test key" ;
+    EOF</userinput></screen>
        EOF</userinput>
 </screen>
      <para>and at Host-B:</para>
      <screen>&prompt.root; <userinput>setkey -c &lt;&lt;<filename>EOF</filename>
-        spdadd fec0::11[110] fec0::10[any] tcp -P out ipsec
+    spdadd fec0::11[110] fec0::10[any] tcp -P out ipsec
-                esp/transport/fec0::11-fec0::10/use ;
+	esp/transport/fec0::11-fec0::10/use ;
-        spdadd fec0::10[any] fec0::11[110] tcp -P in ipsec
+    spdadd fec0::10[any] fec0::11[110] tcp -P in ipsec
-                esp/transport/fec0::10-fec0::11/use ;
+	esp/transport/fec0::10-fec0::11/use ;
-        add fec0::10 fec0::11 esp 0x10001 -m transport
+    add fec0::10 fec0::11 esp 0x10001 -m transport
-                -E blowfish-cbc "kamekame"
+	-E blowfish-cbc "kamekame"
-                -A hmac-sha1 "this is the test key" ;
+	-A hmac-sha1 "this is the test key" ;
-        add fec0::11 fec0::10 esp 0x10002 -m transport
+    add fec0::11 fec0::10 esp 0x10002 -m transport
-                -E blowfish-cbc "kamekame"
+	-E blowfish-cbc "kamekame"
-                -A hmac-sha1 "this is the test key" ;
+	-A hmac-sha1 "this is the test key" ;
-        EOF</userinput>
+    EOF</userinput></screen>
 </screen>
      <para>Note the direction of SP.</para>
    </sect2>
@ -2988,19 +2983,17 @@ spdadd 10.6.7.8 10.2.3.4 any -P out ipsec
      <para>Configuration at Gateway-A:</para>
-      <screen>
+      <screen>&prompt.root; <userinput>setkey -c &lt;&lt;<filename>EOF</filename>
-        &prompt.root; <userinput>setkey -c &lt;&lt;<filename>EOF</filename>
+    spdadd 10.0.1.0/24 10.0.2.0/24 any -P out ipsec
-        spdadd 10.0.1.0/24 10.0.2.0/24 any -P out ipsec
+	ah/tunnel/172.16.0.1-172.16.0.2/require ;
-                ah/tunnel/172.16.0.1-172.16.0.2/require ;
+    spdadd 10.0.2.0/24 10.0.1.0/24 any -P in ipsec
-        spdadd 10.0.2.0/24 10.0.1.0/24 any -P in ipsec
+	ah/tunnel/172.16.0.2-172.16.0.1/require ;
-                ah/tunnel/172.16.0.2-172.16.0.1/require ;
+    add 172.16.0.1 172.16.0.2 ah-old 0x10003 -m any
-        add 172.16.0.1 172.16.0.2 ah-old 0x10003 -m any
+	-A keyed-md5 "this is the test" ;
-                -A keyed-md5 "this is the test" ;
+    add 172.16.0.2 172.16.0.1 ah-old 0x10004 -m any
-        add 172.16.0.2 172.16.0.1 ah-old 0x10004 -m any
+	-A keyed-md5 "this is the test" ;
                -A keyed-md5 "this is the test" ;
-        EOF</userinput>
+EOF</userinput></screen>
 </screen>
      <para>If the port number field is omitted such as above then
 	<literal>[any]</literal> is employed. <literal>-m</literal>
@ -3010,19 +3003,17 @@ spdadd 10.6.7.8 10.2.3.4 any -P out ipsec
      <para>and at Gateway-B:</para>
-      <screen>
+      <screen>&prompt.root; <userinput>setkey -c &lt;&lt;<filename>EOF</filename>
-        &prompt.root; <userinput>setkey -c &lt;&lt;<filename>EOF</filename>
+    spdadd 10.0.2.0/24 10.0.1.0/24 any -P out ipsec
-        spdadd 10.0.2.0/24 10.0.1.0/24 any -P out ipsec
+	ah/tunnel/172.16.0.2-172.16.0.1/require ;
-                ah/tunnel/172.16.0.2-172.16.0.1/require ;
+    spdadd 10.0.1.0/24 10.0.2.0/24 any -P in ipsec
-        spdadd 10.0.1.0/24 10.0.2.0/24 any -P in ipsec
+	ah/tunnel/172.16.0.1-172.16.0.2/require ;
-                ah/tunnel/172.16.0.1-172.16.0.2/require ;
+    add 172.16.0.1 172.16.0.2 ah-old 0x10003 -m any
-        add 172.16.0.1 172.16.0.2 ah-old 0x10003 -m any
+	-A keyed-md5 "this is the test" ;
-                -A keyed-md5 "this is the test" ;
+    add 172.16.0.2 172.16.0.1 ah-old 0x10004 -m any
-        add 172.16.0.2 172.16.0.1 ah-old 0x10004 -m any
+	-A keyed-md5 "this is the test" ;
                -A keyed-md5 "this is the test" ;
-        EOF</userinput>
+EOF</userinput></screen>
 </screen>
      <para>Making SA bundle between two security gateways</para>
@ -3046,27 +3037,25 @@ spdadd 10.6.7.8 10.2.3.4 any -P out ipsec
        for ESP is hmac-sha1.  Authentication algorithm for AH is hmac-md5.
        Configuration at Gateway-A:</para>
-      <screen>
+      <screen>&prompt.root; <userinput>setkey -c &lt;&lt;<filename>EOF</filename>
-        &prompt.root; <userinput>setkey -c &lt;&lt;<filename>EOF</filename>
+    spdadd fec0:0:0:1::/64 fec0:0:0:2::/64 any -P out ipsec
-        spdadd fec0:0:0:1::/64 fec0:0:0:2::/64 any -P out ipsec
+	esp/tunnel/fec0:0:0:1::1-fec0:0:0:2::1/require
-                esp/tunnel/fec0:0:0:1::1-fec0:0:0:2::1/require
+	ah/transport/fec0:0:0:1::1-fec0:0:0:2::1/require ;
-                ah/transport/fec0:0:0:1::1-fec0:0:0:2::1/require ;
+    spdadd fec0:0:0:2::/64 fec0:0:0:1::/64 any -P in ipsec
-        spdadd fec0:0:0:2::/64 fec0:0:0:1::/64 any -P in ipsec
+	esp/tunnel/fec0:0:0:2::1-fec0:0:0:1::1/require
-                esp/tunnel/fec0:0:0:2::1-fec0:0:0:1::1/require
+	ah/transport/fec0:0:0:2::1-fec0:0:0:1::1/require ;
-                ah/transport/fec0:0:0:2::1-fec0:0:0:1::1/require ;
+    add fec0:0:0:1::1 fec0:0:0:2::1 esp 0x10001 -m tunnel
-        add fec0:0:0:1::1 fec0:0:0:2::1 esp 0x10001 -m tunnel
+	-E 3des-cbc "kamekame12341234kame1234"
-                -E 3des-cbc "kamekame12341234kame1234"
+	-A hmac-sha1 "this is the test key" ;
-                -A hmac-sha1 "this is the test key" ;
+    add fec0:0:0:1::1 fec0:0:0:2::1 ah 0x10001 -m transport
-        add fec0:0:0:1::1 fec0:0:0:2::1 ah 0x10001 -m transport
+	-A hmac-md5 "this is the test" ;
-                -A hmac-md5 "this is the test" ;
+    add fec0:0:0:2::1 fec0:0:0:1::1 esp 0x10001 -m tunnel
-        add fec0:0:0:2::1 fec0:0:0:1::1 esp 0x10001 -m tunnel
+	-E 3des-cbc "kamekame12341234kame1234"
-                -E 3des-cbc "kamekame12341234kame1234"
+	-A hmac-sha1 "this is the test key" ;
-                -A hmac-sha1 "this is the test key" ;
+    add fec0:0:0:2::1 fec0:0:0:1::1 ah 0x10001 -m transport
-        add fec0:0:0:2::1 fec0:0:0:1::1 ah 0x10001 -m transport
+	-A hmac-md5 "this is the test" ;
                -A hmac-md5 "this is the test" ;
-        EOF</userinput>
+    EOF</userinput></screen>
 </screen>
      <para>Making SAs with the different end</para>
@ -3086,31 +3075,29 @@ spdadd 10.6.7.8 10.2.3.4 any -P out ipsec
      <para>Configuration at Host-A:</para>
-      <screen>
+      <screen>&prompt.root; <userinput>setkey -c &lt;&lt;<filename>EOF</filename>
-        &prompt.root; <userinput>setkey -c &lt;&lt;<filename>EOF</filename>
+    spdadd fec0:0:0:1::1[any] fec0:0:0:2::2[80] tcp -P out ipsec
-        spdadd fec0:0:0:1::1[any] fec0:0:0:2::2[80] tcp -P out ipsec
+	esp/transport/fec0:0:0:1::1-fec0:0:0:2::2/use
-                esp/transport/fec0:0:0:1::1-fec0:0:0:2::2/use
+	esp/tunnel/fec0:0:0:1::1-fec0:0:0:2::1/require ;
-                esp/tunnel/fec0:0:0:1::1-fec0:0:0:2::1/require ;
+    spdadd fec0:0:0:2::1[80] fec0:0:0:1::1[any] tcp -P in ipsec
-        spdadd fec0:0:0:2::1[80] fec0:0:0:1::1[any] tcp -P in ipsec
+	esp/transport/fec0:0:0:2::2-fec0:0:0:l::1/use
-                esp/transport/fec0:0:0:2::2-fec0:0:0:l::1/use
+	esp/tunnel/fec0:0:0:2::1-fec0:0:0:1::1/require ;
-                esp/tunnel/fec0:0:0:2::1-fec0:0:0:1::1/require ;
+    add fec0:0:0:1::1 fec0:0:0:2::2 esp 0x10001
-        add fec0:0:0:1::1 fec0:0:0:2::2 esp 0x10001
+	-m transport
-                -m transport
+	-E cast128-cbc "12341234"
-                -E cast128-cbc "12341234"
+	-A hmac-sha1 "this is the test key" ;
-                -A hmac-sha1 "this is the test key" ;
+    add fec0:0:0:1::1 fec0:0:0:2::1 esp 0x10002
-        add fec0:0:0:1::1 fec0:0:0:2::1 esp 0x10002
+	-E rc5-cbc "kamekame"
-                -E rc5-cbc "kamekame"
+	-A hmac-md5 "this is the test" ;
-                -A hmac-md5 "this is the test" ;
+    add fec0:0:0:2::2 fec0:0:0:1::1 esp 0x10003
-        add fec0:0:0:2::2 fec0:0:0:1::1 esp 0x10003
+	-m transport
-                -m transport
+	-E cast128-cbc "12341234"
-                -E cast128-cbc "12341234"
+	-A hmac-sha1 "this is the test key" ;
-                -A hmac-sha1 "this is the test key" ;
+    add fec0:0:0:2::1 fec0:0:0:1::1 esp 0x10004
-        add fec0:0:0:2::1 fec0:0:0:1::1 esp 0x10004
+	-E rc5-cbc "kamekame"
-                -E rc5-cbc "kamekame"
+	-A hmac-md5 "this is the test" ;
                -A hmac-md5 "this is the test" ;
-        EOF</userinput>
+    EOF</userinput></screen>
 </screen>
    </sect2>
  </sect1>