some cmd for ipsec
Contents
Start IPsec:
ipsec setup start
Verify IPsec:
ipsec eroute ipsec verify ipsec barf ipset auto –status
Show IPsec stats
ip xfrm state ip xfrm policy
Set IPsec
On client: #!/bin/bash ip xfrm state flush ip xfrm policy flush ip addr add 2000::1/64 dev eth0
ip xfrm state add src 2000::1 dst 2000::2 proto esp spi 0x1000 mode transport
enc des3_ede enc_des3_ede_secret_key1 auth sha1 auth_sha1_secret_key1
ip xfrm state add src 2000::2 dst 2000::1 proto esp spi 0x2000 mode transport
enc des3_ede enc_des3_ede_secret_key1 auth sha1 auth_sha1_secret_key1
ip xfrm policy add dir out src 2000::1 dst 2000::2 proto any tmpl
src 2000::1 dst 2000::2 proto esp mode transport level required
ip xfrm policy add dir in src 2000::2 dst 2000::1 proto any tmpl
src 2000::2 dst 2000::1 proto esp mode transport level required
On Server: #!/bin/bash ip xfrm state flush ip xfrm policy flush ip addr add 2000::2/64 dev eth0
ip xfrm state add src 2000::1 dst 2000::2 proto esp spi 0x1000 mode transport
enc des3_ede enc_des3_ede_secret_key1 auth sha1 auth_sha1_secret_key1
ip xfrm state add src 2000::2 dst 2000::1 proto esp spi 0x2000 mode transport
enc des3_ede enc_des3_ede_secret_key1 auth sha1 auth_sha1_secret_key1
ip xfrm policy add dir in src 2000::1 dst 2000::2 proto any tmpl
src 2000::1 dst 2000::2 proto esp mode transport level required
ip xfrm policy add dir out src 2000::2 dst 2000::1 proto any tmpl
src 2000::2 dst 2000::1 proto esp mode transport level required
Set ah+esp
ip xfrm state flush ip xfrm policy flush
ip xfrm state add src 2001::100 dst 2001::101 proto ah spi 0x42 mode transport auth sha256 “ipv6readylogoph2ipsecsha2256in01” ip xfrm state add src 2001::101 dst 2001::100 proto ah spi 0x43 mode transport auth sha256 “ipv6readylogoph2ipsecsha2256in01” ip xfrm state add src 2001::100 dst 2001::101 proto esp spi 0x44 mode transport enc blowfish “blowfishtest.001” ip xfrm state add src 2001::101 dst 2001::100 proto esp spi 0x45 mode transport enc blowfish “blowfishtest.001”
ip xfrm policy add src 2001::100 dst 2001::101 dir out priority 0x80000000 tmpl proto esp mode transport tmpl proto ah mode transport ip xfrm policy add src 2001::100 dst 2001::101 dir fwd priority 0x80000000 tmpl proto esp mode transport tmpl proto ah mode transport ip xfrm policy add src 2001::101 dst 2001::100 dir in priority 0x80000000 tmpl proto esp mode transport tmpl proto ah mode transport ip xfrm policy add src 2001::101 dst 2001::100 dir fwd priority 0x80000000 tmpl proto esp mode transport tmpl proto ah mode transport
Set ah+esp transport
IPV6
ip xfrm policy add src fc00::1 dst fc00::2 dir out tmpl src fc00::1 dst fc00::2 proto esp spi 1 mode transport tmpl src fc00::1 dst fc00::2 proto ah spi 2 mode transport ip xfrm state add src fc00::1 dst fc00::2 proto esp spi 1 mode transport enc ‘aes’ 0x0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b ip xfrm state add src fc00::1 dst fc00::2 proto ah spi 2 mode transport auth ‘sha256’ 0x0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
ip xfrm policy add src fc00::1 dst fc00::2 dir in tmpl src fc00::1 dst fc00::2 proto esp spi 1 mode transport tmpl src fc00::1 dst fc00::2 proto ah spi 2 mode transport ip xfrm state add src fc00::1 dst fc00::2 proto esp spi 1 mode transport enc ‘aes’ 0x0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b ip xfrm state add src fc00::1 dst fc00::2 proto ah spi 2 mode transport auth ‘sha256’ 0x0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
IPV4
ip xfrm state add src 192.168.10.1 dst 192.168.10.2 proto esp spi 1 mode transport enc ‘aes’ 0x0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b ip xfrm state add src 192.168.10.1 dst 192.168.10.2 proto ah spi 2 mode transport auth ‘sha256’ 0x0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b ip xfrm state add src 192.168.10.1 dst 192.168.10.2 proto esp spi 1 mode transport enc ‘aes’ 0x0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b ip xfrm state add src 192.168.10.1 dst 192.168.10.2 proto ah spi 2 mode transport auth ‘sha256’ 0x0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
ip xfrm policy add src 192.168.10.1 dst 192.168.10.2 dir out tmpl src 192.168.10.1 dst 192.168.10.2 proto esp spi 1 mode transport tmpl src 192.168.10.1 dst 192.168.10.2 proto ah spi 2 mode transport ip xfrm policy add src 192.168.10.1 dst 192.168.10.2 dir in tmpl src 192.168.10.1 dst 192.168.10.2 proto esp spi 1 mode transport tmpl src 192.168.10.1 dst 192.168.10.2 proto ah spi 2 mode transport
Author Hangbin Liu
LastMod 2018-12-13 (1672b97)