root@host:~# apt-get install ipsec-tools
$ dd if=/dev/random count=16 bs=1 | xxd -ps
a9b3d99cd41ed7bc51e1a007c1ccc97f
16+0 records in
16+0 records out
$ dd if=/dev/random count=24 bs=1 | xxd -ps
5e9acb64f38d4a9b76e6a6c28220c48f048955fa24104df6
24+0 records in
24+0 records out
$ dd if=/dev/random count=28 bs=1 | xxd -ps
d565864f1e6c25f21b80af06afb2144eb9f9bcd8bb9d930e37600299
28+0 records in
28+0 records out
#!/usr/sbin/setkey -f
# Manual-keying configuration for the host 192.168.0.84 (its "-P out" policy
# covers 192.168.0.84 -> 192.168.0.85). Each SA below must be defined with
# exactly the same SPI, algorithm and key on the peer (192.168.0.85).
## Flush the SAD and SPD
#
flush;
spdflush;

## AH security association (SA)
# Alice and Bob
# A double-quoted key is read by setkey as a literal ASCII string: 16
# characters = 128 bits, the size hmac-md5 expects. The value is a
# predictable digit sequence rather than random material, and the same key
# is reused in both directions; generate it like the ESP keys (dd + xxd, as
# shown above) and give it as 0x<hex>. hmac-md5 is a legacy choice; setkey
# also accepts hmac-sha256.
add 192.168.0.84 192.168.0.85 ah 10000 -A hmac-md5 "1234567890123456";
add 192.168.0.85 192.168.0.84 ah 20000 -A hmac-md5 "1234567890123456";

#ESP
# Alice and Bob
# aes-ctr takes the AES key plus a 32-bit nonce as one value (160, 224 or
# 288 bits); the 28 bytes generated with dd above give 224 bits. The 16- and
# 24-byte values generated alongside it are not valid aes-ctr key lengths.
add 192.168.0.84 192.168.0.85 esp 10001 -E aes-ctr 0xd565864f1e6c25f21b80af06afb2144eb9f9bcd8bb9d930e37600299;
# Different keys can be chosen for each direction (Alice->Bob and Bob->Alice):
# NOTE(review): this SA does not load as written. The double quotes make
# setkey treat the 58-character string as an ASCII key (464 bits, not a
# valid length), and 'g' is not a hex digit in any case. Replace it with a
# fresh, unquoted 28-byte value from dd, i.e. 0x<28 random bytes in hex>,
# and use the identical value in the peer's file.
add 192.168.0.85 192.168.0.84 esp 20001 -E aes-ctr "0xg565864f1e7d25f21b80af06afb2144eb9f9bcd8bb9d930e37600244";

## security policy
# Alice and Bob
# Transport mode; both ESP and AH are required in each direction. The SPIs
# show up in tcpdump as 0x2710/0x2711 (10000/10001) and 0x4e20/0x4e21
# (20000/20001).
spdadd 192.168.0.84 192.168.0.85 any -P out ipsec esp/transport//require ah/transport//require;
spdadd 192.168.0.85 192.168.0.84 any -P in ipsec esp/transport//require ah/transport//require;
#!/usr/sbin/setkey -f
# Manual-keying configuration for the host 192.168.0.85 (its "-P out" policy
# covers 192.168.0.85 -> 192.168.0.84). The SAs are the mirror of the peer's
# file: same SPIs, algorithms and keys, only the policy directions swap.
## Flush the SAD and SPD
#
flush;
spdflush;

## AH security association (SA)
# The double-quoted key is a 16-character ASCII string (128 bits, the size
# hmac-md5 expects) — a predictable value reused in both directions. Generate
# it with dd + xxd like the ESP keys and write it as 0x<hex>; hmac-md5 is a
# legacy algorithm, setkey also accepts hmac-sha256.
add 192.168.0.84 192.168.0.85 ah 10000 -A hmac-md5 "1234567890123456";
add 192.168.0.85 192.168.0.84 ah 20000 -A hmac-md5 "1234567890123456";

#ESP
# aes-ctr takes the AES key plus a 32-bit nonce as one value (160, 224 or
# 288 bits); this 28-byte value is 224 bits.
add 192.168.0.84 192.168.0.85 esp 10001 -E aes-ctr 0xd565864f1e6c25f21b80af06afb2144eb9f9bcd8bb9d930e37600299;
# NOTE(review): setkey rejects this line — 'g' is not a hex digit. The peer's
# file also gives this key double-quoted (ASCII) while it is unquoted here,
# so the two definitions would not match even if both parsed. Replace it on
# both hosts with the same fresh, unquoted 28-byte value from dd,
# i.e. 0x<28 random bytes in hex>.
add 192.168.0.85 192.168.0.84 esp 20001 -E aes-ctr 0xg565864f1e7d25f21b80af06afb2144eb9f9bcd8bb9d930e37600244;

## security policy
# Transport mode; both ESP and AH are required in each direction.
spdadd 192.168.0.85 192.168.0.84 any -P out ipsec esp/transport//require ah/transport//require;
spdadd 192.168.0.84 192.168.0.85 any -P in ipsec esp/transport//require ah/transport//require;
We can see the ESP and AH headers on every captured packet.
root@host:~# tcpdump -i br0
11:59:39.230708 IP 192.168.0.85 > 192.168.0.84: AH(spi=0x00004e20,seq=0x68d): ESP(spi=0x00004e21,seq=0x68d), length 88
11:59:39.328125 IP 192.168.0.84 > 192.168.0.85: AH(spi=0x00002710,seq=0x746): ESP(spi=0x00002711,seq=0x746), length 88
11:59:39.328307 IP 192.168.0.85 > 192.168.0.84: AH(spi=0x00004e20,seq=0x68e): ESP(spi=0x00004e21,seq=0x68e), length 88
11:59:40.230594 IP 192.168.0.84 > 192.168.0.85: AH(spi=0x00002710,seq=0x747): ESP(spi=0x00002711,seq=0x747), length 88
11:59:40.230949 IP 192.168.0.85 > 192.168.0.84: AH(spi=0x00004e20,seq=0x68f): ESP(spi=0x00004e21,seq=0x68f), length 88
11:59:40.327423 IP 192.168.0.84 > 192.168.0.85: AH(spi=0x00002710,seq=0x748): ESP(spi=0x00002711,seq=0x748), length 88
11:59:40.327760 IP 192.168.0.85 > 192.168.0.84: AH(spi=0x00004e20,seq=0x690): ESP(spi=0x00004e21,seq=0x690), length 88
11:59:41.231482 IP 192.168.0.84 > 192.168.0.85: AH(spi=0x00002710,seq=0x749): ESP(spi=0x00002711,seq=0x749), length 88
11:59:41.231717 IP 192.168.0.85 > 192.168.0.84: AH(spi=0x00004e20,seq=0x691): ESP(spi=0x00004e21,seq=0x691), length 88
11:59:41.326445 IP 192.168.0.84 > 192.168.0.85: AH(spi=0x00002710,seq=0x74a): ESP(spi=0x00002711,seq=0x74a), length 88
11:59:41.326686 IP 192.168.0.85 > 192.168.0.84: AH(spi=0x00004e20,seq=0x692): ESP(spi=0x00004e21,seq=0x692), length 88
11:59:42.230489 IP 192.168.0.84 > 192.168.0.85: AH(spi=0x00002710,seq=0x74b): ESP(spi=0x00002711,seq=0x74b), length 88
# Load the SAs and policies from the configuration file (-f reads setkey
# commands from a file).
setkey -f /etc/ipsec-tools.conf
# Run the racoon IKE daemon in the foreground (-F) with the given config.
# Only relevant for automatic keying; the manual SAs above do not need it.
racoon -F -f /etc/racoon/racoon.conf
# Flush the SAD.
setkey -F
# Dump the SAD. The output includes the SA keys in clear, so treat it as
# sensitive (do not paste it into tickets or logs).
setkey -D
# Dump the SPD.
setkey -DP