# Manually keyed ESP tunnel-mode SA 172.21.46.133 -> 172.21.33.235 with
# HMAC-MD5 for integrity and Blowfish for encryption.
# NOTE(review): MD5 and Blowfish are legacy algorithms; for anything beyond
# a lab demo prefer the SHA1/AES or AEAD (CCM/GCM) examples further down.
ip xfrm state add src 172.21.46.133 dst 172.21.33.235 proto esp spi 0xc1764476 mode tunnel \
  auth md5 0xbde367f6722286d104212c864d3041ff \
  enc blowfish 0xb860a53627435c27c5862ebf7e2e2de15e2fd2786db612eff0ce4b181a9373c34dd1b6ca17b1ffb2d118a575b9f8a9aa865783500b2cd38a

# Remove the SA again; "stat" is an accepted abbreviation of "state" in iproute2.
ip xfrm stat delete src 172.21.46.133 dst 172.21.33.235 proto esp spi 0xc1764476
也可以用sha1加aes
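# Same tunnel endpoint pair, now with HMAC-SHA1 integrity and AES encryption.
# reqid 16385 lets a policy template with the same reqid select this SA.
ip xfrm state add src 172.21.46.131 dst 172.21.33.235 proto esp spi 0x4db377c8 reqid 16385 mode tunnel \
  auth sha1 0xe0a21cb441a0790188f8d5a7573608ae1e75af07 \
  enc aes 0x86e4685642435deb2b53bee6c23723974d0207a4abed037c5028a310ef355a6e
ip xfrm state delete src 172.21.46.131 dst 172.21.33.235 proto esp spi 0x4db377c8

# Twofish variant. The SPI is reused, so the previous SA must be deleted first
# (above). The example reuses the same 256-bit key blob for both ciphers; in
# real use generate a fresh key per SA.
ip xfrm state add src 172.21.46.131 dst 172.21.33.235 proto esp spi 0x4db377c8 reqid 16385 mode tunnel \
  auth sha1 0xe0a21cb441a0790188f8d5a7573608ae1e75af07 \
  enc twofish 0x86e4685642435deb2b53bee6c23723974d0207a4abed037c5028a310ef355a6e
ip xfrm state delete src 172.21.46.131 dst 172.21.33.235 proto esp spi 0x4db377c8

# IPSec manual mode by iproute2
# "st" is an accepted abbreviation of "state".
ip xfrm st add src 172.21.46.131 dst 172.21.33.235 proto esp spi 0x12345678 mode tunnel \
  auth md5 0xbde367f6722286d104212c864d3041ff \
  enc aes 0xf82bbcccc0e01308e9a8edba1f2c058be3af44bfde5c26657d4a6609ca488ac2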
其它可以參考的url
http://lwn.net/Articles/375829/
http://osdir.com/ml/linux.kernel.cryptoapi/2008-04/msg00017.html
[lho@svdclab161 sec]$ cat ip-start-transport-ccm
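#!/bin/sh
# Bring up a manually keyed IPsec transport-mode SA pair between
# 10.66.21.164 (node A) and 10.66.21.166 (node B) using AES-CCM
# ("rfc4309(ccm(aes))"), then install the policies for the node this
# script runs on.
#
# Usage: ip-start-transport-ccm A|B
#
# The same script (same SPIs and keys) is run on both hosts; only the
# policy directions differ. The key material is embedded in clear text,
# so restrict read access to this file.
set -eu

NODE=${1:-}
# Validate the argument before flushing anything: with no/unknown node the
# original script silently left the host with SAs but no policies.
case "${NODE}" in
  A|B) ;;
  *)
    echo "usage: ${0} A|B" >&2
    exit 2
    ;;
esac

echo "Starting IPSec transport mode using CCM..."
# Start from an empty SPD/SAD so stale entries cannot shadow the new ones.
./ip xfrm policy flush
./ip xfrm state flush
#
# SA
# Each line is one command: "spi", the aead key blob and the ICV length
# (96 bits) must all be arguments of the same "state add".
# Per ip-xfrm(8) the aead key blob carries the key plus the per-SA salt
# (3 bytes for rfc4309) — confirm against the running kernel if in doubt.
./ip xfrm state add src 10.66.21.164 dst 10.66.21.166 proto esp spi 0x201 \
  mode transport aead "rfc4309(ccm(aes))" \
  0x0102037aeaca3f87d060a12f4a4487d5a5c335 96
./ip xfrm state add src 10.66.21.166 dst 10.66.21.164 proto esp spi 0x301 \
  mode transport aead "rfc4309(ccm(aes))" \
  0x010203f6ddb555acfd9d77b03ea3843f265325 96
#
# Policy
# Node A is 10.66.21.164 and node B is 10.66.21.166: each side protects its
# outbound leg to the peer and requires ESP on the inbound leg.
case "${NODE}" in
  A)
    ./ip xfrm policy add dir out src 10.66.21.164 dst 10.66.21.166 \
      tmpl proto esp mode transport
    ./ip xfrm policy add dir in src 10.66.21.166 dst 10.66.21.164 \
      tmpl proto esp mode transport
    ;;
  B)
    ./ip xfrm policy add dir in src 10.66.21.164 dst 10.66.21.166 \
      tmpl proto esp mode transport
    ./ip xfrm policy add dir out src 10.66.21.166 dst 10.66.21.164 \
      tmpl proto esp mode transport
    ;;
esac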
[lho@svdclab161 sec]$ cat ip-start-transport-gcm
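#!/bin/sh
# Bring up a manually keyed IPsec transport-mode SA pair between
# 10.66.21.164 (node A) and 10.66.21.166 (node B) using AES-GCM
# ("rfc4106(gcm(aes))"), then install the policies for the node this
# script runs on.
#
# Usage: ip-start-transport-gcm A|B
#
# The same script (same SPIs and keys) is run on both hosts; only the
# policy directions differ. The key material is embedded in clear text,
# so restrict read access to this file.
set -eu

NODE=${1:-}
# Validate the argument before flushing anything: with no/unknown node the
# original script silently left the host with SAs but no policies.
case "${NODE}" in
  A|B) ;;
  *)
    echo "usage: ${0} A|B" >&2
    exit 2
    ;;
esac

echo "Starting IPSec transport mode using GCM..."
# Start from an empty SPD/SAD so stale entries cannot shadow the new ones.
./ip xfrm policy flush
./ip xfrm state flush
#
# SA
# Each line is one command: "spi", the aead key blob and the ICV length
# (96 bits) must all be arguments of the same "state add".
# Per ip-xfrm(8) the aead key blob carries the key plus the per-SA salt
# (4 bytes for rfc4106) — confirm against the running kernel if in doubt.
./ip xfrm state add src 10.66.21.164 dst 10.66.21.166 proto esp spi 0x201 \
  mode transport aead "rfc4106(gcm(aes))" \
  0x010203047aeaca3f87d060a12f4a4487d5a5c335 96
./ip xfrm state add src 10.66.21.166 dst 10.66.21.164 proto esp spi 0x301 \
  mode transport aead "rfc4106(gcm(aes))" \
  0x01020304f6ddb555acfd9d77b03ea3843f265325 96
#
# Policy
# Node A is 10.66.21.164 and node B is 10.66.21.166: each side protects its
# outbound leg to the peer and requires ESP on the inbound leg.
case "${NODE}" in
  A)
    ./ip xfrm policy add dir out src 10.66.21.164 dst 10.66.21.166 \
      tmpl proto esp mode transport
    ./ip xfrm policy add dir in src 10.66.21.166 dst 10.66.21.164 \
      tmpl proto esp mode transport
    ;;
  B)
    ./ip xfrm policy add dir in src 10.66.21.164 dst 10.66.21.166 \
      tmpl proto esp mode transport
    ./ip xfrm policy add dir out src 10.66.21.166 dst 10.66.21.164 \
      tmpl proto esp mode transport
    ;;
esac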