I used these two configurations for the tests:
Host1:
#!/sbin/setkey -f
#
# Host1 side of a two-host, manually keyed IPsec test bed, loaded with setkey(8).
# The Host2 file carries the same selectors with in/out swapped and the same SAs.
#
# Lab-only caveats that apply to every `add` and `spdadd ... ipsec` line here:
#  - All SAs share the literal 16-byte key "1111111111111111" (a 128-bit
#    rijndael-cbc key). It is a placeholder for functional testing only.
#  - SAs are created with -E and no -A, so ESP encrypts but does not
#    authenticate; modified ciphertext is not detected by IPsec itself.
#  - No -r replay window is given; per setkey(8) no replay check takes place.
#  - The policy level is `default`, so the kernel consults the system-wide
#    level (on FreeBSD the net.inet.ipsec.*_deflev / net.inet6.ipsec6.*_deflev
#    sysctls). When that level is `use` rather than `require`, matching
#    traffic is sent in clear whenever no SA is available.
#
# Start from a clean state: drop all SAD entries, then all SPD entries.
flush;
spdflush;
# Host configuration:
# (shell commands kept as comments; run them before loading this file)
# ifconfig wlan0 inet 10.9.8.3/24
# ifconfig wlan0 inet 10.9.9.3/24 alias
# ifconfig wlan0 inet 10.9.10.3/24 alias
# ifconfig wlan0 inet 10.9.11.3/24 alias
# ifconfig wlan0 inet 10.9.12.3/24 alias
# ifconfig wlan0 inet 10.9.13.3/24 alias
# ifconfig wlan0 inet 10.9.14.3/24 alias
# ifconfig wlan0 inet6 fe80::3/64
# ifconfig wlan0 inet6 fe80::1:3/64
# ifconfig wlan0 inet6 fe80::11:3/64
# ifconfig wlan0 inet6 fc00::3/64
# ifconfig wlan0 inet6 fc00:10::3/64
# ifconfig wlan0 inet6 fc00:11::3/64
# ifconfig wlan0 inet6 fc00:12::3/64
# ifconfig wlan0 inet6 fc00:13::3/64
# ifconfig gif1 create inet 192.168.0.3/24 192.168.0.11 tunnel 10.9.9.3 10.9.9.11 up
# ifconfig gif1 inet6 fc00:1::3/64
# ifconfig gif1 inet6 fe80::1:3/64
# ifconfig gif2 create inet 172.16.0.3/24 172.16.0.11
# ifconfig gif2 inet6 tunnel fe80::1:3%wlan0 fe80::1:11%wlan0
# ifconfig gif2 inet6 fc00:2::3/64
# ifconfig gif3 create inet 192.168.1.3/24 192.168.1.11 tunnel 10.9.14.3 10.9.14.11 up
# ifconfig gif3 inet6 fc00:14::3/64
#
# Bypass IPsec for outbound IPv6 neighbor discovery: ICMPv6 type 135 is
# Neighbor Solicitation, type 136 is Neighbor Advertisement. Only the `out`
# direction is exempted. Presumably this keeps address resolution working
# for the IPv6 selectors below; confirm against the test plan.
spdadd -6 ::/0 ::/0 icmp6 135,0 -P out none;
spdadd -6 ::/0 ::/0 icmp6 136,0 -P out none;
# Test 1: IPv4 + transport mode
# 10.9.8.3 <- transport mode IPSec -> 10.9.8.11
#
# ping -c1 -S 10.9.8.3 10.9.8.11
# tcpdump -ni enc0
# Expected result:
# (the outbound request appears twice on enc0; presumably enc(4) taps it
# before and after IPsec processing, TODO confirm)
# SPI 0x00003d55: IP 10.9.8.3 > 10.9.8.11: ICMP echo request, id 62307, seq 0, length 64
# SPI 0x00003d55: IP 10.9.8.3 > 10.9.8.11: ICMP echo request, id 62307, seq 0, length 64
# SPI 0x00005fb5: IP 10.9.8.11 > 10.9.8.3: ICMP echo reply, id 62307, seq 0, length 64
#
# tcpdump -ni wlan0 esp
# IP 10.9.8.3 > 10.9.8.11: ESP(spi=0x00003d55,seq=0xd3), length 104
# IP 10.9.8.11 > 10.9.8.3: ESP(spi=0x00005fb5,seq=0x207), length 104
#
# Policies: all protocols between the two addresses use ESP transport mode;
# level `default` defers to the system-wide level.
spdadd 10.9.8.3 10.9.8.11 any -P out ipsec esp/transport//default;
spdadd 10.9.8.11 10.9.8.3 any -P in ipsec esp/transport//default;
# SAs: SPIs are decimal here (15701 = 0x3d55 outbound, 24501 = 0x5fb5 inbound).
# Test-only: placeholder key, -E without -A (encryption, no ESP authentication).
add 10.9.8.3 10.9.8.11 esp 15701 -m transport -E rijndael-cbc "1111111111111111" ;
add 10.9.8.11 10.9.8.3 esp 24501 -m transport -E rijndael-cbc "1111111111111111" ;
# Test 2: IPv4 + gif + transport mode
# 192.168.0.3 <- transport mode IPSec -> 192.168.0.11
# (192.168.0.3/192.168.0.11 are the gif1 inner addresses from the host
# configuration; gif1's outer endpoints are 10.9.9.3/10.9.9.11)
#
# ping -c1 -S 192.168.0.3 192.168.0.11
# tcpdump -ni enc0
# Expected result:
# SPI 0x00003d56: IP 192.168.0.3 > 192.168.0.11: ICMP echo request, id 63331, seq 0, length 64
# SPI 0x00003d56: IP 192.168.0.3 > 192.168.0.11: ICMP echo request, id 63331, seq 0, length 64
# SPI 0x00005fb6: IP 192.168.0.11 > 192.168.0.3: ICMP echo reply, id 63331, seq 0, length 64
#
# tcpdump -ni wlan0
# (on the wire the ESP packet is carried inside the gif1 IPv4 outer header)
# IP 10.9.9.3 > 10.9.9.11: IP 192.168.0.3 > 192.168.0.11: ESP(spi=0x00003d56,seq=0x6), length 104 (ipip-proto-4)
# IP 10.9.9.11 > 10.9.9.3: IP 192.168.0.11 > 192.168.0.3: ESP(spi=0x00005fb6,seq=0x7), length 104 (ipip-proto-4)
#
# Policies: ESP transport mode on the inner (gif1) addresses, level `default`.
spdadd 192.168.0.3 192.168.0.11 any -P out ipsec esp/transport//default;
spdadd 192.168.0.11 192.168.0.3 any -P in ipsec esp/transport//default;
# SAs: 15702 = 0x3d56 outbound, 24502 = 0x5fb6 inbound.
# Test-only: placeholder key, -E without -A (encryption, no ESP authentication).
add 192.168.0.3 192.168.0.11 esp 15702 -m transport -E rijndael-cbc "1111111111111111" ;
add 192.168.0.11 192.168.0.3 esp 24502 -m transport -E rijndael-cbc "1111111111111111" ;
# Test 3: IPv6 + transport mode
# fc00::3 <- transport mode IPSec -> fc00::11
#
# ping6 -c1 fc00::11
# tcpdump -ni enc0
# Expected result:
# SPI 0x00003d57: IP6 fc00::3 > fc00::11: ICMP6, echo request, seq 0, length 16
# SPI 0x00003d57: IP6 fc00::3 > fc00::11: ICMP6, echo request, seq 0, length 16
# SPI 0x00005fb7: IP6 fc00::11 > fc00::3: ICMP6, echo reply, seq 0, length 16
#
# tcpdump -ni wlan0 esp
# IP6 fc00::3 > fc00::11: ESP(spi=0x00003d57,seq=0x1), length 56
# IP6 fc00::11 > fc00::3: ESP(spi=0x00005fb7,seq=0x2), length 56
#
# Policies: ESP transport mode between the two unique-local addresses,
# level `default` (system-wide level decides whether clear text is allowed).
spdadd -6 fc00::3 fc00::11 any -P out ipsec esp/transport//default;
spdadd -6 fc00::11 fc00::3 any -P in ipsec esp/transport//default;
# SAs: 15703 = 0x3d57 outbound, 24503 = 0x5fb7 inbound.
# Test-only: placeholder key, -E without -A (encryption, no ESP authentication).
add -6 fc00::3 fc00::11 esp 15703 -m transport -E rijndael-cbc "1111111111111111" ;
add -6 fc00::11 fc00::3 esp 24503 -m transport -E rijndael-cbc "1111111111111111" ;
# Test 4: IPv6 LLA + transport mode
# fe80::3%wlan0 <- transport mode IPSec -> fe80::11%wlan0
#
# ping6 -c1 fe80::11%wlan0
# tcpdump -ni enc0
# Expected result:
# (fe80:5:: in the enc0 capture is presumably the link-local address with
# the wlan0 scope id embedded; on the wire it is plain fe80::, TODO confirm)
# SPI 0x00003d58: IP6 fe80:5::3 > fe80:5::11: ICMP6, echo request, seq 0, length 16
# SPI 0x00003d58: IP6 fe80:5::3 > fe80:5::11: ICMP6, echo request, seq 0, length 16
# SPI 0x00005fb8: IP6 fe80:5::11 > fe80:5::3: ICMP6, echo reply, seq 0, length 16
#
# tcpdump -ni wlan0 esp
# IP6 fe80::3 > fe80::11: ESP(spi=0x00003d58,seq=0x2), length 56
# IP6 fe80::11 > fe80::3: ESP(spi=0x00005fb8,seq=0x1b), length 56
#
# Policies: selectors are link-local addresses scoped to wlan0 (%wlan0), so
# the interface name is part of the match on this host.
spdadd -6 fe80::3%wlan0 fe80::11%wlan0 any -P out ipsec esp/transport//default;
spdadd -6 fe80::11%wlan0 fe80::3%wlan0 any -P in ipsec esp/transport//default;
# SAs: 15704 = 0x3d58 outbound, 24504 = 0x5fb8 inbound.
# Test-only: placeholder key, -E without -A (encryption, no ESP authentication).
add -6 fe80::3%wlan0 fe80::11%wlan0 esp 15704 -m transport -E rijndael-cbc "1111111111111111" ;
add -6 fe80::11%wlan0 fe80::3%wlan0 esp 24504 -m transport -E rijndael-cbc "1111111111111111" ;
# Test 5: IPv6 LLA + gif + transport mode
# fe80::1:3%gif1 <- transport mode IPSec -> fe80::1:11%gif1
#
# ping6 -c1 fe80::1:11%gif1
# tcpdump -ni enc0
# Expected result:
# SPI 0x00003d59: IP6 fe80:7::1:3 > fe80:7::1:11: ICMP6, echo request, seq 0, length 16
# SPI 0x00003d59: IP6 fe80:7::1:3 > fe80:7::1:11: ICMP6, echo request, seq 0, length 16
# SPI 0x00005fb9: IP6 fe80:7::1:11 > fe80:7::1:3: ICMP6, echo reply, seq 0, length 16
#
# tcpdump -ni wlan0
# (the ESP-protected IPv6 packet travels inside gif1's IPv4 outer header)
# IP 10.9.9.3 > 10.9.9.11: IP6 fe80::1:3 > fe80::1:11: ESP(spi=0x00003d59,seq=0x3), length 56
# IP 10.9.9.11 > 10.9.9.3: IP6 fe80::1:11 > fe80::1:3: ESP(spi=0x00005fb9,seq=0x4), length 56
#
# Policies: link-local selectors scoped to the gif1 tunnel interface.
spdadd -6 fe80::1:3%gif1 fe80::1:11%gif1 any -P out ipsec esp/transport//default;
spdadd -6 fe80::1:11%gif1 fe80::1:3%gif1 any -P in ipsec esp/transport//default;
# SAs: 15705 = 0x3d59 outbound, 24505 = 0x5fb9 inbound.
# Test-only: placeholder key, -E without -A (encryption, no ESP authentication).
add -6 fe80::1:3%gif1 fe80::1:11%gif1 esp 15705 -m transport -E rijndael-cbc "1111111111111111" ;
add -6 fe80::1:11%gif1 fe80::1:3%gif1 esp 24505 -m transport -E rijndael-cbc "1111111111111111" ;
# Test 6: IPv6 + gif + transport mode
# fc00:1::3 <- transport mode IPSec -> fc00:1::11
# (fc00:1::3 is the IPv6 address assigned to gif1 in the host configuration)
#
# ping6 -c1 fc00:1::11
# tcpdump -ni enc0
# Expected result:
# SPI 0x00003d5a: IP6 fc00:1::3 > fc00:1::11: ICMP6, echo request, seq 0, length 16
# SPI 0x00003d5a: IP6 fc00:1::3 > fc00:1::11: ICMP6, echo request, seq 0, length 16
# SPI 0x00005fba: IP6 fc00:1::11 > fc00:1::3: ICMP6, echo reply, seq 0, length 16
#
# tcpdump -ni wlan0
# (the ESP-protected IPv6 packet travels inside gif1's IPv4 outer header)
# IP 10.9.9.3 > 10.9.9.11: IP6 fc00:1::3 > fc00:1::11: ESP(spi=0x00003d5a,seq=0x1), length 56
# IP 10.9.9.11 > 10.9.9.3: IP6 fc00:1::11 > fc00:1::3: ESP(spi=0x00005fba,seq=0x2), length 56
#
# Policies: ESP transport mode on the gif1 IPv6 addresses, level `default`.
spdadd -6 fc00:1::3 fc00:1::11 any -P out ipsec esp/transport//default;
spdadd -6 fc00:1::11 fc00:1::3 any -P in ipsec esp/transport//default;
# SAs: 15706 = 0x3d5a outbound, 24506 = 0x5fba inbound.
# Test-only: placeholder key, -E without -A (encryption, no ESP authentication).
add -6 fc00:1::3 fc00:1::11 esp 15706 -m transport -E rijndael-cbc "1111111111111111" ;
add -6 fc00:1::11 fc00:1::3 esp 24506 -m transport -E rijndael-cbc "1111111111111111" ;
# Test 7: IPv4 tunnel mode 10.9.11.3 <-> 10.9.11.11
# 10.9.10.3 <- tunnel mode IPSec -> 10.9.10.11
# fc00:10::3 <- -> fc00:10::11
# (one IPv4 tunnel carries both IPv4 and IPv6 inner traffic)
#
# ping -c1 -S 10.9.10.3 10.9.10.11
# ping6 -c1 fc00:10::11
# tcpdump -ni enc0
# Expected result:
# SPI 0x00003d5b: IP 10.9.10.3 > 10.9.10.11: ICMP echo request, id 7780, seq 0, length 64
# SPI 0x00003d5b: IP 10.9.11.3 > 10.9.11.11: IP 10.9.10.3 > 10.9.10.11: ICMP echo request, id 7780, seq 0, length 64 (ipip-proto-4)
# SPI 0x00005fbb: IP 10.9.11.11 > 10.9.11.3: IP 10.9.10.11 > 10.9.10.3: ICMP echo reply, id 7780, seq 0, length 64 (ipip-proto-4)
# SPI 0x00003d5b: IP6 fc00:10::3 > fc00:10::11: ICMP6, echo request, seq 0, length 16
# SPI 0x00003d5b: IP 10.9.11.3 > 10.9.11.11: IP6 fc00:10::3 > fc00:10::11: ICMP6, echo request, seq 0, length 16
# SPI 0x00005fbb: IP 10.9.11.11 > 10.9.11.3: IP6 fc00:10::11 > fc00:10::3: ICMP6, echo reply, seq 0, length 16
#
# tcpdump -ni wlan0 esp
# IP 10.9.11.3 > 10.9.11.11: ESP(spi=0x00003d5b,seq=0x1), length 120
# IP 10.9.11.11 > 10.9.11.3: ESP(spi=0x00005fbb,seq=0x3), length 120
# IP 10.9.11.3 > 10.9.11.11: ESP(spi=0x00003d5b,seq=0x2), length 88
# IP 10.9.11.11 > 10.9.11.3: ESP(spi=0x00005fbb,seq=0x4), length 88
#
# Policies: the IPv4 and IPv6 selectors both point at the same tunnel
# endpoints, so both families share the single SA pair below.
spdadd 10.9.10.3 10.9.10.11 any -P out ipsec esp/tunnel/10.9.11.3-10.9.11.11/default;
spdadd 10.9.10.11 10.9.10.3 any -P in ipsec esp/tunnel/10.9.11.11-10.9.11.3/default;
spdadd -6 fc00:10::3 fc00:10::11 any -P out ipsec esp/tunnel/10.9.11.3-10.9.11.11/default;
spdadd -6 fc00:10::11 fc00:10::3 any -P in ipsec esp/tunnel/10.9.11.11-10.9.11.3/default;
# SAs are keyed on the tunnel endpoints: 15707 = 0x3d5b outbound,
# 24507 = 0x5fbb inbound.
# Test-only: placeholder key, -E without -A (encryption, no ESP authentication).
add 10.9.11.3 10.9.11.11 esp 15707 -m tunnel -E rijndael-cbc "1111111111111111" ;
add 10.9.11.11 10.9.11.3 esp 24507 -m tunnel -E rijndael-cbc "1111111111111111" ;
# Test 8: IPv6 tunnel mode fc00:11::3 <-> fc00:11::11
# 10.9.12.3 <- tunnel mode IPSec -> 10.9.12.11
# fc00:12::3 <- -> fc00:12::11
# (one IPv6 tunnel carries both IPv4 and IPv6 inner traffic)
#
# ping -c1 -S 10.9.12.3 10.9.12.11
# ping6 -c1 fc00:12::11
# tcpdump -ni enc0
# Expected result:
# SPI 0x00003d5c: IP 10.9.12.3 > 10.9.12.11: ICMP echo request, id 8548, seq 0, length 64
# SPI 0x00003d5c: IP6 fc00:11::3 > fc00:11::11: IP 10.9.12.3 > 10.9.12.11: ICMP echo request, id 8548, seq 0, length 64
# SPI 0x00005fbc: IP6 fc00:11::11 > fc00:11::3: IP 10.9.12.11 > 10.9.12.3: ICMP echo reply, id 8548, seq 0, length 64
# SPI 0x00003d5c: IP6 fc00:12::3 > fc00:12::11: ICMP6, echo request, seq 0, length 16
# SPI 0x00003d5c: IP6 fc00:11::3 > fc00:11::11: IP6 fc00:12::3 > fc00:12::11: ICMP6, echo request, seq 0, length 16
# SPI 0x00005fbc: IP6 fc00:11::11 > fc00:11::3: IP6 fc00:12::11 > fc00:12::3: ICMP6, echo reply, seq 0, length 16
#
# tcpdump -ni wlan0 esp
# IP6 fc00:11::3 > fc00:11::11: ESP(spi=0x00003d5c,seq=0x1), length 120
# IP6 fc00:11::11 > fc00:11::3: ESP(spi=0x00005fbc,seq=0x3), length 120
# IP6 fc00:11::3 > fc00:11::11: ESP(spi=0x00003d5c,seq=0x2), length 88
# IP6 fc00:11::11 > fc00:11::3: ESP(spi=0x00005fbc,seq=0x4), length 88
#
# Policies: IPv4 and IPv6 selectors both use the IPv6 tunnel endpoints
# fc00:11::3 / fc00:11::11.
spdadd 10.9.12.3 10.9.12.11 any -P out ipsec esp/tunnel/fc00:11::3-fc00:11::11/default;
spdadd 10.9.12.11 10.9.12.3 any -P in ipsec esp/tunnel/fc00:11::11-fc00:11::3/default;
spdadd -6 fc00:12::3 fc00:12::11 any -P out ipsec esp/tunnel/fc00:11::3-fc00:11::11/default;
spdadd -6 fc00:12::11 fc00:12::3 any -P in ipsec esp/tunnel/fc00:11::11-fc00:11::3/default;
# SAs are keyed on the tunnel endpoints: 15708 = 0x3d5c outbound,
# 24508 = 0x5fbc inbound.
# Test-only: placeholder key, -E without -A (encryption, no ESP authentication).
add -6 fc00:11::3 fc00:11::11 esp 15708 -m tunnel -E rijndael-cbc "1111111111111111" ;
add -6 fc00:11::11 fc00:11::3 esp 24508 -m tunnel -E rijndael-cbc "1111111111111111" ;
# Test 9: IPv6 tunnel mode + LLA fe80::11:3 <-> fe80::11:11
# 10.9.13.3 <- tunnel mode IPSec -> 10.9.13.11
# fc00:13::3 <- -> fc00:13::11
# (tunnel endpoints are link-local addresses scoped to wlan0)
#
# ping -c1 -S 10.9.13.3 10.9.13.11
# ping6 -c1 fc00:13::11
# tcpdump -ni enc0
# Expected result:
# SPI 0x00003d5d: IP 10.9.13.3 > 10.9.13.11: ICMP echo request, id 12388, seq 0, length 64
# SPI 0x00003d5d: IP6 fe80:5::11:3 > fe80:5::11:11: IP 10.9.13.3 > 10.9.13.11: ICMP echo request, id 12388, seq 0, length 64
# SPI 0x00005fbd: IP6 fe80:5::11:11 > fe80:5::11:3: IP 10.9.13.11 > 10.9.13.3: ICMP echo reply, id 12388, seq 0, length 64
# SPI 0x00003d5d: IP6 fc00:13::3 > fc00:13::11: ICMP6, echo request, seq 0, length 16
# SPI 0x00003d5d: IP6 fe80:5::11:3 > fe80:5::11:11: IP6 fc00:13::3 > fc00:13::11: ICMP6, echo request, seq 0, length 16
# SPI 0x00005fbd: IP6 fe80:5::11:11 > fe80:5::11:3: IP6 fc00:13::11 > fc00:13::3: ICMP6, echo reply, seq 0, length 16
#
# tcpdump -ni wlan0 esp
# IP6 fe80::11:3 > fe80::11:11: ESP(spi=0x00003d5d,seq=0x1), length 120
# IP6 fe80::11:11 > fe80::11:3: ESP(spi=0x00005fbd,seq=0x3), length 120
# IP6 fe80::11:3 > fe80::11:11: ESP(spi=0x00003d5d,seq=0x2), length 88
# IP6 fe80::11:11 > fe80::11:3: ESP(spi=0x00005fbd,seq=0x4), length 88
#
# Policies: the %wlan0 scope is required on the link-local tunnel endpoints;
# it is host-specific (the Host2 file uses its own interface name).
spdadd 10.9.13.3 10.9.13.11 any -P out ipsec esp/tunnel/fe80::11:3%wlan0-fe80::11:11%wlan0/default;
spdadd 10.9.13.11 10.9.13.3 any -P in ipsec esp/tunnel/fe80::11:11%wlan0-fe80::11:3%wlan0/default;
spdadd -6 fc00:13::3 fc00:13::11 any -P out ipsec esp/tunnel/fe80::11:3%wlan0-fe80::11:11%wlan0/default;
spdadd -6 fc00:13::11 fc00:13::3 any -P in ipsec esp/tunnel/fe80::11:11%wlan0-fe80::11:3%wlan0/default;
# SAs are keyed on the scoped tunnel endpoints: 15709 = 0x3d5d outbound,
# 24509 = 0x5fbd inbound.
# Test-only: placeholder key, -E without -A (encryption, no ESP authentication).
add -6 fe80::11:3%wlan0 fe80::11:11%wlan0 esp 15709 -m tunnel -E rijndael-cbc "1111111111111111" ;
add -6 fe80::11:11%wlan0 fe80::11:3%wlan0 esp 24509 -m tunnel -E rijndael-cbc "1111111111111111" ;
# Test 10: IPv4 tunnel mode + gif 10.9.14.3 <-> 10.9.14.11
# 10.9.14.3 <- tunnel mode IPSec -> 10.9.14.11
# 192.168.1.3 <- -> 192.168.1.11
# fc00:14::3 <- -> fc00:14::11
# (the IPsec tunnel endpoints are the same addresses gif3 uses as its outer
# endpoints; 192.168.1.3 and fc00:14::3 are gif3's inner addresses)
#
# ping -c1 -S 10.9.14.3 10.9.14.11
# ping -c1 -S 192.168.1.3 192.168.1.11
# ping6 -c1 fc00:14::11
# tcpdump -ni enc0
# Expected result:
# SPI 0x00003d5e: IP 10.9.14.3 > 10.9.14.11: ICMP echo request, id 13668, seq 0, length 64
# SPI 0x00003d5e: IP 10.9.14.3 > 10.9.14.11: IP 10.9.14.3 > 10.9.14.11: ICMP echo request, id 13668, seq 0, length 64 (ipip-proto-4)
# SPI 0x00005fbe: IP 10.9.14.11 > 10.9.14.3: IP 10.9.14.11 > 10.9.14.3: ICMP echo reply, id 13668, seq 0, length 64 (ipip-proto-4)
# SPI 0x00003d5e: IP 192.168.1.3 > 192.168.1.11: ICMP echo request, id 14692, seq 0, length 64
# SPI 0x00003d5e: IP 10.9.14.3 > 10.9.14.11: IP 192.168.1.3 > 192.168.1.11: ICMP echo request, id 14692, seq 0, length 64 (ipip-proto-4)
# SPI 0x00005fbe: IP 10.9.14.11 > 10.9.14.3: IP 192.168.1.11 > 192.168.1.3: ICMP echo reply, id 14692, seq 0, length 64 (ipip-proto-4)
# SPI 0x00003d5e: IP6 fc00:14::3 > fc00:14::11: ICMP6, echo request, seq 0, length 16
# SPI 0x00003d5e: IP 10.9.14.3 > 10.9.14.11: IP6 fc00:14::3 > fc00:14::11: ICMP6, echo request, seq 0, length 16
# SPI 0x00005fbe: IP 10.9.14.11 > 10.9.14.3: IP6 fc00:14::11 > fc00:14::3: ICMP6, echo reply, seq 0, length 16
#
# tcpdump -ni wlan0
# (only ESP between the tunnel endpoints is expected on the wire)
# IP 10.9.14.3 > 10.9.14.11: ESP(spi=0x00003d5e,seq=0x1), length 120
# IP 10.9.14.11 > 10.9.14.3: ESP(spi=0x00005fbe,seq=0x4), length 120
# IP 10.9.14.3 > 10.9.14.11: ESP(spi=0x00003d5e,seq=0x2), length 120
# IP 10.9.14.11 > 10.9.14.3: ESP(spi=0x00005fbe,seq=0x5), length 120
# IP 10.9.14.3 > 10.9.14.11: ESP(spi=0x00003d5e,seq=0x3), length 88
# IP 10.9.14.11 > 10.9.14.3: ESP(spi=0x00005fbe,seq=0x6), length 88
#
# Policies: three selector pairs (endpoint addresses themselves, gif3 IPv4
# inner, gif3 IPv6 inner) all map to the same tunnel and SA pair.
spdadd 10.9.14.3 10.9.14.11 any -P out ipsec esp/tunnel/10.9.14.3-10.9.14.11/default;
spdadd 10.9.14.11 10.9.14.3 any -P in ipsec esp/tunnel/10.9.14.11-10.9.14.3/default;
spdadd 192.168.1.3 192.168.1.11 any -P out ipsec esp/tunnel/10.9.14.3-10.9.14.11/default;
spdadd 192.168.1.11 192.168.1.3 any -P in ipsec esp/tunnel/10.9.14.11-10.9.14.3/default;
spdadd -6 fc00:14::3 fc00:14::11 any -P out ipsec esp/tunnel/10.9.14.3-10.9.14.11/default;
spdadd -6 fc00:14::11 fc00:14::3 any -P in ipsec esp/tunnel/10.9.14.11-10.9.14.3/default;
# SAs: 15710 = 0x3d5e outbound, 24510 = 0x5fbe inbound.
# Test-only: placeholder key, -E without -A (encryption, no ESP authentication).
add 10.9.14.3 10.9.14.11 esp 15710 -m tunnel -E rijndael-cbc "1111111111111111" ;
add 10.9.14.11 10.9.14.3 esp 24510 -m tunnel -E rijndael-cbc "1111111111111111" ;
Host2:
#!/sbin/setkey -f
#
# Host2 side of a two-host, manually keyed IPsec test bed, loaded with setkey(8).
# Selectors match the Host1 file with in/out swapped; SPIs and keys are the
# same on both hosts, as manual keying requires.
#
# Lab-only caveats that apply to every `add` and `spdadd ... ipsec` line here:
#  - All SAs share the literal 16-byte key "1111111111111111" (a 128-bit
#    rijndael-cbc key). It is a placeholder for functional testing only.
#  - SAs are created with -E and no -A, so ESP encrypts but does not
#    authenticate; modified ciphertext is not detected by IPsec itself.
#  - No -r replay window is given; per setkey(8) no replay check takes place.
#  - The policy level is `default`, so the kernel consults the system-wide
#    level (on FreeBSD the net.inet.ipsec.*_deflev / net.inet6.ipsec6.*_deflev
#    sysctls). When that level is `use` rather than `require`, matching
#    traffic is sent in clear whenever no SA is available.
#
# Start from a clean state: drop all SAD entries, then all SPD entries.
flush;
spdflush;
# Host configuration:
# (shell commands kept as comments; run them before loading this file)
# ifconfig em0 inet 10.9.8.11/24
# ifconfig em0 inet 10.9.9.11 alias
# ifconfig em0 inet 10.9.10.11 alias
# ifconfig em0 inet 10.9.11.11 alias
# ifconfig em0 inet 10.9.12.11 alias
# ifconfig em0 inet 10.9.13.11 alias
# ifconfig em0 inet 10.9.14.11 alias
# ifconfig em0 inet6 fe80::11/64
# ifconfig em0 inet6 fe80::1:11/64
# ifconfig em0 inet6 fe80::11:11/64
# ifconfig em0 inet6 fc00::11/64
# ifconfig em0 inet6 fc00:10::11/64
# ifconfig em0 inet6 fc00:11::11/64
# ifconfig em0 inet6 fc00:12::11/64
# ifconfig em0 inet6 fc00:13::11/64
# ifconfig gif1 create inet 192.168.0.11/24 192.168.0.3 tunnel 10.9.9.11 10.9.9.3 up
# ifconfig gif1 inet6 fc00:1::11/64
# ifconfig gif1 inet6 fe80::1:11/64
# ifconfig gif2 create inet 172.16.0.11/24 172.16.0.3
# ifconfig gif2 inet6 tunnel fe80::1:11%em0 fe80::1:3%em0
# ifconfig gif2 inet6 fc00:2::11/64
# ifconfig gif3 create inet 192.168.1.11/24 192.168.1.3 tunnel 10.9.14.11 10.9.14.3 up
# ifconfig gif3 inet6 fc00:14::11/64
#
# Bypass IPsec for outbound IPv6 neighbor discovery: ICMPv6 type 135 is
# Neighbor Solicitation, type 136 is Neighbor Advertisement. Only the `out`
# direction is exempted. Presumably this keeps address resolution working
# for the IPv6 selectors below; confirm against the test plan.
spdadd -6 ::/0 ::/0 icmp6 135,0 -P out none;
spdadd -6 ::/0 ::/0 icmp6 136,0 -P out none;
# Test 1: IPv4 + transport mode
# 10.9.8.3 <- transport mode IPSec -> 10.9.8.11
# Host2 view: traffic from 10.9.8.3 is inbound, traffic to it is outbound.
spdadd 10.9.8.3 10.9.8.11 any -P in ipsec esp/transport//default;
spdadd 10.9.8.11 10.9.8.3 any -P out ipsec esp/transport//default;
# Same SPIs and placeholder key as on Host1 (15701 = 0x3d55, 24501 = 0x5fb5);
# -E without -A, so ESP is unauthenticated. Test use only.
add 10.9.8.3 10.9.8.11 esp 15701 -m transport -E rijndael-cbc "1111111111111111" ;
add 10.9.8.11 10.9.8.3 esp 24501 -m transport -E rijndael-cbc "1111111111111111" ;
# Test 2: IPv4 + gif + transport mode
# 192.168.0.3 <- transport mode IPSec -> 192.168.0.11
# Host2 view: selectors are the gif1 inner addresses, directions swapped
# relative to Host1.
spdadd 192.168.0.3 192.168.0.11 any -P in ipsec esp/transport//default;
spdadd 192.168.0.11 192.168.0.3 any -P out ipsec esp/transport//default;
# Same SPIs and placeholder key as on Host1 (15702 = 0x3d56, 24502 = 0x5fb6);
# -E without -A, so ESP is unauthenticated. Test use only.
add 192.168.0.3 192.168.0.11 esp 15702 -m transport -E rijndael-cbc "1111111111111111" ;
add 192.168.0.11 192.168.0.3 esp 24502 -m transport -E rijndael-cbc "1111111111111111" ;
# Test 3: IPv6 + transport mode
# fc00::3 <- transport mode IPSec -> fc00::11
# Host2 view: directions swapped relative to Host1.
spdadd -6 fc00::3 fc00::11 any -P in ipsec esp/transport//default;
spdadd -6 fc00::11 fc00::3 any -P out ipsec esp/transport//default;
# Same SPIs and placeholder key as on Host1 (15703 = 0x3d57, 24503 = 0x5fb7);
# -E without -A, so ESP is unauthenticated. Test use only.
add -6 fc00::3 fc00::11 esp 15703 -m transport -E rijndael-cbc "1111111111111111" ;
add -6 fc00::11 fc00::3 esp 24503 -m transport -E rijndael-cbc "1111111111111111" ;
# Test 4: IPv6 LLA + transport mode
# fe80::3%em0 <- transport mode IPSec -> fe80::11%em0
# Host2 view: link-local selectors are scoped to this host's interface (em0),
# directions swapped relative to Host1.
spdadd -6 fe80::3%em0 fe80::11%em0 any -P in ipsec esp/transport//default;
spdadd -6 fe80::11%em0 fe80::3%em0 any -P out ipsec esp/transport//default;
# Same SPIs and placeholder key as on Host1 (15704 = 0x3d58, 24504 = 0x5fb8);
# -E without -A, so ESP is unauthenticated. Test use only.
add -6 fe80::3%em0 fe80::11%em0 esp 15704 -m transport -E rijndael-cbc "1111111111111111" ;
add -6 fe80::11%em0 fe80::3%em0 esp 24504 -m transport -E rijndael-cbc "1111111111111111" ;
# Test 5: IPv6 LLA + gif + transport mode
# fe80::1:3%gif1 <- transport mode IPSec -> fe80::1:11%gif1
# Host2 view: link-local selectors scoped to gif1, directions swapped
# relative to Host1.
spdadd -6 fe80::1:3%gif1 fe80::1:11%gif1 any -P in ipsec esp/transport//default;
spdadd -6 fe80::1:11%gif1 fe80::1:3%gif1 any -P out ipsec esp/transport//default;
# Same SPIs and placeholder key as on Host1 (15705 = 0x3d59, 24505 = 0x5fb9);
# -E without -A, so ESP is unauthenticated. Test use only.
add -6 fe80::1:3%gif1 fe80::1:11%gif1 esp 15705 -m transport -E rijndael-cbc "1111111111111111" ;
add -6 fe80::1:11%gif1 fe80::1:3%gif1 esp 24505 -m transport -E rijndael-cbc "1111111111111111" ;
# Test 6: IPv6 + gif + transport mode
# fc00:1::3 <- transport mode IPSec -> fc00:1::11
# Host2 view: selectors are the gif1 IPv6 addresses, directions swapped
# relative to Host1.
spdadd -6 fc00:1::3 fc00:1::11 any -P in ipsec esp/transport//default;
spdadd -6 fc00:1::11 fc00:1::3 any -P out ipsec esp/transport//default;
# Same SPIs and placeholder key as on Host1 (15706 = 0x3d5a, 24506 = 0x5fba);
# -E without -A, so ESP is unauthenticated. Test use only.
add -6 fc00:1::3 fc00:1::11 esp 15706 -m transport -E rijndael-cbc "1111111111111111" ;
add -6 fc00:1::11 fc00:1::3 esp 24506 -m transport -E rijndael-cbc "1111111111111111" ;
# Test 7: IPv4 tunnel mode 10.9.11.3 <-> 10.9.11.11
# 10.9.10.3 <- tunnel mode IPSec -> 10.9.10.11
# fc00:10::3 <- -> fc00:10::11
# Host2 view: IPv4 and IPv6 selectors share one IPv4 tunnel; directions
# swapped relative to Host1, tunnel endpoint order follows packet direction.
spdadd 10.9.10.3 10.9.10.11 any -P in ipsec esp/tunnel/10.9.11.3-10.9.11.11/default;
spdadd 10.9.10.11 10.9.10.3 any -P out ipsec esp/tunnel/10.9.11.11-10.9.11.3/default;
spdadd -6 fc00:10::3 fc00:10::11 any -P in ipsec esp/tunnel/10.9.11.3-10.9.11.11/default;
spdadd -6 fc00:10::11 fc00:10::3 any -P out ipsec esp/tunnel/10.9.11.11-10.9.11.3/default;
# Same SPIs and placeholder key as on Host1 (15707 = 0x3d5b, 24507 = 0x5fbb);
# -E without -A, so ESP is unauthenticated. Test use only.
add 10.9.11.3 10.9.11.11 esp 15707 -m tunnel -E rijndael-cbc "1111111111111111" ;
add 10.9.11.11 10.9.11.3 esp 24507 -m tunnel -E rijndael-cbc "1111111111111111" ;
# Test 8: IPv6 tunnel mode fc00:11::3 <-> fc00:11::11
# 10.9.12.3 <- tunnel mode IPSec -> 10.9.12.11
# fc00:12::3 <- -> fc00:12::11
# Host2 view: IPv4 and IPv6 selectors share one IPv6 tunnel; directions
# swapped relative to Host1.
spdadd 10.9.12.3 10.9.12.11 any -P in ipsec esp/tunnel/fc00:11::3-fc00:11::11/default;
spdadd 10.9.12.11 10.9.12.3 any -P out ipsec esp/tunnel/fc00:11::11-fc00:11::3/default;
spdadd -6 fc00:12::3 fc00:12::11 any -P in ipsec esp/tunnel/fc00:11::3-fc00:11::11/default;
spdadd -6 fc00:12::11 fc00:12::3 any -P out ipsec esp/tunnel/fc00:11::11-fc00:11::3/default;
# Same SPIs and placeholder key as on Host1 (15708 = 0x3d5c, 24508 = 0x5fbc);
# -E without -A, so ESP is unauthenticated. Test use only.
add -6 fc00:11::3 fc00:11::11 esp 15708 -m tunnel -E rijndael-cbc "1111111111111111" ;
add -6 fc00:11::11 fc00:11::3 esp 24508 -m tunnel -E rijndael-cbc "1111111111111111" ;
# Test 9: IPv6 tunnel mode + LLA fe80::11:3 <-> fe80::11:11
# 10.9.13.3 <- tunnel mode IPSec -> 10.9.13.11
# fc00:13::3 <- -> fc00:13::11
# Host2 view: tunnel endpoints are link-local addresses scoped to this
# host's interface (em0); directions swapped relative to Host1.
spdadd 10.9.13.3 10.9.13.11 any -P in ipsec esp/tunnel/fe80::11:3%em0-fe80::11:11%em0/default;
spdadd 10.9.13.11 10.9.13.3 any -P out ipsec esp/tunnel/fe80::11:11%em0-fe80::11:3%em0/default;
spdadd -6 fc00:13::3 fc00:13::11 any -P in ipsec esp/tunnel/fe80::11:3%em0-fe80::11:11%em0/default;
spdadd -6 fc00:13::11 fc00:13::3 any -P out ipsec esp/tunnel/fe80::11:11%em0-fe80::11:3%em0/default;
# Same SPIs and placeholder key as on Host1 (15709 = 0x3d5d, 24509 = 0x5fbd);
# -E without -A, so ESP is unauthenticated. Test use only.
add -6 fe80::11:3%em0 fe80::11:11%em0 esp 15709 -m tunnel -E rijndael-cbc "1111111111111111" ;
add -6 fe80::11:11%em0 fe80::11:3%em0 esp 24509 -m tunnel -E rijndael-cbc "1111111111111111" ;
# Test 10: IPv4 tunnel mode + gif 10.9.14.3 <-> 10.9.14.11
# 10.9.14.3 <- tunnel mode IPSec -> 10.9.14.11
# 192.168.1.3 <- -> 192.168.1.11
# fc00:14::3 <- -> fc00:14::11
# Host2 view: three selector pairs (tunnel endpoint addresses, gif3 IPv4
# inner, gif3 IPv6 inner) map to one tunnel; directions swapped relative
# to Host1.
spdadd 10.9.14.3 10.9.14.11 any -P in ipsec esp/tunnel/10.9.14.3-10.9.14.11/default;
spdadd 10.9.14.11 10.9.14.3 any -P out ipsec esp/tunnel/10.9.14.11-10.9.14.3/default;
spdadd 192.168.1.3 192.168.1.11 any -P in ipsec esp/tunnel/10.9.14.3-10.9.14.11/default;
spdadd 192.168.1.11 192.168.1.3 any -P out ipsec esp/tunnel/10.9.14.11-10.9.14.3/default;
spdadd -6 fc00:14::3 fc00:14::11 any -P in ipsec esp/tunnel/10.9.14.3-10.9.14.11/default;
spdadd -6 fc00:14::11 fc00:14::3 any -P out ipsec esp/tunnel/10.9.14.11-10.9.14.3/default;
# Same SPIs and placeholder key as on Host1 (15710 = 0x3d5e, 24510 = 0x5fbe);
# -E without -A, so ESP is unauthenticated. Test use only.
add 10.9.14.3 10.9.14.11 esp 15710 -m tunnel -E rijndael-cbc "1111111111111111" ;
add 10.9.14.11 10.9.14.3 esp 24510 -m tunnel -E rijndael-cbc "1111111111111111" ;