How to use IPsec on Linux (both ends on the same machine, with manually keyed SAs)
1. Create the IPsec configuration files:
root@vosges:/home/wwerapun/Desktop# cat ipsec.conf.esp.1
flush;
spdflush;
add 147.127.240.91 127.0.0.1 esp 2000 -E 3des-cbc "12341234abcdabcd12341234" -A hmac-sha1 "kamekamekamekamekame";
add 127.0.0.1 147.127.240.91 esp 2001 -E 3des-cbc "12341234abcdabcd12341234" -A hmac-sha1 "kamekamekamekamekame";
spdadd 147.127.240.91 127.0.0.1 any -P in ipsec esp/transport//require;
spdadd 127.0.0.1 147.127.240.91 any -P out ipsec esp/transport//require;
root@vosges:/home/wwerapun/Desktop# cat ipsec.conf.esp.2
flush;
spdflush;
add 147.127.240.91 127.0.0.1 esp 2000 -E 3des-cbc "12341234abcdabcd12341234" -A hmac-sha1 "kamekamekamekamekame";
add 127.0.0.1 147.127.240.91 esp 2001 -E 3des-cbc "12341234abcdabcd12341234" -A hmac-sha1 "kamekamekamekamekame";
spdadd 147.127.240.91 127.0.0.1 any -P out ipsec esp/transport//require;
spdadd 127.0.0.1 147.127.240.91 any -P in ipsec esp/transport//require;
--------------- Description ---------------------
flush = delete all existing SAs (security associations)
spdflush = delete all existing SPD (security policy database) entries
add = add an SA. An SA is uni-directional, so you need two of them, one per direction.
2000 = SPI. Any 32-bit value above 255 works (0-255 are reserved), but both ends must use the same SPI for the same SA, because the receiver looks up the SA by SPI. Here 2000 is the 147.127.240.91 -> 127.0.0.1 SA and 2001 the reverse one.
-E 3des-cbc "..." / -A hmac-sha1 "..." = the encryption and authentication keys. A double-quoted string is taken as the raw key bytes (24 bytes for 3des-cbc, 20 bytes for hmac-sha1); a 0x-prefixed hex string is also accepted. Readable ASCII keys like these are for the lab only.
spdadd = add an SPD entry; any = apply to any protocol; esp/transport//require = ESP in transport mode is mandatory for matching packets.
notice that => the policy direction is seen from this host:
"out" = packet leaving this host from 147.127.240.91 to 127.0.0.1
"in" = packet entering this host from 147.127.240.91 to 127.0.0.1
Because both ends are the same machine, every packet is first "out" and then "in", so the full set-up needs an out and an in policy for each address pair (four entries in total); file 1 holds two of them and file 2 the other two.
2. Tell Linux to use IPsec by loading the files with the setkey command:
root@vosges:/home/wwerapun/Desktop# setkey -f ipsec.conf.esp.1
root@vosges:/home/wwerapun/Desktop# setkey -f ipsec.conf.esp.2
Note that each file starts with flush; and spdflush;, so loading the second file deletes everything the first one installed: afterwards only the SAs (identical in both files) and the two policies from ipsec.conf.esp.2 remain, which is consistent with the setkey -PD output in step 3. The test in step 4 still works because the "out" policy for 147.127.240.91 -> 127.0.0.1 is what triggers the ESP encapsulation; the missing "in ... require" policy only means this host would also accept unprotected packets for that pair. To keep all four policies, drop the flush lines from the second file or merge both files into one.
3. Check the result:
root@vosges:/home/wwerapun/Desktop# setkey -D
127.0.0.1 147.127.240.91
esp mode=transport spi=2001(0x000007d1) reqid=0(0x00000000)
E: 3des-cbc 31323334 31323334 61626364 61626364 31323334 31323334
A: hmac-sha1 6b616d65 6b616d65 6b616d65 6b616d65 6b616d65
....
root@vosges:/home/wwerapun/Desktop# setkey -PD
127.0.0.1[any] 147.127.240.91[any] any
in ipsec
esp/transport//require
created: Jun 24 14:53:38 2009 lastused:
lifetime: 0(s) validtime: 0(s)
4. Test it: run tcpdump in one terminal and ping in another:
root@vosges:/home/wwerapun/Desktop# tcpdump src 147.127.240.91
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
wwerapun@vosges:~$ ping -I eth0 127.0.0.1
The result should look like this. The ESP lines are the encrypted pings (spi=0x000007d0 is SPI 2000, the 147.127.240.91 -> 127.0.0.1 SA, and seq increments per packet); the PTR? lines are tcpdump's own reverse-DNS lookups, which tcpdump -n suppresses:
root@vosges:/home/wwerapun/Desktop# tcpdump src 147.127.240.91
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
15:46:01.811793 IP vosges.enseeiht.fr > localhost: ESP(spi=0x000007d0,seq=0xe), length 100
15:46:01.812070 IP vosges.enseeiht.fr.38577 > aquitaine.enseeiht.fr.domain: 27037+ PTR? 91.240.127.147.in-addr.arpa. (45)
15:46:01.813388 IP vosges.enseeiht.fr.60957 > aquitaine.enseeiht.fr.domain: 21218+ PTR? 123.80.127.147.in-addr.arpa. (45)
15:46:02.812633 IP vosges.enseeiht.fr > localhost: ESP(spi=0x000007d0,seq=0xf), length 100
15:46:03.823621 IP vosges.enseeiht.fr > localhost: ESP(spi=0x000007d0,seq=0x10), length 100
15:46:06.810131 arp reply vosges.enseeiht.fr is-at 00:22:19:12:0a:4b (oui Unknown)
...
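The following helper is an added example, not one of the page's own files. It puts the whole procedure above into one setkey -f file (both SAs and all four transport-mode policies behind a single flush;/spdflush;, so nothing gets flushed away by a second file), and it reads the key lines that setkey -D prints back so you can check them. Run against the page's own dump, it shows that the 3DES key "12341234abcdabcd12341234" has K1 == K3, i.e. it is two-key 3DES. The function names, the aes-cbc/hmac-sha256 entries in the key-length tables and the same_host switch are assumptions of this example; the addresses, SPIs, algorithms and keys are the page's.

```python
"""Added example for manually keyed IPsec with setkey(8): build one
ipsec.conf that carries both SAs and every needed policy, and sanity-check
the keys that `setkey -D` prints. Not the page's own tooling."""
import re
import secrets

# Key sizes in bytes that setkey expects for these algorithms
# (3des-cbc: 192-bit key; aes-cbc: 128/192/256; hmac-sha1: 160; hmac-sha256: 256).
ENC_KEY_LEN = {"3des-cbc": (24,), "aes-cbc": (16, 24, 32)}
AUTH_KEY_LEN = {"hmac-sha1": (20,), "hmac-sha256": (32,)}


def parse_setkey_key(line):
    """Turn a key line from `setkey -D`, e.g.
    'E: 3des-cbc 31323334 31323334 ...', back into (algorithm, key bytes)."""
    m = re.match(r"([EA]):\s+(\S+)\s+([0-9a-fA-F ]+)$", line.strip())
    if not m:
        raise ValueError("not a setkey key line: %r" % line)
    return m.group(2), bytes.fromhex(m.group(3).replace(" ", ""))


def des3_key_structure(key):
    """Classify a 24-byte 3DES (EDE) key by comparing its three 8-byte parts.
    K1 == K2 or K2 == K3 collapses EDE to single DES; K1 == K3 is two-key
    3DES; only three distinct parts give the full three-key construction."""
    if len(key) != 24:
        raise ValueError("3des-cbc key must be exactly 24 bytes")
    k1, k2, k3 = key[:8], key[8:16], key[16:]
    if k1 == k2 or k2 == k3:
        return "single-DES"
    if k1 == k3:
        return "two-key"
    return "three-key"


def random_key(nbytes):
    """Fresh random key in the 0x<hex> form setkey accepts instead of a quoted string."""
    return "0x" + secrets.token_hex(nbytes)


def _check_key(hexkey, allowed, what):
    """Reject keys that are not 0x-hex or not a length the algorithm accepts."""
    if not hexkey.startswith("0x"):
        raise ValueError("%s key must be given as 0x<hex>" % what)
    raw = bytes.fromhex(hexkey[2:])
    if len(raw) not in allowed:
        raise ValueError("%s key is %d bytes, expected one of %s" % (what, len(raw), allowed))
    return raw


def build_conf(local, peer, spi_local_to_peer, spi_peer_to_local,
               enc="3des-cbc", enc_key=None, auth="hmac-sha1", auth_key=None,
               same_host=True):
    """Return the text of one setkey -f file. With same_host=True (the page's
    loopback set-up) every packet is both 'out' and 'in' on this host, so each
    address pair gets both policies; with two real hosts only the out policy
    for local->peer and the in policy for peer->local are installed."""
    for spi in (spi_local_to_peer, spi_peer_to_local):
        if not 256 <= spi < 2 ** 32:  # SPI values 0-255 are reserved
            raise ValueError("SPI %r out of range" % spi)
    enc_key = enc_key or random_key(ENC_KEY_LEN[enc][0])
    auth_key = auth_key or random_key(AUTH_KEY_LEN[auth][0])
    _check_key(enc_key, ENC_KEY_LEN[enc], enc)
    _check_key(auth_key, AUTH_KEY_LEN[auth], auth)
    keys = "-E %s %s -A %s %s" % (enc, enc_key, auth, auth_key)
    lines = [
        "flush;", "spdflush;",
        "add %s %s esp %d %s;" % (local, peer, spi_local_to_peer, keys),
        "add %s %s esp %d %s;" % (peer, local, spi_peer_to_local, keys),
    ]
    policies = [(local, peer, "out"), (peer, local, "in")]
    if same_host:
        policies += [(local, peer, "in"), (peer, local, "out")]
    for src, dst, direction in policies:
        lines.append("spdadd %s %s any -P %s ipsec esp/transport//require;" % (src, dst, direction))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # The encryption key line exactly as the page's `setkey -D` printed it.
    alg, key = parse_setkey_key(
        "E: 3des-cbc 31323334 31323334 61626364 61626364 31323334 31323334")
    print(alg, key, des3_key_structure(key))  # K1 == K3 -> two-key 3DES
    # Merged replacement for ipsec.conf.esp.1 + ipsec.conf.esp.2 with fresh keys.
    print(build_conf("147.127.240.91", "127.0.0.1", 2000, 2001))
```

Write the output to a file and load it with `setkey -f` as in step 2. Manual keying like this never rekeys, and anyone who can run `setkey -D` sees the keys in full, so it is a lab tool; for anything beyond that, let an IKE daemon negotiate the SAs.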