IPSec¶
Main article
General syntax:
State (Security Association):
- Base:
ip xfrm state - Operation:
add/delete - ID:
src $SRC dst $DST proto esp spi $ID - Request ID:
reqid $ID - Mode:
mode transport/mode tunnel - Action / Algorithms:
auth sha256 $KEY1 enc aes $KEY2/aead 'rfc4106(gcm(aes))' $KEY 128
Policy (Security Policy):
- Base:
ip xfrm policy - Operation:
add/delete - ID:
src $SRC dst $DSTdir out/dir in(ordir fwd) - Action (Template):
tmplsrc $SRC dst $DST proto espreqid $IDmode transport/mode tunnel
Example:
Start script
ip xfrm state add src $SRC dst $DST proto esp spi $ID reqid $ID mode transport auth sha256 $KEY1 enc aes $KEY2
ip xfrm state add src $DST dst $SRC proto esp spi $ID reqid $ID mode transport auth sha256 $KEY1 enc aes $KEY2
ip xfrm policy add src $SRC dst $DST dir out tmpl src $SRC dst $DST proto esp reqid $ID mode transport
ip xfrm policy add src $DST dst $SRC dir in tmpl src $DST dst $SRC proto esp reqid $ID mode transport
Stop script
ip xfrm state delete src $SRC dst $DST proto esp spi $ID
ip xfrm state delete src $DST dst $SRC proto esp spi $ID
ip xfrm policy delete src $SRC dst $DST proto gre dir out
ip xfrm policy delete src $DST dst $SRC proto gre dir in
Miscellaneous¶
When running IPIP tunnel (protocol 4) or SIT tunnel (protocol 41) over IPSec transport mode, the wire protocol is compatible with IPSec tunnel mode. This compatibility doesn't play well with IKE, though.