ep1.cfg revision 6b3e017e
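###########################################################################
#   IPSEC-SECGW Endpoint1 sample configuration
#
#   The main purpose of this file is to show how to configure two systems
#   back-to-back that would forward traffic through an IPsec tunnel. This
#   file is the Endpoint1 configuration. To use this configuration file,
#   add the following command-line option:
#
#       -f ./ep1.cfg
#
#   Notes on the entries below. Comments in this file are full-line '#'
#   lines only; a trailing '\' continues a statement on the next line, so
#   no comment is placed inside a continued statement.
#     sp  - security policy. "protect <id>" selects the sa entry of the
#           same direction and id; "bypass" forwards matching traffic
#           without ESP and has no sa entry.
#     sa  - security association. <id> is the SPI. Keys are hex bytes
#           separated by ':'; cipher_key is 16 bytes for aes-128-cbc and
#           auth_key is 20 bytes for sha1-hmac.
#     rt  - route: destination prefix -> output port.
###########################################################################

#SP IPv4 rules
# Inbound ids: 5/6 -> ipv4-tunnel SAs, 10/11 -> transport SAs,
# 15/16 -> null-cipher/null-auth SAs, 25/26 -> ipv6-tunnel SAs.
sp ipv4 in esp protect 5 pri 1 dst 192.168.105.0/24 sport 0:65535 dport 0:65535
sp ipv4 in esp protect 6 pri 1 dst 192.168.106.0/24 sport 0:65535 dport 0:65535
sp ipv4 in esp protect 10 pri 1 dst 192.168.175.0/24 sport 0:65535 dport 0:65535
sp ipv4 in esp protect 11 pri 1 dst 192.168.176.0/24 sport 0:65535 dport 0:65535
sp ipv4 in esp protect 15 pri 1 dst 192.168.200.0/24 sport 0:65535 dport 0:65535
sp ipv4 in esp protect 16 pri 1 dst 192.168.201.0/24 sport 0:65535 dport 0:65535
sp ipv4 in esp protect 25 pri 1 dst 192.168.55.0/24 sport 0:65535 dport 0:65535
sp ipv4 in esp protect 26 pri 1 dst 192.168.56.0/24 sport 0:65535 dport 0:65535
sp ipv4 in esp bypass dst 192.168.240.0/24 sport 0:65535 dport 0:65535
sp ipv4 in esp bypass dst 192.168.241.0/24 sport 0:65535 dport 0:65535

# Outbound ids mirror the inbound ones with +100. Each policy is listed
# once; a repeated identical line would only install the same ACL rule twice.
sp ipv4 out esp protect 105 pri 1 dst 192.168.115.0/24 sport 0:65535 dport 0:65535
sp ipv4 out esp protect 106 pri 1 dst 192.168.116.0/24 sport 0:65535 dport 0:65535
sp ipv4 out esp protect 110 pri 1 dst 192.168.185.0/24 sport 0:65535 dport 0:65535
sp ipv4 out esp protect 111 pri 1 dst 192.168.186.0/24 sport 0:65535 dport 0:65535
sp ipv4 out esp protect 115 pri 1 dst 192.168.210.0/24 sport 0:65535 dport 0:65535
sp ipv4 out esp protect 116 pri 1 dst 192.168.211.0/24 sport 0:65535 dport 0:65535
sp ipv4 out esp protect 125 pri 1 dst 192.168.65.0/24 sport 0:65535 dport 0:65535
sp ipv4 out esp protect 126 pri 1 dst 192.168.66.0/24 sport 0:65535 dport 0:65535
sp ipv4 out esp bypass pri 1 dst 192.168.245.0/24 sport 0:65535 dport 0:65535
sp ipv4 out esp bypass pri 1 dst 192.168.246.0/24 sport 0:65535 dport 0:65535

#SP IPv6 rules
# The inbound rules reuse SAs 5/6, 10/11 and 25/26 from the IPv4 section.
sp ipv6 in esp protect 5 pri 1 dst 0000:0000:0000:0000:5555:5555:0000:0000/96 \
sport 0:65535 dport 0:65535
sp ipv6 in esp protect 6 pri 1 dst 0000:0000:0000:0000:6666:6666:0000:0000/96 \
sport 0:65535 dport 0:65535
sp ipv6 in esp protect 10 pri 1 dst 0000:0000:1111:1111:0000:0000:0000:0000/96 \
sport 0:65535 dport 0:65535
sp ipv6 in esp protect 11 pri 1 dst 0000:0000:1111:1111:1111:1111:0000:0000/96 \
sport 0:65535 dport 0:65535
sp ipv6 in esp protect 25 pri 1 dst 0000:0000:0000:0000:aaaa:aaaa:0000:0000/96 \
sport 0:65535 dport 0:65535
sp ipv6 in esp protect 26 pri 1 dst 0000:0000:0000:0000:bbbb:bbbb:0000:0000/96 \
sport 0:65535 dport 0:65535

# NOTE(review): the outbound ids 15 and 16 below have no matching "sa out"
# entry in this file (outbound SAs defined are 105, 106, 110, 111, 115, 116,
# 125, 126); only inbound SAs 15/16 exist. They look like they should be
# 115/116 to pair with "sa out 115/116" -- confirm against the peer
# endpoint's configuration before changing.
sp ipv6 out esp protect 15 pri 1 dst ffff:0000:0000:0000:5555:5555:0000:0000/96 \
sport 0:65535 dport 0:65535
sp ipv6 out esp protect 16 pri 1 dst ffff:0000:0000:0000:6666:6666:0000:0000/96 \
sport 0:65535 dport 0:65535
sp ipv6 out esp protect 110 pri 1 dst ffff:0000:1111:1111:0000:0000:0000:0000/96 \
sport 0:65535 dport 0:65535
sp ipv6 out esp protect 111 pri 1 dst ffff:0000:1111:1111:1111:1111:0000:0000/96 \
sport 0:65535 dport 0:65535
sp ipv6 out esp protect 125 pri 1 dst ffff:0000:0000:0000:aaaa:aaaa:0000:0000/96 \
sport 0:65535 dport 0:65535
sp ipv6 out esp protect 126 pri 1 dst ffff:0000:0000:0000:bbbb:bbbb:0000:0000/96 \
sport 0:65535 dport 0:65535

#SA rules
# Key material: every cipher_key/auth_key in this file is a fixed
# repeating-byte pattern (all zeros for SA 5/105). They are sample
# placeholders for a back-to-back lab setup; a deployed configuration needs
# a unique, randomly generated key per SA.
# SAs 15/16 and 115/116 use cipher_algo null / auth_algo null: ESP
# encapsulation with no confidentiality and no integrity protection.
# Inbound SAs 10/11 and outbound SAs 110/111 are transport mode and are
# referenced by both the IPv4 and the IPv6 SP rules.
sa in 5 cipher_algo aes-128-cbc cipher_key 0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0 \
auth_algo sha1-hmac auth_key 0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0 \
mode ipv4-tunnel src 172.16.1.5 dst 172.16.2.5

sa in 6 cipher_algo aes-128-cbc cipher_key a0:a0:a0:a0:a0:a0:a0:a0:a0:a0:a0:\
a0:a0:a0:a0:a0 auth_algo sha1-hmac auth_key a0:a0:a0:a0:a0:a0:a0:a0:a0:a0:a0:\
a0:a0:a0:a0:a0:a0:a0:a0:a0 mode ipv4-tunnel src 172.16.1.6 dst 172.16.2.6

sa in 10 cipher_algo aes-128-cbc cipher_key a1:a1:a1:a1:a1:a1:a1:a1:a1:a1:a1:\
a1:a1:a1:a1:a1 auth_algo sha1-hmac auth_key a1:a1:a1:a1:a1:a1:a1:a1:a1:a1:a1:\
a1:a1:a1:a1:a1:a1:a1:a1:a1 mode transport

sa in 11 cipher_algo aes-128-cbc cipher_key b2:b2:b2:b2:b2:b2:b2:b2:b2:b2:b2:\
b2:b2:b2:b2:b2 auth_algo sha1-hmac auth_key b2:b2:b2:b2:b2:b2:b2:b2:b2:b2:b2:\
b2:b2:b2:b2:b2:b2:b2:b2:b2 mode transport

sa in 15 cipher_algo null auth_algo null mode ipv4-tunnel src 172.16.1.5 \
dst 172.16.2.5

sa in 16 cipher_algo null auth_algo null mode ipv4-tunnel src 172.16.1.6 \
dst 172.16.2.6

sa in 25 cipher_algo aes-128-cbc cipher_key c3:c3:c3:c3:c3:c3:c3:c3:c3:c3:c3:\
c3:c3:c3:c3:c3 auth_algo sha1-hmac auth_key c3:c3:c3:c3:c3:c3:c3:c3:c3:c3:c3:\
c3:c3:c3:c3:c3:c3:c3:c3:c3 mode ipv6-tunnel \
src 1111:1111:1111:1111:1111:1111:1111:5555 \
dst 2222:2222:2222:2222:2222:2222:2222:5555

sa in 26 cipher_algo aes-128-cbc cipher_key 4d:4d:4d:4d:4d:4d:4d:4d:4d:4d:4d:\
4d:4d:4d:4d:4d auth_algo sha1-hmac auth_key 4d:4d:4d:4d:4d:4d:4d:4d:4d:4d:4d:\
4d:4d:4d:4d:4d:4d:4d:4d:4d mode ipv6-tunnel \
src 1111:1111:1111:1111:1111:1111:1111:6666 \
dst 2222:2222:2222:2222:2222:2222:2222:6666

# Outbound SAs use the same keys as the inbound SA with id-100, with the
# tunnel src/dst swapped.
sa out 105 cipher_algo aes-128-cbc cipher_key 0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0 \
auth_algo sha1-hmac auth_key 0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0 \
mode ipv4-tunnel src 172.16.2.5 dst 172.16.1.5

sa out 106 cipher_algo aes-128-cbc cipher_key a0:a0:a0:a0:a0:a0:a0:a0:a0:a0:a0:\
a0:a0:a0:a0:a0 auth_algo sha1-hmac auth_key a0:a0:a0:a0:a0:a0:a0:a0:a0:a0:a0:\
a0:a0:a0:a0:a0:a0:a0:a0:a0 mode ipv4-tunnel src 172.16.2.6 dst 172.16.1.6

sa out 110 cipher_algo aes-128-cbc cipher_key a1:a1:a1:a1:a1:a1:a1:a1:a1:a1:a1:\
a1:a1:a1:a1:a1 auth_algo sha1-hmac auth_key a1:a1:a1:a1:a1:a1:a1:a1:a1:a1:a1:\
a1:a1:a1:a1:a1:a1:a1:a1:a1 mode transport

sa out 111 cipher_algo aes-128-cbc cipher_key b2:b2:b2:b2:b2:b2:b2:b2:b2:b2:b2:\
b2:b2:b2:b2:b2 auth_algo sha1-hmac auth_key b2:b2:b2:b2:b2:b2:b2:b2:b2:b2:b2:\
b2:b2:b2:b2:b2:b2:b2:b2:b2 mode transport

sa out 115 cipher_algo null auth_algo null mode ipv4-tunnel src 172.16.2.5 \
dst 172.16.1.5

sa out 116 cipher_algo null auth_algo null mode ipv4-tunnel src 172.16.2.6 \
dst 172.16.1.6

sa out 125 cipher_algo aes-128-cbc cipher_key c3:c3:c3:c3:c3:c3:c3:c3:c3:c3:c3:\
c3:c3:c3:c3:c3 auth_algo sha1-hmac auth_key c3:c3:c3:c3:c3:c3:c3:c3:c3:c3:c3:\
c3:c3:c3:c3:c3:c3:c3:c3:c3 mode ipv6-tunnel \
src 2222:2222:2222:2222:2222:2222:2222:5555 \
dst 1111:1111:1111:1111:1111:1111:1111:5555

sa out 126 cipher_algo aes-128-cbc cipher_key 4d:4d:4d:4d:4d:4d:4d:4d:4d:4d:4d:\
4d:4d:4d:4d:4d auth_algo sha1-hmac auth_key 4d:4d:4d:4d:4d:4d:4d:4d:4d:4d:4d:\
4d:4d:4d:4d:4d:4d:4d:4d:4d mode ipv6-tunnel \
src 2222:2222:2222:2222:2222:2222:2222:6666 \
dst 1111:1111:1111:1111:1111:1111:1111:6666

#Routing rules
# Ports 0/1 carry the tunnel endpoints 172.16.1.5/.6, the destinations of
# the outbound transport-mode policies (110/111) and the outbound bypass
# prefixes. Ports 2/3 carry the prefixes matched by the inbound policies.
rt ipv4 dst 172.16.1.5/32 port 0
rt ipv4 dst 172.16.1.6/32 port 1
rt ipv4 dst 192.168.185.0/24 port 0
rt ipv4 dst 192.168.186.0/24 port 1
rt ipv4 dst 192.168.245.0/24 port 0
rt ipv4 dst 192.168.246.0/24 port 1
rt ipv4 dst 192.168.105.0/24 port 2
rt ipv4 dst 192.168.106.0/24 port 3
rt ipv4 dst 192.168.55.0/24 port 2
rt ipv4 dst 192.168.56.0/24 port 3
rt ipv4 dst 192.168.175.0/24 port 2
rt ipv4 dst 192.168.176.0/24 port 3
rt ipv4 dst 192.168.200.0/24 port 2
rt ipv4 dst 192.168.201.0/24 port 3
rt ipv4 dst 192.168.240.0/24 port 2
rt ipv4 dst 192.168.241.0/24 port 3

# Same split for IPv6: tunnel endpoints and outbound transport-mode
# destinations on ports 0/1, inbound-policy prefixes on ports 2/3.
rt ipv6 dst 1111:1111:1111:1111:1111:1111:1111:5555/116 port 0
rt ipv6 dst 1111:1111:1111:1111:1111:1111:1111:6666/116 port 1
rt ipv6 dst ffff:0000:1111:1111:0000:0000:0000:0000/116 port 0
rt ipv6 dst ffff:0000:1111:1111:1111:1111:0000:0000/116 port 1
rt ipv6 dst 0000:0000:0000:0000:aaaa:aaaa:0000:0000/116 port 2
rt ipv6 dst 0000:0000:0000:0000:bbbb:bbbb:0000:0000/116 port 3
rt ipv6 dst 0000:0000:0000:0000:5555:5555:0000:0000/116 port 2
rt ipv6 dst 0000:0000:0000:0000:6666:6666:0000:0000/116 port 3
rt ipv6 dst 0000:0000:1111:1111:0000:0000:0000:0000/116 port 2
rt ipv6 dst 0000:0000:1111:1111:1111:1111:0000:0000/116 port 3
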
161