//
// $Name: V6PC_IKE_1_0_1 $
//
// $TAHI: ct/ike/ike_ipsec.def,v 1.37.4.2 2005/11/22 01:59:39 ozoe Exp $
//
////////////////////////////////////////////////////////////////////////
//
// IPsec packet definitions shared by the IKE conformance tests.
//
// This file is run through the C preprocessor before the packet-definition
// parser sees it, so the #ifndef guards below let an including test override
// every default (header template, SPI, sequence number, algorithm, key
// material, next header) by defining the macro first.  Everything is wrapped
// in PACKET_IPSEC_DEF so the file can be included more than once.
//
// Contents:
//   - default macro values (IPSEC_ALGO, IPSEC_SPI_VALUE, ...)
//   - ESP / AH header templates (transport and tunnel variants)
//   - default key material and the ESP / AH algorithm definitions
//   - IPv6 packet templates for the tunnel-mode and end-node-vs-SGW tests
//   - transport-mode templates, pulled in from a per-upper-layer include
//
#ifdef PACKET_IPSEC_DEF
//====================================================================
// Default selections.  Each one is only a fallback; the including test is
// expected to #define its own value before including this file.
#ifndef IPSEC_ALGO
#define IPSEC_ALGO EALGO_ESP_3DES_HMAC_SHA
#endif
// Second-SA variant of the algorithm (used by hdr_esp2 / EALGO_*2 below).
#ifndef IPSEC_ALGO2
#define IPSEC_ALGO2 EALGO_ESP_3DES_HMAC_SHA
#endif
// Extension-header template inserted by the FEM_hdr_ipv6_exth packets below.
#ifndef IPSEC_HDR_TYPE
#define IPSEC_HDR_TYPE hdr_esp
#endif
#ifndef IPSEC_HDR_TYPE2
#define IPSEC_HDR_TYPE2 hdr_esp2
#endif
#ifndef IPSECAH_HDR_TYPE
#define IPSECAH_HDR_TYPE hdr_ah
#endif
#ifndef IPSEC_HDR_TYPE_TUNNEL
#define IPSEC_HDR_TYPE_TUNNEL hdr_esp_tunnel
#endif
#ifndef IPSECAH_HDR_TYPE_TUNNEL
#define IPSECAH_HDR_TYPE_TUNNEL hdr_ah_tunnel
#endif
// "any" is presumably the wildcard value of this DSL (match any SPI /
// sequence number when receiving) -- confirm against the parser.
#ifndef IPSEC_SPI_VALUE
#define IPSEC_SPI_VALUE any
#endif
#ifndef IPSEC_SPI_VALUE2
#define IPSEC_SPI_VALUE2 any
#endif
#ifndef IPSEC_SEQ_NUMBER
#define IPSEC_SEQ_NUMBER any
#endif
// Protocol carried inside the transport-mode ESP/AH header:
// 6 = TCP, 58 = ICMPv6 (IANA protocol numbers).
#ifndef IPSEC_NEXT_HEADER
#ifdef PACKET_IPSEC_TCP
#define IPSEC_NEXT_HEADER 6
#else
#define IPSEC_NEXT_HEADER 58
#endif //PACKET_IPSEC_TCP
#endif //IPSEC_NEXT_HEADER

//--------------------------------------------------------------------
// ESP / AH header templates.
// The *_tunnel variants hard-code NextHeader = 41 (IPv6 encapsulated in
// IPv6), i.e. tunnel mode; the others carry the transport-mode upper layer.
//--------------------------------------------------------------------

// Transport-mode ESP header for the primary SA.
Hdr_ESP hdr_esp {
    SPI = IPSEC_SPI_VALUE;
    SequenceNumber = IPSEC_SEQ_NUMBER;
    algorithm = IPSEC_ALGO;
    NextHeader = IPSEC_NEXT_HEADER;
}

// Transport-mode ESP header for a second SA (own SPI, algorithm and keys);
// presumably used where a test needs two SAs, e.g. after a rekey -- confirm.
Hdr_ESP hdr_esp2 {
    SPI = IPSEC_SPI_VALUE2;
    SequenceNumber = IPSEC_SEQ_NUMBER;
    algorithm = IPSEC_ALGO2;
    NextHeader = IPSEC_NEXT_HEADER;
}

// Tunnel-mode ESP header: the payload is a complete IPv6 packet.
Hdr_ESP hdr_esp_tunnel {
    SPI = IPSEC_SPI_VALUE;
    SequenceNumber = IPSEC_SEQ_NUMBER;
    algorithm = IPSEC_ALGO;
    NextHeader = 41;
}

// Transport-mode AH header.  NOTE(review): algorithm is IPSEC_ALGO, whose
// default is an ESPAlgorithm; the including test presumably redefines
// IPSEC_ALGO to an AHAlgorithm (AALGO_AH_*) when this header is used -- confirm.
Hdr_AH hdr_ah {
    SPI = IPSEC_SPI_VALUE;
    SequenceNumber = IPSEC_SEQ_NUMBER;
    algorithm = IPSEC_ALGO;
    NextHeader = IPSEC_NEXT_HEADER;
}

// Tunnel-mode AH header (payload is a complete IPv6 packet).
Hdr_AH hdr_ah_tunnel {
    SPI = IPSEC_SPI_VALUE;
    SequenceNumber = IPSEC_SEQ_NUMBER;
    algorithm = IPSEC_ALGO;
    NextHeader = 41;
}

//====================================================================
// Default key material.
// These all-zero strings are placeholders only: the real keys are expected
// to come from the including test (the #ifndef guards allow that).  Lengths:
// 48 hex digits = 24 bytes (3DES), 40 hex digits = 20 bytes (HMAC-SHA1);
// the DES / HMAC-MD5 algorithms below take a prefix of these via hexstr().
#ifndef IPSEC_ENC_KEY
#define IPSEC_ENC_KEY \
    "000000000000000000000000000000000000000000000000"
#endif // IPSEC_ENC_KEY

#ifndef IPSEC_HASH_KEY
#define IPSEC_HASH_KEY \
    "0000000000000000000000000000000000000000"
#endif // IPSEC_HASH_KEY

// Keys for the second SA (hdr_esp2 / EALGO_ESP_3DES_HMAC_SHA2).
#ifndef IPSEC_ENC_KEY2
#define IPSEC_ENC_KEY2 \
    "000000000000000000000000000000000000000000000000"
#endif // IPSEC_ENC_KEY2

#ifndef IPSEC_HASH_KEY2
#define IPSEC_HASH_KEY2 \
    "0000000000000000000000000000000000000000"
#endif // IPSEC_HASH_KEY2

//====================================================================
// ESP algorithm definitions.
// hexstr(KEY, n) presumably converts the hex string to n raw key bytes;
// the n values below are the fixed key sizes of each primitive.
// 3DES / DES / MD5 / SHA-1 are the legacy suites the conformance tests
// exercise; this file only describes them, it does not select them.

// 3DES-CBC with HMAC-SHA1, primary SA keys.
ESPAlgorithm EALGO_ESP_3DES_HMAC_SHA {
    crypt = des3cbc_2(hexstr(IPSEC_ENC_KEY, 24));
    auth = hmacsha1_2(hexstr(IPSEC_HASH_KEY, 20));
}

// Same suite, second-SA keys.
ESPAlgorithm EALGO_ESP_3DES_HMAC_SHA2 {
    crypt = des3cbc_2(hexstr(IPSEC_ENC_KEY2, 24));
    auth = hmacsha1_2(hexstr(IPSEC_HASH_KEY2, 20));
}

// 3DES-CBC with HMAC-MD5.  Only the first 16 bytes of the (20-byte default)
// hash key are consumed here.
ESPAlgorithm EALGO_ESP_3DES_HMAC_MD5 {
    crypt = des3cbc_2(hexstr(IPSEC_ENC_KEY, 24));
    auth = hmacmd5_2(hexstr(IPSEC_HASH_KEY, 16));
}

//non-auth
// Encryption-only ESP (no integrity protection).
ESPAlgorithm EALGO_ESP_3DES {
    crypt = des3cbc_2(hexstr(IPSEC_ENC_KEY, 24));
}

// Single DES-CBC with HMAC-SHA1; uses the first 8 bytes of the 3DES key.
ESPAlgorithm EALGO_ESP_DES_HMAC_SHA{
    crypt = descbc_2(hexstr(IPSEC_ENC_KEY, 8));
    auth = hmacsha1_2(hexstr(IPSEC_HASH_KEY, 20));
}

//====================================================================
// Single DES-CBC with HMAC-MD5.
ESPAlgorithm EALGO_ESP_DES_HMAC_MD5{
    crypt = descbc_2(hexstr(IPSEC_ENC_KEY, 8));
    auth = hmacmd5_2(hexstr(IPSEC_HASH_KEY, 16));
}

// Encryption-only single DES.
ESPAlgorithm EALGO_ESP_DES{
    crypt = descbc_2(hexstr(IPSEC_ENC_KEY, 8));
}

// AH algorithms (integrity only).
AHAlgorithm AALGO_AH_MD5 {
    auth = hmacmd5_2(hexstr(IPSEC_HASH_KEY, 16));
}

AHAlgorithm AALGO_AH_SHA {
    auth = hmacsha1_2(hexstr(IPSEC_HASH_KEY, 20));
}

//====================================================================
// Tunnel Mode
/////////////////////////////
// SGW-to-SGW tunnel packets between NUT net2 SGW1 and TN net3 SGW2.
//
// Naming convention used throughout (as seen in the existing names):
//   *_recv_*  -- NUT is the IPv6 source, TN receives  (_HETHER_nut2tnA11)
//   *_send_*  -- TN is the IPv6 source, NUT receives  (_HETHER_tnA112nut)
// FEM_hdr_ipv6_exth(name, ether, { ipv6 fields }, { packet fields }) is
// presumably the macro that emits both _HDR_IPV6_NAME(name) and
// _PACKET_IPV6_NAME(name); every packet below references its own header
// except where noted.
//
// NOTE(review): these templates use IPSEC_HDR_TYPE (default hdr_esp, whose
// NextHeader is IPSEC_NEXT_HEADER) even though the upper layer is a full
// IPv6 packet; presumably the including test overrides IPSEC_HDR_TYPE to
// hdr_esp_tunnel for them -- confirm, otherwise the inner IPv6 packet would
// be labelled as ICMPv6/TCP.

FEM_hdr_ipv6_exth(
    echo_request_recv_esp_tunnel_net2sgw1_net3sgw2,
    _HETHER_nut2tnA11,
    {
        _SRC(v6(IKE_NUT_NET2_SGW1_ADDR));
        _DST(v6(IKE_TN_NET3_SGW2_ADDR));
    },
    {
        header = _HDR_IPV6_NAME(echo_request_recv_esp_tunnel_net2sgw1_net3sgw2);
        exthdr = IPSEC_HDR_TYPE;
        upper = _PACKET_IPV6_NAME(echo_request_send_net0host1_net4host2);
    }
)

// Same as above but carried on the second SA (IPSEC_HDR_TYPE2).
FEM_hdr_ipv6_exth(
    echo_request_recv_esp_tunnel_net2sgw1_net3sgw2_2,
    _HETHER_nut2tnA11,
    {
        _SRC(v6(IKE_NUT_NET2_SGW1_ADDR));
        _DST(v6(IKE_TN_NET3_SGW2_ADDR));
    },
    {
        header = _HDR_IPV6_NAME(echo_request_recv_esp_tunnel_net2sgw1_net3sgw2_2);
        exthdr = IPSEC_HDR_TYPE2;
        upper = _PACKET_IPV6_NAME(echo_request_send_net0host1_net4host2);
    }
)

FEM_hdr_ipv6_exth(
    echo_request_send_esp_tunnel_net3sgw2_net2sgw1,
    _HETHER_tnA112nut,
    {
        _SRC(v6(IKE_TN_NET3_SGW2_ADDR));
        _DST(v6(IKE_NUT_NET2_SGW1_ADDR));
    },
    {
        header = _HDR_IPV6_NAME(echo_request_send_esp_tunnel_net3sgw2_net2sgw1);
        exthdr = IPSEC_HDR_TYPE;
        upper = _PACKET_IPV6_NAME(echo_request_recv_net4host2_net0host1);
    }
)

// Host-to-SGW tunnel: TN net3 host2 terminates the tunnel itself.
FEM_hdr_ipv6_exth(
    echo_request_send_esp_tunnel_net3host2_net2sgw1,
    _HETHER_tnA112nut,
    {
        _SRC(v6(IKE_TN_NET3_HOST2_ADDR));
        _DST(v6(IKE_NUT_NET2_SGW1_ADDR));
    },
    {
        header = _HDR_IPV6_NAME(echo_request_send_esp_tunnel_net3host2_net2sgw1);
        exthdr = IPSEC_HDR_TYPE;
        upper = _PACKET_IPV6_NAME(echo_request_recv_net3host2_net0host1);
    }
)

FEM_hdr_ipv6_exth(
    echo_reply_recv_esp_tunnel_net2sgw1_net3sgw2,
    _HETHER_nut2tnA11,
    {
        _SRC(v6(IKE_NUT_NET2_SGW1_ADDR));
        _DST(v6(IKE_TN_NET3_SGW2_ADDR));
    },
    {
        header = _HDR_IPV6_NAME(echo_reply_recv_esp_tunnel_net2sgw1_net3sgw2);
        exthdr = IPSEC_HDR_TYPE;
        upper = _PACKET_IPV6_NAME(echo_reply_send_net0host1_net4host2);
    }
)

FEM_hdr_ipv6_exth(
    echo_request_recv_esp_tunnel_net2sgw1_net3host2,
    _HETHER_nut2tnA11,
    {
        _SRC(v6(IKE_NUT_NET2_SGW1_ADDR));
        _DST(v6(IKE_TN_NET3_HOST2_ADDR));
    },
    {
        header = _HDR_IPV6_NAME(echo_request_recv_esp_tunnel_net2sgw1_net3host2);
        exthdr = IPSEC_HDR_TYPE;
        upper = _PACKET_IPV6_NAME(echo_request_send_net0host1_net3host2);
    }
)

FEM_hdr_ipv6_exth(
    echo_reply_send_esp_tunnel_net3sgw2_net2sgw1,
    _HETHER_tnA112nut,
    {
        _SRC(v6(IKE_TN_NET3_SGW2_ADDR));
        _DST(v6(IKE_NUT_NET2_SGW1_ADDR));
    },
    {
        header = _HDR_IPV6_NAME(echo_reply_send_esp_tunnel_net3sgw2_net2sgw1);
        exthdr = IPSEC_HDR_TYPE;
        upper = _PACKET_IPV6_NAME(echo_reply_recv_net4host2_net0host1);
    }
)

/********** AH **********/
// NOTE(review): this template is inconsistent with its siblings in three
// places -- the packet name says net1host2_net0host1 but header references
// _HDR_IPV6_NAME(echo_request_send_ah_trans_net0host1_net1host2), which is
// not defined in this file; the Ethernet template is _HETHER_nut2tnA11
// although the IPv6 source is a TN address (every other *_send_* template
// pairs a TN source with _HETHER_tnA112nut); and upper carries a
// net0host1-to-net1host2 packet, the opposite direction of the outer header.
// Looks like a copy-paste slip -- confirm against the tests that use it.
FEM_hdr_ipv6_exth(
    echo_request_send_ah_trans_net1host2_net0host1,
    _HETHER_nut2tnA11,
    {
        _SRC(v6(IKE_TN_NET1_HOST2_ADDR));
        _DST(v6(IKE_NUT_NET0_HOST1_ADDR));
    },
    {
        header = _HDR_IPV6_NAME(echo_request_send_ah_trans_net0host1_net1host2);
        exthdr = IPSECAH_HDR_TYPE;
        upper = _PACKET_IPV6_NAME(echo_request_send_net0host1_net1host2);
    }
)

// NOTE(review): same Ethernet-direction question as above (TN source with
// _HETHER_nut2tnA11) -- confirm.
FEM_hdr_ipv6_exth(
    echo_request_send_ah_trans_net1sgw1_net0host1,
    _HETHER_nut2tnA11,
    {
        _SRC(v6(IKE_TN_NET1_SGW1_ADDR));
        _DST(v6(IKE_NUT_NET0_HOST1_ADDR));
    },
    {
        header = _HDR_IPV6_NAME(echo_request_send_ah_trans_net1sgw1_net0host1);
        exthdr = IPSECAH_HDR_TYPE;
        upper = _PACKET_IPV6_NAME(echo_request_send_net0host1_net1host2);
    }
)

// NOTE(review): named *_ah_tunnel_* but uses IPSECAH_HDR_TYPE (transport
// header, NextHeader = IPSEC_NEXT_HEADER) rather than
// IPSECAH_HDR_TYPE_TUNNEL, and the Ethernet template is the *_send_*
// direction while the name says recv -- confirm which was intended.
FEM_hdr_ipv6_exth(
    echo_reply_recv_ah_tunnel_net0host1_net1host2,
    _HETHER_tnA112nut,
    {
        _SRC(v6(IKE_NUT_NET0_HOST1_ADDR));
        _DST(v6(IKE_TN_NET1_HOST2_ADDR));
    },
    {
        header = _HDR_IPV6_NAME(echo_reply_recv_ah_tunnel_net0host1_net1host2);
        exthdr = IPSECAH_HDR_TYPE;
        upper = _PACKET_IPV6_NAME(echo_reply_recv_net0host1_net1host2);
    }
)

// Disabled legacy templates (older *_ah naming).  Kept under #if 0 by the
// author; nothing below is compiled in.
#if 0
FEM_hdr_ipv6_exth(
    echo_request_send_net0host1_net4host2_ah,
    _HETHER_nut2tnA11,
    {
        _SRC(v6(IKE_NUT_NET2_SGW1_ADDR));
        _DST(v6(IKE_TN_NET3_SGW2_ADDR));
    },
    {
        header = _HDR_IPV6_NAME(echo_request_send_net0host1_net4host2_ah);
        exthdr = IPSEC_HDR_TYPE;
        upper = _PACKET_IPV6_NAME(echo_request_send_net0host1_net4host2);
    }
)

FEM_hdr_ipv6_exth(
    echo_request_send_net0host1_net3host2_ah,
    _HETHER_nut2tnA11,
    {
        _SRC(v6(IKE_NUT_NET2_SGW1_ADDR));
        _DST(v6(IKE_TN_NET3_HOST2_ADDR));
    },
    {
        header = _HDR_IPV6_NAME(echo_request_send_net0host1_net3host2_ah);
        exthdr = IPSEC_HDR_TYPE;
        upper = _PACKET_IPV6_NAME(echo_request_send_net0host1_net3host2);
    }
)

FEM_hdr_ipv6_exth(
    echo_request_recv_net4host2_net0host1_ah,
    _HETHER_tnA112nut,
    {
        _SRC(v6(IKE_TN_NET3_SGW2_ADDR));
        _DST(v6(IKE_NUT_NET2_SGW1_ADDR));
    },
    {
        header = _HDR_IPV6_NAME(echo_request_recv_net4host2_net0host1_ah);
        exthdr = IPSEC_HDR_TYPE;
        upper = _PACKET_IPV6_NAME(echo_request_recv_net4host2_net0host1);
    }
)

FEM_hdr_ipv6_exth(
    echo_request_recv_net3host2_net0host1_ah,
    _HETHER_tnA112nut,
    {
        _SRC(v6(IKE_TN_NET3_HOST2_ADDR));
        _DST(v6(IKE_NUT_NET2_SGW1_ADDR));
    },
    {
        header = _HDR_IPV6_NAME(echo_request_recv_net3host2_net0host1_ah);
        exthdr = IPSEC_HDR_TYPE;
        upper = _PACKET_IPV6_NAME(echo_request_recv_net3host2_net0host1);
    }
)

FEM_hdr_ipv6_exth(
    echo_reply_send_net0host1_net4host2_ah,
    _HETHER_nut2tnA11,
    {
        _SRC(v6(IKE_NUT_NET2_SGW1_ADDR));
        _DST(v6(IKE_TN_NET3_SGW2_ADDR));
    },
    {
        header = _HDR_IPV6_NAME(echo_reply_send_net0host1_net4host2_ah);
        exthdr = IPSEC_HDR_TYPE;
        upper = _PACKET_IPV6_NAME(echo_reply_send_net0host1_net4host2);
    }
)

FEM_hdr_ipv6_exth(
    echo_reply_recv_net4host2_net0host1_ah,
    _HETHER_tnA112nut,
    {
        _SRC(v6(IKE_TN_NET3_SGW2_ADDR));
        _DST(v6(IKE_NUT_NET2_SGW1_ADDR));
    },
    {
        header = _HDR_IPV6_NAME(echo_reply_recv_net4host2_net0host1_ah);
        exthdr = IPSEC_HDR_TYPE;
        upper = _PACKET_IPV6_NAME(echo_reply_recv_net4host2_net0host1);
    }
)
#endif

//
// For End-Node vs SGW test
//
/////////////////////////////
// NUT is an end node (net0 host1) that terminates the tunnel itself; the
// peer is either TN net1 SGW1 (protecting net2 host2 behind it) or TN net1
// host2 directly ("vs host").  These use the *_TUNNEL header templates, so
// the outer ESP/AH NextHeader is 41.
// The commented-out _SRC/_DST lines are the earlier prefix-merge form of the
// same address, left by the author.

FEM_hdr_ipv6_exth(
    echo_request_recv_esp_tunnel_net0host1_net1sgw1,
    _HETHER_nut2tnA11,
    {
//        _SRC(v6merge(_GLOBAL0_UCAST_PRFX, _GLOBAL0_UCAST_PRFXLEN, nutv6()));
        _SRC(v6(IKE_NUT_NET0_HOST1_ADDR));
        _DST(v6(IKE_TN_NET1_SGW1_ADDR));
    },
    {
        header = _HDR_IPV6_NAME(echo_request_recv_esp_tunnel_net0host1_net1sgw1);
        exthdr = IPSEC_HDR_TYPE_TUNNEL;
        upper = _PACKET_IPV6_NAME(echo_request_recv_net0host1_net2host2);
    }
)

//vs host
FEM_hdr_ipv6_exth(
    echo_request_recv_esp_tunnel_net0host1_net1host2,
    _HETHER_nut2tnA11,
    {
//        _SRC(v6merge(_GLOBAL0_UCAST_PRFX, _GLOBAL0_UCAST_PRFXLEN, nutv6()));
        _SRC(v6(IKE_NUT_NET0_HOST1_ADDR));
        _DST(v6(IKE_TN_NET1_HOST2_ADDR));
    },
    {
        header = _HDR_IPV6_NAME(echo_request_recv_esp_tunnel_net0host1_net1host2);
        exthdr = IPSEC_HDR_TYPE_TUNNEL;
        upper = _PACKET_IPV6_NAME(echo_request_recv_net0host1_net1host2);
    }
)

// NOTE(review): header references
// _HDR_IPV6_NAME(echo_reply_recv_esp_tunnel_net0host1_net1host2) -- the
// *_net1host2 header defined further down, whose destination is
// IKE_TN_NET1_HOST2_ADDR -- while this packet is named *_net1sgw1 and its own
// header sets _DST to IKE_TN_NET1_SGW1_ADDR.  As written the emitted packet
// would carry the host2 destination; every sibling references its own
// header, so this looks like a copy-paste slip -- confirm before relying on
// the sgw1 variant.
FEM_hdr_ipv6_exth(
    echo_reply_recv_esp_tunnel_net0host1_net1sgw1,
    _HETHER_nut2tnA11,
    {
//        _SRC(v6merge(_GLOBAL0_UCAST_PRFX, _GLOBAL0_UCAST_PRFXLEN, nutv6()));
        _SRC(v6(IKE_NUT_NET0_HOST1_ADDR));
        _DST(v6(IKE_TN_NET1_SGW1_ADDR));
    },
    {
        header = _HDR_IPV6_NAME(echo_reply_recv_esp_tunnel_net0host1_net1host2);
        exthdr = IPSEC_HDR_TYPE_TUNNEL;
        upper = _PACKET_IPV6_NAME(echo_reply_recv_net0host1_net2host2);
    }
)

FEM_hdr_ipv6_exth(
    echo_reply_recv_esp_tunnel_net0host1_net1host2,
    _HETHER_nut2tnA11,
    {
//        _SRC(v6merge(_GLOBAL0_UCAST_PRFX, _GLOBAL0_UCAST_PRFXLEN, nutv6()));
        _SRC(v6(IKE_NUT_NET0_HOST1_ADDR));
        _DST(v6(IKE_TN_NET1_HOST2_ADDR));
    },
    {
        header = _HDR_IPV6_NAME(echo_reply_recv_esp_tunnel_net0host1_net1host2);
        exthdr = IPSEC_HDR_TYPE_TUNNEL;
        upper = _PACKET_IPV6_NAME(echo_reply_recv_net0host1_net1host2);
    }
)

// NOTE(review): same pattern as the reply-recv sgw1 packet above -- header
// references _HDR_IPV6_NAME(echo_request_send_esp_tunnel_net1host2_net0host1)
// (source IKE_TN_NET1_HOST2_ADDR) while this template is the *_net1sgw1
// variant with _SRC = IKE_TN_NET1_SGW1_ADDR.  Confirm whether the packet is
// meant to carry the SGW1 outer source.
FEM_hdr_ipv6_exth(
    echo_request_send_esp_tunnel_net1sgw1_net0host1,
    _HETHER_tnA112nut,
    {
        _SRC(v6(IKE_TN_NET1_SGW1_ADDR));
//        _DST(v6merge(_GLOBAL0_UCAST_PRFX, _GLOBAL0_UCAST_PRFXLEN, nutv6()));
        _DST(v6(IKE_NUT_NET0_HOST1_ADDR));
    },
    {
        header = _HDR_IPV6_NAME(echo_request_send_esp_tunnel_net1host2_net0host1);
        exthdr = IPSEC_HDR_TYPE_TUNNEL;
        upper = _PACKET_IPV6_NAME(echo_request_send_net2host2_net0host1);
    }
)

//for Tunnel mode vs HOST
FEM_hdr_ipv6_exth(
    echo_request_send_esp_tunnel_net1host2_net0host1,
    _HETHER_tnA112nut,
    {
        _SRC(v6(IKE_TN_NET1_HOST2_ADDR));
//        _DST(v6merge(_GLOBAL0_UCAST_PRFX, _GLOBAL0_UCAST_PRFXLEN, nutv6()));
        _DST(v6(IKE_NUT_NET0_HOST1_ADDR));
    },
    {
        header = _HDR_IPV6_NAME(echo_request_send_esp_tunnel_net1host2_net0host1);
        exthdr = IPSEC_HDR_TYPE_TUNNEL;
        upper = _PACKET_IPV6_NAME(echo_request_send_net1host2_net0host1);
    }
)

// AH tunnel-mode counterparts of the two *_recv_esp_tunnel_* packets above.
FEM_hdr_ipv6_exth(
    echo_request_recv_ah_tunnel_net0host1_net1sgw1,
    _HETHER_nut2tnA11,
    {
//        _SRC(v6merge(_GLOBAL0_UCAST_PRFX, _GLOBAL0_UCAST_PRFXLEN, nutv6()));
        _SRC(v6(IKE_NUT_NET0_HOST1_ADDR));
        _DST(v6(IKE_TN_NET1_SGW1_ADDR));
    },
    {
        header = _HDR_IPV6_NAME(echo_request_recv_ah_tunnel_net0host1_net1sgw1);
        exthdr = IPSECAH_HDR_TYPE_TUNNEL;
        upper = _PACKET_IPV6_NAME(echo_request_recv_net0host1_net2host2);
    }
)

//vs host
FEM_hdr_ipv6_exth(
    echo_request_recv_ah_tunnel_net0host1_net1host2,
    _HETHER_nut2tnA11,
    {
//        _SRC(v6merge(_GLOBAL0_UCAST_PRFX, _GLOBAL0_UCAST_PRFXLEN, nutv6()));
        _SRC(v6(IKE_NUT_NET0_HOST1_ADDR));
        _DST(v6(IKE_TN_NET1_HOST2_ADDR));
    },
    {
        header = _HDR_IPV6_NAME(echo_request_recv_ah_tunnel_net0host1_net1host2);
        exthdr = IPSECAH_HDR_TYPE_TUNNEL;
        upper = _PACKET_IPV6_NAME(echo_request_recv_net0host1_net1host2);
    }
)

//====================================================================
// Transport-mode templates depend on the upper-layer protocol, so they live
// in a per-protocol include selected by PACKET_IPSEC_TCP (matching the
// IPSEC_NEXT_HEADER default chosen at the top of this file).
//#ifdef PACKET_IPSEC_ICMP
//#endif //PACKET_IPSEC_ICMP
#ifdef PACKET_IPSEC_TCP
#include "ike_ipsec_transport_tcp.def"
#else
#include "ike_ipsec_transport_icmp.def"
#endif //PACKET_IPSEC_TCP

#endif // PACKET_IPSEC_DEF