pattern

Linux 2.6 内核上配置IPSec VPN 的工具

IPsec transport mode

	HOST-A ================ HOST-B
	(A)                     (B)

	IKE negotiation: A <--> B
	phase 1 ID payloads: <anything, anything>
	SA addresses: A <--> B
	outgoing packet: IP(A->B)
	phase 2 ID payloads: none, or <A, B>

	HOST-A's policy:
		spdadd A B any -P out ipsec ah/transport//require;
		spdadd B A any -P in ipsec ah/transport//require;

	HOST-B's policy:
		spdadd B A any -P out ipsec ah/transport//require;
		spdadd A B any -P in ipsec ah/transport//require;

	both racoon.conf:
		no particular twists

IPsec tunnel mode

	HOST-A --- Gateway-A =========== Gateway-B --- HOST-B
	(A)        (GA)                  (GB)          (B)

	IKE negotiation: GA <--> GB
	phase 2 ID payloads: <anything, anything>
		IDs should reflect GA and GB's authenticity.
	SA addresses: GA <--> GB
	outgoing packet: IP(GA->GB)
	phase 2 ID payloads: A, B

	Gateway-A's policy:
		spdadd A B any -P out ipsec esp/tunnel/GA-GB/require;
		spdadd B A any -P in ipsec esp/tunnel/GB-GA/require;

	Gateway-B's policy:
		spdadd B A any -P out ipsec esp/tunnel/GB-GA/require;
		spdadd A B any -P in ipsec esp/tunnel/GA-GB/require;

	both racoon.conf:
		no particular twists

MIP6

	MN ================ CN
	(HA/COA)           (CNA)

	IKE negotiation: COA <--> CNA
		* MN always initiate IKE session probably.
	phase 1 ID payloads: <anything, anything>
	SA addresses: HA <--> CNA
	outgoing packet: IP(COA->CNA) | HAoption(HA)
	phase 2 ID payloads: <HA, CNA>

	MN's policy:
		spdadd HA CNA any -P out ipsec ah/transport//require;
		spdadd CNA HA any -P in ipsec ah/transport//require;

	MN's racoon.conf:
		remote CNA { support_mip6 on; }

	CN's policy:
		spdadd CNA HA any -P out ipsec ah/transport//require;
		spdadd HA CNA any -P in ipsec ah/transport//require;

	CN's racoon.conf:
		support_mip6 on;
		(generate_policy on;)

o Anonymous client on IPsec transport mode

	HOST-A communicates with Server by using IPsec transport mode.

	HOST-A =========== Server
	(A)                (G)

	IKE negotiation: A <-> G
	phase 1 ID payloads: anything,anything
	SA addresses: A <--> S
	phase 2 ID payloads: none

	S accepts network connections from network range net/pl (like
	1.0.0.0/8).

	HOST-A's policy:
		spdadd A S any -P out ipsec esp/transport//require;
		spdadd S A any -P in ipsec esp/transport//require;

	A's racoon.conf:
		no particular twists

	Server's policy:
		spdadd S net/pl any -P out ipsec esp/transport//require;
		spdadd net/pl S any -P in ipsec esp/transport//require;

	Server's racoon.conf:
		anonymous { passive on; }

	due to the absense of phase 2 ID, IPsec SA will be installed for
	A <--> S, not for net/pl <--> S.

o anonymous client allocated IP address dynamically and having a internal
  address.

	HOST-A communicates with hosts on Network-B through Gateway
	by using IPsec tunnel mode.
	IP address of HOST-A is allocated dynamically.

	HOST-A =========== Gateway ----------- Network-B
	(Ao/Ai)             (G)                  (net-B)

	HOST-A has two IP address, Ao as outernal is dynamically allocated,
	and Ai as internal can be routed to Network-B.
	Gateway's address on A side is G.
	main mode with pre-shared key can not be used.

	IKE negotiation: Ao <-> G
	phase 1 ID payloads: anything,anything
	SA addresses: Ao <--> G
	phase 2 ID payloads: Ai/net-B

	policy configuration at HOST-A:
		spdadd Ai net-B any -P out ipsec esp/tunnel/Ao-G/require;
		spdadd net-B Ai any -P in ipsec esp/tunnel/G-Ao/require;

	racoon.conf at HOST-A:
		no particular twists

	policy configuration at Gateway:
		Nothing

	Server's racoon.conf:
		anonymous { passive on; }

o anonymous client allocated IP address dynamically.

	HOST-A communicates with hosts on Network-B through Gateway
	by using IPsec tunnel mode, also using NAT.
	IP address of HOST-A is allocated dynamically.

	HOST-A =========== Gateway ----------- Network-B
	  (A)               (G)                  (net-B)

	HOST-A's IP address is dynamically allocated,
	Gateway's address on A side is G.
	main mode with pre-shared key can not be used.

	IKE negotiation: A <-> G
	phase 1 ID payloads: anything,anything
	SA addresses: A <--> G
	phase 2 ID payloads: A/net-B

	policy configuration at HOST-A:
		spdadd A net-B any -P out ipsec esp/tunnel/A-G/require;
		spdadd net-B A any -P in ipsec esp/tunnel/G-A/require;

	racoon.conf at HOST-A:
		no particular twists

	policy configuration at Gateway:
		Nothing

	Server's racoon.conf:
		anonymous { passive on; }