@vishvananda
Created October 22, 2013 03:16
Script to set up an ipsec tunnel between two machines. For example: ./tunnel.sh 10.10.10.1 10.10.10.2 192.168.0.1 192.168.0.2 would set up an ipsec tunnel over the 10.10.10.1 address using 192.168.0.1 as a virtual address. Passwordless sudo is required for the user on the remote machine.
#!/bin/bash
# Sets up a manually keyed ESP tunnel (tunnel mode) between this host and a
# remote host using the kernel xfrm framework. The remote side is configured
# over ssh and needs passwordless sudo for the user.
if [ -z "$4" ]; then
    echo "usage: $0 <local_ip> <remote_ip> <new_local_ip> <new_remote_ip>"
    echo "creates an ipsec tunnel between two machines"
    exit 1
fi
SRC="$1"; shift      # outer (transport) address of this host
DST="$1"; shift      # outer address of the remote host
LOCAL="$1"; shift    # inner (virtual) address given to this host
REMOTE="$1"; shift   # inner (virtual) address given to the remote host
# 32-byte keys: KEY1 for HMAC-SHA256, KEY2 for AES-256 (32 bytes selects AES-256).
# Both directions share the same keys and SPI; the kernel keys an SA on
# (dst, spi, proto), so this works, but distinct keys per direction are the norm.
KEY1=0x$(dd if=/dev/urandom count=32 bs=1 2>/dev/null | xxd -p -c 64)
KEY2=0x$(dd if=/dev/urandom count=32 bs=1 2>/dev/null | xxd -p -c 64)
# Random 32-bit value used as the SPI and as the reqid that ties SAs to policies.
ID=0x$(dd if=/dev/urandom count=4 bs=1 2>/dev/null | xxd -p -c 8)
# Clear any existing SAs and policies (setkey comes from ipsec-tools).
echo "spdflush; flush;" | sudo setkey -c
# Security associations, one per direction.
sudo ip xfrm state add src "$SRC" dst "$DST" proto esp spi "$ID" reqid "$ID" mode tunnel auth sha256 "$KEY1" enc aes "$KEY2"
sudo ip xfrm state add src "$DST" dst "$SRC" proto esp spi "$ID" reqid "$ID" mode tunnel auth sha256 "$KEY1" enc aes "$KEY2"
# Policies: inner traffic between LOCAL and REMOTE must use the tunnel SAs above.
sudo ip xfrm policy add src "$LOCAL" dst "$REMOTE" dir out tmpl src "$SRC" dst "$DST" proto esp reqid "$ID" mode tunnel
sudo ip xfrm policy add src "$REMOTE" dst "$LOCAL" dir in tmpl src "$DST" dst "$SRC" proto esp reqid "$ID" mode tunnel
# Assign the inner address locally and route the remote inner address out eth1
# (the interface that reaches the remote host is assumed to be eth1).
sudo ip addr add "$LOCAL" dev lo
sudo ip route add "$REMOTE" dev eth1 src "$LOCAL"
# Mirror the configuration on the remote host. The heredoc is unquoted on
# purpose so the keys, SPI and addresses are expanded here before being sent.
ssh "$DST" /bin/bash << EOF
echo "spdflush; flush;" | sudo setkey -c
sudo ip xfrm state add src $SRC dst $DST proto esp spi $ID reqid $ID mode tunnel auth sha256 $KEY1 enc aes $KEY2
sudo ip xfrm state add src $DST dst $SRC proto esp spi $ID reqid $ID mode tunnel auth sha256 $KEY1 enc aes $KEY2
sudo ip xfrm policy add src $REMOTE dst $LOCAL dir out tmpl src $DST dst $SRC proto esp reqid $ID mode tunnel
sudo ip xfrm policy add src $LOCAL dst $REMOTE dir in tmpl src $SRC dst $DST proto esp reqid $ID mode tunnel
sudo ip addr add $REMOTE dev lo
sudo ip route add $LOCAL dev eth1 src $REMOTE
EOF
@oblazek
oblazek commented Aug 8, 2017

Is there some way that I can specify AES encryption key lengths of 64, 128 or 256 bits?
Thanks a lot, Ondrej

@kkedf
kkedf commented Nov 22, 2017

AES supports 128-, 192- and 256-bit keys.

https://en.wikipedia.org/wiki/Advanced_Encryption_Standard
For AES, NIST selected three members of the Rijndael family, each with a block size of 128 bits, but three different key lengths: 128, 192 and 256 bits.

To change the xfrm key length, use aes128, aes192 or aes256 keys:

# Test SAs with no encryption (cipher_null) and different HMACs; the short
# "0x1122"/"0x1111" values are placeholder keys for testing.
ip xfrm state flush

ip xfrm state add src 192.168.168.1 dst 192.168.168.155 proto esp spi "0x1122" reqid "0x1" mode tunnel enc cipher_null "" auth "hmac(md5)" "0x1122"
ip xfrm state add src 192.168.168.155 dst 192.168.168.1 proto esp spi "0x1111" reqid "0x1" mode tunnel enc cipher_null "" auth "hmac(md5)" "0x1111"

# Same, with the ICV truncated to 96 bits via auth-trunc:
#ip xfrm state add src 192.168.168.1 dst 192.168.168.155 proto esp spi "0x1122" reqid "0x1" mode tunnel enc cipher_null "" auth-trunc "hmac(md5)" "0x1122" 96
#ip xfrm state add src 192.168.168.155 dst 192.168.168.1 proto esp spi "0x1111" reqid "0x1" mode tunnel enc cipher_null "" auth-trunc "hmac(md5)" "0x1111" 96

ip xfrm state flush
ip xfrm state add src 192.168.168.1 dst 192.168.168.155 proto esp spi "0x1122" reqid "0x1" mode tunnel enc cipher_null "" auth "hmac(sha1)" "0x1122"
ip xfrm state add src 192.168.168.155 dst 192.168.168.1 proto esp spi "0x1111" reqid "0x1" mode tunnel enc cipher_null "" auth "hmac(sha1)" "0x1111"

ip xfrm state flush
ip xfrm state add src 192.168.168.1 dst 192.168.168.155 proto esp spi "0x1122" reqid "0x1" mode tunnel enc cipher_null "" auth "hmac(sha256)" "0x1122"
ip xfrm state add src 192.168.168.155 dst 192.168.168.1 proto esp spi "0x1111" reqid "0x1" mode tunnel enc cipher_null "" auth "hmac(sha256)" "0x1111"

# DES-CBC: 8-byte key
ip xfrm state flush
ip xfrm state add src 192.168.168.1 dst 192.168.168.155 proto esp spi "0x1122" reqid "0x1" mode tunnel enc "cbc(des)" "0x1122020304050607"
ip xfrm state add src 192.168.168.155 dst 192.168.168.1 proto esp spi "0x1111" reqid "0x1" mode tunnel enc "cbc(des)" "0x1111020304050607"

# 3DES-CBC: 24-byte key
ip xfrm state flush
ip xfrm state add src 192.168.168.1 dst 192.168.168.155 proto esp spi "0x1122" reqid "0x1" mode tunnel enc "cbc(des3_ede)" "0x112202030405060708090a0b0c0d0e0f0001020304050607"
ip xfrm state add src 192.168.168.155 dst 192.168.168.1 proto esp spi "0x1111" reqid "0x1" mode tunnel enc "cbc(des3_ede)" "0x111102030405060708090a0b0c0d0e0f0001020304050607"

# AES-128 CBC: 16-byte key
ip xfrm state flush
ip xfrm state add src 192.168.168.1 dst 192.168.168.155 proto esp spi "0x1122" reqid "0x1" mode tunnel enc "cbc(aes)" "0x112202030405060708090a0b0c0d0e0f"
ip xfrm state add src 192.168.168.155 dst 192.168.168.1 proto esp spi "0x1111" reqid "0x1" mode tunnel enc "cbc(aes)" "0x111102030405060708090a0b0c0d0e0f"

# AES-256 CBC: 32-byte key
ip xfrm state flush
ip xfrm state add src 192.168.168.1 dst 192.168.168.155 proto esp spi "0x1122" reqid "0x1" mode tunnel enc "cbc(aes)" "0x112202030405060708090a0b0c0d0e0f112202030405060708090a0b0c0d0e0f"
ip xfrm state add src 192.168.168.155 dst 192.168.168.1 proto esp spi "0x1111" reqid "0x1" mode tunnel enc "cbc(aes)" "0x111102030405060708090a0b0c0d0e0f111102030405060708090a0b0c0d0e0f"

# AES-128 CTR (rfc3686): 16-byte key followed by a 4-byte nonce
ip xfrm state flush
ip xfrm state add src 192.168.168.1 dst 192.168.168.155 proto esp spi "0x1122" reqid "0x1" mode tunnel enc "rfc3686(ctr(aes))" "0x112202030405060708090a0b0c0d0e0f00000000"
ip xfrm state add src 192.168.168.155 dst 192.168.168.1 proto esp spi "0x1111" reqid "0x1" mode tunnel enc "rfc3686(ctr(aes))" "0x111102030405060708090a0b0c0d0e0f00000000"

# AES-256 CTR (rfc3686): 32-byte key followed by a 4-byte nonce
ip xfrm state flush
ip xfrm state add src 192.168.168.1 dst 192.168.168.155 proto esp spi "0x1122" reqid "0x1" mode tunnel enc "rfc3686(ctr(aes))" "0x112202030405060708090a0b0c0d0e0f112202030405060708090a0b0c0d0e0f00000000"
ip xfrm state add src 192.168.168.155 dst 192.168.168.1 proto esp spi "0x1111" reqid "0x1" mode tunnel enc "rfc3686(ctr(aes))" "0x111102030405060708090a0b0c0d0e0f111102030405060708090a0b0c0d0e0f00000000"
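The gist derives the AES key size from the number of random bytes it generates, and the comment above shows that the key length is what selects AES-128/192/256, with rfc3686 CTR mode needing 4 extra nonce bytes. The following shell script is an added example (not code from the gist or from any commenter) that makes that relationship explicit: it computes the byte count an algorithm needs, generates a key of that size, checks a supplied key before it reaches the kernel, and prints the two per-direction "ip xfrm state add" commands instead of executing them, so it can be run without root. The helper names (rand_hex, enc_key_bytes, check_key_len, xfrm_state_cmds, demo) and the 10.10.10.x addresses, SPI and reqid are this example's own constructed values.

```shell
#!/bin/sh
# Added example: size-checked ESP key generation and dry-run command building
# for manually keyed xfrm SAs. Helper names and addresses are constructed here.

# Random bytes from /dev/urandom as a 0x-prefixed hex string, the form ip xfrm
# expects. $1 = number of bytes.
rand_hex() {
    printf '0x%s' "$(head -c "$1" /dev/urandom | od -An -tx1 | tr -d ' \n')"
}

# Key bytes needed by an encryption algorithm for a given AES key size in bits.
# Only 128, 192 and 256 are valid AES sizes; rfc3686(ctr(aes)) appends a
# 4-byte nonce to the key, exactly as the "add 4byte nonce" lines above show.
enc_key_bytes() {
    alg="$1"; bits="$2"
    case "$bits" in
        128|192|256) ;;
        *) echo "unsupported AES key size: $bits" >&2; return 1 ;;
    esac
    bytes=$((bits / 8))
    case "$alg" in
        "cbc(aes)")          echo "$bytes" ;;
        "rfc3686(ctr(aes))") echo $((bytes + 4)) ;;
        *) echo "unsupported algorithm: $alg" >&2; return 1 ;;
    esac
}

# Succeeds only if $1 is a 0x-prefixed hex string of exactly $2 bytes.
# Catches the classic mistake of a key that is not one of the AES sizes.
check_key_len() {
    key="$1"; want_bytes="$2"
    hex="${key#0x}"
    case "$hex" in
        *[!0-9a-fA-F]*|"") return 1 ;;
    esac
    [ $(( ${#hex} % 2 )) -eq 0 ] && [ $(( ${#hex} / 2 )) -eq "$want_bytes" ]
}

# Print the "ip xfrm state add" command for each direction of an ESP tunnel.
# Arguments: src dst spi reqid enc_alg enc_key auth_alg auth_key
xfrm_state_cmds() {
    src="$1"; dst="$2"; spi="$3"; reqid="$4"
    enc_alg="$5"; enc_key="$6"; auth_alg="$7"; auth_key="$8"
    for pair in "$src $dst" "$dst $src"; do
        set -- $pair
        printf 'ip xfrm state add src %s dst %s proto esp spi %s reqid %s mode tunnel enc "%s" %s auth "%s" %s\n' \
            "$1" "$2" "$spi" "$reqid" "$enc_alg" "$enc_key" "$auth_alg" "$auth_key"
    done
}

# Demonstration: AES-256 in CTR mode (32 key bytes + 4 nonce bytes) with a
# 32-byte HMAC-SHA256 key, lengths verified, commands printed, nothing executed.
demo() {
    enc_alg="rfc3686(ctr(aes))"
    enc_key=$(rand_hex "$(enc_key_bytes "$enc_alg" 256)")
    auth_key=$(rand_hex 32)
    check_key_len "$enc_key" 36 || return 1
    xfrm_state_cmds 10.10.10.1 10.10.10.2 0x1122 0x1 "$enc_alg" "$enc_key" "hmac(sha256)" "$auth_key"
}
demo
```

The algorithm names are the kernel crypto names used in the commands above; the shorter spellings in the gist (auth sha256, enc aes) are also accepted by ip xfrm. Because the kernel only rejects a wrong AES key size when the SA is added, checking the length before the command is run keeps a half-configured tunnel (one direction added, the other rejected) from being left behind.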

@jlearman
jlearman commented Jun 15, 2022

I believe that echo "spdflush; flush;" | sudo setkey -c can be replaced by ip xfrm state flush && ip xfrm policy flush, in which case there is no need to install ipsec-tools for setkey.

(Thanks for this and netlink API!)

@congzhangzh
> I believe that echo "spdflush; flush;" | sudo setkey -c can be replaced by ip xfrm state flush && ip xfrm policy flush, in which case there is no need to install ipsec-tools for setkey.
>
> (Thanks for this and netlink API!)

+1
