From owner-doc-jp@jp.freebsd.org  Thu Mar 16 17:44:43 2000
To: doc-jp@jp.freebsd.org
In-Reply-To: Your message of "Sun, 12 Mar 2000 11:42:33 +0900"
	<200003120244.LAA28494@mail.geocities.co.jp>
References: <200003120244.LAA28494@mail.geocities.co.jp>
Message-Id: <20000316174422O.dui@360.cc>
Date: Thu, 16 Mar 2000 17:44:22 +0900
From: Naoto Kaneko <dui@360.cc>
Subject: [doc-jp 7172] Re: handbook/security/chapter.sgml 1.25 -> 1.26 #3

Kaneko here. This is the last one.

So then, everyone, please review.

From: Hiroki Sato <hrs@geocities.co.jp>
Subject: [doc-jp 7161] handbook/security/chapter.sgml 1.25 -> 1.26 #3
Date: Sun, 12 Mar 2000 11:42:33 +0900
Message-ID: <200003120244.LAA28494@mail.geocities.co.jp>

> (handbook/security/chapter.sgml 1.25 -> 1.26 #3)
> 
>     <sect2>
>       <title>Tunnel mode example with IPv6</title>
> 
>       <para>Encryption algorithm is 3des-cbc, and authentication algorithm
>       for ESP is hmac-sha1.  Authentication algorithm for AH is hmac-md5.
>       Configuration at Gateway-A:</para>
> 
>       <screen>
> 
>         &prompt.root; <command>setkey -c</command> &lt;&lt;<filename>EOF</filename>
>         spdadd fec0:0:0:1::/64 fec0:0:0:2::/64 any -P out ipsec
>                 esp/tunnel/fec0:0:0:1::1-fec0:0:0:2::1/require
>                 ah/transport/fec0:0:0:1::1-fec0:0:0:2::1/require ;
>         spdadd fec0:0:0:2::/64 fec0:0:0:1::/64 any -P in ipsec
>                 esp/tunnel/fec0:0:0:2::1-fec0:0:0:1::1/require
>                 ah/transport/fec0:0:0:2::1-fec0:0:0:1::1/require ;
>         add fec0:0:0:1::1 fec0:0:0:2::1 esp 0x10001 -m tunnel
>                 -E 3des-cbc "kamekame12341234kame1234"
>                 -A hmac-sha1 "this is the test key" ;
>         add fec0:0:0:1::1 fec0:0:0:2::1 ah 0x10001 -m transport
>                 -A hmac-md5 "this is the test" ;
>         add fec0:0:0:2::1 fec0:0:0:1::1 esp 0x10001 -m tunnel
>                 -E 3des-cbc "kamekame12341234kame1234"
>                 -A hmac-sha1 "this is the test key" ;
>         add fec0:0:0:2::1 fec0:0:0:1::1 ah 0x10001 -m transport
>                 -A hmac-md5 "this is the test" ;
> 
>         EOF
> 
>       </screen>
> 
>       <para>Making SAs with a different end</para>
> 
>       <para>ESP tunnel mode is required between Host-A and Gateway-A. Encryption
>       algorithm is cast128-cbc, and authentication algorithm for ESP is
>       hmac-sha1.  ESP transport mode is recommended between Host-A and Host-B.
>       Encryption algorithm is rc5-cbc, and authentication algorithm for ESP is
>       hmac-md5.</para>
> 
>       <screen>
> 
>               ================== ESP =================
>               |  ======= ESP =======                 |
>               |  |                 |                 |
>              Host-A            Gateway-A           Host-B
>           fec0:0:0:1::1 ---- fec0:0:0:2::1 ---- fec0:0:0:2::2
> 
>       </screen>
> 
>       <para>Configuration at Host-A:</para>
> 
>       <screen>
> 
>         &prompt.root; <command>setkey -c</command> &lt;&lt;<filename>EOF</filename>
>         spdadd fec0:0:0:1::1[any] fec0:0:0:2::2[80] tcp -P out ipsec
>                 esp/transport/fec0:0:0:1::1-fec0:0:0:2::2/use
>                 esp/tunnel/fec0:0:0:1::1-fec0:0:0:2::1/require ;
>         spdadd fec0:0:0:2::2[80] fec0:0:0:1::1[any] tcp -P in ipsec
>                 esp/transport/fec0:0:0:2::2-fec0:0:0:1::1/use
>                 esp/tunnel/fec0:0:0:2::1-fec0:0:0:1::1/require ;
>         add fec0:0:0:1::1 fec0:0:0:2::2 esp 0x10001
>                 -m transport
>                 -E cast128-cbc "12341234"
>                 -A hmac-sha1 "this is the test key" ;
>         add fec0:0:0:1::1 fec0:0:0:2::1 esp 0x10002
>                 -E rc5-cbc "kamekame"
>                 -A hmac-md5 "this is the test" ;
>         add fec0:0:0:2::2 fec0:0:0:1::1 esp 0x10003
>                 -m transport
>                 -E cast128-cbc "12341234"
>                 -A hmac-sha1 "this is the test key" ;
>         add fec0:0:0:2::1 fec0:0:0:1::1 esp 0x10004
>                 -E rc5-cbc "kamekame"
>                 -A hmac-md5 "this is the test" ;
> 
>         EOF
> 
>       </screen>
>      </sect2>

(handbook/security/chapter.sgml 1.25 -> 1.26 #3)

    <sect2>
      <title>IPv6$B$G$N%H%s%M%k%b!<%I$NNc(B</title>

      <para>This is the configuration at Gateway-A. The encryption algorithm
      is 3des-cbc, and the authentication algorithm for ESP is hmac-sha1. The
      authentication algorithm for AH is hmac-md5.</para>

      <screen>

        &prompt.root; <command>setkey -c</command> &lt;&lt;<filename>EOF</filename>
        spdadd fec0:0:0:1::/64 fec0:0:0:2::/64 any -P out ipsec
                esp/tunnel/fec0:0:0:1::1-fec0:0:0:2::1/require
                ah/transport/fec0:0:0:1::1-fec0:0:0:2::1/require ;
        spdadd fec0:0:0:2::/64 fec0:0:0:1::/64 any -P in ipsec
                esp/tunnel/fec0:0:0:2::1-fec0:0:0:1::1/require
                ah/transport/fec0:0:0:2::1-fec0:0:0:1::1/require ;
        add fec0:0:0:1::1 fec0:0:0:2::1 esp 0x10001 -m tunnel
                -E 3des-cbc "kamekame12341234kame1234"
                -A hmac-sha1 "this is the test key" ;
        add fec0:0:0:1::1 fec0:0:0:2::1 ah 0x10001 -m transport
                -A hmac-md5 "this is the test" ;
        add fec0:0:0:2::1 fec0:0:0:1::1 esp 0x10001 -m tunnel
                -E 3des-cbc "kamekame12341234kame1234"
                -A hmac-sha1 "this is the test key" ;
        add fec0:0:0:2::1 fec0:0:0:1::1 ah 0x10001 -m transport
                -A hmac-md5 "this is the test" ;

        EOF

      </screen>

      <para>$BJLC<Kv$X$N(BSA$B$N:n$jJ}(B</para>

      <para>ESP$B%H%s%M%k%b!<%I$O(BHost-A$B$H(BGateway-A$B$N4V$GI,MW$H$5$l$^$9(B. 
      $B0E9f2=%"%k%4%j%:%`$O(Bcast128-cbc, ESP$B$NG'>Z%"%k%4%j%:%`$O(B
      hmac-sha1$B$G$9(B. Host-A$B$H(BHost-B$B$N4V$G$O(BESP$B%H%i%s%9%]!<%H%b!<%I$,?d(B
      $B>)$5$l$^$9(B. $B0E9f2=%"%k%4%j%:%`$O(Brc5-cbc, ESP$B$NG'>Z%"%k%4%j%:%`$O(B
      hmac-md5$B$G$9(B. </para>

      <screen>

              ================== ESP =================
              |  ======= ESP =======                 |
              |  |                 |                 |
             Host-A            Gateway-A           Host-B
          fec0:0:0:1::1 ---- fec0:0:0:2::1 ---- fec0:0:0:2::2

      </screen>

      <para>Host-A$B$G$N@_Dj(B:</para>

      <screen>

        &prompt.root; <command>setkey -c</command> &lt;&lt;<filename>EOF</filename>
        spdadd fec0:0:0:1::1[any] fec0:0:0:2::2[80] tcp -P out ipsec
                esp/transport/fec0:0:0:1::1-fec0:0:0:2::2/use
                esp/tunnel/fec0:0:0:1::1-fec0:0:0:2::1/require ;
        spdadd fec0:0:0:2::2[80] fec0:0:0:1::1[any] tcp -P in ipsec
                esp/transport/fec0:0:0:2::2-fec0:0:0:1::1/use
                esp/tunnel/fec0:0:0:2::1-fec0:0:0:1::1/require ;
        add fec0:0:0:1::1 fec0:0:0:2::2 esp 0x10001
                -m transport
                -E cast128-cbc "12341234"
                -A hmac-sha1 "this is the test key" ;
        add fec0:0:0:1::1 fec0:0:0:2::1 esp 0x10002
                -E rc5-cbc "kamekame"
                -A hmac-md5 "this is the test" ;
        add fec0:0:0:2::2 fec0:0:0:1::1 esp 0x10003
                -m transport
                -E cast128-cbc "12341234"
                -A hmac-sha1 "this is the test key" ;
        add fec0:0:0:2::1 fec0:0:0:1::1 esp 0x10004
                -E rc5-cbc "kamekame"
                -A hmac-md5 "this is the test" ;

        EOF

      </screen>
     </sect2>

	                             /* $B6b;R(B $BD>?M(B
					$B7D1~Bg3XM}9)3XIt>pJs9)3X2J(B3$BG/(B
					dui@360.cc */
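As an added example (not part of this mail or of the handbook text being reviewed), a small Python checker for setkey -c scripts like the ones above: it verifies that each -E/-A key has a length setkey(8) accepts for that algorithm, and that every ipsec request in an spdadd policy is backed by an SA from an add line with matching protocol, endpoints and mode. The embedded script is the outbound half of the Gateway-A configuration from this page; the broken copy beside it is constructed to show what a finding looks like.

```python
import re

# Key sizes in bytes that setkey(8) accepts for the algorithms used on this page
# (3des-cbc 192 bits, cast128-cbc 40-128, rc5-cbc 40-2040, hmac-md5 128, hmac-sha1 160).
KEY_LEN = {"3des-cbc": (24, 24), "cast128-cbc": (5, 16), "rc5-cbc": (5, 255),
           "hmac-md5": (16, 16), "hmac-sha1": (20, 20)}

SPD_RE = re.compile(r"spdadd\s+(\S+)\s+(\S+)\s+\S+\s+-P\s+(in|out)\s+ipsec\s+(.*?);", re.S)
SAD_RE = re.compile(r"\badd\s+(\S+)\s+(\S+)\s+(esp|ah)\s+(0x[0-9a-fA-F]+)(.*?);", re.S)
KEY_RE = re.compile(r'-[EA]\s+(\S+)\s+("[^"]*"|0x[0-9a-fA-F]+)')
REQ_RE = re.compile(r"(esp|ah)/(transport|tunnel)/([^/\s]+)/\w+")


def check_setkey(script):
    """Return a list of problems found in a setkey -c script; an empty list means clean."""
    problems, sas = [], set()
    for src, dst, proto, spi, opts in SAD_RE.findall(script):
        m = re.search(r"-m\s+(transport|tunnel|any)", opts)
        sas.add((proto, m.group(1) if m else "any", src, dst))  # setkey's default mode is any
        for alg, tok in KEY_RE.findall(opts):
            nbytes = (len(tok) - 2) // 2 if tok.startswith("0x") else len(tok) - 2
            lo, hi = KEY_LEN.get(alg, (None, None))
            if lo is None:
                problems.append(f"{spi}: unknown algorithm {alg}")
            elif not lo <= nbytes <= hi:
                problems.append(f"{spi}: {alg} key is {nbytes} bytes, expected {lo}-{hi}")
    for src, dst, direction, reqs in SPD_RE.findall(script):
        for proto, mode, ends in REQ_RE.findall(reqs):
            s, d = ends.split("-")  # IPv6 addresses never contain '-'
            if (proto, mode, s, d) not in sas and (proto, "any", s, d) not in sas:
                problems.append(f"{direction} policy {src} -> {dst}: no {proto} {mode} SA {s} -> {d}")
    return problems


# Outbound half of the Gateway-A script from this page, plus a constructed broken copy
# with an hmac-md5 key of the wrong size and an AH SA whose mode no longer matches the policy.
GATEWAY_A = """
spdadd fec0:0:0:1::/64 fec0:0:0:2::/64 any -P out ipsec
        esp/tunnel/fec0:0:0:1::1-fec0:0:0:2::1/require
        ah/transport/fec0:0:0:1::1-fec0:0:0:2::1/require ;
add fec0:0:0:1::1 fec0:0:0:2::1 esp 0x10001 -m tunnel
        -E 3des-cbc "kamekame12341234kame1234"
        -A hmac-sha1 "this is the test key" ;
add fec0:0:0:1::1 fec0:0:0:2::1 ah 0x10001 -m transport
        -A hmac-md5 "this is the test" ;
"""
BROKEN = (GATEWAY_A.replace('"this is the test"', '"too short"')
          .replace("ah 0x10001 -m transport", "ah 0x10001 -m tunnel"))
```

Run `check_setkey` on a script before feeding it to `setkey -c`; an SA whose key length is wrong is rejected by the kernel, and a policy with no matching SA silently drops the traffic it was meant to protect.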