The main wrinkle is that I only want to encrypt memcached traffic (port 11211), and disallow any unencrypted traffic to that port. I can't figure out how to debug the connections, though.



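# Configuration for 192.168.130.12/w01
#
# Manually keyed transport-mode IPsec for the memcached port (11211) on w01.
# Peers: w02 = 192.168.130.30, w03 = 192.168.130.53.
# NOTE: every SA below reuses the same placeholder key (0xSMALLKEY1 for AH,
# 0xBIGKEY1 for ESP); in a real deployment each SA (each direction, each
# peer) needs its own independently generated key. hmac-md5 and 3des-cbc
# are legacy algorithms; setkey also accepts e.g. hmac-sha256 / aes-cbc.

# Flush the SAD and SPD
flush;
spdflush;

# AH SAs using 128 bit long keys
# w01 -> w02
add 192.168.130.12 192.168.130.30 ah 0x200 -A hmac-md5
0xSMALLKEY1;
# w02 -> w01
add 192.168.130.30 192.168.130.12 ah 0x300 -A hmac-md5
0xSMALLKEY1;
# w01 -> w03
add 192.168.130.12 192.168.130.53 ah 0x400 -A hmac-md5
0xSMALLKEY1;
# w03 -> w01
add 192.168.130.53 192.168.130.12 ah 0x500 -A hmac-md5
0xSMALLKEY1;

# ESP SAs using 192 bit long keys (168 + 24 parity)
# w01 -> w02
add 192.168.130.12 192.168.130.30 esp 0x201 -E 3des-cbc
0xBIGKEY1;
# w02 -> w01
add 192.168.130.30 192.168.130.12 esp 0x301 -E 3des-cbc
0xBIGKEY1;
# w01 -> w03
add 192.168.130.12 192.168.130.53 esp 0x401 -E 3des-cbc
0xBIGKEY1;
# w03 -> w01
add 192.168.130.53 192.168.130.12 esp 0x501 -E 3des-cbc
0xBIGKEY1;

# Security policies
# w01 -> w02 (replies leaving the memcached port towards w02)
spdadd 192.168.130.12[11211] 192.168.130.30[any] any -P out ipsec
esp/transport//require
ah/transport//require;

# any -> w01: require IPsec on everything arriving at the memcached port.
# A bare 0.0.0.0 is a single host address (implicit /32) and matches only
# packets whose source is 0.0.0.0, so the previous policy effectively never
# applied; that is the likely reason cleartext to 11211 was still accepted.
# 0.0.0.0/0 is the wildcard. With "require", packets that match this
# selector and are not IPsec-protected are discarded, and only w02 and w03
# have SAs to w01.
# NOTE(review): memcached is TCP (optionally UDP); narrowing the upper-layer
# protocol from any to tcp would make the port selector unambiguous --
# confirm against the kernel's handling of port selectors with proto any.
spdadd 0.0.0.0/0[any] 192.168.130.12[11211] any -P in ipsec
esp/transport//require
ah/transport//require;

# w01 -> w03 (replies leaving the memcached port towards w03)
spdadd 192.168.130.12[11211] 192.168.130.53[any] any -P out ipsec
esp/transport//require
ah/transport//require;

# w03 -> w01: covered by the wildcard inbound policy above, so no per-peer
# inbound policy is needed; kept here only for reference.
#spdadd 192.168.130.53 192.168.130.12 any -P in ipsec
#spdadd 192.168.130.53[any] 192.168.130.12[11211] any -P in ipsec
# esp/transport//require
# ah/transport//require;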




# Configuration for 192.168.130.30/w02
#
# Peer side of the w01 memcached policy: w02 only talks to w01's port 11211.
# NOTE: both SA directions reuse the same placeholder key as every other
# host; each SA needs its own independently generated key in practice.
# The SPIs and keys here must match the w01 configuration exactly.

# Flush the SAD and SPD
flush;
spdflush;

# AH SAs using 128 bit long keys
# w01 -> w02
add 192.168.130.12 192.168.130.30 ah 0x200 -A hmac-md5
0xSMALLKEY1;
# w02 -> w01
add 192.168.130.30 192.168.130.12 ah 0x300 -A hmac-md5
0xSMALLKEY1;

# ESP SAs using 192 bit long keys (168 + 24 parity)
# w01 -> w02
add 192.168.130.12 192.168.130.30 esp 0x201 -E 3des-cbc
0xBIGKEY1;
# w02 -> w01
add 192.168.130.30 192.168.130.12 esp 0x301 -E 3des-cbc
0xBIGKEY1;

# Security policies
# w02 -> w01: outbound to w01's memcached port must be protected
spdadd 192.168.130.30[any] 192.168.130.12[11211] any -P out ipsec
esp/transport//require
ah/transport//require;

# w01 -> w02: replies from w01's memcached port must be protected
spdadd 192.168.130.12[11211] 192.168.130.30[any] any -P in ipsec
esp/transport//require
ah/transport//require;



# Configuration for 192.168.130.53/w03
#
# Peer side of the w01 memcached policy: w03 only talks to w01's port 11211.
# NOTE: both SA directions reuse the same placeholder key as every other
# host; each SA needs its own independently generated key in practice.
# The SPIs and keys here must match the w01 configuration exactly.

# Flush the SAD and SPD
flush;
spdflush;

# AH SAs using 128 bit long keys
# w01 -> w03
add 192.168.130.12 192.168.130.53 ah 0x400 -A hmac-md5
0xSMALLKEY1;
# w03 -> w01
add 192.168.130.53 192.168.130.12 ah 0x500 -A hmac-md5
0xSMALLKEY1;

# ESP SAs using 192 bit long keys (168 + 24 parity)
# w01 -> w03
add 192.168.130.12 192.168.130.53 esp 0x401 -E 3des-cbc
0xBIGKEY1;
# w03 -> w01
add 192.168.130.53 192.168.130.12 esp 0x501 -E 3des-cbc
0xBIGKEY1;

# Security policies
# w03 -> w01: outbound to w01's memcached port must be protected
spdadd 192.168.130.53[any] 192.168.130.12[11211] any -P out ipsec
esp/transport//require
ah/transport//require;

# w01 -> w03: replies from w01's memcached port must be protected
spdadd 192.168.130.12[11211] 192.168.130.53[any] any -P in ipsec
esp/transport//require
ah/transport//require;