author | shin <shin@FreeBSD.org> | 2000-02-26 19:44:12 +0000 |
---|---|---|
committer | shin <shin@FreeBSD.org> | 2000-02-26 19:44:12 +0000 |
commit | 9b8b2074975c685e02cccd4939abd1200f82d010 (patch) | |
tree | 8de4cc9d2457db0a62abeac5dee6fb8e363579d7 /share/examples/IPv6 | |
parent | 60843485ad65175ee23a3e9a01666a9cf467602f (diff) | |
download | FreeBSD-src-9b8b2074975c685e02cccd4939abd1200f82d010.zip FreeBSD-src-9b8b2074975c685e02cccd4939abd1200f82d010.tar.gz |
Add IPv6 related docs.
Reviewed by: phantom
Diffstat (limited to 'share/examples/IPv6')
-rw-r--r-- | share/examples/IPv6/USAGE | 629 |
1 files changed, 629 insertions, 0 deletions
diff --git a/share/examples/IPv6/USAGE b/share/examples/IPv6/USAGE new file mode 100644 index 0000000..f9122c2 --- /dev/null +++ b/share/examples/IPv6/USAGE 
@@ -0,0 +1,629 @@ + USAGE + + KAME Project + http://www.kame.net/newsletter/ + $FreeBSD$ + +This is a introduction of how to use the commands provided in the KAME +kit. For more information, please refer to each man page. + +<<<ifconfig>>> + +A link-local address is automatically assigned to each interface, when +the interface becomes up for the first time. Even if you find an interface +without a link-local address, do not panic. The link-local address will be +assigned when it becomes up (with "ifconfig IF up"). + +Some network drivers allow an interface to become up even without a +hardware address (for example, PCMCIA network cards). In such cases, it is +possible that an interface has no link-local address even if the +interface is up. If you see such situation, please disable the +interface once and then re-enable it (i.e. do `ifconfig IF down; +ifconfig IF up'). + +Pseudo interfaces (like "gif" tunnel device) will borrow IPv6 interface +identifier (lowermost 64bit of the address) from EUI64/IEEE802 sources, +like ethernet cards. Pseudo interfaces will be able to get IPv6 link-local +address, if you have other "real" interface configured beforehand. +If you have no EUI64/IEEE802 sources on the node, you may need to configure +link-local address manually. Though we have last-resort code in the kernel, +which generates interface identifier from MD5(hostname), it may not suitable +for your usage (for example, if you configure same hostname on both sides +of gif tunnel, you will be doomed). + +If you have a router announcing Router Advertisement, +global addresses will be assigned automatically. So, "ifconfig" is not +necessary for your *host*. (Please refer to "sysctl" section for configuring +a host to accept Router Advertisement.) + +If you want to set up a router, you need to assign global addresses +for two or more interfaces by "ifconfig" or "prefix". 
(prefix command +is described at next section) +If you want to assign a global address by "ifconfig", don't forget to +specify the "alias" argument to keep the link-local address. + +# ifconfig de0 inet6 fec0:0:0:1000:200:f8ff:fe01:6317 alias +# ifconfig de0 +de0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500 + inet 172.16.202.12 netmask 0xffffff00 broadcast 172.16.202.255 + inet6 fe80::200:f8ff:fe01:6317%de0 prefixlen 64 + inet6 fec0:0:0:1000:200:f8ff:fe01:6317 prefixlen 64 + inet6 fec0:0:0:1000:: prefixlen 64 anycast + ether 00:00:f8:01:63:17 + media: autoselect (10baseT/UTP) status: active + supported media: autoselect 100baseTX <full-duplex> 100baseTX 10baseT/UTP <full-duplex> 10baseT/UTP + +See also "/etc/rc.network6" for actual examples. + +<<prefix>> + +In IPv6 architecture, an IPv6 address of an interface can be generated +from a prefix assigned to it, and a link-dependent identifier for the +interface. Assigning a full IPv6 address by ifconfig is not +necessary anymore, because, user can only take care of prefix, by letting +system take care of interface identifier. + +The newly added "prefix" command enables user to just assign prefixes +for interfaces, and let your system automatically generate IPv6 +addresses. Prefixes added by the "prefix" command is maintained in +the kernel consistently with prefixes assigned by Router +Renumbering(in case of routers). + +But "prefix" command can only be used on router, because host should be +able to configure its addr automatically. Prefixes added by the "prefix" +command are maintained independently from prefixes assigned by +Router Advertisement. Those two type of prefixes should not coexist on +a machine at the same time, and when it happens, it is considered to be +miss configuration. + +Manual assignment of prefixes or change of prefix properties take +precedence over ones assigned by Router Renumbering. 
+ +If you want to assign a prefix(and consequently an address) manually, do +as follows: + +# prefix de0 fec0:0:0:1000:: +# ifconfig de0 +de0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500 + inet 172.16.202.12 netmask 0xffffff00 broadcast 172.16.202.255 + inet6 fe80:1::200:f8ff:fe01:6317 prefixlen 64 + inet6 fec0:0:0:1000:200:f8ff:fe01:6317 prefixlen 64 + inet6 fec0:0:0:1000:: prefixlen 64 anycast + ether 00:00:f8:01:63:17 + media: autoselect (10baseT/UTP) status: active + supported media: autoselect 100baseTX <full-duplex> 100baseTX 10baseT/UTP <full-duplex> 10baseT/UTP + +To check assigned prefix, use the "ndp" command. (See description of +ndp command about its usage) + +# ndp -p +fec0:0:0:1000::/64 if=de0 + flags=LA, vltime=2592000, pltime=604800, expire=Never + No advertising router + +The "prefix" command also has node internal prefix renumbering +ability. + +If you have multiple prefixes which have fec0:0:0:1000:/56 at the top, +and would like to renumber them to fec0:0:0:2000:/56, then use the +"prefix" command with the "matchpr" argument and the "usepr" argument. 
+ +Suppose that current state of before renumbering as follows: + +# ifconfig de0 +de0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500 + inet 172.16.202.12 netmask 0xffffff00 broadcast 172.16.202.255 + inet6 fe80:1::200:f8ff:fe01:6317 prefixlen 64 + inet6 fec0:0:0:1000:200:f8ff:fe01:6317 prefixlen 64 + inet6 fec0:0:0:1000:: prefixlen 64 anycast + ether 00:00:f8:01:63:17 + media: autoselect (10baseT/UTP) status: active + supported media: autoselect 100baseTX <full-duplex> 100baseTX 10baseT/UTP <full-duplex> 10baseT/UTP + +# ifconfig de1 +de1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500 + inet 172.16.203.12 netmask 0xffffff00 broadcast 172.16.203.255 + inet6 fe80:1::200:f8ff:fe55:7011 prefixlen 64 + inet6 fec0:0:0:1001:200:f8ff:fe55:7011 prefixlen 64 + inet6 fec0:0:0:1001:: prefixlen 64 anycast + ether 00:00:f8:55:70:11 + media: autoselect (10baseT/UTP) status: active + supported media: autoselect 100baseTX <full-duplex> 100baseTX 10baseT/UTP <full-duplex> 10baseT/UTP + +# ndp -p +fec0:0:0:1000::/64 if=de0 + flags=LA, vltime=2592000, pltime=604800, expire=Never + No advertising router +fec0:0:0:1001::/64 if=de1 + flags=LA, vltime=2592000, pltime=604800, expire=Never + No advertising router + +Then do as follows: + +# prefix -a matchpr fec0:0:0:1000:: mp_len 56 usepr fec0:0:0:2000:: up_uselen 56 change + +If command is successful, prefixes and addresses will be renumbered as +follows. 
+ +# ifconfig de0 +de0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500 + inet 172.16.202.12 netmask 0xffffff00 broadcast 172.16.202.255 + inet6 fe80:1::200:f8ff:fe01:6317 prefixlen 64 + inet6 fec0:0:0:2000:200:f8ff:fe01:6317 prefixlen 64 + inet6 fec0:0:0:2000:: prefixlen 64 anycast + ether 00:00:f8:01:63:17 + media: autoselect (10baseT/UTP) status: active + supported media: autoselect 100baseTX <full-duplex> 100baseTX 10baseT/UTP <full-duplex> 10baseT/UTP +# ifconfig de1 +de1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500 + inet 172.16.203.12 netmask 0xffffff00 broadcast 172.16.203.255 + inet6 fe80:1::200:f8ff:fe55:7011 prefixlen 64 + inet6 fec0:0:0:2001:200:f8ff:fe55:7011 prefixlen 64 + inet6 fec0:0:0:2001:: prefixlen 64 anycast + ether 00:00:f8:55:70:11 + media: autoselect (10baseT/UTP) status: active + supported media: autoselect 100baseTX <full-duplex> 100baseTX 10baseT/UTP <full-duplex> 10baseT/UTP +# ndp -p +fec0:0:0:2000::/64 if=de0 + flags=LA, vltime=2592000, pltime=604800, expire=Never + No advertising router +fec0:0:0:2001::/64 if=de1 + flags=LA, vltime=2592000, pltime=604800, expire=Never + No advertising router + +See also "/etc/rc.network6" for actual examples. + +<<<route>>> + +If there is a router announcing Router Advertisement on the subnet, +you don't need to add a default route for your host by yourself. +(Please refer to "sysctl" section to accept Router Advertisement.) + +If you want to add a default route manually, do as follows: + +# route add -inet6 default fe80::200:a2ff:fe0e:7543%de0 + +"default" means ::/0. + +Note that, in IPv6, link-local address should be used as gateway +("fe80::200:a2ff:fe0e:7543%de1" in the above). If you use global addresses, +icmp6 redirect may not work properly. For ease of configuration we recommend +you to avoid static routes and run a routing daemon (route6d for example) +instead. + +<<<ping6>>> (This might be integrated into "ping" as "ping -6" in the future.) 
+ +Reachability can be checked by "ping6". This "ping6" allows multicast +for its argument. + +% ping6 -I xl0 ff02::1 +or +% ping6 ff02::1%xl0 + +PING6(56=40+8+8 bytes) fe80::5254:ff:feda:cb7d --> ff02::1 +56 bytes from fe80::5254:ff:feda:cb7d, icmp_seq=0 hlim=64 time=0.25 ms +56 bytes from fe80::2a0:c9ff:fe84:ed6c, icmp_seq=0 hlim=64 time=1.333 ms(DUP!) +56 bytes from fe80::5254:ff:feda:d161, icmp_seq=0 hlim=64 time=1.459 ms(DUP!) +56 bytes from fe80::260:97ff:fec2:80bf, icmp_seq=0 hlim=64 time=1.538 ms(DUP!) + +<<<ping6 -w>>> + +Name resolution is possible by ICMPv6 node information query message. +This is very convenient for link-local addresses whose host name cannot be +resolved by DNS. Specify the "-w" option to "ping6". + +% ping6 -I xl0 -w ff02::1 + +64 bytes from fe80::5254:ff:feda:cb7d: fto.kame.net +67 bytes from fe80::5254:ff:feda:d161: banana.kame.net +69 bytes from fe80::2a0:c9ff:fe84:ebd9: paradise.kame.net +66 bytes from fe80::260:8ff:fe8b:447f: taroh.kame.net +66 bytes from fe80::2a0:c9ff:fe84:ed6c: ayame.kame.net + +<<<traceroute6>>> + +The route for a target host can be checked by "traceroute6". + +% traceroute6 tokyo.v6.wide.ad.jp + +traceroute to tokyo.v6.wide.ad.jp (3ffe:501:0:401:200:e8ff:fed5:8923), 30 hops max, 12 byte packets + 1 nr60.v6.kame.net 1.239 ms 0.924 ms 0.908 ms + 2 otemachi.v6.wide.ad.jp 28.953 ms 31.451 ms 26.567 ms + 3 tokyo.v6.wide.ad.jp 26.549 ms 26.58 ms 26.186 ms + +If the -l option is specified, both address and name are shown in each line. 
+% traceroute6 -l tokyo.v6.wide.ad.jp + +traceroute to tokyo.v6.wide.ad.jp (3ffe:501:0:401:200:e8ff:fed5:8923), 30 hops max, 12 byte packets + 1 nr60.v6.kame.net (3ffe:501:4819:2000:260:97ff:fec2:80bf) 1.23 ms 0.952 ms 0.92 ms + 2 otemachi.v6.wide.ad.jp (3ffe:501:0:1802:260:97ff:feb6:7ff0) 27.345 ms 26.706 ms 26.563 ms + 3 tokyo.v6.wide.ad.jp (3ffe:501:0:401:200:e8ff:fed5:8923) 26.329 ms 26.36 ms 28.63 ms + +<<<ndp>>> + +To display the current Neighbor cache, use "ndp": + +% ndp -a +Neighbor Linklayer Address Netif Expire St Flgs Prbs +nr60.v6.kame.net 0:60:97:c2:80:bf xl0 expired S R +fec0:0:0:1000:2c0:cff:fe10 0:c0:c:10:3a:53 xl0 permanent R +paradise.v6.kame.net 52:54:0:dc:52:17 xl0 expired S R +fe80:1::200:eff:fe49:f929 0:0:e:49:f9:29 xl0 expired S R +fe80:1::200:86ff:fe05:80da 0:0:86:5:80:da xl0 expired S +fe80:1::200:86ff:fe05:c2d8 0:0:86:5:c2:d8 xl0 9s R + +To flush the all NDP cache, execute the following by root. + +# ndp -c + +To display the prefix list. + +% ndp -p +fec0:0:0::1000::/64 if=xl0 + flags=LA, vltime=2592000, pltime=604800, expire=29d23h59m58s + advertised by + fe80::5254:ff:fedc:5217 + fe80::260:97ff:fec2:80bf + fe80::200:eff:fe49:f929 + +To display the default router list. + +% ndp -r +fe80::260:97ff:fec2:80bf if=xl0, flags=, expire=29m55s +fe80::5254:ff:fedc:5217 if=xl0, flags=, expire=29m7s +fe80::200:eff:fe49:f929 if=xl0, flags=, expire=28m47s + +<<<rtsol>>> + +To generate a Router Solicitation message right now to get global +addresses, use "rtsol". 
+ +# ifconfig xl0 +xl0: flags=8a43<UP,BROADCAST,RUNNING,ALLMULTI,SIMPLEX,MULTICAST> mtu 1500 + inet6 fe80:2::2a0:24ff:feab:839b%xl0 prefixlen 64 + ether 0:a0:24:ab:83:9b + media: autoselect (10baseT/UTP) status: active + supported media: autoselect 100baseTX <full-duplex> 100baseTX 10baseT/UTP <full-duplex> 10baseT/UTP 100baseTX <hw-loopback> + +# rtsol xl0 +# ifconfig xl0 +xl0: flags=8a43<UP,BROADCAST,RUNNING,ALLMULTI,SIMPLEX,MULTICAST> mtu 1500 + inet6 fe80:2::2a0:24ff:feab:839b%xl0 prefixlen 64 + inet6 fec0:0:0:1000:2a0:24ff:feab:839b prefixlen 64 + ether 0:a0:24:ab:83:9b + media: autoselect (10baseT/UTP) status: active + supported media: autoselect 100baseTX <full-duplex> 100baseTX 10baseT/UTP <full-duplex> 10baseT/UTP 100baseTX <hw-loopback> + + +<<<rtsold>>> + +rtsold is a daemon version of rtsol. If you run KAME IPv6 on a laptop +computer and frequently move with it, the daemon is useful since it watches +the interface and sends router solicitations when the status of the interface +changes. Note, however, that the feature is disabled by default. Please +add -m option at invocation of rtsold. + +rtsold also supports multiple interfaces. For example, you can +invoke the daemon as follows: +# rtsold -m ep0 cnw0 + +<<<netstat>>> + +To see routing table: + +# netstat -nr +# netstat -nrl (long format with Ref and Use) + +<<<sysctl>>> + +If "net.inet6.ip6.accept_rtadv" is 1, Router Advertisement is +accepted. This means that global addresses and default route are +automatically set up. Otherwise, the announcement is rejected. The +default value is 0. To set "net.inet6.ip6.accept_rtadv" to 1, execute +as follows: + +# sysctl -w net.inet6.ip6.accept_rtadv=1 + +<<<gifconfig>>> + +"gif" interface enables you to perform IPv{4,6} over IPv{4,6} +protocol tunneling. 
To use this interface, you must specify the +outer IPv{4,6} address by using gifconfig, like: + +# gifconfig gif0 172.16.198.61 172.16.11.21 + +"ifconfig gif0" will configure the address pair used for inner +IPv{4,6} header. + +It is not required to configure inner IPv{4,6} address pair. If +you do not configure inner IPv{4,6} address pair, tunnel link is +considered as un-numbered link and the source address of inner +IPv{4,6} address pair will be borrowed from other interfaces. + +The following example configures un-numbered IPv6-over-IPv4 tunnel: +# gifconfig gif0 10.0.0.1 10.0.0.1 netmask 255.255.255.0 + +The following example configures numbered IPv6-over-IPv4 tunnel: +# gifconfig gif0 10.0.0.1 10.0.0.1 netmask 255.255.255.0 +# ifconfig gif0 inet6 fec0:0:0:3000::1 fec0:0:0:3000::2 prefixlen 64 alias + +IPv6 spec allows you to use point-to-point link without global IPv6 +address assigned to the interface. Routing protocol (such as RIPng) +uses link-local addresses only. If you are to configure IPv6-over-IPv4 +tunnel, you need not to configure an address pair for inner IPv6 +header. We suggest you to use the former example (un-numbered +IPv6-over-IPv4 tunnel) to connect to 6bone for simplicity, +for router to router connection. + +Note that it is so easy to make an infinite routing loop using gif +interface, if you configure a tunnel using the same protocol family +for inner and outer header (i.e. IPv4-over-IPv4). + +Refer to gifconfig(8) for more details. + +<<<inetd>>> + +Inetd supports AF_INET and AF_INET6 sockets, with IPsec policy +configuration support. + +Refer to inetd(8) for more details. + +<<<IPsec>>> + +The current KAME supports both transport mode and tunnel mode. +However, tunnel mode comes with some restrictions. +http://www.kame.net/newsletter/ has more comprehensive examples. + +Let's setup security association to deploy a secure channel between +HOST A (10.2.3.4) and HOST B (10.6.7.8). Here we show a little +complicated example. 
From HOST A to HOST B, only old AH is used. +From HOST B to HOST A, new AH and new ESP are combined. + +Now we should choose algorithm to be used corresponding to "AH"/"new +AH"/"ESP"/"new ESP". Please refer to the "setkey" man page to know +algorithm names. Our choice is MD5 for AH, new-HMAC-SHA1 for new AH, +and new-DES-expIV with 8 byte IV for new ESP. + +Key length highly depends on each algorithm. For example, key +length must be equal to 16 bytes for MD5, 20 for new-HMAC-SHA1, +and 8 for new-DES-expIV. Now we choose "MYSECRETMYSECRET", +"KAMEKAMEKAMEKAMEKAME", "PASSWORD", respectively. + +OK, let's assign SPI (Security Parameter Index) for each protocol. +Please note that we need 3 SPIs for this secure channel since three +security headers are produced (one for from HOST A to HOST B, two for +from HOST B to HOST A). Please also note that SPI MUST be greater +than or equal to 256. We choose, 1000, 2000, and 3000, respectively. + + + (1) + HOST A ------> HOST B + + (1)PROTO=AH + ALG=MD5(RFC1826) + KEY=MYSECRETMYSECRET + SPI=1000 + + (2.1) + HOST A <------ HOST B + <------ + (2.2) + + (2.1) + PROTO=AH + ALG=new-HMAC-SHA1(new AH) + KEY=KAMEKAMEKAMEKAMEKAME + SPI=2000 + + (2.2) + PROTO=ESP + ALG=new-DES-expIV(new ESP) + IV length = 8 + KEY=PASSWORD + SPI=3000 + +Now, let's setup security association. Execute "setkey" on both HOST +A and B: + +# setkey -c +add 10.2.3.4 10.6.7.8 ah 1000 -m transport -A keyed-md5 "MYSECRETMYSECRET" ; +add 10.6.7.8 10.2.3.4 ah 2000 -m transport -A hmac-sha1 "KAMEKAMEKAMEKAMEKAME" ; +add 10.6.7.8 10.2.3.4 esp 3000 -m transport -E des-cbc "PASSWORD" ; +^D + +Actually, IPsec communication doesn't process until security policy +entries will be defined. In this case, you must setup each host. 
+ +At A: +# setkey -c +spdadd 10.2.3.4 10.6.7.8 any -P out ipsec + ah/transport/10.2.3.4-10.6.7.8/require ; +^D + +At B: +spdadd 10.6.7.8 10.2.3.4 any -P out ipsec + esp/transport/10.6.7.8-10.2.3.4/require ; +spdadd 10.6.7.8 10.2.3.4 any -P out ipsec + ah/transport/10.6.7.8-10.2.3.4/require ; +^D + +To utilize the security associations installed into the kernel, you +must set the socket security level by using setsockopt(). +This is per-application (or per-socket) security. For example, +the "ping" command has the -P option with parameter to enable AH and/or ESP. + +For example: +% ping -P "out ipsec \ + ah/transport/10.0.1.1-10.0.2.2/use \ + esp/tunnel/10.0.1.1-10.0.1.2/require" 10.0.2.2 + +If there are proper SAs, this policy specification causes ICMP packet +to be AH transport mode inner ESP tunnel mode like below. + + HOST C -----------> GATEWAY D ----------> HOST E + 10.0.1.1 10.0.1.2 10.0.2.1 10.0.2.2 + | | | | + | ======= ESP ======= | + ==================== AH ================== + + + +Another example using IPv6. + +ESP transport mode is recommended for TCP port number 110 between Host-A and +Host-B. + + ============ ESP ============ + | | + Host-A Host-B + fec0::10 -------------------- fec0::11 + +Encryption algorithm is blowfish-cbc whose key is "kamekame", and +authentication algorithm is hmac-sha1 whose key is "this is the test key". 
+Configuration at Host-A: + + # setkey -c <<EOF + spdadd fec0::10[any] fec0::11[110] tcp -P out ipsec + esp/transport/fec0::10-fec0::11/use ; + spdadd fec0::11[110] fec0::10[any] tcp -P in ipsec + esp/transport/fec0::11-fec0::10/use ; + add fec0::10 fec0::11 esp 0x10001 + -m transport + -E blowfish-cbc "kamekame" + -A hmac-sha1 "this is the test key" ; + add fec0::11 fec0::10 esp 0x10002 + -m transport + -E blowfish-cbc "kamekame" + -A hmac-sha1 "this is the test key" ; + EOF + +and at Host-B: + + # setkey -c <<EOF + spdadd fec0::11[110] fec0::10[any] tcp -P out ipsec + esp/transport/fec0::11-fec0::10/use ; + spdadd fec0::10[any] fec0::11[110] tcp -P in ipsec + esp/transport/fec0::10-fec0::11/use ; + add fec0::10 fec0::11 esp 0x10001 -m transport + -E blowfish-cbc "kamekame" + -A hmac-sha1 "this is the test key" ; + add fec0::11 fec0::10 esp 0x10002 -m transport + -E blowfish-cbc "kamekame" + -A hmac-sha1 "this is the test key" ; + EOF + +Note the direction of SP. + + +Tunnel mode between two security gateways + +Security protocol is old AH tunnel mode, i.e. specified by RFC1826, with +keyed-md5 whose key is "this is the test" as authentication algorithm. + + ======= AH ======= + | | + Network-A Gateway-A Gateway-B Network-B + 10.0.1.0/24 ---- 172.16.0.1 ----- 172.16.0.2 ---- 10.0.2.0/24 + +Configuration at Gateway-A: + + # setkey -c <<EOF + spdadd 10.0.1.0/24 10.0.2.0/24 any -P out ipsec + ah/tunnel/172.16.0.1-172.16.0.2/require ; + spdadd 10.0.2.0/24 10.0.1.0/24 any -P in ipsec + ah/tunnel/172.16.0.2-172.16.0.1/require ; + add 172.16.0.1 172.16.0.2 ah-old 0x10003 -m any + -A keyed-md5 "this is the test" ; + add 172.16.0.2 172.16.0.1 ah-old 0x10004 -m any + -A keyed-md5 "this is the test" ; + +If port number field is omitted such above then "[any]" is employed. `-m' +specifies the mode of SA to be used. "-m any" means wild-card of mode of +security protocol. You can use this SA for both tunnel and transport mode. 
+ +and at Gateway-B: + + # setkey -c <<EOF + spdadd 10.0.2.0/24 10.0.1.0/24 any -P out ipsec + ah/tunnel/172.16.0.2-172.16.0.1/require ; + spdadd 10.0.1.0/24 10.0.2.0/24 any -P in ipsec + ah/tunnel/172.16.0.1-172.16.0.2/require ; + add 172.16.0.1 172.16.0.2 ah-old 0x10003 -m any + -A keyed-md5 "this is the test" ; + add 172.16.0.2 172.16.0.1 ah-old 0x10004 -m any + -A keyed-md5 "this is the test" ; + + +Making SA bundle between two security gateways + +AH transport mode and ESP tunnel mode is required between Gateway-A and +Gateway-B. In this case, ESP tunnel mode is applied first, and AH transport +mode is next. + + ========== AH ========= + | ======= ESP ===== | + | | | | + Network-A Gateway-A Gateway-B Network-B + fec0:0:0:1::/64 --- fec0:0:0:1::1 ---- fec0:0:0:2::1 --- fec0:0:0:2::/64 + +Encryption algorithm is 3des-cbc, and authentication algorithm for ESP is +hmac-sha1. Authentication algorithm for AH is hmac-md5. +Configuration at Gateway-A: + + # setkey -c <<EOF + spdadd fec0:0:0:1::/64 fec0:0:0:2::/64 any -P out ipsec + esp/tunnel/fec0:0:0:1::1-fec0:0:0:2::1/require + ah/transport/fec0:0:0:1::1-fec0:0:0:2::1/require ; + spdadd fec0:0:0:2::/64 fec0:0:0:1::/64 any -P in ipsec + esp/tunnel/fec0:0:0:2::1-fec0:0:0:1::1/require + ah/transport/fec0:0:0:2::1-fec0:0:0:1::1/require ; + add fec0:0:0:1::1 fec0:0:0:2::1 esp 0x10001 -m tunnel + -E 3des-cbc "kamekame12341234kame1234" + -A hmac-sha1 "this is the test key" ; + add fec0:0:0:1::1 fec0:0:0:2::1 ah 0x10001 -m transport + -A hmac-md5 "this is the test" ; + add fec0:0:0:2::1 fec0:0:0:1::1 esp 0x10001 -m tunnel + -E 3des-cbc "kamekame12341234kame1234" + -A hmac-sha1 "this is the test key" ; + add fec0:0:0:2::1 fec0:0:0:1::1 ah 0x10001 -m transport + -A hmac-md5 "this is the test" ; + + +Making SAs with the different end + +ESP tunnel mode is required between Host-A and Gateway-A. Encryption +algorithm is cast128-cbc, and authentication algorithm for ESP is hmac-sha1. 
+ESP transport mode is recommended between Host-A and Host-B. Encryption +algorithm is rc5-cbc, and authentication algorithm for ESP is hmac-md5. + + ================== ESP ================= + | ======= ESP ======= | + | | | | + Host-A Gateway-A Host-B + fec0:0:0:1::1 ---- fec0:0:0:2::1 ---- fec0:0:0:2::2 + +Configuration at Host-A: + + # setkey -c <<EOF + spdadd fec0:0:0:1::1[any] fec0:0:0:2::2[80] tcp -P out ipsec + esp/transport/fec0:0:0:1::1-fec0:0:0:2::2/use + esp/tunnel/fec0:0:0:1::1-fec0:0:0:2::1/require ; + spdadd fec0:0:0:2::1[80] fec0:0:0:1::1[any] tcp -P in ipsec + esp/transport/fec0:0:0:2::2-fec0:0:0:l::1/use + esp/tunnel/fec0:0:0:2::1-fec0:0:0:1::1/require ; + add fec0:0:0:1::1 fec0:0:0:2::2 esp 0x10001 + -m transport + -E cast128-cbc "12341234" + -A hmac-sha1 "this is the test key" ; + add fec0:0:0:1::1 fec0:0:0:2::1 esp 0x10002 + -E rc5-cbc "kamekame" + -A hmac-md5 "this is the test" ; + add fec0:0:0:2::2 fec0:0:0:1::1 esp 0x10003 + -m transport + -E cast128-cbc "12341234" + -A hmac-sha1 "this is the test key" ; + add fec0:0:0:2::1 fec0:0:0:1::1 esp 0x10004 + -E rc5-cbc "kamekame" + -A hmac-md5 "this is the test" ; + + <end of USAGE> |
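Review bot: In the final "Making SAs with the different end" example at Host-A, the inbound policy line `esp/transport/fec0:0:0:2::2-fec0:0:0:l::1/use` has a lowercase letter "l" where the digit "1" belongs in the destination address, so setkey will report a parse error on that line; it should read `fec0:0:0:1::1`. In the same block, the inbound selector `spdadd fec0:0:0:2::1[80] fec0:0:0:1::1[any] tcp -P in ipsec` names Gateway-A (fec0:0:0:2::1) as the TCP source, while the matching outbound policy and both ESP transport SAs use Host-B (fec0:0:0:2::2); the source should be `fec0:0:0:2::2[80]` so the inbound policy mirrors the outbound one. Two smaller points: the last four `setkey -c <<EOF` blocks (Gateway-A and Gateway-B tunnel mode, the SA bundle, and the different-end example) never close the heredoc with a terminating `EOF` line, unlike the two Host-A/Host-B blocks before them, so they cannot be pasted as shown; and in the ndp section the prefix list output shows `fec0:0:0::1000::/64`, which contains two `::` and is not a valid IPv6 prefix (the rest of the file uses `fec0:0:0:1000::/64`).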