Listening on a divert socket requires root privileges. After the daemon is started, you have to configure ipfw to divert the traffic to be protected to the daemon's divert port (12345 by default). For example, to divert outbound TCP and UDP traffic from host fc00::dc to fc00::ac, and inbound ESP traffic from fc00::ac, you can use the following ipfw commands:
    ipfw add divert 12345 esp from fc00::ac to fc00::dc
    ipfw add divert 12345 { tcp or udp } from fc00::dc to fc00::ac
Security associations and policies are then configured by sending commands to the daemon's control socket (esper.sock in this example), one command per line, each terminated by CRLF:

    $ echo "
    flush ;
    spdflush ;
    add fc00::ac fc00::dc esp 0x12345678 -u 123 -E aes-gcm-16 0xd3537e657fde5599a2804fbb52d1aaed94b65d3e ;
    add fc00::dc fc00::ac esp 0x12345679 -u 234 -E aes-gcm-16 0x9a2dae68e475eacb39d41f23c3cbef890e9f6276 tfc:1320 ;
    add fc00::123 fc00::234 esp 0x12345680 -u 345 -E aes-gcm-16-esn 0xd3537e657fde5599a2804fbb52d1aaed94b65d3d tfc:1320 ;
    spdadd fc00::ac/128 fc00::dc/128 tcp -P in ipsec esp/transport//unique:123 ;
    spdadd fc00::ac/128 fc00::dc/128 udp -P in ipsec esp/transport//unique:123 ;
    spdadd fc00::dc/128 fc00::ac/128 tcp -P out ipsec esp/transport//unique:234 ;
    spdadd fc00::dc/128 fc00::ac/128 udp -P out ipsec esp/transport//unique:234 ;
    dump ;
    spddump ;
    " | while read cmd; do
        # skip blank lines; pass the command as a printf argument, not as the format string
        [ -z "$cmd" ] || printf '%s\r\n' "$cmd" | socat - UNIX-CONNECT:esper.sock
    done
and ESPER will print the result of each command:
    OK
    [...]
    OK
    SA ID:123 fc00::ac -> fc00::dc SPI:12345678 SEQ:0x00000000 AES-GCM-16-128
    SA ID:234 fc00::dc -> fc00::ac SPI:12345679 SEQ:0x00000000 AES-GCM-16-128
    SA ID:345 fc00::123 -> fc00::234 SPI:12345680 SEQ:0x0000000000000000 TFC:1320 AES-GCM-16-128
    SP fc00::ac/128[0] -> fc00::dc/128[0] PROTO:6 IN TRANSPORT SAID:123
    SP fc00::ac/128[0] -> fc00::dc/128[0] PROTO:17 IN TRANSPORT SAID:123
    SP fc00::dc/128[0] -> fc00::ac/128[0] PROTO:6 OUT TRANSPORT SAID:234
    SP fc00::dc/128[0] -> fc00::ac/128[0] PROTO:17 OUT TRANSPORT SAID:234
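The dump/spddump output is the natural place to sanity-check a configuration before traffic is diverted: every SP should name an SA whose endpoints match the selector, and an SA that no SP references (SA 345 above) is a leftover worth flagging. The following script is an added example, not part of ESPER; it parses the output layout shown above (the regexes assume that layout stays as printed) and reports such mismatches.

```python
import re

# Constructed sample: the dump/spddump lines ESPER printed above, one entry per line.
ESPER_DUMP = """\
SA ID:123 fc00::ac -> fc00::dc SPI:12345678 SEQ:0x00000000 AES-GCM-16-128
SA ID:234 fc00::dc -> fc00::ac SPI:12345679 SEQ:0x00000000 AES-GCM-16-128
SA ID:345 fc00::123 -> fc00::234 SPI:12345680 SEQ:0x0000000000000000 TFC:1320 AES-GCM-16-128
SP fc00::ac/128[0] -> fc00::dc/128[0] PROTO:6 IN TRANSPORT SAID:123
SP fc00::ac/128[0] -> fc00::dc/128[0] PROTO:17 IN TRANSPORT SAID:123
SP fc00::dc/128[0] -> fc00::ac/128[0] PROTO:6 OUT TRANSPORT SAID:234
SP fc00::dc/128[0] -> fc00::ac/128[0] PROTO:17 OUT TRANSPORT SAID:234
"""

# Field layout is taken from the output shown above; assuming it is stable is our
# assumption, not a documented ESPER format.
SA_RE = re.compile(r"^SA ID:(\d+) (\S+) -> (\S+) SPI:([0-9a-f]+) SEQ:0x([0-9a-f]+)"
                   r"(?: TFC:(\d+))? (\S+)$", re.I)
SP_RE = re.compile(r"^SP (\S+)/\d+\[\d+\] -> (\S+)/\d+\[\d+\] PROTO:(\d+) (IN|OUT) (\S+) SAID:(\d+)$")


def parse_dump(text):
    """Split ESPER dump output into {sa_id: sa_dict} and a list of SP dicts."""
    sas, sps = {}, []
    for line in text.splitlines():
        if m := SA_RE.match(line):
            sa_id, src, dst, spi, seq, tfc, alg = m.groups()
            sas[int(sa_id)] = {"src": src, "dst": dst, "spi": int(spi, 16), "alg": alg,
                               # a 64-bit SEQ field is how an -esn SA shows up in the dump
                               "esn": len(seq) == 16, "tfc": int(tfc) if tfc else 0}
        elif m := SP_RE.match(line):
            src, dst, proto, direction, mode, said = m.groups()
            sps.append({"src": src, "dst": dst, "proto": int(proto),
                        "dir": direction, "mode": mode, "said": int(said)})
    return sas, sps


def check_policy(sas, sps):
    """Cross-check SPD against SAD: each SP must reference an existing SA whose
    endpoints equal the SP selector; unreferenced SAs are reported as leftovers."""
    problems = []
    for sp in sps:
        sa = sas.get(sp["said"])
        if sa is None:
            problems.append(f"SP {sp['src']} -> {sp['dst']} references missing SA {sp['said']}")
        elif (sa["src"], sa["dst"]) != (sp["src"], sp["dst"]):
            problems.append(f"SA {sp['said']} endpoints do not match SP {sp['src']} -> {sp['dst']}")
    for sa_id in sorted(sas):
        if all(sp["said"] != sa_id for sp in sps):
            problems.append(f"SA {sa_id} is not referenced by any SP")
    return problems


if __name__ == "__main__":
    for problem in check_policy(*parse_dump(ESPER_DUMP)):
        print(problem)
```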