Aren
/
NetBSD
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Improve english, improve formatting, sort options.

This commit is contained in:
wiz 2005-04-15 10:58:11 +00:00
parent aff82fa50e
commit 0f822df19c
7 changed files with 444 additions and 421 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

114
crypto/dist/ipsec-tools/src/libipsec/ipsec_set_policy.3 vendored
View File

@ -1,4 +1,4 @@
.\" $NetBSD: ipsec_set_policy.3,v 1.8 2005/04/14 10:30:28 wiz Exp $
.\" $NetBSD: ipsec_set_policy.3,v 1.9 2005/04/15 10:58:11 wiz Exp $
.\"
.\" $KAME: ipsec_set_policy.3,v 1.16 2003/01/06 21:59:03 sumikawa Exp $
.\"
@ -36,7 +36,7 @@
.Nm ipsec_set_policy ,
.Nm ipsec_get_policylen ,
.Nm ipsec_dump_policy
.Nd manipulate IPsec policy specification structure from readable string
.Nd manipulate IPsec policy specification structure from human-readable policy string
.\"
.Sh LIBRARY
.Lb libipsec
@ -50,32 +50,31 @@
.Fn ipsec_dump_policy "char *buf" "char *delim"
.Sh DESCRIPTION
.Fn ipsec_set_policy
generates IPsec policy specification structure, namely
generates an IPsec policy specification structure, namely
.Li struct sadb_x_policy
and/or
.Li struct sadb_x_ipsecrequest
from human-readable policy specification.
policy specification must be given as C string
from a human-readable policy specification.
The policy specification must be given as a C string
.Fa policy
and length
.Fa len
of
.Fa policy .
and its length
.Fa len .
.Fn ipsec_set_policy
will return the buffer of IPsec policy specification structure.
The buffer is dynamically allocated, and must be freed by the caller by calling
.Xr free 3 .
will return a buffer with the corresponding IPsec policy specification structure.
The buffer is dynamically allocated, and must be
.Xr free 3 Ap d
by the caller.
.Pp
You may want the length of the generated buffer such when calling
.Xr setsockopt 2 .
You can get the length of the generated buffer with
.Fn ipsec_get_policylen
will return the length.
(i.e. for calling
.Xr setsockopt 2 ) .
.Pp
.Fn ipsec_dump_policy
converts IPsec policy structure into readable form.
converts an IPsec policy structure into human-readable form.
Therefore,
.Fn ipsec_dump_policy
can be regarded as inverse conversion of
can be regarded as the inverse function to
.Fn ipsec_set_policy .
.Fa buf
points to an IPsec policy structure,
@ -86,11 +85,12 @@ If you set
.Fa delim
to
.Dv NULL ,
single whitespace is assumed.
a single whitespace is assumed.
.Fn ipsec_dump_policy
returns pointer to dynamically allocated string.
It is caller's responsibility to reclaim the region, by using
.Xr free 3 .
returns a pointer to a dynamically allocated string.
It is the caller's responsibility to
.Xr free 3
it.
.Pp
.Fa policy
is formatted as either of the following:
@ -98,22 +98,21 @@ is formatted as either of the following:
.It Ar direction [priority specification] Li discard
.Ar direction
must be
.Li in
,
.Li out
.Li in ,
.Li out ,
or
.Li fwd .
.Ar direction
specifies which direction the policy needs to be applied.
Nonstandard direction
.Ar fwd
specifies in which direction the policy needs to be applied.
The non-standard direction
.Li fwd
is substituted with
.Ar in
.Li in
on platforms which do not support forward policies.
.Pp
.Ar priority specification
is used to control the placement of the policy within the SPD.
Policy position is determined by
The policy position is determined by
a signed integer where higher priorities indicate the policy is placed
closer to the beginning of the list and lower priorities indicate the
policy is placed closer to the end of the list.
@ -122,14 +121,14 @@ priorities are added at the end of the group of such policies.
.Pp
Priority can only
be specified when libipsec has been compiled against kernel headers that
support policy priorities (>= 2.6.6).
support policy priorities (Linux \*[Gt]= 2.6.6).
It takes one of the following formats:
.Bl -tag -width "discard"
.It Xo
.Ar {priority,prio} offset
.Xc
.Ar offset
is an integer in ranges -2147483647..214783648.
is an integer in the range -2147483647..214783648.
.It Xo
.Ar {priority,prio} base {+,-} offset
.Xc
@ -138,7 +137,7 @@ is either
.Li low (-1073741824) ,
.Li def (0) ,
or
.Li high (1073741824)
.Li high (1073741824) .
.Pp
.Ar offset
is an unsigned integer.
@ -146,8 +145,8 @@ It can be up to 1073741824 for
positive offsets, and up to 1073741823 for negative offsets.
.El
.Pp
The interpretation of policy priority in these functions and the kernel DOES
differ.
The interpretation of policy priority in these functions and the
kernel DOES differ.
The relationship between the two can be described as
p(kernel) = 0x80000000 - p(func)
.Pp
@ -156,13 +155,13 @@ With
policy, packets will be dropped if they match the policy.
.It Ar direction [priority specification] Li entrust
.Li entrust
means to consult to SPD defined by
means to consult the SPD defined by
.Xr setkey 8 .
.It Ar direction [priority specification] Li bypass
.Li bypass
means to be bypassed the IPsec processing.
.Pq packet will be transmitted in clear .
This is for privileged socket.
means to bypass the IPsec processing.
.Pq the packet will be transmitted in clear .
This is for privileged sockets.
.It Xo
.Ar direction
.Bq Ar priority specification
@ -174,7 +173,7 @@ means that the matching packets are subject to IPsec processing.
.Li ipsec
can be followed by one or more
.Ar request
string, which is formatted as below:
strings, which are formatted as below:
.Bl -tag -width "discard"
.It Xo
.Ar protocol
@ -189,7 +188,7 @@ string, which is formatted as below:
.Ar protocol
is either
.Li ah ,
.Li esp
.Li esp ,
or
.Li ipcomp .
.Pp
@ -202,13 +201,13 @@ or
.Ar src
and
.Ar dst
specifies IPsec endpoint.
specifies the IPsec endpoint.
.Ar src
always means
always means the
.Dq sending node
and
.Ar dst
always means
always means the
.Dq receiving node .
Therefore, when
.Ar direction
@ -232,7 +231,7 @@ can be omitted.
.Pp
.Ar level
must be set to one of the following:
.Li default , use , require
.Li default , use , require ,
or
.Li unique .
.Li default
@ -275,21 +274,25 @@ and slash prior to
.Ar level
can be omitted.
However, it is encouraged to specify them explicitly
to avoid unintended behaviors.
to avoid unintended behavior.
If
.Ar level
is omitted, it will be interpreted as
.Li default .
.El
.Pp
Note that there is a bit difference of specification from
Note that there are slight differences to the specification of
.Xr setkey 8 .
In specification by
In the specification of
.Xr setkey 8 ,
both entrust and bypass are not used.
both
.Li entrust
and
.Li bypass
are not used.
Refer to
.Xr setkey 8
for detail.
for details.
.Pp
Here are several examples
.Pq long lines are wrapped for readability :
@ -304,13 +307,16 @@ in ipsec ipcomp/transport//use
.El
.Sh RETURN VALUES
.Fn ipsec_set_policy
returns a pointer to the allocated buffer of policy specification if successful; otherwise a NULL pointer is returned.
returns a pointer to the allocated buffer with the policy specification
if successful; otherwise a
.Dv NULL
pointer is returned.
.Fn ipsec_get_policylen
returns with positive value
returns a positive value
.Pq meaning the buffer size
on success, and negative value on errors.
on success, and a negative value on errors.
.Fn ipsec_dump_policy
returns a pointer to dynamically allocated region on success,
returns a pointer to a dynamically allocated region on success,
and
.Dv NULL
on errors.
@ -319,4 +325,4 @@ on errors.
.Xr ipsec 4 ,
.Xr setkey 8
.Sh HISTORY
The functions first appeared in WIDE/KAME IPv6 protocol stack kit.
The functions first appeared in the WIDE/KAME IPv6 protocol stack kit.

22
crypto/dist/ipsec-tools/src/libipsec/ipsec_strerror.3 vendored
View File

@ -1,4 +1,4 @@
.\" $NetBSD: ipsec_strerror.3,v 1.5 2005/04/14 10:25:58 wiz Exp $
.\" $NetBSD: ipsec_strerror.3,v 1.6 2005/04/15 10:58:11 wiz Exp $
.\"
.\" $KAME: ipsec_strerror.3,v 1.9 2001/08/17 07:21:36 itojun Exp $
.\"
@ -35,14 +35,14 @@
.\"
.Sh NAME
.Nm ipsec_strerror
.Nd error message for IPsec policy manipulation library
.Nd error messages for the IPsec policy manipulation library
.\"
.Sh LIBRARY
.Lb libipsec
.Sh SYNOPSIS
.In netinet6/ipsec.h
.Ft "const char *"
.Fn ipsec_strerror
.Fn ipsec_strerror void
.\"
.Sh DESCRIPTION
.Pa netinet6/ipsec.h
@ -50,12 +50,12 @@ declares
.Pp
.Dl extern int ipsec_errcode ;
.Pp
which is used to pass an error code from IPsec policy manipulation library
to an user program.
which is used to pass an error code from the IPsec policy manipulation
library to a program.
.Fn ipsec_strerror
can be used to obtain the error message string for the error code.
.Pp
The array pointed to is not to be modified by the program.
The array pointed to is not to be modified by the calling program.
Since
.Fn ipsec_strerror
uses
@ -64,21 +64,21 @@ as underlying function, calling
.Xr strerror 3
after
.Fn ipsec_strerror
would make the return value from
will make the return value from
.Fn ipsec_strerror
invalid, or overwritten.
invalid or overwritten.
.\"
.Sh RETURN VALUES
.Fn ipsec_strerror
always return a pointer to C string.
The C string must not be overwritten by user programs.
always returns a pointer to a C string.
The C string must not be overwritten by the calling program.
.\"
.Sh SEE ALSO
.Xr ipsec_set_policy 3
.\"
.Sh HISTORY
.Fn ipsec_strerror
first appeared in WIDE/KAME IPv6 protocol stack kit.
first appeared in the WIDE/KAME IPv6 protocol stack kit.
.\"
.Sh BUGS
.Fn ipsec_strerror

51
crypto/dist/ipsec-tools/src/racoon/plainrsa-gen.8 vendored
View File

@ -1,4 +1,4 @@
.\" $NetBSD: plainrsa-gen.8,v 1.6 2005/04/14 10:30:28 wiz Exp $
.\" $NetBSD: plainrsa-gen.8,v 1.7 2005/04/15 10:58:11 wiz Exp $
.\"
.\" Id: plainrsa-gen.8,v 1.2 2004/07/12 20:43:50 ludvigm Exp
.\"
@ -33,10 +33,10 @@
.Dd June 14, 2004
.Dt PLAINRSA-GEN 8
.Os
\"
.\"
.Sh NAME
.Nm plainrsa-gen
.Nd Generator of Plain RSA keys
.Nd generator for Plain RSA keys
.\"
.Sh SYNOPSIS
.Nm plainrsa-gen
@ -50,44 +50,44 @@
.Sh DESCRIPTION
.Nm
can be used to generate
.Pa Plain RSA keys
.Li Plain RSA keys
for authentication purposes.
Using
.Pa Plain RSA keys
.Li Plain RSA keys
is optional.
Other possibilities are
.Pa Pre-shared keys
.Li Pre-shared keys
or
.Pa X.509 certificates .
.Li X.509 certificates .
.\"
.Bl -tag -width Ds
.It Fl b Ar bits
bit length of the key.
Default is
.Pa 1024 ,
.Li 1024 ,
recommended length is
.Pa 2048
.Li 2048
or even
.Pa 4096
.Li 4096
bits.
Note that generating longer keys takes longer time.
Note that generating longer keys takes more time.
.It Fl e Ar pubexp
value of RSA public exponent.
value of the RSA public exponent.
Default is
.Pa 0x3 .
Don't change unless you really know what you are doing!
.Li 0x3 .
Don't change this unless you really know what you are doing!
.It Fl f Ar outfile
write the resulting key to
.Pa outfile
.Ar outfile
instead of
.Pa stdout .
.Li stdout .
If the file already exists it won't be overwritten.
You wouldn't like to lose your private key by accident, would you?
.El
.\"
.Sh OUTPUT FILE FORMAT
This is the secret
.Pa private key
.Li private key
that should
.Ic never
leave your computer:
@ -107,11 +107,11 @@ leave your computer:
.Ed
.Pp
The line
.Pa pubkey=0sAQOrW...
.Li pubkey=0sAQOrW...
of the
.Pa private key
.Li private key
contains a
.Pa public key
.Li public key
that should be stored in the other peer's configuration in this format:
.Bd -literal
: PUB 0sAQOrWlcwbAIdNSMhDt...
@ -119,24 +119,21 @@ that should be stored in the other peer's configuration in this format:
.\"
.Pp
You can also specify
.Pa from
.Li from
and
.Pa to
.Li to
addresses for which the key is valid:
.Bd -literal
0.0.0.0/0 10.20.30.0/24 : PUB 0sAQOrWlcwbAIdNSMhDt...
.Ed
.\"
.Ed
.\"
.Sh SEE ALSO
.Xr racoon.conf 5 ,
.Xr racoon 8
.\"
.Sh HISTORY
The
.Nm
written by
was written by
.An Michal Ludvig Aq michal@logix.cz
first appeared in
and first appeared in
.Ic ipsec-tools 0.4 .

84
crypto/dist/ipsec-tools/src/racoon/racoon.8 vendored
View File

@ -1,4 +1,4 @@
.\" $NetBSD: racoon.8,v 1.5 2005/04/14 10:30:28 wiz Exp $
.\" $NetBSD: racoon.8,v 1.6 2005/04/15 10:58:11 wiz Exp $
.\"
.\" Id: racoon.8,v 1.3 2004/07/12 20:35:58 ludvigm Exp
.\"
@ -40,7 +40,7 @@
.Sh SYNOPSIS
.Nm racoon
.Bk -words
.Op Fl BFvdL46
.Op Fl 46BdFLv
.Ek
.Bk -words
.Op Fl f Ar configfile
@ -49,91 +49,89 @@
.Op Fl l Ar logfile
.Ek
.Bk -words
.Op Fl p Ar isakmp-port
.Op Fl P Ar isakmp-natt-port
.Ek
.Bk -words
.Op Fl P Ar isakmp-natt-port
.Op Fl p Ar isakmp-port
.Ek
.\"
.Sh DESCRIPTION
.Nm
speaks IKE
speaks the IKE
.Pq ISAKMP/Oakley
key management protocol,
to establish security association with other hosts.
SPD
to establish security associations with other hosts.
The SPD
.Pq Security Policy Database
in the kernel usually triggers to start
.Nm racoon .
.Nm racoon
usually sends all of informational messages, warnings and error messages to
in the kernel usually triggers
.Nm .
.Nm
usually sends all informational messages, warnings and error messages to
.Xr syslogd 8
with the facility LOG_DAEMON, the priority LOG_INFO.
Debugging messages are sent with the priority LOG_DEBUG.
with the facility
.Dv LOG_DAEMON
and the priority
.Dv LOG_INFO .
Debugging messages are sent with the priority
.Dv LOG_DEBUG .
You should configure
.Xr syslog.conf 5
appropriately to see these messages.
.Bl -tag -width Ds
.It Fl 4
.It Fl 6
Specify the default address family for the sockets.
.It Fl B
Install SA(s) from the file which is specified in
.Xr racoon.conf 5 .
.It Fl d
Increase the debug level.
Multiple
.Fl d
arguments will increase the debug level even more.
.It Fl F
Run
.Nm racoon
.Nm
in the foreground.
.It Fl f Ar configfile
Use
.Ar configfile
as the configuration file instead of the default.
.It Fl L
Include
.Ar file_name:line_number:function_name
in all messages.
.It Fl l Ar logfile
Use
.Ar logfile
as the logging file instead of
.Xr syslogd 8 .
.It Fl p Ar isakmp-port
Listen to ISAKMP key exchange on port
.Ar isakmp-port
instead of the default port number, 500.
.It Fl P Ar isakmp-natt-port
Use
.Ar isakmp-natt-port
for NAT-Traversal port-floating.
The default is 4500.
.It Fl p Ar isakmp-port
Listen to the ISAKMP key exchange on port
.Ar isakmp-port
instead of the default port number, 500.
.It Fl v
The flag causes the packet dump be more verbose, with higher debugging level.
.It Fl d
Increase the debug level.
Multiple
.Fl d
will increase the debug level even more.
.It Fl L
Include
.Ar file_name:line_number:function_name
location in all messages.
.It Fl 4
.It Fl 6
Specifies the default address family for the sockets.
This flag causes the packet dump be more verbose, with higher
debugging level.
.El
.Pp
.Nm
assumes the presence of kernel random number device
assumes the presence of the kernel random number device
.Xr rnd 4
at
.Pa /dev/urandom .
Informational messages are labeled
.Em info ,
and debugging messages are labeled
.Em debug .
You have to configure
.Xr syslog.conf 5
if you want to see them in a logging file.
.\"
.Sh RETURN VALUES
The command exits with 0 on success, and non-zero on errors.
.\"
.Sh FILES
.Bl -tag -width /usr/local/v6/etc/racoon.conf -compact
.It Pa /usr/local/v6/etc/racoon.conf
.Bl -tag -width /etc/racoon.conf -compact
.It Pa /etc/racoon.conf
default configuration file.
.El
.\"
@ -147,11 +145,11 @@ default configuration file.
.Sh HISTORY
The
.Nm
command first appeared in
command first appeared in the
.Dq YIPS
Yokogawa IPsec implementation.
.\"
.Sh SECURITY CONSIDERATIONS
The use of IKE phase 1 aggressive mode is not recommended,
as described in
.Li http://www.kb.cert.org/vuls/id/886601 .
.Pa http://www.kb.cert.org/vuls/id/886601 .

244
crypto/dist/ipsec-tools/src/racoon/racoon.conf.5 vendored
View File

@ -1,4 +1,4 @@
.\" $NetBSD: racoon.conf.5,v 1.11 2005/04/14 10:30:28 wiz Exp $
.\" $NetBSD: racoon.conf.5,v 1.12 2005/04/15 10:58:11 wiz Exp $
.\"
.\" Id: racoon.conf.5,v 1.27.2.2 2005/03/16 23:18:43 manubsd Exp
.\"
@ -48,7 +48,7 @@ ISAKMP daemon.
negotiates security associations for itself (ISAKMP SA, or phase 1 SA)
and for kernel IPsec (IPsec SA, or phase 2 SA).
The file consists of a sequence of directives and statements.
Each directive is composed by a tag, and statements are enclosed by
Each directive is composed by a tag and statements, enclosed by
.Ql {
and
.Ql } .
@ -82,7 +82,7 @@ number is always enclosed by
and
.Ql \&] .
In this case, the port number is not an optional keyword.
If it is possible to omit
If it is possible to omit the
.Ar port
number,
the expression becomes
@ -110,7 +110,7 @@ The former must be prefixed with
.It Ar file
means any string enclosed in
.Ql \&"
.Pq double quote .
.Pq double quotes .
.It Ar address
means IPv6 and/or IPv4 address.
.It Ar port
@ -133,38 +133,39 @@ specifies privilege separation parameters.
When enabled, these enable
.Xr racoon 8
to operate with an unprivileged instance doing most of the work, while
a privileged instance take care of performing the following operations
a privileged instance takes care of performing the following operations
as root: reading PSK and private keys, launching hook scripts, and
validating passwords against system database or against PAM.
validating passwords against system databases or against PAM.
.Pp
.Bl -tag -width Ds -compact
.It Ic user Ar user ;
The user the unprivileged instance of
The user to which the unprivileged instance of
.Xr racoon 8 ,
should switch to.
should switch.
This can be a quoted user name or a numeric UID.
.It Ic group Ar group ;
The group the unprivileged instance of
The group to which the unprivileged instance of
.Xr racoon 8 ,
should switch to. This can be a quoted group name or a numeric GID.
should switch.
This can be a quoted group name or a numeric GID.
.It Ic chroot Ar path ;
A directory where the unprivileged instance of
A directory to which the unprivileged instance of
.Xr racoon 8
should
.Xr chroot 2
to.
.Xr chroot 2 .
This directory should hold a tree where the following files must be
reachable:
.Bl -tag -width Ds -compact
.It Pa /dev/random
.It Pa /dev/urandom
.It The certificates
.It The file containing the Xauth banner
.It the certificates
.It the file containing the Xauth banner
.El
.Pp
The PSK file, the private keys, and the hook scripts are accessed through
The PSK file, the private keys, and the hook scripts are accessed through the
privileged instance of
.Xr racoon 8
privileged instance and do not need to be reachable in the
and do not need to be reachable in the
.Xr chroot 2 Ap ed
tree.
.El
@ -190,16 +191,17 @@ See
will search this directory if a certificate or certificate request is received.
If you run with privilege separation,
.Xr racoon 8
will refuse to use a certificate
stored outside of this directory.
will refuse to use a certificate stored outside of this directory.
.It Ic path backupsa Ar file ;
specifies a file to be stored a SA information which is negotiated by racoon.
specifies a file to which SA information which is negotiated by
racoon should be stored.
.Xr racoon 8
will install SA(s) from the file with a boot option
.Fl B .
The file is increasing because
will install SA(s) from the file when started with the
.Fl B
flag.
The file is growing because
.Xr racoon 8
simply add a SA to the file at the moment.
simply adds SAs to it.
You should maintain the file manually.
.It Ic path script Ar path
.Xr racoon 8
@ -243,9 +245,9 @@ The default time is 15 seconds.
the maximum time it should take to complete phase 2.
The default time is 10 seconds.
.It Ic natt_keepalive Ar number Ar timeunit ;
interval between sending NAT-Traversal keepalive packets.
interval between sending NAT-Traversal keep-alive packets.
The default time is 20 seconds.
Set to 0s to disable.
Set to 0s to disable keep-alive packets.
.El
.El
.\"
@ -256,11 +258,12 @@ If no
.Ar listen
directive is specified,
.Xr racoon 8
will listen on all of the available interface addresses.
will listen on all available interface addresses.
The following is the list of valid statements:
.Pp
.Bl -tag -width Ds -compact
.\" How do I express bold brackets; `[' and `]' .
.\" Answer: For bold brackets, do "Ic \&[ foo \&]".
.\" Is the "Bq Ic [ Ar port ] ;" buggy ?
.It Ic isakmp Ar address Bq Bq Ar port ;
If this is specified,
@ -279,7 +282,7 @@ with port 4500, which is specified by IANA.
There is no default.
.It Ic strict_address ;
require that all addresses for ISAKMP must be bound.
This statement will be ignored if you do not specify any addresses.
This statement will be ignored if you do not specify any address.
.El
The
.Ar listen
@ -288,10 +291,10 @@ if racoon was built with support for admin port.
.Bl -tag -width Ds -compact
.It Ic adminsock Ar path Op Ar owner\ group\ mode ;
.Ar path ,
.Ar owner
.Ar owner ,
and
.Ar group
are the socket path, owner and group, they must be quoted.
are the socket path, owner, and group; they must be quoted.
Defaults are
.Pa /var/racoon/racoon.sock ,
UID 0, and GID 0.
@ -351,16 +354,15 @@ directive.
.Pp
Sections with
.Ic inherit Ar parent
statement (where
statements (where
.Ar parent
is either
.Ar address
or a keyword
.Ic anonymous
)
.Ic anonymous )
have all values predefined to those of a given
.Ar parent .
In these sections it's enough to redefine only changed parameters.
In these sections it is enough to redefine only the changed parameters.
.Pp
The following are valid statements.
.Pp
@ -368,17 +370,17 @@ The following are valid statements.
.\"
.It Ic exchange_mode ( main \*(Ba aggressive \*(Ba base ) ;
defines the exchange mode for phase 1 when racoon is the initiator.
Also it means the acceptable exchange mode when racoon is responder.
It also means the acceptable exchange mode when racoon is responder.
More than one mode can be specified by separating them with a comma.
All of the modes are acceptable.
The first exchange mode is what racoon uses when it is the initiator.
.\"
.It Ic doi Ic ipsec_doi ;
means to use IPsec DOI as specified RFC 2407.
means to use IPsec DOI as specified in RFC 2407.
You can omit this statement.
.\"
.It Ic situation Ic identity_only ;
means to use SIT_IDENTITY_ONLY as specified RFC 2407.
means to use SIT_IDENTITY_ONLY as specified in RFC 2407.
You can omit this statement.
.\"
.It Ic identifier Ar idtype ;
@ -389,10 +391,12 @@ Instead, use
.It Ic my_identifier Ar idtype ... ;
specifies the identifier sent to the remote host
and the type to use in the phase 1 negotiation.
.Ic address, fqdn , user_fqdn , keyid and asn1dn
.Ic address, fqdn , user_fqdn , keyid ,
and
.Ic asn1dn
can be used as an
.Ar idtype .
they are used like:
Use them in the following way:
.Bl -tag -width Ds -compact
.It Ic my_identifier Ic address Bq Ar address ;
the type is the IP address.
@ -409,10 +413,10 @@ If
.Ar string
is omitted,
.Xr racoon 8
will get DN from Subject field in the certificate.
will get the DN from the Subject field in the certificate.
.El
.\"
.It Ic xauth_login Ic Bq Ar string ;
.It Ic xauth_login Bq Ar string ;
specifies the login to use in client-side Hybrid authentication.
It is available only if
.Xr racoon 8
@ -431,7 +435,7 @@ If it is defined, the behavior of the verification depends on the flag of
.Ic verify_identifier .
The usage of
.Ar idtype
is same as
is the same as
.Ic my_identifier
except that the individual component values of an
.Ic asn1dn
@ -447,7 +451,7 @@ If you want to verify the peer's identifier,
set this to on.
In this case, if the value defined by
.Ic peers_identifier
is not same to the peer's identifier in the ID payload,
is not the same as the peer's identifier in the ID payload,
the negotiation will failed.
The default is off.
.\"
@ -458,9 +462,9 @@ is one of followings:
.Bl -tag -width Ds -compact
.It Ic x509 Ar certfile Ar privkeyfile ;
.Ar certfile
means a file name of certificate.
means a file name of a certificate.
.Ar privkeyfile
means a file name of secret key.
means a file name of a secret key.
.El
.It Ic ca_type Ar cacertspec ;
specifies a root certificate authority specification.
@ -497,13 +501,13 @@ and will use this certificate as the peer's certificate.
.\"
.It Ic script Ar script Ic phase1_up
.It Ic script Ar script Ic phase1_down
Shell scripts that get executed when an phase 1 SA goes up or down.
Both script get either
Shell scripts that get executed when a phase 1 SA goes up or down.
Both scripts get either
.Ic phase1_up
or
.Ic phase1_down
as first argument, and the following
variable are set in their environment:
variables are set in their environment:
.Bl -tag -width Ds -compact
.It Ev LOCAL_ADDR
The local address of the phase 1 SA.
@ -539,25 +543,24 @@ set this to off.
The default is on.
.\"
.It Ic lifetime time Ar number Ar timeunit ;
define a lifetime of a certain time
Define a lifetime of a certain time
which will be proposed in the phase 1 negotiations.
Any proposal will be accepted, and the attribute(s) will be not proposed to
the peer if you do not specify it(them).
the peer if you do not specify it (them).
They can be individually specified in each proposal.
.\"
.It Ic ike_frag (on \(ba off) ;
Enable receiver-side IKE fragmentation, if
.Xr racoon 8
has been build with
this feature.
This extension is there to workaround
has been built with this feature.
This extension is there to work around
broken firewalls that do not work with fragmented UDP packets.
IKE fragmentation is always enabled on the sender-side, and
it is used if the peer advertise itself as IKE fragmentation capable.
it is used if the peer advertises itself as IKE fragmentation capable.
.\"
.It Ic esp_frag Ar fraglen ;
This option is only relevant if you use NAT traversal in tunnel mode.
Its purpose is to workaround broken DSL routers that reject UDP
Its purpose is to work around broken DSL routers that reject UDP
fragments, by fragmenting the IP packets before ESP encapsulation.
The result is ESP over UDP of fragmented packets instead of fragmented
ESP over UDP packets.
@ -566,23 +569,23 @@ is the maximum size of the fragments.
552 should work anywhere,
but the higher
.Ar fraglen
is, the better the performances are.
is, the better is the performance.
.Pp
Note that because PMTU discovery is broken on many sites, you will have to
use MSS clamping if you want TCP to work correctly.
Note that because PMTU discovery is broken on many sites, you will
have to use MSS clamping if you want TCP to work correctly.
.\"
.It Ic initial_contact (on \(ba off) ;
enable this to send an INITIAL-CONTACT message.
The default value is
.Ic on .
This message is useful only when
the implementation of the responder choices an old SA when there are multiple
SAs which are different established time, and the initiator reboots.
If racoon did not use the message,
the responder would use an old SA even when an new SA was established.
The KAME stack has the switch in the system wide value,
the implementation of the responder chooses an old SA when there are multiple
SAs with different established time, and the initiator reboots.
If racoon did not send the message,
the responder would use an old SA even when a new SA was established.
The KAME stack has the switch in the system wide value
net.key.preferred_oldsa.
when the value is zero, the stack always use an new SA.
when the value is zero, the stack always uses a new SA.
.\"
.It Ic passive (on \(ba off) ;
If you do not want to initiate the negotiation, set this to on.
@ -598,7 +601,7 @@ The default level is
.Ic strict .
If the
.Ar level
is;
is:
.Bl -tag -width Ds -compact
.It Ic obey
the responder will obey the initiator anytime.
@ -616,7 +619,7 @@ If the responder's length is
shorter than the initiator's one, the responder uses its own length
AND sends a RESPONDER-LIFETIME notify message to an initiator in the
case of lifetime (phase 2 only).
About PFS, this directive is same as
For PFS, this directive behaves the same as
.Ic strict .
.It Ic exact
If the initiator's length is not equal to the responder's one, the
@ -626,28 +629,29 @@ the initiator's one, then the responder will reject the proposal.
.El
.\"
.It Ic support_proxy (on \(ba off) ;
If this value is set on then both values of ID payloads in phase 2 exchange
are always used as the addresses of end-point of IPsec-SAs.
If this value is set to on, then both values of ID payloads in the
phase 2 exchange are always used as the addresses of end-point of
IPsec-SAs.
The default is off.
.\"
.It Ic generate_policy (on \(ba off) ;
This directive is for the responder.
Therefore you should set
.Ic passive
on in order that
to on in order that
.Xr racoon 8
only becomes a responder.
If the responder does not have any policy in SPD during phase 2 negotiation,
and the directive is set on, then
If the responder does not have any policy in SPD during phase 2
negotiation, and the directive is set to on, then
.Xr racoon 8
will choice the first proposal in the
will choose the first proposal in the
SA payload from the initiator, and generate policy entries from the proposal.
It is useful to negotiate with the client which is allocated IP address
It is useful to negotiate with clients whose IP address is allocated
dynamically.
Note that inappropriate policy might be installed into the responder's SPD
by the initiator.
So that other communication might fail if such policies installed
due to some policy mismatches between the initiator and the responder.
Note that an inappropriate policy might be installed into the responder's SPD
by the initiator,
so other communications might fail if such policies are installed
due to a policy mismatch between the initiator and the responder.
This directive is ignored in the initiator case.
The default value is
.Ic off .
@ -656,31 +660,31 @@ The default value is
.It Ic nat_traversal (on \(ba off \(ba force) ;
This directive enables use of the NAT-Traversal IPsec extension
(NAT-T).
NAT-T allows one or both peers to reside behind a NAT gateway (i.e.
NAT-T allows one or both peers to reside behind a NAT gateway (i.e.,
doing address- or port-translation).
Presence of NAT gateways along the path
is discovered during phase 1 handshake and if found, NAT-T is negotiated.
When NAT-T is in charge all ESP and AH packets of a given connection
When NAT-T is in charge, all ESP and AH packets of a given connection
are encapsulated into UDP datagrams (port 4500, by default).
Possible values are:
.Bl -tag -width Ds -compact
.It Ic on
NAT-T is used when NAT gateway is detected between the peers.
NAT-T is used when a NAT gateway is detected between the peers.
.It Ic off
NAT-T is not proposed/accepted.
This is the default.
.It Ic force
NAT-T is used regardless if there is a NAT between the peers or not.
NAT-T is used regardless if a NAT is detected between the peers or not.
.El
Please note that NAT-T support is a compile time option.
Please note that NAT-T support is a compile-time option.
Although it is enabled in the source distribution by default, it
may not be available in your particular build.
In that case you will get a
warning when using any of NAT-T related config options.
warning when using any NAT-T related config options.
.\"
.It Ic dpd_delay Ar delay ;
This option activates the DPD and sets the time (in seconds) allowed
between 2 proofs of aliveness requests.
between 2 proof of liveness requests.
The default value is
.Ic 0 ,
which disables DPD monitoring, but still negotiates DPD support.
@ -689,14 +693,14 @@ which disables DPD monitoring, but still negotiates DPD support.
If
.Ic dpd_delay
is set, this sets the delay (in seconds) to wait for a proof of
aliveness before considering it as failed and send another request.
liveness before considering it as failed and send another request.
The default value is
.Ic 5 .
.\"
.It Ic dpd_maxfail Ar number ;
If
.Ic dpd_delay
is set, this sets the maximum number of proof of aliveness to request
is set, this sets the maximum number of proof of liveness to request
(without reply) before considering the peer is dead.
The default value is
.Ic 5 .
@ -747,14 +751,14 @@ is one of following:
.Ic modp768 , modp1024 , modp1536 ,
.Ic modp2048 , modp3072 , modp4096 ,
.Ic modp6144 , modp8192 .
Or you can define 1, 2, 5, 14, 15, 16, 17 or 18 as the DH group number.
Or you can define 1, 2, 5, 14, 15, 16, 17, or 18 as the DH group number.
When you want to use aggressive mode,
you must define same DH group in each proposal.
you must define the same DH group in each proposal.
.It Ic lifetime time Ar number Ar timeunit ;
define lifetime of the phase 1 SA proposal.
Refer to the description of
Refer to the description of the
.Ic lifetime
directive immediately defined in
directive defined in the
.Ic remote
directive.
.It Ic gss_id Ar string ;
@ -820,7 +824,7 @@ is one of following:
.Ic modp768 , modp1024 , modp1536 ,
.Ic modp2048 , modp3072 , modp4096 ,
.Ic modp6144 , modp8192 .
Or you can define 1, 2, 5, 14, 15, 16, 17 or 18 as the DH group number.
Or you can define 1, 2, 5, 14, 15, 16, 17, or 18 as the DH group number.
.\"
.It Ic lifetime time Ar number Ar timeunit ;
define the lifetime of amount of time
@ -833,17 +837,17 @@ directive.
.\"
.It Ic my_identifier Ar idtype ... ;
is obsolete.
It does not make sense to specify a identifier in the phase 2.
It does not make sense to specify an identifier in the phase 2.
.El
.\"
.Pp
.Xr racoon 8
does not have the list of security protocols to be negotiated.
does not have a list of security protocols to be negotiated.
The list of security protocols are passed by SPD in the kernel.
Therefore you have to define all of the potential algorithms
in the phase 2 proposals even if there is a algorithm which will not be used.
in the phase 2 proposals even if there are algorithms which will not be used.
These algorithms are define by using the following three directives,
and they are lined with single comma as the separator.
with a single comma as the separator.
For algorithms that can take variable-length keys, algorithm names
can be followed by a key length, like
.Dq Li blowfish 448 .
@ -889,12 +893,12 @@ Note that the kernel may not support the algorithm you have specified.
define logging level.
.Ar level
is one of following:
.Ic notify , debug
.Ic notify , debug ,
and
.Ic debug2 .
The default is
.Ic notify .
If you put too high logging level on slower machines,
If you set the logging level too high on slower machines,
IKE negotiation can fail due to timing constraint changes.
.El
.\"
@ -917,10 +921,11 @@ If
is off, this is ignored.
The default is 20 bytes.
.It Ic exclusive_tail (on \(ba off) ;
means to put the number of pad bytes minus one into last part of the padding.
means to put the number of pad bytes minus one into the last part
of the padding.
The default is on.
.It Ic strict_check (on \(ba off) ;
means to be constrained the peer to set the number of pad bytes.
means to constrain the peer to set the number of pad bytes.
The default is off.
.El
.El
@ -946,13 +951,13 @@ This is the default.
means to use a RADIUS server.
It works only if
.Xr racoon 8
was build with libradius support, and the configuration is done in
was built with libradius support, and the configuration is done in
.Xr radius.conf 5 .
.Ar pam
means to use PAM.
It works only if
.Xr racoon 8
was build with libpam support.
was built with libpam support.
.It Ic conf_source (local \(ba radius) ;
Specify the source for IP addresses and netmask of users authenticated
through Xauth/hybrid auth.
@ -967,7 +972,7 @@ This is the default.
means to use a RADIUS server.
It works only if
.Xr racoon 8
was build with libradius support, and the configuration is done in
was built with libradius support, and the configuration is done in
.Xr radius.conf 5 .
RADIUS configuration requires RADIUS authentication.
.It Ic accounting (none \(ba radius \(ba pam) ;
@ -979,16 +984,15 @@ which disable accounting.
enable RADIUS accounting.
It works only if
.Xr racoon 8
was build with libradius support, and the configuration is done in
was built with libradius support, and the configuration is done in
.Xr radius.conf 5 .
RADIUS accounting require RADIUS authentication.
.Ar pam
enable PAM accounting.
It works only if
.Xr racoon 8
was build with libpam support.
PAM accounting require
PAM authentication.
was built with libpam support.
PAM accounting requires PAM authentication.
.It Ic pool_size Ar size
Specify the size of the IP address pool, either local or allocated
through RADIUS.
@ -1044,19 +1048,21 @@ The default value is
.El
.\"
.Ss Pre-shared key File
Pre-shared key file defines a pair of the identifier and the shared secret key
which are used at Pre-shared key authentication method in phase 1.
The pair in each lines are separated by some number of blanks and/or tab
characters like
.Xr hosts 5 .
Key can be included any blanks because all of the words after the second column
are interpreted as a secret key.
Lines start with
The pre-shared key file defines pairs of identifiers and corresponding
shared secret keys which are used in the pre-shared key authentication
method in phase 1.
The pair in each line is separated by some number of blanks and/or tab
characters like in the
.Xr hosts 5
file.
Key can include blanks because everything after the first blanks
is interpreted as the secret key.
Lines starting with
.Ql #
are ignored.
Keys which start with
.Ql 0x
are hexadecimal strings.
are interpreted as hexadecimal strings.
Note that the file must be owned by the user ID running
.Xr racoon 8
.Pq usually the privileged user ,
@ -1088,7 +1094,7 @@ sainfo anonymous
}
.Ed
.Pp
The following is a sample of the file defined pre-shared key.
The following is a sample for the pre-shared key file.
.Bd -literal -offset
10.160.94.3 mekmitasdigoat
172.16.1.133 0x12345678
@ -1107,7 +1113,7 @@ foo.kame.net hoge
.Sh HISTORY
The
.Nm
configuration file first appeared in
configuration file first appeared in the
.Dq YIPS
Yokogawa IPsec implementation.
.\"
@ -1116,8 +1122,8 @@ Some statements may not be handled by
.Xr racoon 8
yet.
.Pp
Diffie-Hellman computation can take a very long time,
and may cause unwanted timeouts, specifically when large D-H group is used.
Diffie-Hellman computation can take a very long time, and may cause
unwanted timeouts, specifically when a large D-H group is used.
.\"
.Sh SECURITY CONSIDERATIONS
The use of IKE phase 1 aggressive mode is not recommended,

59
crypto/dist/ipsec-tools/src/racoon/racoonctl.8 vendored
View File

@ -1,4 +1,4 @@
.\" $NetBSD: racoonctl.8,v 1.8 2005/04/14 10:31:35 wiz Exp $
.\" $NetBSD: racoonctl.8,v 1.9 2005/04/15 10:58:11 wiz Exp $
.\"
.\" Id: racoonctl.8,v 1.2.4.1 2005/02/24 18:04:42 manubsd Exp
.\"
@ -78,7 +78,7 @@ and
.Xr racoon 8
is done through a UNIX socket.
By changing the default mode and ownership
of the socket, you can allow non root users to alter
of the socket, you can allow non-root users to alter
.Xr racoon 8
behavior, so do that with caution.
.Pp
@ -88,34 +88,33 @@ The following commands are available:
This should cause
.Xr racoon 8
to reload its configuration file.
This seems completely broken at the time
this man page is written.
This seems completely broken at the time this man page is written.
.It show-schedule
Unknown command.
.It show-sa Op isakmp|esp|ah|ipsec
Dump the SA: All the SA if no SA class is provided, or either ISAKMP SA,
IPsec ESP SA, or IPsec AH SA, or all IPsec SA.
Dump the SA: All the SAs if no SA class is provided, or either ISAKMP SAs,
IPsec ESP SAs, IPsec AH SAs, or all IPsec SAs.
Use
.Fl l
to increase verbosity.
.It flush-sa Op isakmp|esp|ah|ipsec
is used to flush all SAs if no SA class is provided, or a class of SA,
either ISAKMP SA, IPsec ESP SA, or IPsec AH SA, or all IPsec SA.
is used to flush all SAs if no SA class is provided, or a class of SAs,
either ISAKMP SAs, IPsec ESP SAs, IPsec AH SAs, or all IPsec SAs.
.It Xo establish-sa
.Oo Fl u Ar username
.Oc Ar saopts
.Xc
Establish a SA, either a ISAKMP SA, IPsec ESP SA, or IPsec AH SA.
Establish an SA, either an ISAKMP SA, IPsec ESP SA, or IPsec AH SA.
The optional
.Fl u Ar username
can be used when establishing an ISAKMP SA while hybrid auth is in use.
.Nm
will prompt you for the password associated with
.Ar username
and theses credentials will be used in the Xauth exchange.
and these credentials will be used in the Xauth exchange.
.Pp
.Ar saopts
can have the following formats:
has the following format:
.Bl -tag -width Bl
.It isakmp {inet|inet6} Ar src Ar dst
.It {esp|ah} {inet|inet6} Ar src/prefixlen/port Ar dst/prefixlen/port
@ -129,7 +128,7 @@ This is a particular case of the previous command.
It will establish an ISAKMP SA with
.Ar vpn_gateway .
.It delete-sa Ar saopts
Delete a SA, either a ISAKMP SA, IPsec ESP SA, or IPsec AH SA.
Delete an SA, either an ISAKMP SA, IPsec ESP SA, or IPsec AH SA.
.It vpn-disconnect Ar vpn_gateway
This is a particular case of the previous command.
It will kill all SAs associated with
@ -140,31 +139,41 @@ Dump all events reported by
then quit.
The
.Fl l
causes
flag causes
.Nm
to not stop once all the events have been read, but rather to loop
awaiting and reporting new events.
.El
.Pp
Command shortcuts are available:
.Bl -tag -width Bl
.It rc reload-config
.It ss show-sa
.It sc show-schedule
.It fs flush-sa
.It ds delete-sa
.It es establish-sa
.It vc vpn-connect
.It vd vpn-disconnect
.It se show-event
.Bl -tag -width XXX -compact -offset indent
.It rc
reload-config
.It ss
show-sa
.It sc
show-schedule
.It fs
flush-sa
.It ds
delete-sa
.It es
establish-sa
.It vc
vpn-connect
.It vd
vpn-disconnect
.It se
show-event
.El
.\"
.Sh RETURN VALUES
The command should exit with 0 on success, and non-zero on errors.
.\"
.Sh FILES
.Bl -tag -width Bl
.It Pa /var/racoon/racoon.sock or Pa /var/run/racoon.sock
.Bl -tag -width 30n -compact
.It Pa /var/racoon/racoon.sock No or
.It Pa /var/run/racoon.sock
.Xr racoon 8
control socket.
.El

291
crypto/dist/ipsec-tools/src/setkey/setkey.8 vendored
View File

@ -1,4 +1,4 @@
.\" $NetBSD: setkey.8,v 1.6 2005/04/14 10:24:43 wiz Exp $
.\" $NetBSD: setkey.8,v 1.7 2005/04/15 10:58:11 wiz Exp $
.\"
.\" $KAME: setkey.8,v 1.93 2003/09/24 23:44:46 itojun Exp $
.\"
@ -39,16 +39,16 @@
.\"
.Sh SYNOPSIS
.Nm setkey
.Op Fl nvrk
.Op Fl knrv
.Ar file ...
.Nm setkey
.Op Fl nvrk
.Op Fl knrv
.Fl c
.Nm setkey
.Op Fl vrk
.Op Fl krv
.Fl f Ar filename
.Nm setkey
.Op Fl aPlvrk
.Op Fl aklPrv
.Fl D
.Nm setkey
.Op Fl Pv
@ -57,8 +57,7 @@
.Op Fl H
.Fl x
.Nm setkey
.Op Fl ?
.Op Fl V
.Op Fl ?V
.\"
.Sh DESCRIPTION
.Nm
@ -67,7 +66,7 @@ Security Association Database (SAD) entries
as well as Security Policy Database (SPD) entries in the kernel.
.Pp
.Nm
takes a series of operations from the standard input
takes a series of operations from standard input
.Po
if invoked with
.Fl c
@ -82,28 +81,29 @@ if invoked with
.It (no flag)
Dump the SAD entries or SPD entries contained in the specified
.Ar file .
.It Fl D
Dump the SAD entries.
If with
.Fl P ,
the SPD entries are dumped.
.It Fl F
Flush the SAD entries.
If with
.Fl P ,
the SPD entries are flushed.
.It Fl ?
Print short help.
.It Fl a
.Nm
usually does not display dead SAD entries with
.Fl D .
If with
.Fl a ,
the dead SAD entries will be displayed as well.
A dead SAD entry means that
it has been expired but remains in the system
because it is referenced by some SPD entries.
If
.Fl a
is also specified, the dead SAD entries will be displayed as well.
A dead SAD entry is one that has expired but remains in the
system because it is referenced by some SPD entries.
.It Fl D
Dump the SAD entries.
If
.Fl P
is also specified, the SPD entries are dumped.
.It Fl F
Flush the SAD entries.
If
.Fl P
is also specified, the SPD entries are dumped.
.It Fl H
Add hexadecimal dump on
Add hexadecimal dump in
.Fl x
mode.
.It Fl h
@ -113,37 +113,39 @@ synonym for
.Fl H .
On other systems, synonym for
.Fl ? .
.It Fl k
Use semantics used in kernel.
Available only in Linux.
See also
.Fl r .
.It Fl l
Loop forever with short output on
.Fl D .
.It Fl v
Be verbose.
The program will dump messages exchanged on
.Dv PF_KEY
socket, including messages sent from other processes to the kernel.
.It Fl n
No action.
The program will check validity of input, but no changes to the SPD will
be made.
The program will check validity of the input, but no changes to
the SPD will be made.
.It Fl r
Use semantics described in IPsec RFCs.
This mode is default.
For details see section
.Sx RFC vs Linux kernel semantics .
Available only in Linux.
.It Fl k
Use semantics used in kernel.
Available only in Linux.
See also
.Fl k .
.It Fl x
Loop forever and dump all the messages transmitted to
Loop forever and dump all the messages transmitted to the
.Dv PF_KEY
socket.
.Fl xx
makes each timestamps unformatted.
.It Fl ?
Print short help.
prints the unformatted timestamps.
.It Fl V
Print version string.
.It Fl v
Be verbose.
The program will dump messages exchanged on the
.Dv PF_KEY
socket, including messages sent from other processes to the kernel.
.El
.Ss Configuration syntax
With
@ -153,7 +155,9 @@ or
on the command line,
.Nm
accepts the following configuration syntax.
Lines starting with hash signs ('#') are treated as comment lines.
Lines starting with hash signs
.Pq Sq #
are treated as comment lines.
.Bl -tag -width Ds
.It Xo
.Li add
@ -165,8 +169,8 @@ Lines starting with hash signs ('#') are treated as comment lines.
.Xc
Add an SAD entry.
.Li add
can fail with multiple reasons,
including when the key length does not match the specified algorithm.
can fail for multiple reasons, including when the key length does
not match the specified algorithm.
.\"
.It Xo
.Li get
@ -223,7 +227,7 @@ Add an SPD entry.
.Ar tag Ar policy
.Li ;
.Xc
Add an SPD entry based on PF tag.
Add an SPD entry based on a PF tag.
.Ar tag
must be a string surrounded by double quotes.
.\"
@ -259,7 +263,7 @@ Meta-arguments are as follows:
.It Ar src
.It Ar dst
Source/destination of the secure communication is specified as
IPv4/v6 address.
an IPv4/v6 address.
.Nm
can resolve a FQDN into numeric addresses.
If the FQDN resolves into multiple addresses,
@ -267,10 +271,10 @@ If the FQDN resolves into multiple addresses,
will install multiple SAD/SPD entries into the kernel
by trying all possible combinations.
.Fl 4 ,
.Fl 6
.Fl 6 ,
and
.Fl n
restricts the address resolution of FQDN in certain ways.
restrict the address resolution of FQDN in certain ways.
.Fl 4
and
.Fl 6
@ -303,11 +307,11 @@ Security Parameter Index
.Pq SPI
for the SAD and the SPD.
.Ar spi
must be a decimal number, or a hexadecimal number with
must be a decimal number, or a hexadecimal number with a
.Dq Li 0x
prefix.
SPI values between 0 and 255 are reserved for future use by IANA
and they cannot be used.
and cannot be used.
TCP-MD5 associations must use 0x1000 and therefore only have per-host
granularity at this time.
.\"
@ -320,7 +324,7 @@ take some of the following:
Specify a security protocol mode for use.
.Ar mode
is one of following:
.Li transport , tunnel
.Li transport , tunnel ,
or
.Li any .
The default value is
@ -332,10 +336,10 @@ Specify window size of bytes for replay prevention.
must be decimal number in 32-bit word.
If
.Ar size
is zero or not specified, replay check don't take place.
is zero or not specified, replay checks don't take place.
.\"
.It Fl u Ar id
Specify the identifier of the policy entry in SPD.
Specify the identifier of the policy entry in the SPD.
See
.Ar policy .
.\"
@ -345,15 +349,15 @@ defines the content of the ESP padding.
is one of following:
.Bl -tag -width random-pad -compact
.It Li zero-pad
All of the padding are zero.
All the paddings are zero.
.It Li random-pad
A series of randomized values are set.
A series of randomized values are used.
.It Li seq-pad
A series of sequential increasing numbers started from 1 are set.
A series of sequential increasing numbers started from 1 are used.
.El
.\"
.It Fl f Li nocyclic-seq
Don't allow cyclic sequence number.
Don't allow cyclic sequence numbers.
.\"
.It Fl lh Ar time
.It Fl ls Ar time
@ -368,14 +372,14 @@ Specify hard/soft life time duration of the SA measured in bytes transported.
.It Ar algorithm
.Bl -tag -width Fl -compact
.It Fl E Ar ealgo Ar key
Specify a encryption algorithm
Specify an encryption algorithm
.Ar ealgo
for ESP.
.It Xo
.Fl E Ar ealgo Ar key
.Fl A Ar aalgo Ar key
.Xc
Specify a encryption algorithm
Specify an encryption algorithm
.Ar ealgo ,
as well as a payload authentication algorithm
.Ar aalgo ,
@ -386,11 +390,11 @@ Specify an authentication algorithm for AH.
Specify a compression algorithm for IPComp.
If
.Fl R
is specified,
is specified, the
.Ar spi
field value will be used as the IPComp CPI
.Pq compression parameter index
on wire as is.
on wire as-is.
If
.Fl R
is not specified,
@ -400,23 +404,25 @@ field will be used only as an index for kernel internal usage.
.El
.Pp
.Ar key
must be double-quoted character string, or a series of hexadecimal digits
preceded by
must be a double-quoted character string, or a series of hexadecimal
digits preceded by
.Dq Li 0x .
.Pp
Possible values for
.Ar ealgo ,
.Ar aalgo
.Ar aalgo ,
and
.Ar calgo
are specified in separate section.
are specified in the
.Sx Algorithms
sections.
.\"
.Pp
.It Ar src_range
.It Ar dst_range
These are selections of the secure communication specified as
IPv4/v6 address or IPv4/v6 address range, and it may accompany
TCP/UDP port specification.
IPv4/v6 address or IPv4/v6 address range, and may be accompanied
by a TCP/UDP port specification.
This takes the following form:
.Bd -literal -offset
.Ar address
@ -428,11 +434,11 @@ This takes the following form:
.Ar prefixlen
and
.Ar port
must be decimal number.
The square bracket around
must be decimal numbers.
The square brackets around
.Ar port
is really necessary.
They are not man page meta-characters.
are really necessary,
they are not man page meta-characters.
For FQDN resolution, the rules applicable to
.Ar src
and
@ -442,47 +448,47 @@ apply here as well.
.Pp
.It Ar upperspec
Upper-layer protocol to be used.
You can use one of words in
You can use one of the words in
.Pa /etc/protocols
as
.Ar upperspec .
Or
.Ar upperspec ,
or
.Li icmp6 ,
.Li ip4 ,
and
.Li any
can be specified.
or
.Li any .
.Li any
stands for
.Dq any protocol .
Also you can use the protocol number.
You can specify a type and/or a code of ICMPv6 when
Upper-layer protocol is ICMPv6.
the specification can be placed after
You can also use the protocol number.
You can specify a type and/or a code of ICMPv6 when the
upper-layer protocol is ICMPv6.
The specification can be placed after
.Li icmp6 .
A type is separated with a code by single comma.
A code must be specified anytime.
A type is separated from a code by single comma.
A code must always be specified.
When a zero is specified, the kernel deals with it as a wildcard.
Note that the kernel can not distinguish a wildcard from that a type
of ICMPv6 is zero.
For example, the following means the policy doesn't require IPsec
Note that the kernel can not distinguish a wildcard from an ICPMv6
type of zero.
For example, the following means that the policy doesn't require IPsec
for any inbound Neighbor Solicitation.
.Dl spdadd ::/0 ::/0 icmp6 135,0 -P in none ;
.Pp
NOTE:
.Em Note :
.Ar upperspec
does not work against forwarding case at this moment,
as it requires extra reassembly at forwarding node
as it requires extra reassembly at the forwarding node
.Pq not implemented at this moment .
We have many protocols in
There are many protocols in
.Pa /etc/protocols ,
but protocols except of TCP, UDP and ICMP may not be suitable to use with IPsec.
You have to consider and be careful to use them.
but all protocols except of TCP, UDP, and ICMP may not be suitable
to use with IPsec.
You have to consider carefully what to use.
.\"
.Pp
.It Ar policy
.Ar policy
is the one of the following three formats:
is in one of the following three formats:
.Bd -literal -offset indent
.It Fl P Ar direction [priority specification] Li discard
.It Fl P Ar direction [priority specification] Li none
@ -494,12 +500,11 @@ is the one of the following three formats:
You must specify the direction of its policy as
.Ar direction .
Either
.Ar out
,
.Ar in
.Ar out ,
.Ar in ,
or
.Ar fwd
are used.
can be used.
.Pp
.Ar priority specification
is used to control the placement of the policy within the SPD.
@ -507,28 +512,27 @@ Policy position is determined by
a signed integer where higher priorities indicate the policy is placed
closer to the beginning of the list and lower priorities indicate the
policy is placed closer to the end of the list.
Policies with equal
priorities are added at the end of the group of such policies.
Policies with equal priorities are added at the end of groups
of such policies.
.Pp
Priority can only
be specified when setkey has been compiled against kernel headers that
support policy priorities (\*[Gt]= 2.6.6).
If the kernel does not support priorities,
a warning message will be printed the first time a priority specification is
used.
support policy priorities (Linux \*[Gt]= 2.6.6).
If the kernel does not support priorities, a warning message will
be printed the first time a priority specification is used.
Policy priority takes one of the following formats:
.Bl -tag -width "discard"
.It Xo
.Ar {priority,prio} offset
.Xc
.Ar offset
is an integer in ranges -2147483647..214783648.
is an integer in the range from \-2147483647 to 214783648.
.It Xo
.Ar {priority,prio} base {+,-} offset
.Ar {priority,prio} base {+,\-} offset
.Xc
.Ar base
is either
.Li low (-1073741824) ,
.Li low (\-1073741824) ,
.Li def (0) ,
or
.Li high (1073741824)
@ -545,15 +549,15 @@ means the packet matching indexes will be discarded.
means that IPsec operation will not take place onto the packet.
.Li ipsec
means that IPsec operation will take place onto the packet.
The part of
The
.Ar protocol/mode/src-dst/level
specifies the rule how to process the packet.
part specifies the rule how to process the packet.
Either
.Li ah ,
.Li esp
.Li esp ,
or
.Li ipcomp
is to be set as
must be used as
.Ar protocol .
.Ar mode
is either
@ -564,13 +568,13 @@ If
.Ar mode
is
.Li tunnel ,
you must specify the end-points addresses of the SA as
you must specify the end-point addresses of the SA as
.Ar src
and
.Ar dst
with
.Sq -
between these addresses which is used to specify the SA to use.
between these addresses, which is used to specify the SA to use.
If
.Ar mode
is
@ -582,18 +586,18 @@ and
can be omitted.
.Ar level
is to be one of the following:
.Li default , use , require
.Li default , use , require ,
or
.Li unique .
If the SA is not available in every level, the kernel will request
getting SA to the key exchange daemon.
.Li default
means the kernel consults to the system wide default against protocol you
specified, e.g.
means the kernel consults the system wide default for the protocol
you specified, e.g. the
.Li esp_trans_deflev
sysctl variable, when the kernel processes the packet.
.Li use
means that the kernel use a SA if it's available,
means that the kernel uses an SA if it's available,
otherwise the kernel keeps normal operation.
.Li require
means SA is required whenever the kernel sends a packet matched
@ -606,12 +610,12 @@ You just specify the policy level
.Xr racoon 8
will configure the SA for the policy.
If you configure the SA by manual keying for that policy,
you can put the decimal number as the policy identifier after
you can put a decimal number as the policy identifier after
.Li unique
separated by colon
separated by a colon
.Sq \&:
like the following;
.Li unique:number .
like:
.Li unique:number
in order to bind this policy to the SA.
.Li number
must be between 1 and 32767.
@ -619,9 +623,9 @@ It corresponds to
.Ar extensions Fl u
of the manual SA configuration.
When you want to use SA bundle, you can define multiple rules.
For example, if an IP header was followed by AH header followed by ESP header
followed by an upper layer protocol header, the rule
would be:
For example, if an IP header was followed by an AH header followed
by an ESP header followed by an upper layer protocol header, the
rule would be:
.Dl esp/transport//require ah/transport//require ;
The rule order is very important.
.Pp
@ -631,13 +635,11 @@ and
.Dq Li none
are not in the syntax described in
.Xr ipsec_set_policy 3 .
There are little differences in the syntax.
There are a few differences in the syntax.
See
.Xr ipsec_set_policy 3
for detail.
.Pp
.El
.Pp
.\"
.Ss Algorithms
The following list shows the supported algorithms.
@ -645,11 +647,11 @@ The following list shows the supported algorithms.
and
.Sy algorithm
are almost orthogonal.
Followings are the list of authentication algorithms that can be used as
These authentication algorithms can be used as
.Ar aalgo
in
.Fl A Ar aalgo
of
of the
.Ar protocol
parameter:
.Pp
@ -678,11 +680,11 @@ aes-xcbc-mac 128 ah: 96bit ICV (RFC3566)
tcp-md5 8 to 640 tcp: rfc2385
.Ed
.Pp
Followings are the list of encryption algorithms that can be used as
These encryption algorithms can be used as
.Ar ealgo
in
.Fl E Ar ealgo
of
of the
.Ar protocol
parameter:
.Pp
@ -702,13 +704,13 @@ aes-ctr 160/224/288 draft-ietf-ipsec-ciph-aes-ctr-03
.Pp
Note that the first 128 bits of a key for
.Li aes-ctr
will be used as AES key, and remaining 32 bits will be used as nonce.
will be used as AES key, and the remaining 32 bits will be used as nonce.
.Pp
Followings are the list of compression algorithms that can be used as
These compression algorithms can be used as
.Ar calgo
in
.Fl C Ar calgo
of
of the
.Ar protocol
parameter:
.Pp
@ -718,24 +720,28 @@ deflate rfc2394
.Ed
.\"
.Ss RFC vs Linux kernel semantics
Linux kernel uses
The Linux kernel uses the
.Ar fwd
policy instead of
policy instead of the
.Ar in
policy for packets what are forwarded through that particular box.
.Pp
In
.Ar kernel
mode setkey manages and shows policies and SAs exactly as they are stored in the kernel.
mode,
.Nm
manages and shows policies and SAs exactly as they are stored in the kernel.
.Pp
In
.Ar RFC
mode
.Ar setkey
.Bd -literal
creates fwd policies for every in policy inserted.
mode,
.Nm
.Bl -item
.It
creates fwd policies for every in policy inserted
.It
(not implemented yet) filters out all fwd policies
.Ed
.El
.Sh RETURN VALUES
The command exits with 0 on success, and non-zero on errors.
.\"
@ -776,7 +782,8 @@ add 10.1.10.34 10.1.10.36 tcp 0x1000 -A tcp-md5 "TCP-MD5 BGP secret" ;
.Sh HISTORY
The
.Nm
command first appeared in WIDE Hydrangea IPv6 protocol stack kit.
command first appeared in the WIDE Hydrangea IPv6 protocol stack
kit.
The command was completely re-designed in June 1998.
.\"
.Sh BUGS
@ -787,6 +794,6 @@ For IPsec gateway configuration,
.Ar src_range
and
.Ar dst_range
with TCP/UDP port number do not work, as the gateway does not reassemble
packets
.Pq cannot inspect upper-layer headers .
with TCP/UDP port numbers does not work, as the gateway does not
reassemble packets
.Pq it cannot inspect upper-layer headers .