Improve english, improve formatting, sort options.
This commit is contained in:
parent
aff82fa50e
commit
0f822df19c
|
@ -1,4 +1,4 @@
|
|||
.\" $NetBSD: ipsec_set_policy.3,v 1.8 2005/04/14 10:30:28 wiz Exp $
|
||||
.\" $NetBSD: ipsec_set_policy.3,v 1.9 2005/04/15 10:58:11 wiz Exp $
|
||||
.\"
|
||||
.\" $KAME: ipsec_set_policy.3,v 1.16 2003/01/06 21:59:03 sumikawa Exp $
|
||||
.\"
|
||||
|
@ -36,7 +36,7 @@
|
|||
.Nm ipsec_set_policy ,
|
||||
.Nm ipsec_get_policylen ,
|
||||
.Nm ipsec_dump_policy
|
||||
.Nd manipulate IPsec policy specification structure from readable string
|
||||
.Nd manipulate IPsec policy specification structure from human-readable policy string
|
||||
.\"
|
||||
.Sh LIBRARY
|
||||
.Lb libipsec
|
||||
|
@ -50,32 +50,31 @@
|
|||
.Fn ipsec_dump_policy "char *buf" "char *delim"
|
||||
.Sh DESCRIPTION
|
||||
.Fn ipsec_set_policy
|
||||
generates IPsec policy specification structure, namely
|
||||
generates an IPsec policy specification structure, namely
|
||||
.Li struct sadb_x_policy
|
||||
and/or
|
||||
.Li struct sadb_x_ipsecrequest
|
||||
from human-readable policy specification.
|
||||
policy specification must be given as C string
|
||||
from a human-readable policy specification.
|
||||
The policy specification must be given as a C string
|
||||
.Fa policy
|
||||
and length
|
||||
.Fa len
|
||||
of
|
||||
.Fa policy .
|
||||
and its length
|
||||
.Fa len .
|
||||
.Fn ipsec_set_policy
|
||||
will return the buffer of IPsec policy specification structure.
|
||||
The buffer is dynamically allocated, and must be freed by the caller by calling
|
||||
.Xr free 3 .
|
||||
will return a buffer with the corresponding IPsec policy specification structure.
|
||||
The buffer is dynamically allocated, and must be
|
||||
.Xr free 3 Ap d
|
||||
by the caller.
|
||||
.Pp
|
||||
You may want the length of the generated buffer such when calling
|
||||
.Xr setsockopt 2 .
|
||||
You can get the length of the generated buffer with
|
||||
.Fn ipsec_get_policylen
|
||||
will return the length.
|
||||
(i.e. for calling
|
||||
.Xr setsockopt 2 ) .
|
||||
.Pp
|
||||
.Fn ipsec_dump_policy
|
||||
converts IPsec policy structure into readable form.
|
||||
converts an IPsec policy structure into human-readable form.
|
||||
Therefore,
|
||||
.Fn ipsec_dump_policy
|
||||
can be regarded as inverse conversion of
|
||||
can be regarded as the inverse function to
|
||||
.Fn ipsec_set_policy .
|
||||
.Fa buf
|
||||
points to an IPsec policy structure,
|
||||
|
@ -86,11 +85,12 @@ If you set
|
|||
.Fa delim
|
||||
to
|
||||
.Dv NULL ,
|
||||
single whitespace is assumed.
|
||||
a single whitespace is assumed.
|
||||
.Fn ipsec_dump_policy
|
||||
returns pointer to dynamically allocated string.
|
||||
It is caller's responsibility to reclaim the region, by using
|
||||
.Xr free 3 .
|
||||
returns a pointer to a dynamically allocated string.
|
||||
It is the caller's responsibility to
|
||||
.Xr free 3
|
||||
it.
|
||||
.Pp
|
||||
.Fa policy
|
||||
is formatted as either of the following:
|
||||
|
@ -98,22 +98,21 @@ is formatted as either of the following:
|
|||
.It Ar direction [priority specification] Li discard
|
||||
.Ar direction
|
||||
must be
|
||||
.Li in
|
||||
,
|
||||
.Li out
|
||||
.Li in ,
|
||||
.Li out ,
|
||||
or
|
||||
.Li fwd .
|
||||
.Ar direction
|
||||
specifies which direction the policy needs to be applied.
|
||||
Nonstandard direction
|
||||
.Ar fwd
|
||||
specifies in which direction the policy needs to be applied.
|
||||
The non-standard direction
|
||||
.Li fwd
|
||||
is substituted with
|
||||
.Ar in
|
||||
.Li in
|
||||
on platforms which do not support forward policies.
|
||||
.Pp
|
||||
.Ar priority specification
|
||||
is used to control the placement of the policy within the SPD.
|
||||
Policy position is determined by
|
||||
The policy position is determined by
|
||||
a signed integer where higher priorities indicate the policy is placed
|
||||
closer to the beginning of the list and lower priorities indicate the
|
||||
policy is placed closer to the end of the list.
|
||||
|
@ -122,14 +121,14 @@ priorities are added at the end of the group of such policies.
|
|||
.Pp
|
||||
Priority can only
|
||||
be specified when libipsec has been compiled against kernel headers that
|
||||
support policy priorities (>= 2.6.6).
|
||||
support policy priorities (Linux \*[Gt]= 2.6.6).
|
||||
It takes one of the following formats:
|
||||
.Bl -tag -width "discard"
|
||||
.It Xo
|
||||
.Ar {priority,prio} offset
|
||||
.Xc
|
||||
.Ar offset
|
||||
is an integer in ranges -2147483647..214783648.
|
||||
is an integer in the range -2147483647..214783648.
|
||||
.It Xo
|
||||
.Ar {priority,prio} base {+,-} offset
|
||||
.Xc
|
||||
|
@ -138,7 +137,7 @@ is either
|
|||
.Li low (-1073741824) ,
|
||||
.Li def (0) ,
|
||||
or
|
||||
.Li high (1073741824)
|
||||
.Li high (1073741824) .
|
||||
.Pp
|
||||
.Ar offset
|
||||
is an unsigned integer.
|
||||
|
@ -146,8 +145,8 @@ It can be up to 1073741824 for
|
|||
positive offsets, and up to 1073741823 for negative offsets.
|
||||
.El
|
||||
.Pp
|
||||
The interpretation of policy priority in these functions and the kernel DOES
|
||||
differ.
|
||||
The interpretation of policy priority in these functions and the
|
||||
kernel DOES differ.
|
||||
The relationship between the two can be described as
|
||||
p(kernel) = 0x80000000 - p(func)
|
||||
.Pp
|
||||
|
@ -156,13 +155,13 @@ With
|
|||
policy, packets will be dropped if they match the policy.
|
||||
.It Ar direction [priority specification] Li entrust
|
||||
.Li entrust
|
||||
means to consult to SPD defined by
|
||||
means to consult the SPD defined by
|
||||
.Xr setkey 8 .
|
||||
.It Ar direction [priority specification] Li bypass
|
||||
.Li bypass
|
||||
means to be bypassed the IPsec processing.
|
||||
.Pq packet will be transmitted in clear .
|
||||
This is for privileged socket.
|
||||
means to bypass the IPsec processing.
|
||||
.Pq the packet will be transmitted in clear .
|
||||
This is for privileged sockets.
|
||||
.It Xo
|
||||
.Ar direction
|
||||
.Bq Ar priority specification
|
||||
|
@ -174,7 +173,7 @@ means that the matching packets are subject to IPsec processing.
|
|||
.Li ipsec
|
||||
can be followed by one or more
|
||||
.Ar request
|
||||
string, which is formatted as below:
|
||||
strings, which are formatted as below:
|
||||
.Bl -tag -width "discard"
|
||||
.It Xo
|
||||
.Ar protocol
|
||||
|
@ -189,7 +188,7 @@ string, which is formatted as below:
|
|||
.Ar protocol
|
||||
is either
|
||||
.Li ah ,
|
||||
.Li esp
|
||||
.Li esp ,
|
||||
or
|
||||
.Li ipcomp .
|
||||
.Pp
|
||||
|
@ -202,13 +201,13 @@ or
|
|||
.Ar src
|
||||
and
|
||||
.Ar dst
|
||||
specifies IPsec endpoint.
|
||||
specifies the IPsec endpoint.
|
||||
.Ar src
|
||||
always means
|
||||
always means the
|
||||
.Dq sending node
|
||||
and
|
||||
.Ar dst
|
||||
always means
|
||||
always means the
|
||||
.Dq receiving node .
|
||||
Therefore, when
|
||||
.Ar direction
|
||||
|
@ -232,7 +231,7 @@ can be omitted.
|
|||
.Pp
|
||||
.Ar level
|
||||
must be set to one of the following:
|
||||
.Li default , use , require
|
||||
.Li default , use , require ,
|
||||
or
|
||||
.Li unique .
|
||||
.Li default
|
||||
|
@ -275,21 +274,25 @@ and slash prior to
|
|||
.Ar level
|
||||
can be omitted.
|
||||
However, it is encouraged to specify them explicitly
|
||||
to avoid unintended behaviors.
|
||||
to avoid unintended behavior.
|
||||
If
|
||||
.Ar level
|
||||
is omitted, it will be interpreted as
|
||||
.Li default .
|
||||
.El
|
||||
.Pp
|
||||
Note that there is a bit difference of specification from
|
||||
Note that there are slight differences to the specification of
|
||||
.Xr setkey 8 .
|
||||
In specification by
|
||||
In the specification of
|
||||
.Xr setkey 8 ,
|
||||
both entrust and bypass are not used.
|
||||
both
|
||||
.Li entrust
|
||||
and
|
||||
.Li bypass
|
||||
are not used.
|
||||
Refer to
|
||||
.Xr setkey 8
|
||||
for detail.
|
||||
for details.
|
||||
.Pp
|
||||
Here are several examples
|
||||
.Pq long lines are wrapped for readability :
|
||||
|
@ -304,13 +307,16 @@ in ipsec ipcomp/transport//use
|
|||
.El
|
||||
.Sh RETURN VALUES
|
||||
.Fn ipsec_set_policy
|
||||
returns a pointer to the allocated buffer of policy specification if successful; otherwise a NULL pointer is returned.
|
||||
returns a pointer to the allocated buffer with the policy specification
|
||||
if successful; otherwise a
|
||||
.Dv NULL
|
||||
pointer is returned.
|
||||
.Fn ipsec_get_policylen
|
||||
returns with positive value
|
||||
returns a positive value
|
||||
.Pq meaning the buffer size
|
||||
on success, and negative value on errors.
|
||||
on success, and a negative value on errors.
|
||||
.Fn ipsec_dump_policy
|
||||
returns a pointer to dynamically allocated region on success,
|
||||
returns a pointer to a dynamically allocated region on success,
|
||||
and
|
||||
.Dv NULL
|
||||
on errors.
|
||||
|
@ -319,4 +325,4 @@ on errors.
|
|||
.Xr ipsec 4 ,
|
||||
.Xr setkey 8
|
||||
.Sh HISTORY
|
||||
The functions first appeared in WIDE/KAME IPv6 protocol stack kit.
|
||||
The functions first appeared in the WIDE/KAME IPv6 protocol stack kit.
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
.\" $NetBSD: ipsec_strerror.3,v 1.5 2005/04/14 10:25:58 wiz Exp $
|
||||
.\" $NetBSD: ipsec_strerror.3,v 1.6 2005/04/15 10:58:11 wiz Exp $
|
||||
.\"
|
||||
.\" $KAME: ipsec_strerror.3,v 1.9 2001/08/17 07:21:36 itojun Exp $
|
||||
.\"
|
||||
|
@ -35,14 +35,14 @@
|
|||
.\"
|
||||
.Sh NAME
|
||||
.Nm ipsec_strerror
|
||||
.Nd error message for IPsec policy manipulation library
|
||||
.Nd error messages for the IPsec policy manipulation library
|
||||
.\"
|
||||
.Sh LIBRARY
|
||||
.Lb libipsec
|
||||
.Sh SYNOPSIS
|
||||
.In netinet6/ipsec.h
|
||||
.Ft "const char *"
|
||||
.Fn ipsec_strerror
|
||||
.Fn ipsec_strerror void
|
||||
.\"
|
||||
.Sh DESCRIPTION
|
||||
.Pa netinet6/ipsec.h
|
||||
|
@ -50,12 +50,12 @@ declares
|
|||
.Pp
|
||||
.Dl extern int ipsec_errcode ;
|
||||
.Pp
|
||||
which is used to pass an error code from IPsec policy manipulation library
|
||||
to an user program.
|
||||
which is used to pass an error code from the IPsec policy manipulation
|
||||
library to a program.
|
||||
.Fn ipsec_strerror
|
||||
can be used to obtain the error message string for the error code.
|
||||
.Pp
|
||||
The array pointed to is not to be modified by the program.
|
||||
The array pointed to is not to be modified by the calling program.
|
||||
Since
|
||||
.Fn ipsec_strerror
|
||||
uses
|
||||
|
@ -64,21 +64,21 @@ as underlying function, calling
|
|||
.Xr strerror 3
|
||||
after
|
||||
.Fn ipsec_strerror
|
||||
would make the return value from
|
||||
will make the return value from
|
||||
.Fn ipsec_strerror
|
||||
invalid, or overwritten.
|
||||
invalid or overwritten.
|
||||
.\"
|
||||
.Sh RETURN VALUES
|
||||
.Fn ipsec_strerror
|
||||
always return a pointer to C string.
|
||||
The C string must not be overwritten by user programs.
|
||||
always returns a pointer to a C string.
|
||||
The C string must not be overwritten by the calling program.
|
||||
.\"
|
||||
.Sh SEE ALSO
|
||||
.Xr ipsec_set_policy 3
|
||||
.\"
|
||||
.Sh HISTORY
|
||||
.Fn ipsec_strerror
|
||||
first appeared in WIDE/KAME IPv6 protocol stack kit.
|
||||
first appeared in the WIDE/KAME IPv6 protocol stack kit.
|
||||
.\"
|
||||
.Sh BUGS
|
||||
.Fn ipsec_strerror
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
.\" $NetBSD: plainrsa-gen.8,v 1.6 2005/04/14 10:30:28 wiz Exp $
|
||||
.\" $NetBSD: plainrsa-gen.8,v 1.7 2005/04/15 10:58:11 wiz Exp $
|
||||
.\"
|
||||
.\" Id: plainrsa-gen.8,v 1.2 2004/07/12 20:43:50 ludvigm Exp
|
||||
.\"
|
||||
|
@ -33,10 +33,10 @@
|
|||
.Dd June 14, 2004
|
||||
.Dt PLAINRSA-GEN 8
|
||||
.Os
|
||||
\"
|
||||
.\"
|
||||
.Sh NAME
|
||||
.Nm plainrsa-gen
|
||||
.Nd Generator of Plain RSA keys
|
||||
.Nd generator for Plain RSA keys
|
||||
.\"
|
||||
.Sh SYNOPSIS
|
||||
.Nm plainrsa-gen
|
||||
|
@ -50,44 +50,44 @@
|
|||
.Sh DESCRIPTION
|
||||
.Nm
|
||||
can be used to generate
|
||||
.Pa Plain RSA keys
|
||||
.Li Plain RSA keys
|
||||
for authentication purposes.
|
||||
Using
|
||||
.Pa Plain RSA keys
|
||||
.Li Plain RSA keys
|
||||
is optional.
|
||||
Other possibilities are
|
||||
.Pa Pre-shared keys
|
||||
.Li Pre-shared keys
|
||||
or
|
||||
.Pa X.509 certificates .
|
||||
.Li X.509 certificates .
|
||||
.\"
|
||||
.Bl -tag -width Ds
|
||||
.It Fl b Ar bits
|
||||
bit length of the key.
|
||||
Default is
|
||||
.Pa 1024 ,
|
||||
.Li 1024 ,
|
||||
recommended length is
|
||||
.Pa 2048
|
||||
.Li 2048
|
||||
or even
|
||||
.Pa 4096
|
||||
.Li 4096
|
||||
bits.
|
||||
Note that generating longer keys takes longer time.
|
||||
Note that generating longer keys takes more time.
|
||||
.It Fl e Ar pubexp
|
||||
value of RSA public exponent.
|
||||
value of the RSA public exponent.
|
||||
Default is
|
||||
.Pa 0x3 .
|
||||
Don't change unless you really know what you are doing!
|
||||
.Li 0x3 .
|
||||
Don't change this unless you really know what you are doing!
|
||||
.It Fl f Ar outfile
|
||||
write the resulting key to
|
||||
.Pa outfile
|
||||
.Ar outfile
|
||||
instead of
|
||||
.Pa stdout .
|
||||
.Li stdout .
|
||||
If the file already exists it won't be overwritten.
|
||||
You wouldn't like to lose your private key by accident, would you?
|
||||
.El
|
||||
.\"
|
||||
.Sh OUTPUT FILE FORMAT
|
||||
This is the secret
|
||||
.Pa private key
|
||||
.Li private key
|
||||
that should
|
||||
.Ic never
|
||||
leave your computer:
|
||||
|
@ -107,11 +107,11 @@ leave your computer:
|
|||
.Ed
|
||||
.Pp
|
||||
The line
|
||||
.Pa pubkey=0sAQOrW...
|
||||
.Li pubkey=0sAQOrW...
|
||||
of the
|
||||
.Pa private key
|
||||
.Li private key
|
||||
contains a
|
||||
.Pa public key
|
||||
.Li public key
|
||||
that should be stored in the other peer's configuration in this format:
|
||||
.Bd -literal
|
||||
: PUB 0sAQOrWlcwbAIdNSMhDt...
|
||||
|
@ -119,24 +119,21 @@ that should be stored in the other peer's configuration in this format:
|
|||
.\"
|
||||
.Pp
|
||||
You can also specify
|
||||
.Pa from
|
||||
.Li from
|
||||
and
|
||||
.Pa to
|
||||
.Li to
|
||||
addresses for which the key is valid:
|
||||
.Bd -literal
|
||||
0.0.0.0/0 10.20.30.0/24 : PUB 0sAQOrWlcwbAIdNSMhDt...
|
||||
.Ed
|
||||
.\"
|
||||
.Ed
|
||||
.\"
|
||||
.Sh SEE ALSO
|
||||
.Xr racoon.conf 5 ,
|
||||
.Xr racoon 8
|
||||
.\"
|
||||
.Sh HISTORY
|
||||
The
|
||||
.Nm
|
||||
written by
|
||||
was written by
|
||||
.An Michal Ludvig Aq michal@logix.cz
|
||||
first appeared in
|
||||
and first appeared in
|
||||
.Ic ipsec-tools 0.4 .
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
.\" $NetBSD: racoon.8,v 1.5 2005/04/14 10:30:28 wiz Exp $
|
||||
.\" $NetBSD: racoon.8,v 1.6 2005/04/15 10:58:11 wiz Exp $
|
||||
.\"
|
||||
.\" Id: racoon.8,v 1.3 2004/07/12 20:35:58 ludvigm Exp
|
||||
.\"
|
||||
|
@ -40,7 +40,7 @@
|
|||
.Sh SYNOPSIS
|
||||
.Nm racoon
|
||||
.Bk -words
|
||||
.Op Fl BFvdL46
|
||||
.Op Fl 46BdFLv
|
||||
.Ek
|
||||
.Bk -words
|
||||
.Op Fl f Ar configfile
|
||||
|
@ -49,91 +49,89 @@
|
|||
.Op Fl l Ar logfile
|
||||
.Ek
|
||||
.Bk -words
|
||||
.Op Fl p Ar isakmp-port
|
||||
.Op Fl P Ar isakmp-natt-port
|
||||
.Ek
|
||||
.Bk -words
|
||||
.Op Fl P Ar isakmp-natt-port
|
||||
.Op Fl p Ar isakmp-port
|
||||
.Ek
|
||||
.\"
|
||||
.Sh DESCRIPTION
|
||||
.Nm
|
||||
speaks IKE
|
||||
speaks the IKE
|
||||
.Pq ISAKMP/Oakley
|
||||
key management protocol,
|
||||
to establish security association with other hosts.
|
||||
SPD
|
||||
to establish security associations with other hosts.
|
||||
The SPD
|
||||
.Pq Security Policy Database
|
||||
in the kernel usually triggers to start
|
||||
.Nm racoon .
|
||||
.Nm racoon
|
||||
usually sends all of informational messages, warnings and error messages to
|
||||
in the kernel usually triggers
|
||||
.Nm .
|
||||
.Nm
|
||||
usually sends all informational messages, warnings and error messages to
|
||||
.Xr syslogd 8
|
||||
with the facility LOG_DAEMON, the priority LOG_INFO.
|
||||
Debugging messages are sent with the priority LOG_DEBUG.
|
||||
with the facility
|
||||
.Dv LOG_DAEMON
|
||||
and the priority
|
||||
.Dv LOG_INFO .
|
||||
Debugging messages are sent with the priority
|
||||
.Dv LOG_DEBUG .
|
||||
You should configure
|
||||
.Xr syslog.conf 5
|
||||
appropriately to see these messages.
|
||||
.Bl -tag -width Ds
|
||||
.It Fl 4
|
||||
.It Fl 6
|
||||
Specify the default address family for the sockets.
|
||||
.It Fl B
|
||||
Install SA(s) from the file which is specified in
|
||||
.Xr racoon.conf 5 .
|
||||
.It Fl d
|
||||
Increase the debug level.
|
||||
Multiple
|
||||
.Fl d
|
||||
arguments will increase the debug level even more.
|
||||
.It Fl F
|
||||
Run
|
||||
.Nm racoon
|
||||
.Nm
|
||||
in the foreground.
|
||||
.It Fl f Ar configfile
|
||||
Use
|
||||
.Ar configfile
|
||||
as the configuration file instead of the default.
|
||||
.It Fl L
|
||||
Include
|
||||
.Ar file_name:line_number:function_name
|
||||
in all messages.
|
||||
.It Fl l Ar logfile
|
||||
Use
|
||||
.Ar logfile
|
||||
as the logging file instead of
|
||||
.Xr syslogd 8 .
|
||||
.It Fl p Ar isakmp-port
|
||||
Listen to ISAKMP key exchange on port
|
||||
.Ar isakmp-port
|
||||
instead of the default port number, 500.
|
||||
.It Fl P Ar isakmp-natt-port
|
||||
Use
|
||||
.Ar isakmp-natt-port
|
||||
for NAT-Traversal port-floating.
|
||||
The default is 4500.
|
||||
.It Fl p Ar isakmp-port
|
||||
Listen to the ISAKMP key exchange on port
|
||||
.Ar isakmp-port
|
||||
instead of the default port number, 500.
|
||||
.It Fl v
|
||||
The flag causes the packet dump be more verbose, with higher debugging level.
|
||||
.It Fl d
|
||||
Increase the debug level.
|
||||
Multiple
|
||||
.Fl d
|
||||
will increase the debug level even more.
|
||||
.It Fl L
|
||||
Include
|
||||
.Ar file_name:line_number:function_name
|
||||
location in all messages.
|
||||
.It Fl 4
|
||||
.It Fl 6
|
||||
Specifies the default address family for the sockets.
|
||||
This flag causes the packet dump be more verbose, with higher
|
||||
debugging level.
|
||||
.El
|
||||
.Pp
|
||||
.Nm
|
||||
assumes the presence of kernel random number device
|
||||
assumes the presence of the kernel random number device
|
||||
.Xr rnd 4
|
||||
at
|
||||
.Pa /dev/urandom .
|
||||
Informational messages are labeled
|
||||
.Em info ,
|
||||
and debugging messages are labeled
|
||||
.Em debug .
|
||||
You have to configure
|
||||
.Xr syslog.conf 5
|
||||
if you want to see them in a logging file.
|
||||
.\"
|
||||
.Sh RETURN VALUES
|
||||
The command exits with 0 on success, and non-zero on errors.
|
||||
.\"
|
||||
.Sh FILES
|
||||
.Bl -tag -width /usr/local/v6/etc/racoon.conf -compact
|
||||
.It Pa /usr/local/v6/etc/racoon.conf
|
||||
.Bl -tag -width /etc/racoon.conf -compact
|
||||
.It Pa /etc/racoon.conf
|
||||
default configuration file.
|
||||
.El
|
||||
.\"
|
||||
|
@ -147,11 +145,11 @@ default configuration file.
|
|||
.Sh HISTORY
|
||||
The
|
||||
.Nm
|
||||
command first appeared in
|
||||
command first appeared in the
|
||||
.Dq YIPS
|
||||
Yokogawa IPsec implementation.
|
||||
.\"
|
||||
.Sh SECURITY CONSIDERATIONS
|
||||
The use of IKE phase 1 aggressive mode is not recommended,
|
||||
as described in
|
||||
.Li http://www.kb.cert.org/vuls/id/886601 .
|
||||
.Pa http://www.kb.cert.org/vuls/id/886601 .
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
.\" $NetBSD: racoon.conf.5,v 1.11 2005/04/14 10:30:28 wiz Exp $
|
||||
.\" $NetBSD: racoon.conf.5,v 1.12 2005/04/15 10:58:11 wiz Exp $
|
||||
.\"
|
||||
.\" Id: racoon.conf.5,v 1.27.2.2 2005/03/16 23:18:43 manubsd Exp
|
||||
.\"
|
||||
|
@ -48,7 +48,7 @@ ISAKMP daemon.
|
|||
negotiates security associations for itself (ISAKMP SA, or phase 1 SA)
|
||||
and for kernel IPsec (IPsec SA, or phase 2 SA).
|
||||
The file consists of a sequence of directives and statements.
|
||||
Each directive is composed by a tag, and statements are enclosed by
|
||||
Each directive is composed by a tag and statements, enclosed by
|
||||
.Ql {
|
||||
and
|
||||
.Ql } .
|
||||
|
@ -82,7 +82,7 @@ number is always enclosed by
|
|||
and
|
||||
.Ql \&] .
|
||||
In this case, the port number is not an optional keyword.
|
||||
If it is possible to omit
|
||||
If it is possible to omit the
|
||||
.Ar port
|
||||
number,
|
||||
the expression becomes
|
||||
|
@ -110,7 +110,7 @@ The former must be prefixed with
|
|||
.It Ar file
|
||||
means any string enclosed in
|
||||
.Ql \&"
|
||||
.Pq double quote .
|
||||
.Pq double quotes .
|
||||
.It Ar address
|
||||
means IPv6 and/or IPv4 address.
|
||||
.It Ar port
|
||||
|
@ -133,38 +133,39 @@ specifies privilege separation parameters.
|
|||
When enabled, these enable
|
||||
.Xr racoon 8
|
||||
to operate with an unprivileged instance doing most of the work, while
|
||||
a privileged instance take care of performing the following operations
|
||||
a privileged instance takes care of performing the following operations
|
||||
as root: reading PSK and private keys, launching hook scripts, and
|
||||
validating passwords against system database or against PAM.
|
||||
validating passwords against system databases or against PAM.
|
||||
.Pp
|
||||
.Bl -tag -width Ds -compact
|
||||
.It Ic user Ar user ;
|
||||
The user the unprivileged instance of
|
||||
The user to which the unprivileged instance of
|
||||
.Xr racoon 8 ,
|
||||
should switch to.
|
||||
should switch.
|
||||
This can be a quoted user name or a numeric UID.
|
||||
.It Ic group Ar group ;
|
||||
The group the unprivileged instance of
|
||||
The group to which the unprivileged instance of
|
||||
.Xr racoon 8 ,
|
||||
should switch to. This can be a quoted group name or a numeric GID.
|
||||
should switch.
|
||||
This can be a quoted group name or a numeric GID.
|
||||
.It Ic chroot Ar path ;
|
||||
A directory where the unprivileged instance of
|
||||
A directory to which the unprivileged instance of
|
||||
.Xr racoon 8
|
||||
should
|
||||
.Xr chroot 2
|
||||
to.
|
||||
.Xr chroot 2 .
|
||||
This directory should hold a tree where the following files must be
|
||||
reachable:
|
||||
.Bl -tag -width Ds -compact
|
||||
.It Pa /dev/random
|
||||
.It Pa /dev/urandom
|
||||
.It The certificates
|
||||
.It The file containing the Xauth banner
|
||||
.It the certificates
|
||||
.It the file containing the Xauth banner
|
||||
.El
|
||||
.Pp
|
||||
The PSK file, the private keys, and the hook scripts are accessed through
|
||||
The PSK file, the private keys, and the hook scripts are accessed through the
|
||||
privileged instance of
|
||||
.Xr racoon 8
|
||||
privileged instance and do not need to be reachable in the
|
||||
and do not need to be reachable in the
|
||||
.Xr chroot 2 Ap ed
|
||||
tree.
|
||||
.El
|
||||
|
@ -190,16 +191,17 @@ See
|
|||
will search this directory if a certificate or certificate request is received.
|
||||
If you run with privilege separation,
|
||||
.Xr racoon 8
|
||||
will refuse to use a certificate
|
||||
stored outside of this directory.
|
||||
will refuse to use a certificate stored outside of this directory.
|
||||
.It Ic path backupsa Ar file ;
|
||||
specifies a file to be stored a SA information which is negotiated by racoon.
|
||||
specifies a file to which SA information which is negotiated by
|
||||
racoon should be stored.
|
||||
.Xr racoon 8
|
||||
will install SA(s) from the file with a boot option
|
||||
.Fl B .
|
||||
The file is increasing because
|
||||
will install SA(s) from the file when started with the
|
||||
.Fl B
|
||||
flag.
|
||||
The file is growing because
|
||||
.Xr racoon 8
|
||||
simply add a SA to the file at the moment.
|
||||
simply adds SAs to it.
|
||||
You should maintain the file manually.
|
||||
.It Ic path script Ar path
|
||||
.Xr racoon 8
|
||||
|
@ -243,9 +245,9 @@ The default time is 15 seconds.
|
|||
the maximum time it should take to complete phase 2.
|
||||
The default time is 10 seconds.
|
||||
.It Ic natt_keepalive Ar number Ar timeunit ;
|
||||
interval between sending NAT-Traversal keepalive packets.
|
||||
interval between sending NAT-Traversal keep-alive packets.
|
||||
The default time is 20 seconds.
|
||||
Set to 0s to disable.
|
||||
Set to 0s to disable keep-alive packets.
|
||||
.El
|
||||
.El
|
||||
.\"
|
||||
|
@ -256,11 +258,12 @@ If no
|
|||
.Ar listen
|
||||
directive is specified,
|
||||
.Xr racoon 8
|
||||
will listen on all of the available interface addresses.
|
||||
will listen on all available interface addresses.
|
||||
The following is the list of valid statements:
|
||||
.Pp
|
||||
.Bl -tag -width Ds -compact
|
||||
.\" How do I express bold brackets; `[' and `]' .
|
||||
.\" Answer: For bold brackets, do "Ic \&[ foo \&]".
|
||||
.\" Is the "Bq Ic [ Ar port ] ;" buggy ?
|
||||
.It Ic isakmp Ar address Bq Bq Ar port ;
|
||||
If this is specified,
|
||||
|
@ -279,7 +282,7 @@ with port 4500, which is specified by IANA.
|
|||
There is no default.
|
||||
.It Ic strict_address ;
|
||||
require that all addresses for ISAKMP must be bound.
|
||||
This statement will be ignored if you do not specify any addresses.
|
||||
This statement will be ignored if you do not specify any address.
|
||||
.El
|
||||
The
|
||||
.Ar listen
|
||||
|
@ -288,10 +291,10 @@ if racoon was built with support for admin port.
|
|||
.Bl -tag -width Ds -compact
|
||||
.It Ic adminsock Ar path Op Ar owner\ group\ mode ;
|
||||
.Ar path ,
|
||||
.Ar owner
|
||||
.Ar owner ,
|
||||
and
|
||||
.Ar group
|
||||
are the socket path, owner and group, they must be quoted.
|
||||
are the socket path, owner, and group; they must be quoted.
|
||||
Defaults are
|
||||
.Pa /var/racoon/racoon.sock ,
|
||||
UID 0, and GID 0.
|
||||
|
@ -351,16 +354,15 @@ directive.
|
|||
.Pp
|
||||
Sections with
|
||||
.Ic inherit Ar parent
|
||||
statement (where
|
||||
statements (where
|
||||
.Ar parent
|
||||
is either
|
||||
.Ar address
|
||||
or a keyword
|
||||
.Ic anonymous
|
||||
)
|
||||
.Ic anonymous )
|
||||
have all values predefined to those of a given
|
||||
.Ar parent .
|
||||
In these sections it's enough to redefine only changed parameters.
|
||||
In these sections it is enough to redefine only the changed parameters.
|
||||
.Pp
|
||||
The following are valid statements.
|
||||
.Pp
|
||||
|
@ -368,17 +370,17 @@ The following are valid statements.
|
|||
.\"
|
||||
.It Ic exchange_mode ( main \*(Ba aggressive \*(Ba base ) ;
|
||||
defines the exchange mode for phase 1 when racoon is the initiator.
|
||||
Also it means the acceptable exchange mode when racoon is responder.
|
||||
It also means the acceptable exchange mode when racoon is responder.
|
||||
More than one mode can be specified by separating them with a comma.
|
||||
All of the modes are acceptable.
|
||||
The first exchange mode is what racoon uses when it is the initiator.
|
||||
.\"
|
||||
.It Ic doi Ic ipsec_doi ;
|
||||
means to use IPsec DOI as specified RFC 2407.
|
||||
means to use IPsec DOI as specified in RFC 2407.
|
||||
You can omit this statement.
|
||||
.\"
|
||||
.It Ic situation Ic identity_only ;
|
||||
means to use SIT_IDENTITY_ONLY as specified RFC 2407.
|
||||
means to use SIT_IDENTITY_ONLY as specified in RFC 2407.
|
||||
You can omit this statement.
|
||||
.\"
|
||||
.It Ic identifier Ar idtype ;
|
||||
|
@ -389,10 +391,12 @@ Instead, use
|
|||
.It Ic my_identifier Ar idtype ... ;
|
||||
specifies the identifier sent to the remote host
|
||||
and the type to use in the phase 1 negotiation.
|
||||
.Ic address, fqdn , user_fqdn , keyid and asn1dn
|
||||
.Ic address, fqdn , user_fqdn , keyid ,
|
||||
and
|
||||
.Ic asn1dn
|
||||
can be used as an
|
||||
.Ar idtype .
|
||||
they are used like:
|
||||
Use them in the following way:
|
||||
.Bl -tag -width Ds -compact
|
||||
.It Ic my_identifier Ic address Bq Ar address ;
|
||||
the type is the IP address.
|
||||
|
@ -409,10 +413,10 @@ If
|
|||
.Ar string
|
||||
is omitted,
|
||||
.Xr racoon 8
|
||||
will get DN from Subject field in the certificate.
|
||||
will get the DN from the Subject field in the certificate.
|
||||
.El
|
||||
.\"
|
||||
.It Ic xauth_login Ic Bq Ar string ;
|
||||
.It Ic xauth_login Bq Ar string ;
|
||||
specifies the login to use in client-side Hybrid authentication.
|
||||
It is available only if
|
||||
.Xr racoon 8
|
||||
|
@ -431,7 +435,7 @@ If it is defined, the behavior of the verification depends on the flag of
|
|||
.Ic verify_identifier .
|
||||
The usage of
|
||||
.Ar idtype
|
||||
is same as
|
||||
is the same as
|
||||
.Ic my_identifier
|
||||
except that the individual component values of an
|
||||
.Ic asn1dn
|
||||
|
@ -447,7 +451,7 @@ If you want to verify the peer's identifier,
|
|||
set this to on.
|
||||
In this case, if the value defined by
|
||||
.Ic peers_identifier
|
||||
is not same to the peer's identifier in the ID payload,
|
||||
is not the same as the peer's identifier in the ID payload,
|
||||
the negotiation will failed.
|
||||
The default is off.
|
||||
.\"
|
||||
|
@ -458,9 +462,9 @@ is one of followings:
|
|||
.Bl -tag -width Ds -compact
|
||||
.It Ic x509 Ar certfile Ar privkeyfile ;
|
||||
.Ar certfile
|
||||
means a file name of certificate.
|
||||
means a file name of a certificate.
|
||||
.Ar privkeyfile
|
||||
means a file name of secret key.
|
||||
means a file name of a secret key.
|
||||
.El
|
||||
.It Ic ca_type Ar cacertspec ;
|
||||
specifies a root certificate authority specification.
|
||||
|
@ -497,13 +501,13 @@ and will use this certificate as the peer's certificate.
|
|||
.\"
|
||||
.It Ic script Ar script Ic phase1_up
|
||||
.It Ic script Ar script Ic phase1_down
|
||||
Shell scripts that get executed when an phase 1 SA goes up or down.
|
||||
Both script get either
|
||||
Shell scripts that get executed when a phase 1 SA goes up or down.
|
||||
Both scripts get either
|
||||
.Ic phase1_up
|
||||
or
|
||||
.Ic phase1_down
|
||||
as first argument, and the following
|
||||
variable are set in their environment:
|
||||
variables are set in their environment:
|
||||
.Bl -tag -width Ds -compact
|
||||
.It Ev LOCAL_ADDR
|
||||
The local address of the phase 1 SA.
|
||||
|
@ -539,25 +543,24 @@ set this to off.
|
|||
The default is on.
|
||||
.\"
|
||||
.It Ic lifetime time Ar number Ar timeunit ;
|
||||
define a lifetime of a certain time
|
||||
Define a lifetime of a certain time
|
||||
which will be proposed in the phase 1 negotiations.
|
||||
Any proposal will be accepted, and the attribute(s) will be not proposed to
|
||||
the peer if you do not specify it(them).
|
||||
the peer if you do not specify it (them).
|
||||
They can be individually specified in each proposal.
|
||||
.\"
|
||||
.It Ic ike_frag (on \(ba off) ;
|
||||
Enable receiver-side IKE fragmentation, if
|
||||
.Xr racoon 8
|
||||
has been build with
|
||||
this feature.
|
||||
This extension is there to workaround
|
||||
has been built with this feature.
|
||||
This extension is there to work around
|
||||
broken firewalls that do not work with fragmented UDP packets.
|
||||
IKE fragmentation is always enabled on the sender-side, and
|
||||
it is used if the peer advertise itself as IKE fragmentation capable.
|
||||
it is used if the peer advertises itself as IKE fragmentation capable.
|
||||
.\"
|
||||
.It Ic esp_frag Ar fraglen ;
|
||||
This option is only relevant if you use NAT traversal in tunnel mode.
|
||||
Its purpose is to workaround broken DSL routers that reject UDP
|
||||
Its purpose is to work around broken DSL routers that reject UDP
|
||||
fragments, by fragmenting the IP packets before ESP encapsulation.
|
||||
The result is ESP over UDP of fragmented packets instead of fragmented
|
||||
ESP over UDP packets.
|
||||
|
@ -566,23 +569,23 @@ is the maximum size of the fragments.
|
|||
552 should work anywhere,
|
||||
but the higher
|
||||
.Ar fraglen
|
||||
is, the better the performances are.
|
||||
is, the better is the performance.
|
||||
.Pp
|
||||
Note that because PMTU discovery is broken on many sites, you will have to
|
||||
use MSS clamping if you want TCP to work correctly.
|
||||
Note that because PMTU discovery is broken on many sites, you will
|
||||
have to use MSS clamping if you want TCP to work correctly.
|
||||
.\"
|
||||
.It Ic initial_contact (on \(ba off) ;
|
||||
enable this to send an INITIAL-CONTACT message.
|
||||
The default value is
|
||||
.Ic on .
|
||||
This message is useful only when
|
||||
the implementation of the responder choices an old SA when there are multiple
|
||||
SAs which are different established time, and the initiator reboots.
|
||||
If racoon did not use the message,
|
||||
the responder would use an old SA even when an new SA was established.
|
||||
The KAME stack has the switch in the system wide value,
|
||||
the implementation of the responder chooses an old SA when there are multiple
|
||||
SAs with different established time, and the initiator reboots.
|
||||
If racoon did not send the message,
|
||||
the responder would use an old SA even when a new SA was established.
|
||||
The KAME stack has the switch in the system wide value
|
||||
net.key.preferred_oldsa.
|
||||
when the value is zero, the stack always use an new SA.
|
||||
when the value is zero, the stack always uses a new SA.
|
||||
.\"
|
||||
.It Ic passive (on \(ba off) ;
|
||||
If you do not want to initiate the negotiation, set this to on.
|
||||
|
@ -598,7 +601,7 @@ The default level is
|
|||
.Ic strict .
|
||||
If the
|
||||
.Ar level
|
||||
is;
|
||||
is:
|
||||
.Bl -tag -width Ds -compact
|
||||
.It Ic obey
|
||||
the responder will obey the initiator anytime.
|
||||
|
@ -616,7 +619,7 @@ If the responder's length is
|
|||
shorter than the initiator's one, the responder uses its own length
|
||||
AND sends a RESPONDER-LIFETIME notify message to an initiator in the
|
||||
case of lifetime (phase 2 only).
|
||||
About PFS, this directive is same as
|
||||
For PFS, this directive behaves the same as
|
||||
.Ic strict .
|
||||
.It Ic exact
|
||||
If the initiator's length is not equal to the responder's one, the
|
||||
|
@ -626,28 +629,29 @@ the initiator's one, then the responder will reject the proposal.
|
|||
.El
|
||||
.\"
|
||||
.It Ic support_proxy (on \(ba off) ;
|
||||
If this value is set on then both values of ID payloads in phase 2 exchange
|
||||
are always used as the addresses of end-point of IPsec-SAs.
|
||||
If this value is set to on, then both values of ID payloads in the
|
||||
phase 2 exchange are always used as the addresses of end-point of
|
||||
IPsec-SAs.
|
||||
The default is off.
|
||||
.\"
|
||||
.It Ic generate_policy (on \(ba off) ;
|
||||
This directive is for the responder.
|
||||
Therefore you should set
|
||||
.Ic passive
|
||||
on in order that
|
||||
to on in order that
|
||||
.Xr racoon 8
|
||||
only becomes a responder.
|
||||
If the responder does not have any policy in SPD during phase 2 negotiation,
|
||||
and the directive is set on, then
|
||||
If the responder does not have any policy in SPD during phase 2
|
||||
negotiation, and the directive is set to on, then
|
||||
.Xr racoon 8
|
||||
will choice the first proposal in the
|
||||
will choose the first proposal in the
|
||||
SA payload from the initiator, and generate policy entries from the proposal.
|
||||
It is useful to negotiate with the client which is allocated IP address
|
||||
It is useful to negotiate with clients whose IP address is allocated
|
||||
dynamically.
|
||||
Note that inappropriate policy might be installed into the responder's SPD
|
||||
by the initiator.
|
||||
So that other communication might fail if such policies installed
|
||||
due to some policy mismatches between the initiator and the responder.
|
||||
Note that an inappropriate policy might be installed into the responder's SPD
|
||||
by the initiator,
|
||||
so other communications might fail if such policies are installed
|
||||
due to a policy mismatch between the initiator and the responder.
|
||||
This directive is ignored in the initiator case.
|
||||
The default value is
|
||||
.Ic off .
|
||||
|
@ -656,31 +660,31 @@ The default value is
|
|||
.It Ic nat_traversal (on \(ba off \(ba force) ;
|
||||
This directive enables use of the NAT-Traversal IPsec extension
|
||||
(NAT-T).
|
||||
NAT-T allows one or both peers to reside behind a NAT gateway (i.e.
|
||||
NAT-T allows one or both peers to reside behind a NAT gateway (i.e.,
|
||||
doing address- or port-translation).
|
||||
Presence of NAT gateways along the path
|
||||
is discovered during phase 1 handshake and if found, NAT-T is negotiated.
|
||||
When NAT-T is in charge all ESP and AH packets of a given connection
|
||||
When NAT-T is in charge, all ESP and AH packets of a given connection
|
||||
are encapsulated into UDP datagrams (port 4500, by default).
|
||||
Possible values are:
|
||||
.Bl -tag -width Ds -compact
|
||||
.It Ic on
|
||||
NAT-T is used when NAT gateway is detected between the peers.
|
||||
NAT-T is used when a NAT gateway is detected between the peers.
|
||||
.It Ic off
|
||||
NAT-T is not proposed/accepted.
|
||||
This is the default.
|
||||
.It Ic force
|
||||
NAT-T is used regardless if there is a NAT between the peers or not.
|
||||
NAT-T is used regardless if a NAT is detected between the peers or not.
|
||||
.El
|
||||
Please note that NAT-T support is a compile time option.
|
||||
Please note that NAT-T support is a compile-time option.
|
||||
Although it is enabled in the source distribution by default, it
|
||||
may not be available in your particular build.
|
||||
In that case you will get a
|
||||
warning when using any of NAT-T related config options.
|
||||
warning when using any NAT-T related config options.
|
||||
.\"
|
||||
.It Ic dpd_delay Ar delay ;
|
||||
This option activates the DPD and sets the time (in seconds) allowed
|
||||
between 2 proofs of aliveness requests.
|
||||
between 2 proof of liveness requests.
|
||||
The default value is
|
||||
.Ic 0 ,
|
||||
which disables DPD monitoring, but still negotiates DPD support.
|
||||
|
@ -689,14 +693,14 @@ which disables DPD monitoring, but still negotiates DPD support.
|
|||
If
|
||||
.Ic dpd_delay
|
||||
is set, this sets the delay (in seconds) to wait for a proof of
|
||||
aliveness before considering it as failed and send another request.
|
||||
liveness before considering it as failed and send another request.
|
||||
The default value is
|
||||
.Ic 5 .
|
||||
.\"
|
||||
.It Ic dpd_maxfail Ar number ;
|
||||
If
|
||||
.Ic dpd_delay
|
||||
is set, this sets the maximum number of proof of aliveness to request
|
||||
is set, this sets the maximum number of proof of liveness to request
|
||||
(without reply) before considering the peer is dead.
|
||||
The default value is
|
||||
.Ic 5 .
|
||||
|
@ -747,14 +751,14 @@ is one of following:
|
|||
.Ic modp768 , modp1024 , modp1536 ,
|
||||
.Ic modp2048 , modp3072 , modp4096 ,
|
||||
.Ic modp6144 , modp8192 .
|
||||
Or you can define 1, 2, 5, 14, 15, 16, 17 or 18 as the DH group number.
|
||||
Or you can define 1, 2, 5, 14, 15, 16, 17, or 18 as the DH group number.
|
||||
When you want to use aggressive mode,
|
||||
you must define same DH group in each proposal.
|
||||
you must define the same DH group in each proposal.
|
||||
.It Ic lifetime time Ar number Ar timeunit ;
|
||||
define lifetime of the phase 1 SA proposal.
|
||||
Refer to the description of
|
||||
Refer to the description of the
|
||||
.Ic lifetime
|
||||
directive immediately defined in
|
||||
directive defined in the
|
||||
.Ic remote
|
||||
directive.
|
||||
.It Ic gss_id Ar string ;
|
||||
|
@ -820,7 +824,7 @@ is one of following:
|
|||
.Ic modp768 , modp1024 , modp1536 ,
|
||||
.Ic modp2048 , modp3072 , modp4096 ,
|
||||
.Ic modp6144 , modp8192 .
|
||||
Or you can define 1, 2, 5, 14, 15, 16, 17 or 18 as the DH group number.
|
||||
Or you can define 1, 2, 5, 14, 15, 16, 17, or 18 as the DH group number.
|
||||
.\"
|
||||
.It Ic lifetime time Ar number Ar timeunit ;
|
||||
define the lifetime of amount of time
|
||||
|
@ -833,17 +837,17 @@ directive.
|
|||
.\"
|
||||
.It Ic my_identifier Ar idtype ... ;
|
||||
is obsolete.
|
||||
It does not make sense to specify a identifier in the phase 2.
|
||||
It does not make sense to specify an identifier in the phase 2.
|
||||
.El
|
||||
.\"
|
||||
.Pp
|
||||
.Xr racoon 8
|
||||
does not have the list of security protocols to be negotiated.
|
||||
does not have a list of security protocols to be negotiated.
|
||||
The list of security protocols are passed by SPD in the kernel.
|
||||
Therefore you have to define all of the potential algorithms
|
||||
in the phase 2 proposals even if there is a algorithm which will not be used.
|
||||
in the phase 2 proposals even if there are algorithms which will not be used.
|
||||
These algorithms are define by using the following three directives,
|
||||
and they are lined with single comma as the separator.
|
||||
with a single comma as the separator.
|
||||
For algorithms that can take variable-length keys, algorithm names
|
||||
can be followed by a key length, like
|
||||
.Dq Li blowfish 448 .
|
||||
|
@ -889,12 +893,12 @@ Note that the kernel may not support the algorithm you have specified.
|
|||
define logging level.
|
||||
.Ar level
|
||||
is one of following:
|
||||
.Ic notify , debug
|
||||
.Ic notify , debug ,
|
||||
and
|
||||
.Ic debug2 .
|
||||
The default is
|
||||
.Ic notify .
|
||||
If you put too high logging level on slower machines,
|
||||
If you set the logging level too high on slower machines,
|
||||
IKE negotiation can fail due to timing constraint changes.
|
||||
.El
|
||||
.\"
|
||||
|
@ -917,10 +921,11 @@ If
|
|||
is off, this is ignored.
|
||||
The default is 20 bytes.
|
||||
.It Ic exclusive_tail (on \(ba off) ;
|
||||
means to put the number of pad bytes minus one into last part of the padding.
|
||||
means to put the number of pad bytes minus one into the last part
|
||||
of the padding.
|
||||
The default is on.
|
||||
.It Ic strict_check (on \(ba off) ;
|
||||
means to be constrained the peer to set the number of pad bytes.
|
||||
means to constrain the peer to set the number of pad bytes.
|
||||
The default is off.
|
||||
.El
|
||||
.El
|
||||
|
@ -946,13 +951,13 @@ This is the default.
|
|||
means to use a RADIUS server.
|
||||
It works only if
|
||||
.Xr racoon 8
|
||||
was build with libradius support, and the configuration is done in
|
||||
was built with libradius support, and the configuration is done in
|
||||
.Xr radius.conf 5 .
|
||||
.Ar pam
|
||||
means to use PAM.
|
||||
It works only if
|
||||
.Xr racoon 8
|
||||
was build with libpam support.
|
||||
was built with libpam support.
|
||||
.It Ic conf_source (local \(ba radius) ;
|
||||
Specify the source for IP addresses and netmask of users authenticated
|
||||
through Xauth/hybrid auth.
|
||||
|
@ -967,7 +972,7 @@ This is the default.
|
|||
means to use a RADIUS server.
|
||||
It works only if
|
||||
.Xr racoon 8
|
||||
was build with libradius support, and the configuration is done in
|
||||
was built with libradius support, and the configuration is done in
|
||||
.Xr radius.conf 5 .
|
||||
RADIUS configuration requires RADIUS authentication.
|
||||
.It Ic accounting (none \(ba radius \(ba pam) ;
|
||||
|
@ -979,16 +984,15 @@ which disable accounting.
|
|||
enable RADIUS accounting.
|
||||
It works only if
|
||||
.Xr racoon 8
|
||||
was build with libradius support, and the configuration is done in
|
||||
was built with libradius support, and the configuration is done in
|
||||
.Xr radius.conf 5 .
|
||||
RADIUS accounting require RADIUS authentication.
|
||||
.Ar pam
|
||||
enable PAM accounting.
|
||||
It works only if
|
||||
.Xr racoon 8
|
||||
was build with libpam support.
|
||||
PAM accounting require
|
||||
PAM authentication.
|
||||
was built with libpam support.
|
||||
PAM accounting requires PAM authentication.
|
||||
.It Ic pool_size Ar size
|
||||
Specify the size of the IP address pool, either local or allocated
|
||||
through RADIUS.
|
||||
|
@ -1044,19 +1048,21 @@ The default value is
|
|||
.El
|
||||
.\"
|
||||
.Ss Pre-shared key File
|
||||
Pre-shared key file defines a pair of the identifier and the shared secret key
|
||||
which are used at Pre-shared key authentication method in phase 1.
|
||||
The pair in each lines are separated by some number of blanks and/or tab
|
||||
characters like
|
||||
.Xr hosts 5 .
|
||||
Key can be included any blanks because all of the words after the second column
|
||||
are interpreted as a secret key.
|
||||
Lines start with
|
||||
The pre-shared key file defines pairs of identifiers and corresponding
|
||||
shared secret keys which are used in the pre-shared key authentication
|
||||
method in phase 1.
|
||||
The pair in each line is separated by some number of blanks and/or tab
|
||||
characters like in the
|
||||
.Xr hosts 5
|
||||
file.
|
||||
Key can include blanks because everything after the first blanks
|
||||
is interpreted as the secret key.
|
||||
Lines starting with
|
||||
.Ql #
|
||||
are ignored.
|
||||
Keys which start with
|
||||
.Ql 0x
|
||||
are hexadecimal strings.
|
||||
are interpreted as hexadecimal strings.
|
||||
Note that the file must be owned by the user ID running
|
||||
.Xr racoon 8
|
||||
.Pq usually the privileged user ,
|
||||
|
@ -1088,7 +1094,7 @@ sainfo anonymous
|
|||
}
|
||||
.Ed
|
||||
.Pp
|
||||
The following is a sample of the file defined pre-shared key.
|
||||
The following is a sample for the pre-shared key file.
|
||||
.Bd -literal -offset
|
||||
10.160.94.3 mekmitasdigoat
|
||||
172.16.1.133 0x12345678
|
||||
|
@ -1107,7 +1113,7 @@ foo.kame.net hoge
|
|||
.Sh HISTORY
|
||||
The
|
||||
.Nm
|
||||
configuration file first appeared in
|
||||
configuration file first appeared in the
|
||||
.Dq YIPS
|
||||
Yokogawa IPsec implementation.
|
||||
.\"
|
||||
|
@ -1116,8 +1122,8 @@ Some statements may not be handled by
|
|||
.Xr racoon 8
|
||||
yet.
|
||||
.Pp
|
||||
Diffie-Hellman computation can take a very long time,
|
||||
and may cause unwanted timeouts, specifically when large D-H group is used.
|
||||
Diffie-Hellman computation can take a very long time, and may cause
|
||||
unwanted timeouts, specifically when a large D-H group is used.
|
||||
.\"
|
||||
.Sh SECURITY CONSIDERATIONS
|
||||
The use of IKE phase 1 aggressive mode is not recommended,
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
.\" $NetBSD: racoonctl.8,v 1.8 2005/04/14 10:31:35 wiz Exp $
|
||||
.\" $NetBSD: racoonctl.8,v 1.9 2005/04/15 10:58:11 wiz Exp $
|
||||
.\"
|
||||
.\" Id: racoonctl.8,v 1.2.4.1 2005/02/24 18:04:42 manubsd Exp
|
||||
.\"
|
||||
|
@ -78,7 +78,7 @@ and
|
|||
.Xr racoon 8
|
||||
is done through a UNIX socket.
|
||||
By changing the default mode and ownership
|
||||
of the socket, you can allow non root users to alter
|
||||
of the socket, you can allow non-root users to alter
|
||||
.Xr racoon 8
|
||||
behavior, so do that with caution.
|
||||
.Pp
|
||||
|
@ -88,34 +88,33 @@ The following commands are available:
|
|||
This should cause
|
||||
.Xr racoon 8
|
||||
to reload its configuration file.
|
||||
This seems completely broken at the time
|
||||
this man page is written.
|
||||
This seems completely broken at the time this man page is written.
|
||||
.It show-schedule
|
||||
Unknown command.
|
||||
.It show-sa Op isakmp|esp|ah|ipsec
|
||||
Dump the SA: All the SA if no SA class is provided, or either ISAKMP SA,
|
||||
IPsec ESP SA, or IPsec AH SA, or all IPsec SA.
|
||||
Dump the SA: All the SAs if no SA class is provided, or either ISAKMP SAs,
|
||||
IPsec ESP SAs, IPsec AH SAs, or all IPsec SAs.
|
||||
Use
|
||||
.Fl l
|
||||
to increase verbosity.
|
||||
.It flush-sa Op isakmp|esp|ah|ipsec
|
||||
is used to flush all SAs if no SA class is provided, or a class of SA,
|
||||
either ISAKMP SA, IPsec ESP SA, or IPsec AH SA, or all IPsec SA.
|
||||
is used to flush all SAs if no SA class is provided, or a class of SAs,
|
||||
either ISAKMP SAs, IPsec ESP SAs, IPsec AH SAs, or all IPsec SAs.
|
||||
.It Xo establish-sa
|
||||
.Oo Fl u Ar username
|
||||
.Oc Ar saopts
|
||||
.Xc
|
||||
Establish a SA, either a ISAKMP SA, IPsec ESP SA, or IPsec AH SA.
|
||||
Establish an SA, either an ISAKMP SA, IPsec ESP SA, or IPsec AH SA.
|
||||
The optional
|
||||
.Fl u Ar username
|
||||
can be used when establishing an ISAKMP SA while hybrid auth is in use.
|
||||
.Nm
|
||||
will prompt you for the password associated with
|
||||
.Ar username
|
||||
and theses credentials will be used in the Xauth exchange.
|
||||
and these credentials will be used in the Xauth exchange.
|
||||
.Pp
|
||||
.Ar saopts
|
||||
can have the following formats:
|
||||
has the following format:
|
||||
.Bl -tag -width Bl
|
||||
.It isakmp {inet|inet6} Ar src Ar dst
|
||||
.It {esp|ah} {inet|inet6} Ar src/prefixlen/port Ar dst/prefixlen/port
|
||||
|
@ -129,7 +128,7 @@ This is a particular case of the previous command.
|
|||
It will establish an ISAKMP SA with
|
||||
.Ar vpn_gateway .
|
||||
.It delete-sa Ar saopts
|
||||
Delete a SA, either a ISAKMP SA, IPsec ESP SA, or IPsec AH SA.
|
||||
Delete an SA, either an ISAKMP SA, IPsec ESP SA, or IPsec AH SA.
|
||||
.It vpn-disconnect Ar vpn_gateway
|
||||
This is a particular case of the previous command.
|
||||
It will kill all SAs associated with
|
||||
|
@ -140,31 +139,41 @@ Dump all events reported by
|
|||
then quit.
|
||||
The
|
||||
.Fl l
|
||||
causes
|
||||
flag causes
|
||||
.Nm
|
||||
to not stop once all the events have been read, but rather to loop
|
||||
awaiting and reporting new events.
|
||||
.El
|
||||
.Pp
|
||||
Command shortcuts are available:
|
||||
.Bl -tag -width Bl
|
||||
.It rc reload-config
|
||||
.It ss show-sa
|
||||
.It sc show-schedule
|
||||
.It fs flush-sa
|
||||
.It ds delete-sa
|
||||
.It es establish-sa
|
||||
.It vc vpn-connect
|
||||
.It vd vpn-disconnect
|
||||
.It se show-event
|
||||
.Bl -tag -width XXX -compact -offset indent
|
||||
.It rc
|
||||
reload-config
|
||||
.It ss
|
||||
show-sa
|
||||
.It sc
|
||||
show-schedule
|
||||
.It fs
|
||||
flush-sa
|
||||
.It ds
|
||||
delete-sa
|
||||
.It es
|
||||
establish-sa
|
||||
.It vc
|
||||
vpn-connect
|
||||
.It vd
|
||||
vpn-disconnect
|
||||
.It se
|
||||
show-event
|
||||
.El
|
||||
.\"
|
||||
.Sh RETURN VALUES
|
||||
The command should exit with 0 on success, and non-zero on errors.
|
||||
.\"
|
||||
.Sh FILES
|
||||
.Bl -tag -width Bl
|
||||
.It Pa /var/racoon/racoon.sock or Pa /var/run/racoon.sock
|
||||
.Bl -tag -width 30n -compact
|
||||
.It Pa /var/racoon/racoon.sock No or
|
||||
.It Pa /var/run/racoon.sock
|
||||
.Xr racoon 8
|
||||
control socket.
|
||||
.El
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
.\" $NetBSD: setkey.8,v 1.6 2005/04/14 10:24:43 wiz Exp $
|
||||
.\" $NetBSD: setkey.8,v 1.7 2005/04/15 10:58:11 wiz Exp $
|
||||
.\"
|
||||
.\" $KAME: setkey.8,v 1.93 2003/09/24 23:44:46 itojun Exp $
|
||||
.\"
|
||||
|
@ -39,16 +39,16 @@
|
|||
.\"
|
||||
.Sh SYNOPSIS
|
||||
.Nm setkey
|
||||
.Op Fl nvrk
|
||||
.Op Fl knrv
|
||||
.Ar file ...
|
||||
.Nm setkey
|
||||
.Op Fl nvrk
|
||||
.Op Fl knrv
|
||||
.Fl c
|
||||
.Nm setkey
|
||||
.Op Fl vrk
|
||||
.Op Fl krv
|
||||
.Fl f Ar filename
|
||||
.Nm setkey
|
||||
.Op Fl aPlvrk
|
||||
.Op Fl aklPrv
|
||||
.Fl D
|
||||
.Nm setkey
|
||||
.Op Fl Pv
|
||||
|
@ -57,8 +57,7 @@
|
|||
.Op Fl H
|
||||
.Fl x
|
||||
.Nm setkey
|
||||
.Op Fl ?
|
||||
.Op Fl V
|
||||
.Op Fl ?V
|
||||
.\"
|
||||
.Sh DESCRIPTION
|
||||
.Nm
|
||||
|
@ -67,7 +66,7 @@ Security Association Database (SAD) entries
|
|||
as well as Security Policy Database (SPD) entries in the kernel.
|
||||
.Pp
|
||||
.Nm
|
||||
takes a series of operations from the standard input
|
||||
takes a series of operations from standard input
|
||||
.Po
|
||||
if invoked with
|
||||
.Fl c
|
||||
|
@ -82,28 +81,29 @@ if invoked with
|
|||
.It (no flag)
|
||||
Dump the SAD entries or SPD entries contained in the specified
|
||||
.Ar file .
|
||||
.It Fl D
|
||||
Dump the SAD entries.
|
||||
If with
|
||||
.Fl P ,
|
||||
the SPD entries are dumped.
|
||||
.It Fl F
|
||||
Flush the SAD entries.
|
||||
If with
|
||||
.Fl P ,
|
||||
the SPD entries are flushed.
|
||||
.It Fl ?
|
||||
Print short help.
|
||||
.It Fl a
|
||||
.Nm
|
||||
usually does not display dead SAD entries with
|
||||
.Fl D .
|
||||
If with
|
||||
.Fl a ,
|
||||
the dead SAD entries will be displayed as well.
|
||||
A dead SAD entry means that
|
||||
it has been expired but remains in the system
|
||||
because it is referenced by some SPD entries.
|
||||
If
|
||||
.Fl a
|
||||
is also specified, the dead SAD entries will be displayed as well.
|
||||
A dead SAD entry is one that has expired but remains in the
|
||||
system because it is referenced by some SPD entries.
|
||||
.It Fl D
|
||||
Dump the SAD entries.
|
||||
If
|
||||
.Fl P
|
||||
is also specified, the SPD entries are dumped.
|
||||
.It Fl F
|
||||
Flush the SAD entries.
|
||||
If
|
||||
.Fl P
|
||||
is also specified, the SPD entries are dumped.
|
||||
.It Fl H
|
||||
Add hexadecimal dump on
|
||||
Add hexadecimal dump in
|
||||
.Fl x
|
||||
mode.
|
||||
.It Fl h
|
||||
|
@ -113,37 +113,39 @@ synonym for
|
|||
.Fl H .
|
||||
On other systems, synonym for
|
||||
.Fl ? .
|
||||
.It Fl k
|
||||
Use semantics used in kernel.
|
||||
Available only in Linux.
|
||||
See also
|
||||
.Fl r .
|
||||
.It Fl l
|
||||
Loop forever with short output on
|
||||
.Fl D .
|
||||
.It Fl v
|
||||
Be verbose.
|
||||
The program will dump messages exchanged on
|
||||
.Dv PF_KEY
|
||||
socket, including messages sent from other processes to the kernel.
|
||||
.It Fl n
|
||||
No action.
|
||||
The program will check validity of input, but no changes to the SPD will
|
||||
be made.
|
||||
The program will check validity of the input, but no changes to
|
||||
the SPD will be made.
|
||||
.It Fl r
|
||||
Use semantics described in IPsec RFCs.
|
||||
This mode is default.
|
||||
For details see section
|
||||
.Sx RFC vs Linux kernel semantics .
|
||||
Available only in Linux.
|
||||
.It Fl k
|
||||
Use semantics used in kernel.
|
||||
Available only in Linux.
|
||||
See also
|
||||
.Fl k .
|
||||
.It Fl x
|
||||
Loop forever and dump all the messages transmitted to
|
||||
Loop forever and dump all the messages transmitted to the
|
||||
.Dv PF_KEY
|
||||
socket.
|
||||
.Fl xx
|
||||
makes each timestamps unformatted.
|
||||
.It Fl ?
|
||||
Print short help.
|
||||
prints the unformatted timestamps.
|
||||
.It Fl V
|
||||
Print version string.
|
||||
.It Fl v
|
||||
Be verbose.
|
||||
The program will dump messages exchanged on the
|
||||
.Dv PF_KEY
|
||||
socket, including messages sent from other processes to the kernel.
|
||||
.El
|
||||
.Ss Configuration syntax
|
||||
With
|
||||
|
@ -153,7 +155,9 @@ or
|
|||
on the command line,
|
||||
.Nm
|
||||
accepts the following configuration syntax.
|
||||
Lines starting with hash signs ('#') are treated as comment lines.
|
||||
Lines starting with hash signs
|
||||
.Pq Sq #
|
||||
are treated as comment lines.
|
||||
.Bl -tag -width Ds
|
||||
.It Xo
|
||||
.Li add
|
||||
|
@ -165,8 +169,8 @@ Lines starting with hash signs ('#') are treated as comment lines.
|
|||
.Xc
|
||||
Add an SAD entry.
|
||||
.Li add
|
||||
can fail with multiple reasons,
|
||||
including when the key length does not match the specified algorithm.
|
||||
can fail for multiple reasons, including when the key length does
|
||||
not match the specified algorithm.
|
||||
.\"
|
||||
.It Xo
|
||||
.Li get
|
||||
|
@ -223,7 +227,7 @@ Add an SPD entry.
|
|||
.Ar tag Ar policy
|
||||
.Li ;
|
||||
.Xc
|
||||
Add an SPD entry based on PF tag.
|
||||
Add an SPD entry based on a PF tag.
|
||||
.Ar tag
|
||||
must be a string surrounded by double quotes.
|
||||
.\"
|
||||
|
@ -259,7 +263,7 @@ Meta-arguments are as follows:
|
|||
.It Ar src
|
||||
.It Ar dst
|
||||
Source/destination of the secure communication is specified as
|
||||
IPv4/v6 address.
|
||||
an IPv4/v6 address.
|
||||
.Nm
|
||||
can resolve a FQDN into numeric addresses.
|
||||
If the FQDN resolves into multiple addresses,
|
||||
|
@ -267,10 +271,10 @@ If the FQDN resolves into multiple addresses,
|
|||
will install multiple SAD/SPD entries into the kernel
|
||||
by trying all possible combinations.
|
||||
.Fl 4 ,
|
||||
.Fl 6
|
||||
.Fl 6 ,
|
||||
and
|
||||
.Fl n
|
||||
restricts the address resolution of FQDN in certain ways.
|
||||
restrict the address resolution of FQDN in certain ways.
|
||||
.Fl 4
|
||||
and
|
||||
.Fl 6
|
||||
|
@ -303,11 +307,11 @@ Security Parameter Index
|
|||
.Pq SPI
|
||||
for the SAD and the SPD.
|
||||
.Ar spi
|
||||
must be a decimal number, or a hexadecimal number with
|
||||
must be a decimal number, or a hexadecimal number with a
|
||||
.Dq Li 0x
|
||||
prefix.
|
||||
SPI values between 0 and 255 are reserved for future use by IANA
|
||||
and they cannot be used.
|
||||
and cannot be used.
|
||||
TCP-MD5 associations must use 0x1000 and therefore only have per-host
|
||||
granularity at this time.
|
||||
.\"
|
||||
|
@ -320,7 +324,7 @@ take some of the following:
|
|||
Specify a security protocol mode for use.
|
||||
.Ar mode
|
||||
is one of following:
|
||||
.Li transport , tunnel
|
||||
.Li transport , tunnel ,
|
||||
or
|
||||
.Li any .
|
||||
The default value is
|
||||
|
@ -332,10 +336,10 @@ Specify window size of bytes for replay prevention.
|
|||
must be decimal number in 32-bit word.
|
||||
If
|
||||
.Ar size
|
||||
is zero or not specified, replay check don't take place.
|
||||
is zero or not specified, replay checks don't take place.
|
||||
.\"
|
||||
.It Fl u Ar id
|
||||
Specify the identifier of the policy entry in SPD.
|
||||
Specify the identifier of the policy entry in the SPD.
|
||||
See
|
||||
.Ar policy .
|
||||
.\"
|
||||
|
@ -345,15 +349,15 @@ defines the content of the ESP padding.
|
|||
is one of following:
|
||||
.Bl -tag -width random-pad -compact
|
||||
.It Li zero-pad
|
||||
All of the padding are zero.
|
||||
All the paddings are zero.
|
||||
.It Li random-pad
|
||||
A series of randomized values are set.
|
||||
A series of randomized values are used.
|
||||
.It Li seq-pad
|
||||
A series of sequential increasing numbers started from 1 are set.
|
||||
A series of sequential increasing numbers started from 1 are used.
|
||||
.El
|
||||
.\"
|
||||
.It Fl f Li nocyclic-seq
|
||||
Don't allow cyclic sequence number.
|
||||
Don't allow cyclic sequence numbers.
|
||||
.\"
|
||||
.It Fl lh Ar time
|
||||
.It Fl ls Ar time
|
||||
|
@ -368,14 +372,14 @@ Specify hard/soft life time duration of the SA measured in bytes transported.
|
|||
.It Ar algorithm
|
||||
.Bl -tag -width Fl -compact
|
||||
.It Fl E Ar ealgo Ar key
|
||||
Specify a encryption algorithm
|
||||
Specify an encryption algorithm
|
||||
.Ar ealgo
|
||||
for ESP.
|
||||
.It Xo
|
||||
.Fl E Ar ealgo Ar key
|
||||
.Fl A Ar aalgo Ar key
|
||||
.Xc
|
||||
Specify a encryption algorithm
|
||||
Specify an encryption algorithm
|
||||
.Ar ealgo ,
|
||||
as well as a payload authentication algorithm
|
||||
.Ar aalgo ,
|
||||
|
@ -386,11 +390,11 @@ Specify an authentication algorithm for AH.
|
|||
Specify a compression algorithm for IPComp.
|
||||
If
|
||||
.Fl R
|
||||
is specified,
|
||||
is specified, the
|
||||
.Ar spi
|
||||
field value will be used as the IPComp CPI
|
||||
.Pq compression parameter index
|
||||
on wire as is.
|
||||
on wire as-is.
|
||||
If
|
||||
.Fl R
|
||||
is not specified,
|
||||
|
@ -400,23 +404,25 @@ field will be used only as an index for kernel internal usage.
|
|||
.El
|
||||
.Pp
|
||||
.Ar key
|
||||
must be double-quoted character string, or a series of hexadecimal digits
|
||||
preceded by
|
||||
must be a double-quoted character string, or a series of hexadecimal
|
||||
digits preceded by
|
||||
.Dq Li 0x .
|
||||
.Pp
|
||||
Possible values for
|
||||
.Ar ealgo ,
|
||||
.Ar aalgo
|
||||
.Ar aalgo ,
|
||||
and
|
||||
.Ar calgo
|
||||
are specified in separate section.
|
||||
are specified in the
|
||||
.Sx Algorithms
|
||||
sections.
|
||||
.\"
|
||||
.Pp
|
||||
.It Ar src_range
|
||||
.It Ar dst_range
|
||||
These are selections of the secure communication specified as
|
||||
IPv4/v6 address or IPv4/v6 address range, and it may accompany
|
||||
TCP/UDP port specification.
|
||||
IPv4/v6 address or IPv4/v6 address range, and may be accompanied
|
||||
by a TCP/UDP port specification.
|
||||
This takes the following form:
|
||||
.Bd -literal -offset
|
||||
.Ar address
|
||||
|
@ -428,11 +434,11 @@ This takes the following form:
|
|||
.Ar prefixlen
|
||||
and
|
||||
.Ar port
|
||||
must be decimal number.
|
||||
The square bracket around
|
||||
must be decimal numbers.
|
||||
The square brackets around
|
||||
.Ar port
|
||||
is really necessary.
|
||||
They are not man page meta-characters.
|
||||
are really necessary,
|
||||
they are not man page meta-characters.
|
||||
For FQDN resolution, the rules applicable to
|
||||
.Ar src
|
||||
and
|
||||
|
@ -442,47 +448,47 @@ apply here as well.
|
|||
.Pp
|
||||
.It Ar upperspec
|
||||
Upper-layer protocol to be used.
|
||||
You can use one of words in
|
||||
You can use one of the words in
|
||||
.Pa /etc/protocols
|
||||
as
|
||||
.Ar upperspec .
|
||||
Or
|
||||
.Ar upperspec ,
|
||||
or
|
||||
.Li icmp6 ,
|
||||
.Li ip4 ,
|
||||
and
|
||||
.Li any
|
||||
can be specified.
|
||||
or
|
||||
.Li any .
|
||||
.Li any
|
||||
stands for
|
||||
.Dq any protocol .
|
||||
Also you can use the protocol number.
|
||||
You can specify a type and/or a code of ICMPv6 when
|
||||
Upper-layer protocol is ICMPv6.
|
||||
the specification can be placed after
|
||||
You can also use the protocol number.
|
||||
You can specify a type and/or a code of ICMPv6 when the
|
||||
upper-layer protocol is ICMPv6.
|
||||
The specification can be placed after
|
||||
.Li icmp6 .
|
||||
A type is separated with a code by single comma.
|
||||
A code must be specified anytime.
|
||||
A type is separated from a code by single comma.
|
||||
A code must always be specified.
|
||||
When a zero is specified, the kernel deals with it as a wildcard.
|
||||
Note that the kernel can not distinguish a wildcard from that a type
|
||||
of ICMPv6 is zero.
|
||||
For example, the following means the policy doesn't require IPsec
|
||||
Note that the kernel can not distinguish a wildcard from an ICPMv6
|
||||
type of zero.
|
||||
For example, the following means that the policy doesn't require IPsec
|
||||
for any inbound Neighbor Solicitation.
|
||||
.Dl spdadd ::/0 ::/0 icmp6 135,0 -P in none ;
|
||||
.Pp
|
||||
NOTE:
|
||||
.Em Note :
|
||||
.Ar upperspec
|
||||
does not work against forwarding case at this moment,
|
||||
as it requires extra reassembly at forwarding node
|
||||
as it requires extra reassembly at the forwarding node
|
||||
.Pq not implemented at this moment .
|
||||
We have many protocols in
|
||||
There are many protocols in
|
||||
.Pa /etc/protocols ,
|
||||
but protocols except of TCP, UDP and ICMP may not be suitable to use with IPsec.
|
||||
You have to consider and be careful to use them.
|
||||
but all protocols except of TCP, UDP, and ICMP may not be suitable
|
||||
to use with IPsec.
|
||||
You have to consider carefully what to use.
|
||||
.\"
|
||||
.Pp
|
||||
.It Ar policy
|
||||
.Ar policy
|
||||
is the one of the following three formats:
|
||||
is in one of the following three formats:
|
||||
.Bd -literal -offset indent
|
||||
.It Fl P Ar direction [priority specification] Li discard
|
||||
.It Fl P Ar direction [priority specification] Li none
|
||||
|
@ -494,12 +500,11 @@ is the one of the following three formats:
|
|||
You must specify the direction of its policy as
|
||||
.Ar direction .
|
||||
Either
|
||||
.Ar out
|
||||
,
|
||||
.Ar in
|
||||
.Ar out ,
|
||||
.Ar in ,
|
||||
or
|
||||
.Ar fwd
|
||||
are used.
|
||||
can be used.
|
||||
.Pp
|
||||
.Ar priority specification
|
||||
is used to control the placement of the policy within the SPD.
|
||||
|
@ -507,28 +512,27 @@ Policy position is determined by
|
|||
a signed integer where higher priorities indicate the policy is placed
|
||||
closer to the beginning of the list and lower priorities indicate the
|
||||
policy is placed closer to the end of the list.
|
||||
Policies with equal
|
||||
priorities are added at the end of the group of such policies.
|
||||
Policies with equal priorities are added at the end of groups
|
||||
of such policies.
|
||||
.Pp
|
||||
Priority can only
|
||||
be specified when setkey has been compiled against kernel headers that
|
||||
support policy priorities (\*[Gt]= 2.6.6).
|
||||
If the kernel does not support priorities,
|
||||
a warning message will be printed the first time a priority specification is
|
||||
used.
|
||||
support policy priorities (Linux \*[Gt]= 2.6.6).
|
||||
If the kernel does not support priorities, a warning message will
|
||||
be printed the first time a priority specification is used.
|
||||
Policy priority takes one of the following formats:
|
||||
.Bl -tag -width "discard"
|
||||
.It Xo
|
||||
.Ar {priority,prio} offset
|
||||
.Xc
|
||||
.Ar offset
|
||||
is an integer in ranges -2147483647..214783648.
|
||||
is an integer in the range from \-2147483647 to 214783648.
|
||||
.It Xo
|
||||
.Ar {priority,prio} base {+,-} offset
|
||||
.Ar {priority,prio} base {+,\-} offset
|
||||
.Xc
|
||||
.Ar base
|
||||
is either
|
||||
.Li low (-1073741824) ,
|
||||
.Li low (\-1073741824) ,
|
||||
.Li def (0) ,
|
||||
or
|
||||
.Li high (1073741824)
|
||||
|
@ -545,15 +549,15 @@ means the packet matching indexes will be discarded.
|
|||
means that IPsec operation will not take place onto the packet.
|
||||
.Li ipsec
|
||||
means that IPsec operation will take place onto the packet.
|
||||
The part of
|
||||
The
|
||||
.Ar protocol/mode/src-dst/level
|
||||
specifies the rule how to process the packet.
|
||||
part specifies the rule how to process the packet.
|
||||
Either
|
||||
.Li ah ,
|
||||
.Li esp
|
||||
.Li esp ,
|
||||
or
|
||||
.Li ipcomp
|
||||
is to be set as
|
||||
must be used as
|
||||
.Ar protocol .
|
||||
.Ar mode
|
||||
is either
|
||||
|
@ -564,13 +568,13 @@ If
|
|||
.Ar mode
|
||||
is
|
||||
.Li tunnel ,
|
||||
you must specify the end-points addresses of the SA as
|
||||
you must specify the end-point addresses of the SA as
|
||||
.Ar src
|
||||
and
|
||||
.Ar dst
|
||||
with
|
||||
.Sq -
|
||||
between these addresses which is used to specify the SA to use.
|
||||
between these addresses, which is used to specify the SA to use.
|
||||
If
|
||||
.Ar mode
|
||||
is
|
||||
|
@ -582,18 +586,18 @@ and
|
|||
can be omitted.
|
||||
.Ar level
|
||||
is to be one of the following:
|
||||
.Li default , use , require
|
||||
.Li default , use , require ,
|
||||
or
|
||||
.Li unique .
|
||||
If the SA is not available in every level, the kernel will request
|
||||
getting SA to the key exchange daemon.
|
||||
.Li default
|
||||
means the kernel consults to the system wide default against protocol you
|
||||
specified, e.g.
|
||||
means the kernel consults the system wide default for the protocol
|
||||
you specified, e.g. the
|
||||
.Li esp_trans_deflev
|
||||
sysctl variable, when the kernel processes the packet.
|
||||
.Li use
|
||||
means that the kernel use a SA if it's available,
|
||||
means that the kernel uses an SA if it's available,
|
||||
otherwise the kernel keeps normal operation.
|
||||
.Li require
|
||||
means SA is required whenever the kernel sends a packet matched
|
||||
|
@ -606,12 +610,12 @@ You just specify the policy level
|
|||
.Xr racoon 8
|
||||
will configure the SA for the policy.
|
||||
If you configure the SA by manual keying for that policy,
|
||||
you can put the decimal number as the policy identifier after
|
||||
you can put a decimal number as the policy identifier after
|
||||
.Li unique
|
||||
separated by colon
|
||||
separated by a colon
|
||||
.Sq \&:
|
||||
like the following;
|
||||
.Li unique:number .
|
||||
like:
|
||||
.Li unique:number
|
||||
in order to bind this policy to the SA.
|
||||
.Li number
|
||||
must be between 1 and 32767.
|
||||
|
@ -619,9 +623,9 @@ It corresponds to
|
|||
.Ar extensions Fl u
|
||||
of the manual SA configuration.
|
||||
When you want to use SA bundle, you can define multiple rules.
|
||||
For example, if an IP header was followed by AH header followed by ESP header
|
||||
followed by an upper layer protocol header, the rule
|
||||
would be:
|
||||
For example, if an IP header was followed by an AH header followed
|
||||
by an ESP header followed by an upper layer protocol header, the
|
||||
rule would be:
|
||||
.Dl esp/transport//require ah/transport//require ;
|
||||
The rule order is very important.
|
||||
.Pp
|
||||
|
@ -631,13 +635,11 @@ and
|
|||
.Dq Li none
|
||||
are not in the syntax described in
|
||||
.Xr ipsec_set_policy 3 .
|
||||
There are little differences in the syntax.
|
||||
There are a few differences in the syntax.
|
||||
See
|
||||
.Xr ipsec_set_policy 3
|
||||
for detail.
|
||||
.Pp
|
||||
.El
|
||||
.Pp
|
||||
.\"
|
||||
.Ss Algorithms
|
||||
The following list shows the supported algorithms.
|
||||
|
@ -645,11 +647,11 @@ The following list shows the supported algorithms.
|
|||
and
|
||||
.Sy algorithm
|
||||
are almost orthogonal.
|
||||
Followings are the list of authentication algorithms that can be used as
|
||||
These authentication algorithms can be used as
|
||||
.Ar aalgo
|
||||
in
|
||||
.Fl A Ar aalgo
|
||||
of
|
||||
of the
|
||||
.Ar protocol
|
||||
parameter:
|
||||
.Pp
|
||||
|
@ -678,11 +680,11 @@ aes-xcbc-mac 128 ah: 96bit ICV (RFC3566)
|
|||
tcp-md5 8 to 640 tcp: rfc2385
|
||||
.Ed
|
||||
.Pp
|
||||
Followings are the list of encryption algorithms that can be used as
|
||||
These encryption algorithms can be used as
|
||||
.Ar ealgo
|
||||
in
|
||||
.Fl E Ar ealgo
|
||||
of
|
||||
of the
|
||||
.Ar protocol
|
||||
parameter:
|
||||
.Pp
|
||||
|
@ -702,13 +704,13 @@ aes-ctr 160/224/288 draft-ietf-ipsec-ciph-aes-ctr-03
|
|||
.Pp
|
||||
Note that the first 128 bits of a key for
|
||||
.Li aes-ctr
|
||||
will be used as AES key, and remaining 32 bits will be used as nonce.
|
||||
will be used as AES key, and the remaining 32 bits will be used as nonce.
|
||||
.Pp
|
||||
Followings are the list of compression algorithms that can be used as
|
||||
These compression algorithms can be used as
|
||||
.Ar calgo
|
||||
in
|
||||
.Fl C Ar calgo
|
||||
of
|
||||
of the
|
||||
.Ar protocol
|
||||
parameter:
|
||||
.Pp
|
||||
|
@ -718,24 +720,28 @@ deflate rfc2394
|
|||
.Ed
|
||||
.\"
|
||||
.Ss RFC vs Linux kernel semantics
|
||||
Linux kernel uses
|
||||
The Linux kernel uses the
|
||||
.Ar fwd
|
||||
policy instead of
|
||||
policy instead of the
|
||||
.Ar in
|
||||
policy for packets what are forwarded through that particular box.
|
||||
.Pp
|
||||
In
|
||||
.Ar kernel
|
||||
mode setkey manages and shows policies and SAs exactly as they are stored in the kernel.
|
||||
mode,
|
||||
.Nm
|
||||
manages and shows policies and SAs exactly as they are stored in the kernel.
|
||||
.Pp
|
||||
In
|
||||
.Ar RFC
|
||||
mode
|
||||
.Ar setkey
|
||||
.Bd -literal
|
||||
creates fwd policies for every in policy inserted.
|
||||
mode,
|
||||
.Nm
|
||||
.Bl -item
|
||||
.It
|
||||
creates fwd policies for every in policy inserted
|
||||
.It
|
||||
(not implemented yet) filters out all fwd policies
|
||||
.Ed
|
||||
.El
|
||||
.Sh RETURN VALUES
|
||||
The command exits with 0 on success, and non-zero on errors.
|
||||
.\"
|
||||
|
@ -776,7 +782,8 @@ add 10.1.10.34 10.1.10.36 tcp 0x1000 -A tcp-md5 "TCP-MD5 BGP secret" ;
|
|||
.Sh HISTORY
|
||||
The
|
||||
.Nm
|
||||
command first appeared in WIDE Hydrangea IPv6 protocol stack kit.
|
||||
command first appeared in the WIDE Hydrangea IPv6 protocol stack
|
||||
kit.
|
||||
The command was completely re-designed in June 1998.
|
||||
.\"
|
||||
.Sh BUGS
|
||||
|
@ -787,6 +794,6 @@ For IPsec gateway configuration,
|
|||
.Ar src_range
|
||||
and
|
||||
.Ar dst_range
|
||||
with TCP/UDP port number do not work, as the gateway does not reassemble
|
||||
packets
|
||||
.Pq cannot inspect upper-layer headers .
|
||||
with TCP/UDP port numbers does not work, as the gateway does not
|
||||
reassemble packets
|
||||
.Pq it cannot inspect upper-layer headers .
|
||||
|
|
Loading…
Reference in New Issue