New sentence, new line. Avoid marking up punctuation.

wiz 2009-03-12 15:18:57 +00:00
parent 01bbe49d65
commit 2df943f931
1 changed files with 26 additions and 22 deletions

@ -1,4 +1,4 @@
.\" $NetBSD: racoon.conf.5,v 1.54 2009/03/12 10:57:26 tteras Exp $
.\" $NetBSD: racoon.conf.5,v 1.55 2009/03/12 15:18:57 wiz Exp $
.\"
.\" Id: racoon.conf.5,v 1.54 2006/08/22 18:17:17 manubsd Exp
.\"
@ -383,14 +383,16 @@ This problem is known to be fixed in Linux 2.6.25 and later.
Specifies the IKE phase 1 parameters for each remote node.
.Pp
If connection is initiated using racoonctl, a unique match using the
remote IP must be found or the remote block name has to be given. For
received acquires (kernel notices traffic requiring a new SA) the
remote IP must be found or the remote block name has to be given.
For received acquires (kernel notices traffic requiring a new SA) the
remote IP and remoteid from matching sainfo block are used to decide
the remoteblock. If no uniquely matching remoteblock is found using
the remoteblock.
If no uniquely matching remoteblock is found using
these criteria, no connection attempt is done.
.Pp
When acting as responder, racoon picks the first proposal that has one
or more acceptable remote configurations. When determining if a remote
or more acceptable remote configurations.
When determining if a remote
specification is matching the following information is checked:
.Bl -bullet -tag -width Ds -compact
.It
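Review bot: the paragraph still spells the same term two ways, "remote block" in the first sentence and "remoteblock" in "the remoteblock." / "If no uniquely matching remoteblock is found"; since this hunk is already rewrapping those lines, settle on one spelling. Two smaller wording points in the same lines: "If connection is initiated" wants an article ("If a connection is initiated"), and "specification is matching the following information is checked" reads better as "specification matches, the following information is checked".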
@ -411,7 +413,8 @@ if
is on.
.It
If a certificate request was received, it must match the issuer of
.Ic "certificate_type x509" certificate.
.Ic "certificate_type x509"
certificate.
If certificate request without issuer name was sent, the
.Ic match_empty_cr
parameter specifies whether or not remote block matches.
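Review bot: the sentences after the split still lack their articles; suggest "If a certificate request without an issuer name was sent, the .Ic match_empty_cr parameter specifies whether or not the remote block matches." The commit is about readability of exactly this text, so it is worth folding in.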
@ -680,10 +683,10 @@ By default, the identifier sent by the remote host (as specified in its
statement) is compared with the credentials in the certificate
used to authenticate the remote host as follows:
.Bl -tag -width Ds -compact
.It Type Ic asn1dn:
.It Type Ic asn1dn :
The entire certificate subject name is compared with the identifier,
e.g. "C=XX, O=YY, ...".
.It Type Ic address, fqdn, or user_fqdn:
.It Type Ic address, fqdn, or user_fqdn :
The certificate's subjectAltName is compared with the identifier.
.El
If the two do not match the negotiation will fail.
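Review bot: moving the colon out of the .Ic argument (".It Type Ic asn1dn :") is the right fix, since a trailing delimiter is rendered in roman instead of the literal font; the unchanged line right after .El, "If the two do not match the negotiation will fail.", is missing a comma after "match" and could be corrected in the same pass.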
@ -968,10 +971,11 @@ command.
.Bq Ic inherit Ar parent
.Ic { Ar statements Ic }
.Xc
Deprecated format of specifying a remote block. This will be removed
in future. It is a remnant from time when remote block was decided
Deprecated format of specifying a remote block.
This will be removed in future.
It is a remnant from time when remote block was decided
solely based on the peers IP address.
.Pp
This is equivalent to:
.Bd -literal -offset
remote "address" [inherit "parent-address"] {
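Review bot: the rewrapped sentences keep "the peers IP address", which should be "the peer's IP address", and "in future" / "from time when" read better as "in the future" / "from the time when"; since the hunk already touches these lines, fix them here. Separately, the unchanged context line ".Bd -literal -offset" supplies no width argument to -offset; mdoc's -offset normally takes one (for example "indent"), so check that the block renders with the intended indentation.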
@ -1348,11 +1352,11 @@ The default is
The host name or ip address of the ldap server.
The default is
.Ic localhost .
.It Ic port Ar number;
.It Ic port Ar number ;
The port that the ldap server is configured to listen on.
The default is
.Ic 389 .
.It Ic base Ar distinguished name;
.It Ic base Ar distinguished name ;
The ldap search base.
This option has no default value.
.It Ic subtree (on | off) ;
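Review bot: detaching the ";" from the .Ar argument makes these items consistent with the existing ".It Ic subtree (on | off) ;" line below, so the list is now uniform. While here, "ip address" and "ldap server" in the descriptions would normally be written "IP address" and "LDAP server", as they are acronyms.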
@ -1360,20 +1364,20 @@ Use the subtree ldap search scope.
Otherwise, use the one level search scope.
The default is
.Ic off .
.It Ic bind_dn Ar distinguished name;
.It Ic bind_dn Ar distinguished name ;
The user dn used to optionally bind as before performing ldap search operations.
If this option is not specified, anonymous binds are used.
.It Ic bind_pw Ar string;
.It Ic bind_pw Ar string ;
The password used when binding as
.Ic bind_dn .
.It Ic attr_user Ar attribute name;
.It Ic attr_user Ar attribute name ;
The attribute used to specify a users name in an ldap directory.
For example,
if a user dn is "cn=jdoe,dc=my,dc=net" then the attribute would be "cn".
The default value is
.Ic cn .
.It Ic attr_addr Ar attribute name;
.It Ic attr_mask Ar attribute name;
.It Ic attr_addr Ar attribute name ;
.It Ic attr_mask Ar attribute name ;
The attributes used to specify a users network address and subnet mask in an
ldap directory.
These values are forwarded during mode_cfg negotiation when
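Review bot: "a users name" and "a users network address" are missing the possessive apostrophe ("a user's name", "a user's network address"). The bind_dn description, "The user dn used to optionally bind as before performing ldap search operations.", is also awkward; suggest "The DN to bind as before performing LDAP search operations. If this option is not specified, anonymous binds are used."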
@ -1382,13 +1386,13 @@ The default values are
.Ic racoon-address
and
.Ic racoon-netmask .
.It Ic attr_group Ar attribute name;
.It Ic attr_group Ar attribute name ;
The attribute used to specify a group name in an ldap directory.
For example,
if a group dn is "cn=users,dc=my,dc=net" then the attribute would be "cn".
The default value is
.Ic cn .
.It Ic attr_member Ar attribute name;
.It Ic attr_member Ar attribute name ;
The attribute used to specify group membership in an ldap directory.
The default value is
.Ic member .
@ -1409,12 +1413,12 @@ configuration file will be used instead.
.Pp
The following are valid statements:
.Bl -tag -width Ds -compact
.It Ic auth Ar (hostname | address) [port] sharedsecret;
.It Ic auth Ar (hostname | address) [port] sharedsecret ;
The host name or ip address, optional port value and shared secret value
of a radius authentication server.
Up to 5 radius authentication servers
may be specified using multiple lines.
.It Ic acct Ar (hostname | address) [port] sharedsecret;
.It Ic acct Ar (hostname | address) [port] sharedsecret ;
The host name or ip address, optional port value and shared secret value
of a radius accounting server.
Up to 5 radius accounting servers may be
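Review bot: the ";" split matches the other statement lists in this file. In the two .It lines, "(hostname | address)" is given as .Ar arguments; the parentheses and "|" are mdoc delimiters and will be rendered in roman rather than the argument font, which is acceptable for showing alternatives but worth confirming in the rendered output. The descriptions also write "ip address" and "radius" in lowercase where "IP address" and "RADIUS" are the usual forms.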