.\" Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project. .\" All rights reserved. .\" .\" Redistribution and use in source and binary forms, with or without .\" modification, are permitted provided that the following conditions .\" are met: .\" 1. Redistributions of source code must retain the above copyright .\" notice, this list of conditions and the following disclaimer. .\" 2. Redistributions in binary form must reproduce the above copyright .\" notice, this list of conditions and the following disclaimer in the .\" documentation and/or other materials provided with the distribution. .\" 3. Neither the name of the project nor the names of its contributors .\" may be used to endorse or promote products derived from this software .\" without specific prior written permission. .\" .\" THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND .\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE .\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE .\" ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE .\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL .\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS .\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) .\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT .\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" .\" $NetBSD: setkey.8,v 1.5 1999/09/07 06:49:37 itojun Exp $ .\" KAME Id: setkey.8,v 1.1.1.1 1999/08/08 23:31:51 itojun Exp .\" .Dd May 17, 1998 .Dt SETKEY 8 .Os .\" .Sh NAME .Nm setkey .Nd manually manipulate the SA/SP database. .\" .Sh SYNOPSIS .Nm setkey .Op Fl dv .Fl c .Nm setkey .Op Fl dv .Fl f Ar filename .Nm setkey .Op Fl adPlv .Fl D .Nm setkey .Op Fl dPv .Fl F .Nm setkey .Op Fl h .Fl x .\" .Sh DESCRIPTION .Nm updates, or lists the content of, Security Association Database (SAD) entries in the kernel as well as Security Policy Database (SPD) entries. .Pp .Nm takes a series of operation from standard input .Po if invoked with .Fl c .Pc or file named .Ar filename .Po if invoked with .Fl f Ar filename .Pc . .Bl -tag -width Ds .It Fl D Dump the SAD entries. If with .Fl P , the SPD entries are dumped. .It Fl F Flush the SAD. If with .Fl P , the SPD are flushed. .It Fl a .Nm usually do not display dead SAD entries on .Fl D . With .Fl a , dead SAD entries will be displayed as well. Dead SAD entries are kept in the kernel, when they are referenced from any of SPD entries in the kernel. .It Fl d Enable debugging messages. .It Fl x Loop forever and dump all the messages transmitted to .Dv PF_KEY socket. .It Fl h Add hexadecimal dump on .Fl x mode. The order is significant. .It Fl l Loop forever with short output on .Fl D . .It Fl v Be verbose. .Dv PF_KEY socket .Po including messages sent from other processes .Pc . .El .Pp Operation has the following grammar. Note that lines, that start with a hashmark ('#') are treated as comment lines. Description of meta-arguments follows. .Bl -tag -width Ds .It Xo .Li add .Ar src Ar dst Ar upperspec Ar spi .Op Ar proxyspec .Ar protocol .\" .Op Ar depend_on_sa .Li ; .Xc Add a SAD entry. .\" .It Xo .Li get .Ar src Ar dst Ar upperspec Ar spi .Op Ar proxyspec .Op Ar protocol0 .Li ; .Xc Show a SAD entry. .\" .It Xo .Li delete .Ar src Ar dst Ar upperspec Ar spi .Op Ar proxyspec .Op Ar protocol0 .Li ; .Xc Remove a SAD entry. .\" .It Xo .Li flush .Op Ar protocol0 .Li ; .Xc Clear all SAD entries that matches the options. .\" .It Xo .Li dump .Op Ar protocol0 .Li ; .Xc Dumps all SAD entries that matches the options. .\" .It Xo .Li spdadd .Ar src Ar dst Ar upperspec .Op Ar policy .Li ; .Xc Add a SPD entry. .\" .It Xo .Li spddelete .Ar src Ar dst Ar upperspec .Li ; .Xc Delete a SPD entry. .\" .It Xo .Li spdflush .Li ; .Xc Clear all SPD entries. .\" .It Xo .Li spddump .Li ; .Xc Dumps all SAD entries. .\" .El .Pp Meta-arguments are as follows: .Bl -tag -width Ds .It Ar src .It Ar dst Source/destination of the secure communication is specified as IPv4/v6 address or IPv4/v6 address range, and it may accompany TCP/UDP port specification. This takes the following form: .Bd -literal -offset .Ar address .Ar address/prefixlen .Ar address[port] .Ar address/prefixlen[port] .Ed .Pp .Ar prefixlen and .Ar port must be decimal number. The square bracket around .Ar port is really necessary. They are not manpage metacharacters .Li :-) .Pp .Nm does not consult hostname-to-address for arguments .Ar src and .Ar dst . They must be in numeric form. .\" .It Ar upperspec Upper-layer protocol to be used. Currently .Li tcp , .Li udp and .Li any can be specified. .Li any is as the wildcard. NOTE: .Ar upperspec of forwarding packet has no effect at this moment, since kernel code fragment to handle .Ar upperspec is disabled. .\" .It Ar spi Security Parameter Index (SPI) for the SA and SPD. It must be decimal number or hexadecimal number .Po with .Li 0x attached .Pc . .\" .It Ar proxyspec .Ar proxyspec can be specified as either an IPv4 or IPv6 address. If specified, the SAD entry will be used for tunnel mode IPsec processing. .\" .It Ar protocol .Ar protocol takes the following forms: .Bl -tag -width Ds .It Xo .Fl p .Li esp .Op Ar extensions .Op Fl E Ar ealgo Ar key .Op Fl A Ar aalgo Ar key .Op Fl r Ar replay .Xc .It Xo .Fl p .Li ah .Op Ar extensions .Op Fl A Ar aalgo Ar key .Op Fl r Ar replay .Xc .It Xo .Fl p .Li esp-old .Op Ar extensions .Op Fl E Ar ealgo Ar key .Op Fl A Ar aalgo Ar key .Op Fl r Ar replay .Xc .It Xo .Fl p .Li ah-old .Op Ar extensions .Op Fl A Ar aalgo Ar key .Op Fl r Ar replay .Xc .It Xo .Fl p .Li ipcomp .Op Fl C Ar calgo .Op Fl R .Xc .El .Pp .Fl p is always mandatory. Optional flag, .Ar extensions , can be .Li cyclic-seq , and one of the following: .Li random-pad , .Li seq-pad , .Li zero-pad . .Fl E specifies encryption algorithm, and .Fl A specifies authentication algorithm. If .Fl A is used for .Fl p Li esp or .Fl p Li esp-old , it will be treated as ESP payload authentication algorithm. Possible values for .Ar ealgo , .Ar aalgo and .Ar calgo are specified in separete section. .Ar key must be double-quoted character string or a series of hexadecimal digits. .Fl r Ar replay is used for checking replay attacks. .Ar replay must be decimal number in 32-bit word. If .Ar replay is zero or not specified, repley check don't take place. .Fl R is used only with .Li ipcomp . If .Fl R is specified with .Li ipcomp line, the kernel will use well-known IPComp CPI .Pq compression parameter index on IPComp CPI field on packets, and .Ar spi field will be ignored. .Ar spi field is only for kernel internal use in this case. .\"Therefore, compression protocol number will appear on IPComp CPI field. If .Fl R is not used, the value on .Ar spi field will appear on IPComp CPI field on outgoing packets. .Ar spi field needs to be smaller than .Li 0x10000 in this case. .\" .It Ar protocol0 This is a subset of .Ar protocol , which takes no optional arguments: .Bd -literal -offset .Xo .Fl p .Li esp .Xc .Xo .Fl p .Li ah .Xc .Xo .Fl p .Li ipcomp .Xc .Ed .\" .It Ar policy .Ar policy is the one of following: .Bd -literal -offset .Xo .Fl P .Li discard .Xc .Xo .Fl P .Li none .Xc .Xo .Fl P .Li ipsec .Ar protocol/level .Op Ar /peer .Xc .Ed .Pp .Li discard means the packet matching indexes will be discarded. .Li none means that IPsec operation will not take place onto the packet. .Li ipsec means that IPsec operation will take place onto the packet. Either .Li ah , .Li esp or .Li ipcomp is to be set as .Ar protocol . .Ar level is to be one of the following: .Li default , use or .Li require . .Li default means kernel consults to the system wide default against protocol you specified, e.g. .Li esp_trans_deflev sysctl variable, when kernel processes the packet. .Li use means that kernel use a SA if it's available, otherwise kernel keeps normal operation. .Li require means SA is required whenever kernel deals with the packet. If you plan to set up the tunnel mode of IPsec, you can specify the end-point a ddress of the tunnel as .Ar peer which will be hint when IPsec system set up SAs by Key management automatically. .El .Pp .\" .Sh ALGORITHMS The following list shows the supported algorithms. .Sy protocol and .Sy algorithm are almost orthogonal. Following are the list of authentication algorithms that can be used as .Ar aalgo in .Fl A Ar aalgo of .Ar protocol parameter: .Pp .Bl -column "algorithmxx" -column "keylengthxx" -offset .It Sy algorithm key length (bits) comment .It hmac-md5 128 ah: rfc2403 .It 128 ah-old: rfc2085 .It hmac-sha1 160 ah: rfc2404 .It 160 ah-old: 128bit ICV (no document) .It keyed-md5 128 ah: 96bit ICV (no document) .It 128 ah-old: rfc1828 .It keyed-sha1 160 ah: 96bit ICV (no document) .It 160 ah-old: 128bit ICV (no document) .It null 0 to 2048 for debugging .El .Pp Following are the list of encryption algorithms that can be used as .Ar ealgo in .Fl E Ar ealgo of .Ar protocol parameter: .Pp .Bl -column "algorithmxx" -column "keylengthxx" -offset .It Sy algorithm key length(bits) comment .It des-cbc 64 esp-old: rfc1829, esp: rfc2405 .It 3des-cbc 192 rfc2451 .It simple 0 to 2048 rfc2410 .It blowfish-cbc 40 to 448 rfc2451 .It cast128-cbc 40 to 128 rfc2451 .It rc5-cbc 40 to 2040 rfc2451 .It des-deriv 64 ipsec-ciph-des-derived-01 (expired) .It 3des-deriv 192 no document .El .Pp Following are the list of compression algorithms that can be used as .Ar calgo in .Fl C Ar calgo of .Ar protocol parameter: .Pp .Bl -column "algorithmxx" -offset .It Sy algorithm comment .It deflate rfc2394 .It lzs rfc2395 .El .\" .Sh EXAMPLES .Bd -literal -offset add 10.0.11.41/32[21] 10.0.11.33/32[0] tcp 0x10001 202.249.11.41 -p esp -E des-cbc "hogehoge" -A hmac-md5 "hagehogehogehoge" ; add 127.0.0.1 127.0.0.1 any 0x10001 -p esp -E blowfish-cbc "kamekame" -A hmac-sha1 "hogehogehogehogehoge" ; add 127.0.0.1 127.0.0.1 any 0x10001 -p ah-old -A keyed-md5 "testtesttesttest" ; add 10.0.0.1 10.0.0.2 udp 0x10002 203.178.141.215 -p ah -A keyed-md5 "testtesttesttest" ; get 10.0.11.41/32[21] 10.0.11.33/32[0] tcp 0x10001 202.249.11.41 -p esp ; flush ; dump -p esp ; spdadd 10.0.11.41/32[21] 10.0.11.33/32[0] any -P ipsec ah/use esp/require/192.168.0.1 ; .Ed .\" .Sh RETURN VALUES The command exits with 0 on success, and non-zero on errors. .\" .Sh SEE ALSO .Xr ipsec_set_policy 3 , .Xr sysctl 8 .\" .Sh HISTORY The .Nm command first appeared in WIDE Hydrangea IPv6 protocol stack kit. The command was completely re-designed in June 1998. .\" .\" .Sh BUGS