.\" Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\" 3. Neither the name of the project nor the names of its contributors
.\" may be used to endorse or promote products derived from this software
.\" without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" $NetBSD: setkey.8,v 1.5 1999/09/07 06:49:37 itojun Exp $
.\" KAME Id: setkey.8,v 1.1.1.1 1999/08/08 23:31:51 itojun Exp
.\"
.Dd May 17, 1998
.Dt SETKEY 8
.Os
.\"
.Sh NAME
.Nm setkey
.Nd manually manipulate the SA/SP database.
.\"
.Sh SYNOPSIS
.Nm setkey
.Op Fl dv
.Fl c
.Nm setkey
.Op Fl dv
.Fl f Ar filename
.Nm setkey
.Op Fl adPlv
.Fl D
.Nm setkey
.Op Fl dPv
.Fl F
.Nm setkey
.Op Fl h
.Fl x
.\"
.Sh DESCRIPTION
.Nm
updates, or lists the content of, Security Association Database (SAD) entries
in the kernel as well as Security Policy Database (SPD) entries.
.Pp
.Nm
takes a series of operations from standard input
.Po
if invoked with
.Fl c
.Pc
or from the file named
.Ar filename
.Po
if invoked with
.Fl f Ar filename
.Pc .
.Bl -tag -width Ds
.It Fl D
Dump the SAD entries.
If used with
.Fl P ,
the SPD entries are dumped.
.It Fl F
Flush the SAD.
If used with
.Fl P ,
the SPD is flushed.
.It Fl a
.Nm
usually does not display dead SAD entries on
.Fl D .
With
.Fl a ,
dead SAD entries will be displayed as well.
Dead SAD entries are kept in the kernel
when they are referenced from any of the SPD entries in the kernel.
.It Fl d
Enable debugging messages.
.It Fl x
Loop forever and dump all the messages transmitted to
.Dv PF_KEY
socket.
.It Fl h
Add hexadecimal dump on
.Fl x
mode.
The order is significant.
.It Fl l
Loop forever with short output on
.Fl D .
.It Fl v
Be verbose.
.Dv PF_KEY
socket
.Po
including messages sent from other processes
.Pc .
.El
.Pp
Operations have the following grammar.
Note that lines that start with a
hashmark ('#') are treated as comment lines.
Description of meta-arguments follows.
.Bl -tag -width Ds
.It Xo
.Li add
.Ar src Ar dst Ar upperspec Ar spi
.Op Ar proxyspec
.Ar protocol
.\" .Op Ar depend_on_sa
.Li ;
.Xc
Add a SAD entry.
.\"
.It Xo
.Li get
.Ar src Ar dst Ar upperspec Ar spi
.Op Ar proxyspec
.Op Ar protocol0
.Li ;
.Xc
Show a SAD entry.
.\"
.It Xo
.Li delete
.Ar src Ar dst Ar upperspec Ar spi
.Op Ar proxyspec
.Op Ar protocol0
.Li ;
.Xc
Remove a SAD entry.
.\"
.It Xo
.Li flush
.Op Ar protocol0
.Li ;
.Xc
Clear all SAD entries that match the options.
.\"
.It Xo
.Li dump
.Op Ar protocol0
.Li ;
.Xc
Dump all SAD entries that match the options.
.\"
.It Xo
.Li spdadd
.Ar src Ar dst Ar upperspec
.Op Ar policy
.Li ;
.Xc
Add a SPD entry.
.\"
.It Xo
.Li spddelete
.Ar src Ar dst Ar upperspec
.Li ;
.Xc
Delete a SPD entry.
.\"
.It Xo
.Li spdflush
.Li ;
.Xc
Clear all SPD entries.
.\"
.It Xo
.Li spddump
.Li ;
.Xc
Dump all SPD entries.
.\"
.El
.Pp
Meta-arguments are as follows:
.Bl -tag -width Ds
.It Ar src
.It Ar dst
Source/destination of the secure communication is specified as
an IPv4/v6 address or IPv4/v6 address range, and it may be accompanied by a
TCP/UDP port specification.
This takes the following form:
.Bd -literal -offset
.Ar address
.Ar address/prefixlen
.Ar address[port]
.Ar address/prefixlen[port]
.Ed
.Pp
.Ar prefixlen
and
.Ar port
must be decimal numbers.
The square brackets around
.Ar port
are really necessary.
They are not manpage metacharacters
.Li :-)
.Pp
.Nm
does not perform hostname-to-address lookup for arguments
.Ar src
and
.Ar dst .
They must be in numeric form.
.\"
.It Ar upperspec
Upper-layer protocol to be used.
Currently
.Li tcp ,
.Li udp
and
.Li any
can be specified.
.Li any
is the wildcard.
NOTE:
.Ar upperspec
has no effect on forwarded packets at this moment, since the kernel code fragment that handles
.Ar upperspec
is disabled.
.\"
.It Ar spi
Security Parameter Index (SPI) for the SA and SPD.
It must be a decimal number or a hexadecimal number
.Po
with
.Li 0x
attached
.Pc .
.\"
.It Ar proxyspec
.Ar proxyspec
can be specified as either an IPv4 or IPv6 address.
If specified, the SAD entry will be used for tunnel mode IPsec processing.
.\"
.It Ar protocol
.Ar protocol
takes the following forms:
.Bl -tag -width Ds
.It Xo
.Fl p
.Li esp
.Op Ar extensions
.Op Fl E Ar ealgo Ar key
.Op Fl A Ar aalgo Ar key
.Op Fl r Ar replay
.Xc
.It Xo
.Fl p
.Li ah
.Op Ar extensions
.Op Fl A Ar aalgo Ar key
.Op Fl r Ar replay
.Xc
.It Xo
.Fl p
.Li esp-old
.Op Ar extensions
.Op Fl E Ar ealgo Ar key
.Op Fl A Ar aalgo Ar key
.Op Fl r Ar replay
.Xc
.It Xo
.Fl p
.Li ah-old
.Op Ar extensions
.Op Fl A Ar aalgo Ar key
.Op Fl r Ar replay
.Xc
.It Xo
.Fl p
.Li ipcomp
.Op Fl C Ar calgo
.Op Fl R
.Xc
.El
.Pp
.Fl p
is always mandatory.
Optional flag,
.Ar extensions ,
can be
.Li cyclic-seq ,
and one of the following:
.Li random-pad ,
.Li seq-pad ,
.Li zero-pad .
.Fl E
specifies the encryption algorithm, and
.Fl A
specifies the authentication algorithm.
If
.Fl A
is used for
.Fl p Li esp
or
.Fl p Li esp-old ,
it will be treated as the ESP payload authentication algorithm.
Possible values for
.Ar ealgo ,
.Ar aalgo
and
.Ar calgo
are specified in a separate section.
.Ar key
must be a double-quoted character string or a series of hexadecimal digits.
.Fl r Ar replay
is used for checking replay attacks.
.Ar replay
must be a decimal number in a 32-bit word.
If
.Ar replay
is zero or not specified, the replay check does not take place.
.Fl R
is used only with
.Li ipcomp .
If
.Fl R
is specified on an
.Li ipcomp
line, the kernel will use the well-known IPComp CPI
.Pq compression parameter index
on the IPComp CPI field on packets, and the
.Ar spi
field will be ignored.
The
.Ar spi
field is only for kernel internal use in this case.
.\"Therefore, compression protocol number will appear on IPComp CPI field.
If
.Fl R
is not used,
the value of the
.Ar spi
field will appear on the IPComp CPI field on outgoing packets.
The
.Ar spi
field needs to be smaller than
.Li 0x10000
in this case.
.\"
.It Ar protocol0
This is a subset of
.Ar protocol ,
which takes no optional arguments:
.Bd -literal -offset
.Xo
.Fl p
.Li esp
.Xc
.Xo
.Fl p
.Li ah
.Xc
.Xo
.Fl p
.Li ipcomp
.Xc
.Ed
.\"
.It Ar policy
.Ar policy
is one of the following:
.Bd -literal -offset
.Xo
.Fl P
.Li discard
.Xc
.Xo
.Fl P
.Li none
.Xc
.Xo
.Fl P
.Li ipsec
.Ar protocol/level
.Op Ar /peer
.Xc
.Ed
.Pp
.Li discard
means packets matching the indexes will be discarded.
.Li none
means that IPsec operation will not take place on the packet.
.Li ipsec
means that IPsec operation will take place on the packet.
Either
.Li ah ,
.Li esp
or
.Li ipcomp
is to be set as
.Ar protocol .
.Ar level
is to be one of the following:
.Li default , use
or
.Li require .
.Li default
means the kernel consults the system-wide default for the protocol you
specified, e.g.
.Li esp_trans_deflev
sysctl variable, when the kernel processes the packet.
.Li use
means that the kernel uses an SA if one is available,
otherwise the kernel keeps normal operation.
.Li require
means an SA is required whenever the kernel deals with the packet.
If you plan to set up the tunnel mode of IPsec, you can specify the end-point
address of the tunnel as
.Ar peer
which will be a hint when the IPsec system sets up SAs automatically by key management.
.El
.Pp
.\"
.Sh ALGORITHMS
The following list shows the supported algorithms.
.Sy protocol
and
.Sy algorithm
are almost orthogonal.
The following authentication algorithms can be used as
.Ar aalgo
in
.Fl A Ar aalgo
of the
.Ar protocol
parameter:
.Pp
.Bl -column "algorithmxx" -column "keylengthxx" -offset
.It Sy algorithm Ta Sy key length (bits) Ta Sy comment
.It hmac-md5 Ta 128 Ta ah: rfc2403
.It \& Ta 128 Ta ah-old: rfc2085
.It hmac-sha1 Ta 160 Ta ah: rfc2404
.It \& Ta 160 Ta ah-old: 128bit ICV (no document)
.It keyed-md5 Ta 128 Ta ah: 96bit ICV (no document)
.It \& Ta 128 Ta ah-old: rfc1828
.It keyed-sha1 Ta 160 Ta ah: 96bit ICV (no document)
.It \& Ta 160 Ta ah-old: 128bit ICV (no document)
.It null Ta 0 to 2048 Ta for debugging
.El
.Pp
The following encryption algorithms can be used as
.Ar ealgo
in
.Fl E Ar ealgo
of the
.Ar protocol
parameter:
.Pp
.Bl -column "algorithmxx" -column "keylengthxx" -offset
.It Sy algorithm Ta Sy key length (bits) Ta Sy comment
.It des-cbc Ta 64 Ta esp-old: rfc1829, esp: rfc2405
.It 3des-cbc Ta 192 Ta rfc2451
.It simple Ta 0 to 2048 Ta rfc2410
.It blowfish-cbc Ta 40 to 448 Ta rfc2451
.It cast128-cbc Ta 40 to 128 Ta rfc2451
.It rc5-cbc Ta 40 to 2040 Ta rfc2451
.It des-deriv Ta 64 Ta ipsec-ciph-des-derived-01 (expired)
.It 3des-deriv Ta 192 Ta no document
.El
.Pp
The following compression algorithms can be used as
.Ar calgo
in
.Fl C Ar calgo
of the
.Ar protocol
parameter:
.Pp
.Bl -column "algorithmxx" -offset
.It Sy algorithm Ta Sy comment
.It deflate Ta rfc2394
.It lzs Ta rfc2395
.El
.\"
.Sh EXAMPLES
.Bd -literal -offset
add 10.0.11.41/32[21] 10.0.11.33/32[0] tcp 0x10001 202.249.11.41
        -p esp -E des-cbc "hogehoge"
        -A hmac-md5 "hagehogehogehoge" ;

add 127.0.0.1 127.0.0.1 any 0x10001
        -p esp -E blowfish-cbc "kamekame"
        -A hmac-sha1 "hogehogehogehogehoge" ;

add 127.0.0.1 127.0.0.1 any 0x10001
        -p ah-old -A keyed-md5 "testtesttesttest" ;

add 10.0.0.1 10.0.0.2 udp 0x10002 203.178.141.215
        -p ah -A keyed-md5 "testtesttesttest" ;

get 10.0.11.41/32[21] 10.0.11.33/32[0] tcp 0x10001 202.249.11.41
        -p esp ;

flush ;

dump -p esp ;

spdadd 10.0.11.41/32[21] 10.0.11.33/32[0] any
        -P ipsec ah/use esp/require/192.168.0.1 ;

.Ed
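The following linter is an added illustration and is not part of the original setkey manual or of the KAME code.
It reads operations in the grammar described above and reports add operations whose key length disagrees with the ALGORITHMS tables, or that leave the replay check off.
The names lint, key_bits and SAMPLE are hypothetical, and accepting a 0x prefix on hexadecimal keys is an assumption.

```python
import re

# (min, max) key length in bits, copied from the ALGORITHMS tables of this page.
AALGO = {"hmac-md5": (128, 128), "hmac-sha1": (160, 160),
         "keyed-md5": (128, 128), "keyed-sha1": (160, 160), "null": (0, 2048)}
EALGO = {"des-cbc": (64, 64), "3des-cbc": (192, 192), "simple": (0, 2048),
         "blowfish-cbc": (40, 448), "cast128-cbc": (40, 128),
         "rc5-cbc": (40, 2040), "des-deriv": (64, 64), "3des-deriv": (192, 192)}
STMT = re.compile(r'(?:"[^"]*"|[^;"])+')   # one operation, up to its ';'
TOKEN = re.compile(r'"[^"]*"|[^\s"]+')      # double-quoted key or bare word

def key_bits(key):
    """Key size in bits; quoted string or hex digits (0x prefix: an assumption)."""
    if key.startswith('"'):
        return 8 * (len(key) - 2)
    return 4 * len(key[2:] if key.lower().startswith("0x") else key)

def lint(text):
    """Return (operation number, message) findings for the `add` operations."""
    out = []
    kept = "\n".join(l for l in text.splitlines() if not l.startswith("#"))
    for n, stmt in enumerate(STMT.findall(kept), 1):
        tok = TOKEN.findall(stmt)
        if not tok or tok[0] != "add":
            continue
        if "-p" not in tok[:-1]:
            out.append((n, "-p protocol is mandatory"))
            continue
        opts = tok[tok.index("-p"):]
        for flag, table in (("-E", EALGO), ("-A", AALGO)):
            if flag in opts:
                algo, key = (opts[opts.index(flag) + 1:] + ["", ""])[:2]
                bits, (lo, hi) = key_bits(key), table.get(algo, (0, 0))
                if algo not in table:
                    out.append((n, f"{flag} {algo}: not in the algorithm table"))
                elif not lo <= bits <= hi:
                    out.append((n, f"{flag} {algo}: {bits}-bit key, table says {lo} to {hi}"))
        replay = opts[opts.index("-r") + 1] if "-r" in opts[:-1] else "0"
        if opts[1] != "ipcomp" and not (replay.isdigit() and int(replay) > 0):
            out.append((n, "no replay check: -r absent, zero or not decimal"))
    return out

SAMPLE = '''# constructed sample input, modelled on the EXAMPLES section
add 127.0.0.1 127.0.0.1 any 0x10001
    -p esp -E blowfish-cbc "kamekame" -A hmac-sha1 "hogehogehogehogehoge" -r 32 ;
add 10.0.0.1 10.0.0.2 udp 0x10002 -p ah -A hmac-md5 "tooshort" ;
dump -p esp ;
'''
print(lint(SAMPLE))
```

Run against the operations in this section as written, it reports only the missing replay window, since none of them passes a non-zero value with the -r option.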
.\"
.Sh RETURN VALUES
The command exits with 0 on success, and non-zero on errors.
.\"
.Sh SEE ALSO
.Xr ipsec_set_policy 3 ,
.Xr sysctl 8
.\"
.Sh HISTORY
The
.Nm
command first appeared in WIDE Hydrangea IPv6 protocol stack kit.
The command was completely re-designed in June 1998.
.\"
.\" .Sh BUGS