setkey.8 (121071) | setkey.8 (122108) |
---|---|
1.\" $KAME: setkey.8,v 1.49 2001/05/18 05:49:51 sakane Exp $ 2.\" $FreeBSD: head/sbin/setkey/setkey.8 121071 2003-10-13 14:57:41Z ume $ | 1.\" $KAME: setkey.8,v 1.89 2003/09/07 22:17:41 itojun Exp $ 2.\" $FreeBSD: head/sbin/setkey/setkey.8 122108 2003-11-05 09:47:54Z ume $ |
3.\" 4.\" Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project. 5.\" All rights reserved. 6.\" 7.\" Redistribution and use in source and binary forms, with or without 8.\" modification, are permitted provided that the following conditions 9.\" are met: 10.\" 1. Redistributions of source code must retain the above copyright --- 18 unchanged lines hidden (view full) --- 29.\" SUCH DAMAGE. 30.\" 31.Dd November 20, 2000 32.Dt SETKEY 8 33.Os 34.\" 35.Sh NAME 36.Nm setkey | 3.\" 4.\" Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project. 5.\" All rights reserved. 6.\" 7.\" Redistribution and use in source and binary forms, with or without 8.\" modification, are permitted provided that the following conditions 9.\" are met: 10.\" 1. Redistributions of source code must retain the above copyright --- 18 unchanged lines hidden (view full) --- 29.\" SUCH DAMAGE. 30.\" 31.Dd November 20, 2000 32.Dt SETKEY 8 33.Os 34.\" 35.Sh NAME 36.Nm setkey |
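Review bot: the `.Dd November 20, 2000` line is carried over unchanged on both sides even though this revision adds the `-4`, `-6` and `-n` flags, a "Configuration syntax" subsection, a BUGS section and new algorithm references; the document date should be bumped to the date of this change so the rendered page reflects the revised content rather than a three-year-old one.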
37.Nd "manually manipulate the IPsec SA/SP database" | 37.Nd manually manipulate the IPsec SA/SP database |
38.\" 39.Sh SYNOPSIS 40.Nm | 38.\" 39.Sh SYNOPSIS 40.Nm |
41.Op Fl dv | 41.Op Fl v |
42.Fl c 43.Nm | 42.Fl c 43.Nm |
44.Op Fl dv | 44.Op Fl v |
45.Fl f Ar filename 46.Nm | 45.Fl f Ar filename 46.Nm |
47.Op Fl adPlv | 47.Op Fl aPlv |
48.Fl D 49.Nm | 48.Fl D 49.Nm |
50.Op Fl dPv | 50.Op Fl Pv |
51.Fl F 52.Nm 53.Op Fl h 54.Fl x 55.\" 56.Sh DESCRIPTION 57The 58.Nm | 51.Fl F 52.Nm 53.Op Fl h 54.Fl x 55.\" 56.Sh DESCRIPTION 57The 58.Nm |
59utility adds, updates, dumps, or flushes | 59command adds, updates, dumps, or flushes |
60Security Association Database (SAD) entries 61as well as Security Policy Database (SPD) entries in the kernel. 62.Pp 63The 64.Nm | 60Security Association Database (SAD) entries 61as well as Security Policy Database (SPD) entries in the kernel. 62.Pp 63The 64.Nm |
65utility takes a series of operations from the standard input 66(if invoked with 67.Fl c ) | 65command takes a series of operations from the standard input 66.Po 67if invoked with 68.Fl c 69.Pc |
68or the file named 69.Ar filename | 70or the file named 71.Ar filename |
70(if invoked with 71.Fl f Ar filename ) . | 72.Po 73if invoked with 74.Fl f Ar filename 75.Pc . |
72.Bl -tag -width Ds 73.It Fl D 74Dump the SAD entries. 75If with 76.Fl P , 77the SPD entries are dumped. 78.It Fl F 79Flush the SAD entries. 80If with 81.Fl P , 82the SPD entries are flushed. 83.It Fl a | 76.Bl -tag -width Ds 77.It Fl D 78Dump the SAD entries. 79If with 80.Fl P , 81the SPD entries are dumped. 82.It Fl F 83Flush the SAD entries. 84If with 85.Fl P , 86the SPD entries are flushed. 87.It Fl a |
84Dead SAD entries are usually not displayed with | 88.Nm 89usually does not display dead SAD entries with |
85.Fl D . 86If with 87.Fl a , 88the dead SAD entries will be displayed as well. 89A dead SAD entry means that | 90.Fl D . 91If with 92.Fl a , 93the dead SAD entries will be displayed as well. 94A dead SAD entry means that |
90it has been expired but remains 91because it is referenced by SPD entries. 92.It Fl d 93Enable to print debugging messages for command parser, 94without talking to kernel. 95It is not used usually. 96.It Fl x 97Loop forever and dump all the messages transmitted to 98.Dv PF_KEY 99socket. 100.Fl xx 101makes each timestamps unformatted. | 95it has been expired but remains in the system 96because it is referenced by some SPD entries. |
102.It Fl h 103Add hexadecimal dump on 104.Fl x 105mode. 106.It Fl l 107Loop forever with short output on 108.Fl D . 109.It Fl v 110Be verbose. 111The program will dump messages exchanged on 112.Dv PF_KEY 113socket, including messages sent from other processes to the kernel. | 97.It Fl h 98Add hexadecimal dump on 99.Fl x 100mode. 101.It Fl l 102Loop forever with short output on 103.Fl D . 104.It Fl v 105Be verbose. 106The program will dump messages exchanged on 107.Dv PF_KEY 108socket, including messages sent from other processes to the kernel. |
109.It Fl x 110Loop forever and dump all the messages transmitted to 111.Dv PF_KEY 112socket. 113.Fl xx 114makes each timestamps unformatted. |
|
114.El | 115.El |
115.Pp 116Operations have the following grammar. 117Note that lines starting with 118hashmarks ('#') are treated as comment lines. | 116.Ss Configuration syntax 117With 118.Fl c 119or 120.Fl f 121on the command line, 122.Nm 123accepts the following configuration syntax. 124Lines starting with hash signs ('#') are treated as comment lines. |
119.Bl -tag -width Ds 120.It Xo 121.Li add | 125.Bl -tag -width Ds 126.It Xo 127.Li add |
128.Op Fl 46n |
|
122.Ar src Ar dst Ar protocol Ar spi 123.Op Ar extensions | 129.Ar src Ar dst Ar protocol Ar spi 130.Op Ar extensions |
124.Ar algorithm... | 131.Ar algorithm ... |
125.Li ; 126.Xc 127Add an SAD entry. | 132.Li ; 133.Xc 134Add an SAD entry. |
135.Li add 136can fail with multiple reasons, 137including when the key length does not match the specified algorithm. |
|
128.\" 129.It Xo 130.Li get | 138.\" 139.It Xo 140.Li get |
141.Op Fl 46n |
|
131.Ar src Ar dst Ar protocol Ar spi 132.Li ; 133.Xc 134Show an SAD entry. 135.\" 136.It Xo 137.Li delete | 142.Ar src Ar dst Ar protocol Ar spi 143.Li ; 144.Xc 145Show an SAD entry. 146.\" 147.It Xo 148.Li delete |
149.Op Fl 46n |
|
138.Ar src Ar dst Ar protocol Ar spi 139.Li ; 140.Xc 141Remove an SAD entry. 142.\" 143.It Xo 144.Li deleteall | 150.Ar src Ar dst Ar protocol Ar spi 151.Li ; 152.Xc 153Remove an SAD entry. 154.\" 155.It Xo 156.Li deleteall |
157.Op Fl 46n |
|
145.Ar src Ar dst Ar protocol 146.Li ; 147.Xc 148Remove all SAD entries that match the specification. 149.\" 150.It Xo 151.Li flush 152.Op Ar protocol 153.Li ; 154.Xc 155Clear all SAD entries matched by the options. | 158.Ar src Ar dst Ar protocol 159.Li ; 160.Xc 161Remove all SAD entries that match the specification. 162.\" 163.It Xo 164.Li flush 165.Op Ar protocol 166.Li ; 167.Xc 168Clear all SAD entries matched by the options. |
169.Fl F 170on the command line achieves the same functionality. |
|
156.\" 157.It Xo 158.Li dump 159.Op Ar protocol 160.Li ; 161.Xc 162Dumps all SAD entries matched by the options. | 171.\" 172.It Xo 173.Li dump 174.Op Ar protocol 175.Li ; 176.Xc 177Dumps all SAD entries matched by the options. |
178.Fl D 179on the command line achieves the same functionality. |
|
163.\" 164.It Xo 165.Li spdadd | 180.\" 181.It Xo 182.Li spdadd |
183.Op Fl 46n |
|
166.Ar src_range Ar dst_range Ar upperspec Ar policy 167.Li ; 168.Xc 169Add an SPD entry. 170.\" 171.It Xo 172.Li spddelete | 184.Ar src_range Ar dst_range Ar upperspec Ar policy 185.Li ; 186.Xc 187Add an SPD entry. 188.\" 189.It Xo 190.Li spddelete |
191.Op Fl 46n |
|
173.Ar src_range Ar dst_range Ar upperspec Fl P Ar direction 174.Li ; 175.Xc 176Delete an SPD entry. 177.\" 178.It Xo 179.Li spdflush 180.Li ; 181.Xc 182Clear all SPD entries. | 192.Ar src_range Ar dst_range Ar upperspec Fl P Ar direction 193.Li ; 194.Xc 195Delete an SPD entry. 196.\" 197.It Xo 198.Li spdflush 199.Li ; 200.Xc 201Clear all SPD entries. |
202.Fl FP 203on the command line achieves the same functionality. |
|
183.\" 184.It Xo 185.Li spddump 186.Li ; 187.Xc 188Dumps all SPD entries. | 204.\" 205.It Xo 206.Li spddump 207.Li ; 208.Xc 209Dumps all SPD entries. |
210.Fl DP 211on the command line achieves the same functionality. |
|
189.El 190.\" 191.Pp 192Meta-arguments are as follows: 193.Pp 194.Bl -tag -compact -width Ds 195.It Ar src 196.It Ar dst 197Source/destination of the secure communication is specified as 198IPv4/v6 address. | 212.El 213.\" 214.Pp 215Meta-arguments are as follows: 216.Pp 217.Bl -tag -compact -width Ds 218.It Ar src 219.It Ar dst 220Source/destination of the secure communication is specified as 221IPv4/v6 address. |
199The | |
200.Nm | 222.Nm |
201utility does not consult hostname-to-address for arguments 202.Ar src | 223can resolve a FQDN into numeric addresses. 224If the FQDN resolves into multiple addresses, 225.Nm 226will install multiple SAD/SPD entries into the kernel 227by trying all possible combinations. 228.Fl 4 , 229.Fl 6 |
203and | 230and |
204.Ar dst . 205They must be in numeric form. | 231.Fl n 232restricts the address resolution of FQDN in certain ways. 233.Fl 4 234and 235.Fl 6 236restrict results into IPv4/v6 addresses only, respectively. 237.Fl n 238avoids FQDN resolution and requires addresses to be numeric addresses. |
206.\" 207.Pp 208.It Ar protocol 209.Ar protocol 210is one of following: 211.Bl -tag -width Fl -compact 212.It Li esp | 239.\" 240.Pp 241.It Ar protocol 242.Ar protocol 243is one of following: 244.Bl -tag -width Fl -compact 245.It Li esp |
213ESP based on rfc2405 | 246ESP based on rfc2406 |
214.It Li esp-old 215ESP based on rfc1827 216.It Li ah 217AH based on rfc2402 218.It Li ah-old 219AH based on rfc1826 220.It Li ipcomp | 247.It Li esp-old 248ESP based on rfc1827 249.It Li ah 250AH based on rfc2402 251.It Li ah-old 252AH based on rfc1826 253.It Li ipcomp |
221IPCOMP | 254IPComp |
222.El 223.\" 224.Pp 225.It Ar spi | 255.El 256.\" 257.Pp 258.It Ar spi |
226Security Parameter Index (SPI) for the SAD and the SPD. 227It must be decimal number or hexadecimal number 228You cannot use the set of SPI values in the range 0 through 255. 229(with 230.Li 0x 231attached). | 259Security Parameter Index 260.Pq SPI 261for the SAD and the SPD. 262.Ar spi 263must be a decimal number, or a hexadecimal number with 264.Dq Li 0x 265prefix. 266SPI values between 0 and 255 are reserved for future use by IANA 267and they cannot be used. |
232.\" 233.Pp 234.It Ar extensions | 268.\" 269.Pp 270.It Ar extensions |
235takes some of the following: | 271take some of the following: |
236.Bl -tag -width Fl -compact 237.\" 238.It Fl m Ar mode 239Specify a security protocol mode for use. 240.Ar mode 241is one of following: 242.Li transport , tunnel 243or --- 34 unchanged lines hidden (view full) --- 278.It Fl ls Ar time 279Specify hard/soft life time duration of the SA. 280.El 281.\" 282.Pp 283.It Ar algorithm 284.Bl -tag -width Fl -compact 285.It Fl E Ar ealgo Ar key | 272.Bl -tag -width Fl -compact 273.\" 274.It Fl m Ar mode 275Specify a security protocol mode for use. 276.Ar mode 277is one of following: 278.Li transport , tunnel 279or --- 34 unchanged lines hidden (view full) --- 314.It Fl ls Ar time 315Specify hard/soft life time duration of the SA. 316.El 317.\" 318.Pp 319.It Ar algorithm 320.Bl -tag -width Fl -compact 321.It Fl E Ar ealgo Ar key |
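Review bot: the new FQDN paragraph under `src`/`dst` should state the consequence of name resolution instead of saying that `-4`, `-6` and `-n` restrict it "in certain ways": `setkey` resolves the name itself and installs one SAD/SPD entry per address combination, so the set of peers that receives an entry depends on whatever the resolver returns at the moment the configuration is loaded, and for manually keyed SAs the text should point readers at `-n` (numeric addresses only). The two sentences that follow already define `-4`, `-6` and `-n` precisely, so the vague sentence can simply be dropped. One smaller item in the same hunk: "add can fail with multiple reasons" should read "can fail for several reasons".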
286Specify an encryption algorithm. | 322Specify an encryption algorithm 323.Ar ealgo 324for ESP. 325.It Xo 326.Fl E Ar ealgo Ar key 327.Fl A Ar aalgo Ar key 328.Xc 329Specify a encryption algorithm 330.Ar ealgo , 331as well as a payload authentication algorithm 332.Ar aalgo , 333for ESP. |
287.It Fl A Ar aalgo Ar key | 334.It Fl A Ar aalgo Ar key |
288Specify an authentication algorithm. 289If 290.Fl A 291is used with 292.Ar protocol Li esp , 293it will be treated as ESP payload authentication algorithm. | 335Specify an authentication algorithm for AH. |
294.It Fl C Ar calgo Op Fl R | 336.It Fl C Ar calgo Op Fl R |
295Specify compression algorithm. | 337Specify a compression algorithm for IPComp. |
296If 297.Fl R | 338If 339.Fl R |
298is not specified with 299.Li ipcomp 300line, the kernel will use well-known IPComp CPI 301(compression parameter index) 302on IPComp CPI field on packets, and | 340is specified, |
303.Ar spi | 341.Ar spi |
304field will be ignored. 305.Ar spi 306field is only for kernel internal use in this case. 307.\"Therefore, compression protocol number will appear on IPComp CPI field. | 342field value will be used as the IPComp CPI 343.Pq compression parameter index 344on wire as is. |
308If 309.Fl R | 345If 346.Fl R |
310is used, 311the value on | 347is not specified, 348the kernel will use well-known CPI on wire, and |
312.Ar spi | 349.Ar spi |
313field will appear on IPComp CPI field on outgoing packets. 314.Ar spi 315field needs to be smaller than 316.Li 0x10000 317in this case. | 350field will be used only as an index for kernel internal usage. |
318.El 319.Pp | 351.El 352.Pp |
320.Ar protocol Li esp 321accepts 322.Fl E 323and 324.Fl A . 325.Ar protocol Li esp-old 326accepts 327.Fl E 328only. 329.Ar protocol Li ah 330and 331.Li ah-old 332accept 333.Fl A 334only. 335.Ar protocol Li ipcomp 336accepts 337.Fl C 338only. 339.Pp | |
340.Ar key | 353.Ar key |
341must be double-quoted character string or series of hexadecimal digits. | 354must be double-quoted character string, or a series of hexadecimal digits 355preceded by 356.Dq Li 0x . |
342.Pp 343Possible values for 344.Ar ealgo , 345.Ar aalgo 346and 347.Ar calgo 348are specified in separate section. 349.\" --- 14 unchanged lines hidden (view full) --- 364.Ar prefixlen 365and 366.Ar port 367must be decimal number. 368The square bracket around 369.Ar port 370is really necessary. 371They are not manpage metacharacters. | 357.Pp 358Possible values for 359.Ar ealgo , 360.Ar aalgo 361and 362.Ar calgo 363are specified in separate section. 364.\" --- 14 unchanged lines hidden (view full) --- 379.Ar prefixlen 380and 381.Ar port 382must be decimal number. 383The square bracket around 384.Ar port 385is really necessary. 386They are not manpage metacharacters. |
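Review bot: the rewritten `-C calgo [-R]` text drops two statements the old text carried and nothing in the new text replaces them: the limit that `spi` must be smaller than `0x10000` when `-R` is given (the new text still says the value goes on the wire "as is" in the CPI field, so the limit presumably still holds and should be restated), and the paragraph listing which flags each protocol accepts, in particular that `esp-old` accepts `-E` only. The new per-flag wording "for ESP", "for AH" and "for IPComp" covers `esp`, `ah` and `ipcomp` but leaves `esp-old` and `ah-old` unstated. Also, "Specify a encryption algorithm" in the combined `-E ... -A ...` entry should read "an encryption algorithm".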
372.Pp 373The 374.Nm 375utility does not consult hostname-to-address for arguments | 387For FQDN resolution, the rules applicable to |
376.Ar src 377and | 388.Ar src 389and |
378.Ar dst . 379They must be in numeric form. | 390.Ar dst 391apply here as well. |
380.\" 381.Pp 382.It Ar upperspec 383Upper-layer protocol to be used. 384You can use one of words in 385.Pa /etc/protocols 386as 387.Ar upperspec . 388Or 389.Li icmp6 , 390.Li ip4 , 391and 392.Li any 393can be specified. 394.Li any 395stands for 396.Dq any protocol . 397Also you can use the protocol number. | 392.\" 393.Pp 394.It Ar upperspec 395Upper-layer protocol to be used. 396You can use one of words in 397.Pa /etc/protocols 398as 399.Ar upperspec . 400Or 401.Li icmp6 , 402.Li ip4 , 403and 404.Li any 405can be specified. 406.Li any 407stands for 408.Dq any protocol . 409Also you can use the protocol number. |
410You can specify a type and/or a code of ICMPv6 when 411Upper-layer protocol is ICMPv6. 412the specification can be placed after 413.Li icmp6 . 414A type is separated with a code by single comma. 415A code must be specified anytime. 416When a zero is specified, the kernel deals with it as a wildcard. 417Note that the kernel can not distinguish a wildcard from that a type 418of ICMPv6 is zero. 419For example, the following means the policy doesn't require IPsec 420for any inbound Neighbor Solicitation. 421.Dl spdadd ::/0 ::/0 icmp6 135,0 -P in none ; |
|
398.Pp 399NOTE: 400.Ar upperspec 401does not work against forwarding case at this moment, 402as it requires extra reassembly at forwarding node | 422.Pp 423NOTE: 424.Ar upperspec 425does not work against forwarding case at this moment, 426as it requires extra reassembly at forwarding node |
403(not implemented at this moment). | 427.Pq not implemented at this moment . |
404We have many protocols in 405.Pa /etc/protocols , 406but protocols except of TCP, UDP and ICMP may not be suitable to use with IPsec. 407You have to consider and be careful to use them. | 428We have many protocols in 429.Pa /etc/protocols , 430but protocols except of TCP, UDP and ICMP may not be suitable to use with IPsec. 431You have to consider and be careful to use them. |
408.Li icmp 409.Li tcp 410.Li udp 411all protocols | |
412.\" 413.Pp 414.It Ar policy 415.Ar policy | 432.\" 433.Pp 434.It Ar policy 435.Ar policy |
416is the one of following: 417.Bd -literal -offset 418.Xo 419.Fl P Ar direction Li discard | 436is the one of the following three formats: 437.Bd -literal -offset indent 438.It Fl P Ar direction Li discard 439.It Fl P Ar direction Li none 440.It Xo Fl P Ar direction Li ipsec 441.Ar protocol/mode/src-dst/level Op ... |
420.Xc | 442.Xc |
421.Xo 422.Fl P Ar direction Li none 423.Xc 424.Xo 425.Fl P Ar direction Li ipsec Ar protocol/mode/src-dst/level 426.Xc | |
427.Ed 428.Pp 429You must specify the direction of its policy as 430.Ar direction . 431Either 432.Li out 433or 434.Li in 435are used. 436.Li discard 437means the packet matching indexes will be discarded. 438.Li none 439means that IPsec operation will not take place onto the packet. 440.Li ipsec 441means that IPsec operation will take place onto the packet. | 443.Ed 444.Pp 445You must specify the direction of its policy as 446.Ar direction . 447Either 448.Li out 449or 450.Li in 451are used. 452.Li discard 453means the packet matching indexes will be discarded. 454.Li none 455means that IPsec operation will not take place onto the packet. 456.Li ipsec 457means that IPsec operation will take place onto the packet. |
458The part of 459.Ar protocol/mode/src-dst/level 460specifies the rule how to process the packet. |
|
442Either 443.Li ah , 444.Li esp 445or 446.Li ipcomp 447is to be set as 448.Ar protocol . 449.Ar mode --- 25 unchanged lines hidden (view full) --- 475is to be one of the following: 476.Li default , use , require 477or 478.Li unique . 479If the SA is not available in every level, the kernel will request 480getting SA to the key exchange daemon. 481.Li default 482means the kernel consults to the system wide default against protocol you | 461Either 462.Li ah , 463.Li esp 464or 465.Li ipcomp 466is to be set as 467.Ar protocol . 468.Ar mode --- 25 unchanged lines hidden (view full) --- 494is to be one of the following: 495.Li default , use , require 496or 497.Li unique . 498If the SA is not available in every level, the kernel will request 499getting SA to the key exchange daemon. 500.Li default 501means the kernel consults to the system wide default against protocol you |
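Review bot: the new `policy` format block puts `.It` macros inside `.Bd -literal -offset indent` with no enclosing `.Bl`, which is not valid mdoc (`.It` only has meaning inside a list); the old side used `.Xo`/`.Xc` pairs for the same three lines, and either that or a `.Bl -tag` ... `.El` wrapper should be used instead of list items inside a literal display. In the ICMPv6 paragraph, "the specification can be placed after icmp6" starts a sentence in lowercase and "Upper-layer" is capitalised mid-sentence; more importantly, the paragraph should say outright what its own note implies, namely that because 0 is the wildcard a policy cannot match type 0 or code 0 selectively, so the `icmp6 135,0 -P in none` example exempts inbound Neighbor Solicitation with any code from IPsec.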
483specified, e.g.\& | 502specified, e.g. |
484.Li esp_trans_deflev 485sysctl variable, when the kernel processes the packet. 486.Li use 487means that the kernel use a SA if it's available, 488otherwise the kernel keeps normal operation. 489.Li require 490means SA is required whenever the kernel sends a packet matched 491with the policy. 492.Li unique 493is the same to require. 494In addition, it allows the policy to bind with the unique out-bound SA. | 503.Li esp_trans_deflev 504sysctl variable, when the kernel processes the packet. 505.Li use 506means that the kernel use a SA if it's available, 507otherwise the kernel keeps normal operation. 508.Li require 509means SA is required whenever the kernel sends a packet matched 510with the policy. 511.Li unique 512is the same to require. 513In addition, it allows the policy to bind with the unique out-bound SA. |
495If you use the SA by manual keying, | 514You just specify the policy level 515.Li unique , 516.Xr racoon 8 517will configure the SA for the policy. 518If you configure the SA by manual keying for that policy, |
496you can put the decimal number as the policy identifier after 497.Li unique 498separated by colon | 519you can put the decimal number as the policy identifier after 520.Li unique 521separated by colon |
499.Sq \: | 522.Sq \&: |
500like the following; 501.Li unique:number . | 523like the following; 524.Li unique:number . |
525in order to bind this policy to the SA. |
|
502.Li number 503must be between 1 and 32767. 504It corresponds to | 526.Li number 527must be between 1 and 32767. 528It corresponds to |
505.Ar extensions Fl u . | 529.Ar extensions Fl u 530of the manual SA configuration. 531When you want to use SA bundle, you can define multiple rules. 532For example, if an IP header was followed by AH header followed by ESP header 533followed by an upper layer protocol header, the rule 534would be: 535.Dl esp/transport//require ah/transport//require ; 536The rule order is very important. |
506.Pp 507Note that 508.Dq Li discard 509and 510.Dq Li none 511are not in the syntax described in 512.Xr ipsec_set_policy 3 . 513There are little differences in the syntax. --- 24 unchanged lines hidden (view full) --- 538 128 ah-old: rfc2085 539hmac-sha1 160 ah: rfc2404 540 160 ah-old: 128bit ICV (no document) 541keyed-md5 128 ah: 96bit ICV (no document) 542 128 ah-old: rfc1828 543keyed-sha1 160 ah: 96bit ICV (no document) 544 160 ah-old: 128bit ICV (no document) 545null 0 to 2048 for debugging | 537.Pp 538Note that 539.Dq Li discard 540and 541.Dq Li none 542are not in the syntax described in 543.Xr ipsec_set_policy 3 . 544There are little differences in the syntax. --- 24 unchanged lines hidden (view full) --- 569 128 ah-old: rfc2085 570hmac-sha1 160 ah: rfc2404 571 160 ah-old: 128bit ICV (no document) 572keyed-md5 128 ah: 96bit ICV (no document) 573 128 ah-old: rfc1828 574keyed-sha1 160 ah: 96bit ICV (no document) 575 160 ah-old: 128bit ICV (no document) 576null 0 to 2048 for debugging |
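Review bot: the SA-bundle text says "The rule order is very important" but never states what the order means; from its own example (IP header, then AH, then ESP, then the upper-layer header, written as `esp/transport//require ah/transport//require`) the rules are listed from the innermost protection outward, and that sentence should be added so readers do not have to infer it. Also, "You just specify the policy level unique, racoon(8) will configure the SA for the policy" is a run-on; "If you just specify ..., racoon(8) will ..." reads correctly.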
546hmac-sha2-256 256 ah: 96bit ICV (no document) | 577hmac-sha2-256 256 ah: 96bit ICV 578 (draft-ietf-ipsec-ciph-sha-256-00) |
547 256 ah-old: 128bit ICV (no document) 548hmac-sha2-384 384 ah: 96bit ICV (no document) 549 384 ah-old: 128bit ICV (no document) 550hmac-sha2-512 512 ah: 96bit ICV (no document) 551 512 ah-old: 128bit ICV (no document) 552hmac-ripemd160 160 ah: 96bit ICV (RFC2857) 553 ah-old: 128bit ICV (no document) | 579 256 ah-old: 128bit ICV (no document) 580hmac-sha2-384 384 ah: 96bit ICV (no document) 581 384 ah-old: 128bit ICV (no document) 582hmac-sha2-512 512 ah: 96bit ICV (no document) 583 512 ah-old: 128bit ICV (no document) 584hmac-ripemd160 160 ah: 96bit ICV (RFC2857) 585 ah-old: 128bit ICV (no document) |
554aes-xcbc-mac 128 ah: 96bit ICV (RFC3566) 555 128 ah-old: 128bit ICV (no document) | 586.\"aes-xcbc-mac 128 ah: 96bit ICV (RFC3566) 587.\" 128 ah-old: 128bit ICV (no document) |
556.Ed 557.Pp 558Followings are the list of encryption algorithms that can be used as 559.Ar ealgo 560in 561.Fl E Ar ealgo 562of 563.Ar protocol 564parameter: 565.Pp 566.Bd -literal -offset indent 567algorithm keylen (bits) comment 568des-cbc 64 esp-old: rfc1829, esp: rfc2405 5693des-cbc 192 rfc2451 | 588.Ed 589.Pp 590Followings are the list of encryption algorithms that can be used as 591.Ar ealgo 592in 593.Fl E Ar ealgo 594of 595.Ar protocol 596parameter: 597.Pp 598.Bd -literal -offset indent 599algorithm keylen (bits) comment 600des-cbc 64 esp-old: rfc1829, esp: rfc2405 6013des-cbc 192 rfc2451 |
570simple 0 to 2048 rfc2410 | 602null 0 to 2048 rfc2410 |
571blowfish-cbc 40 to 448 rfc2451 572cast128-cbc 40 to 128 rfc2451 | 603blowfish-cbc 40 to 448 rfc2451 604cast128-cbc 40 to 128 rfc2451 |
573des-deriv 64 ipsec-ciph-des-derived-01 (expired) | 605des-deriv 64 ipsec-ciph-des-derived-01 |
5743des-deriv 192 no document | 6063des-deriv 192 no document |
575rijndael-cbc 128/192/256 draft-ietf-ipsec-ciph-aes-cbc-00 576aes-ctr 160/224/288 draft-ietf-ipsec-ciph-aes-ctr-03 | 607rijndael-cbc 128/192/256 rfc3602 608.\"aes-ctr 160/224/288 draft-ietf-ipsec-ciph-aes-ctr-03 |
577.Ed 578.Pp 579Note that the first 128 bits of a key for 580.Li aes-ctr 581will be used as AES key, and remaining 32 bits will be used as nonce. 582.Pp 583Followings are the list of compression algorithms that can be used as 584.Ar calgo 585in 586.Fl C Ar calgo 587of 588.Ar protocol 589parameter: 590.Pp 591.Bd -literal -offset indent 592algorithm comment 593deflate rfc2394 | 609.Ed 610.Pp 611Note that the first 128 bits of a key for 612.Li aes-ctr 613will be used as AES key, and remaining 32 bits will be used as nonce. 614.Pp 615Followings are the list of compression algorithms that can be used as 616.Ar calgo 617in 618.Fl C Ar calgo 619of 620.Ar protocol 621parameter: 622.Pp 623.Bd -literal -offset indent 624algorithm comment 625deflate rfc2394 |
594lzs rfc2395 | |
595.Ed 596.\" | 626.Ed 627.\" |
628.Sh RETURN VALUES 629The command exits with 0 on success, and non-zero on errors. 630.\" |
|
597.Sh EXAMPLES 598.Bd -literal -offset | 631.Sh EXAMPLES 632.Bd -literal -offset |
599add 3ffe:501:4819::1 3ffe:501:481d::1 esp 123457 600 -E des-cbc "ESP SA!!" ; | 633add 3ffe:501:4819::1 3ffe:501:481d::1 esp 123457 634 -E des-cbc 0x3ffe05014819ffff ; |
601 | 635 |
602add 3ffe:501:4819::1 3ffe:501:481d::1 ah 123456 603 -A hmac-sha1 "AH SA configuration!" ; | 636add -6 myhost.example.com yourhost.example.com ah 123456 637 -A hmac-sha1 "AH SA configuration!" ; |
604 | 638 |
605add 10.0.11.41 10.0.11.33 esp 0x10001 606 -E des-cbc "ESP with" 607 -A hmac-md5 "authentication!!" ; | 639add 10.0.11.41 10.0.11.33 esp 0x10001 640 -E des-cbc 0x3ffe05014819ffff 641 -A hmac-md5 "authentication!!" ; |
608 | 642 |
609get 3ffe:501:4819::1 3ffe:501:481d::1 ah 123456 ; | 643get 3ffe:501:4819::1 3ffe:501:481d::1 ah 123456 ; |
610 611flush ; 612 613dump esp ; 614 | 644 645flush ; 646 647dump esp ; 648 |
615spdadd 10.0.11.41/32[21] 10.0.11.33/32[any] any 616 -P out ipsec esp/tunnel/192.168.0.1-192.168.1.2/require ; | 649spdadd 10.0.11.41/32[21] 10.0.11.33/32[any] any 650 -P out ipsec esp/tunnel/192.168.0.1-192.168.1.2/require ; |
617 618.Ed 619.\" | 651 652.Ed 653.\" |
620.Sh RETURN VALUES 621The command exits with 0 on success, and non-zero on errors. 622.\" | |
623.Sh SEE ALSO 624.Xr ipsec_set_policy 3 , 625.Xr racoon 8 , 626.Xr sysctl 8 | 654.Sh SEE ALSO 655.Xr ipsec_set_policy 3 , 656.Xr racoon 8 , 657.Xr sysctl 8 |
658.Rs 659.%T "Changed manual key configuration for IPsec" 660.%O "http://www.kame.net/newsletter/19991007/" 661.%D "October 1999" 662.Re |
|
627.\" 628.Sh HISTORY 629The 630.Nm | 663.\" 664.Sh HISTORY 665The 666.Nm |
631utility first appeared in WIDE Hydrangea IPv6 protocol stack kit. | 667command first appeared in WIDE Hydrangea IPv6 protocol stack kit. |
632The command was completely re-designed in June 1998. 633.\" | 668The command was completely re-designed in June 1998. 669.\" |
634.\" .Sh BUGS | 670.Sh BUGS 671.Nm 672should report and handle syntax errors better. 673.Pp 674For IPsec gateway configuration, 675.Ar src_range 676and 677.Ar dst_range 678with TCP/UDP port number do not work, as the gateway does not reassemble 679packets 680.Pq cannot inspect upper-layer headers . |
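Review bot: the `aes-ctr` row is commented out of the encryption table, but the paragraph right after it ("Note that the first 128 bits of a key for aes-ctr will be used as AES key, and remaining 32 bits will be used as nonce") is kept, so the page now describes the key layout of an algorithm it no longer lists; either comment the paragraph out together with the row or keep the row. Two points on EXAMPLES: the hex key `0x3ffe05014819ffff` is the peer prefix `3ffe:501:4819` followed by `ffff`, which shows the required `0x` syntax but invites copy-and-paste of an address-derived key, so an obviously random-looking value would serve better; and the examples still use `des-cbc` although the same table now lists `3des-cbc` and `rijndael-cbc` (rfc3602), which a fresh example should prefer. The added BUGS text about TCP/UDP ports in `src_range`/`dst_range` on a gateway restates the NOTE under `upperspec`; a cross-reference between the two would avoid the duplication.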