setkey.8 (244318) | setkey.8 (269091) |
---|---|
1.\" $KAME: setkey.8,v 1.89 2003/09/07 22:17:41 itojun Exp $ 2.\" 3.\" Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project. 4.\" All rights reserved. 5.\" 6.\" Redistribution and use in source and binary forms, with or without 7.\" modification, are permitted provided that the following conditions 8.\" are met: --- 13 unchanged lines hidden (view full) --- 22.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 23.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 24.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 25.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 26.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 27.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 28.\" SUCH DAMAGE. 29.\" | 1.\" $KAME: setkey.8,v 1.89 2003/09/07 22:17:41 itojun Exp $ 2.\" 3.\" Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project. 4.\" All rights reserved. 5.\" 6.\" Redistribution and use in source and binary forms, with or without 7.\" modification, are permitted provided that the following conditions 8.\" are met: --- 13 unchanged lines hidden (view full) --- 22.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 23.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 24.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 25.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 26.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 27.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 28.\" SUCH DAMAGE. 29.\" |
30.\" $FreeBSD: head/sbin/setkey/setkey.8 244318 2012-12-16 23:00:13Z eadler $ | 30.\" $FreeBSD: head/sbin/setkey/setkey.8 269091 2014-07-25 17:09:48Z wblock $ |
31.\" | 31.\" |
32.Dd May 13, 2006 | 32.Dd July 25, 2014 |
33.Dt SETKEY 8 34.Os 35.\" 36.Sh NAME 37.Nm setkey 38.Nd "manually manipulate the IPsec SA/SP database" 39.\" 40.Sh SYNOPSIS --- 468 unchanged lines hidden (view full) --- 509.Li default , use , require 510or 511.Li unique . 512If the SA is not available in every level, the kernel will request 513the SA from the key exchange daemon. 514A value of 515.Li default 516tells the kernel to use the system wide default protocol | 33.Dt SETKEY 8 34.Os 35.\" 36.Sh NAME 37.Nm setkey 38.Nd "manually manipulate the IPsec SA/SP database" 39.\" 40.Sh SYNOPSIS --- 468 unchanged lines hidden (view full) --- 509.Li default , use , require 510or 511.Li unique . 512If the SA is not available in every level, the kernel will request 513the SA from the key exchange daemon. 514A value of 515.Li default 516tells the kernel to use the system wide default protocol |
517e.g.\& the one from the | 517e.g.,\& the one from the |
518.Li esp_trans_deflev 519sysctl variable, when the kernel processes the packet. 520A value of 521.Li use 522means that the kernel will use an SA if it is available, 523otherwise the kernel will pass the packet as it would normally. 524A value of 525.Li require --- 96 unchanged lines hidden (view full) --- 6223des-cbc 192 rfc2451 623null 0 to 2048 rfc2410 624blowfish-cbc 40 to 448 rfc2451 625cast128-cbc 40 to 128 rfc2451 626des-deriv 64 ipsec-ciph-des-derived-01 6273des-deriv 192 no document 628rijndael-cbc 128/192/256 rfc3602 629aes-ctr 160/224/288 draft-ietf-ipsec-ciph-aes-ctr-03 | 518.Li esp_trans_deflev 519sysctl variable, when the kernel processes the packet. 520A value of 521.Li use 522means that the kernel will use an SA if it is available, 523otherwise the kernel will pass the packet as it would normally. 524A value of 525.Li require --- 96 unchanged lines hidden (view full) --- 6223des-cbc 192 rfc2451 623null 0 to 2048 rfc2410 624blowfish-cbc 40 to 448 rfc2451 625cast128-cbc 40 to 128 rfc2451 626des-deriv 64 ipsec-ciph-des-derived-01 6273des-deriv 192 no document 628rijndael-cbc 128/192/256 rfc3602 629aes-ctr 160/224/288 draft-ietf-ipsec-ciph-aes-ctr-03 |
630camllia-cbc 128/192/256 rfc4312 | 630camellia-cbc 128/192/256 rfc4312 |
631.Ed 632.Pp 633Note that the first 128/192/256 bits of a key for 634.Li aes-ctr 635will be used as AES key, and remaining 32 bits will be used as nonce. 636.Pp 637The following are the list of compression algorithms that can be used 638as the --- 12 unchanged lines hidden (view full) --- 651.Ex -std 652.\" 653.Sh EXAMPLES 654Add an ESP SA between two IPv6 addresses using the 655des-cbc encryption algorithm. 656.Bd -literal -offset indent 657add 3ffe:501:4819::1 3ffe:501:481d::1 esp 123457 658 -E des-cbc 0x3ffe05014819ffff ; | 631.Ed 632.Pp 633Note that the first 128/192/256 bits of a key for 634.Li aes-ctr 635will be used as AES key, and remaining 32 bits will be used as nonce. 636.Pp 637The following are the list of compression algorithms that can be used 638as the --- 12 unchanged lines hidden (view full) --- 651.Ex -std 652.\" 653.Sh EXAMPLES 654Add an ESP SA between two IPv6 addresses using the 655des-cbc encryption algorithm. 656.Bd -literal -offset indent 657add 3ffe:501:4819::1 3ffe:501:481d::1 esp 123457 658 -E des-cbc 0x3ffe05014819ffff ; |
659 | 659.Pp |
660.Ed 661.\" 662Add an authentication SA between two FQDN specified hosts: 663.Bd -literal -offset indent 664add -6 myhost.example.com yourhost.example.com ah 123456 665 -A hmac-sha1 "AH SA configuration!" ; | 660.Ed 661.\" 662Add an authentication SA between two FQDN specified hosts: 663.Bd -literal -offset indent 664add -6 myhost.example.com yourhost.example.com ah 123456 665 -A hmac-sha1 "AH SA configuration!" ; |
666 | 666.Pp |
667.Ed 668Use both ESP and AH between two numerically specified hosts: 669.Bd -literal -offset indent 670add 10.0.11.41 10.0.11.33 esp 0x10001 671 -E des-cbc 0x3ffe05014819ffff 672 -A hmac-md5 "authentication!!" ; | 667.Ed 668Use both ESP and AH between two numerically specified hosts: 669.Bd -literal -offset indent 670add 10.0.11.41 10.0.11.33 esp 0x10001 671 -E des-cbc 0x3ffe05014819ffff 672 -A hmac-md5 "authentication!!" ; |
673 | 673.Pp |
674.Ed 675Get the SA information associated with first example above: 676.Bd -literal -offset indent 677get 3ffe:501:4819::1 3ffe:501:481d::1 ah 123456 ; | 674.Ed 675Get the SA information associated with first example above: 676.Bd -literal -offset indent 677get 3ffe:501:4819::1 3ffe:501:481d::1 ah 123456 ; |
678 | 678.Pp |
679.Ed 680Flush all entries from the database: 681.Bd -literal -offset indent 682flush ; | 679.Ed 680Flush all entries from the database: 681.Bd -literal -offset indent 682flush ; |
683 | 683.Pp |
684.Ed 685Dump the ESP entries from the database: 686.Bd -literal -offset indent 687dump esp ; | 684.Ed 685Dump the ESP entries from the database: 686.Bd -literal -offset indent 687dump esp ; |
688 | 688.Pp |
689.Ed 690Add a security policy between two networks that uses ESP in tunnel mode: 691.Bd -literal -offset indent 692spdadd 10.0.11.41/32[21] 10.0.11.33/32[any] any 693 -P out ipsec esp/tunnel/192.168.0.1-192.168.1.2/require ; | 689.Ed 690Add a security policy between two networks that uses ESP in tunnel mode: 691.Bd -literal -offset indent 692spdadd 10.0.11.41/32[21] 10.0.11.33/32[any] any 693 -P out ipsec esp/tunnel/192.168.0.1-192.168.1.2/require ; |
694 | 694.Pp |
695.Ed 696Use TCP MD5 between two numerically specified hosts: 697.Bd -literal -offset indent 698add 10.1.10.34 10.1.10.36 tcp 0x1000 -A tcp-md5 "TCP-MD5 BGP secret" ; | 695.Ed 696Use TCP MD5 between two numerically specified hosts: 697.Bd -literal -offset indent 698add 10.1.10.34 10.1.10.36 tcp 0x1000 -A tcp-md5 "TCP-MD5 BGP secret" ; |
699 | |
700.Ed 701.\" 702.Sh SEE ALSO 703.Xr ipsec_set_policy 3 , 704.Xr racoon 8 , 705.Xr sysctl 8 706.Rs 707.%T "Changed manual key configuration for IPsec" --- 23 unchanged lines hidden --- | 699.Ed 700.\" 701.Sh SEE ALSO 702.Xr ipsec_set_policy 3 , 703.Xr racoon 8 , 704.Xr sysctl 8 705.Rs 706.%T "Changed manual key configuration for IPsec" --- 23 unchanged lines hidden --- |
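Review bot: in the `e.g.,\&` change, the `\&` escape no longer does anything once a comma follows the abbreviation. It was there to stop roff from reading the period of `e.g.` as a sentence end and inserting double spacing; a period followed by a comma is never a sentence end, so `e.g., the one from the` is enough. Harmless as committed. On the unchanged line just before it, `system wide default protocol` wants a hyphen (`system-wide`).

Review bot: the `camllia-cbc` to `camellia-cbc` correction in the encryption algorithm table is more than a spelling fix, because this table is where an operator copies the `-E` keyword from and a misspelt keyword is rejected by the parser; please confirm the corrected spelling is exactly the token setkey accepts. The `rfc4312` reference and the 128/192/256 key lengths on that row are consistent with Camellia. The `.Dd` bump to July 25, 2014 is warranted by this user-visible change.

Review bot: every `.Pp` added in EXAMPLES is the last line before `.Ed`, where it only appends vertical space inside the literal display; if the intent is to separate each display from the sentence introducing the next example, the paragraph break belongs after `.Ed`, or the blank line can simply be dropped as was done for the final `tcp-md5` display (line 699 removed). As committed, seven displays end with `.Pp` and the eighth does not, so they render with different trailing spacing; use one treatment for all eight. Pre-existing but worth fixing while here: `Get the SA information associated with first example above` is followed by `get ... ah 123456`, yet the first example installs `esp 123457` (the AH SA with SPI 123456 is the second example, between FQDN hosts), so the `get` command matches neither; either use `esp 123457` or reword the sentence. Also, the examples still demonstrate `des-cbc` and `hmac-md5` although the same table lists `rijndael-cbc` and `hmac-sha1`; since readers copy these verbatim, consider switching the examples to the stronger algorithms the page already documents.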