setkey.8 (76750) setkey.8 (78064)
1.\" $FreeBSD: head/sbin/setkey/setkey.8 76750 2001-05-17 15:30:49Z brian $
2.\" $KAME: setkey.8,v 1.28 2000/06/16 12:03:46 sakane Exp $
1.\" $KAME: setkey.8,v 1.49 2001/05/18 05:49:51 sakane Exp $
2.\" $FreeBSD: head/sbin/setkey/setkey.8 78064 2001-06-11 12:39:29Z ume $
3.\"
4.\" Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
5.\" All rights reserved.
6.\"
7.\" Redistribution and use in source and binary forms, with or without
8.\" modification, are permitted provided that the following conditions
9.\" are met:
10.\" 1. Redistributions of source code must retain the above copyright

--- 12 unchanged lines hidden (view full) ---

23.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
25.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
26.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
27.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
28.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
29.\" SUCH DAMAGE.
30.\"
3.\"
4.\" Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
5.\" All rights reserved.
6.\"
7.\" Redistribution and use in source and binary forms, with or without
8.\" modification, are permitted provided that the following conditions
9.\" are met:
10.\" 1. Redistributions of source code must retain the above copyright

--- 12 unchanged lines hidden (view full) ---

23.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
25.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
26.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
27.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
28.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
29.\" SUCH DAMAGE.
30.\"
31.Dd May 17, 1998
31.Dd November 20, 2000
32.Dt SETKEY 8
32.Dt SETKEY 8
33.Os KAME
33.Os
34.\"
35.Sh NAME
36.Nm setkey
37.Nd "manually manipulate the IPsec SA/SP database"
38.\"
39.Sh SYNOPSIS
40.Nm
41.Op Fl dv

--- 8 unchanged lines hidden (view full) ---

50.Op Fl dPv
51.Fl F
52.Nm
53.Op Fl h
54.Fl x
55.\"
56.Sh DESCRIPTION
57.Nm
34.\"
35.Sh NAME
36.Nm setkey
37.Nd "manually manipulate the IPsec SA/SP database"
38.\"
39.Sh SYNOPSIS
40.Nm
41.Op Fl dv

--- 8 unchanged lines hidden (view full) ---

50.Op Fl dPv
51.Fl F
52.Nm
53.Op Fl h
54.Fl x
55.\"
56.Sh DESCRIPTION
57.Nm
58addes, updates, dumpes, or flushes
58adds, updates, dumps, or flushes
59Security Association Database (SAD) entries
60as well as Security Policy Database (SPD) entries in the kernel.
61.Pp
62.Nm
63takes a series of operations from the standard input
64.Po
65if invoked with
66.Fl c

--- 22 unchanged lines hidden (view full) ---

89If with
90.Fl a ,
91the dead SAD entries will be displayed as well.
92A dead SAD entry means that
93it has been expired but remains
94because it is referenced by SPD entries.
95.It Fl d
96Enable to print debugging messages for command parser,
59Security Association Database (SAD) entries
60as well as Security Policy Database (SPD) entries in the kernel.
61.Pp
62.Nm
63takes a series of operations from the standard input
64.Po
65if invoked with
66.Fl c

--- 22 unchanged lines hidden (view full) ---

89If with
90.Fl a ,
91the dead SAD entries will be displayed as well.
92A dead SAD entry means that
93it has been expired but remains
94because it is referenced by SPD entries.
95.It Fl d
96Enable to print debugging messages for command parser,
97without talking to kernel. It is not used usually.
97without talking to kernel.
98It is not used usually.
98.It Fl x
99Loop forever and dump all the messages transmitted to
100.Dv PF_KEY
101socket.
99.It Fl x
100Loop forever and dump all the messages transmitted to
101.Dv PF_KEY
102socket.
103.Fl xx
104makes each timestamps unformatted.
102.It Fl h
103Add hexadecimal dump on
104.Fl x
105mode.
106.It Fl l
107Loop forever with short output on
108.Fl D .
109.It Fl v
110Be verbose.
105.It Fl h
106Add hexadecimal dump on
107.Fl x
108mode.
109.It Fl l
110Loop forever with short output on
111.Fl D .
112.It Fl v
113Be verbose.
114The program will dump messages exchanged on
111.Dv PF_KEY
115.Dv PF_KEY
112socket
113.Po
114including messages sent from other processes
115.Pc .
116socket, including messages sent from other processes to the kernel.
116.El
117.Pp
117.El
118.Pp
118Operations have the following grammar. Note that lines starting with
119Operations have the following grammar.
120Note that lines starting with
119hashmarks ('#') are treated as comment lines.
120.Bl -tag -width Ds
121.It Xo
122.Li add
123.Ar src Ar dst Ar protocol Ar spi
124.Op Ar extensions
125.Ar algorithm...
126.Li ;
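Review bot: 'makes each timestamps unformatted' (line 104, under `-x`) is ungrammatical and should read 'makes each timestamp unformatted'; in addition, `-xx` does not appear in the SYNOPSIS, which still shows only `.Op Fl h` followed by `.Fl x`, so either add it there or say here that the flag is given twice. A smaller wording point in the same hunk: 'It is not used usually.' (line 98, under `-d`) reads better as 'It is not normally needed.' The one-sentence-per-line reflow of the `-d`, `-x` and `-v` entries is the right mdoc convention, and the `-v` sentence now ending 'to the kernel' says what the old parenthetical only implied.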

--- 10 unchanged lines hidden (view full) ---

137.It Xo
138.Li delete
139.Ar src Ar dst Ar protocol Ar spi
140.Li ;
141.Xc
142Remove an SAD entry.
143.\"
144.It Xo
121hashmarks ('#') are treated as comment lines.
122.Bl -tag -width Ds
123.It Xo
124.Li add
125.Ar src Ar dst Ar protocol Ar spi
126.Op Ar extensions
127.Ar algorithm...
128.Li ;

--- 10 unchanged lines hidden (view full) ---

139.It Xo
140.Li delete
141.Ar src Ar dst Ar protocol Ar spi
142.Li ;
143.Xc
144Remove an SAD entry.
145.\"
146.It Xo
147.Li deleteall
148.Ar src Ar dst Ar protocol
149.Li ;
150.Xc
151Remove all SAD entries that match the specification.
152.\"
153.It Xo
145.Li flush
146.Op Ar protocol
147.Li ;
148.Xc
149Clear all SAD entries matched by the options.
150.\"
151.It Xo
152.Li dump
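Review bot: `deleteall` (lines 147-151) is described only as 'Remove all SAD entries that match the specification' without saying what is matched; spell out that every SA between `src` and `dst` for `protocol` is removed regardless of `spi`, since that is what separates it from `delete` (which also takes `spi`) and from `flush` (which takes only `protocol`). A sentence contrasting it with `flush` would help an operator choose the narrower command when cleaning up one peer's SAs rather than every SA of a protocol.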

--- 69 unchanged lines hidden (view full) ---

222.Po
223with
224.Li 0x
225attached
226.Pc .
227.\"
228.Pp
229.It Ar extensions
154.Li flush
155.Op Ar protocol
156.Li ;
157.Xc
158Clear all SAD entries matched by the options.
159.\"
160.It Xo
161.Li dump

--- 69 unchanged lines hidden (view full) ---

231.Po
232with
233.Li 0x
234attached
235.Pc .
236.\"
237.Pp
238.It Ar extensions
230take some of the following:
239takes some of the following:
231.Bl -tag -width Fl -compact
232.\"
233.It Fl m Ar mode
234Specify a security protocol mode for use.
235.Ar mode
236is one of following:
237.Li transport , tunnel
238or
239.Li any .
240The default value is
241.Li any .
242.\"
243.It Fl r Ar size
244Specify window size of bytes for replay prevention.
245.Ar size
240.Bl -tag -width Fl -compact
241.\"
242.It Fl m Ar mode
243Specify a security protocol mode for use.
244.Ar mode
245is one of following:
246.Li transport , tunnel
247or
248.Li any .
249The default value is
250.Li any .
251.\"
252.It Fl r Ar size
253Specify window size of bytes for replay prevention.
254.Ar size
246must be decimal number in 32-bit word. If
255must be decimal number in 32-bit word.
256If
247.Ar size
248is zero or not specified, replay check don't take place.
249.\"
250.It Fl u Ar id
257.Ar size
258is zero or not specified, replay check don't take place.
259.\"
260.It Fl u Ar id
251Specify the identifier of policy. See also
252.Xr ipsec_set_policy 3 .
261Specify the identifier of the policy entry in SPD.
262See
263.Ar policy .
253.\"
254.It Fl f Ar pad_option
264.\"
265.It Fl f Ar pad_option
266defines the content of the ESP padding.
255.Ar pad_option
256is one of following:
267.Ar pad_option
268is one of following:
257.Li zero-pad , random-pad
258or
259.Li seq-pad
269.Bl -tag -width random-pad -compact
270.It Li zero-pad
271All of the padding are zero.
272.It Li random-pad
273A series of randomized values are set.
274.It Li seq-pad
275A series of sequential increasing numbers started from 1 are set.
276.El
260.\"
261.It Fl f Li nocyclic-seq
262Don't allow cyclic sequence number.
263.\"
264.It Fl lh Ar time
265.It Fl ls Ar time
277.\"
278.It Fl f Li nocyclic-seq
279Don't allow cyclic sequence number.
280.\"
281.It Fl lh Ar time
282.It Fl ls Ar time
266Specify hard/soft lifetime.
283Specify hard/soft life time duration of the SA.
267.El
268.\"
269.Pp
270.It Ar algorithm
271.Bl -tag -width Fl -compact
272.It Fl E Ar ealgo Ar key
284.El
285.\"
286.Pp
287.It Ar algorithm
288.Bl -tag -width Fl -compact
289.It Fl E Ar ealgo Ar key
273Specify encryption algorithm.
290Specify a encryption algorithm.
274.It Fl A Ar aalgo Ar key
291.It Fl A Ar aalgo Ar key
275Specify authentication algorithm.
292Specify a authentication algorithm.
276If
277.Fl A
293If
294.Fl A
278is used for esp, it will be treated as ESP payload authentication algorithm.
295is used with
296.Ar protocol Li esp ,
297it will be treated as ESP payload authentication algorithm.
279.It Fl C Ar calgo Op Fl R
280Specify compression algorithm.
281If
282.Fl R
283is not specified with
284.Li ipcomp
285line, the kernel will use well-known IPComp CPI
286.Pq compression parameter index
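Review bot: 'Specify a encryption algorithm.' (line 290) and 'Specify a authentication algorithm.' (line 292) need 'an'; the original 'Specify encryption algorithm.' was acceptable as well. Elsewhere in this hunk: 'replay check don't take place' (line 258) should be 'replay checking does not take place', and since an omitted `-r` disables replay protection entirely, the `-r` entry should state that as the default rather than only in passing; 'life time duration' (line 283) should be 'lifetime'; the `seq-pad` line (line 275) should read 'starting from 1'. The `-f pad_option` entry now opens in lower case ('defines the content of the ESP padding.', line 266), which works as a continuation of the `.It` tag, but every other entry in the list opens with 'Specify', so 'Specify the content of the ESP padding.' keeps the list uniform.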

--- 10 unchanged lines hidden (view full) ---

297.Ar spi
298field will appear on IPComp CPI field on outgoing packets.
299.Ar spi
300field needs to be smaller than
301.Li 0x10000
302in this case.
303.El
304.Pp
298.It Fl C Ar calgo Op Fl R
299Specify compression algorithm.
300If
301.Fl R
302is not specified with
303.Li ipcomp
304line, the kernel will use well-known IPComp CPI
305.Pq compression parameter index

--- 10 unchanged lines hidden (view full) ---

316.Ar spi
317field will appear on IPComp CPI field on outgoing packets.
318.Ar spi
319field needs to be smaller than
320.Li 0x10000
321in this case.
322.El
323.Pp
305.Li esp
306SAs accept
324.Ar protocol Li esp
325accepts
307.Fl E
308and
309.Fl A .
326.Fl E
327and
328.Fl A .
310.Li esp-old
311SAs accept
329.Ar protocol Li esp-old
330accepts
312.Fl E
313only.
331.Fl E
332only.
314.Li ah
333.Ar protocol Li ah
315and
316.Li ah-old
334and
335.Li ah-old
317SAs accept
336accept
318.Fl A
319only.
337.Fl A
338only.
320.Li ipcomp
321SAs accept
339.Ar protocol Li ipcomp
340accepts
322.Fl C
323only.
324.Pp
325.Ar key
326must be double-quoted character string or series of hexadecimal digits.
327.Pp
328Possible values for
329.Ar ealgo ,

--- 30 unchanged lines hidden (view full) ---

360.Ar src
361and
362.Ar dst .
363They must be in numeric form.
364.\"
365.Pp
366.It Ar upperspec
367Upper-layer protocol to be used.
341.Fl C
342only.
343.Pp
344.Ar key
345must be double-quoted character string or series of hexadecimal digits.
346.Pp
347Possible values for
348.Ar ealgo ,

--- 30 unchanged lines hidden (view full) ---

379.Ar src
380and
381.Ar dst .
382They must be in numeric form.
383.\"
384.Pp
385.It Ar upperspec
386Upper-layer protocol to be used.
368Currently
369.Li icmp ,
387You can use one of words in
388.Pa /etc/protocols
389as
390.Ar upperspec .
391Or
370.Li icmp6 ,
371.Li ip4 ,
392.Li icmp6 ,
393.Li ip4 ,
372.Li tcp ,
373.Li udp
374and
375.Li any
376can be specified.
377.Li any
378stands for
379.Dq any protocol .
394and
395.Li any
396can be specified.
397.Li any
398stands for
399.Dq any protocol .
400Also you can use the protocol number.
380.Pp
381NOTE:
382.Ar upperspec
383does not work against forwarding case at this moment,
384as it requires extra reassembly at forwarding node
385.Pq not implemented at this moment .
401.Pp
402NOTE:
403.Ar upperspec
404does not work against forwarding case at this moment,
405as it requires extra reassembly at forwarding node
406.Pq not implemented at this moment .
407We have many protocols in
408.Pa /etc/protocols ,
409but protocols except of TCP, UDP and ICMP may not be suitable to use with IPSec.
410You have to consider and be careful to use them.
411.Li icmp
412.Li tcp
413.Li udp
414all protocols
386.\"
387.Pp
388.It Ar policy
389.Ar policy
390is the one of following:
415.\"
416.Pp
417.It Ar policy
418.Ar policy
419is the one of following:
391.Pp
392.Bl -item -compact
393.It
420.Bd -literal -offset
421.Xo
394.Fl P
395.Ar direction
396.Li discard
422.Fl P
423.Ar direction
424.Li discard
397.It
425.Xc
426.Xo
398.Fl P
399.Ar direction
400.Li none
427.Fl P
428.Ar direction
429.Li none
401.It
430.Xc
431.Xo
402.Fl P
403.Ar direction
404.Li ipsec
405.Ar protocol/mode/src-dst/level
432.Fl P
433.Ar direction
434.Li ipsec
435.Ar protocol/mode/src-dst/level
406.El
436.Xc
437.Ed
407.Pp
408You must specify the direction of its policy as
409.Ar direction .
410Either
411.Li out
412or
413.Li in
414are used.
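Review bot: lines 411-414 (`.Li icmp`, `.Li tcp`, `.Li udp`, `all protocols`) are orphaned fragments after the NOTE paragraph and will render as the run-on 'icmp tcp udp all protocols'; either drop them or turn them into a proper `.Bl` list of the protocols the preceding sentence calls suitable. Also in this hunk: `.Bd -literal -offset` (line 420) is missing the width argument that `-offset` takes (the algorithm tables later in this page use `.Bd -literal -offset indent`); 'protocols except of TCP, UDP and ICMP' (line 409) should be 'protocols other than TCP, UDP and ICMP'; 'IPSec' should be 'IPsec' as in the NAME line; and 'You have to consider and be careful to use them.' (line 410) can simply be 'Use the others with care.' The new wording that `upperspec` accepts any name from `/etc/protocols` or a protocol number is a useful correction of what was previously presented as a closed list.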

--- 10 unchanged lines hidden (view full) ---

425.Li ipcomp
426is to be set as
427.Ar protocol .
428.Ar mode
429is either
430.Li transport
431or
432.Li tunnel .
438.Pp
439You must specify the direction of its policy as
440.Ar direction .
441Either
442.Li out
443or
444.Li in
445are used.

--- 10 unchanged lines hidden (view full) ---

456.Li ipcomp
457is to be set as
458.Ar protocol .
459.Ar mode
460is either
461.Li transport
462or
463.Li tunnel .
433You must specify the end-points addresses of the SA as
464If
465.Ar mode
466is
467.Li tunnel ,
468you must specify the end-points addresses of the SA as
434.Ar src
435and
436.Ar dst
437with
438.Sq -
439between these addresses which is used to specify the SA to use.
469.Ar src
470and
471.Ar dst
472with
473.Sq -
474between these addresses which is used to specify the SA to use.
475If
476.Ar mode
477is
478.Li transport ,
479both
480.Ar src
481and
482.Ar dst
483can be omited.
440.Ar level
441is to be one of the following:
484.Ar level
485is to be one of the following:
442.Li default , use
486.Li default , use , require
443or
487or
444.Li require .
488.Li unique .
489If the SA is not available in every level, the kernel will request
490getting SA to the key exchange daemon.
445.Li default
446means the kernel consults to the system wide default against protocol you
447specified, e.g.
448.Li esp_trans_deflev
449sysctl variable, when the kernel processes the packet.
450.Li use
451means that the kernel use a SA if it's available,
452otherwise the kernel keeps normal operation.
453.Li require
491.Li default
492means the kernel consults to the system wide default against protocol you
493specified, e.g.
494.Li esp_trans_deflev
495sysctl variable, when the kernel processes the packet.
496.Li use
497means that the kernel use a SA if it's available,
498otherwise the kernel keeps normal operation.
499.Li require
454means SA is required whenever the kernel deals with the packet.
500means SA is required whenever the kernel sends a packet matched
501with the policy.
502.Li unique
503is the same to require.
504In addition, it allows the policy to bind with the unique out-bound SA.
505If you use the SA by manual keying,
506you can put the decimal number as the policy identifier after
507.Li unique
508separated by colon
509.Sq \:
510like the following;
511.Li unique:number .
512.Li number
513must be between 1 and 32767.
514It corresponds to
515.Ar extensions Fl u .
516.Pp
455Note that
456.Dq Li discard
457and
458.Dq Li none
459are not in the syntax described in
460.Xr ipsec_set_policy 3 .
461There are little differences in the syntax.
462See
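Review bot: `.Sq \:` (line 509) will not print a colon, because `\:` is the groff zero-width break-point escape, so the rendered text shows a pair of empty quotes; write `.Sq \&:` so the colon is printed and not treated as trailing punctuation. Other points in the hunk: 'can be omited' (line 483) is 'omitted'; 'is the same to require' (line 503) is 'is the same as `require`'; 'like the following;' (line 510) wants a colon, not a semicolon; and 'If the SA is not available in every level, the kernel will request getting SA to the key exchange daemon.' (lines 489-490) is hard to parse and would be clearer as 'If no matching SA is available, the kernel requests one from the key exchange daemon' (racoon(8), which this diff adds to SEE ALSO). The `unique:number` paragraph should also say directly that the number must equal the `-u` id of the SA it is meant to bind to; 'It corresponds to extensions -u' only implies it.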

--- 23 unchanged lines hidden (view full) ---

486 128 ah-old: rfc2085
487hmac-sha1 160 ah: rfc2404
488 160 ah-old: 128bit ICV (no document)
489keyed-md5 128 ah: 96bit ICV (no document)
490 128 ah-old: rfc1828
491keyed-sha1 160 ah: 96bit ICV (no document)
492 160 ah-old: 128bit ICV (no document)
493null 0 to 2048 for debugging
517Note that
518.Dq Li discard
519and
520.Dq Li none
521are not in the syntax described in
522.Xr ipsec_set_policy 3 .
523There are little differences in the syntax.
524See

--- 23 unchanged lines hidden (view full) ---

548 128 ah-old: rfc2085
549hmac-sha1 160 ah: rfc2404
550 160 ah-old: 128bit ICV (no document)
551keyed-md5 128 ah: 96bit ICV (no document)
552 128 ah-old: rfc1828
553keyed-sha1 160 ah: 96bit ICV (no document)
554 160 ah-old: 128bit ICV (no document)
555null 0 to 2048 for debugging
556hmac-sha2-256 256 ah: 96bit ICV (no document)
557 256 ah-old: 128bit ICV (no document)
558hmac-sha2-384 384 ah: 96bit ICV (no document)
559 384 ah-old: 128bit ICV (no document)
560hmac-sha2-512 512 ah: 96bit ICV (no document)
561 512 ah-old: 128bit ICV (no document)
494.Ed
495.Pp
496Followings are the list of encryption algorithms that can be used as
497.Ar ealgo
498in
499.Fl E Ar ealgo
500of
501.Ar protocol
502parameter:
503.Pp
504.Bd -literal -offset indent
505algorithm keylen (bits) comment
506des-cbc 64 esp-old: rfc1829, esp: rfc2405
5073des-cbc 192 rfc2451
508simple 0 to 2048 rfc2410
509blowfish-cbc 40 to 448 rfc2451
510cast128-cbc 40 to 128 rfc2451
562.Ed
563.Pp
564Followings are the list of encryption algorithms that can be used as
565.Ar ealgo
566in
567.Fl E Ar ealgo
568of
569.Ar protocol
570parameter:
571.Pp
572.Bd -literal -offset indent
573algorithm keylen (bits) comment
574des-cbc 64 esp-old: rfc1829, esp: rfc2405
5753des-cbc 192 rfc2451
576simple 0 to 2048 rfc2410
577blowfish-cbc 40 to 448 rfc2451
578cast128-cbc 40 to 128 rfc2451
511rc5-cbc 40 to 2040 rfc2451
512des-deriv 64 ipsec-ciph-des-derived-01 (expired)
5133des-deriv 192 no document
579des-deriv 64 ipsec-ciph-des-derived-01 (expired)
5803des-deriv 192 no document
581rijndael-cbc 128/192/256 draft-ietf-ipsec-ciph-aes-cbc-00
514.Ed
515.Pp
516Followings are the list of compression algorithms that can be used as
517.Ar calgo
518in
519.Fl C Ar calgo
520of
521.Ar protocol
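Review bot: `rc5-cbc 40 to 2040 rfc2451` (line 511) is removed from the `ealgo` table with nothing in the hunk saying why; if the kernel no longer accepts `-E rc5-cbc`, say so (HISTORY or the commented-out BUGS section would do), otherwise an operator with an existing `rc5-cbc` SA cannot tell from this page whether it still loads. The added rows follow the existing table layout, except that `rijndael-cbc 128/192/256` lists discrete sizes where the other rows use 'a to b'; that is appropriate if only those three exact key lengths are accepted, in which case a short note to that effect would spare readers from trying, say, 160 bits.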

--- 28 unchanged lines hidden (view full) ---

550
551.Ed
552.\"
553.Sh RETURN VALUES
554The command exits with 0 on success, and non-zero on errors.
555.\"
556.Sh SEE ALSO
557.Xr ipsec_set_policy 3 ,
582.Ed
583.Pp
584Followings are the list of compression algorithms that can be used as
585.Ar calgo
586in
587.Fl C Ar calgo
588of
589.Ar protocol

--- 28 unchanged lines hidden (view full) ---

618
619.Ed
620.\"
621.Sh RETURN VALUES
622The command exits with 0 on success, and non-zero on errors.
623.\"
624.Sh SEE ALSO
625.Xr ipsec_set_policy 3 ,
558.Xr sysctl 8
626.Xr sysctl 8 ,
627.Xr racoon 8
559.\"
560.Sh HISTORY
561The
562.Nm
563command first appeared in WIDE Hydrangea IPv6 protocol stack kit.
564The command was completely re-designed in June 1998.
565.\"
566.\" .Sh BUGS
628.\"
629.Sh HISTORY
630The
631.Nm
632command first appeared in WIDE Hydrangea IPv6 protocol stack kit.
633The command was completely re-designed in June 1998.
634.\"
635.\" .Sh BUGS