SETKEY(8)                                                          iputils

NAME
    setkey - manually manipulate the IPsec SA/SP database

DESCRIPTION
    Operations have the following grammar. Note that lines starting with a
    hash mark ('#') are treated as comment lines.

    Meta-arguments are as follows:

    Source and destination of the secure communication are specified as
    IPv4/v6 addresses.

    The security protocol is one of:

        ESP based on rfc2405
        AH based on rfc2402
        IPCOMP
        ESP based on rfc1827
        ESP based on rfc1826

    Security Parameter Index (SPI) for the SAD and the SPD. It must be a
    decimal number or a hexadecimal number (with the 0x prefix, as in the
    EXAMPLES section below).

    Extensions to an SA entry take some of the following, as shown in the
    EXAMPLES section: -m (mode: tunnel or transport), -E (encryption
    algorithm and key) and -A (authentication algorithm and key). Possible
    values for the algorithms are listed in the ALGORITHMS section.

    Selections of the secure communication are specified as an IPv4/v6
    address or an IPv4/v6 address range, optionally accompanied by a TCP/UDP
    port specification, in one of the following forms:

        address
        address/prefixlen
        address[port]
        address/prefixlen[port]

    Upper-layer protocol to be used. You can use one of the words in
    /etc/protocols.
    NOTE: /etc/protocols lists many protocols, but protocols other than
    TCP, UDP and ICMP may not be suitable for use with IPsec. Consider them
    carefully before using them.

    You must specify the direction of the policy with -P, as in -P out in
    the EXAMPLES section below.

ALGORITHMS
    The following list shows the supported algorithms.

        algorithm    keylen (bits)    comment
        hmac-md5     128              ah: rfc2403
        hmac-sha1    160              ah: rfc2401

    The following encryption algorithms can be used:

        algorithm    keylen (bits)    comment
        des-cbc      64               esp: rfc2405
        3des-cbc     192              esp: rfc2451

    The following compression algorithms can be used:

        algorithm    comment
        deflate      rfc2394
        lzs          rfc2395

EXAMPLES
        add 10.0.11.41 10.0.11.33 esp 123457 -m tunnel
            -E des-cbc "ESP SA!!" ;

        add 10.0.11.41 10.0.11.33 ah 123456 -m transport
            -A hmac-sha1 "AH SA configuration!" ;

        add 10.0.11.41 10.0.11.34 esp 0x10001 -m tunnel
            -E des-cbc "ESP with"
            -A hmac-md5 "authentication!!" ;

        get 10.0.11.41 10.0.11.33 ah 123456 ;

        flush ;

        dump esp ;

    Encapsulate the output of telnetd in an ESP tunnel encrypted with DES
    and authenticated with MD5:

        spdadd 192.168.0.1/32[23] 192.168.0.2/32[any] any
            -P out ipsec esp/tunnel/10.0.11.41-10.0.11.34/require ;

    Or alternatively, encapsulate the output of telnetd in an ESP tunnel
    encrypted with DES, but with stronger authentication of the whole
    encapsulated packet with MD5:

        spdadd 192.168.0.1/32[23] 192.168.0.2/32[any] any
            -P out ipsec esp/tunnel/10.0.11.41-10.0.11.33/require
                         ah/transport//require ;

RETURN VALUES
    The command exits with 0 on success, and non-zero on errors.

SEE ALSO
    ipsec_set_policy(3), racoon(8), sysctl(8)

HISTORY
    This port to Linux was made in November 2002.

COPYING
    $KAME: setkey.8,v 1.49 2001/05/18 05:49:51 sakane Exp $
    $FreeBSD: src/usr.sbin/setkey/setkey.8,v 1.19 2001/08/10 13:45:35 ru Exp $

    Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
    All rights reserved.

    Redistribution and use in source and binary forms, with or without
    modification, are permitted provided that the following conditions are
    met:

    1. Redistributions of source code must retain the above copyright
       notice, this list of conditions and the following disclaimer.
    2. Redistributions in binary form must reproduce the above copyright
       notice, this list of conditions and the following disclaimer in the
       documentation and/or other materials provided with the distribution.
    3. Neither the name of the project nor the names of its contributors
       may be used to endorse or promote products derived from this
       software without specific prior written permission.

    THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
    ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
    IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
    PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS
    BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
    CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
    BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
    WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
    OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
    ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
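The following audit script is an added example, not part of the setkey man page or the iputils project: it parses the `add` statements of a setkey configuration using the grammar described above (comment lines, `;` terminators, `-E`/`-A` algorithm-plus-key pairs) and checks each key length against the ALGORITHMS table, while reporting the algorithms this script treats as weak (that weak set is the script's own assumption). The sample configuration is constructed from the EXAMPLES section plus one deliberately short key.

```python
import shlex

# Key lengths (bits) from the ALGORITHMS table of the setkey man page.
KEYLEN_BITS = {"hmac-md5": 128, "hmac-sha1": 160, "des-cbc": 64, "3des-cbc": 192}
# Assumption of this audit script, not a statement of the man page:
# single DES and MD5-based HMAC are reported as weak.
WEAK = {"des-cbc", "hmac-md5"}

def parse_statements(text):
    """Split setkey input into token lists: '#' lines are comments, ';' ends a statement."""
    code = "\n".join(l for l in text.splitlines() if not l.lstrip().startswith("#"))
    return [shlex.split(s) for s in code.split(";") if s.strip()]

def audit_add(tokens):
    """Check one 'add' statement (src dst protocol spi extensions...); return findings."""
    findings = []
    proto, spi = tokens[3], tokens[4]
    i = 5
    while i < len(tokens):
        if tokens[i] in ("-E", "-A") and i + 2 < len(tokens):
            alg, key = tokens[i + 1], tokens[i + 2]
            # Keys here are quoted strings as in the man page examples: one byte per character.
            bits = len(key.encode()) * 8
            if alg in WEAK:
                findings.append(f"{proto} {spi}: weak algorithm {alg}")
            want = KEYLEN_BITS.get(alg)
            if want is not None and bits != want:
                findings.append(f"{proto} {spi}: {alg} needs {want}-bit key, got {bits} bits")
            i += 3
        else:
            i += 1  # skip -m mode values and anything else
    return findings

def audit(text):
    """Audit every 'add' statement in a setkey configuration; empty list means clean."""
    findings = []
    for tokens in parse_statements(text):
        if len(tokens) >= 5 and tokens[0] == "add":
            findings.extend(audit_add(tokens))
    return findings

# Constructed sample: the three SAs from the EXAMPLES section plus one with a too-short key.
SAMPLE_CONF = """
# comment lines are ignored
add 10.0.11.41 10.0.11.33 esp 123457 -m tunnel -E des-cbc "ESP SA!!" ;
add 10.0.11.41 10.0.11.33 ah 123456 -m transport -A hmac-sha1 "AH SA configuration!" ;
add 10.0.11.41 10.0.11.34 esp 0x10001 -m tunnel -E des-cbc "ESP with" -A hmac-md5 "authentication!!" ;
add 10.0.11.41 10.0.11.33 esp 200 -m transport -E 3des-cbc "short" ;
"""
```

Running `audit(SAMPLE_CONF)` yields four findings: the three DES/MD5 uses from the page's examples and the 40-bit 3des-cbc key in the constructed fourth entry; the hmac-sha1 entry passes because its 20-byte key is exactly 160 bits.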