FCL/sf/os/ossrv: stdlibs/libcrypt/doc/setkey.3@564bc7b7ad27 (annotated)

79 564bc7b7ad27 201043 hgs parents: diff changeset	1	.\" $KAME: setkey.8,v 1.89 2003/09/07 22:17:41 itojun Exp $
564bc7b7ad27 201043 hgs parents: diff changeset	2	.\"
564bc7b7ad27 201043 hgs parents: diff changeset	3	.\" Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
564bc7b7ad27 201043 hgs parents: diff changeset	4	.\" All rights reserved.
564bc7b7ad27 201043 hgs parents: diff changeset	5	.\"
564bc7b7ad27 201043 hgs parents: diff changeset	6	.\" Redistribution and use in source and binary forms, with or without
564bc7b7ad27 201043 hgs parents: diff changeset	7	.\" modification, are permitted provided that the following conditions
564bc7b7ad27 201043 hgs parents: diff changeset	8	.\" are met:
564bc7b7ad27 201043 hgs parents: diff changeset	9	.\" 1. Redistributions of source code must retain the above copyright
564bc7b7ad27 201043 hgs parents: diff changeset	10	.\" notice, this list of conditions and the following disclaimer.
564bc7b7ad27 201043 hgs parents: diff changeset	11	.\" 2. Redistributions in binary form must reproduce the above copyright
564bc7b7ad27 201043 hgs parents: diff changeset	12	.\" notice, this list of conditions and the following disclaimer in the
564bc7b7ad27 201043 hgs parents: diff changeset	13	.\" documentation and/or other materials provided with the distribution.
564bc7b7ad27 201043 hgs parents: diff changeset	14	.\" 3. Neither the name of the project nor the names of its contributors
564bc7b7ad27 201043 hgs parents: diff changeset	15	.\" may be used to endorse or promote products derived from this software
564bc7b7ad27 201043 hgs parents: diff changeset	16	.\" without specific prior written permission.
564bc7b7ad27 201043 hgs parents: diff changeset	17	.\"
564bc7b7ad27 201043 hgs parents: diff changeset	18	.\" THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
564bc7b7ad27 201043 hgs parents: diff changeset	19	.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
564bc7b7ad27 201043 hgs parents: diff changeset	20	.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
564bc7b7ad27 201043 hgs parents: diff changeset	21	.\" ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
564bc7b7ad27 201043 hgs parents: diff changeset	22	.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
564bc7b7ad27 201043 hgs parents: diff changeset	23	.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
564bc7b7ad27 201043 hgs parents: diff changeset	24	.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
564bc7b7ad27 201043 hgs parents: diff changeset	25	.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
564bc7b7ad27 201043 hgs parents: diff changeset	26	.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
564bc7b7ad27 201043 hgs parents: diff changeset	27	.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
564bc7b7ad27 201043 hgs parents: diff changeset	28	.\" SUCH DAMAGE.
564bc7b7ad27 201043 hgs parents: diff changeset	29	.\"
564bc7b7ad27 201043 hgs parents: diff changeset	30	.\" $FreeBSD: src/usr.sbin/setkey/setkey.8,v 1.34 2005/02/09 18:04:42 ru Exp $
564bc7b7ad27 201043 hgs parents: diff changeset	31	.\"
564bc7b7ad27 201043 hgs parents: diff changeset	32	.Dd November 20, 2000
564bc7b7ad27 201043 hgs parents: diff changeset	33	.Dt SETKEY 8
564bc7b7ad27 201043 hgs parents: diff changeset	34	.Os
564bc7b7ad27 201043 hgs parents: diff changeset	35	.\"
564bc7b7ad27 201043 hgs parents: diff changeset	36	.Sh NAME
564bc7b7ad27 201043 hgs parents: diff changeset	37	.Nm setkey
564bc7b7ad27 201043 hgs parents: diff changeset	38	.Nd "manually manipulate the IPsec SA/SP database"
564bc7b7ad27 201043 hgs parents: diff changeset	39	.\"
564bc7b7ad27 201043 hgs parents: diff changeset	40	.Sh SYNOPSIS
564bc7b7ad27 201043 hgs parents: diff changeset	41	.Nm
564bc7b7ad27 201043 hgs parents: diff changeset	42	.Op Fl v
564bc7b7ad27 201043 hgs parents: diff changeset	43	.Fl c
564bc7b7ad27 201043 hgs parents: diff changeset	44	.Nm
564bc7b7ad27 201043 hgs parents: diff changeset	45	.Op Fl v
564bc7b7ad27 201043 hgs parents: diff changeset	46	.Fl f Ar filename
564bc7b7ad27 201043 hgs parents: diff changeset	47	.Nm
564bc7b7ad27 201043 hgs parents: diff changeset	48	.Op Fl aPlv
564bc7b7ad27 201043 hgs parents: diff changeset	49	.Fl D
564bc7b7ad27 201043 hgs parents: diff changeset	50	.Nm
564bc7b7ad27 201043 hgs parents: diff changeset	51	.Op Fl Pv
564bc7b7ad27 201043 hgs parents: diff changeset	52	.Fl F
564bc7b7ad27 201043 hgs parents: diff changeset	53	.Nm
564bc7b7ad27 201043 hgs parents: diff changeset	54	.Op Fl h
564bc7b7ad27 201043 hgs parents: diff changeset	55	.Fl x
564bc7b7ad27 201043 hgs parents: diff changeset	56	.\"
564bc7b7ad27 201043 hgs parents: diff changeset	57	.Sh DESCRIPTION
564bc7b7ad27 201043 hgs parents: diff changeset	58	The
564bc7b7ad27 201043 hgs parents: diff changeset	59	.Nm
564bc7b7ad27 201043 hgs parents: diff changeset	60	utility adds, updates, dumps, or flushes
564bc7b7ad27 201043 hgs parents: diff changeset	61	Security Association Database (SAD) entries
564bc7b7ad27 201043 hgs parents: diff changeset	62	as well as Security Policy Database (SPD) entries in the kernel.
564bc7b7ad27 201043 hgs parents: diff changeset	63	.Pp
564bc7b7ad27 201043 hgs parents: diff changeset	64	The
564bc7b7ad27 201043 hgs parents: diff changeset	65	.Nm
564bc7b7ad27 201043 hgs parents: diff changeset	66	utility takes a series of operations from the standard input
564bc7b7ad27 201043 hgs parents: diff changeset	67	(if invoked with
564bc7b7ad27 201043 hgs parents: diff changeset	68	.Fl c )
564bc7b7ad27 201043 hgs parents: diff changeset	69	or the file named
564bc7b7ad27 201043 hgs parents: diff changeset	70	.Ar filename
564bc7b7ad27 201043 hgs parents: diff changeset	71	(if invoked with
564bc7b7ad27 201043 hgs parents: diff changeset	72	.Fl f Ar filename ) .
564bc7b7ad27 201043 hgs parents: diff changeset	73	.Bl -tag -width indent
564bc7b7ad27 201043 hgs parents: diff changeset	74	.It Fl D
564bc7b7ad27 201043 hgs parents: diff changeset	75	Dump the SAD entries.
564bc7b7ad27 201043 hgs parents: diff changeset	76	If with
564bc7b7ad27 201043 hgs parents: diff changeset	77	.Fl P ,
564bc7b7ad27 201043 hgs parents: diff changeset	78	the SPD entries are dumped.
564bc7b7ad27 201043 hgs parents: diff changeset	79	.It Fl F
564bc7b7ad27 201043 hgs parents: diff changeset	80	Flush the SAD entries.
564bc7b7ad27 201043 hgs parents: diff changeset	81	If with
564bc7b7ad27 201043 hgs parents: diff changeset	82	.Fl P ,
564bc7b7ad27 201043 hgs parents: diff changeset	83	the SPD entries are flushed.
564bc7b7ad27 201043 hgs parents: diff changeset	84	.It Fl a
564bc7b7ad27 201043 hgs parents: diff changeset	85	The
564bc7b7ad27 201043 hgs parents: diff changeset	86	.Nm
564bc7b7ad27 201043 hgs parents: diff changeset	87	utility
564bc7b7ad27 201043 hgs parents: diff changeset	88	usually does not display dead SAD entries with
564bc7b7ad27 201043 hgs parents: diff changeset	89	.Fl D .
564bc7b7ad27 201043 hgs parents: diff changeset	90	If with
564bc7b7ad27 201043 hgs parents: diff changeset	91	.Fl a ,
564bc7b7ad27 201043 hgs parents: diff changeset	92	the dead SAD entries will be displayed as well.
564bc7b7ad27 201043 hgs parents: diff changeset	93	A dead SAD entry means that
564bc7b7ad27 201043 hgs parents: diff changeset	94	it has been expired but remains in the system
564bc7b7ad27 201043 hgs parents: diff changeset	95	because it is referenced by some SPD entries.
564bc7b7ad27 201043 hgs parents: diff changeset	96	.It Fl h
564bc7b7ad27 201043 hgs parents: diff changeset	97	Add hexadecimal dump on
564bc7b7ad27 201043 hgs parents: diff changeset	98	.Fl x
564bc7b7ad27 201043 hgs parents: diff changeset	99	mode.
564bc7b7ad27 201043 hgs parents: diff changeset	100	.It Fl l
564bc7b7ad27 201043 hgs parents: diff changeset	101	Loop forever with short output on
564bc7b7ad27 201043 hgs parents: diff changeset	102	.Fl D .
564bc7b7ad27 201043 hgs parents: diff changeset	103	.It Fl v
564bc7b7ad27 201043 hgs parents: diff changeset	104	Be verbose.
564bc7b7ad27 201043 hgs parents: diff changeset	105	The program will dump messages exchanged on
564bc7b7ad27 201043 hgs parents: diff changeset	106	.Dv PF_KEY
564bc7b7ad27 201043 hgs parents: diff changeset	107	socket, including messages sent from other processes to the kernel.
564bc7b7ad27 201043 hgs parents: diff changeset	108	.It Fl x
564bc7b7ad27 201043 hgs parents: diff changeset	109	Loop forever and dump all the messages transmitted to
564bc7b7ad27 201043 hgs parents: diff changeset	110	.Dv PF_KEY
564bc7b7ad27 201043 hgs parents: diff changeset	111	socket.
564bc7b7ad27 201043 hgs parents: diff changeset	112	.Fl xx
564bc7b7ad27 201043 hgs parents: diff changeset	113	makes each timestamps unformatted.
564bc7b7ad27 201043 hgs parents: diff changeset	114	.El
564bc7b7ad27 201043 hgs parents: diff changeset	115	.Ss Configuration syntax
564bc7b7ad27 201043 hgs parents: diff changeset	116	With
564bc7b7ad27 201043 hgs parents: diff changeset	117	.Fl c
564bc7b7ad27 201043 hgs parents: diff changeset	118	or
564bc7b7ad27 201043 hgs parents: diff changeset	119	.Fl f
564bc7b7ad27 201043 hgs parents: diff changeset	120	on the command line,
564bc7b7ad27 201043 hgs parents: diff changeset	121	.Nm
564bc7b7ad27 201043 hgs parents: diff changeset	122	accepts the following configuration syntax.
564bc7b7ad27 201043 hgs parents: diff changeset	123	Lines starting with hash signs
564bc7b7ad27 201043 hgs parents: diff changeset	124	.Pq Ql #
564bc7b7ad27 201043 hgs parents: diff changeset	125	are treated as comment lines.
564bc7b7ad27 201043 hgs parents: diff changeset	126	.Bl -tag -width indent
564bc7b7ad27 201043 hgs parents: diff changeset	127	.It Xo
564bc7b7ad27 201043 hgs parents: diff changeset	128	.Li add
564bc7b7ad27 201043 hgs parents: diff changeset	129	.Op Fl 46n
564bc7b7ad27 201043 hgs parents: diff changeset	130	.Ar src Ar dst Ar protocol Ar spi
564bc7b7ad27 201043 hgs parents: diff changeset	131	.Op Ar extensions
564bc7b7ad27 201043 hgs parents: diff changeset	132	.Ar algorithm ...
564bc7b7ad27 201043 hgs parents: diff changeset	133	.Li ;
564bc7b7ad27 201043 hgs parents: diff changeset	134	.Xc
564bc7b7ad27 201043 hgs parents: diff changeset	135	Add an SAD entry.
564bc7b7ad27 201043 hgs parents: diff changeset	136	.Li add
564bc7b7ad27 201043 hgs parents: diff changeset	137	can fail with multiple reasons,
564bc7b7ad27 201043 hgs parents: diff changeset	138	including when the key length does not match the specified algorithm.
564bc7b7ad27 201043 hgs parents: diff changeset	139	.\"
564bc7b7ad27 201043 hgs parents: diff changeset	140	.It Xo
564bc7b7ad27 201043 hgs parents: diff changeset	141	.Li get
564bc7b7ad27 201043 hgs parents: diff changeset	142	.Op Fl 46n
564bc7b7ad27 201043 hgs parents: diff changeset	143	.Ar src Ar dst Ar protocol Ar spi
564bc7b7ad27 201043 hgs parents: diff changeset	144	.Li ;
564bc7b7ad27 201043 hgs parents: diff changeset	145	.Xc
564bc7b7ad27 201043 hgs parents: diff changeset	146	Show an SAD entry.
564bc7b7ad27 201043 hgs parents: diff changeset	147	.\"
564bc7b7ad27 201043 hgs parents: diff changeset	148	.It Xo
564bc7b7ad27 201043 hgs parents: diff changeset	149	.Li delete
564bc7b7ad27 201043 hgs parents: diff changeset	150	.Op Fl 46n
564bc7b7ad27 201043 hgs parents: diff changeset	151	.Ar src Ar dst Ar protocol Ar spi
564bc7b7ad27 201043 hgs parents: diff changeset	152	.Li ;
564bc7b7ad27 201043 hgs parents: diff changeset	153	.Xc
564bc7b7ad27 201043 hgs parents: diff changeset	154	Remove an SAD entry.
564bc7b7ad27 201043 hgs parents: diff changeset	155	.\"
564bc7b7ad27 201043 hgs parents: diff changeset	156	.It Xo
564bc7b7ad27 201043 hgs parents: diff changeset	157	.Li deleteall
564bc7b7ad27 201043 hgs parents: diff changeset	158	.Op Fl 46n
564bc7b7ad27 201043 hgs parents: diff changeset	159	.Ar src Ar dst Ar protocol
564bc7b7ad27 201043 hgs parents: diff changeset	160	.Li ;
564bc7b7ad27 201043 hgs parents: diff changeset	161	.Xc
564bc7b7ad27 201043 hgs parents: diff changeset	162	Remove all SAD entries that match the specification.
564bc7b7ad27 201043 hgs parents: diff changeset	163	.\"
564bc7b7ad27 201043 hgs parents: diff changeset	164	.It Xo
564bc7b7ad27 201043 hgs parents: diff changeset	165	.Li flush
564bc7b7ad27 201043 hgs parents: diff changeset	166	.Op Ar protocol
564bc7b7ad27 201043 hgs parents: diff changeset	167	.Li ;
564bc7b7ad27 201043 hgs parents: diff changeset	168	.Xc
564bc7b7ad27 201043 hgs parents: diff changeset	169	Clear all SAD entries matched by the options.
564bc7b7ad27 201043 hgs parents: diff changeset	170	.Fl F
564bc7b7ad27 201043 hgs parents: diff changeset	171	on the command line achieves the same functionality.
564bc7b7ad27 201043 hgs parents: diff changeset	172	.\"
564bc7b7ad27 201043 hgs parents: diff changeset	173	.It Xo
564bc7b7ad27 201043 hgs parents: diff changeset	174	.Li dump
564bc7b7ad27 201043 hgs parents: diff changeset	175	.Op Ar protocol
564bc7b7ad27 201043 hgs parents: diff changeset	176	.Li ;
564bc7b7ad27 201043 hgs parents: diff changeset	177	.Xc
564bc7b7ad27 201043 hgs parents: diff changeset	178	Dumps all SAD entries matched by the options.
564bc7b7ad27 201043 hgs parents: diff changeset	179	.Fl D
564bc7b7ad27 201043 hgs parents: diff changeset	180	on the command line achieves the same functionality.
564bc7b7ad27 201043 hgs parents: diff changeset	181	.\"
564bc7b7ad27 201043 hgs parents: diff changeset	182	.It Xo
564bc7b7ad27 201043 hgs parents: diff changeset	183	.Li spdadd
564bc7b7ad27 201043 hgs parents: diff changeset	184	.Op Fl 46n
564bc7b7ad27 201043 hgs parents: diff changeset	185	.Ar src_range Ar dst_range Ar upperspec Ar policy
564bc7b7ad27 201043 hgs parents: diff changeset	186	.Li ;
564bc7b7ad27 201043 hgs parents: diff changeset	187	.Xc
564bc7b7ad27 201043 hgs parents: diff changeset	188	Add an SPD entry.
564bc7b7ad27 201043 hgs parents: diff changeset	189	.\"
564bc7b7ad27 201043 hgs parents: diff changeset	190	.It Xo
564bc7b7ad27 201043 hgs parents: diff changeset	191	.Li spddelete
564bc7b7ad27 201043 hgs parents: diff changeset	192	.Op Fl 46n
564bc7b7ad27 201043 hgs parents: diff changeset	193	.Ar src_range Ar dst_range Ar upperspec Fl P Ar direction
564bc7b7ad27 201043 hgs parents: diff changeset	194	.Li ;
564bc7b7ad27 201043 hgs parents: diff changeset	195	.Xc
564bc7b7ad27 201043 hgs parents: diff changeset	196	Delete an SPD entry.
564bc7b7ad27 201043 hgs parents: diff changeset	197	.\"
564bc7b7ad27 201043 hgs parents: diff changeset	198	.It Xo
564bc7b7ad27 201043 hgs parents: diff changeset	199	.Li spdflush
564bc7b7ad27 201043 hgs parents: diff changeset	200	.Li ;
564bc7b7ad27 201043 hgs parents: diff changeset	201	.Xc
564bc7b7ad27 201043 hgs parents: diff changeset	202	Clear all SPD entries.
564bc7b7ad27 201043 hgs parents: diff changeset	203	.Fl FP
564bc7b7ad27 201043 hgs parents: diff changeset	204	on the command line achieves the same functionality.
564bc7b7ad27 201043 hgs parents: diff changeset	205	.\"
564bc7b7ad27 201043 hgs parents: diff changeset	206	.It Xo
564bc7b7ad27 201043 hgs parents: diff changeset	207	.Li spddump
564bc7b7ad27 201043 hgs parents: diff changeset	208	.Li ;
564bc7b7ad27 201043 hgs parents: diff changeset	209	.Xc
564bc7b7ad27 201043 hgs parents: diff changeset	210	Dumps all SPD entries.
564bc7b7ad27 201043 hgs parents: diff changeset	211	.Fl DP
564bc7b7ad27 201043 hgs parents: diff changeset	212	on the command line achieves the same functionality.
564bc7b7ad27 201043 hgs parents: diff changeset	213	.El
564bc7b7ad27 201043 hgs parents: diff changeset	214	.\"
564bc7b7ad27 201043 hgs parents: diff changeset	215	.Pp
564bc7b7ad27 201043 hgs parents: diff changeset	216	Meta-arguments are as follows:
564bc7b7ad27 201043 hgs parents: diff changeset	217	.Pp
564bc7b7ad27 201043 hgs parents: diff changeset	218	.Bl -tag -compact -width indent
564bc7b7ad27 201043 hgs parents: diff changeset	219	.It Ar src
564bc7b7ad27 201043 hgs parents: diff changeset	220	.It Ar dst
564bc7b7ad27 201043 hgs parents: diff changeset	221	Source/destination of the secure communication is specified as
564bc7b7ad27 201043 hgs parents: diff changeset	222	IPv4/v6 address.
564bc7b7ad27 201043 hgs parents: diff changeset	223	The
564bc7b7ad27 201043 hgs parents: diff changeset	224	.Nm
564bc7b7ad27 201043 hgs parents: diff changeset	225	utility
564bc7b7ad27 201043 hgs parents: diff changeset	226	can resolve a FQDN into numeric addresses.
564bc7b7ad27 201043 hgs parents: diff changeset	227	If the FQDN resolves into multiple addresses,
564bc7b7ad27 201043 hgs parents: diff changeset	228	.Nm
564bc7b7ad27 201043 hgs parents: diff changeset	229	will install multiple SAD/SPD entries into the kernel
564bc7b7ad27 201043 hgs parents: diff changeset	230	by trying all possible combinations.
564bc7b7ad27 201043 hgs parents: diff changeset	231	.Fl 4 ,
564bc7b7ad27 201043 hgs parents: diff changeset	232	.Fl 6
564bc7b7ad27 201043 hgs parents: diff changeset	233	and
564bc7b7ad27 201043 hgs parents: diff changeset	234	.Fl n
564bc7b7ad27 201043 hgs parents: diff changeset	235	restricts the address resolution of FQDN in certain ways.
564bc7b7ad27 201043 hgs parents: diff changeset	236	.Fl 4
564bc7b7ad27 201043 hgs parents: diff changeset	237	and
564bc7b7ad27 201043 hgs parents: diff changeset	238	.Fl 6
564bc7b7ad27 201043 hgs parents: diff changeset	239	restrict results into IPv4/v6 addresses only, respectively.
564bc7b7ad27 201043 hgs parents: diff changeset	240	.Fl n
564bc7b7ad27 201043 hgs parents: diff changeset	241	avoids FQDN resolution and requires addresses to be numeric addresses.
564bc7b7ad27 201043 hgs parents: diff changeset	242	.\"
564bc7b7ad27 201043 hgs parents: diff changeset	243	.Pp
564bc7b7ad27 201043 hgs parents: diff changeset	244	.It Ar protocol
564bc7b7ad27 201043 hgs parents: diff changeset	245	.Ar protocol
564bc7b7ad27 201043 hgs parents: diff changeset	246	is one of following:
564bc7b7ad27 201043 hgs parents: diff changeset	247	.Bl -tag -width Fl -compact
564bc7b7ad27 201043 hgs parents: diff changeset	248	.It Li esp
564bc7b7ad27 201043 hgs parents: diff changeset	249	ESP based on rfc2406
564bc7b7ad27 201043 hgs parents: diff changeset	250	.It Li esp-old
564bc7b7ad27 201043 hgs parents: diff changeset	251	ESP based on rfc1827
564bc7b7ad27 201043 hgs parents: diff changeset	252	.It Li ah
564bc7b7ad27 201043 hgs parents: diff changeset	253	AH based on rfc2402
564bc7b7ad27 201043 hgs parents: diff changeset	254	.It Li ah-old
564bc7b7ad27 201043 hgs parents: diff changeset	255	AH based on rfc1826
564bc7b7ad27 201043 hgs parents: diff changeset	256	.It Li ipcomp
564bc7b7ad27 201043 hgs parents: diff changeset	257	IPComp
564bc7b7ad27 201043 hgs parents: diff changeset	258	.It Li tcp
564bc7b7ad27 201043 hgs parents: diff changeset	259	TCP-MD5 based on rfc2385
564bc7b7ad27 201043 hgs parents: diff changeset	260	.El
564bc7b7ad27 201043 hgs parents: diff changeset	261	.\"
564bc7b7ad27 201043 hgs parents: diff changeset	262	.Pp
564bc7b7ad27 201043 hgs parents: diff changeset	263	.It Ar spi
564bc7b7ad27 201043 hgs parents: diff changeset	264	Security Parameter Index
564bc7b7ad27 201043 hgs parents: diff changeset	265	(SPI)
564bc7b7ad27 201043 hgs parents: diff changeset	266	for the SAD and the SPD.
564bc7b7ad27 201043 hgs parents: diff changeset	267	.Ar spi
564bc7b7ad27 201043 hgs parents: diff changeset	268	must be a decimal number, or a hexadecimal number with
564bc7b7ad27 201043 hgs parents: diff changeset	269	.Ql 0x
564bc7b7ad27 201043 hgs parents: diff changeset	270	prefix.
564bc7b7ad27 201043 hgs parents: diff changeset	271	SPI values between 0 and 255 are reserved for future use by IANA
564bc7b7ad27 201043 hgs parents: diff changeset	272	and they cannot be used.
564bc7b7ad27 201043 hgs parents: diff changeset	273	TCP-MD5 associations must use 0x1000 and therefore only have per-host
564bc7b7ad27 201043 hgs parents: diff changeset	274	granularity at this time.
564bc7b7ad27 201043 hgs parents: diff changeset	275	.\"
564bc7b7ad27 201043 hgs parents: diff changeset	276	.Pp
564bc7b7ad27 201043 hgs parents: diff changeset	277	.It Ar extensions
564bc7b7ad27 201043 hgs parents: diff changeset	278	take some of the following:
564bc7b7ad27 201043 hgs parents: diff changeset	279	.Bl -tag -width Fl -compact
564bc7b7ad27 201043 hgs parents: diff changeset	280	.\"
564bc7b7ad27 201043 hgs parents: diff changeset	281	.It Fl m Ar mode
564bc7b7ad27 201043 hgs parents: diff changeset	282	Specify a security protocol mode for use.
564bc7b7ad27 201043 hgs parents: diff changeset	283	.Ar mode
564bc7b7ad27 201043 hgs parents: diff changeset	284	is one of following:
564bc7b7ad27 201043 hgs parents: diff changeset	285	.Li transport , tunnel
564bc7b7ad27 201043 hgs parents: diff changeset	286	or
564bc7b7ad27 201043 hgs parents: diff changeset	287	.Li any .
564bc7b7ad27 201043 hgs parents: diff changeset	288	The default value is
564bc7b7ad27 201043 hgs parents: diff changeset	289	.Li any .
564bc7b7ad27 201043 hgs parents: diff changeset	290	.\"
564bc7b7ad27 201043 hgs parents: diff changeset	291	.It Fl r Ar size
564bc7b7ad27 201043 hgs parents: diff changeset	292	Specify window size of bytes for replay prevention.
564bc7b7ad27 201043 hgs parents: diff changeset	293	.Ar size
564bc7b7ad27 201043 hgs parents: diff changeset	294	must be decimal number in 32-bit word.
564bc7b7ad27 201043 hgs parents: diff changeset	295	If
564bc7b7ad27 201043 hgs parents: diff changeset	296	.Ar size
564bc7b7ad27 201043 hgs parents: diff changeset	297	is zero or not specified, replay check does not take place.
564bc7b7ad27 201043 hgs parents: diff changeset	298	.\"
564bc7b7ad27 201043 hgs parents: diff changeset	299	.It Fl u Ar id
564bc7b7ad27 201043 hgs parents: diff changeset	300	Specify the identifier of the policy entry in SPD.
564bc7b7ad27 201043 hgs parents: diff changeset	301	See
564bc7b7ad27 201043 hgs parents: diff changeset	302	.Ar policy .
564bc7b7ad27 201043 hgs parents: diff changeset	303	.\"
564bc7b7ad27 201043 hgs parents: diff changeset	304	.It Fl f Ar pad_option
564bc7b7ad27 201043 hgs parents: diff changeset	305	defines the content of the ESP padding.
564bc7b7ad27 201043 hgs parents: diff changeset	306	.Ar pad_option
564bc7b7ad27 201043 hgs parents: diff changeset	307	is one of following:
564bc7b7ad27 201043 hgs parents: diff changeset	308	.Bl -tag -width random-pad -compact
564bc7b7ad27 201043 hgs parents: diff changeset	309	.It Li zero-pad
564bc7b7ad27 201043 hgs parents: diff changeset	310	All of the padding are zero.
564bc7b7ad27 201043 hgs parents: diff changeset	311	.It Li random-pad
564bc7b7ad27 201043 hgs parents: diff changeset	312	A series of randomized values are set.
564bc7b7ad27 201043 hgs parents: diff changeset	313	.It Li seq-pad
564bc7b7ad27 201043 hgs parents: diff changeset	314	A series of sequential increasing numbers started from 1 are set.
564bc7b7ad27 201043 hgs parents: diff changeset	315	.El
564bc7b7ad27 201043 hgs parents: diff changeset	316	.\"
564bc7b7ad27 201043 hgs parents: diff changeset	317	.It Fl f Li nocyclic-seq
564bc7b7ad27 201043 hgs parents: diff changeset	318	Do not allow cyclic sequence number.
564bc7b7ad27 201043 hgs parents: diff changeset	319	.\"
564bc7b7ad27 201043 hgs parents: diff changeset	320	.It Fl lh Ar time
564bc7b7ad27 201043 hgs parents: diff changeset	321	.It Fl ls Ar time
564bc7b7ad27 201043 hgs parents: diff changeset	322	Specify hard/soft life time duration of the SA.
564bc7b7ad27 201043 hgs parents: diff changeset	323	.El
564bc7b7ad27 201043 hgs parents: diff changeset	324	.\"
564bc7b7ad27 201043 hgs parents: diff changeset	325	.Pp
564bc7b7ad27 201043 hgs parents: diff changeset	326	.It Ar algorithm
564bc7b7ad27 201043 hgs parents: diff changeset	327	.Bl -tag -width Fl -compact
564bc7b7ad27 201043 hgs parents: diff changeset	328	.It Fl E Ar ealgo Ar key
564bc7b7ad27 201043 hgs parents: diff changeset	329	Specify an encryption algorithm
564bc7b7ad27 201043 hgs parents: diff changeset	330	.Ar ealgo
564bc7b7ad27 201043 hgs parents: diff changeset	331	for ESP.
564bc7b7ad27 201043 hgs parents: diff changeset	332	.It Xo
564bc7b7ad27 201043 hgs parents: diff changeset	333	.Fl E Ar ealgo Ar key
564bc7b7ad27 201043 hgs parents: diff changeset	334	.Fl A Ar aalgo Ar key
564bc7b7ad27 201043 hgs parents: diff changeset	335	.Xc
564bc7b7ad27 201043 hgs parents: diff changeset	336	Specify a encryption algorithm
564bc7b7ad27 201043 hgs parents: diff changeset	337	.Ar ealgo ,
564bc7b7ad27 201043 hgs parents: diff changeset	338	as well as a payload authentication algorithm
564bc7b7ad27 201043 hgs parents: diff changeset	339	.Ar aalgo ,
564bc7b7ad27 201043 hgs parents: diff changeset	340	for ESP.
564bc7b7ad27 201043 hgs parents: diff changeset	341	.It Fl A Ar aalgo Ar key
564bc7b7ad27 201043 hgs parents: diff changeset	342	Specify an authentication algorithm for AH.
564bc7b7ad27 201043 hgs parents: diff changeset	343	.It Fl C Ar calgo Op Fl R
564bc7b7ad27 201043 hgs parents: diff changeset	344	Specify a compression algorithm for IPComp.
564bc7b7ad27 201043 hgs parents: diff changeset	345	If
564bc7b7ad27 201043 hgs parents: diff changeset	346	.Fl R
564bc7b7ad27 201043 hgs parents: diff changeset	347	is specified,
564bc7b7ad27 201043 hgs parents: diff changeset	348	.Ar spi
564bc7b7ad27 201043 hgs parents: diff changeset	349	field value will be used as the IPComp CPI
564bc7b7ad27 201043 hgs parents: diff changeset	350	(compression parameter index)
564bc7b7ad27 201043 hgs parents: diff changeset	351	on wire as is.
564bc7b7ad27 201043 hgs parents: diff changeset	352	If
564bc7b7ad27 201043 hgs parents: diff changeset	353	.Fl R
564bc7b7ad27 201043 hgs parents: diff changeset	354	is not specified,
564bc7b7ad27 201043 hgs parents: diff changeset	355	the kernel will use well-known CPI on wire, and
564bc7b7ad27 201043 hgs parents: diff changeset	356	.Ar spi
564bc7b7ad27 201043 hgs parents: diff changeset	357	field will be used only as an index for kernel internal usage.
564bc7b7ad27 201043 hgs parents: diff changeset	358	.El
564bc7b7ad27 201043 hgs parents: diff changeset	359	.Pp
564bc7b7ad27 201043 hgs parents: diff changeset	360	.Ar key
564bc7b7ad27 201043 hgs parents: diff changeset	361	must be double-quoted character string, or a series of hexadecimal digits
564bc7b7ad27 201043 hgs parents: diff changeset	362	preceded by
564bc7b7ad27 201043 hgs parents: diff changeset	363	.Ql 0x .
564bc7b7ad27 201043 hgs parents: diff changeset	364	.Pp
564bc7b7ad27 201043 hgs parents: diff changeset	365	Possible values for
564bc7b7ad27 201043 hgs parents: diff changeset	366	.Ar ealgo ,
564bc7b7ad27 201043 hgs parents: diff changeset	367	.Ar aalgo
564bc7b7ad27 201043 hgs parents: diff changeset	368	and
564bc7b7ad27 201043 hgs parents: diff changeset	369	.Ar calgo
564bc7b7ad27 201043 hgs parents: diff changeset	370	are specified in separate section.
564bc7b7ad27 201043 hgs parents: diff changeset	371	.\"
564bc7b7ad27 201043 hgs parents: diff changeset	372	.Pp
564bc7b7ad27 201043 hgs parents: diff changeset	373	.It Ar src_range
564bc7b7ad27 201043 hgs parents: diff changeset	374	.It Ar dst_range
564bc7b7ad27 201043 hgs parents: diff changeset	375	These are selections of the secure communication specified as
564bc7b7ad27 201043 hgs parents: diff changeset	376	IPv4/v6 address or IPv4/v6 address range, and it may accompany
564bc7b7ad27 201043 hgs parents: diff changeset	377	TCP/UDP port specification.
564bc7b7ad27 201043 hgs parents: diff changeset	378	This takes the following form:
564bc7b7ad27 201043 hgs parents: diff changeset	379	.Bd -unfilled
564bc7b7ad27 201043 hgs parents: diff changeset	380	.Ar address
564bc7b7ad27 201043 hgs parents: diff changeset	381	.Ar address/prefixlen
564bc7b7ad27 201043 hgs parents: diff changeset	382	.Ar address[port]
564bc7b7ad27 201043 hgs parents: diff changeset	383	.Ar address/prefixlen[port]
564bc7b7ad27 201043 hgs parents: diff changeset	384	.Ed
564bc7b7ad27 201043 hgs parents: diff changeset	385	.Pp
564bc7b7ad27 201043 hgs parents: diff changeset	386	.Ar prefixlen
564bc7b7ad27 201043 hgs parents: diff changeset	387	and
564bc7b7ad27 201043 hgs parents: diff changeset	388	.Ar port
564bc7b7ad27 201043 hgs parents: diff changeset	389	must be decimal number.
564bc7b7ad27 201043 hgs parents: diff changeset	390	The square bracket around
564bc7b7ad27 201043 hgs parents: diff changeset	391	.Ar port
564bc7b7ad27 201043 hgs parents: diff changeset	392	is really necessary.
564bc7b7ad27 201043 hgs parents: diff changeset	393	They are not manpage metacharacters.
564bc7b7ad27 201043 hgs parents: diff changeset	394	For FQDN resolution, the rules applicable to
564bc7b7ad27 201043 hgs parents: diff changeset	395	.Ar src
564bc7b7ad27 201043 hgs parents: diff changeset	396	and
564bc7b7ad27 201043 hgs parents: diff changeset	397	.Ar dst
564bc7b7ad27 201043 hgs parents: diff changeset	398	apply here as well.
564bc7b7ad27 201043 hgs parents: diff changeset	399	.\"
564bc7b7ad27 201043 hgs parents: diff changeset	400	.Pp
564bc7b7ad27 201043 hgs parents: diff changeset	401	.It Ar upperspec
564bc7b7ad27 201043 hgs parents: diff changeset	402	Upper-layer protocol to be used.
564bc7b7ad27 201043 hgs parents: diff changeset	403	Use one of the words in
564bc7b7ad27 201043 hgs parents: diff changeset	404	.Pa /etc/protocols
564bc7b7ad27 201043 hgs parents: diff changeset	405	as
564bc7b7ad27 201043 hgs parents: diff changeset	406	.Ar upperspec .
564bc7b7ad27 201043 hgs parents: diff changeset	407	Or
564bc7b7ad27 201043 hgs parents: diff changeset	408	.Li icmp6 ,
564bc7b7ad27 201043 hgs parents: diff changeset	409	.Li ip4 ,
564bc7b7ad27 201043 hgs parents: diff changeset	410	and
564bc7b7ad27 201043 hgs parents: diff changeset	411	.Li any
564bc7b7ad27 201043 hgs parents: diff changeset	412	can be specified.
564bc7b7ad27 201043 hgs parents: diff changeset	413	.Li any
564bc7b7ad27 201043 hgs parents: diff changeset	414	stands for
564bc7b7ad27 201043 hgs parents: diff changeset	415	.Dq any protocol .
564bc7b7ad27 201043 hgs parents: diff changeset	416	Also, use the protocol number.
564bc7b7ad27 201043 hgs parents: diff changeset	417	Specify a type and/or a code of ICMPv6 when
564bc7b7ad27 201043 hgs parents: diff changeset	418	upper-layer protocol is ICMPv6.
564bc7b7ad27 201043 hgs parents: diff changeset	419	The specification can be placed after
564bc7b7ad27 201043 hgs parents: diff changeset	420	.Li icmp6 .
564bc7b7ad27 201043 hgs parents: diff changeset	421	A type is separated with a code by single comma.
564bc7b7ad27 201043 hgs parents: diff changeset	422	A code must be specified anytime.
564bc7b7ad27 201043 hgs parents: diff changeset	423	When a zero is specified, the kernel deals with it as a wildcard.
564bc7b7ad27 201043 hgs parents: diff changeset	424	Note that the kernel cannot distinguish a wildcard from that a type
564bc7b7ad27 201043 hgs parents: diff changeset	425	of ICMPv6 is zero.
564bc7b7ad27 201043 hgs parents: diff changeset	426	For example, the following means the policy does not require IPsec
564bc7b7ad27 201043 hgs parents: diff changeset	427	for any inbound Neighbor Solicitation:
564bc7b7ad27 201043 hgs parents: diff changeset	428	.Pp
564bc7b7ad27 201043 hgs parents: diff changeset	429	.Dl "spdadd ::/0 ::/0 icmp6 135,0 -P in none;"
564bc7b7ad27 201043 hgs parents: diff changeset	430	.Pp
564bc7b7ad27 201043 hgs parents: diff changeset	431	NOTE:
564bc7b7ad27 201043 hgs parents: diff changeset	432	.Ar upperspec
564bc7b7ad27 201043 hgs parents: diff changeset	433	does not work against forwarding case at this moment,
564bc7b7ad27 201043 hgs parents: diff changeset	434	as it requires extra reassembly at forwarding node
564bc7b7ad27 201043 hgs parents: diff changeset	435	(not implemented at this moment).
564bc7b7ad27 201043 hgs parents: diff changeset	436	There are many protocols in
564bc7b7ad27 201043 hgs parents: diff changeset	437	.Pa /etc/protocols ,
564bc7b7ad27 201043 hgs parents: diff changeset	438	but protocols except of TCP, UDP and ICMP may not be suitable to use with IPsec.
564bc7b7ad27 201043 hgs parents: diff changeset	439	be cautious when using the protocols.
564bc7b7ad27 201043 hgs parents: diff changeset	440	.\"
564bc7b7ad27 201043 hgs parents: diff changeset	441	.Pp
564bc7b7ad27 201043 hgs parents: diff changeset	442	.It Ar policy
564bc7b7ad27 201043 hgs parents: diff changeset	443	.Ar policy
564bc7b7ad27 201043 hgs parents: diff changeset	444	is the one of the following three formats:
564bc7b7ad27 201043 hgs parents: diff changeset	445	.Bd -ragged -offset indent
564bc7b7ad27 201043 hgs parents: diff changeset	446	.It Fl P Ar direction Li discard
564bc7b7ad27 201043 hgs parents: diff changeset	447	.It Fl P Ar direction Li none
564bc7b7ad27 201043 hgs parents: diff changeset	448	.It Xo Fl P Ar direction Li ipsec
564bc7b7ad27 201043 hgs parents: diff changeset	449	.Ar protocol/mode/src-dst/level Op ...
564bc7b7ad27 201043 hgs parents: diff changeset	450	.Xc
564bc7b7ad27 201043 hgs parents: diff changeset	451	.Ed
564bc7b7ad27 201043 hgs parents: diff changeset	452	.Pp
564bc7b7ad27 201043 hgs parents: diff changeset	453	Specify the direction of its policy as
564bc7b7ad27 201043 hgs parents: diff changeset	454	.Ar direction .
564bc7b7ad27 201043 hgs parents: diff changeset	455	Either
564bc7b7ad27 201043 hgs parents: diff changeset	456	.Li out
564bc7b7ad27 201043 hgs parents: diff changeset	457	or
564bc7b7ad27 201043 hgs parents: diff changeset	458	.Li in
564bc7b7ad27 201043 hgs parents: diff changeset	459	are used.
564bc7b7ad27 201043 hgs parents: diff changeset	460	.Li discard
564bc7b7ad27 201043 hgs parents: diff changeset	461	means the packet matching indexes will be discarded.
564bc7b7ad27 201043 hgs parents: diff changeset	462	.Li none
564bc7b7ad27 201043 hgs parents: diff changeset	463	means that IPsec operation will not take place onto the packet.
564bc7b7ad27 201043 hgs parents: diff changeset	464	.Li ipsec
564bc7b7ad27 201043 hgs parents: diff changeset	465	means that IPsec operation will take place onto the packet.
564bc7b7ad27 201043 hgs parents: diff changeset	466	The part of
564bc7b7ad27 201043 hgs parents: diff changeset	467	.Ar protocol/mode/src-dst/level
564bc7b7ad27 201043 hgs parents: diff changeset	468	specifies the rule how to process the packet.
564bc7b7ad27 201043 hgs parents: diff changeset	469	Either
564bc7b7ad27 201043 hgs parents: diff changeset	470	.Li ah ,
564bc7b7ad27 201043 hgs parents: diff changeset	471	.Li esp
564bc7b7ad27 201043 hgs parents: diff changeset	472	or
564bc7b7ad27 201043 hgs parents: diff changeset	473	.Li ipcomp
564bc7b7ad27 201043 hgs parents: diff changeset	474	is to be set as
564bc7b7ad27 201043 hgs parents: diff changeset	475	.Ar protocol .
564bc7b7ad27 201043 hgs parents: diff changeset	476	.Ar mode
564bc7b7ad27 201043 hgs parents: diff changeset	477	is either
564bc7b7ad27 201043 hgs parents: diff changeset	478	.Li transport
564bc7b7ad27 201043 hgs parents: diff changeset	479	or
564bc7b7ad27 201043 hgs parents: diff changeset	480	.Li tunnel .
564bc7b7ad27 201043 hgs parents: diff changeset	481	If
564bc7b7ad27 201043 hgs parents: diff changeset	482	.Ar mode
564bc7b7ad27 201043 hgs parents: diff changeset	483	is
564bc7b7ad27 201043 hgs parents: diff changeset	484	.Li tunnel ,
564bc7b7ad27 201043 hgs parents: diff changeset	485	specify the end-points addresses of the SA as
564bc7b7ad27 201043 hgs parents: diff changeset	486	.Ar src
564bc7b7ad27 201043 hgs parents: diff changeset	487	and
564bc7b7ad27 201043 hgs parents: diff changeset	488	.Ar dst
564bc7b7ad27 201043 hgs parents: diff changeset	489	with
564bc7b7ad27 201043 hgs parents: diff changeset	490	.Sq -
564bc7b7ad27 201043 hgs parents: diff changeset	491	between these addresses which is used to specify the SA to use.
564bc7b7ad27 201043 hgs parents: diff changeset	492	If
564bc7b7ad27 201043 hgs parents: diff changeset	493	.Ar mode
564bc7b7ad27 201043 hgs parents: diff changeset	494	is
564bc7b7ad27 201043 hgs parents: diff changeset	495	.Li transport ,
564bc7b7ad27 201043 hgs parents: diff changeset	496	both
564bc7b7ad27 201043 hgs parents: diff changeset	497	.Ar src
564bc7b7ad27 201043 hgs parents: diff changeset	498	and
564bc7b7ad27 201043 hgs parents: diff changeset	499	.Ar dst
564bc7b7ad27 201043 hgs parents: diff changeset	500	can be omitted.
564bc7b7ad27 201043 hgs parents: diff changeset	501	.Ar level
564bc7b7ad27 201043 hgs parents: diff changeset	502	is to be one of the following:
564bc7b7ad27 201043 hgs parents: diff changeset	503	.Li default , use , require
564bc7b7ad27 201043 hgs parents: diff changeset	504	or
564bc7b7ad27 201043 hgs parents: diff changeset	505	.Li unique .
564bc7b7ad27 201043 hgs parents: diff changeset	506	If the SA is not available in every level, the kernel will request
564bc7b7ad27 201043 hgs parents: diff changeset	507	getting SA to the key exchange daemon.
564bc7b7ad27 201043 hgs parents: diff changeset	508	.Li default
564bc7b7ad27 201043 hgs parents: diff changeset	509	means the kernel consults to the system wide default against the specified protocol
564bc7b7ad27 201043 hgs parents: diff changeset	510	, for example,
564bc7b7ad27 201043 hgs parents: diff changeset	511	.Li esp_trans_deflev
564bc7b7ad27 201043 hgs parents: diff changeset	512	sysctl variable, when the kernel processes the packet.
564bc7b7ad27 201043 hgs parents: diff changeset	513	.Li use
564bc7b7ad27 201043 hgs parents: diff changeset	514	means that the kernel use a SA if it is available,
564bc7b7ad27 201043 hgs parents: diff changeset	515	otherwise the kernel keeps normal operation.
564bc7b7ad27 201043 hgs parents: diff changeset	516	.Li require
564bc7b7ad27 201043 hgs parents: diff changeset	517	means SA is required whenever the kernel sends a packet matched
564bc7b7ad27 201043 hgs parents: diff changeset	518	with the policy.
564bc7b7ad27 201043 hgs parents: diff changeset	519	.Li unique
564bc7b7ad27 201043 hgs parents: diff changeset	520	is the same to require.
564bc7b7ad27 201043 hgs parents: diff changeset	521	In addition, it allows the policy to bind with the unique out-bound SA.
564bc7b7ad27 201043 hgs parents: diff changeset	522	Specify the policy level
564bc7b7ad27 201043 hgs parents: diff changeset	523	.Li unique ,
564bc7b7ad27 201043 hgs parents: diff changeset	524	.Xr racoon 8
564bc7b7ad27 201043 hgs parents: diff changeset	525	will configure the SA for the policy.
564bc7b7ad27 201043 hgs parents: diff changeset	526	If the SA is configured by manual keying for that policy,
564bc7b7ad27 201043 hgs parents: diff changeset	527	put the decimal number as the policy identifier after
564bc7b7ad27 201043 hgs parents: diff changeset	528	.Li unique
564bc7b7ad27 201043 hgs parents: diff changeset	529	separated by colon
564bc7b7ad27 201043 hgs parents: diff changeset	530	.Ql :\&
564bc7b7ad27 201043 hgs parents: diff changeset	531	like the following;
564bc7b7ad27 201043 hgs parents: diff changeset	532	.Li unique:number .
564bc7b7ad27 201043 hgs parents: diff changeset	533	In order to bind this policy to the SA,
564bc7b7ad27 201043 hgs parents: diff changeset	534	.Li number
564bc7b7ad27 201043 hgs parents: diff changeset	535	must be between 1 and 32767.
564bc7b7ad27 201043 hgs parents: diff changeset	536	It corresponds to
564bc7b7ad27 201043 hgs parents: diff changeset	537	.Ar extensions Fl u
564bc7b7ad27 201043 hgs parents: diff changeset	538	of the manual SA configuration.
564bc7b7ad27 201043 hgs parents: diff changeset	539	In order to use the SA bundle, multiple rules can be defined.
564bc7b7ad27 201043 hgs parents: diff changeset	540	For example, if an IP header was followed by AH header followed by ESP header
564bc7b7ad27 201043 hgs parents: diff changeset	541	followed by an upper layer protocol header, the rule
564bc7b7ad27 201043 hgs parents: diff changeset	542	would be:
564bc7b7ad27 201043 hgs parents: diff changeset	543	.Dl esp/transport//require ah/transport//require ;
564bc7b7ad27 201043 hgs parents: diff changeset	544	The rule order is very important.
564bc7b7ad27 201043 hgs parents: diff changeset	545	.Pp
564bc7b7ad27 201043 hgs parents: diff changeset	546	Note that
564bc7b7ad27 201043 hgs parents: diff changeset	547	.Dq Li discard
564bc7b7ad27 201043 hgs parents: diff changeset	548	and
564bc7b7ad27 201043 hgs parents: diff changeset	549	.Dq Li none
564bc7b7ad27 201043 hgs parents: diff changeset	550	are not in the syntax described in
564bc7b7ad27 201043 hgs parents: diff changeset	551	.Xr ipsec_set_policy 3 .
564bc7b7ad27 201043 hgs parents: diff changeset	552	There are little differences in the syntax.
564bc7b7ad27 201043 hgs parents: diff changeset	553	See
564bc7b7ad27 201043 hgs parents: diff changeset	554	.Xr ipsec_set_policy 3
564bc7b7ad27 201043 hgs parents: diff changeset	555	for detail.
564bc7b7ad27 201043 hgs parents: diff changeset	556	.Pp
564bc7b7ad27 201043 hgs parents: diff changeset	557	.El
564bc7b7ad27 201043 hgs parents: diff changeset	558	.Pp
564bc7b7ad27 201043 hgs parents: diff changeset	559	.\"
564bc7b7ad27 201043 hgs parents: diff changeset	560	.Sh ALGORITHMS
564bc7b7ad27 201043 hgs parents: diff changeset	561	The following list shows the supported algorithms.
564bc7b7ad27 201043 hgs parents: diff changeset	562	.Sy protocol
564bc7b7ad27 201043 hgs parents: diff changeset	563	and
564bc7b7ad27 201043 hgs parents: diff changeset	564	.Sy algorithm
564bc7b7ad27 201043 hgs parents: diff changeset	565	are almost orthogonal.
564bc7b7ad27 201043 hgs parents: diff changeset	566	Followings are the list of authentication algorithms that can be used as
564bc7b7ad27 201043 hgs parents: diff changeset	567	.Ar aalgo
564bc7b7ad27 201043 hgs parents: diff changeset	568	in
564bc7b7ad27 201043 hgs parents: diff changeset	569	.Fl A Ar aalgo
564bc7b7ad27 201043 hgs parents: diff changeset	570	of
564bc7b7ad27 201043 hgs parents: diff changeset	571	.Ar protocol
564bc7b7ad27 201043 hgs parents: diff changeset	572	parameter:
564bc7b7ad27 201043 hgs parents: diff changeset	573	.Pp
564bc7b7ad27 201043 hgs parents: diff changeset	574	.Bd -literal -offset indent
564bc7b7ad27 201043 hgs parents: diff changeset	575	algorithm keylen (bits) comment
564bc7b7ad27 201043 hgs parents: diff changeset	576	hmac-md5 128 ah: rfc2403
564bc7b7ad27 201043 hgs parents: diff changeset	577	128 ah-old: rfc2085
564bc7b7ad27 201043 hgs parents: diff changeset	578	hmac-sha1 160 ah: rfc2404
564bc7b7ad27 201043 hgs parents: diff changeset	579	160 ah-old: 128bit ICV (no document)
564bc7b7ad27 201043 hgs parents: diff changeset	580	keyed-md5 128 ah: 96bit ICV (no document)
564bc7b7ad27 201043 hgs parents: diff changeset	581	128 ah-old: rfc1828
564bc7b7ad27 201043 hgs parents: diff changeset	582	keyed-sha1 160 ah: 96bit ICV (no document)
564bc7b7ad27 201043 hgs parents: diff changeset	583	160 ah-old: 128bit ICV (no document)
564bc7b7ad27 201043 hgs parents: diff changeset	584	null 0 to 2048 for debugging
564bc7b7ad27 201043 hgs parents: diff changeset	585	hmac-sha2-256 256 ah: 96bit ICV
564bc7b7ad27 201043 hgs parents: diff changeset	586	(draft-ietf-ipsec-ciph-sha-256-00)
564bc7b7ad27 201043 hgs parents: diff changeset	587	256 ah-old: 128bit ICV (no document)
564bc7b7ad27 201043 hgs parents: diff changeset	588	hmac-sha2-384 384 ah: 96bit ICV (no document)
564bc7b7ad27 201043 hgs parents: diff changeset	589	384 ah-old: 128bit ICV (no document)
564bc7b7ad27 201043 hgs parents: diff changeset	590	hmac-sha2-512 512 ah: 96bit ICV (no document)
564bc7b7ad27 201043 hgs parents: diff changeset	591	512 ah-old: 128bit ICV (no document)
564bc7b7ad27 201043 hgs parents: diff changeset	592	hmac-ripemd160 160 ah: 96bit ICV (RFC2857)
564bc7b7ad27 201043 hgs parents: diff changeset	593	ah-old: 128bit ICV (no document)
564bc7b7ad27 201043 hgs parents: diff changeset	594	aes-xcbc-mac 128 ah: 96bit ICV (RFC3566)
564bc7b7ad27 201043 hgs parents: diff changeset	595	128 ah-old: 128bit ICV (no document)
564bc7b7ad27 201043 hgs parents: diff changeset	596	tcp-md5 8 to 640 tcp: rfc2385
564bc7b7ad27 201043 hgs parents: diff changeset	597	.Ed
564bc7b7ad27 201043 hgs parents: diff changeset	598	.Pp
564bc7b7ad27 201043 hgs parents: diff changeset	599	Followings are the list of encryption algorithms that can be used as
564bc7b7ad27 201043 hgs parents: diff changeset	600	.Ar ealgo
564bc7b7ad27 201043 hgs parents: diff changeset	601	in
564bc7b7ad27 201043 hgs parents: diff changeset	602	.Fl E Ar ealgo
564bc7b7ad27 201043 hgs parents: diff changeset	603	of
564bc7b7ad27 201043 hgs parents: diff changeset	604	.Ar protocol
564bc7b7ad27 201043 hgs parents: diff changeset	605	parameter:
564bc7b7ad27 201043 hgs parents: diff changeset	606	.Pp
564bc7b7ad27 201043 hgs parents: diff changeset	607	.Bd -literal -offset indent
564bc7b7ad27 201043 hgs parents: diff changeset	608	algorithm keylen (bits) comment
564bc7b7ad27 201043 hgs parents: diff changeset	609	des-cbc 64 esp-old: rfc1829, esp: rfc2405
564bc7b7ad27 201043 hgs parents: diff changeset	610	3des-cbc 192 rfc2451
564bc7b7ad27 201043 hgs parents: diff changeset	611	null 0 to 2048 rfc2410
564bc7b7ad27 201043 hgs parents: diff changeset	612	blowfish-cbc 40 to 448 rfc2451
564bc7b7ad27 201043 hgs parents: diff changeset	613	cast128-cbc 40 to 128 rfc2451
564bc7b7ad27 201043 hgs parents: diff changeset	614	des-deriv 64 ipsec-ciph-des-derived-01
564bc7b7ad27 201043 hgs parents: diff changeset	615	3des-deriv 192 no document
564bc7b7ad27 201043 hgs parents: diff changeset	616	rijndael-cbc 128/192/256 rfc3602
564bc7b7ad27 201043 hgs parents: diff changeset	617	aes-ctr 160/224/288 draft-ietf-ipsec-ciph-aes-ctr-03
564bc7b7ad27 201043 hgs parents: diff changeset	618	.Ed
564bc7b7ad27 201043 hgs parents: diff changeset	619	.Pp
564bc7b7ad27 201043 hgs parents: diff changeset	620	Note that the first 128 bits of a key for
564bc7b7ad27 201043 hgs parents: diff changeset	621	.Li aes-ctr
564bc7b7ad27 201043 hgs parents: diff changeset	622	will be used as AES key, and remaining 32 bits will be used as nonce.
564bc7b7ad27 201043 hgs parents: diff changeset	623	.Pp
564bc7b7ad27 201043 hgs parents: diff changeset	624	Followings are the list of compression algorithms that can be used as
564bc7b7ad27 201043 hgs parents: diff changeset	625	.Ar calgo
564bc7b7ad27 201043 hgs parents: diff changeset	626	in
564bc7b7ad27 201043 hgs parents: diff changeset	627	.Fl C Ar calgo
564bc7b7ad27 201043 hgs parents: diff changeset	628	of
564bc7b7ad27 201043 hgs parents: diff changeset	629	.Ar protocol
564bc7b7ad27 201043 hgs parents: diff changeset	630	parameter:
564bc7b7ad27 201043 hgs parents: diff changeset	631	.Pp
564bc7b7ad27 201043 hgs parents: diff changeset	632	.Bd -literal -offset indent
564bc7b7ad27 201043 hgs parents: diff changeset	633	algorithm comment
564bc7b7ad27 201043 hgs parents: diff changeset	634	deflate rfc2394
564bc7b7ad27 201043 hgs parents: diff changeset	635	.Ed
564bc7b7ad27 201043 hgs parents: diff changeset	636	.\"
564bc7b7ad27 201043 hgs parents: diff changeset	637	.Sh EXIT STATUS
564bc7b7ad27 201043 hgs parents: diff changeset	638	.Ex -std
564bc7b7ad27 201043 hgs parents: diff changeset	639	.\"
564bc7b7ad27 201043 hgs parents: diff changeset	640	.Sh EXAMPLES
564bc7b7ad27 201043 hgs parents: diff changeset	641	.Bd -literal -offset
564bc7b7ad27 201043 hgs parents: diff changeset	642	add 3ffe:501:4819::1 3ffe:501:481d::1 esp 123457
564bc7b7ad27 201043 hgs parents: diff changeset	643	-E des-cbc 0x3ffe05014819ffff ;
564bc7b7ad27 201043 hgs parents: diff changeset	644
564bc7b7ad27 201043 hgs parents: diff changeset	645	add -6 myhost.example.com yourhost.example.com ah 123456
564bc7b7ad27 201043 hgs parents: diff changeset	646	-A hmac-sha1 "AH SA configuration!" ;
564bc7b7ad27 201043 hgs parents: diff changeset	647
564bc7b7ad27 201043 hgs parents: diff changeset	648	add 10.0.11.41 10.0.11.33 esp 0x10001
564bc7b7ad27 201043 hgs parents: diff changeset	649	-E des-cbc 0x3ffe05014819ffff
564bc7b7ad27 201043 hgs parents: diff changeset	650	-A hmac-md5 "authentication!!" ;
564bc7b7ad27 201043 hgs parents: diff changeset	651
564bc7b7ad27 201043 hgs parents: diff changeset	652	get 3ffe:501:4819::1 3ffe:501:481d::1 ah 123456 ;
564bc7b7ad27 201043 hgs parents: diff changeset	653
564bc7b7ad27 201043 hgs parents: diff changeset	654	flush ;
564bc7b7ad27 201043 hgs parents: diff changeset	655
564bc7b7ad27 201043 hgs parents: diff changeset	656	dump esp ;
564bc7b7ad27 201043 hgs parents: diff changeset	657
564bc7b7ad27 201043 hgs parents: diff changeset	658	spdadd 10.0.11.41/32[21] 10.0.11.33/32[any] any
564bc7b7ad27 201043 hgs parents: diff changeset	659	-P out ipsec esp/tunnel/192.168.0.1-192.168.1.2/require ;
564bc7b7ad27 201043 hgs parents: diff changeset	660
564bc7b7ad27 201043 hgs parents: diff changeset	661	add 10.1.10.34 10.1.10.36 tcp 0x1000 -A tcp-md5 "TCP-MD5 BGP secret" ;
564bc7b7ad27 201043 hgs parents: diff changeset	662
564bc7b7ad27 201043 hgs parents: diff changeset	663	.Ed
564bc7b7ad27 201043 hgs parents: diff changeset	664	.\"
564bc7b7ad27 201043 hgs parents: diff changeset	665	.Sh SEE ALSO
564bc7b7ad27 201043 hgs parents: diff changeset	666	.Xr ipsec_set_policy 3 ,
564bc7b7ad27 201043 hgs parents: diff changeset	667	.Xr racoon 8 ,
564bc7b7ad27 201043 hgs parents: diff changeset	668	.Xr sysctl 8
564bc7b7ad27 201043 hgs parents: diff changeset	669	.Rs
564bc7b7ad27 201043 hgs parents: diff changeset	670	.%T "Changed manual key configuration for IPsec"
564bc7b7ad27 201043 hgs parents: diff changeset	671	.%O "http://www.kame.net/newsletter/19991007/"
564bc7b7ad27 201043 hgs parents: diff changeset	672	.%D "October 1999"
564bc7b7ad27 201043 hgs parents: diff changeset	673	.Re
564bc7b7ad27 201043 hgs parents: diff changeset	674	.\"
564bc7b7ad27 201043 hgs parents: diff changeset	675	.Sh HISTORY
564bc7b7ad27 201043 hgs parents: diff changeset	676	The
564bc7b7ad27 201043 hgs parents: diff changeset	677	.Nm
564bc7b7ad27 201043 hgs parents: diff changeset	678	utility first appeared in WIDE Hydrangea IPv6 protocol stack kit.
564bc7b7ad27 201043 hgs parents: diff changeset	679	The utility was completely re-designed in June 1998.
564bc7b7ad27 201043 hgs parents: diff changeset	680	.\"
564bc7b7ad27 201043 hgs parents: diff changeset	681	.Sh BUGS
564bc7b7ad27 201043 hgs parents: diff changeset	682	The
564bc7b7ad27 201043 hgs parents: diff changeset	683	.Nm
564bc7b7ad27 201043 hgs parents: diff changeset	684	utility
564bc7b7ad27 201043 hgs parents: diff changeset	685	should report and handle syntax errors better.
564bc7b7ad27 201043 hgs parents: diff changeset	686	.Pp
564bc7b7ad27 201043 hgs parents: diff changeset	687	For IPsec gateway configuration,
564bc7b7ad27 201043 hgs parents: diff changeset	688	.Ar src_range
564bc7b7ad27 201043 hgs parents: diff changeset	689	and
564bc7b7ad27 201043 hgs parents: diff changeset	690	.Ar dst_range
564bc7b7ad27 201043 hgs parents: diff changeset	691	with TCP/UDP port number do not work, as the gateway does not reassemble
564bc7b7ad27 201043 hgs parents: diff changeset	692	packets
564bc7b7ad27 201043 hgs parents: diff changeset	693	(cannot inspect upper-layer headers).

author	hgs
	Tue, 02 Nov 2010 19:23:22 +0530
changeset 79	564bc7b7ad27
permissions	-rw-r--r--