diff options
author | pjd <pjd@FreeBSD.org> | 2005-10-12 21:40:41 +0000 |
---|---|---|
committer | pjd <pjd@FreeBSD.org> | 2005-10-12 21:40:41 +0000 |
commit | 053665bac90d14585a498ab6f860e11fbdeeeb36 (patch) | |
tree | 1600cb34f9373cf9f3b7a23f20390e0cacf1a3dc /usr.sbin/setkey/setkey.8 | |
parent | 3e107f99141a41b88c5c2b73ebd82591076ea73a (diff) | |
download | FreeBSD-src-053665bac90d14585a498ab6f860e11fbdeeeb36.zip FreeBSD-src-053665bac90d14585a498ab6f860e11fbdeeeb36.tar.gz |
setkey(8) was repo-copied from usr.sbin/ to sbin/.
This will allow for NFS mount of /usr over IPsec.
Discussed on: arch@
Diffstat (limited to 'usr.sbin/setkey/setkey.8')
-rw-r--r-- | usr.sbin/setkey/setkey.8 | 693 |
1 files changed, 0 insertions, 693 deletions
diff --git a/usr.sbin/setkey/setkey.8 b/usr.sbin/setkey/setkey.8 deleted file mode 100644 index 36537c8..0000000 --- a/usr.sbin/setkey/setkey.8 +++ /dev/null @@ -1,693 +0,0 @@ -.\" $KAME: setkey.8,v 1.89 2003/09/07 22:17:41 itojun Exp $ -.\" -.\" Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project. -.\" All rights reserved. -.\" -.\" Redistribution and use in source and binary forms, with or without -.\" modification, are permitted provided that the following conditions -.\" are met: -.\" 1. Redistributions of source code must retain the above copyright -.\" notice, this list of conditions and the following disclaimer. -.\" 2. Redistributions in binary form must reproduce the above copyright -.\" notice, this list of conditions and the following disclaimer in the -.\" documentation and/or other materials provided with the distribution. -.\" 3. Neither the name of the project nor the names of its contributors -.\" may be used to endorse or promote products derived from this software -.\" without specific prior written permission. -.\" -.\" THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND -.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -.\" ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE -.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS -.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT -.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY -.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF -.\" SUCH DAMAGE. -.\" -.\" $FreeBSD$ -.\" -.Dd November 20, 2000 -.Dt SETKEY 8 -.Os -.\" -.Sh NAME -.Nm setkey -.Nd "manually manipulate the IPsec SA/SP database" -.\" -.Sh SYNOPSIS -.Nm -.Op Fl v -.Fl c -.Nm -.Op Fl v -.Fl f Ar filename -.Nm -.Op Fl aPlv -.Fl D -.Nm -.Op Fl Pv -.Fl F -.Nm -.Op Fl h -.Fl x -.\" -.Sh DESCRIPTION -The -.Nm -utility adds, updates, dumps, or flushes -Security Association Database (SAD) entries -as well as Security Policy Database (SPD) entries in the kernel. -.Pp -The -.Nm -utility takes a series of operations from the standard input -(if invoked with -.Fl c ) -or the file named -.Ar filename -(if invoked with -.Fl f Ar filename ) . -.Bl -tag -width indent -.It Fl D -Dump the SAD entries. -If with -.Fl P , -the SPD entries are dumped. -.It Fl F -Flush the SAD entries. -If with -.Fl P , -the SPD entries are flushed. -.It Fl a -The -.Nm -utility -usually does not display dead SAD entries with -.Fl D . -If with -.Fl a , -the dead SAD entries will be displayed as well. -A dead SAD entry means that -it has been expired but remains in the system -because it is referenced by some SPD entries. -.It Fl h -Add hexadecimal dump on -.Fl x -mode. -.It Fl l -Loop forever with short output on -.Fl D . -.It Fl v -Be verbose. -The program will dump messages exchanged on -.Dv PF_KEY -socket, including messages sent from other processes to the kernel. -.It Fl x -Loop forever and dump all the messages transmitted to -.Dv PF_KEY -socket. -.Fl xx -makes each timestamps unformatted. -.El -.Ss Configuration syntax -With -.Fl c -or -.Fl f -on the command line, -.Nm -accepts the following configuration syntax. -Lines starting with hash signs -.Pq Ql # -are treated as comment lines. -.Bl -tag -width indent -.It Xo -.Li add -.Op Fl 46n -.Ar src Ar dst Ar protocol Ar spi -.Op Ar extensions -.Ar algorithm ... -.Li ; -.Xc -Add an SAD entry. -.Li add -can fail with multiple reasons, -including when the key length does not match the specified algorithm. -.\" -.It Xo -.Li get -.Op Fl 46n -.Ar src Ar dst Ar protocol Ar spi -.Li ; -.Xc -Show an SAD entry. -.\" -.It Xo -.Li delete -.Op Fl 46n -.Ar src Ar dst Ar protocol Ar spi -.Li ; -.Xc -Remove an SAD entry. -.\" -.It Xo -.Li deleteall -.Op Fl 46n -.Ar src Ar dst Ar protocol -.Li ; -.Xc -Remove all SAD entries that match the specification. -.\" -.It Xo -.Li flush -.Op Ar protocol -.Li ; -.Xc -Clear all SAD entries matched by the options. -.Fl F -on the command line achieves the same functionality. -.\" -.It Xo -.Li dump -.Op Ar protocol -.Li ; -.Xc -Dumps all SAD entries matched by the options. -.Fl D -on the command line achieves the same functionality. -.\" -.It Xo -.Li spdadd -.Op Fl 46n -.Ar src_range Ar dst_range Ar upperspec Ar policy -.Li ; -.Xc -Add an SPD entry. -.\" -.It Xo -.Li spddelete -.Op Fl 46n -.Ar src_range Ar dst_range Ar upperspec Fl P Ar direction -.Li ; -.Xc -Delete an SPD entry. -.\" -.It Xo -.Li spdflush -.Li ; -.Xc -Clear all SPD entries. -.Fl FP -on the command line achieves the same functionality. -.\" -.It Xo -.Li spddump -.Li ; -.Xc -Dumps all SPD entries. -.Fl DP -on the command line achieves the same functionality. -.El -.\" -.Pp -Meta-arguments are as follows: -.Pp -.Bl -tag -compact -width indent -.It Ar src -.It Ar dst -Source/destination of the secure communication is specified as -IPv4/v6 address. -The -.Nm -utility -can resolve a FQDN into numeric addresses. -If the FQDN resolves into multiple addresses, -.Nm -will install multiple SAD/SPD entries into the kernel -by trying all possible combinations. -.Fl 4 , -.Fl 6 -and -.Fl n -restricts the address resolution of FQDN in certain ways. -.Fl 4 -and -.Fl 6 -restrict results into IPv4/v6 addresses only, respectively. -.Fl n -avoids FQDN resolution and requires addresses to be numeric addresses. -.\" -.Pp -.It Ar protocol -.Ar protocol -is one of following: -.Bl -tag -width Fl -compact -.It Li esp -ESP based on rfc2406 -.It Li esp-old -ESP based on rfc1827 -.It Li ah -AH based on rfc2402 -.It Li ah-old -AH based on rfc1826 -.It Li ipcomp -IPComp -.It Li tcp -TCP-MD5 based on rfc2385 -.El -.\" -.Pp -.It Ar spi -Security Parameter Index -(SPI) -for the SAD and the SPD. -.Ar spi -must be a decimal number, or a hexadecimal number with -.Ql 0x -prefix. -SPI values between 0 and 255 are reserved for future use by IANA -and they cannot be used. -TCP-MD5 associations must use 0x1000 and therefore only have per-host -granularity at this time. -.\" -.Pp -.It Ar extensions -take some of the following: -.Bl -tag -width Fl -compact -.\" -.It Fl m Ar mode -Specify a security protocol mode for use. -.Ar mode -is one of following: -.Li transport , tunnel -or -.Li any . -The default value is -.Li any . -.\" -.It Fl r Ar size -Specify window size of bytes for replay prevention. -.Ar size -must be decimal number in 32-bit word. -If -.Ar size -is zero or not specified, replay check does not take place. -.\" -.It Fl u Ar id -Specify the identifier of the policy entry in SPD. -See -.Ar policy . -.\" -.It Fl f Ar pad_option -defines the content of the ESP padding. -.Ar pad_option -is one of following: -.Bl -tag -width random-pad -compact -.It Li zero-pad -All of the padding are zero. -.It Li random-pad -A series of randomized values are set. -.It Li seq-pad -A series of sequential increasing numbers started from 1 are set. -.El -.\" -.It Fl f Li nocyclic-seq -Do not allow cyclic sequence number. -.\" -.It Fl lh Ar time -.It Fl ls Ar time -Specify hard/soft life time duration of the SA. -.El -.\" -.Pp -.It Ar algorithm -.Bl -tag -width Fl -compact -.It Fl E Ar ealgo Ar key -Specify an encryption algorithm -.Ar ealgo -for ESP. -.It Xo -.Fl E Ar ealgo Ar key -.Fl A Ar aalgo Ar key -.Xc -Specify a encryption algorithm -.Ar ealgo , -as well as a payload authentication algorithm -.Ar aalgo , -for ESP. -.It Fl A Ar aalgo Ar key -Specify an authentication algorithm for AH. -.It Fl C Ar calgo Op Fl R -Specify a compression algorithm for IPComp. -If -.Fl R -is specified, -.Ar spi -field value will be used as the IPComp CPI -(compression parameter index) -on wire as is. -If -.Fl R -is not specified, -the kernel will use well-known CPI on wire, and -.Ar spi -field will be used only as an index for kernel internal usage. -.El -.Pp -.Ar key -must be double-quoted character string, or a series of hexadecimal digits -preceded by -.Ql 0x . -.Pp -Possible values for -.Ar ealgo , -.Ar aalgo -and -.Ar calgo -are specified in separate section. -.\" -.Pp -.It Ar src_range -.It Ar dst_range -These are selections of the secure communication specified as -IPv4/v6 address or IPv4/v6 address range, and it may accompany -TCP/UDP port specification. -This takes the following form: -.Bd -unfilled -.Ar address -.Ar address/prefixlen -.Ar address[port] -.Ar address/prefixlen[port] -.Ed -.Pp -.Ar prefixlen -and -.Ar port -must be decimal number. -The square bracket around -.Ar port -is really necessary. -They are not manpage metacharacters. -For FQDN resolution, the rules applicable to -.Ar src -and -.Ar dst -apply here as well. -.\" -.Pp -.It Ar upperspec -Upper-layer protocol to be used. -You can use one of words in -.Pa /etc/protocols -as -.Ar upperspec . -Or -.Li icmp6 , -.Li ip4 , -and -.Li any -can be specified. -.Li any -stands for -.Dq any protocol . -Also you can use the protocol number. -You can specify a type and/or a code of ICMPv6 when -upper-layer protocol is ICMPv6. -The specification can be placed after -.Li icmp6 . -A type is separated with a code by single comma. -A code must be specified anytime. -When a zero is specified, the kernel deals with it as a wildcard. -Note that the kernel cannot distinguish a wildcard from that a type -of ICMPv6 is zero. -For example, the following means the policy does not require IPsec -for any inbound Neighbor Solicitation: -.Pp -.Dl "spdadd ::/0 ::/0 icmp6 135,0 -P in none;" -.Pp -NOTE: -.Ar upperspec -does not work against forwarding case at this moment, -as it requires extra reassembly at forwarding node -(not implemented at this moment). -We have many protocols in -.Pa /etc/protocols , -but protocols except of TCP, UDP and ICMP may not be suitable to use with IPsec. -You have to consider and be careful to use them. -.\" -.Pp -.It Ar policy -.Ar policy -is the one of the following three formats: -.Bd -ragged -offset indent -.It Fl P Ar direction Li discard -.It Fl P Ar direction Li none -.It Xo Fl P Ar direction Li ipsec -.Ar protocol/mode/src-dst/level Op ... -.Xc -.Ed -.Pp -You must specify the direction of its policy as -.Ar direction . -Either -.Li out -or -.Li in -are used. -.Li discard -means the packet matching indexes will be discarded. -.Li none -means that IPsec operation will not take place onto the packet. -.Li ipsec -means that IPsec operation will take place onto the packet. -The part of -.Ar protocol/mode/src-dst/level -specifies the rule how to process the packet. -Either -.Li ah , -.Li esp -or -.Li ipcomp -is to be set as -.Ar protocol . -.Ar mode -is either -.Li transport -or -.Li tunnel . -If -.Ar mode -is -.Li tunnel , -you must specify the end-points addresses of the SA as -.Ar src -and -.Ar dst -with -.Sq - -between these addresses which is used to specify the SA to use. -If -.Ar mode -is -.Li transport , -both -.Ar src -and -.Ar dst -can be omitted. -.Ar level -is to be one of the following: -.Li default , use , require -or -.Li unique . -If the SA is not available in every level, the kernel will request -getting SA to the key exchange daemon. -.Li default -means the kernel consults to the system wide default against protocol you -specified, e.g., -.Li esp_trans_deflev -sysctl variable, when the kernel processes the packet. -.Li use -means that the kernel use a SA if it is available, -otherwise the kernel keeps normal operation. -.Li require -means SA is required whenever the kernel sends a packet matched -with the policy. -.Li unique -is the same to require. -In addition, it allows the policy to bind with the unique out-bound SA. -You just specify the policy level -.Li unique , -.Xr racoon 8 -will configure the SA for the policy. -If you configure the SA by manual keying for that policy, -you can put the decimal number as the policy identifier after -.Li unique -separated by colon -.Ql :\& -like the following; -.Li unique:number . -In order to bind this policy to the SA, -.Li number -must be between 1 and 32767. -It corresponds to -.Ar extensions Fl u -of the manual SA configuration. -When you want to use SA bundle, you can define multiple rules. -For example, if an IP header was followed by AH header followed by ESP header -followed by an upper layer protocol header, the rule -would be: -.Dl esp/transport//require ah/transport//require ; -The rule order is very important. -.Pp -Note that -.Dq Li discard -and -.Dq Li none -are not in the syntax described in -.Xr ipsec_set_policy 3 . -There are little differences in the syntax. -See -.Xr ipsec_set_policy 3 -for detail. -.Pp -.El -.Pp -.\" -.Sh ALGORITHMS -The following list shows the supported algorithms. -.Sy protocol -and -.Sy algorithm -are almost orthogonal. -Followings are the list of authentication algorithms that can be used as -.Ar aalgo -in -.Fl A Ar aalgo -of -.Ar protocol -parameter: -.Pp -.Bd -literal -offset indent -algorithm keylen (bits) comment -hmac-md5 128 ah: rfc2403 - 128 ah-old: rfc2085 -hmac-sha1 160 ah: rfc2404 - 160 ah-old: 128bit ICV (no document) -keyed-md5 128 ah: 96bit ICV (no document) - 128 ah-old: rfc1828 -keyed-sha1 160 ah: 96bit ICV (no document) - 160 ah-old: 128bit ICV (no document) -null 0 to 2048 for debugging -hmac-sha2-256 256 ah: 96bit ICV - (draft-ietf-ipsec-ciph-sha-256-00) - 256 ah-old: 128bit ICV (no document) -hmac-sha2-384 384 ah: 96bit ICV (no document) - 384 ah-old: 128bit ICV (no document) -hmac-sha2-512 512 ah: 96bit ICV (no document) - 512 ah-old: 128bit ICV (no document) -hmac-ripemd160 160 ah: 96bit ICV (RFC2857) - ah-old: 128bit ICV (no document) -aes-xcbc-mac 128 ah: 96bit ICV (RFC3566) - 128 ah-old: 128bit ICV (no document) -tcp-md5 8 to 640 tcp: rfc2385 -.Ed -.Pp -Followings are the list of encryption algorithms that can be used as -.Ar ealgo -in -.Fl E Ar ealgo -of -.Ar protocol -parameter: -.Pp -.Bd -literal -offset indent -algorithm keylen (bits) comment -des-cbc 64 esp-old: rfc1829, esp: rfc2405 -3des-cbc 192 rfc2451 -null 0 to 2048 rfc2410 -blowfish-cbc 40 to 448 rfc2451 -cast128-cbc 40 to 128 rfc2451 -des-deriv 64 ipsec-ciph-des-derived-01 -3des-deriv 192 no document -rijndael-cbc 128/192/256 rfc3602 -aes-ctr 160/224/288 draft-ietf-ipsec-ciph-aes-ctr-03 -.Ed -.Pp -Note that the first 128 bits of a key for -.Li aes-ctr -will be used as AES key, and remaining 32 bits will be used as nonce. -.Pp -Followings are the list of compression algorithms that can be used as -.Ar calgo -in -.Fl C Ar calgo -of -.Ar protocol -parameter: -.Pp -.Bd -literal -offset indent -algorithm comment -deflate rfc2394 -.Ed -.\" -.Sh EXIT STATUS -.Ex -std -.\" -.Sh EXAMPLES -.Bd -literal -offset -add 3ffe:501:4819::1 3ffe:501:481d::1 esp 123457 - -E des-cbc 0x3ffe05014819ffff ; - -add -6 myhost.example.com yourhost.example.com ah 123456 - -A hmac-sha1 "AH SA configuration!" ; - -add 10.0.11.41 10.0.11.33 esp 0x10001 - -E des-cbc 0x3ffe05014819ffff - -A hmac-md5 "authentication!!" ; - -get 3ffe:501:4819::1 3ffe:501:481d::1 ah 123456 ; - -flush ; - -dump esp ; - -spdadd 10.0.11.41/32[21] 10.0.11.33/32[any] any - -P out ipsec esp/tunnel/192.168.0.1-192.168.1.2/require ; - -add 10.1.10.34 10.1.10.36 tcp 0x1000 -A tcp-md5 "TCP-MD5 BGP secret" ; - -.Ed -.\" -.Sh SEE ALSO -.Xr ipsec_set_policy 3 , -.Xr racoon 8 , -.Xr sysctl 8 -.Rs -.%T "Changed manual key configuration for IPsec" -.%O "http://www.kame.net/newsletter/19991007/" -.%D "October 1999" -.Re -.\" -.Sh HISTORY -The -.Nm -utility first appeared in WIDE Hydrangea IPv6 protocol stack kit. -The utility was completely re-designed in June 1998. -.\" -.Sh BUGS -The -.Nm -utility -should report and handle syntax errors better. -.Pp -For IPsec gateway configuration, -.Ar src_range -and -.Ar dst_range -with TCP/UDP port number do not work, as the gateway does not reassemble -packets -(cannot inspect upper-layer headers). |