.\" ELWIX embedaddon/ipsec-tools/src/setkey/setkey.8 (CVS revision 1.1, misho)
.\" $NetBSD: setkey.8,v 1.26 2010/12/03 14:32:52 tteras Exp $
.\"
.\" Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\" 3. Neither the name of the project nor the names of its contributors
.\"    may be used to endorse or promote products derived from this software
.\"    without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.Dd June 4, 2010
.Dt SETKEY 8
.Os
.\"
.Sh NAME
.Nm setkey
.Nd manually manipulate the IPsec SA/SP database
.\"
.Sh SYNOPSIS
.Nm setkey
.Op Fl knrv
.Ar file ...
.Nm setkey
.Op Fl knrv
.Fl c
.Nm setkey
.Op Fl krv
.Fl f Ar filename
.Nm setkey
.Op Fl aklPrv
.Fl D
.Nm setkey
.Op Fl Pvp
.Fl F
.Nm setkey
.Op Fl H
.Fl x
.Nm setkey
.Op Fl ?V
.\"
.Sh DESCRIPTION
.Nm
adds, updates, dumps, or flushes
Security Association Database (SAD) entries
as well as Security Policy Database (SPD) entries in the kernel.
.Pp
.Nm
takes a series of operations from standard input
.Po
if invoked with
.Fl c
.Pc
or the file named
.Ar filename
.Po
if invoked with
.Fl f Ar filename
.Pc .
.Bl -tag -width Ds
.It (no flag)
Dump the SAD entries or SPD entries contained in the specified
.Ar file .
.It Fl ?
Print short help.
.It Fl a
.Nm
usually does not display dead SAD entries with
.Fl D .
If
.Fl a
is also specified, the dead SAD entries will be displayed as well.
A dead SAD entry is one that has expired but remains in the
system because it is referenced by some SPD entries.
.It Fl D
Dump the SAD entries.
If
.Fl P
is also specified, the SPD entries are dumped.
If
.Fl p
is specified, the ports are displayed.
.It Fl F
Flush the SAD entries.
If
.Fl P
is also specified, the SPD entries are flushed.
.It Fl H
Add hexadecimal dump in
.Fl x
mode.
.It Fl h
On
.Nx ,
synonym for
.Fl H .
On other systems, synonym for
.Fl ? .
.It Fl k
Use semantics used in kernel.
Available only in Linux.
See also
.Fl r .
.It Fl l
Loop forever with short output on
.Fl D .
.It Fl n
No action.
The program will check the validity of the input, but no changes to
the SAD or SPD will be made.
.It Fl r
Use semantics described in IPsec RFCs.
This mode is the default.
For details see section
.Sx RFC vs Linux kernel semantics .
Available only in Linux.
See also
.Fl k .
.It Fl x
Loop forever and dump all the messages transmitted to the
.Dv PF_KEY
socket.
.Fl xx
prints the unformatted timestamps.
Note that SADB_ADD and SADB_UPDATE messages carry the key material of
the SA, so this output is as sensitive as the key configuration itself.
.It Fl V
Print version string.
.It Fl v
Be verbose.
The program will dump messages exchanged on the
.Dv PF_KEY
socket, including messages sent from other processes to the kernel.
The same caveat about key material as for
.Fl x
applies.
.El
.Ss Configuration syntax
With
.Fl c
or
.Fl f
on the command line,
.Nm
accepts the following configuration syntax.
Lines starting with hash signs
.Pq Sq #
are treated as comment lines.
.Bl -tag -width Ds
.It Li add Oo Fl 46n Oc Ar src Ar dst Ar protocol Ar spi \
Oo Ar extensions Oc Ar algorithm ... Li ;
Add an SAD entry.
.Li add
can fail for multiple reasons, including when the key length does
not match the specified algorithm
.Po
see the
.Sx Algorithms
section for the lengths each algorithm accepts
.Pc .
.\"
.It Li get Oo Fl 46n Oc Ar src Ar dst Ar protocol Ar spi Li ;
Show an SAD entry.
.\"
.It Li delete Oo Fl 46n Oc Ar src Ar dst Ar protocol Ar spi Li ;
Remove an SAD entry.
.\"
.It Li deleteall Oo Fl 46n Oc Ar src Ar dst Ar protocol Li ;
Remove all SAD entries that match the specification.
.\"
.It Li flush Oo Ar protocol Oc Li ;
Clear all SAD entries matched by the options.
.Fl F
on the command line achieves the same functionality.
.\"
.It Li dump Oo Ar protocol Oc Li ;
Dump all SAD entries matched by the options.
.Fl D
on the command line achieves the same functionality.
.\"
.It Li spdadd Oo Fl 46n Oc Ar src_range Ar dst_range Ar upperspec \
Ar label Ar policy Li ;
Add an SPD entry.
.\"
.It Li spdadd tagged Ar tag Ar policy Li ;
Add an SPD entry based on a PF tag.
.Ar tag
must be a string surrounded by double quotes.
.\"
.It Li spdupdate Oo Fl 46n Oc Ar src_range Ar dst_range Ar upperspec \
Ar label Ar policy Li ;
Update an SPD entry.
.\"
.It Li spdupdate tagged Ar tag Ar policy Li ;
Update an SPD entry based on a PF tag.
.Ar tag
must be a string surrounded by double quotes.
.\"
.It Li spddelete Oo Fl 46n Oc Ar src_range Ar dst_range Ar upperspec \
Fl P Ar direction Li ;
Delete an SPD entry.
.\"
.It Li spdflush Li ;
Clear all SPD entries.
.Fl FP
on the command line achieves the same functionality.
.\"
.It Li spddump Li ;
Dump all SPD entries.
.Fl DP
on the command line achieves the same functionality.
.El
.\"
.Pp
Meta-arguments are as follows:
.Pp
.Bl -tag -compact -width Ds
.It Ar src
.It Ar dst
Source/destination of the secure communication is specified as
an IPv4/v6 address, and an optional port number between square
brackets.
.Nm
can resolve an FQDN into numeric addresses.
If the FQDN resolves into multiple addresses,
.Nm
will install multiple SAD/SPD entries into the kernel
by trying all possible combinations.
.Fl 4 ,
.Fl 6 ,
and
.Fl n
restrict the address resolution of FQDN in certain ways.
.Fl 4
and
.Fl 6
restrict results into IPv4/v6 addresses only, respectively.
.Fl n
avoids FQDN resolution and requires addresses to be numeric addresses.
Because the installed entries follow whatever the resolver returns,
prefer numeric addresses
.Pq or Fl n
in production configurations, so that a changed or spoofed DNS answer
cannot alter which traffic is protected.
.\"
.Pp
.It Ar protocol
.Ar protocol
is one of the following:
.Bl -tag -width Fl -compact
.It Li esp
ESP based on rfc2406
.It Li esp-old
ESP based on rfc1827
.It Li ah
AH based on rfc2402
.It Li ah-old
AH based on rfc1826
.It Li ipcomp
IPComp
.It Li tcp
TCP-MD5 based on rfc2385
.El
.\"
.Pp
.It Ar spi
Security Parameter Index
.Pq SPI
for the SAD and the SPD.
.Ar spi
must be a decimal number, or a hexadecimal number with a
.Dq Li 0x
prefix.
SPI values between 0 and 255 are reserved for future use by IANA
and cannot be used.
TCP-MD5 associations must use 0x1000 and therefore only have per-host
granularity at this time.
.\"
.Pp
.It Ar extensions
take some of the following:
.Bl -tag -width Fl -compact
.\"
.It Fl m Ar mode
Specify a security protocol mode for use.
.Ar mode
is one of the following:
.Li transport , tunnel ,
or
.Li any .
The default value is
.Li any .
.\"
.It Fl r Ar size
Specify the window size for replay prevention.
.Ar size
must be a decimal number that fits in a 32-bit word.
If
.Ar size
is zero or not specified, no replay check is performed and
replayed packets are accepted.
.\"
.It Fl u Ar id
Specify the identifier of the policy entry in the SPD.
See
.Ar policy .
.\"
.It Fl f Ar pad_option
defines the content of the ESP padding.
.Ar pad_option
is one of the following:
.Bl -tag -width random-pad -compact
.It Li zero-pad
All the padding bytes are zero.
.It Li random-pad
A series of randomized values is used.
.It Li seq-pad
A series of sequentially increasing numbers starting from 1 is used.
.El
.\"
.It Fl f Li nocyclic-seq
Do not allow the sequence number to wrap.
When the outbound sequence counter reaches its maximum, the SA is
treated as expired instead of restarting from zero; a wrapped counter
would let old packets pass the replay check.
.\"
.It Fl lh Ar time
.It Fl ls Ar time
Specify hard/soft life time duration of the SA measured in seconds.
.\"
.It Fl bh Ar bytes
.It Fl bs Ar bytes
Specify hard/soft life time duration of the SA measured in bytes transported.
.\"
.It Fl ctx Ar doi Ar algorithm Ar context-name
Specify an access control label.
The access control label is interpreted by the LSM (e.g., SELinux).
Ultimately, it enables MAC on network communications.
.Bl -tag -width Fl -compact
.It Ar doi
The domain of interpretation, which is used by the
IKE daemon to identify the domain in which negotiation takes place.
.It Ar algorithm
Indicates the LSM for which the label is generated (e.g., SELinux).
.It Ar context-name
The string representation of the label that is interpreted by the LSM.
.El
.El
.\"
.Pp
.It Ar algorithm
.Bl -tag -width Fl -compact
.It Fl E Ar ealgo Ar key
Specify an encryption algorithm
.Ar ealgo
for ESP.
ESP with encryption but no authentication algorithm provides no
integrity protection and is open to ciphertext manipulation;
use this form only together with
.Fl A
as in the next item.
.It Fl E Ar ealgo Ar key Fl A Ar aalgo Ar key
Specify an encryption algorithm
.Ar ealgo ,
as well as a payload authentication algorithm
.Ar aalgo ,
for ESP.
.It Fl A Ar aalgo Ar key
Specify an authentication algorithm for AH.
.It Fl C Ar calgo Op Fl R
Specify a compression algorithm for IPComp.
If
.Fl R
is specified, the
.Ar spi
field value will be used as the IPComp CPI
.Pq compression parameter index
on the wire as-is.
If
.Fl R
is not specified,
the kernel will use a well-known CPI on the wire, and the
.Ar spi
field will be used only as an index for kernel internal usage.
.El
.Pp
.Ar key
must be a double-quoted character string, or a series of hexadecimal
digits preceded by
.Dq Li 0x .
A quoted string is convenient for examples but has low entropy;
keys for real SAs should be random bytes of exactly the length the
algorithm requires, given in hexadecimal.
.Pp
Possible values for
.Ar ealgo ,
.Ar aalgo ,
and
.Ar calgo
are specified in the
.Sx Algorithms
section.
.\"
.Pp
.It Ar src_range
.It Ar dst_range
These select the communications that should be secured by IPsec.
They can be an IPv4/v6 address or an IPv4/v6 address range, and
may be accompanied by a TCP/UDP port specification.
This takes the following form:
.Bd -literal -offset
.Ar address
.Ar address/prefixlen
.Ar address[port]
.Ar address/prefixlen[port]
.Ed
.Pp
.Ar prefixlen
and
.Ar port
must be decimal numbers.
The square brackets around
.Ar port
are really necessary,
they are not man page meta-characters.
For FQDN resolution, the rules applicable to
.Ar src
and
.Ar dst
apply here as well.
.\"
.Pp
.It Ar upperspec
Upper-layer protocol to be used.
You can use one of the words in
.Pa /etc/protocols
as
.Ar upperspec ,
or
.Li icmp6 ,
.Li ip4 ,
.Li gre ,
or
.Li any .
.Li any
stands for
.Dq any protocol .
You can also use the protocol number.
Additional specification can be placed after the protocol name for
some protocols.
You can specify a type and/or a code of ICMP or ICMPv6.
The type is separated from the code by a single comma, and the code must
always be specified.
A GRE key can be specified in dotted-quad format or as a plain number.
When a zero is specified, the kernel treats it as a wildcard.
Note that the kernel cannot distinguish a wildcard from an ICMPv6
type of zero.
.Pp
For example, the following means that the policy doesn't require IPsec
for any inbound Neighbor Solicitation.
.Dl spdadd ::/0 ::/0 icmp6 135,0 -P in none ;
.Pp
A second example, requiring transport mode encryption of a specific
GRE tunnel (the direction is mandatory, as for every
.Ar policy ) :
.Dl spdadd 0.0.0.0 0.0.0.0 gre 1234 -P out ipsec esp/transport//require ;
.Pp
.Em Note :
.Ar upperspec
does not work for the forwarding case at this moment,
as it requires extra reassembly at the forwarding node
.Pq not implemented at this moment .
There are many protocols in
.Pa /etc/protocols ,
but protocols other than TCP, UDP, GRE, and ICMP may not be suitable
for use with IPsec.
You have to consider carefully what to use.
.\"
.Pp
.It Ar label
.Ar label
is the access control label for the policy.
This label is interpreted by the LSM (e.g., SELinux).
Ultimately, it enables MAC on network communications.
When a policy contains an access control label, SAs
negotiated with this policy will contain the label.
Its format:
.Bl -tag -width Fl -compact
.\"
.It Fl ctx Ar doi Ar algorithm Ar context-name
.Bl -tag -width Fl -compact
.It Ar doi
The domain of interpretation, which is used by the
IKE daemon to identify the domain in which negotiation takes place.
.It Ar algorithm
Indicates the LSM for which the label is generated (e.g., SELinux).
.It Ar context-name
The string representation of the label that is interpreted by the LSM.
.El
.El
.\"
.Pp
.It Ar policy
.Ar policy
is in one of the following three formats:
.Bl -item -compact
.It
.Fl P Ar direction [priority specification] Li discard
.It
.Fl P Ar direction [priority specification] Li none
.It
.Fl P Ar direction [priority specification] Li ipsec
.Ar protocol/mode/src-dst/level Op ...
.El
.Pp
You must specify the direction of the policy as
.Ar direction .
Either
.Ar out ,
.Ar in ,
or
.Ar fwd
can be used.
.Pp
.Ar priority specification
is used to control the placement of the policy within the SPD.
Policy position is determined by
a signed integer where higher priorities indicate the policy is placed
closer to the beginning of the list and lower priorities indicate the
policy is placed closer to the end of the list.
Policies with equal priorities are added at the end of groups
of such policies.
.Pp
Priority can only
be specified when setkey has been compiled against kernel headers that
support policy priorities (Linux \*[Gt]= 2.6.6).
If the kernel does not support priorities, a warning message will
be printed the first time a priority specification is used.
Policy priority takes one of the following formats:
.Bl -tag -width "discard"
.It Ar {priority,prio} offset
.Ar offset
is an integer in the range from \-2147483647 to 2147483648.
.It Ar {priority,prio} base {+,\-} offset
.Ar base
is either
.Li low (\-1073741824) ,
.Li def (0) ,
or
.Li high (1073741824)
.Pp
.Ar offset
is an unsigned integer.
It can be up to 1073741824 for
positive offsets, and up to 1073741823 for negative offsets.
.El
.Pp
.Li discard
means that packets matching the indexes will be discarded.
.Li none
means that no IPsec operation will take place on the packet.
.Li ipsec
means that an IPsec operation will take place on the packet.
.Pp
The
.Ar protocol/mode/src-dst/level
part specifies the rule for how to process the packet.
Either
.Li ah ,
.Li esp ,
or
.Li ipcomp
must be used as
.Ar protocol .
.Ar mode
is either
.Li transport
or
.Li tunnel .
If
.Ar mode
is
.Li tunnel ,
you must specify the end-point addresses of the SA as
.Ar src
and
.Ar dst
with
.Sq -
between these addresses, which is used to specify the SA to use.
If
.Ar mode
is
.Li transport ,
both
.Ar src
and
.Ar dst
can be omitted.
.Ar level
must be one of the following:
.Li default , use , require ,
or
.Li unique .
Whatever the level, if no suitable SA is available the kernel will
ask the key exchange daemon to establish one.
.Li default
means the kernel consults the system wide default for the protocol
you specified, e.g. the
.Li esp_trans_deflev
sysctl variable, when the kernel processes the packet.
.Li use
means that the kernel uses an SA if one is available,
otherwise the kernel keeps normal operation
.Pq the packet is sent in the clear .
.Li require
means an SA is required whenever the kernel sends a packet matched
by the policy.
.Li unique
is the same as
.Li require ;
in addition, it allows the policy to match the unique out-bound SA.
If you just specify the policy level
.Li unique ,
.Xr racoon 8
will configure the SA for the policy.
If you configure the SA by manual keying for that policy,
you can put a decimal number as the policy identifier after
.Li unique
separated by a colon
.Sq \&:
like:
.Li unique:number
in order to bind this policy to the SA.
.Li number
must be between 1 and 32767.
It corresponds to
.Ar extensions Fl u
of the manual SA configuration.
When you want to use an SA bundle, you can define multiple rules.
For example, if an IP header was followed by an AH header followed
by an ESP header followed by an upper layer protocol header, the
rule would be:
.Dl esp/transport//require ah/transport//require ;
The rule order is very important.
.Pp
When NAT-T is enabled in the kernel, policy matching for ESP over
UDP packets may be done on endpoint addresses and port
(this depends on the system; systems that do not perform the port
check cannot support multiple endpoints behind the same NAT).
When using ESP over UDP, you can specify port numbers in the endpoint
addresses to get the correct matching.
Here is an example:
.Bd -literal -offset
spdadd 10.0.11.0/24[any] 10.0.11.33/32[any] any \-P out ipsec
	esp/tunnel/192.168.0.1[4500]-192.168.1.2[30000]/require ;

.Ed
These ports must be left unspecified (which defaults to 0) for
anything other than ESP over UDP.
They can be displayed in an SPD dump using
.Nm
.Fl DPp .
.Pp
Note that
.Dq Li discard
and
.Dq Li none
are not in the syntax described in
.Xr ipsec_set_policy 3 .
There are a few differences in the syntax.
See
.Xr ipsec_set_policy 3
for detail.
.El
.\"
.Ss Algorithms
The following list shows the supported algorithms.
.Sy protocol
and
.Sy algorithm
are almost orthogonal.
These authentication algorithms can be used as
.Ar aalgo
in
.Fl A Ar aalgo
of the
.Ar protocol
parameter:
.Pp
.Bd -literal -offset indent
algorithm       keylen (bits)
hmac-md5        128             ah: rfc2403
                128             ah-old: rfc2085
hmac-sha1       160             ah: rfc2404
                160             ah-old: 128bit ICV (no document)
keyed-md5       128             ah: 96bit ICV (no document)
                128             ah-old: rfc1828
keyed-sha1      160             ah: 96bit ICV (no document)
                160             ah-old: 128bit ICV (no document)
null            0 to 2048       for debugging
hmac-sha256     256             ah: 96bit ICV
                                (draft-ietf-ipsec-ciph-sha-256-00)
                256             ah-old: 128bit ICV (no document)
hmac-sha384     384             ah: 96bit ICV (no document)
                384             ah-old: 128bit ICV (no document)
hmac-sha512     512             ah: 96bit ICV (no document)
                512             ah-old: 128bit ICV (no document)
hmac-ripemd160  160             ah: 96bit ICV (RFC2857)
                                ah-old: 128bit ICV (no document)
aes-xcbc-mac    128             ah: 96bit ICV (RFC3566)
                128             ah-old: 128bit ICV (no document)
tcp-md5         8 to 640        tcp: rfc2385
.Ed
.Pp
These encryption algorithms can be used as
.Ar ealgo
in
.Fl E Ar ealgo
of the
.Ar protocol
parameter:
.Pp
.Bd -literal -offset indent
algorithm       keylen (bits)
des-cbc         64              esp-old: rfc1829, esp: rfc2405
3des-cbc        192             rfc2451
null            0 to 2048       rfc2410
blowfish-cbc    40 to 448       rfc2451
cast128-cbc     40 to 128       rfc2451
des-deriv       64              ipsec-ciph-des-derived-01
3des-deriv      192             no document
rijndael-cbc    128/192/256     rfc3602
twofish-cbc     0 to 256        draft-ietf-ipsec-ciph-aes-cbc-01
aes-ctr         160/224/288     draft-ietf-ipsec-ciph-aes-ctr-03
camellia-cbc    128/192/256     rfc4312
.Ed
.Pp
Note that the first 128 bits of a key for
.Li aes-ctr
will be used as the AES key, and the remaining 32 bits will be used as the nonce.
.Pp
Several entries above are kept for compatibility only:
.Li des-cbc
and
.Li des-deriv
use 56-bit keys,
.Li null
provides no confidentiality, and
.Li keyed-md5 ,
.Li keyed-sha1 ,
and
.Li hmac-md5
are no longer recommended.
For new manual configurations prefer
.Li rijndael-cbc
(AES-CBC),
.Li aes-ctr ,
or
.Li camellia-cbc
together with
.Li hmac-sha256
or stronger.
The 96-bit ICV listed for the SHA-2 HMACs follows the early draft;
RFC 4868 specifies 128-, 192- and 256-bit truncation instead, and
the kernel, not
.Nm ,
decides which is used, so check the ICV length against the peer
when interoperating.
.Pp
These compression algorithms can be used as
.Ar calgo
in
.Fl C Ar calgo
of the
.Ar protocol
parameter:
.Pp
.Bd -literal -offset indent
algorithm
deflate         rfc2394
.Ed
.\"
.Ss RFC vs Linux kernel semantics
The Linux kernel uses the
.Ar fwd
policy instead of the
.Ar in
policy for packets that are forwarded through that particular box.
.Pp
In
.Ar kernel
mode,
.Nm
manages and shows policies and SAs exactly as they are stored in the kernel.
.Pp
In
.Ar RFC
mode,
.Nm
.Bl -item
.It
creates
.Ar fwd
policies for every
.Ar in
policy inserted
.It
(not implemented yet) filters out all
.Ar fwd
policies
.El
.Sh RETURN VALUES
The command exits with 0 on success, and non-zero on errors.
.\"
.Sh EXAMPLES
.Bd -literal -offset
add 3ffe:501:4819::1 3ffe:501:481d::1 esp 123457
	\-E des-cbc 0x3ffe05014819ffff ;

add \-6 myhost.example.com yourhost.example.com ah 123456
	\-A hmac-sha1 "AH SA configuration!" ;

add 10.0.11.41 10.0.11.33 esp 0x10001
	\-E des-cbc 0x3ffe05014819ffff
	\-A hmac-md5 "authentication!!" ;

get 3ffe:501:4819::1 3ffe:501:481d::1 ah 123456 ;

flush ;

dump esp ;

spdadd 10.0.11.41/32[21] 10.0.11.33/32[any] any
	\-P out ipsec esp/tunnel/192.168.0.1-192.168.1.2/require ;

add 10.1.10.34 10.1.10.36 tcp 0x1000 \-A tcp-md5 "TCP-MD5 BGP secret" ;

add 10.0.11.41 10.0.11.33 esp 0x10001
	\-ctx 1 1 "system_u:system_r:unconfined_t:SystemLow-SystemHigh"
	\-E des-cbc 0x3ffe05014819ffff;

spdadd 10.0.11.41 10.0.11.33 any
	\-ctx 1 1 "system_u:system_r:unconfined_t:SystemLow-SystemHigh"
	\-P out ipsec esp/transport//require ;
.Ed
.Pp
The examples use
.Li des-cbc ,
.Li hmac-md5 ,
and quoted-string keys only for brevity; see the
.Sx Algorithms
section for the algorithms to prefer in practice.
.\"
.Sh SEE ALSO
.Xr ipsec_set_policy 3 ,
.Xr racoon 8 ,
.Xr sysctl 8
.Rs
.%T "Changed manual key configuration for IPsec"
.%U "http://www.kame.net/newsletter/19991007/"
.%D "October 1999"
.Re
.\"
.Sh HISTORY
The
.Nm
command first appeared in the WIDE Hydrangea IPv6 protocol stack
kit.
The command was completely re-designed in June 1998.
.\"
.Sh BUGS
.Nm
should report and handle syntax errors better.
.Pp
For IPsec gateway configuration,
.Ar src_range
and
.Ar dst_range
with TCP/UDP port numbers do not work, as the gateway does not
reassemble packets
.Pq it cannot inspect upper-layer headers .
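The following POSIX shell script is an added example and is not part of ipsec-tools or of this manual page. It generates a complete manual-keying configuration in the syntax described above for two hosts: one ESP transport-mode SA per direction, each with its own SPI, a random key from /dev/urandom of exactly the length the Algorithms table requires, anti-replay enabled, and an -u identifier that the matching out/in policies reference through level unique:number. Before emitting an add line it applies the checks that would otherwise surface only as a failure of add: the SPI is outside the IANA-reserved 0-255 range, the policy id is within 1..32767, the hex key is well-formed, its bit length matches the algorithm, and -E is never emitted without -A. The function names, the host addresses, the SPI values 0x10001/0x10002 and the algorithm subset in key_bits_ok are the example's own assumptions, not anything the manual page defines.

```shell
#!/bin/sh
# Added example: build and sanity-check a manual-keying setkey(8)
# configuration for two hosts.  Illustrative code, not part of
# ipsec-tools; function names, addresses and SPIs are assumptions.

# Bit length of a 0x-prefixed hexadecimal key in setkey's syntax.
# Prints the length; returns 1 if the key is not well-formed.
hexkey_bits() {
    case "$1" in
        0x*) hex=${1#0x} ;;
        *)   return 1 ;;
    esac
    [ -n "$hex" ] || return 1
    case "$hex" in
        *[!0-9a-fA-F]*) return 1 ;;
    esac
    echo $(( ${#hex} * 4 ))
}

# Key sizes for a subset of the man page's algorithm table.  "add" fails
# when the key length does not match the algorithm; this catches that
# before anything reaches the kernel.  Legacy entries (des-cbc, null,
# keyed-md5, ...) are deliberately absent and therefore rejected.
key_bits_ok() {
    case "$1" in
        rijndael-cbc|camellia-cbc)
            [ "$2" -eq 128 ] || [ "$2" -eq 192 ] || [ "$2" -eq 256 ] ;;
        aes-ctr)  # 128/192/256-bit AES key followed by a 32-bit nonce
            [ "$2" -eq 160 ] || [ "$2" -eq 224 ] || [ "$2" -eq 288 ] ;;
        3des-cbc)     [ "$2" -eq 192 ] ;;
        hmac-sha1)    [ "$2" -eq 160 ] ;;
        hmac-sha256)  [ "$2" -eq 256 ] ;;
        hmac-sha512)  [ "$2" -eq 512 ] ;;
        aes-xcbc-mac) [ "$2" -eq 128 ] ;;
        *)            return 2 ;;
    esac
}

# Random key of the requested bit length from the kernel CSPRNG, in the
# 0x... form setkey expects (quoted-string keys are low entropy).
gen_key() {
    od -An -tx1 -N "$(( $1 / 8 ))" /dev/urandom | tr -d ' \n' | sed 's/^/0x/'
}

# One "add" line for an ESP transport-mode SA.  Refuses IANA-reserved
# SPIs (0-255), policy ids outside 1..32767 and wrong key lengths, and
# always pairs -E with -A: ESP without authentication has no integrity.
emit_esp_sa() {
    src=$1 dst=$2 spi=$3 ealgo=$4 ekey=$5 aalgo=$6 akey=$7 uid=$8
    [ $(( spi )) -gt 255 ] || { echo "spi $spi is reserved" >&2; return 1; }
    [ "$uid" -ge 1 ] && [ "$uid" -le 32767 ] || { echo "bad -u id $uid" >&2; return 1; }
    ebits=$(hexkey_bits "$ekey") || { echo "malformed encryption key" >&2; return 1; }
    abits=$(hexkey_bits "$akey") || { echo "malformed auth key" >&2; return 1; }
    key_bits_ok "$ealgo" "$ebits" || { echo "$ealgo: $ebits-bit key rejected" >&2; return 1; }
    key_bits_ok "$aalgo" "$abits" || { echo "$aalgo: $abits-bit key rejected" >&2; return 1; }
    # -r 32 enables anti-replay (0 or absent disables it); -u binds the SA
    # to the SPD entry whose level is unique:<id>.
    printf 'add %s %s esp %s -m transport -r 32 -u %s\n\t-E %s %s\n\t-A %s %s ;\n' \
        "$src" "$dst" "$spi" "$uid" "$ealgo" "$ekey" "$aalgo" "$akey"
}

# Complete configuration for hosts A and B: one SA per direction with
# distinct SPIs and independently generated keys, plus the out/in
# policies bound to them through unique:1 and unique:2.
emit_host_pair() {
    a=$1 b=$2 spi_ab=$3 spi_ba=$4 ealgo=${5:-rijndael-cbc} ekbits=${6:-256}
    emit_esp_sa "$a" "$b" "$spi_ab" "$ealgo" "$(gen_key "$ekbits")" \
        hmac-sha256 "$(gen_key 256)" 1 || return 1
    emit_esp_sa "$b" "$a" "$spi_ba" "$ealgo" "$(gen_key "$ekbits")" \
        hmac-sha256 "$(gen_key 256)" 2 || return 1
    printf 'spdadd %s %s any -P out ipsec esp/transport//unique:1 ;\n' "$a" "$b"
    printf 'spdadd %s %s any -P in ipsec esp/transport//unique:2 ;\n' "$b" "$a"
}

# Usage: sh setkey-manual.sh 10.0.11.41 10.0.11.33 > manual.conf
# then validate without touching the kernel:  setkey -n -f manual.conf
if [ $# -eq 2 ]; then
    emit_host_pair "$1" "$2" 0x10001 0x10002
fi
```

The generated file is meant to be checked with setkey -n -f first, which parses it without changing the SAD or SPD, and then loaded with setkey -f on both hosts; the same file works on both sides because each direction has its own add line, and the in/out policies simply swap roles. The script only ever writes to stdout, so redirect it to a file with restrictive permissions, since that file now contains the SA keys.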