File: ELWIX - Embedded LightWeight unIX / embedaddon / ipsec-tools / src / setkey / setkey.8
Revision 1.1.1.1 (vendor branch), Tue Feb 21 22:39:10 2012 UTC, by misho
Branches: ipsec-tools, MAIN
CVS tags: v0_8_2p2, v0_8_1p0, v0_8_1, v0_8_0p0, v0_8_0, HEAD

    1: .\"	$NetBSD: setkey.8,v 1.26 2010/12/03 14:32:52 tteras Exp $
    2: .\"
    3: .\" Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
    4: .\" All rights reserved.
    5: .\"
    6: .\" Redistribution and use in source and binary forms, with or without
    7: .\" modification, are permitted provided that the following conditions
    8: .\" are met:
    9: .\" 1. Redistributions of source code must retain the above copyright
   10: .\"    notice, this list of conditions and the following disclaimer.
   11: .\" 2. Redistributions in binary form must reproduce the above copyright
   12: .\"    notice, this list of conditions and the following disclaimer in the
   13: .\"    documentation and/or other materials provided with the distribution.
   14: .\" 3. Neither the name of the project nor the names of its contributors
   15: .\"    may be used to endorse or promote products derived from this software
   16: .\"    without specific prior written permission.
   17: .\"
   18: .\" THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
   19: .\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
   20: .\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
   21: .\" ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
   22: .\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
   23: .\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
   24: .\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
   25: .\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
   26: .\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
   27: .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
   28: .\" SUCH DAMAGE.
   29: .\"
   30: .Dd June 4, 2010
   31: .Dt SETKEY 8
   32: .Os
   33: .\"
   34: .Sh NAME
   35: .Nm setkey
   36: .Nd manually manipulate the IPsec SA/SP database
   37: .\"
   38: .Sh SYNOPSIS
   39: .Nm setkey
   40: .Op Fl knrv
   41: .Ar file ...
   42: .Nm setkey
   43: .Op Fl knrv
   44: .Fl c
   45: .Nm setkey
   46: .Op Fl krv
   47: .Fl f Ar filename
   48: .Nm setkey
   49: .Op Fl aklPrv
   50: .Fl D
   51: .Nm setkey
   52: .Op Fl Pvp
   53: .Fl F
   54: .Nm setkey
   55: .Op Fl H
   56: .Fl x
   57: .Nm setkey
   58: .Op Fl ?V
   59: .\"
   60: .Sh DESCRIPTION
   61: .Nm
   62: adds, updates, dumps, or flushes
   63: Security Association Database (SAD) entries
   64: as well as Security Policy Database (SPD) entries in the kernel.
   65: .Pp
   66: .Nm
   67: takes a series of operations from standard input
   68: .Po
   69: if invoked with
   70: .Fl c
   71: .Pc
   72: or the file named
   73: .Ar filename
   74: .Po
   75: if invoked with
   76: .Fl f Ar filename
   77: .Pc .
   78: .Bl -tag -width Ds
   79: .It (no flag)
   80: Dump the SAD entries or SPD entries contained in the specified
   81: .Ar file .
   82: .It Fl ?
   83: Print short help.
   84: .It Fl a
   85: .Nm
   86: usually does not display dead SAD entries with
   87: .Fl D .
   88: If
   89: .Fl a
   90: is also specified, the dead SAD entries will be displayed as well.
   91: A dead SAD entry is one that has expired but remains in the
   92: system because it is referenced by some SPD entries.
   93: .It Fl D
   94: Dump the SAD entries.
   95: If
   96: .Fl P
   97: is also specified, the SPD entries are dumped.
   98: If
   99: .Fl p
  100: is specified, the ports are displayed.
  101: .It Fl F
  102: Flush the SAD entries.
  103: If
  104: .Fl P
  105: is also specified, the SPD entries are flushed.
  106: .It Fl H
  107: Add hexadecimal dump in
  108: .Fl x
  109: mode.
  110: .It Fl h
  111: On
  112: .Nx ,
  113: synonym for
  114: .Fl H .
  115: On other systems, synonym for
  116: .Fl ? .
  117: .It Fl k
  118: Use semantics used in kernel.
  119: Available only in Linux.
  120: See also
  121: .Fl r .
  122: .It Fl l
  123: Loop forever with short output on
  124: .Fl D .
  125: .It Fl n
  126: No action.
  127: The program will check validity of the input, but no changes to
  128: the SPD will be made.
  129: .It Fl r
  130: Use semantics described in IPsec RFCs.
  131: This mode is default.
  132: For details see section
  133: .Sx RFC vs Linux kernel semantics .
  134: Available only in Linux.
  135: See also
  136: .Fl k .
  137: .It Fl x
  138: Loop forever and dump all the messages transmitted to the
  139: .Dv PF_KEY
  140: socket.
  141: .Fl xx
  142: prints the unformatted timestamps.
  143: .It Fl V
  144: Print version string.
  145: .It Fl v
  146: Be verbose.
  147: The program will dump messages exchanged on the
  148: .Dv PF_KEY
  149: socket, including messages sent from other processes to the kernel.
  150: .El
  151: .Ss Configuration syntax
  152: With
  153: .Fl c
  154: or
  155: .Fl f
  156: on the command line,
  157: .Nm
  158: accepts the following configuration syntax.
  159: Lines starting with hash signs
  160: .Pq Sq #
  161: are treated as comment lines.
  162: .Bl -tag -width Ds
  163: .It Li add Oo Fl 46n Oc Ar src Ar dst Ar protocol Ar spi \
  164: Oo Ar extensions Oc Ar algorithm ... Li ;
  165: Add an SAD entry.
  166: .Li add
  167: can fail for multiple reasons, including when the key length does
  168: not match the specified algorithm.
  169: .\"
  170: .It Li get Oo Fl 46n Oc Ar src Ar dst Ar protocol Ar spi Li ;
  171: Show an SAD entry.
  172: .\"
  173: .It Li delete Oo Fl 46n Oc Ar src Ar dst Ar protocol Ar spi Li ;
  174: Remove an SAD entry.
  175: .\"
  176: .It Li deleteall Oo Fl 46n Oc Ar src Ar dst Ar protocol Li ;
  177: Remove all SAD entries that match the specification.
  178: .\"
  179: .It Li flush Oo Ar protocol Oc Li ;
  180: Clear all SAD entries matched by the options.
  181: .Fl F
  182: on the command line achieves the same functionality.
  183: .\"
  184: .It Li dump Oo Ar protocol Oc Li ;
  185: Dump all SAD entries matched by the options.
  186: .Fl D
  187: on the command line achieves the same functionality.
  188: .\"
  189: .It Li spdadd Oo Fl 46n Oc Ar src_range Ar dst_range Ar upperspec \
  190: Ar label Ar policy Li ;
  191: Add an SPD entry.
  192: .\"
  193: .It Li spdadd tagged Ar tag Ar policy Li ;
  194: Add an SPD entry based on a PF tag.
  195: .Ar tag
  196: must be a string surrounded by double quotes.
  197: .\"
  198: .It Li spdupdate Oo Fl 46n Oc Ar src_range Ar dst_range Ar upperspec \
  199: Ar label Ar policy Li ;
  200: Update an SPD entry.
  201: .\"
  202: .It Li spdupdate tagged Ar tag Ar policy Li ;
  203: Update an SPD entry based on a PF tag.
  204: .Ar tag
  205: must be a string surrounded by double quotes.
  206: .\"
  207: .It Li spddelete Oo Fl 46n Oc Ar src_range Ar dst_range Ar upperspec \
  208: Fl P Ar direction Li ;
  209: Delete an SPD entry.
  210: .\"
  211: .It Li spdflush Li ;
  212: Clear all SPD entries.
  213: .Fl FP
  214: on the command line achieves the same functionality.
  215: .\"
  216: .It Li spddump Li ;
  217: Dump all SPD entries.
  218: .Fl DP
  219: on the command line achieves the same functionality.
  220: .El
  221: .\"
  222: .Pp
  223: Meta-arguments are as follows:
  224: .Pp
  225: .Bl -tag -compact -width Ds
  226: .It Ar src
  227: .It Ar dst
  228: Source/destination of the secure communication is specified as
  229: an IPv4/v6 address, and an optional port number between square
  230: brackets.
  231: .Nm
  232: can resolve a FQDN into numeric addresses.
  233: If the FQDN resolves into multiple addresses,
  234: .Nm
  235: will install multiple SAD/SPD entries into the kernel
  236: by trying all possible combinations.
  237: .Fl 4 ,
  238: .Fl 6 ,
  239: and
  240: .Fl n
  241: restrict the address resolution of FQDN in certain ways.
  242: .Fl 4
  243: and
  244: .Fl 6
  245: restrict results into IPv4/v6 addresses only, respectively.
  246: .Fl n
  247: avoids FQDN resolution and requires addresses to be numeric addresses.
  248: .\"
  249: .Pp
  250: .It Ar protocol
  251: .Ar protocol
  252: is one of following:
  253: .Bl -tag -width Fl -compact
  254: .It Li esp
  255: ESP based on rfc2406
  256: .It Li esp-old
  257: ESP based on rfc1827
  258: .It Li ah
  259: AH based on rfc2402
  260: .It Li ah-old
  261: AH based on rfc1826
  262: .It Li ipcomp
  263: IPComp
  264: .It Li tcp
  265: TCP-MD5 based on rfc2385
  266: .El
  267: .\"
  268: .Pp
  269: .It Ar spi
  270: Security Parameter Index
  271: .Pq SPI
  272: for the SAD and the SPD.
  273: .Ar spi
  274: must be a decimal number, or a hexadecimal number with a
  275: .Dq Li 0x
  276: prefix.
  277: SPI values from 0 to 255 are reserved (1 through 255 by IANA, 0 for local,
  278: implementation-specific use) and cannot be used.
  279: TCP-MD5 associations must use 0x1000 and therefore only have per-host
  280: granularity at this time.
  281: .\"
  282: .Pp
  283: .It Ar extensions
  284: take some of the following:
  285: .Bl -tag -width Fl -compact
  286: .\"
  287: .It Fl m Ar mode
  288: Specify a security protocol mode for use.
  289: .Ar mode
  290: is one of following:
  291: .Li transport , tunnel ,
  292: or
  293: .Li any .
  294: The default value is
  295: .Li any .
  296: .\"
  297: .It Fl r Ar size
  298: Specify the window size, in bytes, for replay prevention.
  299: .Ar size
  300: must be a decimal number that fits in a 32-bit word.
  301: If
  302: .Ar size
  303: is zero or not specified, replay checks don't take place.
  304: .\"
  305: .It Fl u Ar id
  306: Specify the identifier of the policy entry in the SPD.
  307: See
  308: .Ar policy .
  309: .\"
  310: .It Fl f Ar pad_option
  311: defines the content of the ESP padding.
  312: .Ar pad_option
  313: is one of following:
  314: .Bl -tag -width random-pad -compact
  315: .It Li zero-pad
  316: All padding bytes are zero.
  317: .It Li random-pad
  318: Random values are used.
  319: .It Li seq-pad
  320: Sequentially increasing numbers starting from 1 are used.
  321: .El
  322: .\"
  323: .It Fl f Li nocyclic-seq
  324: Don't allow cyclic sequence numbers.
  325: .\"
  326: .It Fl lh Ar time
  327: .It Fl ls Ar time
  328: Specify hard/soft life time duration of the SA measured in seconds.
  329: .\"
  330: .It Fl bh Ar bytes
  331: .It Fl bs Ar bytes
  332: Specify hard/soft life time duration of the SA measured in bytes transported.
  333: .\"
  334: .It Fl ctx Ar doi Ar algorithm Ar context-name
  335: Specify an access control label.
  336: The access control label is interpreted by the LSM (e.g., SELinux).
  337: Ultimately, it enables MAC on network communications.
  338: .Bl -tag -width Fl -compact
  339: .It Ar doi
  340: The domain of interpretation, which is used by the
  341: IKE daemon to identify the domain in which negotiation takes place.
  342: .It Ar algorithm
  343: Indicates the LSM for which the label is generated (e.g., SELinux).
  344: .It Ar context-name
  345: The string representation of the label that is interpreted by the LSM.
  346: .El
  347: .El
  348: .\"
  349: .Pp
  350: .It Ar algorithm
  351: .Bl -tag -width Fl -compact
  352: .It Fl E Ar ealgo Ar key
  353: Specify an encryption algorithm
  354: .Ar ealgo
  355: for ESP.
  356: .It Fl E Ar ealgo Ar key Fl A Ar aalgo Ar key
  357: Specify an encryption algorithm
  358: .Ar ealgo ,
  359: as well as a payload authentication algorithm
  360: .Ar aalgo ,
  361: for ESP.
  362: .It Fl A Ar aalgo Ar key
  363: Specify an authentication algorithm for AH.
  364: .It Fl C Ar calgo Op Fl R
  365: Specify a compression algorithm for IPComp.
  366: If
  367: .Fl R
  368: is specified, the
  369: .Ar spi
  370: field value will be used as the IPComp CPI
  371: .Pq compression parameter index
  372: on wire as-is.
  373: If
  374: .Fl R
  375: is not specified,
  376: the kernel will use well-known CPI on wire, and
  377: .Ar spi
  378: field will be used only as an index for kernel internal usage.
  379: .El
  380: .Pp
  381: .Ar key
  382: must be a double-quoted character string, or a series of hexadecimal
  383: digits preceded by
  384: .Dq Li 0x .
  385: .Pp
  386: Possible values for
  387: .Ar ealgo ,
  388: .Ar aalgo ,
  389: and
  390: .Ar calgo
  391: are specified in the
  392: .Sx Algorithms
  393: sections.
  394: .\"
  395: .Pp
  396: .It Ar src_range
  397: .It Ar dst_range
  398: These select the communications that should be secured by IPsec.
  399: They can be an IPv4/v6 address or an IPv4/v6 address range, and
  400: may be accompanied by a TCP/UDP port specification.
  401: This takes the following form:
  402: .Bd -literal -offset indent
  403: .Ar address
  404: .Ar address/prefixlen
  405: .Ar address[port]
  406: .Ar address/prefixlen[port]
  407: .Ed
  408: .Pp
  409: .Ar prefixlen
  410: and
  411: .Ar port
  412: must be decimal numbers.
  413: The square brackets around
  414: .Ar port
  415: are really necessary,
  416: they are not man page meta-characters.
  417: For FQDN resolution, the rules applicable to
  418: .Ar src
  419: and
  420: .Ar dst
  421: apply here as well.
  422: .\"
  423: .Pp
  424: .It Ar upperspec
  425: Upper-layer protocol to be used.
  426: You can use one of the words in
  427: .Pa /etc/protocols
  428: as
  429: .Ar upperspec ,
  430: or
  431: .Li icmp6 ,
  432: .Li ip4 ,
  433: .Li gre ,
  434: or
  435: .Li any .
  436: .Li any
  437: stands for
  438: .Dq any protocol .
  439: You can also use the protocol number.
  440: Additional specification can be placed after the protocol name for
  441: some protocols.
  442: You can specify a type and/or a code for ICMP or ICMPv6.
  443: The type is separated from the code by a single comma, and the code must
  444: always be specified.
  445: A GRE key can be specified in dotted-quad format or as a plain number.
  446: When a zero is specified, the kernel treats it as a wildcard.
  447: Note that the kernel cannot distinguish a wildcard from an ICMPv6
  448: type of zero.
  449: .Pp
  450: For example, the following means that the policy doesn't require IPsec
  451: for any inbound Neighbor Solicitation.
  452: .Dl spdadd ::/0 ::/0 icmp6 135,0 -P in none ;
  453: .Pp
  454: A second example requires transport mode ESP for a specific
  455: GRE tunnel, selected by its GRE key:
  456: .Dl spdadd 0.0.0.0 0.0.0.0 gre 1234 -P out ipsec esp/transport//require ;
  457: .Pp
  458: .Em Note :
  459: .Ar upperspec
  460: does not work for the forwarding case at this moment,
  461: as it requires extra reassembly at the forwarding node
  462: .Pq not implemented at this moment .
  463: There are many protocols in
  464: .Pa /etc/protocols ,
  465: but protocols other than TCP, UDP, GRE, and ICMP may not be suitable
  466: for use with IPsec selectors.
  467: Consider carefully what to use.
  468: .\"
  469: .Pp
  470: .It Ar label
  471: .Ar label
  472: is the access control label for the policy.
  473: This label is interpreted by the LSM (e.g., SELinux).
  474: Ultimately, it enables MAC on network communications.
  475: When a policy contains an access control label, SAs
  476: negotiated with this policy will contain the label.
  477: Its format:
  478: .Bl -tag -width Fl -compact
  479: .\"
  480: .It Fl ctx Ar doi Ar algorithm Ar context-name
  481: .Bl -tag -width Fl -compact
  482: .It Ar doi
  483: The domain of interpretation, which is used by the
  484: IKE daemon to identify the domain in which negotiation takes place.
  485: .It Ar algorithm
  486: Indicates the LSM for which the label is generated (e.g., SELinux).
  487: .It Ar context-name
  488: The string representation of the label that is interpreted by the LSM.
  489: .El
  490: .El
  491: .\"
  492: .Pp
  493: .It Ar policy
  494: .Ar policy
  495: is in one of the following three formats:
  496: .Bl -item -compact
  497: .It
  498: .Fl P Ar direction [priority specification] Li discard
  499: .It
  500: .Fl P Ar direction [priority specification] Li none
  501: .It
  502: .Fl P Ar direction [priority specification] Li ipsec
  503: .Ar protocol/mode/src-dst/level Op ...
  504: .El
  505: .Pp
  506: You must specify the direction of its policy as
  507: .Ar direction .
  508: Either
  509: .Ar out ,
  510: .Ar in ,
  511: or
  512: .Ar fwd
  513: can be used.
  514: .Pp
  515: .Ar priority specification
  516: is used to control the placement of the policy within the SPD.
  517: Policy position is determined by
  518: a signed integer where higher priorities indicate the policy is placed
  519: closer to the beginning of the list and lower priorities indicate the
  520: policy is placed closer to the end of the list.
  521: Policies with equal priorities are added at the end of groups
  522: of such policies.
  523: .Pp
  524: Priority can only
  525: be specified when setkey has been compiled against kernel headers that
  526: support policy priorities (Linux \*[Gt]= 2.6.6).
  527: If the kernel does not support priorities, a warning message will
  528: be printed the first time a priority specification is used.
  529: Policy priority takes one of the following formats:
  530: .Bl -tag  -width "discard"
  531: .It Ar {priority,prio} offset
  532: .Ar offset
  533: is an integer in the range from \-2147483647 to 2147483648.
  534: .It Ar {priority,prio} base {+,\-} offset
  535: .Ar base
  536: is either
  537: .Li low (\-1073741824) ,
  538: .Li def (0) ,
  539: or
  540: .Li high (1073741824)
  541: .Pp
  542: .Ar offset
  543: is an unsigned integer.
  544: It can be up to 1073741824 for
  545: positive offsets, and up to 1073741823 for negative offsets.
  546: .El
  547: .Pp
  548: .Li discard
  549: means that packets matching the selector will be discarded.
  550: .Li none
  551: means that no IPsec processing will be applied to the packet.
  552: .Li ipsec
  553: means that IPsec processing will be applied to the packet.
  554: .Pp
  555: The
  556: .Ar protocol/mode/src-dst/level
  557: part specifies the rule how to process the packet.
  558: Either
  559: .Li ah ,
  560: .Li esp ,
  561: or
  562: .Li ipcomp
  563: must be used as
  564: .Ar protocol .
  565: .Ar mode
  566: is either
  567: .Li transport
  568: or
  569: .Li tunnel .
  570: If
  571: .Ar mode
  572: is
  573: .Li tunnel ,
  574: you must specify the end-point addresses of the SA as
  575: .Ar src
  576: and
  577: .Ar dst
  578: with
  579: .Sq -
  580: between these addresses, which is used to specify the SA to use.
  581: If
  582: .Ar mode
  583: is
  584: .Li transport ,
  585: both
  586: .Ar src
  587: and
  588: .Ar dst
  589: can be omitted.
  590: .Ar level
  591: is to be one of the following:
  592: .Li default , use , require ,
  593: or
  594: .Li unique .
  595: At any of these levels, if no suitable SA is available, the kernel will
  596: ask the key exchange daemon to establish one.
  597: .Li default
  598: means the kernel consults the system wide default for the protocol
  599: you specified, e.g. the
  600: .Li esp_trans_deflev
  601: sysctl variable, when the kernel processes the packet.
  602: .Li use
  603: means that the kernel uses an SA if it's available,
  604: otherwise the kernel keeps normal operation.
  605: .Li require
  606: means SA is required whenever the kernel sends a packet matched
  607: with the policy.
  608: .Li unique
  609: is the same as
  610: .Li require ;
  611: in addition, it allows the policy to match the unique out-bound SA.
  612: If you just specify the policy level
  613: .Li unique ,
  614: .Xr racoon 8
  615: will configure the SA for the policy.
  616: If you configure the SA by manual keying for that policy,
  617: you can put a decimal number as the policy identifier after
  618: .Li unique
  619: separated by a colon
  620: .Sq \&:
  621: like:
  622: .Li unique:number
  623: in order to bind this policy to the SA.
  624: .Li number
  625: must be between 1 and 32767.
  626: It corresponds to
  627: .Ar extensions Fl u
  628: of the manual SA configuration.
  629: When you want to use an SA bundle, you can define multiple rules.
  630: For example, if an IP header was followed by an AH header followed
  631: by an ESP header followed by an upper layer protocol header, the
  632: rule would be:
  633: .Dl esp/transport//require ah/transport//require ;
  634: The rule order is very important.
  635: .Pp
  636: When NAT-T is enabled in the kernel, policy matching for ESP over
  637: UDP packets may be done on the endpoint addresses and ports
  638: (this depends on the system;
  639: systems that do not perform the port check cannot support
  640: multiple endpoints behind the same NAT).
  641: When using ESP over UDP, you can specify port numbers in the endpoint
  642: addresses to get the correct matching.
  643: Here is an example:
  644: .Bd -literal -offset indent
  645: spdadd 10.0.11.0/24[any] 10.0.11.33/32[any] any \-P out ipsec
  646:     esp/tunnel/192.168.0.1[4500]-192.168.1.2[30000]/require ;
  647: 
  648: .Ed
  649: These ports must be left unspecified (which defaults to 0) for
  650: anything other than ESP over UDP.
  651: They can be displayed in SPD dump using
  652: .Nm
  653: .Fl DPp .
  654: .Pp
  655: Note that
  656: .Dq Li discard
  657: and
  658: .Dq Li none
  659: are not in the syntax described in
  660: .Xr ipsec_set_policy 3 .
  661: There are a few differences in the syntax.
  662: See
  663: .Xr ipsec_set_policy 3
  664: for detail.
  665: .El
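.Pp
The policy grammar described above is easy to get subtly wrong in a
hand-written configuration.
The Python below is an added example written for this page, not code
from ipsec-tools or
.Nm :
it parses address-selector
.Li spdadd
statements as the text describes them (direction, optional priority,
optional
.Fl ctx
label, and the protocol/mode/src-dst/level rules, including NAT-T ports
and unique:number) and rejects the documented violations: tunnel mode
without end-points, unique:number outside 1 to 32767, and priority
offsets beyond the stated limits.
Function names and the sample statements are the example's own.
It assumes the
.Li base {+,-} offset
priority form may be written with or without spaces, leaves an omitted
priority as None (the kernel default), and does not handle the
.Li spdadd tagged
form.

```python
"""Parse setkey(8) spdadd statements: selector, optional -ctx label, and the
-P direction [priority] {discard|none|ipsec rule ...} policy.
Added example, not ipsec-tools code; limits are taken from the man page."""
import re

PRIORITY_BASE = {"low": -1073741824, "def": 0, "high": 1073741824}
DIRECTIONS = ("out", "in", "fwd")
LEVELS = ("default", "use", "require", "unique")


def parse_priority(tokens):
    """Consume `{priority,prio} offset` or `{priority,prio} base {+,-} offset`
    (assumed writable with or without spaces); return (value, rest)."""
    if not tokens or tokens[0] not in ("priority", "prio"):
        return None, tokens                      # kernel default
    spec, rest = tokens[1], tokens[2:]
    if spec in PRIORITY_BASE and rest[:1] and rest[0] in "+-":
        spec, rest = spec + rest[0] + rest[1], rest[2:]
    m = re.fullmatch(r"(low|def|high)([+-])(\d+)", spec)
    if not m:                                    # plain signed offset
        value = int(spec)
        if not -2147483647 <= value <= 2147483648:
            raise ValueError("priority %d out of range" % value)
        return value, rest
    base, sign, off = m.group(1), m.group(2), int(m.group(3))
    limit = 1073741824 if sign == "+" else 1073741823   # documented bounds
    if off > limit:
        raise ValueError("priority offset %d exceeds %d" % (off, limit))
    return PRIORITY_BASE[base] + (off if sign == "+" else -off), rest


def parse_endpoint(text):
    """`address` or `address[port]`; a port is only meaningful for ESP over UDP."""
    m = re.fullmatch(r"([^\[\]]+)(?:\[(\d+)\])?", text)
    if not m:
        raise ValueError("bad SA end-point: %s" % text)
    return m.group(1), int(m.group(2) or 0)


def parse_rule(rule):
    """protocol/mode/src-dst/level; tunnel mode must name both end-points."""
    parts = rule.split("/")
    if len(parts) != 4:
        raise ValueError("rule must be protocol/mode/src-dst/level: %s" % rule)
    proto, mode, srcdst, level = parts
    if proto not in ("ah", "esp", "ipcomp") or mode not in ("transport", "tunnel"):
        raise ValueError("bad protocol or mode: %s" % rule)
    endpoints = None
    if srcdst:
        src, _, dst = srcdst.partition("-")
        endpoints = (parse_endpoint(src), parse_endpoint(dst))
    elif mode == "tunnel":
        raise ValueError("tunnel mode requires the SA end-point addresses")
    name, _, num = level.partition(":")
    if name not in LEVELS or (num and name != "unique"):
        raise ValueError("bad level: %s" % level)
    policy_id = int(num) if num else None       # binds to the SA's -u id
    if policy_id is not None and not 1 <= policy_id <= 32767:
        raise ValueError("unique:number must be between 1 and 32767")
    return {"protocol": proto, "mode": mode, "endpoints": endpoints,
            "level": name, "policy_id": policy_id}


def parse_spdadd(statement):
    """Return the parsed statement as a dict; raise ValueError on violations."""
    tok = re.findall(r'"[^"]*"|[^\s;]+|;', statement)   # keep "quoted" whole
    if tok[:1] != ["spdadd"] or tok[-1:] != [";"]:
        raise ValueError("expected `spdadd ... ;`")
    tok = tok[1:-1]
    while tok and tok[0] in ("-4", "-6", "-n"):
        tok.pop(0)
    selector = {"src": tok[0], "dst": tok[1], "upperspec": tok[2], "extra": None}
    tok = tok[3:]
    # an ICMP/ICMPv6 `type,code` or a GRE key may follow the protocol name
    if selector["upperspec"] in ("icmp", "icmp6", "gre") and tok and not tok[0].startswith("-"):
        selector["extra"] = tok.pop(0)
    label = None
    if tok[:1] == ["-ctx"]:                      # -ctx doi algorithm "context"
        label, tok = (tok[1], tok[2], tok[3].strip('"')), tok[4:]
    if len(tok) < 2 or tok[0] != "-P" or tok[1] not in DIRECTIONS:
        raise ValueError("policy must start with -P {out,in,fwd}")
    direction, tok = tok[1], tok[2:]
    priority, tok = parse_priority(tok)
    if not tok:
        raise ValueError("missing discard, none or ipsec")
    action, rules = tok[0], []
    if action in ("discard", "none"):
        if tok[1:]:
            raise ValueError("%s takes no rules" % action)
    elif action == "ipsec":
        rules = [parse_rule(r) for r in tok[1:]]  # bundle order is significant
        if not rules:
            raise ValueError("ipsec needs at least one rule")
    else:
        raise ValueError("policy must be discard, none or ipsec")
    return {"selector": selector, "label": label, "direction": direction,
            "priority": priority, "action": action, "rules": rules}


def rejects(statement):
    """True when parse_spdadd refuses the statement (or it is truncated)."""
    try:
        return parse_spdadd(statement) is None
    except (ValueError, IndexError):
        return True
```

Feed each statement of a configuration file through parse_spdadd before
loading the file with
.Fl f ;
a statement that parses still needs a human check that its bundle rules
are in the intended order, since the parser cannot know the wanted header
layout.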
  666: .\"
  667: .Ss Algorithms
  668: The following list shows the supported algorithms.
  669: .Sy protocol
  670: and
  671: .Sy algorithm
  672: are almost orthogonal.
  673: These authentication algorithms can be used as
  674: .Ar aalgo
  675: in
  676: .Fl A Ar aalgo
  677: of the
  678: .Ar protocol
  679: parameter:
  680: .Pp
  681: .Bd -literal -offset indent
  682: algorithm	keylen (bits)
  683: hmac-md5	128		ah: rfc2403
  684: 		128		ah-old: rfc2085
  685: hmac-sha1	160		ah: rfc2404
  686: 		160		ah-old: 128bit ICV (no document)
  687: keyed-md5	128		ah: 96bit ICV (no document)
  688: 		128		ah-old: rfc1828
  689: keyed-sha1	160		ah: 96bit ICV (no document)
  690: 		160		ah-old: 128bit ICV (no document)
  691: null		0 to 2048	for debugging
  692: hmac-sha256	256		ah: 96bit ICV
  693: 				(draft-ietf-ipsec-ciph-sha-256-00)
  694: 		256		ah-old: 128bit ICV (no document)
  695: hmac-sha384	384		ah: 96bit ICV (no document)
  696: 		384		ah-old: 128bit ICV (no document)
  697: hmac-sha512	512		ah: 96bit ICV (no document)
  698: 		512		ah-old: 128bit ICV (no document)
  699: hmac-ripemd160	160		ah: 96bit ICV (RFC2857)
  700: 				ah-old: 128bit ICV (no document)
  701: aes-xcbc-mac	128		ah: 96bit ICV (RFC3566)
  702: 		128		ah-old: 128bit ICV (no document)
  703: tcp-md5		8 to 640	tcp: rfc2385
  704: .Ed
  705: .Pp
  706: These encryption algorithms can be used as
  707: .Ar ealgo
  708: in
  709: .Fl E Ar ealgo
  710: of the
  711: .Ar protocol
  712: parameter:
  713: .Pp
  714: .Bd -literal -offset indent
  715: algorithm	keylen (bits)
  716: des-cbc		64		esp-old: rfc1829, esp: rfc2405
  717: 3des-cbc	192		rfc2451
  718: null		0 to 2048	rfc2410
  719: blowfish-cbc	40 to 448	rfc2451
  720: cast128-cbc	40 to 128	rfc2451
  721: des-deriv	64		ipsec-ciph-des-derived-01
  722: 3des-deriv	192		no document
  723: rijndael-cbc	128/192/256	rfc3602
  724: twofish-cbc	0 to 256	draft-ietf-ipsec-ciph-aes-cbc-01
  725: aes-ctr		160/224/288	draft-ietf-ipsec-ciph-aes-ctr-03
  726: camellia-cbc	128/192/256	rfc4312
  727: .Ed
  728: .Pp
  729: Note that the last 32 bits of an
  730: .Li aes-ctr
  731: key are used as the nonce; the preceding 128, 192, or 256 bits are the AES key.
  732: .Pp
  733: Single DES
  734: .Pq Li des-cbc , des-deriv
  735: is listed for interoperability with legacy peers only: RFC 8221 requires
  736: that it not be used, and discourages 3DES.
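.Pp
The SPI, key, and algorithm constraints described above (reserved SPIs,
0x1000 for TCP-MD5, "quoted" or 0x-hex keys, the per-algorithm key
lengths in the tables, and the aes-ctr key/nonce split) are what make an
.Li add
fail at load time.
The Python below is an added example written for this page, not code
from ipsec-tools: its tables are transcribed from the Algorithms
section, and it checks an
.Li add
statement against them before the statement reaches the kernel.
Function names and the sample statements are the example's own.

```python
"""Check setkey(8) `add` statements against the constraints the man page
documents: SPI range, key syntax, and key length per algorithm.
Added example, not ipsec-tools code; tables transcribed from the man page."""
import re

# Accepted key lengths in bits: a set lists fixed lengths, a range a span.
ENCRYPTION_KEYLEN = {
    "des-cbc": {64}, "3des-cbc": {192}, "null": range(0, 2049),
    "blowfish-cbc": range(40, 449), "cast128-cbc": range(40, 129),
    "des-deriv": {64}, "3des-deriv": {192}, "rijndael-cbc": {128, 192, 256},
    "twofish-cbc": range(0, 257), "aes-ctr": {160, 224, 288},
    "camellia-cbc": {128, 192, 256},
}
AUTH_KEYLEN = {
    "hmac-md5": {128}, "hmac-sha1": {160}, "keyed-md5": {128},
    "keyed-sha1": {160}, "null": range(0, 2049), "hmac-sha256": {256},
    "hmac-sha384": {384}, "hmac-sha512": {512}, "hmac-ripemd160": {160},
    "aes-xcbc-mac": {128}, "tcp-md5": range(8, 641),
}
SA_PROTOCOLS = ("esp", "esp-old", "ah", "ah-old", "ipcomp", "tcp")


def parse_spi(text):
    """Decimal, or hexadecimal with a 0x prefix; 0..255 are reserved."""
    spi = int(text, 16) if text.lower().startswith("0x") else int(text, 10)
    if not 0 <= spi <= 0xFFFFFFFF:
        raise ValueError("SPI %s does not fit in 32 bits" % text)
    if spi <= 255:
        raise ValueError("SPI %d is in the reserved range 0-255" % spi)
    return spi


def key_bits(token):
    """A key is a "double-quoted string" or 0x-prefixed hex digits."""
    if token.startswith("0x") and re.fullmatch(r"[0-9a-fA-F]+", token[2:]):
        return (len(token) - 2) * 4
    if len(token) >= 2 and token[0] == token[-1] == '"':
        return (len(token) - 2) * 8
    raise ValueError('key must be "quoted" or 0x-hex: %s' % token)


def check_add(statement):
    """Parse `add [-46n] src dst protocol spi [extensions] algorithm ... ;`
    and return the SA as a dict; raise ValueError on a documented violation."""
    tok = re.findall(r'"[^"]*"|[^\s;]+|;', statement)   # keep "quoted" whole
    if tok[:1] != ["add"] or tok[-1:] != [";"]:
        raise ValueError("expected `add ... ;`")
    tok = tok[1:-1]
    while tok and tok[0] in ("-4", "-6", "-n"):
        tok.pop(0)
    src, dst, proto, spi_text = tok[:4]
    if proto not in SA_PROTOCOLS:
        raise ValueError("unknown protocol: %s" % proto)
    sa = {"src": src, "dst": dst, "protocol": proto, "spi": parse_spi(spi_text)}
    if proto == "tcp" and sa["spi"] != 0x1000:
        raise ValueError("TCP-MD5 associations must use SPI 0x1000")
    rest, i = tok[4:], 0
    while i < len(rest):
        flag = rest[i]
        if flag in ("-E", "-A"):
            algo, key = rest[i + 1], rest[i + 2]
            table = ENCRYPTION_KEYLEN if flag == "-E" else AUTH_KEYLEN
            if algo not in table:
                raise ValueError("unknown algorithm for %s: %s" % (flag, algo))
            bits = key_bits(key)
            if bits not in table[algo]:
                raise ValueError("%s: key of %d bits not allowed" % (algo, bits))
            sa["ealgo" if flag == "-E" else "aalgo"] = (algo, bits)
            i += 3
        elif flag == "-C":                        # IPComp: -C calgo [-R]
            sa["calgo"], i = rest[i + 1], i + 2
            if rest[i:i + 1] == ["-R"]:           # spi is used as the on-wire CPI
                sa["raw_cpi"], i = True, i + 1
        elif flag == "-ctx":                      # -ctx doi algorithm context-name
            sa["ctx"], i = tuple(rest[i + 1:i + 4]), i + 4
        elif flag in ("-m", "-r", "-u", "-f", "-lh", "-ls", "-bh", "-bs"):
            sa[flag], i = rest[i + 1], i + 2
        else:
            raise ValueError("unexpected token: %s" % flag)
    # ESP is keyed with -E (optionally plus -A); AH and TCP-MD5 take -A only.
    if proto.startswith("esp") and "ealgo" not in sa:
        raise ValueError("%s requires -E ealgo key" % proto)
    if proto in ("ah", "ah-old", "tcp") and ("aalgo" not in sa or "ealgo" in sa):
        raise ValueError("%s takes -A aalgo key only" % proto)
    return sa


def aes_ctr_split(key_token):
    """Per the man page, the last 32 bits of an aes-ctr key are the nonce and
    the preceding 128/192/256 bits the AES key; returns (aes_key, nonce)."""
    bits = key_bits(key_token)
    if bits not in ENCRYPTION_KEYLEN["aes-ctr"]:
        raise ValueError("aes-ctr key must be 160, 224 or 288 bits, got %d" % bits)
    raw = bytes.fromhex(key_token[2:]) if key_token.startswith("0x") else key_token[1:-1].encode()
    return raw[:-4], raw[-4:]


def rejects(statement):
    """True when check_add refuses the statement (or it is truncated)."""
    try:
        return check_add(statement) is None
    except (ValueError, IndexError):
        return True
```

A quoted key is counted at 8 bits per character, so the man page's
"authentication!!" is a valid 128-bit hmac-md5 key while a 3des-cbc
statement carrying the 64-bit des-cbc key from the EXAMPLES section is
rejected before it can fail inside the kernel.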
  732: .Pp
  733: These compression algorithms can be used as
  734: .Ar calgo
  735: in
  736: .Fl C Ar calgo
  737: of the
  738: .Ar protocol
  739: parameter:
  740: .Pp
  741: .Bd -literal -offset indent
  742: algorithm
  743: deflate		rfc2394
  744: .Ed
  745: .\"
  746: .Ss RFC vs Linux kernel semantics
  747: The Linux kernel uses the
  748: .Ar fwd
  749: policy instead of the
  750: .Ar in
  751: policy for packets that are forwarded through that particular box.
  752: .Pp
  753: In
  754: .Ar kernel
  755: mode,
  756: .Nm
  757: manages and shows policies and SAs exactly as they are stored in the kernel.
  758: .Pp
  759: In
  760: .Ar RFC
  761: mode,
  762: .Nm
  763: .Bl -item
  764: .It
  765: creates
  766: .Ar fwd
  767: policies for every
  768: .Ar in
  769: policy inserted
  770: .It
  771: (not implemented yet) filters out all
  772: .Ar fwd
  773: policies
  774: .El
  775: .Sh RETURN VALUES
  776: The command exits with 0 on success, and non-zero on errors.
  777: .\"
  778: .Sh EXAMPLES
  779: .Bd -literal -offset indent
  780: add 3ffe:501:4819::1 3ffe:501:481d::1 esp 123457
  781: 	\-E des-cbc 0x3ffe05014819ffff ;
  782: 
  783: add \-6 myhost.example.com yourhost.example.com ah 123456
  784: 	\-A hmac-sha1 "AH SA configuration!" ;
  785: 
  786: add 10.0.11.41 10.0.11.33 esp 0x10001
  787: 	\-E des-cbc 0x3ffe05014819ffff
  788: 	\-A hmac-md5 "authentication!!" ;
  789: 
  790: get 3ffe:501:4819::1 3ffe:501:481d::1 ah 123456 ;
  791: 
  792: flush ;
  793: 
  794: dump esp ;
  795: 
  796: spdadd 10.0.11.41/32[21] 10.0.11.33/32[any] any
  797: 	\-P out ipsec esp/tunnel/192.168.0.1-192.168.1.2/require ;
  798: 
  799: add 10.1.10.34 10.1.10.36 tcp 0x1000 \-A tcp-md5 "TCP-MD5 BGP secret" ;
  800: 
  801: add 10.0.11.41 10.0.11.33 esp 0x10001
  802: 	\-ctx 1 1 "system_u:system_r:unconfined_t:SystemLow-SystemHigh"
  803: 	\-E des-cbc 0x3ffe05014819ffff;
  804: 
  805: spdadd 10.0.11.41 10.0.11.33 any
  806: 	\-ctx 1 1 "system_u:system_r:unconfined_t:SystemLow-SystemHigh"
  807: 	\-P out ipsec esp/transport//require ;
  808: .Ed
  809: .\"
  810: .Sh SEE ALSO
  811: .Xr ipsec_set_policy 3 ,
  812: .Xr racoon 8 ,
  813: .Xr sysctl 8
  814: .Rs
  815: .%T "Changed manual key configuration for IPsec"
  816: .%U "http://www.kame.net/newsletter/19991007/"
  817: .%D "October 1999"
  818: .Re
  819: .\"
  820: .Sh HISTORY
  821: The
  822: .Nm
  823: command first appeared in the WIDE Hydrangea IPv6 protocol stack
  824: kit.
  825: The command was completely re-designed in June 1998.
  826: .\"
  827: .Sh BUGS
  828: .Nm
  829: should report and handle syntax errors better.
  830: .Pp
  831: For IPsec gateway configuration,
  832: .Ar src_range
  833: and
  834: .Ar dst_range
  835: with TCP/UDP port numbers do not work, as the gateway does not
  836: reassemble packets
  837: .Pq it cannot inspect upper-layer headers .
