.\" $KAME: setkey.8,v 1.89 2003/09/07 22:17:41 itojun Exp $
.\"
.\" Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\" 3. Neither the name of the project nor the names of its contributors
.\"    may be used to endorse or promote products derived from this software
.\"    without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" $FreeBSD$
.\"
.Dd January 8, 2006
.Dt SETKEY 8
.Os
.\"
.Sh NAME
.Nm setkey
.Nd "manually manipulate the IPsec SA/SP database"
.\"
.Sh SYNOPSIS
.Nm
.Op Fl v
.Fl c
.Nm
.Op Fl v
.Fl f Ar filename
.Nm
.Op Fl aPlv
.Fl D
.Nm
.Op Fl Pv
.Fl F
.Nm
.Op Fl h
.Fl x
.\"
.Sh DESCRIPTION
The
.Nm
utility adds, updates, dumps, or flushes
Security Association Database (SAD) entries
as well as Security Policy Database (SPD) entries in the kernel.
.Pp
The
.Nm
utility takes a series of operations from the standard input
(if invoked with
.Fl c )
or the file named
.Ar filename
(if invoked with
.Fl f Ar filename ) .
.Bl -tag -width indent
.It Fl D
Dump the SAD entries.
With
.Fl P ,
the SPD entries are dumped.
.It Fl F
Flush the SAD entries.
With
.Fl P ,
the SPD entries are flushed.
.It Fl a
The
.Nm
utility
usually does not display dead SAD entries with
.Fl D .
With
.Fl a ,
the dead SAD entries will be displayed as well.
A dead SAD entry is one that
has expired but remains in the system
because it is referenced by some SPD entries.
.It Fl h
Add a hexadecimal dump in
.Fl x
mode.
.It Fl l
Loop forever with short output on
.Fl D .
.It Fl v
Be verbose.
The program will dump messages exchanged on the
.Dv PF_KEY
socket, including messages sent from other processes to the kernel.
.It Fl x
Loop forever and dump all the messages transmitted to the
.Dv PF_KEY
socket.
.Fl xx
makes each timestamp unformatted.
.El
.Ss Configuration syntax
With
.Fl c
or
.Fl f
on the command line,
.Nm
accepts the following configuration syntax.
Lines starting with hash signs
.Pq Ql #
are treated as comment lines.
.Bl -tag -width indent
.It Xo
.Li add
.Op Fl 46n
.Ar src Ar dst Ar protocol Ar spi
.Op Ar extensions
.Ar algorithm ...
.Li ;
.Xc
Add an SAD entry.
.Li add
can fail for multiple reasons,
including when the key length does not match the specified algorithm.
.\"
.It Xo
.Li get
.Op Fl 46n
.Ar src Ar dst Ar protocol Ar spi
.Li ;
.Xc
Show an SAD entry.
.\"
.It Xo
.Li delete
.Op Fl 46n
.Ar src Ar dst Ar protocol Ar spi
.Li ;
.Xc
Remove an SAD entry.
.\"
.It Xo
.Li deleteall
.Op Fl 46n
.Ar src Ar dst Ar protocol
.Li ;
.Xc
Remove all SAD entries that match the specification.
.\"
.It Xo
.Li flush
.Op Ar protocol
.Li ;
.Xc
Clear all SAD entries matched by the options.
.Fl F
on the command line achieves the same functionality.
.\"
.It Xo
.Li dump
.Op Ar protocol
.Li ;
.Xc
Dump all SAD entries matched by the options.
.Fl D
on the command line achieves the same functionality.
.\"
.It Xo
.Li spdadd
.Op Fl 46n
.Ar src_range Ar dst_range Ar upperspec Ar policy
.Li ;
.Xc
Add an SPD entry.
.\"
.It Xo
.Li spddelete
.Op Fl 46n
.Ar src_range Ar dst_range Ar upperspec Fl P Ar direction
.Li ;
.Xc
Delete an SPD entry.
.\"
.It Xo
.Li spdflush
.Li ;
.Xc
Clear all SPD entries.
.Fl FP
on the command line achieves the same functionality.
.\"
.It Xo
.Li spddump
.Li ;
.Xc
Dump all SPD entries.
.Fl DP
on the command line achieves the same functionality.
.El
.\"
.Pp
Meta-arguments are as follows:
.Pp
.Bl -tag -compact -width indent
.It Ar src
.It Ar dst
The source/destination of the secure communication, specified as an
IPv4/v6 address.
The
.Nm
utility
can resolve an FQDN into numeric addresses.
If the FQDN resolves into multiple addresses,
.Nm
will install multiple SAD/SPD entries into the kernel
by trying all possible combinations.
.Fl 4 ,
.Fl 6
and
.Fl n
restrict the address resolution of the FQDN in certain ways.
.Fl 4
and
.Fl 6
restrict results to IPv4/v6 addresses only, respectively.
.Fl n
avoids FQDN resolution and requires addresses to be numeric addresses.
.\"
.Pp
.It Ar protocol
.Ar protocol
is one of the following:
.Bl -tag -width Fl -compact
.It Li esp
ESP based on rfc2406
.It Li esp-old
ESP based on rfc1827
.It Li ah
AH based on rfc2402
.It Li ah-old
AH based on rfc1826
.It Li ipcomp
IPComp
.It Li tcp
TCP-MD5 based on rfc2385
.El
.\"
.Pp
.It Ar spi
Security Parameter Index
(SPI)
for the SAD and the SPD.
.Ar spi
must be a decimal number, or a hexadecimal number with a
.Ql 0x
prefix.
SPI values between 0 and 255 are reserved for future use by IANA
and they cannot be used.
TCP-MD5 associations must use 0x1000 and therefore only have per-host
granularity at this time.
.\"
.Pp
.It Ar extensions
take some of the following:
.Bl -tag -width Fl -compact
.\"
.It Fl m Ar mode
Specify a security protocol mode for use.
.Ar mode
is one of the following:
.Li transport , tunnel
or
.Li any .
The default value is
.Li any .
.\"
.It Fl r Ar size
Specify the window size of bytes for replay prevention.
.Ar size
must be a decimal number in 32-bit words.
If
.Ar size
is zero or not specified, the replay check does not take place.
.\"
.It Fl u Ar id
Specify the identifier of the policy entry in the SPD.
See
.Ar policy .
.\"
.It Fl f Ar pad_option
Defines the content of the ESP padding.
.Ar pad_option
is one of the following:
.Bl -tag -width random-pad -compact
.It Li zero-pad
All of the padding is zero.
.It Li random-pad
A series of randomized values is set.
.It Li seq-pad
A series of sequentially increasing numbers starting from 1 is set.
.El
.\"
.It Fl f Li nocyclic-seq
Do not allow cyclic sequence numbers.
.\"
.It Fl lh Ar time
.It Fl ls Ar time
Specify the hard/soft lifetime of the SA.
.El
.\"
.Pp
.It Ar algorithm
.Bl -tag -width Fl -compact
.It Fl E Ar ealgo Ar key
Specify an encryption algorithm
.Ar ealgo
for ESP.
.It Xo
.Fl E Ar ealgo Ar key
.Fl A Ar aalgo Ar key
.Xc
Specify an encryption algorithm
.Ar ealgo ,
as well as a payload authentication algorithm
.Ar aalgo ,
for ESP.
.It Fl A Ar aalgo Ar key
Specify an authentication algorithm for AH.
.It Fl C Ar calgo Op Fl R
Specify a compression algorithm for IPComp.
If
.Fl R
is specified, the
.Ar spi
field value will be used as the IPComp CPI
(compression parameter index)
on the wire as is.
If
.Fl R
is not specified,
the kernel will use a well-known CPI on the wire, and the
.Ar spi
field will be used only as an index for kernel internal usage.
.El
.Pp
.Ar key
must be a double-quoted character string, or a series of hexadecimal digits
preceded by
.Ql 0x .
.Pp
Possible values for
.Ar ealgo ,
.Ar aalgo
and
.Ar calgo
are specified in a separate section.
.\"
.Pp
.It Ar src_range
.It Ar dst_range
These are selectors for the secure communication, specified as an
IPv4/v6 address or IPv4/v6 address range, optionally accompanied by a
TCP/UDP port specification.
This takes the following form:
.Bd -unfilled
.Ar address
.Ar address/prefixlen
.Ar address[port]
.Ar address/prefixlen[port]
.Ed
.Pp
.Ar prefixlen
and
.Ar port
must be a decimal number.
The square brackets around
.Ar port
are necessary and are not manpage metacharacters.
For FQDN resolution, the rules applicable to
.Ar src
and
.Ar dst
apply here as well.
.\"
.Pp
.It Ar upperspec
The upper layer protocol to be used.
You can use one of the words in
.Pa /etc/protocols
as
.Ar upperspec ,
as well as
.Li icmp6 ,
.Li ip4 ,
or
.Li any .
.Li Any
stands for
.Dq any protocol .
The protocol number may also be used to specify the
.Ar upperspec .
A type and code related to ICMPv6 may also be specified as an
.Ar upperspec .
The type is specified first, followed by a comma and then the relevant
code.
The specification must be placed after
.Li icmp6 .
The kernel considers a zero to be a wildcard but
cannot distinguish between a wildcard and an ICMPv6
type which is zero.
The following example shows a policy where IPsec is not required for
inbound Neighbor Solicitations:
.Pp
.Dl "spdadd ::/0 ::/0 icmp6 135,0 -P in none;"
.Pp
NOTE:
.Ar upperspec
does not currently work in the forwarding case,
as it requires extra reassembly at the forwarding node,
which is not implemented.
Although there are many protocols in
.Pa /etc/protocols ,
protocols other than TCP, UDP and ICMP may not be suitable to use with IPsec.
.\"
.Pp
.It Ar policy
.Ar policy
is expressed in one of the following three formats:
.Bd -unfilled -offset indent
.Fl P Ar direction Li discard
.Fl P Ar direction Li none
.Fl P Ar direction Li ipsec Ar protocol/mode/src-dst/level Op ...
.Ed
.Pp
The direction of a policy must be specified as one of
.Li out
or
.Li in ,
and the policy itself as one of
.Li discard ,
.Li none ,
or
.Li ipsec .
.Li Discard
means that packets matching the supplied indices will be discarded,
while
.Li none
means that IPsec operations will not take place on the packet and
.Li ipsec
means that IPsec operations will take place on the packet.
The
.Ar protocol/mode/src-dst/level
statement gives the rule for how to process the packet.
.Ar protocol
is specified as
.Li ah ,
.Li esp
or
.Li ipcomp .
The
.Ar mode
is either
.Li transport
or
.Li tunnel .
If
.Ar mode
is
.Li tunnel ,
you must specify the end-point addresses of the SA as
.Ar src
and
.Ar dst
with a dash,
.Sq - ,
between the addresses.
If
.Ar mode
is
.Li transport ,
both
.Ar src
and
.Ar dst
can be omitted.
The
.Ar level
is one of the following:
.Li default , use , require
or
.Li unique .
At every level, if the SA is not available the kernel will request
the SA from the key exchange daemon.
A value of
.Li default
tells the kernel to use the system-wide default protocol,
e.g. the one from the
.Li esp_trans_deflev
sysctl variable, when the kernel processes the packet.
.Li Use
means that the kernel will use an SA if it is available,
otherwise the kernel will pass the packet as it would normally.
.Li Require
means that an SA is required whenever the kernel sends a packet
that matches the policy.
The
.Li unique
level is the same as
.Li require
but, in addition, it allows the policy to bind with the unique out-bound SA.
For example, if you specify the policy level
.Li unique ,
.Xr racoon 8
will configure the SA for the policy.
If you configure the SA by manual keying for that policy,
you can put the decimal number as the policy identifier after
.Li unique
separated by a colon
.Ql :\&
as in the following example:
.Li unique:number .
In order to bind this policy to the SA,
.Li number
must be between 1 and 32767,
which corresponds to
.Ar extensions Fl u
of manual SA configuration.
.Pp
When you want to use an SA bundle, you can define multiple rules.
For example, if an IP header was followed by an AH header followed by an
ESP header followed by an upper layer protocol header, the rule would
be:
.Dl esp/transport//require ah/transport//require ;
The rule order is very important.
.Pp
Note that
.Dq Li discard
and
.Dq Li none
are not in the syntax described in
.Xr ipsec_set_policy 3 .
There are small, but important, differences in the syntax.
See
.Xr ipsec_set_policy 3
for details.
.Pp
.El
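.Pp
The selector, upperspec and policy grammar above, applied as an added
example: this Python parser is not part of setkey(8) or the KAME/FreeBSD
sources.
It assumes numeric addresses (the -n behaviour, so no FQDN lookup), a
constructed subset of /etc/protocols, and accepts the [any] port form
used in the EXAMPLES section; the dataclass and function names are the
example's own.
Each check it raises on (tunnel mode without src-dst, a unique:number
outside 1..32767, an unknown level) is one the text above spells out.

```python
"""spdadd parser for setkey(8): checks the src_range/dst_range, upperspec and
policy meta-arguments.  Added example, not code from setkey(8) or the
KAME/FreeBSD sources; addresses must be numeric (the -n behaviour)."""
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed subset of /etc/protocols; the real file is not consulted.
PROTOCOL_NAMES = {"tcp", "udp", "icmp", "ipv6-icmp"}
SPECIAL_UPPERSPECS = {"icmp6", "ip4", "any"}
# address | address/prefixlen | address[port] | address/prefixlen[port]
SELECTOR_RE = re.compile(r"^([^/\[\]]+)(?:/(\d+))?(?:\[(\d+|any)\])?$")


@dataclass
class Rule:
    protocol: str            # ah, esp or ipcomp
    mode: str                # transport or tunnel
    endpoints: tuple         # (src, dst) or None; mandatory in tunnel mode
    level: str               # default, use, require or unique
    policy_id: int = None    # N from unique:N, 1..32767

@dataclass
class SpdAdd:
    src: tuple               # (address, prefixlen or None, port or None)
    dst: tuple
    upperspec: str
    direction: str           # in or out
    action: str              # discard, none or ipsec
    rules: list = field(default_factory=list)

def parse_selector(text):
    m = SELECTOR_RE.match(text)
    if not m:
        raise ValueError(f"bad selector {text!r}")
    addr, prefixlen, port = m.groups()
    ip = ipaddress.ip_address(addr)
    if prefixlen is not None:
        prefixlen = int(prefixlen)
        if prefixlen > ip.max_prefixlen:
            raise ValueError(f"prefixlen {prefixlen} too long for {addr}")
    return str(ip), prefixlen, port

def parse_rule(text):
    """protocol/mode/src-dst/level, e.g. esp/tunnel/192.168.0.1-192.168.1.2/require"""
    parts = text.split("/")
    if len(parts) != 4:
        raise ValueError(f"rule {text!r} is not protocol/mode/src-dst/level")
    proto, mode, srcdst, level = parts
    if proto not in ("ah", "esp", "ipcomp") or mode not in ("transport", "tunnel"):
        raise ValueError(f"bad protocol or mode in {text!r}")
    endpoints = None
    if srcdst:
        src, dash, dst = srcdst.partition("-")
        if not dash:
            raise ValueError("end-points must be written src-dst")
        endpoints = (str(ipaddress.ip_address(src)), str(ipaddress.ip_address(dst)))
    elif mode == "tunnel":
        raise ValueError("tunnel mode requires src-dst end-point addresses")
    name, _, num = level.partition(":")
    if name not in ("default", "use", "require", "unique"):
        raise ValueError(f"bad level {level!r}")
    policy_id = None
    if num:
        if name != "unique":
            raise ValueError("only unique takes a :number suffix")
        policy_id = int(num)
        if not 1 <= policy_id <= 32767:   # same range as the -u extension
            raise ValueError("unique:number must be between 1 and 32767")
    return Rule(proto, mode, endpoints, name, policy_id)

def parse_spdadd(line):
    stmt = line.strip()
    if not stmt.endswith(";"):
        raise ValueError("statement must end with ';'")
    tokens = stmt[:-1].split()
    if not tokens or tokens.pop(0) != "spdadd":
        raise ValueError("not an spdadd statement")
    while tokens and tokens[0] in ("-4", "-6", "-n"):
        tokens.pop(0)
    if len(tokens) < 6:
        raise ValueError("expected: src_range dst_range upperspec -P direction policy")
    src, dst = parse_selector(tokens[0]), parse_selector(tokens[1])
    upperspec, i = tokens[2], 3
    if not (upperspec in SPECIAL_UPPERSPECS or upperspec in PROTOCOL_NAMES
            or upperspec.isdigit()):
        raise ValueError(f"unknown upperspec {upperspec!r}")
    # icmp6 may be followed by "type,code"; the kernel treats a zero as a wildcard
    if upperspec == "icmp6" and re.fullmatch(r"\d+,\d+", tokens[i]):
        upperspec, i = f"icmp6 {tokens[i]}", i + 1
    if len(tokens) < i + 3 or tokens[i] != "-P" or tokens[i + 1] not in ("in", "out"):
        raise ValueError("policy must be -P in|out followed by discard, none or ipsec")
    direction, action, rest = tokens[i + 1], tokens[i + 2], tokens[i + 3:]
    if action == "ipsec" and rest:
        rules = [parse_rule(r) for r in rest]   # more than one rule makes an SA bundle
    elif action in ("discard", "none") and not rest:
        rules = []
    else:
        raise ValueError(f"bad policy {action!r} {' '.join(rest)!r}")
    return SpdAdd(src, dst, upperspec, direction, action, rules)
```

Running parse_spdadd over a configuration file before handing it to
setkey -f turns a kernel-side rejection with little diagnostic
information into a line-level error message; rules in the returned list
keep their order, which matters for SA bundles.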
.Pp
.\"
.Sh ALGORITHMS
The following list shows the supported algorithms.
The
.Sy protocol
and
.Sy algorithm
are almost completely orthogonal.
The following list of authentication algorithms can be used as
.Ar aalgo
in the
.Fl A Ar aalgo
of the
.Ar protocol
parameter:
.Pp
.Bd -literal -offset indent
algorithm       keylen (bits)   comment
hmac-md5        128             ah: rfc2403
                128             ah-old: rfc2085
hmac-sha1       160             ah: rfc2404
                160             ah-old: 128bit ICV (no document)
keyed-md5       128             ah: 96bit ICV (no document)
                128             ah-old: rfc1828
keyed-sha1      160             ah: 96bit ICV (no document)
                160             ah-old: 128bit ICV (no document)
null            0 to 2048       for debugging
hmac-sha2-256   256             ah: 96bit ICV
                                (draft-ietf-ipsec-ciph-sha-256-00)
                256             ah-old: 128bit ICV (no document)
hmac-sha2-384   384             ah: 96bit ICV (no document)
                384             ah-old: 128bit ICV (no document)
hmac-sha2-512   512             ah: 96bit ICV (no document)
                512             ah-old: 128bit ICV (no document)
hmac-ripemd160  160             ah: 96bit ICV (RFC2857)
                                ah-old: 128bit ICV (no document)
aes-xcbc-mac    128             ah: 96bit ICV (RFC3566)
                128             ah-old: 128bit ICV (no document)
tcp-md5         8 to 640        tcp: rfc2385
.Ed
.Pp
The following is the list of encryption algorithms that can be used as the
.Ar ealgo
in the
.Fl E Ar ealgo
of the
.Ar protocol
parameter:
.Pp
.Bd -literal -offset indent
algorithm       keylen (bits)   comment
des-cbc         64              esp-old: rfc1829, esp: rfc2405
3des-cbc        192             rfc2451
null            0 to 2048       rfc2410
blowfish-cbc    40 to 448       rfc2451
cast128-cbc     40 to 128       rfc2451
des-deriv       64              ipsec-ciph-des-derived-01
3des-deriv      192             no document
rijndael-cbc    128/192/256     rfc3602
aes-ctr         160/224/288     draft-ietf-ipsec-ciph-aes-ctr-03
.Ed
.Pp
Note that the first 128 bits of a key for
.Li aes-ctr
will be used as the AES key, and the remaining 32 bits will be used as the nonce.
.Pp
The following is the list of compression algorithms that can be used
as the
.Ar calgo
in the
.Fl C Ar calgo
of the
.Ar protocol
parameter:
.Pp
.Bd -literal -offset indent
algorithm       comment
deflate         rfc2394
.Ed
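.Pp
As an added example (not code from setkey(8) or the KAME/FreeBSD tree),
the following Python checker applies the SPI rules from the
.Ar spi
meta-argument and the keylen columns of the tables above to an
.Li add
statement, which is the failure the Configuration syntax section
warns about (a key length that does not match the algorithm).
The PROTOCOLS and EXTENSIONS sets, the function names and the
requirement that each protocol carry its matching -E/-A/-C option are
the example's own assumptions drawn from the
.Ar algorithm
meta-argument; the aes-ctr split follows the note above, with the
nonce taken as the last 32 bits for all three listed sizes as RFC 3686
specifies.

```python
"""Checks for setkey(8) 'add' statements: SPI range, key encoding and key
length per algorithm.  Added example, not code from setkey(8) or the
KAME/FreeBSD sources; the algorithm tables are transcribed from the
ALGORITHMS section of this manual page."""
import shlex

# Allowed key sizes in bits: a set of exact sizes or an inclusive (lo, hi) range.
AUTH_KEYLEN = {
    "hmac-md5": {128}, "hmac-sha1": {160}, "keyed-md5": {128},
    "keyed-sha1": {160}, "null": (0, 2048), "hmac-sha2-256": {256},
    "hmac-sha2-384": {384}, "hmac-sha2-512": {512}, "hmac-ripemd160": {160},
    "aes-xcbc-mac": {128}, "tcp-md5": (8, 640),
}
ENC_KEYLEN = {
    "des-cbc": {64}, "3des-cbc": {192}, "null": (0, 2048),
    "blowfish-cbc": (40, 448), "cast128-cbc": (40, 128), "des-deriv": {64},
    "3des-deriv": {192}, "rijndael-cbc": {128, 192, 256},
    "aes-ctr": {160, 224, 288},
}
COMP_ALGOS = {"deflate"}
PROTOCOLS = {"esp", "esp-old", "ah", "ah-old", "ipcomp", "tcp"}
EXTENSIONS = {"-m", "-r", "-u", "-f", "-lh", "-ls"}  # each takes one argument

def parse_spi(text):
    """Decimal, or hexadecimal with a 0x prefix; 0-255 are reserved by IANA."""
    spi = int(text, 16) if text.lower().startswith("0x") else int(text, 10)
    if not 256 <= spi <= 0xFFFFFFFF:
        raise ValueError(f"SPI {text} outside the usable range 256..2^32-1")
    return spi

def parse_key(text):
    """Double-quoted text or 0x-prefixed hex digits; returns the raw key bytes."""
    if len(text) >= 2 and text[0] == text[-1] == '"':
        return text[1:-1].encode("ascii")
    if text.lower().startswith("0x"):
        return bytes.fromhex(text[2:])      # ValueError on an odd digit count
    raise ValueError(f"key {text!r} must be a quoted string or 0x hex digits")

def keylen_ok(table, algo, key):
    """True when len(key) matches the manual's keylen column for algo."""
    if algo not in table:
        raise ValueError(f"unknown algorithm {algo!r}")
    allowed, bits = table[algo], len(key) * 8
    if isinstance(allowed, tuple):
        return allowed[0] <= bits <= allowed[1]
    return bits in allowed

def aes_ctr_split(key):
    """aes-ctr keys carry the AES key first and a 32-bit nonce last (RFC 3686)."""
    return key[:-4], key[-4:]

def check_add(line):
    """Validate one 'add' statement; returns its fields or raises ValueError."""
    stmt = line.strip()
    if not stmt.endswith(";"):
        raise ValueError("statement must end with ';'")
    # posix=False keeps the double quotes on quoted keys so parse_key can see them
    tokens = shlex.split(stmt[:-1], posix=False)
    if not tokens or tokens.pop(0) != "add":
        raise ValueError("not an add statement")
    while tokens and tokens[0] in ("-4", "-6", "-n"):
        tokens.pop(0)
    if len(tokens) < 4:
        raise ValueError("expected: src dst protocol spi")
    src, dst, protocol, spi_text = tokens[:4]
    if protocol not in PROTOCOLS:
        raise ValueError(f"unknown protocol {protocol!r}")
    spi = parse_spi(spi_text)
    if protocol == "tcp" and spi != 0x1000:
        raise ValueError("TCP-MD5 associations must use SPI 0x1000")
    algos, i = {}, 4
    while i < len(tokens):
        opt = tokens[i]
        if opt in EXTENSIONS and i + 1 < len(tokens):
            i += 2
        elif opt in ("-E", "-A") and i + 2 < len(tokens):
            table = ENC_KEYLEN if opt == "-E" else AUTH_KEYLEN
            algo, key = tokens[i + 1], parse_key(tokens[i + 2])
            if not keylen_ok(table, algo, key):
                raise ValueError(f"{len(key) * 8}-bit key does not match {algo}")
            algos[opt[1]] = (algo, key)
            i += 3
        elif opt == "-C" and i + 1 < len(tokens):
            if tokens[i + 1] not in COMP_ALGOS:
                raise ValueError(f"unknown compression algorithm {tokens[i + 1]!r}")
            algos["C"] = (tokens[i + 1], None)
            i += 3 if tokens[i + 2:i + 3] == ["-R"] else 2
        else:
            raise ValueError(f"unexpected or incomplete option at {opt!r}")
    # The algorithm meta-argument pairs -E with ESP, -A with AH and TCP-MD5, -C with IPComp.
    needed = {"esp": "E", "esp-old": "E", "ah": "A", "ah-old": "A", "tcp": "A", "ipcomp": "C"}
    if needed[protocol] not in algos:
        raise ValueError(f"{protocol} requires -{needed[protocol]}")
    return {"src": src, "dst": dst, "protocol": protocol, "spi": spi, "algorithms": algos}
```

The statements in the EXAMPLES section all pass these checks; note in
particular that the quoted ASCII keys there have exactly the byte
counts the tables require (20 bytes for hmac-sha1, 16 for hmac-md5),
which is why quoted text is accepted at all.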
.\"
.Sh EXIT STATUS
.Ex -std
.\"
.Sh EXAMPLES
Add an ESP SA between two IPv6 addresses using the
des-cbc encryption algorithm.
.Bd -literal -offset
add 3ffe:501:4819::1 3ffe:501:481d::1 esp 123457
        -E des-cbc 0x3ffe05014819ffff ;

.Ed
.\"
Add an authentication SA between two FQDN-specified hosts:
.Bd -literal -offset
add -6 myhost.example.com yourhost.example.com ah 123456
        -A hmac-sha1 "AH SA configuration!" ;

.Ed
Use both ESP and AH between two numerically specified hosts:
.Bd -literal -offset
add 10.0.11.41 10.0.11.33 esp 0x10001
        -E des-cbc 0x3ffe05014819ffff
        -A hmac-md5 "authentication!!" ;

.Ed
Get the SA information associated with the first example above:
.Bd -literal -offset
get 3ffe:501:4819::1 3ffe:501:481d::1 ah 123456 ;

.Ed
Flush all entries from the database:
.Bd -literal -offset
flush ;

.Ed
Dump the ESP entries from the database:
.Bd -literal -offset
dump esp ;

.Ed
Add a security policy between two networks that uses ESP in tunnel mode:
.Bd -literal -offset
spdadd 10.0.11.41/32[21] 10.0.11.33/32[any] any
        -P out ipsec esp/tunnel/192.168.0.1-192.168.1.2/require ;

.Ed
Use TCP MD5 between two numerically specified hosts:
.Bd -literal -offset
add 10.1.10.34 10.1.10.36 tcp 0x1000 -A tcp-md5 "TCP-MD5 BGP secret" ;

.Ed
.\"
.Sh SEE ALSO
.Xr ipsec_set_policy 3 ,
.Xr racoon 8 ,
.Xr sysctl 8
.Rs
.%T "Changed manual key configuration for IPsec"
.%O "http://www.kame.net/newsletter/19991007/"
.%D "October 1999"
.Re
.\"
.Sh HISTORY
The
.Nm
utility first appeared in the WIDE Hydrangea IPv6 protocol stack kit.
The utility was completely re-designed in June 1998.
.\"
.Sh BUGS
The
.Nm
utility
should report and handle syntax errors better.
.Pp
For IPsec gateway configuration,
.Ar src_range
and
.Ar dst_range
with TCP/UDP port number do not work, as the gateway does not reassemble
packets
(cannot inspect upper-layer headers).