| author | Henning Brauer <henning@cvs.openbsd.org> | 2004-05-08 20:00:45 +0000 |
|---|---|---|
| committer | Henning Brauer <henning@cvs.openbsd.org> | 2004-05-08 20:00:45 +0000 |
| commit | 127df57137697ff721a641a1527d9fd5ee7dc1bb (patch) | |
| tree | 5c04b01f7f5f43c21145e37abde9c2423eac164f | |
| parent | 63a76f57ef1ca4f60bf7c7485abd6579ca91b2ac (diff) | |
a bloody attempt at documenting the ipsec fluff.
this needs to be fleshed out and polished, but at least it is somewhat
documented now...
-rw-r--r-- | usr.sbin/bgpd/bgpd.conf.5 | 64 |
1 files changed, 62 insertions, 2 deletions
diff --git a/usr.sbin/bgpd/bgpd.conf.5 b/usr.sbin/bgpd/bgpd.conf.5 index c594613170c..cbe9b58e9a6 100644 --- a/usr.sbin/bgpd/bgpd.conf.5 +++ b/usr.sbin/bgpd/bgpd.conf.5 @@ -1,4 +1,4 @@ -.\" $OpenBSD: bgpd.conf.5,v 1.22 2004/05/07 10:06:15 djm Exp $ +.\" $OpenBSD: bgpd.conf.5,v 1.23 2004/05/08 20:00:44 henning Exp $ .\" .\" Copyright (c) 2004 Claudio Jeker <claudio@openbsd.org> .\" Copyright (c) 2003, 2004 Henning Brauer <henning@openbsd.org> 
@@ -359,6 +359,63 @@ The shared secret can either be given as a password or hexadecimal key. tcp md5sig password mekmidasdigoat tcp md5sig key deadbeef .Ed +.It Ar ipsec (ah|esp) (in|out) spi <number> <authspec> [<encspec>] +Enable IPsec with static keying. +There have to be at least two "ipsec" statements per peer with manual +keying, one per direction. +.Ar authspec +specifies the authentication algorithm and key. +It can be +.Bd -literal -offset indent +sha1 <key> +md5 <key> +.Ed +.Pp +.Ar encspec +specifies the encryption algorithm and key. +.Ar ah +does not support encryption. +With +.Ar esp , +encryption is optional. +.Ar encspec +can be +.Bd -literal -offset indent +3des <key> +3des-cbc <key> +aes <key> +aes-128-cbc <key> +.Ed +.Pp +Keys have to be given in hexadecimal format. +.It Ar ipsec (ah|esp) ike +Enable IPsec with dynamic keying. +In this mode, +.Ar bgpd +sets up the flows, and a key management daemon such as +.Xr isakmpd 8 +is responsible for the session keys. +With +.Xr isakmpd 8 , +it is sufficient to copy the peer's public key, found in +.Pa /etc/isakmpd/private/local.pub +to the local machine. It has to be stored in a file +named after the peer's IP address and has to be stored in +.Pa /etc/isakmpd/pubkeys/ipv4/ . +The local public key has to be copied to the peer in the same way. +A simple +.Pa /etc/isakmpd/isakmpd.policy +file is needed as well, it can be as simple as +.Bd -literal -offset indent +Authorizer: "POLICY" +Comment: This bare-bones assertion accepts everything +.Ed +.Pp +After starting the +.Xr isakmpd 8 +and +.Ar bgpd +daemons on both sides the session should be established. .El .Sh FILTER .Ar bgpd @@ -563,8 +620,11 @@ configuration file. .El .Sh SEE ALSO .Xr strftime 3 , +.Xr ipsec 4 , .Xr tcp 4 , -.Xr bgpd 8 +.Xr bgpd 8 , +.Xr ipsecadm 8 , +.Xr isakmpd 8 .Sh HISTORY The .Nm |
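Review bot: in the `@@ -359,6 +359,63 @@` hunk, the new `ipsec (ah|esp) (in|out) spi <number> <authspec> [<encspec>]` entry says "Keys have to be given in hexadecimal format" but never says how long each key must be, so a reader cannot write a valid `sha1 <key>` or `aes <key>` line without trial and error; put the required size next to each algorithm (the standard sizes for HMAC-SHA1, HMAC-MD5, 3DES-CBC and AES-128-CBC are 20, 16, 24 and 16 bytes, i.e. 40, 32, 48 and 32 hex digits) and state that the `in` SPI and keys on one side must be the peer's `out` SPI and keys, which is the point of "one per direction". Two smaller items in the same hunk: the `encspec` list shows `3des`/`3des-cbc` and `aes`/`aes-128-cbc` as four separate choices, so say explicitly if the short names are aliases; and the `isakmpd.policy` example, whose own comment reads "This bare-bones assertion accepts everything", should be followed by a sentence that it authorizes any peer whose public key is installed and that a tighter policy is advisable once the session works. Finally, "found in .Pa /etc/isakmpd/private/local.pub to the local machine. It has to be stored in a file" needs a comma after the path (`.Pa /etc/isakmpd/private/local.pub ,`) to read correctly.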
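Review bot: in the `@@ -563,8 +620,11 @@` hunk, the SEE ALSO additions are in the right section order, but the text added earlier in this patch tells the reader to create an `/etc/isakmpd/isakmpd.policy` file, so the manual page for that file format should be cross-referenced too; add `.Xr isakmpd.policy 5 ,` between `.Xr tcp 4 ,` and `.Xr bgpd 8 ,` so the list stays sorted by section.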