summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAngelos D. Keromytis <angelos@cvs.openbsd.org>2000-04-22 02:04:24 +0000
committerAngelos D. Keromytis <angelos@cvs.openbsd.org>2000-04-22 02:04:24 +0000
commit39daeeadd16f12c9a735eb0fb0f0c6e611407583 (patch)
tree03af0a4d70a279abc311e34a8d4f3cc662128080
parent4b01db585bd101d9d55938f15f3e7b504f9d23d0 (diff)
Change the example to use -keyfile/-authkeyfile, add a sentence on why
-key/-authkey are somewhat risky (command line snooping).
-rw-r--r--share/man/man8/vpn.824
1 files changed, 17 insertions, 7 deletions
diff --git a/share/man/man8/vpn.8 b/share/man/man8/vpn.8
index 020aaa90dfb..ac862e6281a 100644
--- a/share/man/man8/vpn.8
+++ b/share/man/man8/vpn.8
@@ -1,4 +1,4 @@
-.\" $OpenBSD: vpn.8,v 1.31 2000/04/21 21:37:49 deraadt Exp $
+.\" $OpenBSD: vpn.8,v 1.32 2000/04/22 02:04:23 angelos Exp $
.\" Copyright 1998 Niels Provos <provos@physnet.uni-hamburg.de>
.\" All rights reserved.
.\"
@@ -139,14 +139,24 @@ must be defined on each end of the VPN, e.g.:
ipsecadm new esp -spi SPI_OUT -src A_EXTERNAL_IP
-dst B_EXTERNAL_IP -forcetunnel
-enc 3des -auth sha1
- -key ENCRYPTION_KEY -authkey AUTHENTICATION_KEY
+ -keyfile ENCRYPTION_KEY_FILE -authkeyfile AUTHENTICATION_KEY_FILE
ipsecadm new esp -spi SPI_IN -src B_EXTERNAL_IP
-dst A_EXTERNAL_IP -forcetunnel
-enc 3des -auth sha1
- -key ENCRYPTION_KEY -authkey AUTHENTICATION_KEY
+ -keyfile ENCRYPTION_KEY_FILE -authkeyfile AUTHENTICATION_KEY_FILE
.Ed
.Pp
+Note that the
+.Fl key
+and
+.Fl authkey
+may be used to specify the keys directly in the
+.Xr ipsecadm 8
+command line. However, another user could view the files by using the
+.Xr ps 1
+command at the appropriate time (or use a program for doing so).
+.Pp
.Ss Creating IPSec Flows
Both IPsec gateways need to configure
.Xr ipsec 4
@@ -289,15 +299,15 @@ c9fff55b501206a6607fb45c392c5e1568db2aaf
Create the Security Associations (on both endpoints):
.Pp
.Bd -literal
+# echo 596a96cc7bf9108cd896f33c44aedc8aa8acf0b8c74acd62 > enc_key
+# echo c9fff55b501206a6607fb45c392c5e1568db2aaf > auth_key
# /sbin/ipsecadm new esp -src 192.168.2.1 -dst 192.168.1.254 \e\
-forcetunnel -spi 1000 -enc 3des -auth sha1 \e\
- -key 596a96cc7bf9108cd896f33c44aedc8aa8acf0b8c74acd62 \e\
- -authkey c9fff55b501206a6607fb45c392c5e1568db2aaf
+ -keyfile enc_key -authkeyfile auth_key
# /sbin/ipsecadm new esp -src 192.168.1.254 -dst 192.168.2.1 \e\
-forcetunnel -spi 1001 -enc 3des -auth sha1 \e\
- -key 596a96cc7bf9108cd896f33c44aedc8aa8acf0b8c74acd62 \e\
- -authkey c9fff55b501206a6607fb45c392c5e1568db2aaf
+ -keyfile enc_key -authkeyfile auth_key
.Ed
.Pp
.It