authorChristian Weisgerber <naddy@cvs.openbsd.org>2006-08-29 17:52:41 +0000
committerChristian Weisgerber <naddy@cvs.openbsd.org>2006-08-29 17:52:41 +0000
commit1eea2b74c8f4515abd7c948dc126551b6634f826 (patch)
treea65ce43e8f8a48b03572db6f6b8a2291703e1a01
parent6902abaac8b7ea7eda926ed3ade0bd10893a5648 (diff)
Add support for IKE AH rules to ipsecctl. Man page input by jmc@.
ok hshoexer@
-rw-r--r--regress/sbin/ipsecctl/Makefile6
-rw-r--r--regress/sbin/ipsecctl/ike53.in1
-rw-r--r--regress/sbin/ipsecctl/ike53.ok18
-rw-r--r--regress/sbin/ipsecctl/ike54.in1
-rw-r--r--regress/sbin/ipsecctl/ike54.ok21
-rw-r--r--regress/sbin/ipsecctl/ike55.in1
-rw-r--r--regress/sbin/ipsecctl/ike55.ok18
-rw-r--r--regress/sbin/ipsecctl/ikefail6.in1
-rw-r--r--regress/sbin/ipsecctl/ikefail6.ok14
-rw-r--r--sbin/ipsecctl/ike.c57
-rw-r--r--sbin/ipsecctl/ipsec.conf.520
11 files changed, 127 insertions, 31 deletions
diff --git a/regress/sbin/ipsecctl/Makefile b/regress/sbin/ipsecctl/Makefile
index ecdbce94f6e..6961b629de7 100644
--- a/regress/sbin/ipsecctl/Makefile
+++ b/regress/sbin/ipsecctl/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.40 2006/07/21 12:50:55 hshoexer Exp $
+# $OpenBSD: Makefile,v 1.41 2006/08/29 17:52:40 naddy Exp $
# TARGETS
# ipsec: feed ipsecNN.in through ipsecctl and check wether the output matches
@@ -14,11 +14,11 @@ TCPMD5TESTS=1 2 3
SATESTS=1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24
SAFAIL=1 2
IPSECFAIL=1 2
-IKEFAIL=1 3 4 5
+IKEFAIL=1 3 4 5 6
IKETESTS=1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
IKETESTS+=16 17 18 19 20 21 22 23
IKETESTS+=29 30 31 32 33 34 35 36 37 38 39 40
-IKETESTS+=41 42 43 46 47 48 49 50 51 52
+IKETESTS+=41 42 43 46 47 48 49 50 51 52 53 54 55
IKEDELTESTS=1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
IKEDELTESTS+=16 17 18 19 20 21 22 23
diff --git a/regress/sbin/ipsecctl/ike53.in b/regress/sbin/ipsecctl/ike53.in
new file mode 100644
index 00000000000..0f93f39768b
--- /dev/null
+++ b/regress/sbin/ipsecctl/ike53.in
@@ -0,0 +1 @@
+ike ah from 1.1.1.1 to 2.2.2.2
diff --git a/regress/sbin/ipsecctl/ike53.ok b/regress/sbin/ipsecctl/ike53.ok
new file mode 100644
index 00000000000..884712edaef
--- /dev/null
+++ b/regress/sbin/ipsecctl/ike53.ok
@@ -0,0 +1,18 @@
+C set [Phase 1]:2.2.2.2=peer-2.2.2.2 force
+C set [peer-2.2.2.2]:Phase=1 force
+C set [peer-2.2.2.2]:Address=2.2.2.2 force
+C set [peer-2.2.2.2]:Configuration=mm-2.2.2.2 force
+C set [mm-2.2.2.2]:EXCHANGE_TYPE=ID_PROT force
+C add [mm-2.2.2.2]:Transforms=AES-SHA-RSA_SIG force
+C set [IPsec-1.1.1.1-2.2.2.2]:Phase=2 force
+C set [IPsec-1.1.1.1-2.2.2.2]:ISAKMP-peer=peer-2.2.2.2 force
+C set [IPsec-1.1.1.1-2.2.2.2]:Configuration=qm-1.1.1.1-2.2.2.2 force
+C set [IPsec-1.1.1.1-2.2.2.2]:Local-ID=lid-1.1.1.1 force
+C set [IPsec-1.1.1.1-2.2.2.2]:Remote-ID=rid-2.2.2.2 force
+C set [qm-1.1.1.1-2.2.2.2]:EXCHANGE_TYPE=QUICK_MODE force
+C set [qm-1.1.1.1-2.2.2.2]:Suites=QM-AH-SHA2-256-PFS-SUITE force
+C set [lid-1.1.1.1]:ID-type=IPV4_ADDR force
+C set [lid-1.1.1.1]:Address=1.1.1.1 force
+C set [rid-2.2.2.2]:ID-type=IPV4_ADDR force
+C set [rid-2.2.2.2]:Address=2.2.2.2 force
+C add [Phase 2]:Connections=IPsec-1.1.1.1-2.2.2.2
diff --git a/regress/sbin/ipsecctl/ike54.in b/regress/sbin/ipsecctl/ike54.in
new file mode 100644
index 00000000000..a51f0e23809
--- /dev/null
+++ b/regress/sbin/ipsecctl/ike54.in
@@ -0,0 +1 @@
+ike ah transport proto udp from 1.1.1.1 port ntp to any
diff --git a/regress/sbin/ipsecctl/ike54.ok b/regress/sbin/ipsecctl/ike54.ok
new file mode 100644
index 00000000000..33c41b9eca0
--- /dev/null
+++ b/regress/sbin/ipsecctl/ike54.ok
@@ -0,0 +1,21 @@
+C set [Phase 1]:Default=peer-default force
+C set [peer-default]:Phase=1 force
+C set [peer-default]:Configuration=mm-default force
+C set [mm-default]:EXCHANGE_TYPE=ID_PROT force
+C add [mm-default]:Transforms=AES-SHA-RSA_SIG force
+C set [IPsec-1.1.1.1-0.0.0.0/0]:Phase=2 force
+C set [IPsec-1.1.1.1-0.0.0.0/0]:ISAKMP-peer=peer-default force
+C set [IPsec-1.1.1.1-0.0.0.0/0]:Configuration=qm-1.1.1.1-0.0.0.0/0 force
+C set [IPsec-1.1.1.1-0.0.0.0/0]:Local-ID=lid-1.1.1.1 force
+C set [IPsec-1.1.1.1-0.0.0.0/0]:Remote-ID=rid-0.0.0.0/0 force
+C set [qm-1.1.1.1-0.0.0.0/0]:EXCHANGE_TYPE=QUICK_MODE force
+C set [qm-1.1.1.1-0.0.0.0/0]:Suites=QM-AH-TRP-SHA2-256-PFS-SUITE force
+C set [lid-1.1.1.1]:ID-type=IPV4_ADDR force
+C set [lid-1.1.1.1]:Address=1.1.1.1 force
+C set [rid-0.0.0.0/0]:ID-type=IPV4_ADDR_SUBNET force
+C set [rid-0.0.0.0/0]:Network=0.0.0.0 force
+C set [rid-0.0.0.0/0]:Netmask=0.0.0.0 force
+C set [lid-1.1.1.1]:Protocol=17 force
+C set [rid-0.0.0.0/0]:Protocol=17 force
+C set [lid-1.1.1.1]:Port=123 force
+C add [Phase 2]:Connections=IPsec-1.1.1.1-0.0.0.0/0
diff --git a/regress/sbin/ipsecctl/ike55.in b/regress/sbin/ipsecctl/ike55.in
new file mode 100644
index 00000000000..34d49a5f5ce
--- /dev/null
+++ b/regress/sbin/ipsecctl/ike55.in
@@ -0,0 +1 @@
+ike ah from 1.1.1.1 to 2.2.2.2 quick auth hmac-md5
diff --git a/regress/sbin/ipsecctl/ike55.ok b/regress/sbin/ipsecctl/ike55.ok
new file mode 100644
index 00000000000..02d884ecc17
--- /dev/null
+++ b/regress/sbin/ipsecctl/ike55.ok
@@ -0,0 +1,18 @@
+C set [Phase 1]:2.2.2.2=peer-2.2.2.2 force
+C set [peer-2.2.2.2]:Phase=1 force
+C set [peer-2.2.2.2]:Address=2.2.2.2 force
+C set [peer-2.2.2.2]:Configuration=mm-2.2.2.2 force
+C set [mm-2.2.2.2]:EXCHANGE_TYPE=ID_PROT force
+C add [mm-2.2.2.2]:Transforms=AES-SHA-RSA_SIG force
+C set [IPsec-1.1.1.1-2.2.2.2]:Phase=2 force
+C set [IPsec-1.1.1.1-2.2.2.2]:ISAKMP-peer=peer-2.2.2.2 force
+C set [IPsec-1.1.1.1-2.2.2.2]:Configuration=qm-1.1.1.1-2.2.2.2 force
+C set [IPsec-1.1.1.1-2.2.2.2]:Local-ID=lid-1.1.1.1 force
+C set [IPsec-1.1.1.1-2.2.2.2]:Remote-ID=rid-2.2.2.2 force
+C set [qm-1.1.1.1-2.2.2.2]:EXCHANGE_TYPE=QUICK_MODE force
+C set [qm-1.1.1.1-2.2.2.2]:Suites=QM-AH-MD5-PFS-SUITE force
+C set [lid-1.1.1.1]:ID-type=IPV4_ADDR force
+C set [lid-1.1.1.1]:Address=1.1.1.1 force
+C set [rid-2.2.2.2]:ID-type=IPV4_ADDR force
+C set [rid-2.2.2.2]:Address=2.2.2.2 force
+C add [Phase 2]:Connections=IPsec-1.1.1.1-2.2.2.2
diff --git a/regress/sbin/ipsecctl/ikefail6.in b/regress/sbin/ipsecctl/ikefail6.in
new file mode 100644
index 00000000000..e13e85d46f0
--- /dev/null
+++ b/regress/sbin/ipsecctl/ikefail6.in
@@ -0,0 +1 @@
+ike ah from 1.1.1.1 to 2.2.2.2 quick enc aes
diff --git a/regress/sbin/ipsecctl/ikefail6.ok b/regress/sbin/ipsecctl/ikefail6.ok
new file mode 100644
index 00000000000..373f800c289
--- /dev/null
+++ b/regress/sbin/ipsecctl/ikefail6.ok
@@ -0,0 +1,14 @@
+ipsecctl: illegal transform aes
+C set [Phase 1]:2.2.2.2=peer-2.2.2.2 force
+C set [peer-2.2.2.2]:Phase=1 force
+C set [peer-2.2.2.2]:Address=2.2.2.2 force
+C set [peer-2.2.2.2]:Configuration=mm-2.2.2.2 force
+C set [mm-2.2.2.2]:EXCHANGE_TYPE=ID_PROT force
+C add [mm-2.2.2.2]:Transforms=AES-SHA-RSA_SIG force
+C set [IPsec-1.1.1.1-2.2.2.2]:Phase=2 force
+C set [IPsec-1.1.1.1-2.2.2.2]:ISAKMP-peer=peer-2.2.2.2 force
+C set [IPsec-1.1.1.1-2.2.2.2]:Configuration=qm-1.1.1.1-2.2.2.2 force
+C set [IPsec-1.1.1.1-2.2.2.2]:Local-ID=lid-1.1.1.1 force
+C set [IPsec-1.1.1.1-2.2.2.2]:Remote-ID=rid-2.2.2.2 force
+C set [qm-1.1.1.1-2.2.2.2]:EXCHANGE_TYPE=QUICK_MODE force
+C set [qm-1.1.1.1-2.2.2.2]:Suites=QM-AH- \ No newline at end of file
diff --git a/sbin/ipsecctl/ike.c b/sbin/ipsecctl/ike.c
index 8b08170b460..1257e139e1f 100644
--- a/sbin/ipsecctl/ike.c
+++ b/sbin/ipsecctl/ike.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ike.c,v 1.46 2006/07/21 12:34:52 hshoexer Exp $ */
+/* $OpenBSD: ike.c,v 1.47 2006/08/29 17:52:40 naddy Exp $ */
/*
* Copyright (c) 2005 Hans-Joerg Hoexer <hshoexer@openbsd.org>
*
@@ -189,6 +189,9 @@ ike_section_qm(struct ipsec_addr_wrap *src, struct ipsec_addr_wrap *dst,
case IPSEC_ESP:
fprintf(fd, "ESP");
break;
+ case IPSEC_AH:
+ fprintf(fd, "AH");
+ break;
default:
warnx("illegal satype %d", satype);
return (-1);
@@ -207,32 +210,38 @@ ike_section_qm(struct ipsec_addr_wrap *src, struct ipsec_addr_wrap *dst,
}
if (qmxfs && qmxfs->encxf) {
- switch (qmxfs->encxf->id) {
- case ENCXF_3DES_CBC:
- fprintf(fd, "3DES");
- break;
- case ENCXF_DES_CBC:
- fprintf(fd, "DES");
- break;
- case ENCXF_AES:
- fprintf(fd, "AES");
- break;
- case ENCXF_AESCTR:
- fprintf(fd, "AESCTR");
- break;
- case ENCXF_BLOWFISH:
- fprintf(fd, "BLF");
- break;
- case ENCXF_CAST128:
- fprintf(fd, "CAST");
- break;
- default:
+ if (satype == IPSEC_ESP) {
+ switch (qmxfs->encxf->id) {
+ case ENCXF_3DES_CBC:
+ fprintf(fd, "3DES");
+ break;
+ case ENCXF_DES_CBC:
+ fprintf(fd, "DES");
+ break;
+ case ENCXF_AES:
+ fprintf(fd, "AES");
+ break;
+ case ENCXF_AESCTR:
+ fprintf(fd, "AESCTR");
+ break;
+ case ENCXF_BLOWFISH:
+ fprintf(fd, "BLF");
+ break;
+ case ENCXF_CAST128:
+ fprintf(fd, "CAST");
+ break;
+ default:
+ warnx("illegal transform %s",
+ qmxfs->encxf->name);
+ return (-1);
+ }
+ fprintf(fd, "-");
+ } else {
warnx("illegal transform %s", qmxfs->encxf->name);
return (-1);
}
- } else
- fprintf(fd, "AES");
- fprintf(fd, "-");
+ } else if (satype == IPSEC_ESP)
+ fprintf(fd, "AES-");
if (qmxfs && qmxfs->authxf) {
switch (qmxfs->authxf->id) {
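Review bot: The AH/encryption-transform conflict is detected only after the Suites line has been partly written: on `ike ah ... quick enc aes` the new `else` branch returns -1 when `QM-AH-` has already gone to `fd`, which is exactly what the truncated ikefail6.ok in this commit shows. Checking the combination before the first fprintf of ike_section_qm (whose start and end lie outside this hunk), e.g. `if (qmxfs && qmxfs->encxf && satype != IPSEC_ESP) { warnx(...); return (-1); }`, keeps the emitted configuration either complete or absent, and rejecting the combination in the parser would be cleaner still. The message `illegal transform aes` also misstates the cause, since aes is a valid ESP transform; `warnx("encryption transform %s not allowed with AH", qmxfs->encxf->name)` would be clearer, though ikefail6.ok pins the current text and would have to change with it.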
diff --git a/sbin/ipsecctl/ipsec.conf.5 b/sbin/ipsecctl/ipsec.conf.5
index 98ea572233d..3e5bc2aceee 100644
--- a/sbin/ipsecctl/ipsec.conf.5
+++ b/sbin/ipsecctl/ipsec.conf.5
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ipsec.conf.5,v 1.60 2006/07/22 16:47:49 jmc Exp $
+.\" $OpenBSD: ipsec.conf.5,v 1.61 2006/08/29 17:52:40 naddy Exp $
.\"
.\" Copyright (c) 2004 Mathieu Sauve-Frankel All rights reserved.
.\"
@@ -378,13 +378,14 @@ and
.Sh AUTOMATIC KEYING USING ISAKMP/IKE
Rules can also specify IPsec flows and SAs to be established automatically by
.Xr isakmpd 8 .
-This is accomplished by the following rule:
+This is accomplished by the following rules:
.Bl -tag -width xxxx
.It Ic ike esp
Creates an IPsec tunnel using ESP.
+.It Ic ike ah
+Creates an IPsec tunnel using AH.
.El
.Pp
-Note that AH is not yet supported.
See
.Xr isakmpd 8
for details on ISAKMP/IKE.
@@ -403,7 +404,6 @@ as symbolic host names, interface names or interface group names.
.It Xo
.Ic ike
.Aq Ar mode
-.Ic esp
.Xc
When
.Ar passive
@@ -430,6 +430,18 @@ If omitted,
.Ar active
mode will be used.
.It Xo
+.Aq Ar encap
+.Xc
+The encapsulation protocol to be used.
+Possible protocols are
+.Ar esp
+and
+.Ar ah .
+The default is
+.Ar esp .
+For details on ESP and AH see
+.Xr ipsec 4 .
+.It Xo
.Aq Ar tmode
.Xc
The encapsulation mode to be used can be specified.