authorTheo de Raadt <deraadt@cvs.openbsd.org>1998-11-14 23:37:31 +0000
committerTheo de Raadt <deraadt@cvs.openbsd.org>1998-11-14 23:37:31 +0000
commit1264df3a5da0b4ba93aa3f250a20101bcc19e1ca (patch)
treeec96c7e83c6ea2756e246d730c9ceddb9ea8a1d6 /sbin/ipsecadm
parentbf316445157edd81f8d5e3f6e30d26fe295990bb (diff)
move ipsec tools into .
Diffstat (limited to 'sbin/ipsecadm')
-rw-r--r--sbin/ipsecadm/Makefile7
-rw-r--r--sbin/ipsecadm/ipsecadm.1313
-rw-r--r--sbin/ipsecadm/ipsecadm.c494
-rw-r--r--sbin/ipsecadm/kernel.c80
-rw-r--r--sbin/ipsecadm/xf_ah_new.c107
-rw-r--r--sbin/ipsecadm/xf_ah_old.c105
-rw-r--r--sbin/ipsecadm/xf_delspi.c91
-rw-r--r--sbin/ipsecadm/xf_esp_new.c127
-rw-r--r--sbin/ipsecadm/xf_esp_old.c112
-rw-r--r--sbin/ipsecadm/xf_flow.c155
-rw-r--r--sbin/ipsecadm/xf_grp.c94
-rw-r--r--sbin/ipsecadm/xf_ip4.c92
12 files changed, 1777 insertions, 0 deletions
diff --git a/sbin/ipsecadm/Makefile b/sbin/ipsecadm/Makefile
new file mode 100644
index 00000000000..734515dd7cb
--- /dev/null
+++ b/sbin/ipsecadm/Makefile
@@ -0,0 +1,7 @@
+# $OpenBSD: Makefile,v 1.1 1998/11/14 23:37:20 deraadt Exp $
+
+PROG= ipsecadm
+SRCS= ipsecadm.c kernel.c xf_esp_new.c xf_esp_old.c xf_ah_old.c xf_ah_new.c \
+ xf_delspi.c xf_grp.c xf_ip4.c xf_flow.c
+
+.include <bsd.prog.mk>
diff --git a/sbin/ipsecadm/ipsecadm.1 b/sbin/ipsecadm/ipsecadm.1
new file mode 100644
index 00000000000..bfcf324712e
--- /dev/null
+++ b/sbin/ipsecadm/ipsecadm.1
@@ -0,0 +1,313 @@
+.\" $OpenBSD: ipsecadm.1,v 1.1 1998/11/14 23:37:20 deraadt Exp $
+.\" Copyright 1997 Niels Provos <provos@physnet.uni-hamburg.de>
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\" 3. All advertising materials mentioning features or use of this software
+.\" must display the following acknowledgement:
+.\" This product includes software developed by Niels Provos.
+.\" 4. The name of the author may not be used to endorse or promote products
+.\" derived from this software without specific prior written permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+.\"
+.\" Manual page, using -mandoc macros
+.\"
+.Dd August 26, 1997
+.Dt IPSECADM 1
+.Os
+.Sh NAME
+.Nm ipsecadm
+.Nd interface to setup IPSec
+.Sh SYNOPSIS
+.Nm ipsecadm
+.Op command
+.Ar modifiers ...
+.Sh DESCRIPTION
+The
+.Nm ipsecadm
+utility allows sets up security associations in the kernel
+to be used with
+.Xr ipsec 4 .
+It can be used to specify the encryption and authentication
+algorithms and key material for the network layer security
+provided by IPSec.
+The possible commands are:
+.Bl -tag -width new_esp
+.It new esp
+Setup a Security Parameters Index (SPI) which uses the new esp transforms.
+Encryption and authentication algorithms can be applied.
+This is the default mode.
+Allowed
+modifiers are:
+.Fl dst ,
+.Fl src ,
+.Fl spi ,
+.Fl tunnel ,
+.Fl enc ,
+.Fl auth ,
+.Fl iv ,
+.Fl newpadding ,
+.Fl authkey ,
+and
+.Fl key .
+.It old esp
+Setup a SPI which uses the old esp transforms. Only
+encryption algorithms can be applied. Allowed modifiers are:
+.Fl dst ,
+.Fl src ,
+.Fl spi ,
+.Fl tunnel ,
+.Fl enc ,
+.Fl iv
+and
+.Fl key .
+.It new ah
+Setup a SPI which uses the new ah transforms. Authentication
+will be done with HMAC using the specified hash algorithm. Allowed modifiers
+are:
+.Fl dst ,
+.Fl src ,
+.Fl spi ,
+.Fl tunnel ,
+.Fl auth ,
+and
+.Fl key .
+.It old ah
+Setup a SPI which uses the old ah transforms. Simple keyed
+hashes will be used for authentication. Allowed modifiers are:
+.Fl dst ,
+.Fl src ,
+.Fl spi ,
+.Fl tunnel ,
+.Fl auth ,
+and
+.Fl key .
+.It ip4
+Setup an SPI which uses the IP-in-IP encapsulation protocol. This mode
+offers no security services by itself, but can be used to route other
+(experimental or otherwise) protocols over an IP network. The SPI value
+is not used for anything other than referencing the information, and
+does not appear on the wire. Unlike other setups, like new esp, there
+is no necessary setup in the receiving side. Allowed modifiers are:
+.Fl dst ,
+.Fl src ,
+.Fl spi ,
+and
+.Fl tunnel .
+.It delspi
+The specified Security Association (SA) will be deleted. An SA consists of
+the destination address, SPI and security protocol. Allowed modifiers are:
+.Fl dst ,
+.Fl spi ,
+.Fl proto .
+and
+.Fl chain .
+.It group
+Group two SA's together. Allowed modifiers are:
+.Fl dst ,
+.Fl spi ,
+.Fl proto ,
+.Fl dst2 ,
+.Fl spi2 ,
+and
+.Fl proto2 .
+.It flow
+Create a flow determining which packets are routed via which Security
+Association. Allowed modifiers are:
+.Fl dst ,
+.Fl spi ,
+.Fl proto ,
+.Fl addr ,
+.Fl transport ,
+.Fl sport ,
+.Fl dport ,
+.FL local ,
+.Fl delete .
+The
+.Xr netstat 1
+command shows the existing flows.
+.El
+.Pp
+If no command is given
+.Xr ipsecadm 1
+defaults to new esp mode.
+.Pp
+The modifiers have the following meanings:
+.Bl -tag -width newpadding -offset indent
+.It src
+The source IP address for the SPI. This is necessary for incoming
+SAs to avoid source address spoofing between mutually
+suspicious hosts that have established SAs with us. For outgoing SAs, this
+field is used if the SA is for packets that originate from this host, and
+its purpose is to slightly speedup packet processing. If this field is
+zero (0.0.0.0), no spoofing check will be done for incoming SAs, and an
+extra routing lookup may be necessary for certain classes of packets that
+originate from the local machine and make use of the SA. The value in this
+field is not used when processing outgoing packets in
+.Xr vpn 8
+mode (encrypting/authenticating other hosts' packets).
+.It dst
+The destination IP address for the SPI.
+.It spi
+The unique Security Parameter Index (SPI).
+.It tunnel
+The source and destination IP addresses for the external IP header.
+.It newpadding
+For new ESP, specify new style self-describing padding should be used.
+.It enc
+The encryption algorithm to be used with the SPI. Possible values
+are:
+.Nm des
+and
+.Nm 3des
+for both old and new esp.
+Notice that hardware crackers for DES can be (and have been) built for
+US$250,000. Use DES for encryption of critical information at your risk.
+We suggest using of 3DES instead. The DES support is kept for interoperability
+(with old implementations) purposes only.
+Blowfish encryption
+.Nm blf
+and
+.Nm cast
+can only be used with new esp.
+.It auth
+The authentication algorithm to be used with the SPI. Possible values
+are:
+.Nm md5
+and
+.Nm sha1
+for both old and new ah and also new esp. Also
+.Nm rmd160
+for both new ah and esp.
+.It key
+The secret symmetric key used for encryption and authentication. The size
+for
+.Nm des
+and
+.Nm 3des
+is fixed to 8 and 24 respectivly. For other ciphers like
+.Nm cast
+or
+.Nm blf
+the key length can be variable. The
+.Nm key
+should be given in hexadecimal digits.
+.It authkey
+The secret key material used for authentication
+if additional authentication in new esp mode is required. For
+old or new ah the key material for authentication is passed with the
+.Nm key
+option. The
+.Nm key
+should be given in hexadecimal digits.
+.It iv
+The initialization vector used for encryption. In old esp mode you need
+to specify it as either four or eight byte long value. In new esp mode
+the transforms can either use an eight byte iv or will derive one
+when none is specified with
+.Xr ipsecadm 1 .
+The
+.Nm iv
+should be given in hexadecimal digits.
+.It proto
+The security protocol needed by
+.Nm delspi ,
+.Nm flow
+or
+.Nm group
+to uniquely specify the SA.
+The default value is 50 which means
+.Nm IPPROTO_ESP .
+Other accepted values are 51
+.Nm ( IPPROTO_AH ),
+and 4
+.Nm ( IPPROTO_IP ) .
+One can also specify the symbolic names "esp", "ah", and "ip4",
+case insensitive.
+.It chain
+Delete the whole SPI chain, otherwise delete only the SPI given.
+.It dst2
+The second IP destination address used by
+.Nm group .
+.It spi2
+The second SPI used by
+.Nm group .
+.It proto2
+The second security protocol used by
+.Nm group .
+It defaults to
+.Nm IPPROTO_AH .
+Other accepted values are 50
+.Nm ( IPPROTO_ESP ),
+and 4
+.Nm ( IPPROTO_IP ) .
+One can also specify the symbolic names "esp", "ah", and "ip4",
+case insensitive.
+.It addr
+The source address, source network mask, destination address and destination
+network mask against which packets need to match to use the specified
+Security Association.
+.It transport
+The protocol number which packets need to match to use the specified
+Security Association. By default the protocol number is not used for
+matching. Instead of a number, a valid protocol name that appears in
+.Xr protocols 5
+can be used.
+.It sport
+The source port which packets have to match for the flow.
+By default the source port is not used for matching.
+Instead of a number, a valid service name that appears in
+.Xr services 5
+can be used.
+.It dport
+The destination port which packets have to match for the flow.
+By default the source port is not used for matching.
+Instead of a number, a valid service name that appears in
+.Xr services 5
+can be used.
+.It local
+The
+.Nm flow
+command also creates a flow which matches local packets. This is aquivalent
+to using a source address of 0.0.0.0 and a source network mask of
+255.255.255.0.
+.It delete
+Instead of creating a flow, an existing flow is deleted.
+.El
+.Sh EXAMPLE
+Setup a SPI which uses new esp with 3des encryption and HMAC-SHA1
+authentication:
+.Bd -literal
+ipsecadm -enc 3des -auth sha1 -spi 1001 -dst 169.20.12.2 -src 169.20.12.3
+-key 638063806380638063806380638063806380638063806380 -authp 1234123412341234
+.Ed
+.Pp
+Setup a SPI for authentication with old ah only:
+.Bd -literal
+ipsecadm old ah -auth md5 -spi 1001 -dst 169.20.12.2 -src 169.20.12.3
+-key 12341234deadbeef
+.Ed
+.Sh SEE ALSO
+.Xr services 5 ,
+.Xr protocols 5 ,
+.Xr netstat 1 ,
+.Xr ipsec 4 ,
+.Xr vpn 8 ,
+.Xr photurisd 8 .
diff --git a/sbin/ipsecadm/ipsecadm.c b/sbin/ipsecadm/ipsecadm.c
new file mode 100644
index 00000000000..fbe86095392
--- /dev/null
+++ b/sbin/ipsecadm/ipsecadm.c
@@ -0,0 +1,494 @@
+/* $OpenBSD: ipsecadm.c,v 1.1 1998/11/14 23:37:20 deraadt Exp $ */
+/*
+ * The authors of this code are John Ioannidis (ji@tla.org),
+ * Angelos D. Keromytis (kermit@csd.uch.gr) and
+ * Niels Provos (provos@physnet.uni-hamburg.de).
+ *
+ * This code was written by John Ioannidis for BSD/OS in Athens, Greece,
+ * in November 1995.
+ *
+ * Ported to OpenBSD and NetBSD, with additional transforms, in December 1996,
+ * by Angelos D. Keromytis.
+ *
+ * Additional transforms and features in 1997 and 1998 by Angelos D. Keromytis
+ * and Niels Provos.
+ *
+ * Copyright (C) 1995, 1996, 1997, 1998 by John Ioannidis, Angelos D. Keromytis
+ * and Niels Provos.
+ *
+ * Permission to use, copy, and modify this software without fee
+ * is hereby granted, provided that this entire notice is included in
+ * all copies of any software which is or includes a copy or
+ * modification of this software.
+ * You may use this code under the GNU public license if you so wish. Please
+ * contribute changes back to the authors under this freer than GPL license
+ * so that we may further the use of strong encryption without limitations to
+ * all.
+ *
+ * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR
+ * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY
+ * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE
+ * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR
+ * PURPOSE.
+ */
+
+#include <sys/param.h>
+#include <sys/file.h>
+#include <sys/socket.h>
+#include <sys/ioctl.h>
+#include <sys/mbuf.h>
+#include <sys/sysctl.h>
+
+#include <net/if.h>
+#include <net/route.h>
+#include <net/if_dl.h>
+#include <netinet/in.h>
+#include <netns/ns.h>
+#include <netiso/iso.h>
+#include <netccitt/x25.h>
+#include <arpa/inet.h>
+#include <netdb.h>
+
+#include <errno.h>
+#include <unistd.h>
+#include <stdio.h>
+#include <ctype.h>
+#include <stdlib.h>
+#include <string.h>
+#include <paths.h>
+#include "net/encap.h"
+#include "netinet/ip_ipsp.h"
+#include "netinet/ip_esp.h"
+
+#define ESP_OLD 0x01
+#define ESP_NEW 0x02
+#define AH_OLD 0x04
+#define AH_NEW 0x08
+
+#define XF_ENC 0x10
+#define XF_AUTH 0x20
+#define DEL_SPI 0x30
+#define GRP_SPI 0x40
+#define FLOW 0x50
+#define ENC_IP 0x80
+
+#define CMD_MASK 0xf0
+
+#define isencauth(x) ((x)&~CMD_MASK)
+#define iscmd(x,y) (((x) & CMD_MASK) == (y))
+
+typedef struct {
+ char *name;
+ int id, flags;
+} transform;
+
+int xf_esp_new __P((struct in_addr, struct in_addr, u_int32_t, int, int,
+ u_char *, u_char *, u_char *, struct in_addr, struct in_addr, int));
+int xf_esp_old __P((struct in_addr, struct in_addr, u_int32_t, int, u_char *,
+ u_char *, struct in_addr, struct in_addr));
+int xf_ah_new __P((struct in_addr, struct in_addr, u_int32_t, int, u_char *,
+ struct in_addr, struct in_addr));
+int xf_ah_old __P((struct in_addr, struct in_addr, u_int32_t, int, u_char *,
+ struct in_addr, struct in_addr));
+
+int xf_delspi __P((struct in_addr, u_int32_t, int, int));
+int xf_grp __P((struct in_addr, u_int32_t, int, struct in_addr, u_int32_t, int));
+int xf_flow __P((struct in_addr, u_int32_t, int, struct in_addr,
+ struct in_addr, struct in_addr, struct in_addr, int, int, int, int, int));
+int xf_ip4 __P((struct in_addr, struct in_addr, u_int32_t,
+ struct in_addr, struct in_addr));
+
+transform xf[] = {
+ {"des", ALG_ENC_DES, XF_ENC |ESP_OLD|ESP_NEW},
+ {"3des", ALG_ENC_3DES, XF_ENC |ESP_OLD|ESP_NEW},
+ {"blf", ALG_ENC_BLF, XF_ENC | ESP_NEW},
+ {"cast", ALG_ENC_CAST, XF_ENC | ESP_NEW},
+ {"md5", ALG_AUTH_MD5, XF_AUTH|AH_OLD|AH_NEW|ESP_NEW},
+ {"sha1", ALG_AUTH_SHA1,XF_AUTH|AH_OLD|AH_NEW|ESP_NEW},
+ {"rmd160", ALG_AUTH_RMD160, XF_AUTH|AH_NEW|ESP_NEW},
+};
+
+char buf[1024];
+
+int
+x2i(char *s)
+{
+ char ss[3];
+ ss[0] = s[0];
+ ss[1] = s[1];
+ ss[2] = 0;
+
+ return strtoul(ss, NULL, 16);
+}
+
+int
+isvalid(char *option, int type, int mode)
+{
+ int i;
+
+ for (i = sizeof(xf) / sizeof(transform) - 1; i >= 0; i--)
+ if (!strcmp(option, xf[i].name)) {
+ if ((xf[i].flags & CMD_MASK) == type &&
+ (xf[i].flags & mode))
+ return xf[i].id;
+ else
+ return 0;
+ }
+ return 0;
+}
+
+void
+usage()
+{
+ fprintf( stderr, "usage: ipsecadm [command] <modifier...>\n"
+ "\tCommands: new esp, old esp, new ah, old ah, group, delspi, ip4, flow\n"
+ "\tPossible modifiers:\n"
+ "\t\t-enc <alg>\t encryption algorithm\n"
+ "\t\t-auth <alg>\t authentication algorithm\n"
+ "\t\t-src <ip>\t source address to be used\n"
+ "\t\t-tunnel <ip> <ip> tunneling addresses\n"
+ "\t\t-dst <ip>\t destination address to be used\n"
+ "\t\t-spi <val>\t SPI to be used\n"
+ "\t\t-key <val>\t key material to be used\n"
+ "\t\t-authkey <val>\t key material for auth in new esp\n"
+ "\t\t-iv <val>\t iv to be used\n"
+ "\t\t-proto <val>\t security protocol\n"
+ "\t\t-chain\t\t SPI chain delete\n"
+ "\t\t-newpadding\t new style padding for new ESP\n"
+ "\t\t-transport <val>\t protocol number for flow\n"
+ "\t\t-addr <ip> <net> <ip> <net>\t subnets for flow\n"
+ "\t\t-delete\t\t delete specified flow\n"
+ "\t\t-local\t\t also create a local flow\n"
+ "\talso: dst2, spi2, proto2\n"
+ );
+}
+
+int
+main(argc, argv)
+ int argc;
+ char **argv;
+{
+ int i;
+ int mode = ESP_NEW, new = 1, flag = 0, newpadding = 0;
+ int auth = 0, enc = 0, ivlen = 0, klen = 0, alen = 0;
+ int proto = IPPROTO_ESP, proto2 = IPPROTO_AH;
+ int dport = -1, sport = -1, tproto = -1;
+ int delete = 0, local = 0, result;
+ int chain = 0;
+ u_int32_t spi = 0, spi2 = 0;
+ struct in_addr src, dst, dst2, osrc, odst, osmask, odmask;
+ u_char *ivp = NULL, *keyp = NULL, *authp = NULL;
+ struct protoent *tp;
+ struct servent *svp;
+ char *transportproto = NULL;
+
+ osrc.s_addr = odst.s_addr = src.s_addr = dst.s_addr = dst2.s_addr = 0;
+ osmask.s_addr = odmask.s_addr = 0;
+
+ if (argc < 2) {
+ usage();
+ exit(1);
+ }
+
+ for (i=1; i < argc; i++) {
+ if (!strcmp(argv[i], "new") && !flag) {
+ flag = 1;
+ new = 1;
+ } else if (!strcmp(argv[i], "old") && !flag) {
+ flag = 1;
+ new = 0;
+ } else if (!strcmp(argv[i], "esp") && flag < 2) {
+ flag = 2;
+ mode = new ? ESP_NEW : ESP_OLD;
+ } else if (!strcmp(argv[i], "ah") && flag < 2) {
+ flag = 2;
+ mode = new ? AH_NEW : AH_OLD;
+ } else if (!strcmp(argv[i], "delspi") && flag < 2) {
+ flag = 2;
+ mode = DEL_SPI;
+ } else if (!strcmp(argv[i], "group") && flag < 2) {
+ flag = 2;
+ mode = GRP_SPI;
+ } else if (!strcmp(argv[i], "flow") && flag < 2) {
+ flag = 2;
+ mode = FLOW;
+ } else if (!strcmp(argv[i], "ip4") && flag < 2) {
+ flag = 2;
+ mode = ENC_IP;
+ } else if (argv[i][0] == '-') {
+ break;
+ } else {
+ fprintf(stderr, "%s: Unknown command: %s", argv[0], argv[i]);
+ exit(1);
+ }
+ }
+
+ for (; i < argc; i++) {
+ if (argv[i][0] != '-') {
+ fprintf(stderr, "%s: Expected option, got %s\n",
+ argv[0], argv[i]);
+ exit(1);
+ } else if (!strcmp(argv[i]+1, "enc") && enc == 0 && i+1 < argc) {
+ if ((enc = isvalid(argv[i+1], XF_ENC, mode)) == 0) {
+ fprintf(stderr, "%s: Invalid encryption algorithm %s\n",
+ argv[0], argv[i+1]);
+ exit(1);
+ }
+ i++;
+ } else if (!strcmp(argv[i]+1, "auth") && auth == 0 && i+1 < argc) {
+ if ((auth = isvalid(argv[i+1], XF_AUTH, mode)) == 0) {
+ fprintf(stderr, "%s: Invalid auth algorithm %s\n",
+ argv[0], argv[i+1]);
+ exit(1);
+ }
+ i++;
+ } else if (!strcmp(argv[i]+1, "key") && keyp == NULL && i+1 < argc) {
+ keyp = argv[++i];
+ klen = strlen(keyp);
+ } else if (!strcmp(argv[i]+1, "authkey") && authp == NULL && i+1 < argc) {
+ if (!(mode & ESP_NEW)) {
+ fprintf(stderr, "%s: Invalid option %s for selected mode\n",
+ argv[0], argv[i]);
+ exit(1);
+ }
+ authp = argv[++i];
+ alen = strlen(authp);
+ } else if (!strcmp(argv[i]+1, "iv") && ivp == NULL && i+1 < argc) {
+ if (mode & (AH_OLD|AH_NEW)) {
+ fprintf(stderr, "%s: Invalid option %s with auth\n",
+ argv[0], argv[i]);
+ exit(1);
+ }
+ ivp = argv[++i];
+ ivlen = strlen(ivp);
+ } else if (!strcmp(argv[i]+1, "spi") && spi == 0 && i+1 < argc) {
+ if ((spi = htonl(strtoul(argv[i+1], NULL, 16))) == 0) {
+ fprintf(stderr, "%s: Invalid spi %s\n",
+ argv[0], argv[i+1]);
+ exit(1);
+ }
+ i++;
+ } else if (!strcmp(argv[i]+1, "spi2") && spi2 == 0 &&
+ iscmd(mode, GRP_SPI) && i+1 < argc) {
+ if ((spi2 = htonl(strtoul(argv[i+1], NULL, 16))) == 0) {
+ fprintf(stderr, "%s: Invalid spi2 %s\n",
+ argv[0], argv[i+1]);
+ exit(1);
+ }
+ i++;
+ } else if (!strcmp(argv[i]+1, "src") && i+1 < argc) {
+ src.s_addr = inet_addr(argv[i+1]);
+ i++;
+ } else if (!strcmp(argv[i]+1, "newpadding") && (mode & ESP_NEW)) {
+ newpadding = 1;
+ } else if (!strcmp(argv[i]+1, "delete") && iscmd(mode, FLOW)) {
+ delete = 1;
+ } else if (!strcmp(argv[i]+1, "local") && iscmd(mode, FLOW)) {
+ local = 1;
+ } else if (!strcmp(argv[i]+1, "tunnel") &&
+ (isencauth(mode) || mode == ENC_IP) && i+2 < argc) {
+ osrc.s_addr = inet_addr(argv[i+1]);
+ i++;
+ odst.s_addr = inet_addr(argv[i+1]);
+ i++;
+ } else if (!strcmp(argv[i]+1, "addr") &&
+ iscmd(mode, FLOW) && i+4 < argc) {
+ osrc.s_addr = inet_addr(argv[i+1]); i++;
+ osmask.s_addr = inet_addr(argv[i+1]); i++;
+ odst.s_addr = inet_addr(argv[i+1]); i++;
+ odmask.s_addr = inet_addr(argv[i+1]); i++;
+ } else if (!strcmp(argv[i]+1, "transport") &&
+ iscmd(mode, FLOW) && i+1 < argc) {
+ if (isalpha(argv[i+1][0])) {
+ tp = getprotobyname(argv[i+1]);
+ if (tp == NULL) {
+ fprintf(stderr, "%s: unknown protocol %s\n", argv[0], argv[i+1]);
+ exit(1);
+ }
+ tproto = tp->p_proto;
+ transportproto = argv[i+1];
+ } else {
+ tproto = atoi(argv[i+1]);
+ tp = getprotobynumber(tproto);
+ if (tp == NULL)
+ transportproto = "UNKNOWN";
+ else
+ transportproto = tp->p_name; /* This is static, but it doesn't matter for this application */
+ }
+ i++;
+ } else if (!strcmp(argv[i]+1, "sport") &&
+ iscmd(mode, FLOW) && i+1 < argc) {
+ if (isalpha(argv[i+1][0])) {
+ svp = getservbyname(argv[i+1], transportproto);
+ if (svp == NULL) {
+ fprintf(stderr, "%s: unknown service port %s for protocol %s\n", argv[0], argv[i+1], transportproto);
+ exit(1);
+ }
+ sport = svp->s_port;
+ } else
+ sport = atoi(argv[i+1]);
+ i++;
+ } else if (!strcmp(argv[i]+1, "dport") &&
+ iscmd(mode, FLOW) && i+1 < argc) {
+ if (isalpha(argv[i+1][0])) {
+ svp = getservbyname(argv[i+1], transportproto);
+ if (svp == NULL) {
+ fprintf(stderr, "%s: unknown service port %s for protocol %s\n", argv[0], argv[i+1], transportproto);
+ exit(1);
+ }
+ dport = svp->s_port;
+ } else
+ dport = atoi(argv[i+1]);
+ i++;
+ } else if (!strcmp(argv[i]+1, "dst") && i+1 < argc) {
+ dst.s_addr = inet_addr(argv[i+1]);
+ i++;
+ } else if (!strcmp(argv[i]+1, "dst2") &&
+ iscmd(mode, GRP_SPI) && i+1 < argc) {
+ dst2.s_addr = inet_addr(argv[i+1]);
+ i++;
+ } else if (!strcmp(argv[i]+1, "proto") && i+1 < argc) {
+ if (isalpha(argv[i+1][0])) {
+ if (!strcasecmp(argv[i+1], "esp"))
+ proto = IPPROTO_ESP;
+ else if (!strcasecmp(argv[i+1], "ah"))
+ proto = IPPROTO_AH;
+ else if (!strcasecmp(argv[i+1], "ip4"))
+ proto = IPPROTO_IPIP;
+ else {
+ fprintf(stderr, "%s: unknown security protocol type %s\n", argv[0], argv[i+1]);
+ exit(1);
+ }
+ } else {
+ proto = atoi(argv[i+1]);
+ if (proto != IPPROTO_ESP && proto != IPPROTO_AH &&
+ proto != IPPROTO_IPIP) {
+ fprintf(stderr, "%s: unknown security protocol %d\n", argv[0], proto);
+ exit(1);
+ }
+ }
+ i++;
+ } else if (!strcmp(argv[i]+1, "proto2") &&
+ iscmd(mode, GRP_SPI) && i+1 < argc) {
+ if (isalpha(argv[i+1][0])) {
+ if (!strcasecmp(argv[i+1], "esp"))
+ proto2 = IPPROTO_ESP;
+ else if (!strcasecmp(argv[i+1], "ah"))
+ proto2 = IPPROTO_AH;
+ else if (!strcasecmp(argv[i+1], "ip4"))
+ proto2 = IPPROTO_IPIP;
+ else {
+ fprintf(stderr, "%s: unknown security protocol2 type %s\n", argv[0], argv[i+1]);
+ exit(1);
+ }
+ } else
+ proto2 = atoi(argv[i+1]);
+ if (proto2 != IPPROTO_ESP && proto2 != IPPROTO_AH &&
+ proto2 != IPPROTO_IPIP) {
+ fprintf(stderr, "%s: unknown security protocol %d\n", argv[0], proto);
+ exit(1);
+ }
+ i++;
+ } else if (!strcmp(argv[i]+1, "chain") && chain == 0 &&
+ iscmd(mode, DEL_SPI)) {
+ chain = 1;
+ } else {
+ fprintf(stderr, "%s: Unkown option: %s\n", argv[0], argv[i]);
+ exit(1);
+ }
+ }
+
+
+ /* Sanity checks */
+ if ((mode & (ESP_NEW|ESP_OLD)) && enc == 0) {
+ fprintf(stderr, "%s: No encryption algorithm specified\n",
+ argv[0]);
+ exit(1);
+ } else if ((mode & (AH_NEW|AH_OLD)) && auth == 0) {
+ fprintf(stderr, "%s: No authenication algorithm specified\n",
+ argv[0]);
+ exit(1);
+ } else if (isencauth(mode) && keyp == NULL) {
+ fprintf(stderr, "%s: No key material specified\n", argv[0]);
+ exit(1);
+ } else if ((mode & ESP_NEW) && auth && authp == NULL) {
+ fprintf(stderr, "%s: No auth key material specified\n", argv[0]);
+ exit(1);
+ } else if (spi == 0) {
+ fprintf(stderr, "%s: No SPI specified\n", argv[0]);
+ exit(1);
+ } else if (iscmd(mode, GRP_SPI) && spi2 == 0) {
+ fprintf(stderr, "%s: No SPI2 specified\n", argv[0]);
+ exit(1);
+ } else if ((isencauth(mode) || iscmd(mode, ENC_IP)) &&
+ src.s_addr == 0) {
+ fprintf(stderr, "%s: No source address specified\n", argv[0]);
+ exit(1);
+ } else if ((iscmd(mode, DEL_SPI) || iscmd(mode, GRP_SPI) ||
+ iscmd(mode, FLOW)) &&
+ proto != IPPROTO_ESP && proto != IPPROTO_AH &&
+ proto != IPPROTO_IPIP) {
+ fprintf(stderr, "%s: Security protocol is none of AH, ESP or IPIP\n", argv[0]);
+ exit(1);
+ } else if (iscmd(mode, GRP_SPI) &&
+ proto2 != IPPROTO_ESP && proto2 != IPPROTO_AH &&
+ proto2 != IPPROTO_IPIP) {
+ fprintf(stderr, "%s: Security protocol2 is none of AH, ESP or IPIP\n", argv[0]);
+ exit(1);
+ } else if (dst.s_addr == 0) {
+ fprintf(stderr, "%s: No destination address specified\n",
+ argv[0]);
+ exit(1);
+ } else if (iscmd(mode, ENC_IP) &&
+ (odst.s_addr == 0 || osrc.s_addr == 0)) {
+ fprintf(stderr, "%s: No tunnel addresses specified\n",
+ argv[0]);
+ exit(1);
+ } else if (iscmd(mode, FLOW) &&
+ (odst.s_addr == 0 && odmask.s_addr == 0 &&
+ osrc.s_addr == 0 && osmask.s_addr == 0)) {
+ fprintf(stderr, "%s: No subnets for flow specified\n",
+ argv[0]);
+ exit(1);
+ } else if (iscmd(mode, GRP_SPI) && dst2.s_addr == 0) {
+ fprintf(stderr, "%s: No destination address2 specified\n",
+ argv[0]);
+ exit(1);
+ }
+
+ if (isencauth(mode)) {
+ switch(mode) {
+ case ESP_NEW:
+ result = xf_esp_new(src, dst, spi, enc, auth, ivp, keyp,
+ authp, osrc, odst, newpadding);
+ break;
+ case ESP_OLD:
+ result = xf_esp_old(src, dst, spi, enc, ivp, keyp, osrc, odst);
+ break;
+ case AH_NEW:
+ result = xf_ah_new(src, dst, spi, auth, keyp, osrc, odst);
+ break;
+ case AH_OLD:
+ result = xf_ah_old(src, dst, spi, auth, keyp, osrc, odst);
+ break;
+ }
+ } else {
+ switch(mode & CMD_MASK) {
+ case GRP_SPI:
+ result = xf_grp(dst, spi, proto, dst2, spi2, proto2);
+ break;
+ case DEL_SPI:
+ result = xf_delspi(dst, spi, proto, chain);
+ break;
+ case ENC_IP:
+ result = xf_ip4(src, dst, spi, osrc, odst);
+ break;
+ case FLOW:
+ result = xf_flow(dst, spi, proto, osrc, osmask, odst, odmask,
+ tproto, sport, dport, delete, local);
+ break;
+ }
+ }
+
+ exit (result ? 0 : 1);
+}
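Review bot: None of the `inet_addr()` calls that fill src, dst, dst2, the -tunnel pair and the -addr quadruple check for INADDR_NONE, so a mistyped address such as `-dst 169.20.12.300` is silently installed as 255.255.255.255 instead of being rejected; the later sanity checks only catch 0.0.0.0. A small helper built on inet_aton(3), which reports failure unambiguously, would close this for every address option in one place. Separately, `-sport`/`-dport` store `svp->s_port` (network byte order) when a service name is given but `atoi()` (host order) when a number is given, so the two spellings of the same port produce different flows; normalise one of them (`htons(atoi(argv[i+1]))` or `ntohs(svp->s_port)`) to whatever byte order xf_flow expects, which is not visible from this file. The `-proto2` error message at the numeric branch also prints `proto` rather than `proto2`.
```c
/* Parse a dotted-quad address or exit; inet_addr() only signals failure
 * through INADDR_NONE, which the address-option branches never check. */
static struct in_addr
parse_addr(const char *prog, const char *s)
{
	struct in_addr a;

	if (inet_aton(s, &a) == 0) {
		fprintf(stderr, "%s: Invalid address %s\n", prog, s);
		exit(1);
	}
	return a;
}

/* … unchanged: main(), with each inet_addr(argv[i+1]) in the -src, -dst,
 * -dst2, -tunnel and -addr branches replaced by parse_addr(argv[0], argv[i+1]) … */
```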
diff --git a/sbin/ipsecadm/kernel.c b/sbin/ipsecadm/kernel.c
new file mode 100644
index 00000000000..d17592ad4d4
--- /dev/null
+++ b/sbin/ipsecadm/kernel.c
@@ -0,0 +1,80 @@
+/* $OpenBSD: kernel.c,v 1.1 1998/11/14 23:37:20 deraadt Exp $ */
+/*
+ * The authors of this code are John Ioannidis (ji@tla.org),
+ * Angelos D. Keromytis (kermit@csd.uch.gr) and
+ * Niels Provos (provos@physnet.uni-hamburg.de).
+ *
+ * This code was written by John Ioannidis for BSD/OS in Athens, Greece,
+ * in November 1995.
+ *
+ * Ported to OpenBSD and NetBSD, with additional transforms, in December 1996,
+ * by Angelos D. Keromytis.
+ *
+ * Additional transforms and features in 1997 and 1998 by Angelos D. Keromytis
+ * and Niels Provos.
+ *
+ * Copyright (C) 1995, 1996, 1997, 1998 by John Ioannidis, Angelos D. Keromytis
+ * and Niels Provos.
+ *
+ * Permission to use, copy, and modify this software without fee
+ * is hereby granted, provided that this entire notice is included in
+ * all copies of any software which is or includes a copy or
+ * modification of this software.
+ * You may use this code under the GNU public license if you so wish. Please
+ * contribute changes back to the authors under this freer than GPL license
+ * so that we may further the use of strong encryption without limitations to
+ * all.
+ *
+ * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR
+ * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY
+ * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE
+ * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR
+ * PURPOSE.
+ */
+
+#include <sys/param.h>
+#include <sys/file.h>
+#include <sys/socket.h>
+#include <sys/ioctl.h>
+#include <sys/mbuf.h>
+#include <sys/sysctl.h>
+
+#include <net/if.h>
+#include <net/route.h>
+#include <net/if_dl.h>
+#include <netinet/in.h>
+#include <netns/ns.h>
+#include <netiso/iso.h>
+#include <netccitt/x25.h>
+#include <arpa/inet.h>
+#include <netdb.h>
+
+#include <errno.h>
+#include <unistd.h>
+#include <stdio.h>
+#include <ctype.h>
+#include <stdlib.h>
+#include <string.h>
+#include <paths.h>
+#include "net/encap.h"
+
+int
+xf_set(em)
+ struct encap_msghdr *em;
+{
+ int sd;
+
+ sd = socket(AF_ENCAP, SOCK_RAW, AF_UNSPEC);
+ if (sd < 0) {
+ perror("socket");
+ return 0;
+ }
+
+ if (write(sd, (char *)em, em->em_msglen) != em->em_msglen) {
+ perror("write");
+ return 0;
+ }
+
+ close(sd);
+ return 1;
+}
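Review bot: The descriptor `sd` is leaked on the write-failure path of xf_set(): `perror("write"); return 0;` returns without `close(sd)`. Add `close(sd);` before that `return 0;` (or restructure so both paths fall through to a single close). Because the test is `!= em->em_msglen`, a short write that returned a positive count also lands here, where perror() reports whatever errno happens to hold rather than a real error; printing the byte counts instead, e.g. `fprintf(stderr, "write: short write to encap socket\n")`, would be more honest for that case. The success path ignores close()'s return, which is acceptable here since the message has already been handed to the kernel.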
diff --git a/sbin/ipsecadm/xf_ah_new.c b/sbin/ipsecadm/xf_ah_new.c
new file mode 100644
index 00000000000..bb1cbcc7571
--- /dev/null
+++ b/sbin/ipsecadm/xf_ah_new.c
@@ -0,0 +1,107 @@
+/* $OpenBSD: xf_ah_new.c,v 1.1 1998/11/14 23:37:20 deraadt Exp $ */
+/*
+ * The authors of this code are John Ioannidis (ji@tla.org),
+ * Angelos D. Keromytis (kermit@csd.uch.gr) and
+ * Niels Provos (provos@physnet.uni-hamburg.de).
+ *
+ * This code was written by John Ioannidis for BSD/OS in Athens, Greece,
+ * in November 1995.
+ *
+ * Ported to OpenBSD and NetBSD, with additional transforms, in December 1996,
+ * by Angelos D. Keromytis.
+ *
+ * Additional transforms and features in 1997 and 1998 by Angelos D. Keromytis
+ * and Niels Provos.
+ *
+ * Copyright (C) 1995, 1996, 1997, 1998 by John Ioannidis, Angelos D. Keromytis
+ * and Niels Provos.
+ *
+ * Permission to use, copy, and modify this software without fee
+ * is hereby granted, provided that this entire notice is included in
+ * all copies of any software which is or includes a copy or
+ * modification of this software.
+ * You may use this code under the GNU public license if you so wish. Please
+ * contribute changes back to the authors under this freer than GPL license
+ * so that we may further the use of strong encryption without limitations to
+ * all.
+ *
+ * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR
+ * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY
+ * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE
+ * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR
+ * PURPOSE.
+ */
+
+#include <sys/param.h>
+#include <sys/file.h>
+#include <sys/socket.h>
+#include <sys/ioctl.h>
+#include <sys/mbuf.h>
+#include <sys/sysctl.h>
+
+#include <net/if.h>
+#include <net/route.h>
+#include <net/if_dl.h>
+#include <netinet/in.h>
+#include <netns/ns.h>
+#include <netiso/iso.h>
+#include <netccitt/x25.h>
+#include <arpa/inet.h>
+#include <netdb.h>
+
+#include <errno.h>
+#include <unistd.h>
+#include <stdio.h>
+#include <ctype.h>
+#include <stdlib.h>
+#include <string.h>
+#include <paths.h>
+#include "net/encap.h"
+#include "netinet/ip_ipsp.h"
+#include "netinet/ip_ah.h"
+
+extern char buf[];
+
+int xf_set __P(( struct encap_msghdr *));
+int x2i __P((char *));
+
+int
+xf_ah_new(src, dst, spi, auth, keyp, osrc, odst)
+struct in_addr src, dst;
+u_int32_t spi;
+int auth;
+u_char *keyp;
+struct in_addr osrc, odst;
+{
+ int klen, i;
+
+ struct encap_msghdr *em;
+ struct ah_new_xencap *xd;
+
+ klen = strlen(keyp)/2;
+
+ em = (struct encap_msghdr *)&buf[0];
+
+ em->em_msglen = EMT_SETSPI_FLEN + AH_NEW_XENCAP_LEN + klen;
+ em->em_version = PFENCAP_VERSION_1;
+ em->em_type = EMT_SETSPI;
+ em->em_spi = spi;
+ em->em_src = src;
+ em->em_dst = dst;
+ em->em_osrc = osrc;
+ em->em_odst = odst;
+ em->em_alg = XF_NEW_AH;
+ em->em_sproto = IPPROTO_AH;
+
+ xd = (struct ah_new_xencap *)(em->em_dat);
+
+ xd->amx_hash_algorithm = auth;
+ xd->amx_wnd = -1; /* Manual setup -- no sequence number */
+ xd->amx_keylen = klen;
+
+ bzero(xd->amx_key, klen);
+ for (i = 0; i < klen; i++ )
+ xd->amx_key[i] = x2i(keyp+2*i);
+
+ return xf_set(em);
+}
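Review bot: `klen = strlen(keyp)/2` is never bounded before the key bytes are written into the fixed 1024-byte global `buf` at `xd->amx_key[i]`, so a -key argument longer than about 1900 hex digits overwrites memory past `buf`; add `if (EMT_SETSPI_FLEN + AH_NEW_XENCAP_LEN + klen > 1024) { fprintf(stderr, "key too long\n"); return 0; }` before filling the message (better, give buf a named size in a shared header and compare against that). The hex decoding via x2i() also accepts odd-length or non-hex input silently: strtoul() yields 0 for a bad digit pair, so a typo in the key produces zero bytes with no error rather than a rejection, which for HMAC key material means a silently weakened SA. A check that strlen(keyp) is even and consists only of hex digits would turn that into a failure. The `bzero(xd->amx_key, klen)` immediately before a loop that overwrites every one of those bytes is redundant and can be dropped.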
diff --git a/sbin/ipsecadm/xf_ah_old.c b/sbin/ipsecadm/xf_ah_old.c
new file mode 100644
index 00000000000..9185b50e9a3
--- /dev/null
+++ b/sbin/ipsecadm/xf_ah_old.c
@@ -0,0 +1,105 @@
+/* $OpenBSD: xf_ah_old.c,v 1.1 1998/11/14 23:37:20 deraadt Exp $ */
+/*
+ * The authors of this code are John Ioannidis (ji@tla.org),
+ * Angelos D. Keromytis (kermit@csd.uch.gr) and
+ * Niels Provos (provos@physnet.uni-hamburg.de).
+ *
+ * This code was written by John Ioannidis for BSD/OS in Athens, Greece,
+ * in November 1995.
+ *
+ * Ported to OpenBSD and NetBSD, with additional transforms, in December 1996,
+ * by Angelos D. Keromytis.
+ *
+ * Additional transforms and features in 1997 and 1998 by Angelos D. Keromytis
+ * and Niels Provos.
+ *
+ * Copyright (C) 1995, 1996, 1997, 1998 by John Ioannidis, Angelos D. Keromytis
+ * and Niels Provos.
+ *
+ * Permission to use, copy, and modify this software without fee
+ * is hereby granted, provided that this entire notice is included in
+ * all copies of any software which is or includes a copy or
+ * modification of this software.
+ * You may use this code under the GNU public license if you so wish. Please
+ * contribute changes back to the authors under this freer than GPL license
+ * so that we may further the use of strong encryption without limitations to
+ * all.
+ *
+ * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR
+ * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY
+ * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE
+ * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR
+ * PURPOSE.
+ */
+
+#include <sys/param.h>
+#include <sys/file.h>
+#include <sys/socket.h>
+#include <sys/ioctl.h>
+#include <sys/mbuf.h>
+#include <sys/sysctl.h>
+
+#include <net/if.h>
+#include <net/route.h>
+#include <net/if_dl.h>
+#include <netinet/in.h>
+#include <netns/ns.h>
+#include <netiso/iso.h>
+#include <netccitt/x25.h>
+#include <arpa/inet.h>
+#include <netdb.h>
+
+#include <errno.h>
+#include <unistd.h>
+#include <stdio.h>
+#include <ctype.h>
+#include <stdlib.h>
+#include <string.h>
+#include <paths.h>
+#include "net/encap.h"
+#include "netinet/ip_ipsp.h"
+#include "netinet/ip_ah.h"
+
+extern char buf[];
+
+int xf_set __P(( struct encap_msghdr *));
+int x2i __P((char *));
+
+int
+xf_ah_old(src, dst, spi, auth, keyp, osrc, odst)
+struct in_addr src, dst;
+u_int32_t spi;
+int auth;
+u_char *keyp;
+struct in_addr osrc, odst;
+{
+ int klen, i;
+
+ struct encap_msghdr *em;
+ struct ah_old_xencap *xd;
+
+ klen = strlen(keyp)/2;
+
+ em = (struct encap_msghdr *)&buf[0];
+
+ em->em_msglen = EMT_SETSPI_FLEN + AH_OLD_XENCAP_LEN + klen;
+ em->em_version = PFENCAP_VERSION_1;
+ em->em_type = EMT_SETSPI;
+ em->em_spi = spi;
+ em->em_src = src;
+ em->em_dst = dst;
+ em->em_osrc = osrc;
+ em->em_odst = odst;
+ em->em_alg = XF_OLD_AH;
+ em->em_sproto = IPPROTO_AH;
+
+ xd = (struct ah_old_xencap *)(em->em_dat);
+
+ xd->amx_hash_algorithm = auth;
+ xd->amx_keylen = klen;
+
+ for (i = 0; i < klen; i++ )
+ xd->amx_key[i] = x2i(keyp + 2*i);
+
+ return xf_set(em);
+}
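Review bot: Nothing bounds `klen` against the shared message buffer: `klen = strlen(keyp)/2;` takes its length from a command-line string, and the loop `xd->amx_key[i] = x2i(keyp + 2*i);` then writes that many bytes into `buf`, whose size is declared elsewhere (`extern char buf[]`) and never compared with the computed `em_msglen`. An odd-length hex string is also silently truncated by the `/2`, and any non-hex character is left for `x2i` (defined outside this file) to handle. A guard such as `if ((strlen(keyp) & 1) || EMT_SETSPI_FLEN + AH_OLD_XENCAP_LEN + klen > <BUF_SIZE>) { fprintf(stderr, "bad key length\n"); return 0; }` before the header is filled in would make the transform self-contained, with `<BUF_SIZE>` standing for buf's real declared size. The same unchecked pattern appears in xf_ah_new.c (`amx_key`), xf_esp_new.c (`ivp`, `keyp`, `authp` into `edx_data`) and xf_esp_old.c (`ivp`, `keyp` into `edx_data`).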
diff --git a/sbin/ipsecadm/xf_delspi.c b/sbin/ipsecadm/xf_delspi.c
new file mode 100644
index 00000000000..d98be70348f
--- /dev/null
+++ b/sbin/ipsecadm/xf_delspi.c
@@ -0,0 +1,91 @@
+/* $OpenBSD: xf_delspi.c,v 1.1 1998/11/14 23:37:21 deraadt Exp $ */
+/*
+ * The authors of this code are John Ioannidis (ji@tla.org),
+ * Angelos D. Keromytis (kermit@csd.uch.gr) and
+ * Niels Provos (provos@physnet.uni-hamburg.de).
+ *
+ * This code was written by John Ioannidis for BSD/OS in Athens, Greece,
+ * in November 1995.
+ *
+ * Ported to OpenBSD and NetBSD, with additional transforms, in December 1996,
+ * by Angelos D. Keromytis.
+ *
+ * Additional transforms and features in 1997 and 1998 by Angelos D. Keromytis
+ * and Niels Provos.
+ *
+ * Copyright (C) 1995, 1996, 1997, 1998 by John Ioannidis, Angelos D. Keromytis
+ * and Niels Provos.
+ *
+ * Permission to use, copy, and modify this software without fee
+ * is hereby granted, provided that this entire notice is included in
+ * all copies of any software which is or includes a copy or
+ * modification of this software.
+ * You may use this code under the GNU public license if you so wish. Please
+ * contribute changes back to the authors under this freer than GPL license
+ * so that we may further the use of strong encryption without limitations to
+ * all.
+ *
+ * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR
+ * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY
+ * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE
+ * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR
+ * PURPOSE.
+ */
+
+#include <sys/param.h>
+#include <sys/file.h>
+#include <sys/socket.h>
+#include <sys/ioctl.h>
+#include <sys/mbuf.h>
+#include <sys/sysctl.h>
+
+#include <net/if.h>
+#include <net/route.h>
+#include <net/if_dl.h>
+#include <netinet/in.h>
+#include <netns/ns.h>
+#include <netiso/iso.h>
+#include <netccitt/x25.h>
+#include <arpa/inet.h>
+#include <netdb.h>
+
+#include <errno.h>
+#include <unistd.h>
+#include <stdio.h>
+#include <ctype.h>
+#include <stdlib.h>
+#include <string.h>
+#include <paths.h>
+#include "net/encap.h"
+#include "netinet/ip_ipsp.h"
+
+extern char buf[];
+
+int xf_set __P((struct encap_msghdr *));
+
+int
+xf_delspi(dst, spi, proto, chain)
+struct in_addr dst;
+u_int32_t spi;
+int proto, chain;
+{
+ struct encap_msghdr *em;
+
+ em = (struct encap_msghdr *)&buf[0];
+ em->em_version = PFENCAP_VERSION_1;
+
+ if (chain) {
+ em->em_msglen = EMT_DELSPICHAIN_FLEN;
+ em->em_type = EMT_DELSPICHAIN;
+ } else {
+ em->em_msglen = EMT_DELSPI_FLEN;
+ em->em_type = EMT_DELSPI;
+ }
+ em->em_gen_spi = spi;
+ em->em_gen_dst = dst;
+ em->em_gen_sproto = proto;
+
+ return xf_set(em);
+}
+
+
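Review bot: The delete message is built in the shared `buf` without clearing it first, unlike xf_grp.c in this commit which does `bzero(buf, EMT_GRPSPIS_FLEN);` before filling its header, so any header field this function does not assign still holds whatever the previous message left there. Whether the kernel reads those bytes for EMT_DELSPI/EMT_DELSPICHAIN I cannot tell from here, but zeroing is cheap and removes the doubt: `bzero(buf, chain ? EMT_DELSPICHAIN_FLEN : EMT_DELSPI_FLEN);` placed before `em = (struct encap_msghdr *)&buf[0];` would do it.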
diff --git a/sbin/ipsecadm/xf_esp_new.c b/sbin/ipsecadm/xf_esp_new.c
new file mode 100644
index 00000000000..5b8250f2af5
--- /dev/null
+++ b/sbin/ipsecadm/xf_esp_new.c
@@ -0,0 +1,127 @@
+/* $OpenBSD: xf_esp_new.c,v 1.1 1998/11/14 23:37:21 deraadt Exp $ */
+/*
+ * The authors of this code are John Ioannidis (ji@tla.org),
+ * Angelos D. Keromytis (kermit@csd.uch.gr) and
+ * Niels Provos (provos@physnet.uni-hamburg.de).
+ *
+ * This code was written by John Ioannidis for BSD/OS in Athens, Greece,
+ * in November 1995.
+ *
+ * Ported to OpenBSD and NetBSD, with additional transforms, in December 1996,
+ * by Angelos D. Keromytis.
+ *
+ * Additional transforms and features in 1997 and 1998 by Angelos D. Keromytis
+ * and Niels Provos.
+ *
+ * Copyright (C) 1995, 1996, 1997, 1998 by John Ioannidis, Angelos D. Keromytis
+ * and Niels Provos.
+ *
+ * Permission to use, copy, and modify this software without fee
+ * is hereby granted, provided that this entire notice is included in
+ * all copies of any software which is or includes a copy or
+ * modification of this software.
+ * You may use this code under the GNU public license if you so wish. Please
+ * contribute changes back to the authors under this freer than GPL license
+ * so that we may further the use of strong encryption without limitations to
+ * all.
+ *
+ * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR
+ * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY
+ * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE
+ * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR
+ * PURPOSE.
+ */
+
+#include <sys/param.h>
+#include <sys/file.h>
+#include <sys/socket.h>
+#include <sys/ioctl.h>
+#include <sys/mbuf.h>
+#include <sys/sysctl.h>
+
+#include <net/if.h>
+#include <net/route.h>
+#include <net/if_dl.h>
+#include <netinet/in.h>
+#include <netns/ns.h>
+#include <netiso/iso.h>
+#include <netccitt/x25.h>
+#include <arpa/inet.h>
+#include <netdb.h>
+
+#include <errno.h>
+#include <unistd.h>
+#include <stdio.h>
+#include <ctype.h>
+#include <stdlib.h>
+#include <string.h>
+#include <paths.h>
+#include "net/encap.h"
+#include "netinet/ip_ipsp.h"
+#include "netinet/ip_esp.h"
+
+extern char buf[];
+
+int xf_set __P(( struct encap_msghdr *));
+int x2i __P((char *));
+
+int
+xf_esp_new(src, dst, spi, enc, auth, ivp, keyp, authp,
+ osrc, odst, newpadding)
+struct in_addr src, dst;
+u_int32_t spi;
+int enc, auth;
+u_char *ivp, *keyp, *authp;
+struct in_addr osrc, odst;
+int newpadding;
+{
+ int i, klen, alen, ivlen;
+
+ struct encap_msghdr *em;
+ struct esp_new_xencap *xd;
+
+ klen = strlen(keyp)/2;
+ alen = authp == NULL ? 0 : strlen(authp)/2;
+ ivlen = ivp == NULL ? 0 : strlen(ivp)/2;
+
+ em = (struct encap_msghdr *)&buf[0];
+
+ em->em_msglen = EMT_SETSPI_FLEN + ESP_NEW_XENCAP_LEN +
+ ivlen + klen + alen;
+
+ em->em_version = PFENCAP_VERSION_1;
+ em->em_type = EMT_SETSPI;
+ em->em_spi = spi;
+ em->em_src = src;
+ em->em_dst = dst;
+ em->em_osrc = osrc;
+ em->em_odst = odst;
+ em->em_alg = XF_NEW_ESP;
+ em->em_sproto = IPPROTO_ESP;
+
+ xd = (struct esp_new_xencap *)(em->em_dat);
+
+ xd->edx_enc_algorithm = enc;
+ xd->edx_hash_algorithm = auth;
+ xd->edx_ivlen = ivlen;
+ xd->edx_confkeylen = klen;
+ xd->edx_authkeylen = alen;
+ xd->edx_wnd = -1; /* Manual keying -- no seq */
+ xd->edx_flags = auth ? ESP_NEW_FLAG_AUTH : 0;
+
+ if (newpadding)
+ xd->edx_flags |= ESP_NEW_FLAG_NPADDING;
+
+ for (i = 0; i < ivlen; i++)
+ xd->edx_data[i] = x2i(ivp+2*i);
+
+ for (i = 0; i < klen; i++)
+ xd->edx_data[i+ivlen] = x2i(keyp+2*i);
+
+ for (i = 0; i < alen; i++)
+ xd->edx_data[i+ivlen+klen] = x2i(authp+2*i);
+
+ return xf_set(em);
+}
+
+
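Review bot: The authentication flag and the authentication key length are derived from different inputs: `xd->edx_flags = auth ? ESP_NEW_FLAG_AUTH : 0;` follows `auth`, while `alen = authp == NULL ? 0 : strlen(authp)/2;` follows `authp`, so `auth != 0` with `authp == NULL` produces a message that advertises authentication with `edx_authkeylen = 0`. Whether ipsecadm.c (outside this view) rejects that combination before calling here I cannot tell; a local guard `if (auth && authp == NULL) { fprintf(stderr, "authentication key required\n"); return 0; }` would keep the transform consistent on its own. Note also that `keyp` goes straight to `strlen` while `ivp` and `authp` are NULL-checked, so the caller must guarantee `keyp` is non-NULL.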
diff --git a/sbin/ipsecadm/xf_esp_old.c b/sbin/ipsecadm/xf_esp_old.c
new file mode 100644
index 00000000000..da1ac77de9d
--- /dev/null
+++ b/sbin/ipsecadm/xf_esp_old.c
@@ -0,0 +1,112 @@
+/* $OpenBSD: xf_esp_old.c,v 1.1 1998/11/14 23:37:21 deraadt Exp $ */
+/*
+ * The authors of this code are John Ioannidis (ji@tla.org),
+ * Angelos D. Keromytis (kermit@csd.uch.gr) and
+ * Niels Provos (provos@physnet.uni-hamburg.de).
+ *
+ * This code was written by John Ioannidis for BSD/OS in Athens, Greece,
+ * in November 1995.
+ *
+ * Ported to OpenBSD and NetBSD, with additional transforms, in December 1996,
+ * by Angelos D. Keromytis.
+ *
+ * Additional transforms and features in 1997 and 1998 by Angelos D. Keromytis
+ * and Niels Provos.
+ *
+ * Copyright (C) 1995, 1996, 1997, 1998 by John Ioannidis, Angelos D. Keromytis
+ * and Niels Provos.
+ *
+ * Permission to use, copy, and modify this software without fee
+ * is hereby granted, provided that this entire notice is included in
+ * all copies of any software which is or includes a copy or
+ * modification of this software.
+ * You may use this code under the GNU public license if you so wish. Please
+ * contribute changes back to the authors under this freer than GPL license
+ * so that we may further the use of strong encryption without limitations to
+ * all.
+ *
+ * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR
+ * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY
+ * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE
+ * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR
+ * PURPOSE.
+ */
+
+#include <sys/param.h>
+#include <sys/file.h>
+#include <sys/socket.h>
+#include <sys/ioctl.h>
+#include <sys/mbuf.h>
+#include <sys/sysctl.h>
+
+#include <net/if.h>
+#include <net/route.h>
+#include <net/if_dl.h>
+#include <netinet/in.h>
+#include <netns/ns.h>
+#include <netiso/iso.h>
+#include <netccitt/x25.h>
+#include <arpa/inet.h>
+#include <netdb.h>
+
+#include <errno.h>
+#include <unistd.h>
+#include <stdio.h>
+#include <ctype.h>
+#include <stdlib.h>
+#include <string.h>
+#include <paths.h>
+#include "net/encap.h"
+#include "netinet/ip_ipsp.h"
+#include "netinet/ip_esp.h"
+
+extern char buf[];
+
+int xf_set __P(( struct encap_msghdr *));
+int x2i __P((char *));
+
+int
+xf_esp_old(src, dst, spi, enc, ivp, keyp, osrc, odst)
+struct in_addr src, dst;
+u_int32_t spi;
+int enc;
+u_char *ivp, *keyp;
+struct in_addr osrc, odst;
+{
+ int i, ivlen, klen;
+
+ struct encap_msghdr *em;
+ struct esp_old_xencap *xd;
+
+ klen = strlen(keyp)/2;
+ ivlen = ivp == NULL ? 0 : strlen(ivp)/2;
+
+ em = (struct encap_msghdr *)&buf[0];
+
+ em->em_msglen = EMT_SETSPI_FLEN + ESP_OLD_XENCAP_LEN + ivlen + klen;
+ em->em_version = PFENCAP_VERSION_1;
+ em->em_type = EMT_SETSPI;
+ em->em_spi = spi;
+ em->em_src = src;
+ em->em_dst = dst;
+ em->em_osrc = osrc;
+ em->em_odst = odst;
+ em->em_alg = XF_OLD_ESP;
+ em->em_sproto = IPPROTO_ESP;
+
+ xd = (struct esp_old_xencap *)(em->em_dat);
+
+ xd->edx_enc_algorithm = enc;
+ xd->edx_ivlen = ivlen;
+ xd->edx_keylen = klen;
+
+ for (i = 0; i < ivlen; i++)
+ xd->edx_data[i] = x2i(ivp+2*i);
+
+ for (i = 0; i < klen; i++)
+ xd->edx_data[i+ivlen] = x2i(keyp+2*i);
+
+ return xf_set(em);
+}
+
+
diff --git a/sbin/ipsecadm/xf_flow.c b/sbin/ipsecadm/xf_flow.c
new file mode 100644
index 00000000000..9f66b27a7d0
--- /dev/null
+++ b/sbin/ipsecadm/xf_flow.c
@@ -0,0 +1,155 @@
+/* $OpenBSD: xf_flow.c,v 1.1 1998/11/14 23:37:21 deraadt Exp $ */
+/*
+ * The authors of this code are John Ioannidis (ji@tla.org),
+ * Angelos D. Keromytis (kermit@csd.uch.gr) and
+ * Niels Provos (provos@physnet.uni-hamburg.de).
+ *
+ * This code was written by John Ioannidis for BSD/OS in Athens, Greece,
+ * in November 1995.
+ *
+ * Ported to OpenBSD and NetBSD, with additional transforms, in December 1996,
+ * by Angelos D. Keromytis.
+ *
+ * Additional transforms and features in 1997 and 1998 by Angelos D. Keromytis
+ * and Niels Provos.
+ *
+ * Copyright (C) 1995, 1996, 1997, 1998 by John Ioannidis, Angelos D. Keromytis
+ * and Niels Provos.
+ *
+ * Permission to use, copy, and modify this software without fee
+ * is hereby granted, provided that this entire notice is included in
+ * all copies of any software which is or includes a copy or
+ * modification of this software.
+ * You may use this code under the GNU public license if you so wish. Please
+ * contribute changes back to the authors under this freer than GPL license
+ * so that we may further the use of strong encryption without limitations to
+ * all.
+ *
+ * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR
+ * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY
+ * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE
+ * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR
+ * PURPOSE.
+ */
+
+
+#include <sys/param.h>
+#include <sys/file.h>
+#include <sys/socket.h>
+#include <sys/ioctl.h>
+#include <sys/mbuf.h>
+#include <sys/sysctl.h>
+
+#include <net/if.h>
+#include <net/route.h>
+#include <net/if_dl.h>
+#include <netinet/in.h>
+#include <netns/ns.h>
+#include <netiso/iso.h>
+#include <netccitt/x25.h>
+#include <arpa/inet.h>
+#include <netdb.h>
+
+#include <errno.h>
+#include <unistd.h>
+#include <stdio.h>
+#include <ctype.h>
+#include <stdlib.h>
+#include <string.h>
+#include <paths.h>
+#include "net/encap.h"
+
+extern char buf[];
+
+int
+xf_flow(struct in_addr dst, u_int32_t spi, int proto,
+ struct in_addr osrc, struct in_addr osmask,
+ struct in_addr odst, struct in_addr odmask,
+ int tproto, int sport, int dport, int delete, int local)
+{
+ struct sockaddr_encap *ddst, *msk, *gw;
+ struct rt_msghdr *rtm;
+ int sd, off, error = 0;
+
+ sd = socket(PF_ROUTE, SOCK_RAW, AF_UNSPEC);
+ if (sd < 0) {
+ perror("socket");
+ return 0;
+ }
+
+ bzero(buf, sizeof(*rtm) + SENT_IP4_LEN + SENT_IPSP_LEN + SENT_IP4_LEN);
+
+ rtm = (struct rt_msghdr *)(&buf[0]);
+ ddst = (struct sockaddr_encap *) (&buf[sizeof (*rtm)]);
+ off = sizeof(*rtm) + SENT_IP4_LEN;
+ if (!delete) {
+ gw = (struct sockaddr_encap *) (&buf[off]);
+ off += SENT_IPSP_LEN;
+ }
+ msk = (struct sockaddr_encap *) (&buf[off]);
+
+ rtm->rtm_version = RTM_VERSION;
+ rtm->rtm_type = delete ? RTM_DELETE : RTM_ADD;
+ rtm->rtm_index = 0;
+ rtm->rtm_pid = getpid();
+ rtm->rtm_addrs = RTA_DST | (delete ? 0 : RTA_GATEWAY) | RTA_NETMASK;
+ rtm->rtm_errno = 0;
+ rtm->rtm_flags = RTF_UP | (delete ? 0 : RTF_GATEWAY) | RTF_STATIC;
+ rtm->rtm_inits = 0;
+
+ ddst->sen_len = SENT_IP4_LEN;
+ ddst->sen_family = AF_ENCAP;
+ ddst->sen_type = SENT_IP4;
+ ddst->sen_ip_src.s_addr = osrc.s_addr & osmask.s_addr;
+ ddst->sen_ip_dst.s_addr = odst.s_addr & odmask.s_addr;
+ ddst->sen_proto = ddst->sen_sport = ddst->sen_dport = 0;
+
+ if (tproto > 0) {
+ ddst->sen_proto = tproto;
+ msk->sen_proto = 0xff;
+
+ if (sport > 0) {
+ ddst->sen_sport = sport;
+ msk->sen_sport = 0xffff;
+ }
+
+ if (dport > 0) {
+ ddst->sen_dport = dport;
+ msk->sen_dport = 0xffff;
+ }
+ }
+
+ if (!delete) {
+ gw->sen_len = SENT_IPSP_LEN;
+ gw->sen_family = AF_ENCAP;
+ gw->sen_type = SENT_IPSP;
+ gw->sen_ipsp_dst.s_addr = dst.s_addr;
+ gw->sen_ipsp_spi = spi;
+ gw->sen_ipsp_sproto = proto;
+ }
+
+ msk->sen_len = SENT_IP4_LEN;
+ msk->sen_family = AF_ENCAP;
+ msk->sen_type = SENT_IP4;
+ msk->sen_ip_src.s_addr = osmask.s_addr;
+ msk->sen_ip_dst.s_addr = odmask.s_addr;
+
+ rtm->rtm_msglen = sizeof(*rtm) + ddst->sen_len +
+ (delete ? 0 : gw->sen_len) + msk->sen_len;
+
+ if (write(sd, (caddr_t) buf, rtm->rtm_msglen) == -1) {
+ perror("write");
+ error = 1;
+ }
+
+ /* Additionally create/delete a flow for local packets */
+ if (local) {
+ ddst->sen_ip_src.s_addr = INADDR_ANY;
+ msk->sen_ip_src.s_addr = INADDR_BROADCAST;
+ if (write(sd, (caddr_t) buf, rtm->rtm_msglen) == -1) {
+ perror("write");
+ error = 1;
+ }
+ }
+ return (error ? 0 : 1);
+}
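Review bot: The routing socket opened by `sd = socket(PF_ROUTE, SOCK_RAW, AF_UNSPEC);` is never closed: both the success and the write-failure paths reach `return (error ? 0 : 1);` with `sd` still open, so every flow added or deleted in one process leaks a descriptor. Adding `close(sd);` immediately before that final return fixes it. Separately, the two `write` calls treat any non-negative return as success; for a routing socket a short write is unlikely, but comparing the result against `rtm->rtm_msglen` would make the error path explicit.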
diff --git a/sbin/ipsecadm/xf_grp.c b/sbin/ipsecadm/xf_grp.c
new file mode 100644
index 00000000000..25e997a5003
--- /dev/null
+++ b/sbin/ipsecadm/xf_grp.c
@@ -0,0 +1,94 @@
+/* $OpenBSD: xf_grp.c,v 1.1 1998/11/14 23:37:21 deraadt Exp $ */
+/*
+ * The authors of this code are John Ioannidis (ji@tla.org),
+ * Angelos D. Keromytis (kermit@csd.uch.gr) and
+ * Niels Provos (provos@physnet.uni-hamburg.de).
+ *
+ * This code was written by John Ioannidis for BSD/OS in Athens, Greece,
+ * in November 1995.
+ *
+ * Ported to OpenBSD and NetBSD, with additional transforms, in December 1996,
+ * by Angelos D. Keromytis.
+ *
+ * Additional transforms and features in 1997 and 1998 by Angelos D. Keromytis
+ * and Niels Provos.
+ *
+ * Copyright (C) 1995, 1996, 1997, 1998 by John Ioannidis, Angelos D. Keromytis
+ * and Niels Provos.
+ *
+ * Permission to use, copy, and modify this software without fee
+ * is hereby granted, provided that this entire notice is included in
+ * all copies of any software which is or includes a copy or
+ * modification of this software.
+ * You may use this code under the GNU public license if you so wish. Please
+ * contribute changes back to the authors under this freer than GPL license
+ * so that we may further the use of strong encryption without limitations to
+ * all.
+ *
+ * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR
+ * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY
+ * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE
+ * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR
+ * PURPOSE.
+ */
+
+#include <sys/param.h>
+#include <sys/file.h>
+#include <sys/socket.h>
+#include <sys/ioctl.h>
+#include <sys/mbuf.h>
+#include <sys/sysctl.h>
+
+#include <net/if.h>
+#include <net/route.h>
+#include <net/if_dl.h>
+#include <netinet/in.h>
+#include <netns/ns.h>
+#include <netiso/iso.h>
+#include <netccitt/x25.h>
+#include <arpa/inet.h>
+#include <netdb.h>
+
+#include <errno.h>
+#include <unistd.h>
+#include <stdio.h>
+#include <ctype.h>
+#include <stdlib.h>
+#include <string.h>
+#include <paths.h>
+#include "net/encap.h"
+#include "netinet/ip_ipsp.h"
+
+extern char buf[];
+
+int xf_set __P(( struct encap_msghdr *));
+int x2i __P((char *));
+
+int
+xf_grp(dst, spi, proto, dst2, spi2, proto2)
+struct in_addr dst, dst2;
+u_int32_t spi, spi2;
+int proto, proto2;
+{
+ struct encap_msghdr *em;
+
+ bzero(buf, EMT_GRPSPIS_FLEN);
+
+ em = (struct encap_msghdr *)&buf[0];
+
+ em->em_msglen = EMT_GRPSPIS_FLEN;
+ em->em_version = PFENCAP_VERSION_1;
+ em->em_type = EMT_GRPSPIS;
+
+ em->em_rel_spi = spi;
+ em->em_rel_dst = dst;
+ em->em_rel_sproto = proto;
+
+ em->em_rel_spi2 = spi2;
+ em->em_rel_dst2 = dst2;
+ em->em_rel_sproto2 = proto2;
+
+ return xf_set(em);
+}
+
+
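Review bot: The prototype `int x2i __P((char *));` is declared here but nothing in this file calls it; the same unused declaration appears in xf_ip4.c. The `<netns/ns.h>`, `<netiso/iso.h>` and `<netccitt/x25.h>` includes are likewise not referenced by any code in this hunk, so the per-transform files carry dependencies they do not use. Dropping the unused prototype and trimming the include list to what the code actually needs would make each file's interface honest.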
diff --git a/sbin/ipsecadm/xf_ip4.c b/sbin/ipsecadm/xf_ip4.c
new file mode 100644
index 00000000000..8a2d073a76f
--- /dev/null
+++ b/sbin/ipsecadm/xf_ip4.c
@@ -0,0 +1,92 @@
+/* $OpenBSD: xf_ip4.c,v 1.1 1998/11/14 23:37:21 deraadt Exp $ */
+/*
+ * The authors of this code are John Ioannidis (ji@tla.org),
+ * Angelos D. Keromytis (kermit@csd.uch.gr) and
+ * Niels Provos (provos@physnet.uni-hamburg.de).
+ *
+ * This code was written by John Ioannidis for BSD/OS in Athens, Greece,
+ * in November 1995.
+ *
+ * Ported to OpenBSD and NetBSD, with additional transforms, in December 1996,
+ * by Angelos D. Keromytis.
+ *
+ * Additional transforms and features in 1997 and 1998 by Angelos D. Keromytis
+ * and Niels Provos.
+ *
+ * Copyright (C) 1995, 1996, 1997, 1998 by John Ioannidis, Angelos D. Keromytis
+ * and Niels Provos.
+ *
+ * Permission to use, copy, and modify this software without fee
+ * is hereby granted, provided that this entire notice is included in
+ * all copies of any software which is or includes a copy or
+ * modification of this software.
+ * You may use this code under the GNU public license if you so wish. Please
+ * contribute changes back to the authors under this freer than GPL license
+ * so that we may further the use of strong encryption without limitations to
+ * all.
+ *
+ * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR
+ * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY
+ * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE
+ * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR
+ * PURPOSE.
+ */
+
+#include <sys/param.h>
+#include <sys/file.h>
+#include <sys/socket.h>
+#include <sys/ioctl.h>
+#include <sys/mbuf.h>
+#include <sys/sysctl.h>
+
+#include <net/if.h>
+#include <net/route.h>
+#include <net/if_dl.h>
+#include <netinet/in.h>
+#include <netns/ns.h>
+#include <netiso/iso.h>
+#include <netccitt/x25.h>
+#include <arpa/inet.h>
+#include <netdb.h>
+
+#include <errno.h>
+#include <unistd.h>
+#include <stdio.h>
+#include <ctype.h>
+#include <stdlib.h>
+#include <string.h>
+#include <paths.h>
+#include "net/encap.h"
+#include "netinet/ip_ipsp.h"
+
+extern char buf[];
+
+int xf_set __P(( struct encap_msghdr *));
+int x2i __P((char *));
+
+int
+xf_ip4(src, dst, spi, osrc, odst)
+struct in_addr src, dst;
+u_int32_t spi;
+struct in_addr osrc, odst;
+{
+ struct encap_msghdr *em;
+
+ em = (struct encap_msghdr *)&buf[0];
+
+ em->em_msglen = EMT_SETSPI_FLEN + 1;
+
+ em->em_version = PFENCAP_VERSION_1;
+ em->em_type = EMT_SETSPI;
+ em->em_sproto = IPPROTO_IPIP;
+ em->em_spi = spi;
+ em->em_src = src;
+ em->em_dst = dst;
+ em->em_osrc = osrc;
+ em->em_odst = odst;
+ em->em_alg = XF_IP4;
+
+ return xf_set(em);
+}
+
+
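Review bot: The message length `em->em_msglen = EMT_SETSPI_FLEN + 1;` carries an unexplained `+ 1`, and the one `em_dat` byte it accounts for is never written, so it is sent with whatever `buf` last held. If the extra byte is required by the kernel's SETSPI handling even though the IP4 transform carries no transform data, say so in a comment such as `/* one byte of em_dat is included because <reason> -- confirm against the kernel's EMT_SETSPI parser */` and pin its value with `bzero(buf, EMT_SETSPI_FLEN + 1);` before the assignments. I cannot confirm the reason from the files in this commit, so the comment text above is a placeholder to be filled in by someone who can.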