document recent changes

ok deraadt

2 files changed, 167 insertions, 4 deletions

diff --git a/sbin/ipsecctl/ipsec.conf.5 b/sbin/ipsecctl/ipsec.conf.5
index bce38a2fabb..815e054202a 100644
--- a/sbin/ipsecctl/ipsec.conf.5
+++ b/sbin/ipsecctl/ipsec.conf.5
@@ -1,4 +1,4 @@
-.\"	$OpenBSD: ipsec.conf.5,v 1.17 2005/08/22 04:27:18 david Exp $
+.\"	$OpenBSD: ipsec.conf.5,v 1.18 2005/08/22 22:10:02 hshoexer Exp $
 .\"
 .\" Copyright (c) 2004 Mathieu Sauve-Frankel  All rights reserved.
 .\"
@@ -224,6 +224,151 @@ will then generate the matching incoming SA using the second values for
 .Ar authkey ,
 and
 .Ar enckey .
+.Sh AUTOMATIC KEYING USING ISAKMP/IKE
+Rules can also specify IPsec flows and SAs to be established automatically by
+.Xr isakmpd 8 .
+This is accomplished by the following rule:
+.Bl -tag -width xxxx
+.It Ic ike esp
+Creates an IPsec tunnel using ESP.
+.El
+.Pp
+Note that AH and transport mode are not yet supported.
+See
+.Xr isakmpd 8
+for details on ISAKMP/IKE.
+.Pp
+Parameters specify the packets that will go through the tunnel and which
+cryptographic transforms are used for
+.Xr isakmpd 8 .
+Some parameters are optional.
+.Bl -tag -width xxxx
+.It Xo
+.Ar passive
+.Xc
+When
+.Ar passive
+is specified
+.Xr isakmpd 8
+will not immediately start negotiation of this tunnel, but wait for an incoming
+request of the remote peer.
+If not specified,
+.Xr isakmpd 8
+will start negotiation at once.
+.It Xo
+.Ar from
+.Aq Ar src
+.Ar to
+.Aq Ar dst
+.Ar peer
+.Aq Ar remote
+.Xc
+This rule applies for packets with source address
+.Aq Ar src
+and destination address
+.Aq Ar dst .
+All addresses are specified in CIDR notation.
+The
+.Ar peer
+parameter specifies the address of the remote endpoint of this particular
+flow.
+For host-to-host connections where
+.Aq Ar dst
+is identical to
+.Aq Ar remote ,
+the
+.Ar peer
+specification can be left out.
+.It Xo
+.Ar main auth
+.Aq Ar algorithm
+.Ar enc
+.Aq Ar algorithm
+.Xc
+These paramters define the cryptographic transforms to be used for main mode.
+Possible values for
+.Aq Ar auth
+are
+.Ar sha1
+and
+.Ar md5 .
+For
+.Aq Ar enc
+the values
+.Ar des ,
+.Ar 3des ,
+.Ar aes,
+.Ar blowfish
+and
+.Ar cast
+are allowed.
+If omitted,
+.Xr isakmpd 8
+will use the default values
+.Aq Ar sha1
+and
+.Aq Ar 3des .
+.It Xo
+.Ar quick auth
+.Aq Ar algorithm
+.Ar enc
+.Aq Ar algorithm
+.Xc
+Similar to
+.Ar main
+.Ar quick
+defines the transforms to be used for quick mode.
+However, the possible values for
+.Aq Ar auth
+are
+.Ar hmac-md5 ,
+.Ar hmac-sha1 ,
+.Ar hmac-ripemd160 ,
+.Ar hmac-sha2-256 ,
+.Ar hmac-sha2-384
+and
+.Ar hmac-sha2-512 .
+For
+.Ar enc
+valid values are again
+.Ar des ,
+.Ar 3des ,
+.Ar aes,
+.Ar blowfish
+and
+.Ar cast .
+If no quick mode transforms are specified
+the default values
+.Ar hmac-sha2-256
+and
+.Ar aes
+are choosen.
+.It Xo
+.Ar srcid
+.Aq Ar fqdn
+.Xc
+This optional parameter defines a FQDN that will be used by
+.Xr isakmpd 8
+as identity of the local peer.
+.It Xo
+.Ar dstid
+.Aq Ar fqdn
+.Xc
+Similar to
+.Ar srcid
+this optional parameter defines a FQDN to be used by the remote peer.
+.El
+.Pp
+Note that
+.Xr isamkpd 8
+will use RSA authentication.
+By default, the system startup script
+.Xr rc 8
+generates a key-pair when starting, if one does not already exist.
+.Pp
+See also
+.Sx ISAKMP EXAMPLES
+below .
 .Sh TCP MD5 SIGNATURES
 RFC 2385 describes a mechanism to protect
 .Xr tcp 4
@@ -297,7 +442,10 @@ flow esp in  from 192.168.8.0/24 to 192.168.7.0/24 peer 192.168.3.12
 esp from 192.168.3.14 to 192.168.3.12 spi 0xdeadbeef:0xbeefdead \e
 	auth hmac-sha2-256 enc aesctr authkey file "auth14:auth12" \e
 	enckey file "enc14:enc12"
+.Ed
 
+.Sh TCPMD5 EXAMPLES
+.Bd -literal
 # Set up keys for TCP MD5 signatures
 tcpmd5 from 192.168.3.14 to 192.168.3.27 spi 0x1000:0x1001 \e
 	authkey 0xdeadbeef:0xbeefdead
@@ -306,6 +454,15 @@ tcpmd5 from 192.168.3.14 to 192.168.3.27 spi 0x1000:0x1001 \e
 tcpmd5 from 192.168.3.14 to 192.168.3.27 spi 0x1000:0x1001 \e
 	authkey file "/path/to/key1:/path/to/key2"
 .Ed
+.Sh ISAKMP EXAMPLES
+.Bd -literal
+# Set up two tunnels:
+# First between the networks 10.1.1.0/24 and 10.1.2.0/24.
+# Second between the machines 192.168.3.1 and 192.168.3.2
+
+ike esp from 10.1.1.0/24 to 10.1.2.0/24 peer 192.168.3.2
+ike esp from 192.168.3.1 to 192.168.3.2
+.Ed
 .Sh SEE ALSO
 .Xr ipsec 4 ,
 .Xr tcp 4 ,
diff --git a/sbin/ipsecctl/ipsecctl.8 b/sbin/ipsecctl/ipsecctl.8
index 466fb8ead47..3445c4fb59c 100644
--- a/sbin/ipsecctl/ipsecctl.8
+++ b/sbin/ipsecctl/ipsecctl.8
@@ -1,4 +1,4 @@
-.\"	$OpenBSD: ipsecctl.8,v 1.13 2005/07/10 07:11:37 jmc Exp $
+.\"	$OpenBSD: ipsecctl.8,v 1.14 2005/08/22 22:10:02 hshoexer Exp $
 .\"
 .\" Copyright (c) 2004, 2005 Hans-Joerg Hoexer <hshoexer@openbsd.org>
 .\"
@@ -30,10 +30,15 @@ The
 .Nm
 utility controls flows that determine which packets are to be processed by
 IPsec.
-It allows ruleset configuration and retrieval of status information from the
+It allows ruleset configuration, and retrieval of status information from the
 kernel's SPD (Security Policy Database) and SADB (Security Association
 Database).
 .Pp
+It also can control
+.Xr isakmpd 8
+and establish tunnels using automatic keying with
+.Xr isakmpd 8 .
+.Pp
 Additionally,
 .Nm
 can be used to configure the SADB for use with TCP MD5
@@ -96,7 +101,8 @@ will produce even more verbose output.
 .Sh SEE ALSO
 .Xr ipsec 4 ,
 .Xr tcp 4 ,
-.Xr ipsec.conf 5
+.Xr ipsec.conf 5 ,
+.Xr isakmpd 8
 .\" .Sh STANDARDS
 .\" .Sh HISTORY
 .\" .Sh AUTHORS