author | Jason McIntyre <jmc@cvs.openbsd.org> | 2006-08-30 14:16:01 +0000 |
---|---|---|
committer | Jason McIntyre <jmc@cvs.openbsd.org> | 2006-08-30 14:16:01 +0000 |
commit | dbc58bf999ca12688d2e1b22d4bbd20ed02ec90d (patch) | |
tree | 774461500c7b858587c3bc0b955cc4a7d7edf646 /sbin | |
parent | 2e3140aaba70ccb8c15f47c7b16456743435d5ca (diff) |
some tcp md5 bits;
Diffstat (limited to 'sbin')
-rw-r--r-- | sbin/ipsecctl/ipsec.conf.5 | 31 |
1 files changed, 16 insertions, 15 deletions
diff --git a/sbin/ipsecctl/ipsec.conf.5 b/sbin/ipsecctl/ipsec.conf.5 index 32fdb412810..18fc19c9026 100644 --- a/sbin/ipsecctl/ipsec.conf.5 +++ b/sbin/ipsecctl/ipsec.conf.5 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ipsec.conf.5,v 1.72 2006/08/30 14:08:11 jmc Exp $ +.\" $OpenBSD: ipsec.conf.5,v 1.73 2006/08/30 14:16:00 jmc Exp $ .\" .\" Copyright (c) 2004 Mathieu Sauve-Frankel All rights reserved. .\" @@ -510,6 +510,16 @@ Some examples to set up SAs: esp from 192.168.3.14 to 192.168.3.12 spi 0xdeadbeef:0xbeefdead \e auth hmac-sha2-256 enc aesctr authkey file "auth14:auth12" \e enckey file "enc14:enc12" + +Some examples to set up TCP MD5 signatures: + +# Set up keys for TCP MD5 signatures +tcpmd5 from 192.168.3.14 to 192.168.3.27 spi 0x1000:0x1001 \e + authkey 0xdeadbeef:0xbeefdead + +# Set up keys for TCP MD5 signatures; read keys from files +tcpmd5 from 192.168.3.14 to 192.168.3.27 spi 0x1000:0x1001 \e + authkey file "/path/to/key1:/path/to/key2" .Ed .Pp The following rules enter SAs in the SADB: @@ -523,6 +533,8 @@ Enter an AH SA. .\"Enter an IPCOMP SA. .It Ic ipip Enter an IPIP pseudo SA. +.It Ic tcpmd5 +Enter a TCP MD5 SA. .El .Pp Parameters specify the peers, Security Parameter Index (SPI), @@ -666,20 +678,6 @@ The encryption key is defined similarly to .Aq Ar keyspec .Xc .Pp -RFC 2385 describes a mechanism to protect -.Xr tcp 4 -sessions using MD5. -Some examples to set up TCP MD5 signatures: -.Bd -literal -offset 3n -# Set up keys for TCP MD5 signatures -tcpmd5 from 192.168.3.14 to 192.168.3.27 spi 0x1000:0x1001 \e - authkey 0xdeadbeef:0xbeefdead - -# Set up keys for TCP MD5 signatures; read keys from files -tcpmd5 from 192.168.3.14 to 192.168.3.27 spi 0x1000:0x1001 \e - authkey file "/path/to/key1:/path/to/key2" -.Ed -.Pp This rule applies for packets with source address .Aq Ar src and destination address 
@@ -692,6 +690,9 @@ The encryption key is defined similarly to .Pp For details on how to enable TCP MD5 signatures see .Xr tcp 4 . +The mechanism of protecting +.Xr tcp 4 +sessions using MD5 is described in RFC 2385. .El .Sh CRYPTO KEY SIZE Different cipher types may require different sized keys: |
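Review bot: In the hunk at @@ -510,6 +510,16 @@ the added line "Some examples to set up TCP MD5 signatures:" sits between the esp example and .Ed with no macro around it, so it becomes part of the literal display and will render as verbatim text. In the lines removed at @@ -666,20 +678,6 @@ the same sentence stood before ".Bd -literal -offset 3n" as running text. Either make it a "#" comment like the two example headers that follow it, or close the display with .Ed, put the sentence after a .Pp, and open a new .Bd for the tcpmd5 rules. In the same hunk the first example writes the key directly in the rule as "authkey 0xdeadbeef:0xbeefdead", a four-byte value per direction; since examples in a manual page get copied, consider listing the "authkey file" form first so the inline form reads as the alternative.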
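Review bot: In the hunk at @@ -692,6 +690,9 @@ the added sentence repeats the .Xr tcp 4 reference that the preceding context line already gives ("For details on how to enable TCP MD5 signatures see .Xr tcp 4 ."), and "The mechanism of protecting ... sessions using MD5" is wordier than the text it replaces. A single sentence without the second cross-reference, for example "TCP MD5 signatures are described in RFC 2385.", carries the same information and keeps the RFC pointer next to the enabling instructions.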