author | Angelos D. Keromytis <angelos@cvs.openbsd.org> | 2000-04-22 02:04:24 +0000 |
---|---|---|
committer | Angelos D. Keromytis <angelos@cvs.openbsd.org> | 2000-04-22 02:04:24 +0000 |
commit | 39daeeadd16f12c9a735eb0fb0f0c6e611407583 (patch) | |
tree | 03af0a4d70a279abc311e34a8d4f3cc662128080 /share/man/man8 | |
parent | 4b01db585bd101d9d55938f15f3e7b504f9d23d0 (diff) |
Change the example to use -keyfile/-authkeyfile, add a sentence on why
-key/-authkey are somewhat risky (command line snooping).
Diffstat (limited to 'share/man/man8')
-rw-r--r-- | share/man/man8/vpn.8 | 24 |
1 files changed, 17 insertions, 7 deletions
diff --git a/share/man/man8/vpn.8 b/share/man/man8/vpn.8 index 020aaa90dfb..ac862e6281a 100644 --- a/share/man/man8/vpn.8 +++ b/share/man/man8/vpn.8 @@ -1,4 +1,4 @@ -.\" $OpenBSD: vpn.8,v 1.31 2000/04/21 21:37:49 deraadt Exp $ +.\" $OpenBSD: vpn.8,v 1.32 2000/04/22 02:04:23 angelos Exp $ .\" Copyright 1998 Niels Provos <provos@physnet.uni-hamburg.de> .\" All rights reserved. .\" @@ -139,14 +139,24 @@ must be defined on each end of the VPN, e.g.: ipsecadm new esp -spi SPI_OUT -src A_EXTERNAL_IP -dst B_EXTERNAL_IP -forcetunnel -enc 3des -auth sha1 - -key ENCRYPTION_KEY -authkey AUTHENTICATION_KEY + -keyfile ENCRYPTION_KEY_FILE -authkeyfile AUTHENTICATION_KEY_FILE ipsecadm new esp -spi SPI_IN -src B_EXTERNAL_IP -dst A_EXTERNAL_IP -forcetunnel -enc 3des -auth sha1 - -key ENCRYPTION_KEY -authkey AUTHENTICATION_KEY + -keyfile ENCRYPTION_KEY_FILE -authkeyfile AUTHENTICATION_KEY_FILE .Ed .Pp +Note that the +.Fl key +and +.Fl authkey +may be used to specify the keys directly in the +.Xr ipsecadm 8 +command line. However, another user could view the files by using the +.Xr ps 1 +command at the appropriate time (or use a program for doing so). +.Pp .Ss Creating IPSec Flows Both IPsec gateways need to configure .Xr ipsec 4 
@@ -289,15 +299,15 @@ c9fff55b501206a6607fb45c392c5e1568db2aaf Create the Security Associations (on both endpoints): .Pp .Bd -literal +# echo 596a96cc7bf9108cd896f33c44aedc8aa8acf0b8c74acd62 > enc_key +# echo c9fff55b501206a6607fb45c392c5e1568db2aaf > auth_key # /sbin/ipsecadm new esp -src 192.168.2.1 -dst 192.168.1.254 \e\ -forcetunnel -spi 1000 -enc 3des -auth sha1 \e\ - -key 596a96cc7bf9108cd896f33c44aedc8aa8acf0b8c74acd62 \e\ - -authkey c9fff55b501206a6607fb45c392c5e1568db2aaf + -keyfile enc_key -authkeyfile auth_key # /sbin/ipsecadm new esp -src 192.168.1.254 -dst 192.168.2.1 \e\ -forcetunnel -spi 1001 -enc 3des -auth sha1 \e\ - -key 596a96cc7bf9108cd896f33c44aedc8aa8acf0b8c74acd62 \e\ - -authkey c9fff55b501206a6607fb45c392c5e1568db2aaf + -keyfile enc_key -authkeyfile auth_key .Ed .Pp .It |
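Review bot: In the paragraph added after the ipsecadm example in the `@@ -139,14 +139,24 @@` hunk, "another user could view the files by using the ps(1) command" should read "view the keys", because what ps exposes is the command-line arguments, not a file. This sentence is the whole rationale for moving to -keyfile/-authkeyfile, so the wording needs to be right. The opening "Note that the .Fl key and .Fl authkey may be used" is also missing its noun; suggest "the .Fl key and .Fl authkey options". The paragraph would be complete with one more sentence saying that ENCRYPTION_KEY_FILE and AUTHENTICATION_KEY_FILE should be readable only by the user running ipsecadm, since otherwise the exposure just moves from the process list to the filesystem.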
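Review bot: The two added echo lines at the top of the `@@ -289,15 +299,15 @@` hunk create enc_key and auth_key in the current directory with whatever permissions the umask gives, so a reader following the example can end up with the encryption and authentication keys readable by other local users, which is the kind of exposure this change is meant to avoid. Suggest putting `umask 077` before the echo lines, or `chmod 600 enc_key auth_key` after them, and giving -keyfile/-authkeyfile an absolute path so the two ipsecadm commands do not depend on the working directory they are run from.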