-rw-r--r--sbin/ipsec/ipsecadm/Makefile3
-rw-r--r--sbin/ipsec/ipsecadm/ipsecadm.1183
-rw-r--r--sbin/ipsec/ipsecadm/ipsecadm.c17
3 files changed, 199 insertions, 4 deletions
diff --git a/sbin/ipsec/ipsecadm/Makefile b/sbin/ipsec/ipsecadm/Makefile
index 6d490bc2e3d..0ece7294427 100644
--- a/sbin/ipsec/ipsecadm/Makefile
+++ b/sbin/ipsec/ipsecadm/Makefile
@@ -1,8 +1,7 @@
-# $OpenBSD: Makefile,v 1.5 1997/08/26 12:04:34 provos Exp $
+# $OpenBSD: Makefile,v 1.6 1997/08/26 17:19:05 provos Exp $
PROG= ipsecadm
SRCS= ipsecadm.c kernel.c xf_esp_new.c xf_esp_old.c xf_ah_old.c xf_ah_new.c \
xf_delspi.c xf_grp.c
-NOMAN=
.include <bsd.prog.mk>
diff --git a/sbin/ipsec/ipsecadm/ipsecadm.1 b/sbin/ipsec/ipsecadm/ipsecadm.1
new file mode 100644
index 00000000000..6bd0fda59cf
--- /dev/null
+++ b/sbin/ipsec/ipsecadm/ipsecadm.1
@@ -0,0 +1,183 @@
+.\" $OpenBSD: ipsecadm.1,v 1.1 1997/08/26 17:19:06 provos Exp $
+.\" Copyright 1997 Niels Provos <provos@physnet.uni-hamburg.de>
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\" 3. All advertising materials mentioning features or use of this software
+.\" must display the following acknowledgement:
+.\" This product includes software developed by Niels Provos.
+.\" 4. The name of the author may not be used to endorse or promote products
+.\" derived from this software without specific prior written permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+.\"
+.\" Manual page, using -mandoc macros
+.\"
+.Dd August 26, 1997
+.Dt IPSECADM 1
+.Os
+.Sh NAME
+.Nm ipsecadm
+.Nd interface to setup IPSec
+.Sh SYNOPSIS
+.Nm ipsecadm
+.Op command
+.Ar modifiers ...
+.Sh DESCRIPTION
+The
+.Nm ipsecadm
+utility allows to setup securtiy associations in the kernel
+to be used with
+.Xr ipsec 4 .
+It can be used to specifiy the encryption and authentication
+alogrithmns and key material for the network layer security
+provided by IPSec.
+The possible commands are:
+.Pp
+.Bl -tag -width new_esp
+.It new esp
+Setup a SPI which uses the new esp transforms.
+Encryption and authentication algorithmns can be applied.
+This is the default mode.
+Allowed
+modifiers are:
+.Fl dst ,
+.Fl src ,
+.Fl spi ,
+.Fl enc ,
+.Fl auth ,
+.Fl iv
+and
+.Fl key .
+.It old esp
+Setup a SPI which uses the old esp transforms. Only
+encryption algorithmns can be applied. Allowed modifiers are:
+.Fl dst ,
+.Fl src ,
+.Fl spi ,
+.Fl enc ,
+.Fl iv
+and
+.Fl key .
+.It new ah
+Setup a SPI which uses the new ah transforms. Authentication
+will be done with HMAC using the specified hash algorithm. Allowed modifiers
+are:
+.Fl dst ,
+.Fl src ,
+.Fl spi ,
+.Fl auth ,
+and
+.Fl key .
+.It old ah
+Setup a SPI which uses the old ah transforms. Simple keyed
+hashes will be used for authentication. Allowed modifiers are:
+.Fl dst ,
+.Fl src ,
+.Fl spi ,
+.Fl auth ,
+and
+.Fl key .
+.It delspi
+The specified SA will be deleted. A SA consists of the
+destination address, SPI and security protocol. Allowed modifiers are:
+.Fl dst ,
+.Fl spi ,
+.Fl proto .
+and
+.Fl chain .
+.It group
+Group two SA's together. Allowed modifiers are:
+.Fl dst ,
+.Fl spi ,
+.Fl proto ,
+.Fl dst2 ,
+.Fl spi2 ,
+and
+.Fl proto2 .
+.El
+.Pp
+The modifiers have the following meanings:
+.Bl -tag -width proto2 -offset indent
+.It src
+The source IP address for the SPI.
+.It dst
+The destination IP address for the SPI.
+.It spi
+The unique Security Parameter Index (SPI).
+.It enc
+The encryption algorithm to be used with the SPI. Possible values
+are:
+.Nm des
+and
+.Nm 3des
+for both old and new esp.
+.It auth
+The authentication algorithm to be used with the SPI. Possible values
+are:
+.Nm md5
+and
+.Nm sha1
+for both old and new ah and also new esp.
+.It key
+The secret symmetric key used for encryption and authentication. The size
+for
+.Nm des
+and
+.Nm 3des
+is fixed to 8 and 24 respectivly. If you also use authentication in new
+esp mode the key has to be longer.
+.It iv
+The initialization vector used for encryption. In old esp mode you need
+to specify it as either four or eight byte long value, in new esp mode
+a derived iv will be used when none is specified.
+.It proto
+The security protocol needed by
+.Nm delspi
+or
+.Nm group
+to uniquely specifiy the SA.
+The default value is 50 which means
+.Nm IPPROTO_ESP .
+.It chain
+Delete the whole SPI chain, otherwise delete only the SPI given.
+.It dst2
+The second IP destination address used by
+.Nm group .
+.It spi2
+The second SPI used by
+.Nm group .
+.It proto2
+The second security protocol used by
+.Nm group .
+.El
+.Sh EXAMPLE
+Setup a SPI which uses new esp with 3des encryption and HMAC-SHA1
+authentication:
+.Pp
+ipsecadm -enc 3des -auth sha1 -spi 1001 -dst 169.20.12.2 -src 169.20.12.3
+-key 6380638063806380638063806380638063806380638063806380638063806380
+.Pp
+Setup a SPI for authentication with old ah only:
+.Pp
+ipsecadm old ah -auth md5 -spi 1001 -dst 169.20.12.2 -src 169.20.12.3
+-key 12341234deadbeef
+.Sh SEE ALSO
+.Xr ipsec 4 ,
+.Xr photurisd 1 .
diff --git a/sbin/ipsec/ipsecadm/ipsecadm.c b/sbin/ipsec/ipsecadm/ipsecadm.c
index 765500e6c31..7d63744a716 100644
--- a/sbin/ipsec/ipsecadm/ipsecadm.c
+++ b/sbin/ipsec/ipsecadm/ipsecadm.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ipsecadm.c,v 1.6 1997/08/26 12:04:35 provos Exp $ */
+/* $OpenBSD: ipsecadm.c,v 1.7 1997/08/26 17:19:06 provos Exp $ */
/*
* The author of this code is John Ioannidis, ji@tla.org,
* (except when noted otherwise).
@@ -120,7 +120,20 @@ isvalid(char *option, int type, int mode)
void
usage()
{
- fprintf( stderr, "usage: ipsecadm [new|old] [esp|ah] <options...>\n\n" );
+ fprintf( stderr, "usage: ipsecadm [command] <modifier...>\n"
+ "\tCommands: new esp, old esp, new ah, old ah, group, delspi\n"
+ "\tPossible modifiers:\n"
+ "\t\t-enc <alg>\t encryption algorithm\n"
+ "\t\t-auth <alg>\t authentication algorithm\n"
+ "\t\t-src <ip>\t source address to be used\n"
+ "\t\t-dst <ip>\t destination address to be used\n"
+ "\t\t-spi <val>\t SPI to be used\n"
+ "\t\t-key <val>\t key material to be used\n"
+ "\t\t-iv <val>\t iv to be used\n"
+ "\t\t-proto <val>\t security protocol\n"
+ "\t\t-chain\t\t SPI chain delete\n"
+ "\talso: dst2, spi2, proto2\n"
+ );
}
int
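Review bot: The new usage text advertises `-key <val>` and `-iv <val>` but says nothing about the expected value format or about the fact that secret key material supplied as a command-line argument is generally visible to other local users through the process argument list (ps) and may be retained in shell history; neither this usage text nor the man page added in the same commit mentions it. Since this is the only text an operator sees before typing a key, a one-line warning is cheap, e.g. `"\tNote: -key/-iv values are hex strings and are exposed in the process argument list (ps) while ipsecadm runs\n"` — the hex format is inferred from the man page examples, so confirm it against the option parser, which lies outside this hunk. A smaller style point: the trailing `"\talso: dst2, spi2, proto2\n"` drops the leading dash that the man page uses for these modifiers (`-dst2`, `-spi2`, `-proto2`), so `"\t\t-dst2 <ip> -spi2 <val> -proto2 <val>\t second SA for group\n"` would be consistent with the other lines.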