summaryrefslogtreecommitdiff
path: root/sbin/ipsecadm
diff options
context:
space:
mode:
Diffstat (limited to 'sbin/ipsecadm')
-rw-r--r--sbin/ipsecadm/ipsecadm.8161
1 files changed, 97 insertions, 64 deletions
diff --git a/sbin/ipsecadm/ipsecadm.8 b/sbin/ipsecadm/ipsecadm.8
index 34437cfa36f..e9eed806137 100644
--- a/sbin/ipsecadm/ipsecadm.8
+++ b/sbin/ipsecadm/ipsecadm.8
@@ -1,4 +1,5 @@
-.\" $OpenBSD: ipsecadm.8,v 1.20 2000/01/13 04:48:55 angelos Exp $
+.\" $OpenBSD: ipsecadm.8,v 1.21 2000/03/18 22:55:59 aaron Exp $
+.\"
.\" Copyright 1997 Niels Provos <provos@physnet.uni-hamburg.de>
.\" All rights reserved.
.\"
@@ -85,8 +86,9 @@ modifiers are:
and
.Fl key .
.It old esp
-Setup a SA which uses the old esp transforms. Only
-encryption algorithms can be applied. Allowed modifiers are:
+Setup a SA which uses the old esp transforms.
+Only encryption algorithms can be applied.
+Allowed modifiers are:
.Fl dst ,
.Fl src ,
.Fl proxy ,
@@ -97,9 +99,9 @@ encryption algorithms can be applied. Allowed modifiers are:
and
.Fl key .
.It new ah
-Setup a SA which uses the new ah transforms. Authentication
-will be done with HMAC using the specified hash algorithm. Allowed modifiers
-are:
+Setup a SA which uses the new ah transforms.
+Authentication will be done with HMAC using the specified hash algorithm.
+Allowed modifiers are:
.Fl dst ,
.Fl src ,
.Fl proxy ,
@@ -109,8 +111,9 @@ are:
and
.Fl key .
.It old ah
-Setup a SA which uses the old ah transforms. Simple keyed
-hashes will be used for authentication. Allowed modifiers are:
+Setup a SA which uses the old ah transforms.
+Simple keyed hashes will be used for authentication.
+Allowed modifiers are:
.Fl dst ,
.Fl src ,
.Fl proxy ,
@@ -120,12 +123,16 @@ hashes will be used for authentication. Allowed modifiers are:
and
.Fl key .
.It ip4
-Setup an SA which uses the IP-in-IP encapsulation protocol. This mode
+Setup an SA which uses the IP-in-IP encapsulation protocol.
+This mode
offers no security services by itself, but can be used to route other
-(experimental or otherwise) protocols over an IP network. The SPI value
+(experimental or otherwise) protocols over an IP network.
+The SPI value
is not used for anything other than referencing the information, and
-does not appear on the wire. Unlike other setups, like new esp, there
-is no necessary setup in the receiving side. Allowed modifiers are:
+does not appear on the wire.
+Unlike other setups, like new esp, there
+is no necessary setup in the receiving side.
+Allowed modifiers are:
.Fl dst ,
.Fl src ,
and
@@ -135,11 +142,12 @@ The specified SA will be deleted.
Allowed modifiers are:
.Fl dst ,
.Fl spi ,
-.Fl proto .
+.Fl proto ,
and
.Fl chain .
.It group
-Group two SAs together. Allowed modifiers are:
+Group two SAs together.
+Allowed modifiers are:
.Fl dst ,
.Fl spi ,
.Fl proto ,
@@ -165,7 +173,8 @@ and
.Fl bypass .
The
.Xr netstat 1
-command shows the existing egress (outbound) flows. A
+command shows the existing egress (outbound) flows.
+A
.Nm bypass
flow is used to specify a flow for which IPSec processing will be
bypassed, i.e packets will not be processed by any SAs.
@@ -199,8 +208,10 @@ and
This can be useful while travelling where the IP address of potential
clients is not known.
.It flush
-Flush SAs from from kernel. This includes flushing any flows and
-routing entries associated with the SAs. Allowed modifiers are:
+Flush SAs from from kernel.
+This includes flushing any flows and
+routing entries associated with the SAs.
+Allowed modifiers are:
.Fl ah ,
.Fl esp ,
.Fl oldah ,
@@ -218,114 +229,134 @@ defaults to new esp mode.
The modifiers have the following meanings:
.Bl -tag -width forcetunnel -offset indent
.It src
-The source IP address for the SA. This is necessary for incoming
+The source IP address for the SA.
+This is necessary for incoming
SAs to avoid source address spoofing between mutually
-suspicious hosts that have established SAs with us. For outgoing SAs,
-this field is used to fill in the source address when doing
-tunneling.
+suspicious hosts that have established SAs with us.
+For outgoing SAs,
+this field is used to fill in the source address when doing tunneling.
.It dst
The destination IP address for the SA.
.It proxy
This IP address, if provided, is checked against the inner IP address when
-doing tunneling to a firewall, to prevent source spoofing attacks. It is
-strongly recommended that this option is provided when applicable. It is
+doing tunneling to a firewall, to prevent source spoofing attacks.
+It is
+strongly recommended that this option is provided when applicable.
+It is
applicable in a scenario when host A is using IPsec to communicate with
-firewall B, and through that to host C. In that case, the proxy address for
-the incoming SA should be C. This option is not necessary for outgoing SAs.
+firewall B, and through that to host C.
+In that case, the proxy address for
+the incoming SA should be C.
+This option is not necessary for outgoing SAs.
.It spi
The Security Parameter Index (SPI).
.It tunnel
-This option has been deprecated. The arguments are ignored, and it
-otherwise has the same effect as the
+This option has been deprecated.
+The arguments are ignored, and it otherwise has the same effect as the
.Nm forcetunnel
option.
.It newpadding
This option has been deprecated.
.It forcetunnel
Force IP-inside-IP encapsulation before ESP or AH processing is performed for
-outgoing packets. The source/destination addresses of the outgoing IP packet
+outgoing packets.
+The source/destination addresses of the outgoing IP packet
will be those provided in the
.Nm src
and
.Nm dst
-options. Notice that the IPsec stack will perform IP-inside-IP encapsulation
+options.
+Notice that the IPsec stack will perform IP-inside-IP encapsulation
when deemed necessary, even if this flag has not been set.
.It enc
-The encryption algorithm to be used with the SA. Possible values
-are:
+The encryption algorithm to be used with the SA.
+Possible values are:
.Bl -tag -width skipjack
.It Nm des
This is available for both old and new esp.
Notice that hardware crackers for DES can be (and have been) built for
-US$250,000 (in 1998). Use DES for encryption of critical information
-at your own risk.
-We suggest using 3DES instead. DES support is kept for interoperability
-(with old implementations) purposes only. See
+US$250,000 (in 1998).
+Use DES for encryption of critical information at your own risk.
+We suggest using 3DES instead.
+DES support is kept for interoperability
+(with old implementations) purposes only.
+See
.Xr des_cipher 3 .
.It Nm 3des
-This is available for both old and new esp. It is considered
-more secure than straight DES, since it uses larger keys.
+This is available for both old and new esp.
+It is considered more secure than straight DES, since it uses larger keys.
.It Nm blf
-Blowfish encryption is available only in new esp. See
+Blowfish encryption is available only in new esp.
+See
.Xr blf_key 3 .
.It Nm cast
CAST encryption is available only in new esp.
.It Nm skipjack
-SKIPJACK encryption is available only in new esp. This algorithm designed
-by the NSA is faster than 3DES. However, since it was designed by the NSA
+SKIPJACK encryption is available only in new esp.
+This algorithm designed by the NSA and is faster than 3DES.
+However, since it was designed by the NSA
it is a poor choice.
.El
.Pp
.It auth
-The authentication algorithm to be used with the SA. Possible values
-are:
+The authentication algorithm to be used with the SA.
+Possible values are:
.Nm md5
and
.Nm sha1
-for both old and new ah and also new esp. Also
+for both old and new ah and also new esp.
+Also
.Nm rmd160
for both new ah and esp.
.It key
-The secret symmetric key used for encryption and authentication. The size
-for
+The secret symmetric key used for encryption and authentication.
+The size for
.Nm des
and
.Nm 3des
-is fixed to 8 and 24 respectively. For other ciphers like
+is fixed to 8 and 24 respectively.
+For other ciphers like
.Nm cast
or
.Nm blf
-the key length can be variable. The
+the key length can be variable.
+The
.Nm key
-should be given in hexadecimal digits. The
+should be given in hexadecimal digits.
+The
.Nm key
should be chosen in random (ideally, using some true-random source like
-coin flipping). It is very important that the key is not guessable. One
-practical way of generating keys is by using the
+coin flipping).
+It is very important that the key is not guessable.
+One practical way of generating keys is by using the
.Xr random 4
device (e.g., dd if=/dev/urandom bs=1024 count=1 | sha1)
.It authkey
The secret key material used for authentication
-if additional authentication in new esp mode is required. For
-old or new ah the key material for authentication is passed with the
+if additional authentication in new esp mode is required.
+For old or new ah the key material for authentication is passed with the
.Nm key
-option. The
+option.
+The
.Nm key
-should be given in hexadecimal digits. The
+should be given in hexadecimal digits.
+The
.Nm key
should be chosen in random (ideally, using some true-random source like
-coin flipping). It is very important that the key is not guessable. One
-practical way of generating keys is by using the
+coin flipping).
+It is very important that the key is not guessable.
+One practical way of generating keys is by using the
.Xr random 4
device (e.g., dd if=/dev/urandom bs=1024 count=1 | sha1)
.It iv
-This option has been deprecated. The argument is ignored. When applicable,
-it has the same behaviour as the
+This option has been deprecated.
+The argument is ignored.
+When applicable, it has the same behaviour as the
.Nm halfiv
option.
.It halfiv
-This option causes use of a 4 byte IV in old ESP (as opposed to 8 bytes). It
-may only be used with old ESP.
+This option causes use of a 4 byte IV in old ESP (as opposed to 8 bytes).
+It may only be used with old ESP.
.It proto
The security protocol needed by
.Nm delspi ,
@@ -364,12 +395,14 @@ case insensitive.
.It addr
The source address, source network mask, destination address and destination
network mask against which packets need to match to use the specified
-Security Association. All addresses must be of the same address family
+Security Association.
+All addresses must be of the same address family
(IPv4 or IPv6).
.It transport
The protocol number which packets need to match to use the specified
-Security Association. By default the protocol number is not used for
-matching. Instead of a number, a valid protocol name that appears in
+Security Association.
+By default the protocol number is not used for matching.
+Instead of a number, a valid protocol name that appears in
.Xr protocols 5
can be used.
.It sport
@@ -432,7 +465,7 @@ For
.Nm flush ,
only flush SAs of type ip4.
.El
-.Sh EXAMPLE
+.Sh EXAMPLES
Setup a SA which uses new esp with 3des encryption and HMAC-SHA1
authentication:
.Bd -literal