.\" $OpenBSD: photurisd.1,v 1.6 1997/07/24 23:47:18 provos Exp $ .\" Copyright 1997 Niels Provos .\" All rights reserved. .\" .\" Redistribution and use in source and binary forms, with or without .\" modification, are permitted provided that the following conditions .\" are met: .\" 1. Redistributions of source code must retain the above copyright .\" notice, this list of conditions and the following disclaimer. .\" 2. Redistributions in binary form must reproduce the above copyright .\" notice, this list of conditions and the following disclaimer in the .\" documentation and/or other materials provided with the distribution. .\" 3. All advertising materials mentioning features or use of this software .\" must display the following acknowledgement: .\" This product includes software developed by Niels Provos. .\" 4. The name of the author may not be used to endorse or promote products .\" derived from this software without specific prior written permission. .\" .\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR .\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES .\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. .\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, .\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT .\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, .\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY .\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" .\" Manual page, using -mandoc macros .\" .Dd July 18, 1997 .Dt PHOTURISD 1 .Os .Sh NAME .Nm photurisd .Nd IPSec key management daemon .Sh SYNOPSIS .Nm photurisd .Op Fl ci .Op Fl d Ar directory .Sh DESCRIPTION The .Nm photuris daemon establisches security associations for encrypted and/or authenticated network traffic. .Pp The daemon listens to a named pipe .Pa photuris.pipe for user requests and on a .Nm PF_ENCAP socket for kernel requests. .Pp The options are as follows: .Bl -tag -width Ds .It Fl c The .Fl c option is used to force a primality check of the bootstrapped moduli. .It Fl i The .Fl i option can be used to ignore the .Pa photuris.startup file. Otherwise the exchanges in that file will be initiated on startup. .It Fl d The .Fl d option specifies the directory in which .Nm photurisd looks for its startup files. The default is .Pa /etc/photuris/ . .El .Pp The file .Pa photuris.conf contains the moduli for the DH exchange and the actual exchange schemes used to establish a shared secret. The following keywords are understood: .Bl -tag -width exchange -offset indent .It modulus This keyword is followed by the numeric generator and modulus. Those two values describe the group in which exchange values for the .Nm Diffie-Hellmann key exchange are generated. The modulus needs to be a .Nm safe prime . .It exchange The supported exchange schemes are specified here with. The scheme is followed either by zero or the number of bits of the modulus to be used with this scheme. If zero is specified the given scheme acts as modifier to the base scheme. The base scheme is .Nm DH_G_2_MD5 (generator of two and MD5 identification). Extended schemes are .Nm DH_G_2_DES_MD5 and .Nm DH_G_2_3DES_SHA1 . An exchange can only be configured if an apropriate modulus has be given before. .It config This is used to configure the LifeTimes of SPIs and exchanges. The configurable values are: .Nm exchange_max_retries , .Nm exchange_retransmit_timeout , .Nm exchange_timeout , .Nm exchange_lifetime and .Nm spi_lifetime . They are followed by an integer. .El .Pp The file .Pa attributes.conf contains the attributes, i.e. different choices of encryption and authenication, offered to the other peer. If a line starts with an ip address and a space seperated netmask the following attributes are only offered to hosts lying in that net range. Possible attributes are: .Bl -tag -width AT_ESP_ATTRIB -offset indent .It AT_AH_ATTRIB Starts the list of authentication attributes. .It AT_ESP_ATTRIB Starts the list of encryption attributes. .It AT_MD5_DP MD5 symmetric identification. This attribute must be offered. .It AT_SHA1_DP SHA1 symmetric identification. .It AT_MD5_KDP Simple MD5 keyed authentication. .It AT_DES_CBC DES CBC encryption. .El .Pp The file .Pa secrets.conf contains the party preconfigured symmetric secrets for the identity exchange. User secrets files can be included. .Pp Finally the file .Pa photuris.startup contains parameters for exchanges which are created during startup. .Pp The keywords .Nm dst , .Nm port , .Nm options , .Nm tsrc , .Nm tdsr , .Nm exchange_lifetime , .Nm spi_lifetime and .Nm user are understood in the .Pa photuris.startup file. The values are as follows: .Bl -tag -width exchange_lifetime -offset indent .It dst The destination IP address with which the exchange is to be established. .It port The port number of the destination .Nm photuris daemon. .It options The options to be used in the exchange. Possible values are .Nm enc and .Nm auth . .It tsrc The source address with netmask from which packets are accepted for the tunnel to be created. .It tdst The destination address with netmask for which packets are accepted for the tunnel being created. .It exchange_lifetime Determines the lifetime of the exchange. After an exchange expires no new SPIs are created. .It spi_lifetime Determines the lifetime of each created SPI in the exchange. .It user The user name for whom the keying shall be done. Preconfigured secrets are taken from the users secret file. .El .Pp Exchanges are separated by newlines. .Pp .Sh EXAMPLE A sample photuris.startup entry: .Pp .Bl -item -width foo -compact .It dst=134.100.106.2 port=468 options=auth .It tsrc=134.100.104.0/255.255.255.255 .It tdst=134.100.106.0/255.255.255.255 .El .Pp .Sh SEE ALSO .Xr startkey 1 . .Sh HISTORY The photuris keymanagement protocol is described in the internet draft .Nm draft-simpson-photuris by the authors Phil Karn and William Allen Simpson. This implementation was done 1997 by Niels Provos and appeared in .Bx Open 2.1.