[apple/ipsec.git] / ipsec-tools / racoon / racoon.8

.\" $Id: racoon.8,v 1.3.10.1 2005/04/18 11:10:55 manubsd Exp $
.\"
.\" Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\" 3. Neither the name of the project nor the names of its contributors
.\"    may be used to endorse or promote products derived from this software
.\"    without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.Dd November 20, 2000
.Dt RACOON 8
.Os
.\"
.Sh NAME
.Nm racoon
.Nd IKE (ISAKMP/Oakley) key management daemon
.\"
.Sh SYNOPSIS
.Nm racoon
.Bk -words
.Op Fl 46BdFLv
.Ek
.Bk -words
.Op Fl f Ar configfile
.Ek
.Bk -words
.Op Fl l Ar logfile
.Ek
.\"
.Sh DESCRIPTION
.Nm
is used to setup and maintain an IPSec tunnel or transport channel, 
between two devices, over which network traffic is conveyed securely. 
This security is made possible by cryptographic keys and operations 
on both devices.
.\"
.Nm
relies on a standardized network protocol (IKE) to automatically 
negotiate and manage the cryptographic keys (e.g. security 
associations) that are necessary for the 
IPSec tunnel or transport channel to function.
.\"
.Nm
speaks the IKE
.Pq ISAKMP/Oakley
key management protocol,
to establish security associations with other hosts.
The SPD
.Pq Security Policy Database
in the kernel usually triggers
.Nm .
.Nm
usually sends all informational messages, warnings and error messages to
.Xr syslogd 8
with the facility
.Dv LOG_DAEMON
and the priority
.Dv LOG_INFO .
Debugging messages are sent with the priority
.Dv LOG_DEBUG .
You should configure
.Xr syslog.conf 5
appropriately to see these messages.
.Bl -tag -width Ds
.It Fl 4
.It Fl 6
Specify the default address family for the sockets.
.It Fl B
Install SA(s) from the file which is specified in
.Xr racoon.conf 5 .
.It Fl d
Increase the debug level.
Multiple
.Fl d
arguments will increase the debug level even more.
.It Fl F
Run
.Nm
in the foreground.
.It Fl f Ar configfile
Use
.Ar configfile
as the configuration file instead of the default.
.It Fl L
Include
.Ar file_name:line_number:function_name
in all messages.
.It Fl l Ar logfile
Use
.Ar logfile
as the logging file instead of
.Xr syslogd 8 .
.It Fl v
This flag causes the packet dump be more verbose, with higher
debugging level.
.El
.Pp
.Nm
assumes the presence of the kernel random number device
.Xr rnd 4
at
.Pa /dev/urandom .
.\"
.Sh RETURN VALUES
The command exits with 0 on success, and non-zero on errors.
.\"
.Sh FILES
.Bl -tag -width /private/etc/racoon/remote/anonymous -compact
.It Pa /private/etc/racoon/racoon.conf 
default configuration file.
.It Pa /private/etc/racoon/psk.txt 
default pre-shared key file.
.El
.\"
.Sh SEE ALSO
.Xr ipsec 4 ,
.Xr racoon.conf 5 ,
.Xr syslog.conf 5 ,
.Xr setkey 8 ,
.Xr syslogd 8
.\"
.Sh HISTORY
The
.Nm
command first appeared in the
.Dq YIPS
Yokogawa IPsec implementation.
.\"
.Sh SECURITY CONSIDERATIONS
The use of IKE phase 1 aggressive mode is not recommended,
as described in
.Pa http://www.kb.cert.org/vuls/id/886601 .
Commit	Line	Data
52b7d2ce A	1	.\" $Id: racoon.8,v 1.3.10.1 2005/04/18 11:10:55 manubsd Exp $
	2	.\"
	3	.\" Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
	4	.\" All rights reserved.
	5	.\"
	6	.\" Redistribution and use in source and binary forms, with or without
	7	.\" modification, are permitted provided that the following conditions
	8	.\" are met:
	9	.\" 1. Redistributions of source code must retain the above copyright
	10	.\" notice, this list of conditions and the following disclaimer.
	11	.\" 2. Redistributions in binary form must reproduce the above copyright
	12	.\" notice, this list of conditions and the following disclaimer in the
	13	.\" documentation and/or other materials provided with the distribution.
	14	.\" 3. Neither the name of the project nor the names of its contributors
	15	.\" may be used to endorse or promote products derived from this software
	16	.\" without specific prior written permission.
	17	.\"
	18	.\" THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
	19	.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
	20	.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
	21	.\" ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
	22	.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
	23	.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
	24	.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
	25	.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
	26	.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
	27	.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
	28	.\" SUCH DAMAGE.
	29	.\"
	30	.Dd November 20, 2000
	31	.Dt RACOON 8
	32	.Os
	33	.\"
	34	.Sh NAME
	35	.Nm racoon
	36	.Nd IKE (ISAKMP/Oakley) key management daemon
	37	.\"
	38	.Sh SYNOPSIS
	39	.Nm racoon
	40	.Bk -words
	41	.Op Fl 46BdFLv
	42	.Ek
	43	.Bk -words
	44	.Op Fl f Ar configfile
	45	.Ek
	46	.Bk -words
	47	.Op Fl l Ar logfile
	48	.Ek
52b7d2ce A	49	.\"
	50	.Sh DESCRIPTION
	51	.Nm
e8d9021d A	52	is used to setup and maintain an IPSec tunnel or transport channel,
	53	between two devices, over which network traffic is conveyed securely.
	54	This security is made possible by cryptographic keys and operations
	55	on both devices.
	56	.\"
	57	.Nm
	58	relies on a standardized network protocol (IKE) to automatically
	59	negotiate and manage the cryptographic keys (e.g. security
	60	associations) that are necessary for the
	61	IPSec tunnel or transport channel to function.
	62	.\"
	63	.Nm
52b7d2ce A	64	speaks the IKE
	65	.Pq ISAKMP/Oakley
	66	key management protocol,
	67	to establish security associations with other hosts.
	68	The SPD
	69	.Pq Security Policy Database
	70	in the kernel usually triggers
	71	.Nm .
	72	.Nm
	73	usually sends all informational messages, warnings and error messages to
	74	.Xr syslogd 8
	75	with the facility
	76	.Dv LOG_DAEMON
	77	and the priority
	78	.Dv LOG_INFO .
	79	Debugging messages are sent with the priority
	80	.Dv LOG_DEBUG .
	81	You should configure
	82	.Xr syslog.conf 5
	83	appropriately to see these messages.
	84	.Bl -tag -width Ds
	85	.It Fl 4
	86	.It Fl 6
	87	Specify the default address family for the sockets.
	88	.It Fl B
	89	Install SA(s) from the file which is specified in
	90	.Xr racoon.conf 5 .
	91	.It Fl d
	92	Increase the debug level.
	93	Multiple
	94	.Fl d
	95	arguments will increase the debug level even more.
	96	.It Fl F
	97	Run
	98	.Nm
	99	in the foreground.
	100	.It Fl f Ar configfile
	101	Use
	102	.Ar configfile
	103	as the configuration file instead of the default.
	104	.It Fl L
	105	Include
	106	.Ar file_name:line_number:function_name
	107	in all messages.
	108	.It Fl l Ar logfile
	109	Use
	110	.Ar logfile
	111	as the logging file instead of
	112	.Xr syslogd 8 .
52b7d2ce A	113	.It Fl v
	114	This flag causes the packet dump be more verbose, with higher
	115	debugging level.
	116	.El
	117	.Pp
	118	.Nm
	119	assumes the presence of the kernel random number device
	120	.Xr rnd 4
	121	at
	122	.Pa /dev/urandom .
	123	.\"
	124	.Sh RETURN VALUES
	125	The command exits with 0 on success, and non-zero on errors.
	126	.\"
	127	.Sh FILES
	128	.Bl -tag -width /private/etc/racoon/remote/anonymous -compact
	129	.It Pa /private/etc/racoon/racoon.conf
	130	default configuration file.
52b7d2ce A	131	.It Pa /private/etc/racoon/psk.txt
	132	default pre-shared key file.
	133	.El
	134	.\"
	135	.Sh SEE ALSO
	136	.Xr ipsec 4 ,
	137	.Xr racoon.conf 5 ,
	138	.Xr syslog.conf 5 ,
	139	.Xr setkey 8 ,
	140	.Xr syslogd 8
	141	.\"
	142	.Sh HISTORY
	143	The
	144	.Nm
	145	command first appeared in the
	146	.Dq YIPS
	147	Yokogawa IPsec implementation.
	148	.\"
	149	.Sh SECURITY CONSIDERATIONS
	150	The use of IKE phase 1 aggressive mode is not recommended,
	151	as described in
	152	.Pa http://www.kb.cert.org/vuls/id/886601 .