]> git.saurik.com Git - apple/ipsec.git/blob - ipsec-tools/setkey/setkey.8
ipsec-326.120.2.tar.gz
[apple/ipsec.git] / ipsec-tools / setkey / setkey.8
1 .\" $NetBSD: setkey.8,v 1.17 2005/09/15 08:42:09 wiz Exp $
2 .\"
3 .\" Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
4 .\" All rights reserved.
5 .\"
6 .\" Redistribution and use in source and binary forms, with or without
7 .\" modification, are permitted provided that the following conditions
8 .\" are met:
9 .\" 1. Redistributions of source code must retain the above copyright
10 .\" notice, this list of conditions and the following disclaimer.
11 .\" 2. Redistributions in binary form must reproduce the above copyright
12 .\" notice, this list of conditions and the following disclaimer in the
13 .\" documentation and/or other materials provided with the distribution.
14 .\" 3. Neither the name of the project nor the names of its contributors
15 .\" may be used to endorse or promote products derived from this software
16 .\" without specific prior written permission.
17 .\"
18 .\" THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
19 .\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
20 .\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
21 .\" ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
22 .\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
23 .\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
24 .\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
25 .\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
26 .\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
27 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
28 .\" SUCH DAMAGE.
29 .\"
30 .Dd March 19, 2004
31 .Dt SETKEY 8
32 .Os
33 .\"
34 .Sh NAME
35 .Nm setkey
36 .Nd manually manipulate the IPsec SA/SP database
37 .\"
38 .Sh SYNOPSIS
39 .Nm setkey
40 .Op Fl knrv
41 .Ar file ...
42 .Nm setkey
43 .Op Fl knrv
44 .Fl c
45 .Nm setkey
46 .Op Fl krv
47 .Fl f Ar filename
48 .Nm setkey
49 .Op Fl aklPrv
50 .Fl D
51 .Nm setkey
52 .Op Fl Pvp
53 .Fl F
54 .Nm setkey
55 .Op Fl H
56 .Fl x
57 .Nm setkey
58 .Op Fl ?V
59 .\"
60 .Sh DESCRIPTION
61 .Nm
62 adds, updates, dumps, or flushes
63 Security Association Database (SAD) entries
64 as well as Security Policy Database (SPD) entries in the kernel.
65 .Pp
66 .Nm
67 takes a series of operations from standard input
68 .Po
69 if invoked with
70 .Fl c
71 .Pc
72 or the file named
73 .Ar filename
74 .Po
75 if invoked with
76 .Fl f Ar filename
77 .Pc .
78 .Bl -tag -width Ds
79 .It (no flag)
80 Dump the SAD entries or SPD entries contained in the specified
81 .Ar file .
82 .It Fl ?
83 Print short help.
84 .It Fl a
85 .Nm
86 usually does not display dead SAD entries with
87 .Fl D .
88 If
89 .Fl a
90 is also specified, the dead SAD entries will be displayed as well.
91 A dead SAD entry is one that has expired but remains in the
92 system because it is referenced by some SPD entries.
93 .It Fl D
94 Dump the SAD entries.
95 If
96 .Fl P
97 is also specified, the SPD entries are dumped.
98 If
99 .Fl p
100 is specified, the ports are displayed.
101 .It Fl F
102 Flush the SAD entries.
103 If
104 .Fl P
105 is also specified, the SPD entries are flushed.
106 .It Fl H
107 Add hexadecimal dump in
108 .Fl x
109 mode.
110 .It Fl h
111 On
112 .Nx ,
113 synonym for
114 .Fl H .
115 On other systems, synonym for
116 .Fl ? .
117 .It Fl k
118 Use semantics used in kernel.
119 Available only in Linux.
120 See also
121 .Fl r .
122 .It Fl l
123 Loop forever with short output on
124 .Fl D .
125 .It Fl n
126 No action.
127 The program will check validity of the input, but no changes to
128 the SPD will be made.
129 .It Fl r
130 Use semantics described in IPsec RFCs.
131 This mode is default.
132 For details see section
133 .Sx RFC vs Linux kernel semantics .
134 Available only in Linux.
135 See also
136 .Fl k .
137 .It Fl x
138 Loop forever and dump all the messages transmitted to the
139 .Dv PF_KEY
140 socket.
141 .Fl xx
142 prints the unformatted timestamps.
143 .It Fl V
144 Print version string.
145 .It Fl v
146 Be verbose.
147 The program will dump messages exchanged on the
148 .Dv PF_KEY
149 socket, including messages sent from other processes to the kernel.
150 .El
151 .Ss Configuration syntax
152 With
153 .Fl c
154 or
155 .Fl f
156 on the command line,
157 .Nm
158 accepts the following configuration syntax.
159 Lines starting with hash signs
160 .Pq Sq #
161 are treated as comment lines.
162 .Bl -tag -width Ds
163 .It Xo
164 .Li add
165 .Op Fl 46n
166 .Ar src Ar dst Ar protocol Ar spi
167 .Op Ar extensions
168 .Ar algorithm ...
169 .Li ;
170 .Xc
171 Add an SAD entry.
172 .Li add
173 can fail for multiple reasons, including when the key length does
174 not match the specified algorithm.
175 .\"
176 .It Xo
177 .Li get
178 .Op Fl 46n
179 .Ar src Ar dst Ar protocol Ar spi
180 .Li ;
181 .Xc
182 Show an SAD entry.
183 .\"
184 .It Xo
185 .Li delete
186 .Op Fl 46n
187 .Ar src Ar dst Ar protocol Ar spi
188 .Li ;
189 .Xc
190 Remove an SAD entry.
191 .\"
192 .It Xo
193 .Li deleteall
194 .Op Fl 46n
195 .Ar src Ar dst Ar protocol
196 .Li ;
197 .Xc
198 Remove all SAD entries that match the specification.
199 .\"
200 .It Xo
201 .Li flush
202 .Op Ar protocol
203 .Li ;
204 .Xc
205 Clear all SAD entries matched by the options.
206 .Fl F
207 on the command line achieves the same functionality.
208 .\"
209 .It Xo
210 .Li dump
211 .Op Ar protocol
212 .Li ;
213 .Xc
214 Dumps all SAD entries matched by the options.
215 .Fl D
216 on the command line achieves the same functionality.
217 .\"
218 .It Xo
219 .Li spdadd
220 .Op Fl 46n
221 .Ar src_range Ar dst_range Ar upperspec Ar policy
222 .Li ;
223 .Xc
224 Add an SPD entry.
225 .\"
226 .It Xo
227 .Li spdadd tagged
228 .Ar tag Ar policy
229 .Li ;
230 .Xc
231 Add an SPD entry based on a PF tag.
232 .Ar tag
233 must be a string surrounded by double quotes.
234 .\"
235 .It Xo
236 .Li spddelete
237 .Op Fl 46n
238 .Ar src_range Ar dst_range Ar upperspec Fl P Ar direction
239 .Li ;
240 .Xc
241 Delete an SPD entry.
242 .\"
243 .It Xo
244 .Li spdflush
245 .Li ;
246 .Xc
247 Clear all SPD entries.
248 .Fl FP
249 on the command line achieves the same functionality.
250 .\"
251 .It Xo
252 .Li spddump
253 .Li ;
254 .Xc
255 Dumps all SPD entries.
256 .Fl DP
257 on the command line achieves the same functionality.
258 .El
259 .\"
260 .Pp
261 Meta-arguments are as follows:
262 .Pp
263 .Bl -tag -compact -width Ds
264 .It Ar src
265 .It Ar dst
266 Source/destination of the secure communication is specified as
267 an IPv4/v6 address, and an optional port number between square
268 brackets.
269 .Nm
270 can resolve a FQDN into numeric addresses.
271 If the FQDN resolves into multiple addresses,
272 .Nm
273 will install multiple SAD/SPD entries into the kernel
274 by trying all possible combinations.
275 .Fl 4 ,
276 .Fl 6 ,
277 and
278 .Fl n
279 restrict the address resolution of FQDN in certain ways.
280 .Fl 4
281 and
282 .Fl 6
283 restrict results into IPv4/v6 addresses only, respectively.
284 .Fl n
285 avoids FQDN resolution and requires addresses to be numeric addresses.
286 .\"
287 .Pp
288 .It Ar protocol
289 .Ar protocol
290 is one of following:
291 .Bl -tag -width Fl -compact
292 .It Li esp
293 ESP based on rfc2406
294 .It Li esp-old
295 ESP based on rfc1827
296 .It Li ah
297 AH based on rfc2402
298 .It Li ah-old
299 AH based on rfc1826
300 .It Li ipcomp
301 IPComp
302 .It Li tcp
303 TCP-MD5 based on rfc2385
304 .El
305 .\"
306 .Pp
307 .It Ar spi
308 Security Parameter Index
309 .Pq SPI
310 for the SAD and the SPD.
311 .Ar spi
312 must be a decimal number, or a hexadecimal number with a
313 .Dq Li 0x
314 prefix.
315 SPI values between 0 and 255 are reserved for future use by IANA
316 and cannot be used.
317 TCP-MD5 associations must use 0x1000 and therefore only have per-host
318 granularity at this time.
319 .\"
320 .Pp
321 .It Ar extensions
322 take some of the following:
323 .Bl -tag -width Fl -compact
324 .\"
325 .It Fl m Ar mode
326 Specify a security protocol mode for use.
327 .Ar mode
328 is one of following:
329 .Li transport , tunnel ,
330 or
331 .Li any .
332 The default value is
333 .Li any .
334 .\"
335 .It Fl r Ar size
336 Specify window size of bytes for replay prevention.
337 .Ar size
338 must be decimal number in 32-bit word.
339 If
340 .Ar size
341 is zero or not specified, replay checks don't take place.
342 .\"
343 .It Fl u Ar id
344 Specify the identifier of the policy entry in the SPD.
345 See
346 .Ar policy .
347 .\"
348 .It Fl f Ar pad_option
349 defines the content of the ESP padding.
350 .Ar pad_option
351 is one of following:
352 .Bl -tag -width random-pad -compact
353 .It Li zero-pad
354 All the paddings are zero.
355 .It Li random-pad
356 A series of randomized values are used.
357 .It Li seq-pad
358 A series of sequential increasing numbers started from 1 are used.
359 .El
360 .\"
361 .It Fl f Li nocyclic-seq
362 Don't allow cyclic sequence numbers.
363 .\"
364 .It Fl lh Ar time
365 .It Fl ls Ar time
366 Specify hard/soft life time duration of the SA measured in seconds.
367 .\"
368 .It Fl bh Ar bytes
369 .It Fl bs Ar bytes
370 Specify hard/soft life time duration of the SA measured in bytes transported.
371 .El
372 .\"
373 .Pp
374 .It Ar algorithm
375 .Bl -tag -width Fl -compact
376 .It Fl E Ar ealgo Ar key
377 Specify an encryption algorithm
378 .Ar ealgo
379 for ESP.
380 .It Xo
381 .Fl E Ar ealgo Ar key
382 .Fl A Ar aalgo Ar key
383 .Xc
384 Specify an encryption algorithm
385 .Ar ealgo ,
386 as well as a payload authentication algorithm
387 .Ar aalgo ,
388 for ESP.
389 .It Fl A Ar aalgo Ar key
390 Specify an authentication algorithm for AH.
391 .It Fl C Ar calgo Op Fl R
392 Specify a compression algorithm for IPComp.
393 If
394 .Fl R
395 is specified, the
396 .Ar spi
397 field value will be used as the IPComp CPI
398 .Pq compression parameter index
399 on wire as-is.
400 If
401 .Fl R
402 is not specified,
403 the kernel will use well-known CPI on wire, and
404 .Ar spi
405 field will be used only as an index for kernel internal usage.
406 .El
407 .Pp
408 .Ar key
409 must be a double-quoted character string, or a series of hexadecimal
410 digits preceded by
411 .Dq Li 0x .
412 .Pp
413 Possible values for
414 .Ar ealgo ,
415 .Ar aalgo ,
416 and
417 .Ar calgo
418 are specified in the
419 .Sx Algorithms
420 sections.
421 .\"
422 .Pp
423 .It Ar src_range
424 .It Ar dst_range
425 These select the communications that should be secured by IPsec.
426 They can be an IPv4/v6 address or an IPv4/v6 address range, and
427 may be accompanied by a TCP/UDP port specification.
428 This takes the following form:
429 .Bd -literal -offset
430 .Ar address
431 .Ar address/prefixlen
432 .Ar address[port]
433 .Ar address/prefixlen[port]
434 .Ed
435 .Pp
436 .Ar prefixlen
437 and
438 .Ar port
439 must be decimal numbers.
440 The square brackets around
441 .Ar port
442 are really necessary,
443 they are not man page meta-characters.
444 For FQDN resolution, the rules applicable to
445 .Ar src
446 and
447 .Ar dst
448 apply here as well.
449 .\"
450 .Pp
451 .It Ar upperspec
452 Upper-layer protocol to be used.
453 You can use one of the words in
454 .Pa /etc/protocols
455 as
456 .Ar upperspec ,
457 or
458 .Li icmp6 ,
459 .Li ip4 ,
460 or
461 .Li any .
462 .Li any
463 stands for
464 .Dq any protocol .
465 You can also use the protocol number.
466 You can specify a type and/or a code of ICMPv6 when the
467 upper-layer protocol is ICMPv6.
468 The specification can be placed after
469 .Li icmp6 .
470 A type is separated from a code by single comma.
471 A code must always be specified.
472 When a zero is specified, the kernel deals with it as a wildcard.
473 Note that the kernel can not distinguish a wildcard from an ICPMv6
474 type of zero.
475 For example, the following means that the policy doesn't require IPsec
476 for any inbound Neighbor Solicitation.
477 .Dl spdadd ::/0 ::/0 icmp6 135,0 -P in none ;
478 .Pp
479 .Em Note :
480 .Ar upperspec
481 does not work against forwarding case at this moment,
482 as it requires extra reassembly at the forwarding node
483 .Pq not implemented at this moment .
484 There are many protocols in
485 .Pa /etc/protocols ,
486 but all protocols except of TCP, UDP, and ICMP may not be suitable
487 to use with IPsec.
488 You have to consider carefully what to use.
489 .\"
490 .Pp
491 .It Ar policy
492 .Ar policy
493 is in one of the following three formats:
494 .Bd -literal -offset indent
495 .It Fl P Ar direction [priority specification] Li discard
496 .It Fl P Ar direction [priority specification] Li none
497 .It Xo Fl P Ar direction [priority specification] Li ipsec
498 .Ar protocol/mode/src-dst/level Op ...
499 .Xc
500 .Ed
501 .Pp
502 You must specify the direction of its policy as
503 .Ar direction .
504 Either
505 .Ar out ,
506 .Ar in ,
507 or
508 .Ar fwd
509 can be used.
510 .Pp
511 .Ar priority specification
512 is used to control the placement of the policy within the SPD.
513 Policy position is determined by
514 a signed integer where higher priorities indicate the policy is placed
515 closer to the beginning of the list and lower priorities indicate the
516 policy is placed closer to the end of the list.
517 Policies with equal priorities are added at the end of groups
518 of such policies.
519 .Pp
520 Priority can only
521 be specified when setkey has been compiled against kernel headers that
522 support policy priorities (Linux \*[Gt]= 2.6.6).
523 If the kernel does not support priorities, a warning message will
524 be printed the first time a priority specification is used.
525 Policy priority takes one of the following formats:
526 .Bl -tag -width "discard"
527 .It Xo
528 .Ar {priority,prio} offset
529 .Xc
530 .Ar offset
531 is an integer in the range from \-2147483647 to 214783648.
532 .It Xo
533 .Ar {priority,prio} base {+,\-} offset
534 .Xc
535 .Ar base
536 is either
537 .Li low (\-1073741824) ,
538 .Li def (0) ,
539 or
540 .Li high (1073741824)
541 .Pp
542 .Ar offset
543 is an unsigned integer.
544 It can be up to 1073741824 for
545 positive offsets, and up to 1073741823 for negative offsets.
546 .El
547 .Pp
548 .Li discard
549 means the packet matching indexes will be discarded.
550 .Li none
551 means that IPsec operation will not take place onto the packet.
552 .Li ipsec
553 means that IPsec operation will take place onto the packet.
554 .Pp
555 The
556 .Ar protocol/mode/src-dst/level
557 part specifies the rule how to process the packet.
558 Either
559 .Li ah ,
560 .Li esp ,
561 or
562 .Li ipcomp
563 must be used as
564 .Ar protocol .
565 .Ar mode
566 is either
567 .Li transport
568 or
569 .Li tunnel .
570 If
571 .Ar mode
572 is
573 .Li tunnel ,
574 you must specify the end-point addresses of the SA as
575 .Ar src
576 and
577 .Ar dst
578 with
579 .Sq -
580 between these addresses, which is used to specify the SA to use.
581 If
582 .Ar mode
583 is
584 .Li transport ,
585 both
586 .Ar src
587 and
588 .Ar dst
589 can be omitted.
590 .Ar level
591 is to be one of the following:
592 .Li default , use , require ,
593 or
594 .Li unique .
595 If the SA is not available in every level, the kernel will
596 ask the key exchange daemon to establish a suitable SA.
597 .Li default
598 means the kernel consults the system wide default for the protocol
599 you specified, e.g. the
600 .Li esp_trans_deflev
601 sysctl variable, when the kernel processes the packet.
602 .Li use
603 means that the kernel uses an SA if it's available,
604 otherwise the kernel keeps normal operation.
605 .Li require
606 means SA is required whenever the kernel sends a packet matched
607 with the policy.
608 .Li unique
609 is the same as
610 .Li require ;
611 in addition, it allows the policy to match the unique out-bound SA.
612 You just specify the policy level
613 .Li unique ,
614 .Xr racoon 8
615 will configure the SA for the policy.
616 If you configure the SA by manual keying for that policy,
617 you can put a decimal number as the policy identifier after
618 .Li unique
619 separated by a colon
620 .Sq \&:
621 like:
622 .Li unique:number
623 in order to bind this policy to the SA.
624 .Li number
625 must be between 1 and 32767.
626 It corresponds to
627 .Ar extensions Fl u
628 of the manual SA configuration.
629 When you want to use SA bundle, you can define multiple rules.
630 For example, if an IP header was followed by an AH header followed
631 by an ESP header followed by an upper layer protocol header, the
632 rule would be:
633 .Dl esp/transport//require ah/transport//require ;
634 The rule order is very important.
635 .Pp
636 When NAT-T is enabled in the kernel, policy matching for ESP over
637 UDP packets may be done on endpoint addresses and port
638 (this depends on the system.
639 System that do not perform the port check cannot support
640 multiple endpoints behind the same NAT).
641 When using ESP over UDP, you can specify port numbers in the endpoint
642 addresses to get the correct matching.
643 Here is an example:
644 .Bd -literal -offset
645 spdadd 10.0.11.0/24[any] 10.0.11.33/32[any] any -P out ipsec
646 esp/tunnel/192.168.0.1[4500]-192.168.1.2[30000]/require ;
647
648 .Ed
649 These ports must be left unspecified (which defaults to 0) for
650 anything other than ESP over UDP.
651 They can be displayed in SPD dump using
652 .Nm
653 .Fl DPp .
654 .Pp
655 Note that
656 .Dq Li discard
657 and
658 .Dq Li none
659 are not in the syntax described in
660 .Xr ipsec_set_policy 3 .
661 There are a few differences in the syntax.
662 See
663 .Xr ipsec_set_policy 3
664 for detail.
665 .El
666 .\"
667 .Ss Algorithms
668 The following list shows the supported algorithms.
669 .Sy protocol
670 and
671 .Sy algorithm
672 are almost orthogonal.
673 These authentication algorithms can be used as
674 .Ar aalgo
675 in
676 .Fl A Ar aalgo
677 of the
678 .Ar protocol
679 parameter:
680 .Pp
681 .Bd -literal -offset indent
682 algorithm keylen (bits)
683 hmac-md5 128 ah: rfc2403
684 128 ah-old: rfc2085
685 hmac-sha1 160 ah: rfc2404
686 160 ah-old: 128bit ICV (no document)
687 keyed-md5 128 ah: 96bit ICV (no document)
688 128 ah-old: rfc1828
689 keyed-sha1 160 ah: 96bit ICV (no document)
690 160 ah-old: 128bit ICV (no document)
691 null 0 to 2048 for debugging
692 hmac-sha256 256 ah: 96bit ICV
693 (draft-ietf-ipsec-ciph-sha-256-00)
694 256 ah-old: 128bit ICV (no document)
695 hmac-sha384 384 ah: 96bit ICV (no document)
696 384 ah-old: 128bit ICV (no document)
697 hmac-sha512 512 ah: 96bit ICV (no document)
698 512 ah-old: 128bit ICV (no document)
699 hmac-ripemd160 160 ah: 96bit ICV (RFC2857)
700 ah-old: 128bit ICV (no document)
701 aes-xcbc-mac 128 ah: 96bit ICV (RFC3566)
702 128 ah-old: 128bit ICV (no document)
703 tcp-md5 8 to 640 tcp: rfc2385
704 .Ed
705 .Pp
706 These encryption algorithms can be used as
707 .Ar ealgo
708 in
709 .Fl E Ar ealgo
710 of the
711 .Ar protocol
712 parameter:
713 .Pp
714 .Bd -literal -offset indent
715 algorithm keylen (bits)
716 des-cbc 64 esp-old: rfc1829, esp: rfc2405
717 3des-cbc 192 rfc2451
718 null 0 to 2048 rfc2410
719 blowfish-cbc 40 to 448 rfc2451
720 cast128-cbc 40 to 128 rfc2451
721 des-deriv 64 ipsec-ciph-des-derived-01
722 3des-deriv 192 no document
723 rijndael-cbc 128/192/256 rfc3602
724 twofish-cbc 0 to 256 draft-ietf-ipsec-ciph-aes-cbc-01
725 aes-ctr 160/224/288 draft-ietf-ipsec-ciph-aes-ctr-03
726 .Ed
727 .Pp
728 Note that the first 128 bits of a key for
729 .Li aes-ctr
730 will be used as AES key, and the remaining 32 bits will be used as nonce.
731 .Pp
732 These compression algorithms can be used as
733 .Ar calgo
734 in
735 .Fl C Ar calgo
736 of the
737 .Ar protocol
738 parameter:
739 .Pp
740 .Bd -literal -offset indent
741 algorithm
742 deflate rfc2394
743 .Ed
744 .\"
745 .Ss RFC vs Linux kernel semantics
746 The Linux kernel uses the
747 .Ar fwd
748 policy instead of the
749 .Ar in
750 policy for packets what are forwarded through that particular box.
751 .Pp
752 In
753 .Ar kernel
754 mode,
755 .Nm
756 manages and shows policies and SAs exactly as they are stored in the kernel.
757 .Pp
758 In
759 .Ar RFC
760 mode,
761 .Nm
762 .Bl -item
763 .It
764 creates
765 .Ar fwd
766 policies for every
767 .Ar in
768 policy inserted
769 .It
770 (not implemented yet) filters out all
771 .Ar fwd
772 policies
773 .El
774 .Sh RETURN VALUES
775 The command exits with 0 on success, and non-zero on errors.
776 .\"
777 .Sh EXAMPLES
778 .Bd -literal -offset
779 add 3ffe:501:4819::1 3ffe:501:481d::1 esp 123457
780 -E des-cbc 0x3ffe05014819ffff ;
781
782 add -6 myhost.example.com yourhost.example.com ah 123456
783 -A hmac-sha1 "AH SA configuration!" ;
784
785 add 10.0.11.41 10.0.11.33 esp 0x10001
786 -E des-cbc 0x3ffe05014819ffff
787 -A hmac-md5 "authentication!!" ;
788
789 get 3ffe:501:4819::1 3ffe:501:481d::1 ah 123456 ;
790
791 flush ;
792
793 dump esp ;
794
795 spdadd 10.0.11.41/32[21] 10.0.11.33/32[any] any
796 -P out ipsec esp/tunnel/192.168.0.1-192.168.1.2/require ;
797
798 add 10.1.10.34 10.1.10.36 tcp 0x1000 -A tcp-md5 "TCP-MD5 BGP secret" ;
799 .Ed
800 .\"
801 .Sh SEE ALSO
802 .Xr ipsec_set_policy 3 ,
803 .Xr racoon 8 ,
804 .Xr sysctl 8
805 .Rs
806 .%T "Changed manual key configuration for IPsec"
807 .%O "http://www.kame.net/newsletter/19991007/"
808 .%D "October 1999"
809 .Re
810 .\"
811 .Sh HISTORY
812 The
813 .Nm
814 command first appeared in the WIDE Hydrangea IPv6 protocol stack
815 kit.
816 The command was completely re-designed in June 1998.
817 .\"
818 .Sh BUGS
819 .Nm
820 should report and handle syntax errors better.
821 .Pp
822 For IPsec gateway configuration,
823 .Ar src_range
824 and
825 .Ar dst_range
826 with TCP/UDP port numbers does not work, as the gateway does not
827 reassemble packets
828 .Pq it cannot inspect upper-layer headers .