head/sbin/setkey/setkey.8
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) | .\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) | ||||
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT | .\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT | ||||
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY | .\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY | ||||
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF | .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF | ||||
.\" SUCH DAMAGE. | .\" SUCH DAMAGE. | ||||
.\" | .\" | ||||
.\" $FreeBSD$ | .\" $FreeBSD$ | ||||
.\" | .\" | ||||
.Dd April 9, 2017 | .Dd May 01, 2020 | ||||
.Dt SETKEY 8 | .Dt SETKEY 8 | ||||
.Os | .Os | ||||
.\" | .\" | ||||
.Sh NAME | .Sh NAME | ||||
.Nm setkey | .Nm setkey | ||||
.Nd "manually manipulate the IPsec SA/SP database" | .Nd "manually manipulate the IPsec SA/SP database" | ||||
.\" | .\" | ||||
.Sh SYNOPSIS | .Sh SYNOPSIS | ||||
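Review bot: the new date line `.Dd May 01, 2020` zero-pads the day; the mdoc(7) convention used elsewhere in the tree is `Month Day, Year` with an unpadded day, so this should read `.Dd May 1, 2020`.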
.Ar aalgo | .Ar aalgo | ||||
in the | in the | ||||
.Fl A Ar aalgo | .Fl A Ar aalgo | ||||
of the | of the | ||||
.Ar protocol | .Ar protocol | ||||
parameter: | parameter: | ||||
.Bd -literal -offset indent | .Bd -literal -offset indent | ||||
algorithm keylen (bits) comment | algorithm keylen (bits) comment | ||||
hmac-md5 128 ah: rfc2403 | |||||
128 ah-old: rfc2085 | |||||
hmac-sha1 160 ah: rfc2404 | hmac-sha1 160 ah: rfc2404 | ||||
160 ah-old: 128bit ICV (no document) | 160 ah-old: 128bit ICV (no document) | ||||
keyed-md5 128 ah: 96bit ICV (no document) | |||||
128 ah-old: rfc1828 | |||||
keyed-sha1 160 ah: 96bit ICV (no document) | |||||
160 ah-old: 128bit ICV (no document) | |||||
null 0 to 2048 for debugging | null 0 to 2048 for debugging | ||||
hmac-sha2-256 256 ah: 128bit ICV (RFC4868) | hmac-sha2-256 256 ah: 128bit ICV (RFC4868) | ||||
256 ah-old: 128bit ICV (no document) | 256 ah-old: 128bit ICV (no document) | ||||
hmac-sha2-384 384 ah: 192bit ICV (RFC4868) | hmac-sha2-384 384 ah: 192bit ICV (RFC4868) | ||||
384 ah-old: 128bit ICV (no document) | 384 ah-old: 128bit ICV (no document) | ||||
hmac-sha2-512 512 ah: 256bit ICV (RFC4868) | hmac-sha2-512 512 ah: 256bit ICV (RFC4868) | ||||
512 ah-old: 128bit ICV (no document) | 512 ah-old: 128bit ICV (no document) | ||||
hmac-ripemd160 160 ah: 96bit ICV (RFC2857) | |||||
ah-old: 128bit ICV (no document) | |||||
aes-xcbc-mac 128 ah: 96bit ICV (RFC3566) | aes-xcbc-mac 128 ah: 96bit ICV (RFC3566) | ||||
128 ah-old: 128bit ICV (no document) | 128 ah-old: 128bit ICV (no document) | ||||
tcp-md5 8 to 640 tcp: rfc2385 | tcp-md5 8 to 640 tcp: rfc2385 | ||||
.Ed | .Ed | ||||
.Pp | .Pp | ||||
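Review bot: hmac-md5, keyed-md5, keyed-sha1 and hmac-ripemd160 simply vanish from the authentication table, with no sentence saying they were removed, so an administrator whose setkey(8) configuration file still names one of them gets an `add` failure with nothing in the manual page to explain it; suggest a short note after the table (or a HISTORY entry) stating that these algorithms are no longer accepted. Keeping the `tcp-md5 8 to 640 tcp: rfc2385` row is right, since it belongs to the TCP-MD5 option rather than AH, but that distinction is worth a word in the same note so the remaining MD5 entry does not look like an oversight.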
The following is the list of encryption algorithms that can be used as the | The following is the list of encryption algorithms that can be used as the | ||||
.Ar ealgo | .Ar ealgo | ||||
in the | in the | ||||
.Fl E Ar ealgo | .Fl E Ar ealgo | ||||
of the | of the | ||||
.Ar protocol | .Ar protocol | ||||
parameter: | parameter: | ||||
.Bd -literal -offset indent | .Bd -literal -offset indent | ||||
algorithm keylen (bits) comment | algorithm keylen (bits) comment | ||||
des-cbc 64 esp-old: rfc1829, esp: rfc2405 | |||||
3des-cbc 192 rfc2451 | |||||
null 0 to 2048 rfc2410 | null 0 to 2048 rfc2410 | ||||
blowfish-cbc 40 to 448 rfc2451 | |||||
cast128-cbc 40 to 128 rfc2451 | |||||
des-deriv 64 ipsec-ciph-des-derived-01 | |||||
rijndael-cbc 128/192/256 rfc3602 | rijndael-cbc 128/192/256 rfc3602 | ||||
aes-ctr 160/224/288 draft-ietf-ipsec-ciph-aes-ctr-03 | aes-ctr 160/224/288 draft-ietf-ipsec-ciph-aes-ctr-03 | ||||
aes-gcm-16 160/224/288 rfc4106 | aes-gcm-16 160/224/288 rfc4106 | ||||
camellia-cbc 128/192/256 rfc4312 | |||||
.Ed | .Ed | ||||
.Pp | .Pp | ||||
Note that the first 128/192/256 bits of a key for | Note that the first 128/192/256 bits of a key for | ||||
.Li aes-ctr or aes-gcm-16 | .Li aes-ctr or aes-gcm-16 | ||||
will be used as AES key, and remaining 32 bits will be used as nonce. | will be used as AES key, and remaining 32 bits will be used as nonce. | ||||
.Pp | .Pp | ||||
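Review bot: once des-cbc, 3des-cbc, blowfish-cbc, cast128-cbc, des-deriv and camellia-cbc are gone, `null 0 to 2048 rfc2410` is the only non-AES row left in the encryption table and now reads like an ordinary choice alongside rijndael-cbc, aes-ctr and aes-gcm-16; the authentication table qualifies its null row with `for debugging`, and the same qualifier belongs here so that an ESP SA without confidentiality is not configured by mistake. As with the authentication table, a sentence noting which cipher names were removed would help readers with existing configuration files.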
The following are the list of compression algorithms that can be used | The following are the list of compression algorithms that can be used | ||||
as the | as the | ||||
.Ar calgo | .Ar calgo | ||||
in the | in the | ||||
.Fl C Ar calgo | .Fl C Ar calgo | ||||
of the | of the | ||||
.Ar protocol | .Ar protocol | ||||
parameter: | parameter: | ||||
.Bd -literal -offset indent | .Bd -literal -offset indent | ||||
algorithm comment | algorithm comment | ||||
deflate rfc2394 | deflate rfc2394 | ||||
.Ed | .Ed | ||||
.\" | .\" | ||||
.Sh EXIT STATUS | .Sh EXIT STATUS | ||||
.Ex -std | .Ex -std | ||||
.\" | .\" | ||||
.Sh EXAMPLES | .Sh EXAMPLES | ||||
Add an ESP SA between two IPv6 addresses using the | Add an ESP SA between two IPv6 addresses using the | ||||
des-cbc encryption algorithm. | AES-GCM encryption algorithm. | ||||
.Bd -literal -offset indent | .Bd -literal -offset indent | ||||
add 3ffe:501:4819::1 3ffe:501:481d::1 esp 123457 | add 3ffe:501:4819::1 3ffe:501:481d::1 esp 123457 | ||||
-E des-cbc 0x3ffe05014819ffff ; | -E aes-gcm-16 0x3ffe050148193ffe050148193ffe050148193ffe ; | ||||
.Pp | .Pp | ||||
.Ed | .Ed | ||||
.\" | .\" | ||||
Add an authentication SA between two FQDN specified hosts: | Add an authentication SA between two FQDN specified hosts: | ||||
.Bd -literal -offset indent | .Bd -literal -offset indent | ||||
add -6 myhost.example.com yourhost.example.com ah 123456 | add -6 myhost.example.com yourhost.example.com ah 123456 | ||||
-A hmac-sha1 "AH SA configuration!" ; | -A hmac-sha2-256 "AH SA configuration!" ; | ||||
.Pp | |||||
.Ed | |||||
Use both ESP and AH between two numerically specified hosts: | |||||
.Bd -literal -offset indent | |||||
add 10.0.11.41 10.0.11.33 esp 0x10001 | |||||
-E des-cbc 0x3ffe05014819ffff | |||||
-A hmac-md5 "authentication!!" ; | |||||
.Pp | .Pp | ||||
.Ed | .Ed | ||||
Get the SA information associated with first example above: | Get the SA information associated with first example above: | ||||
.Bd -literal -offset indent | .Bd -literal -offset indent | ||||
get 3ffe:501:4819::1 3ffe:501:481d::1 ah 123456 ; | get 3ffe:501:4819::1 3ffe:501:481d::1 ah 123456 ; | ||||
.Pp | .Pp | ||||
.Ed | .Ed | ||||
Flush all entries from the database: | Flush all entries from the database: | ||||
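Review bot: the key in the updated authentication example, `-A hmac-sha2-256 "AH SA configuration!"`, is 20 characters, i.e. 160 bits, but the authentication table earlier in this page lists hmac-sha2-256 with a fixed keylen of 256 bits, so the example as written would be rejected for key length; the old line was consistent because hmac-sha1 takes 160 bits. Either give a 32-character string or a `0x` key of 64 hex digits. The aes-gcm-16 key in the ESP example is 40 hex digits, 160 bits, which matches the 128-bit key plus 32-bit nonce described above, so that one is fine. While here, `get 3ffe:501:4819::1 3ffe:501:481d::1 ah 123456 ;` is introduced as the SA from the "first example above", yet it takes its addresses from the first (ESP, SPI 123457) example and its protocol and SPI from the second (AH, 123456) one, so it matches neither; with the combined ESP+AH example removed, this is a good moment to make the `get` line agree with one of the two remaining examples.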