Page MenuHomeFreeBSD
Differential D24342 Diff 71263 head/sbin/setkey/setkey.8

Changeset View

Standalone View

View Options

head/sbin/setkey/setkey.8

Show All 23 Lines
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) .\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT .\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY .\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE. .\" SUCH DAMAGE.
.\" .\"
.\" $FreeBSD$ .\" $FreeBSD$
.\" .\"
.Dd April 9, 2017 .Dd May 01, 2020
.Dt SETKEY 8 .Dt SETKEY 8
.Os .Os
.\" .\"
.Sh NAME .Sh NAME
.Nm setkey .Nm setkey
.Nd "manually manipulate the IPsec SA/SP database" .Nd "manually manipulate the IPsec SA/SP database"
.\" .\"
.Sh SYNOPSIS .Sh SYNOPSIS
▲ Show 20 LinesShow All 542 Lines▼ Show 20 Lines
.Ar aalgo .Ar aalgo
in the in the
.Fl A Ar aalgo .Fl A Ar aalgo
of the of the
.Ar protocol .Ar protocol
parameter: parameter:
.Bd -literal -offset indent .Bd -literal -offset indent
algorithm keylen (bits) comment algorithm keylen (bits) comment
hmac-md5 128 ah: rfc2403
128 ah-old: rfc2085
hmac-sha1 160 ah: rfc2404 hmac-sha1 160 ah: rfc2404
160 ah-old: 128bit ICV (no document) 160 ah-old: 128bit ICV (no document)
keyed-md5 128 ah: 96bit ICV (no document)
128 ah-old: rfc1828
keyed-sha1 160 ah: 96bit ICV (no document)
160 ah-old: 128bit ICV (no document)
null 0 to 2048 for debugging null 0 to 2048 for debugging
hmac-sha2-256 256 ah: 128bit ICV (RFC4868) hmac-sha2-256 256 ah: 128bit ICV (RFC4868)
256 ah-old: 128bit ICV (no document) 256 ah-old: 128bit ICV (no document)
hmac-sha2-384 384 ah: 192bit ICV (RFC4868) hmac-sha2-384 384 ah: 192bit ICV (RFC4868)
384 ah-old: 128bit ICV (no document) 384 ah-old: 128bit ICV (no document)
hmac-sha2-512 512 ah: 256bit ICV (RFC4868) hmac-sha2-512 512 ah: 256bit ICV (RFC4868)
512 ah-old: 128bit ICV (no document) 512 ah-old: 128bit ICV (no document)
hmac-ripemd160 160 ah: 96bit ICV (RFC2857)
ah-old: 128bit ICV (no document)
aes-xcbc-mac 128 ah: 96bit ICV (RFC3566) aes-xcbc-mac 128 ah: 96bit ICV (RFC3566)
128 ah-old: 128bit ICV (no document) 128 ah-old: 128bit ICV (no document)
tcp-md5 8 to 640 tcp: rfc2385 tcp-md5 8 to 640 tcp: rfc2385
.Ed .Ed
.Pp .Pp
The following is the list of encryption algorithms that can be used as the The following is the list of encryption algorithms that can be used as the
.Ar ealgo .Ar ealgo
in the in the
.Fl E Ar ealgo .Fl E Ar ealgo
of the of the
.Ar protocol .Ar protocol
parameter: parameter:
.Bd -literal -offset indent .Bd -literal -offset indent
algorithm keylen (bits) comment algorithm keylen (bits) comment
des-cbc 64 esp-old: rfc1829, esp: rfc2405
3des-cbc 192 rfc2451
null 0 to 2048 rfc2410 null 0 to 2048 rfc2410
blowfish-cbc 40 to 448 rfc2451
cast128-cbc 40 to 128 rfc2451
des-deriv 64 ipsec-ciph-des-derived-01
rijndael-cbc 128/192/256 rfc3602 rijndael-cbc 128/192/256 rfc3602
aes-ctr 160/224/288 draft-ietf-ipsec-ciph-aes-ctr-03 aes-ctr 160/224/288 draft-ietf-ipsec-ciph-aes-ctr-03
aes-gcm-16 160/224/288 rfc4106 aes-gcm-16 160/224/288 rfc4106
camellia-cbc 128/192/256 rfc4312
.Ed .Ed
.Pp .Pp
Note that the first 128/192/256 bits of a key for Note that the first 128/192/256 bits of a key for
.Li aes-ctr or aes-gcm-16 .Li aes-ctr or aes-gcm-16
will be used as AES key, and remaining 32 bits will be used as nonce. will be used as AES key, and remaining 32 bits will be used as nonce.
.Pp .Pp
The following are the list of compression algorithms that can be used The following are the list of compression algorithms that can be used
as the as the
.Ar calgo .Ar calgo
in the in the
.Fl C Ar calgo .Fl C Ar calgo
of the of the
.Ar protocol .Ar protocol
parameter: parameter:
.Bd -literal -offset indent .Bd -literal -offset indent
algorithm comment algorithm comment
deflate rfc2394 deflate rfc2394
.Ed .Ed
.\" .\"
.Sh EXIT STATUS .Sh EXIT STATUS
.Ex -std .Ex -std
.\" .\"
.Sh EXAMPLES .Sh EXAMPLES
Add an ESP SA between two IPv6 addresses using the Add an ESP SA between two IPv6 addresses using the
des-cbc encryption algorithm. AES-GCM encryption algorithm.
.Bd -literal -offset indent .Bd -literal -offset indent
add 3ffe:501:4819::1 3ffe:501:481d::1 esp 123457 add 3ffe:501:4819::1 3ffe:501:481d::1 esp 123457
-E des-cbc 0x3ffe05014819ffff ; -E aes-gcm-16 0x3ffe050148193ffe050148193ffe050148193ffe ;
.Pp .Pp
.Ed .Ed
.\" .\"
Add an authentication SA between two FQDN specified hosts: Add an authentication SA between two FQDN specified hosts:
.Bd -literal -offset indent .Bd -literal -offset indent
add -6 myhost.example.com yourhost.example.com ah 123456 add -6 myhost.example.com yourhost.example.com ah 123456
-A hmac-sha1 "AH SA configuration!" ; -A hmac-sha2-256 "AH SA configuration!" ;
.Pp
.Ed
Use both ESP and AH between two numerically specified hosts:
.Bd -literal -offset indent
add 10.0.11.41 10.0.11.33 esp 0x10001
-E des-cbc 0x3ffe05014819ffff
-A hmac-md5 "authentication!!" ;
.Pp .Pp
.Ed .Ed
Get the SA information associated with first example above: Get the SA information associated with first example above:
.Bd -literal -offset indent .Bd -literal -offset indent
get 3ffe:501:4819::1 3ffe:501:481d::1 ah 123456 ; get 3ffe:501:4819::1 3ffe:501:481d::1 ah 123456 ;
.Pp .Pp
.Ed .Ed
Flush all entries from the database: Flush all entries from the database:
▲ Show 20 LinesShow All 53 LinesShow Last 20 Lines