Diffstat (limited to 'sbin/setkey/setkey.8')
-rw-r--r--  sbin/setkey/setkey.8  90
1 files changed, 71 insertions, 19 deletions
diff --git a/sbin/setkey/setkey.8 b/sbin/setkey/setkey.8
index 79e28b99f950..88b4dc6fc91f 100644
--- a/sbin/setkey/setkey.8
+++ b/sbin/setkey/setkey.8
@@ -27,9 +27,7 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
-.\" $FreeBSD$
-.\"
-.Dd April 27, 2022
+.Dd October 31, 2023
.Dt SETKEY 8
.Os
.\"
@@ -45,6 +43,9 @@
.Op Fl v
.Fl f Ar filename
.Nm
+.Op Fl v
+.Fl e Ar script
+.Nm
.Op Fl Pgltv
.Fl D
.Nm
@@ -65,11 +66,14 @@ The
.Nm
utility takes a series of operations from the standard input
(if invoked with
-.Fl c )
-or the file named
+.Fl c ) ,
+from the file named
.Ar filename
(if invoked with
-.Fl f Ar filename ) .
+.Fl f Ar filename ) ,
+or from the command line argument following the option
+(if invoked with
+.Fl e Ar script ) .
.Bl -tag -width indent
.It Fl D
Dump the SAD entries.
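Review bot: the new `-e Ar script` paragraph should warn that the script is passed as a command-line argument, so any manual keying material in it (the EXAMPLES section of this very page shows `-A tcp-md5 "TCP-MD5 BGP secret"`) becomes visible in process listings and shell history; suggest a sentence recommending `-f Ar filename` (with restrictive file permissions) or `-c` for scripts that carry keys. Also, this diff adds `-e` to the SYNOPSIS and to the introductory paragraph, but no matching `.It Fl e Ar script` entry appears in the `.Bl -tag -width indent` option list that starts at `.It Fl D`; if it is added elsewhere in the file it is not visible in this diff, so please confirm the option list documents it.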
@@ -226,7 +230,7 @@ IPv4/v6 address.
The
.Nm
utility
-can resolve a FQDN into numeric addresses.
+can resolve an FQDN into numeric addresses.
If the FQDN resolves into multiple addresses,
.Nm
will install multiple SAD/SPD entries into the kernel
@@ -277,7 +281,7 @@ and they cannot be used.
.Pp
.It Ar extensions
take some of the following:
-.Bl -tag -width Fl -compact
+.Bl -tag -width Fl natt_mtu -compact
.\"
.It Fl m Ar mode
Specify a security protocol mode for use.
@@ -322,6 +326,21 @@ Do not allow cyclic sequence number.
.It Fl lh Ar time
.It Fl ls Ar time
Specify hard/soft life time duration of the SA.
+.It Fl natt Ar oai \([ Ar sport \(] Ar oar \([ Ar dport \(]
+Manually configure NAT-T for the SA, by specifying initiator
+.Ar oai
+and
+requestor
+.Ar oar
+ip addresses and ports.
+Note that the
+.Sq \([
+and
+.Sq \(]
+symbols are part of the syntax for the ports specification,
+not indication of the optional components.
+.It Fl natt_mtu Ar fragsize
+Configure NAT-T fragment size.
.El
.\"
.Pp
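Review bot: in the `.It Fl natt` entry, `requestor` is the wrong term for the peer: `oai` and `oar` are the initiator's and responder's original addresses, so `responder` would match both the variable names and standard NAT-T terminology (also `ip addresses` should be `IP addresses`). For the literal brackets, prefer the named glyphs `\(lB` and `\(rB` to `\([` and `\(]`, and check the rendered output with both mandoc and groff, since `\(` takes a two-character glyph name. The `.It Fl natt_mtu Ar fragsize` description should state the unit of `fragsize` (bytes).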
@@ -453,26 +472,43 @@ is expressed in one of the following three formats:
.Xc
.El
.Pp
-The direction of a policy must be specified as
-one of:
-.Li out ,
-.Li in ,
+.Bl -tag -compact -width "policy level"
+.It Ar direction
+The
+.Ar direction
+of a policy must be specified as one of:
+.Li out
+or
+.Li in .
+.It Ar policy level
+The direction is followed by one of the following policy levels:
.Li discard ,
.Li none ,
or
.Li ipsec .
+.Bl -compact -bullet
+.It
The
.Li discard
-direction
-means that packets matching the supplied indices will be discarded
-while
+policy level means that packets matching the supplied indices will
+be discarded.
+.It
+The
.Li none
-means that IPsec operations will not take place on the packet and
+policy level means that IPsec operations will not take place on
+the packet.
+.It
+The
.Li ipsec
-means that IPsec operation will take place onto the packet.
+policy level means that IPsec operation will take place onto
+the packet.
+.El
+.It Ar protocol/mode/src-dst/level
The
.Ar protocol/mode/src-dst/level
statement gives the rule for how to process the packet.
+.Bl -compact -bullet
+.It
The
.Ar protocol
is specified as
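Review bot: the restructured text uses `policy level` for `discard`/`none`/`ipsec`, while the `.Ar level` of `protocol/mode/src-dst/level` (described further down as `default`/`use`/`require`/`unique`) is a different field; using the same word for both will confuse readers, so consider `policy action` for the first and keep `level` only for the second. While these bullets are being rewritten, fix the carried-over phrase `IPsec operation will take place onto the packet` to `IPsec processing will be applied to the packet`.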
@@ -480,12 +516,15 @@ is specified as
.Li esp
or
.Li ipcomp .
+.It
The
.Ar mode
is either
.Li transport
or
.Li tunnel .
+.El
+.Pp
If
.Ar mode
is
@@ -497,6 +536,7 @@ and
with a dash,
.Sq - ,
between the addresses.
+.Pp
If
.Ar mode
is
@@ -506,6 +546,7 @@ both
and
.Ar dst
can be omitted.
+.Pp
The
.Ar level
is one of the following:
@@ -514,28 +555,35 @@ or
.Li unique .
If the SA is not available in every level, the kernel will request
the SA from the key exchange daemon.
+.Pp
+.Bl -compact -bullet
+.It
A value of
.Li default
tells the kernel to use the system wide default protocol
e.g.,\& the one from the
.Li esp_trans_deflev
sysctl variable, when the kernel processes the packet.
+.It
A value of
.Li use
means that the kernel will use an SA if it is available,
otherwise the kernel will pass the packet as it would normally.
+.It
A value of
.Li require
means that an SA is required whenever the kernel sends a packet matched
that matches the policy.
+.It
The
.Li unique
level is the same as
.Li require
but, in addition, it allows the policy to bind with the unique out-bound SA.
+.Pp
For example, if you specify the policy level
.Li unique ,
-.Xr racoon 8
+.Xr racoon 8 Pq Pa ports/security/ipsec-tools
will configure the SA for the policy.
If you configure the SA by manual keying for that policy,
you can put the decimal number as the policy identifier after
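Review bot: the `require` bullet still reads `whenever the kernel sends a packet matched that matches the policy`; drop the stray `matched` while the line is being moved into the bullet list.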
@@ -550,6 +598,8 @@ must be between 1 and 32767,
which corresponds to
.Ar extensions Fl u
of manual SA configuration.
+.El
+.El
.Pp
When you want to use an SA bundle, you can define multiple rules.
For
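Review bot: the two `.El` lines here close the `-bullet` list opened before the `default` bullet and the outer `.Bl -tag -compact -width "policy level"` opened before `direction`, roughly 100 lines earlier in the file; run `mandoc -T lint sbin/setkey/setkey.8` to confirm the list nesting, since an unbalanced `.Bl`/`.El` would change the indentation of the `SA bundle` paragraph that follows.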
@@ -597,6 +647,7 @@ hmac-sha2-512 512 ah/esp: 256bit ICV (RFC4868)
aes-xcbc-mac 128 ah/esp: 96bit ICV (RFC3566)
128 ah-old/esp-old: 128bit ICV (no document)
tcp-md5 8 to 640 tcp: rfc2385
+chacha20-poly1305 256 ah/esp: 128bit ICV (RFC7634)
.Ed
.Ss Encryption Algorithms
The following encryption algorithms can be used as the
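Review bot: `chacha20-poly1305` is an AEAD cipher, so listing it in the Authentication Algorithms table with `ah/esp` is misleading: RFC 7634 specifies it for ESP (and IKEv2) only, and it cannot be combined with AH the way the hmac-* entries can. Either drop this row and document it only under Encryption Algorithms with the `AEAD;` marker used for `aes-gcm-16`, or change `ah/esp` to `esp` and state that the 128bit ICV comes from the cipher itself rather than from a separate `-A` algorithm.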
@@ -612,6 +663,7 @@ null 0 to 2048 rfc2410
aes-cbc 128/192/256 rfc3602
aes-ctr 160/224/288 rfc3686
aes-gcm-16 160/224/288 AEAD; rfc4106
+chacha20-poly1305 256 rfc7634
.Ed
.Pp
Note that the first 128/192/256 bits of a key for
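Review bot: the new `chacha20-poly1305 256 rfc7634` row lacks the `AEAD;` tag that the `aes-gcm-16` row carries, and its key length needs checking against the same convention: `aes-gcm-16` lists 160/224/288 because the setkey key includes a 32-bit salt after the cipher key, and RFC 7634 likewise derives a 32-bit salt from the keying material for the nonce, so if the kernel expects the salt in the key this should read 288 and the `Note that the first 128/192/256 bits of a key for` paragraph below should be extended to cover it.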
@@ -688,7 +740,7 @@ add 10.1.10.36 10.1.10.34 tcp 0x1001 -A tcp-md5 "TCP-MD5 BGP secret" ;
.Sh SEE ALSO
.Xr ipsec_set_policy 3 ,
.Xr if_ipsec 4 ,
-.Xr racoon 8 ,
+.Xr racoon 8 Pq Pa ports/security/ipsec-tools ,
.Xr sysctl 8
.Rs
.%T "Changed manual key configuration for IPsec"