1 Content-type: text/html
3 <HTML><HEAD><TITLE>Manpage of IPSEC_MANUAL</TITLE>
6 Section: Maintenance Commands (8)<BR>Updated: 28 Nov 2000<BR><A HREF="#index">Index</A>
7 <A HREF="http://localhost/cgi-bin/man/man2html">Return to Main Contents</A><HR>
10 <A NAME="lbAB"> </A>
13 ipsec manual - take manually-keyed IPsec connections up and down
14 <A NAME="lbAC"> </A>
36 address<B>@</B>interface
45 operation connection
58 <A NAME="lbAD"> </A>
63 manipulates manually-keyed FreeS/WAN IPsec connections,
64 setting them up and shutting them down,
65 based on the information in the IPsec configuration file.
69 is the name of a connection specification in the configuration file;
84 generates setup (<B>--route</B>
90 teardown (<B>--down</B>
95 commands for the connection and feeds them to a shell for execution.
101 operation brings the specified connection up, including establishing a
102 suitable route for it if necessary.
108 operation just establishes the route for a connection.
112 operation is done, packets routed by that route will simply be discarded.
118 operation tears the specified connection down,
121 that it leaves the route in place.
125 operation is done, packets routed by that route will simply be discarded.
126 This permits establishing another connection to the same destination
127 without any ``window'' in which packets can pass without encryption.
133 operation (and only the
136 operation) deletes any route established for a connection.
145 is the name of a partial connection specification in the configuration file,
146 and the union of all the partial specifications is the
147 connection specification used.
148 The effect is as if the contents of the partial specifications were
149 concatenated together;
150 restrictions on duplicate parameters, etc., do apply to the result.
151 (The same effect can now be had, more gracefully, using the
154 parameter in connection descriptions;
156 <I><A HREF="ipsec.conf.5.html">ipsec.conf</A></I>(5)
167 option of the shell used to execute the commands,
168 so each command is shown as it is executed.
177 to show the commands it would run, on standard output,
187 to pretend it is the other end of the connection.
188 This is probably not useful except in combination with
199 to believe it is running on the host with the specified IP
202 and that it should use the specified
205 (normally it determines all this automatically,
206 based on what IPsec interfaces are up and how they are configured).
212 option specifies a non-standard location for the FreeS/WAN IPsec
213 configuration file (default
214 <I>/etc/ipsec.conf</I>).
219 <I><A HREF="ipsec.conf.5.html">ipsec.conf</A></I>(5)
221 for details of the configuration file.
222 Apart from the basic parameters which specify the endpoints and routing
223 of a connection (<B>left</B>
241 a non-<B>passthrough</B>
250 parameter and some parameters specifying encryption, authentication, or
259 Moderately-secure keys can be obtained from
260 <I><A HREF="ipsec_ranbits.8.html">ipsec_ranbits</A></I>(8).
262 For production use of manually-keyed connections,
263 it is strongly recommended that the keys be kept in a separate file
273 facilities of the configuration file (see
274 <I><A HREF="ipsec.conf.5.html">ipsec.conf</A></I>(5)).
284 uses that value as the SPI number for all the SAs
285 (which are in separate number spaces anyway).
289 parameter is given instead,
292 assigns SPI values by altering the bottom digit
294 SAs going from left to right get even digits starting at 0,
295 SAs going from right to left get odd digits starting at 1.
296 Either way, it is suggested that manually-keyed connections use
297 three-digit SPIs with the first digit non-zero,
304 FreeS/WAN reserves those for manual keying and will not
305 attempt to use them for automatic keying (unless requested to,
306 presumably by a non-FreeS/WAN other end).
307 <A NAME="lbAE"> </A>
312 /etc/ipsec.conf<TT> </TT>default IPsec configuration file<BR>
315 /var/run/ipsec.info<TT> </TT><B>%defaultroute</B> information<BR>
316 <A NAME="lbAF"> </A>
319 <A HREF="ipsec.8.html">ipsec</A>(8), <A HREF="ipsec.conf.5.html">ipsec.conf</A>(5), <A HREF="ipsec_spi.8.html">ipsec_spi</A>(8), <A HREF="ipsec_eroute.8.html">ipsec_eroute</A>(8), <A HREF="ipsec_spigrp.8.html">ipsec_spigrp</A>(8),
320 <A HREF="route.8.html">route</A>(8)
321 <A NAME="lbAG"> </A>
324 Written for the FreeS/WAN project
325 <<A HREF="http://www.freeswan.org/">http://www.freeswan.org/</A>>
327 <A NAME="lbAH"> </A>
330 It's not nearly as generous about the syntax of subnets,
331 addresses, etc. as the usual FreeS/WAN user interfaces.
332 Four-component dotted-decimal must be used for all addresses.
336 smart enough to translate bit-count netmasks to dotted-decimal form.
339 If the connection specification for a connection is changed between an
351 operation is not smart enough to notice whether the connection is already up.
356 is not smart enough to reject insecure combinations of algorithms,
357 e.g. encryption with no authentication at all.
360 Any non-IPsec route to the other end which is replaced by the
366 operation will not be re-established by
369 Whether this is a feature or a bug depends on your viewpoint.
372 The optional parameters which
373 override the automatic
376 SPI assignment are a messy area of the code and bugs are likely.
379 ``Road warrior'' handling,
380 and other special forms of setup which
381 require negotiation between the two security gateways,
382 inherently cannot be done with
389 does not (yet) do IPComp content compression.
393 <A NAME="index"> </A><H2>Index</H2>
395 <DT><A HREF="#lbAB">NAME</A><DD>
396 <DT><A HREF="#lbAC">SYNOPSIS</A><DD>
397 <DT><A HREF="#lbAD">DESCRIPTION</A><DD>
398 <DT><A HREF="#lbAE">FILES</A><DD>
399 <DT><A HREF="#lbAF">SEE ALSO</A><DD>
400 <DT><A HREF="#lbAG">HISTORY</A><DD>
401 <DT><A HREF="#lbAH">BUGS</A><DD>
404 This document was created by
405 <A HREF="http://localhost/cgi-bin/man/man2html">man2html</A>,
406 using the manual pages.<BR>
407 Time: 05:09:32 GMT, June 19, 2001