1 .TH IPSEC_MANUAL 8 "17 July 2001"
2 .\" RCSID $Id: manual.8,v 1.52 2001/07/17 20:45:55 henry Exp $
4 ipsec manual \- take manually-keyed IPsec connections up and down
18 .RB address "@" interface
24 \ \ \ operation connection
35 manipulates manually-keyed FreeS/WAN IPsec connections,
36 setting them up and shutting them down,
37 based on the information in the IPsec configuration file.
40 is the name of a connection specification in the configuration file;
58 commands for the connection and feeds them to a shell for execution.
62 operation brings the specified connection up, including establishing a
63 suitable route for it if necessary.
67 operation just establishes the route for a connection.
70 operation is done, packets routed by that route will simply be discarded.
74 operation tears the specified connection down,
76 that it leaves the route in place.
79 operation is done, packets routed by that route will simply be discarded.
80 This permits establishing another connection to the same destination
81 without any ``window'' in which packets can pass without encryption.
85 operation (and only the
87 operation) deletes any route established for a connection.
93 is the name of a partial connection specification in the configuration file,
94 and the union of all the partial specifications is the
95 connection specification used.
96 The effect is as if the contents of the partial specifications were
97 concatenated together;
98 restrictions on duplicate parameters, etc., do apply to the result.
99 (The same effect can now be had, more gracefully, using the
101 parameter in connection descriptions;
110 option of the shell used to execute the commands,
111 so each command is shown as it is executed.
117 to show the commands it would run, on standard output,
124 to pretend it is the other end of the connection.
125 This is probably not useful except in combination with
132 to believe it is running on the host with the specified IP
134 and that it should use the specified
136 (normally it determines all this automatically,
137 based on what IPsec interfaces are up and how they are configured).
141 option specifies a non-standard location for the FreeS/WAN IPsec
142 configuration file (default
143 .IR /etc/ipsec.conf ).
147 for details of the configuration file.
148 Apart from the basic parameters which specify the endpoints and routing
149 of a connection (\fBleft\fR
161 a non-\fBpassthrough\fR
167 parameter and some parameters specifying encryption, authentication, or
173 Moderately-secure keys can be obtained from
174 .IR ipsec_ranbits (8).
175 For production use of manually-keyed connections,
176 it is strongly recommended that the keys be kept in a separate file
178 .BR rw\-\-\-\-\-\-\- )
183 facilities of the configuration file (see
190 uses that value as the SPI number for all the SAs
191 (which are in separate number spaces anyway).
194 parameter is given instead,
196 assigns SPI values by altering the bottom digit
198 SAs going from left to right get even digits starting at 0,
199 SAs going from right to left get odd digits starting at 1.
200 Either way, it is suggested that manually-keyed connections use
201 three-digit SPIs with the first digit non-zero,
206 FreeS/WAN reserves those for manual keying and will not
207 attempt to use them for automatic keying (unless requested to,
208 presumably by a non-FreeS/WAN other end).
210 .ta \w'/var/run/ipsec.nexthop'u+4n
211 /etc/ipsec.conf default IPsec configuration file
213 /var/run/ipsec.info \fB%defaultroute\fR information
215 ipsec(8), ipsec.conf(5), ipsec_spi(8), ipsec_eroute(8), ipsec_spigrp(8),
218 Written for the FreeS/WAN project
219 <http://www.freeswan.org/>
222 It's not nearly as generous about the syntax of subnets,
223 addresses, etc. as the usual FreeS/WAN user interfaces.
224 Four-component dotted-decimal must be used for all addresses.
227 smart enough to translate bit-count netmasks to dotted-decimal form.
229 If the connection specification for a connection is changed between an
237 operation is not smart enough to notice whether the connection is already up.
240 is not smart enough to reject insecure combinations of algorithms,
241 e.g. encryption with no authentication at all.
243 Any non-IPsec route to the other end which is replaced by the
247 operation will not be re-established by
249 Whether this is a feature or a bug depends on your viewpoint.
251 The optional parameters which
252 override the automatic
254 SPI assignment are a messy area of the code and bugs are likely.
256 ``Road warrior'' handling,
257 and other special forms of setup which
258 require negotiation between the two security gateways,
259 inherently cannot be done with
263 generally lags behind
265 in support of various features,
266 even when implementation \fIwould\fR be possible.
267 For example, currently it does not do IPComp content compression.