Lines Matching +full:spi +full:- +full:3 +full:wire

14 .\" 3. Neither the name of the project nor the names of its contributors
77 .Bl -tag -width indent
133 .Bl -tag -width indent
137 .Ar src Ar dst Ar protocol Ar spi
150 .Ar src Ar dst Ar protocol Ar spi
158 .Ar src Ar dst Ar protocol Ar spi
223 Meta-arguments are as follows:
225 .Bl -tag -compact -width indent
254 .Bl -tag -width Fl -compact
257 .It Li esp-old
261 .It Li ah-old
266 TCP-MD5 based on rfc2385
270 .It Ar spi
274 .Ar spi
284 .Bl -tag -width Fl natt_mtu -compact
297 Specify the bitmap size in octets of the anti-replay window.
299 is a 32-bit unsigned integer, and its value is one eighth of the
300 anti-replay window size in packets.
303 is zero or not specified, an anti-replay check does not take place.
314 .Bl -tag -width random-pad -compact
315 .It Li zero-pad
317 .It Li random-pad
319 .It Li seq-pad
323 .It Fl f Li nocyclic-seq
330 Manually configure NAT-T for the SA, by specifying initiator
343 Configure NAT-T fragment size.
355 .Bl -tag -width Fl -compact
377 .Ar spi
380 on wire as is.
384 the kernel will use well-known CPI on wire, and
385 .Ar spi
390 must be double-quoted character string, or a series of hexadecimal digits
408 .Bd -unfilled
458 .Dl "spdadd ::/0 ::/0 icmp6 135,0 -P in none;"
474 .Bl -tag -width 2n -compact
478 .Ar protocol/mode/src-dst/level Op ...
482 .Bl -tag -compact -width "policy level"
496 .Bl -compact -bullet
513 .It Ar protocol/mode/src-dst/level
515 .Ar protocol/mode/src-dst/level
517 .Bl -compact -bullet
539 you must specify the end-point addresses of the SA as
544 .Sq - ,
566 .Bl -compact -bullet
589 but, in addition, it allows the policy to bind with the unique out-bound SA.
593 .Xr racoon 8 Pq Pa ports/security/ipsec-tools
626 .Xr ipsec_set_policy 3 .
629 .Xr ipsec_set_policy 3
643 .Bd -literal -offset indent
645 hmac-sha1 160 ah/esp: rfc2404
646 160 ah-old/esp-old: 128bit ICV (no document)
648 hmac-sha2-256 256 ah/esp: 128bit ICV (RFC4868)
649 256 ah-old/esp-old: 128bit ICV (no document)
650 hmac-sha2-384 384 ah/esp: 192bit ICV (RFC4868)
651 384 ah-old/esp-old: 128bit ICV (no document)
652 hmac-sha2-512 512 ah/esp: 256bit ICV (RFC4868)
653 512 ah-old/esp-old: 128bit ICV (no document)
654 aes-xcbc-mac 128 ah/esp: 96bit ICV (RFC3566)
655 128 ah-old/esp-old: 128bit ICV (no document)
656 tcp-md5 8 to 640 tcp: rfc2385
657 chacha20-poly1305 256 ah/esp: 128bit ICV (RFC7634)
667 .Bd -literal -offset indent
670 aes-cbc 128/192/256 rfc3602
671 aes-ctr 160/224/288 rfc3686
672 aes-gcm-16 160/224/288 AEAD; rfc4106
673 chacha20-poly1305 256 rfc7634
677 .Li aes-ctr
679 .Li aes-gcm-16
684 .Li aes-gcm-16
697 .Bd -literal -offset indent
703 .Ex -std
707 AES-GCM AEAD algorithm.
708 .Bd -literal -offset indent
709 add 3ffe:501:4819::1 3ffe:501:481d::1 esp 123457
710 -E aes-gcm-16 0x3ffe050148193ffe050148193ffe050148193ffe ;
715 .Bd -literal -offset indent
716 add -6 myhost.example.com yourhost.example.com ah 123456
717 -A hmac-sha2-256 "AH SA configuration!" ;
721 .Bd -literal -offset indent
722 get 3ffe:501:4819::1 3ffe:501:481d::1 ah 123456 ;
726 .Bd -literal -offset indent
731 .Bd -literal -offset indent
736 .Bd -literal -offset indent
738 -P out ipsec esp/tunnel/192.168.0.1-192.168.1.2/require ;
742 .Bd -literal -offset indent
743 add 10.1.10.34 10.1.10.36 tcp 0x1000 -A tcp-md5 "TCP-MD5 BGP secret" ;
744 add 10.1.10.36 10.1.10.34 tcp 0x1001 -A tcp-md5 "TCP-MD5 BGP secret" ;
748 .Xr ipsec_set_policy 3 ,
750 .Xr racoon 8 Pq Pa ports/security/ipsec-tools ,
762 The utility was completely re-designed in June 1998.
778 (cannot inspect upper-layer headers).