Lines Matching +full:ddr +full:- +full:config
8 ipsecconf \- configure system wide IPsec policy
16 \fB/usr/sbin/ipsecconf\fR \fB-a\fR \fIfile\fR [\fB-q\fR]
21 \fB/usr/sbin/ipsecconf\fR \fB-c\fR \fIfile\fR
26 \fB/usr/sbin/ipsecconf\fR \fB-d\fR [\fB-i\fR \fItunnel-name\fR] {\fIindex\fR, \fItunnel-name\fR, \…
31 \fB/usr/sbin/ipsecconf\fR \fB-f\fR [\fB-i\fR \fItunnel-name\fR]
36 \fB/usr/sbin/ipsecconf\fR \fB-F\fR
41 \fB/usr/sbin/ipsecconf\fR \fB-l\fR [\fB-i\fR \fItunnel-name\fR] [\fB-n\fR]
46 \fB/usr/sbin/ipsecconf\fR \fB-L\fR [\fB-n\fR]
73 entries loaded are shown. To display the (\fBspd p.e.\fRs) use the \fB-l\fR
75 tunnel's SPD, use the \fB-i\fR option in combination with \fB-l\fR. To specify
76 all SPDs, both host and for all tunnels, use \fB-L\fR.
85 You can use the \fB-d\fR option with the index to delete a given policy in the
86 system. If the \fB-d\fR option removes an FPE entry that produces multiple
91 As with \fB-l\fR, \fB-d\fR can use the \fB-i\fR flag to indicate a tunnel. An
100 To view the order in which the traffic match will take place, use the \fB-l\fR
126 \fB\fB-a\fR \fIfile\fR\fR
141 socket with an existing non-null policy. Thus, make sure that there are no
152 \fB\fB-c\fR \fIfile\fR\fR
164 \fB\fB-d\fR \fIindex\fR\fR
169 \fBipsecconf\fR without any arguments, or with the \fB-l\fR option. See
174 deleted. It is advisable to use the \fB-l\fR option to find the correct policy
181 \fB\fB-d\fR \fIname\fR,\fIindex\fR\fR
186 \fIname\fR. Since tunnels affect traffic that might originate off-node,
188 \fB-d\fR \fIindex\fR \fB-i\fR \fIname\fR.
194 \fB\fB-f\fR\fR
198 Flush all the policies in the system. Constraints are similar to the \fB-d\fR
199 option with respect to latching and host versus per-tunnel behavior.
205 \fB\fB-F\fR\fR
215 \fB\fB-i\fR \fIname\fR\fR
219 Specify a tunnel interface name for use with the \fB-d\fR, \fB-f\fR, or
220 \fB-l\fR flags.
226 \fB\fB-l\fR\fR
233 table can differ from the previous one if, for example, a multi-homed entry was
235 \fBspd\fR rules In the case of a multi-homed entry, all the addresses are
245 \fB\fB-L\fR\fR
252 If \fB-i\fR is specified, \fB-L\fR lists the policy table for a specific tunnel
259 \fB\fB-n\fR\fR
263 Show network addresses, ports, protocols in numbers. The \fB-n\fR option may
264 only be used with the \fB-l\fR option.
270 \fB\fB-q\fR\fR
300 section or immediately before the first (left-hand) brace of a braced section.
310 If there is an \fBor\fR in the rule (multiple action-properties for a given
311 pattern), a transmitter will use the first action-property pair that works,
315 \fIpattern\fR and \fIproperties\fR are name-value pairs where name and value
316 are separated by a <space>, <tab> or <newline>. Multiple name-value pairs
321 Files can contain multiple policy entries. An unspecified name-value pair in
366 type <icmp-type> |
367 type <number>-<number> |
368 code <icmp-code>
369 code <number>-<number>
370 tunnel <interface-name> |
381 type <icmp-type> |
382 type <number>-<number> |
383 code <icmp-code> |
384 code <number>-<number>
386 tunnel <interface-name> |
417 auth_algname ::= any | md5 | hmac-md5 | sha | sha1 | hmac-sha |
418 hmac-sha1 | hmac-sha256 | hmac-sha384 |
419 hmac-sha512 |<number>
422 encr_algname ::= any | aes | aes-cbc | des | des-cbc | 3des |
423 3des-cbc | blowfish | blowfish-cbc | <number>
434 icmp-type ::= <number> | unreach | echo | echorep | squench |
438 router-sol6 | router-ad6 | neigh-sol6 | neigh-ad6 |
441 icmp-code ::= <number> | net-unr | host-unr | proto-unr | port-unr |
442 needfrag | srcfail | net-unk | host-unk | isolate |
443 net-prohib | host-prohib | net-tos | host-tos |
444 filter-prohib | host-preced | cutoff-preced |
445 no-route6 | adm-prohib6 | addr-unr6 | port-unr6 |
446 hop-limex6 | frag-re-timex6 | err-head6 | unrec-head6 |
447 unreq-opt6
550 address-destination address pair will be added to the system.
565 contiguous and the behavior is not defined for non-contiguous masks.
642 \fBicmp\fR or \fBipv6-icmp\fR, any action applying IPsec must be the same for
649 \fB\fBtype\fR \fInum\fR or \fInum\fR-\fInum\fR\fR
655 \fBicmp-type\fR keywords. Also, \fIulp\fR must be present and must specify
656 either \fBicmp\fR or \fBipv6-icmp\fR. A range of types can be specified with a
663 \fB\fBcode\fR \fInum\fR or \fInum\fR-\fInum\fR\fR
669 254 or one of the appropriate \fBicmp-code\fR keywords. Also, \fBtype\fR must
697 For per-tunnel security, specify whether the IPsec SAs protecting the traffic
698 should be tunnel-mode SAs or transport-mode SAs. If transport-mode SAs are
699 specified, no addresses can appear in the policy entry. Transport-mode is
706 Policy entries may contain the following (name-value) pairs in the properties
707 field. Each (name-value) pair may appear only once in a given policy entry.
729 This should be either \fBMD5\fR or \fBHMAC-MD5\fR denoting the \fBHMAC-MD5\fR
730 algorithm as described in \fIRFC 2403\fR, and \fBSHA1\fR, or \fBHMAC-SHA1\fR or
731 \fBSHA\fR or \fBHMAC-SHA\fR denoting the \fBHMAC-SHA\fR algorithm described in
735 The string can also be \fBANY\fR, which denotes no-preference for the
738 \fBSA\fRs. Strings are not case-sensitive.
748 A number in the range 1-255. This is useful when new algorithms can be
770 case-sensitive.
787 DES or DES-CBC DES-CBC 2405
788 3DES or 3DES-CBC 3DES-CBC 2451
789 BLOWFISH or BLOWFISH-CBC BLOWFISH-CBC 2451
790 AES or AES-CBC AES-CBC 2451
798 can also be \fBANY\fR, which indicates no-preference for the algorithm. Default
801 not case-sensitive.
811 A decimal number in the range 1-255. This is useful when new algorithms can be
829 either a string or a number. Strings are case-insensitive.
847 This should be a decimal number in the range 1-255. This is useful when new
949 For tunnel-mode tunnels, \fBunique\fR is ignored. SAs are assigned per-rule in
950 tunnel-mode tunnels. For transport-mode tunnels, \fBunique\fR is implicit,
951 because the enforcement happens only on the outer-packet addresses and protocol
952 value of either IPv4-in-IP or IPv6-in-IP.
962 Shared association. If an \fBSA\fR exists already for this source-destination
1067 authentication, which will allow cut-and-paste or replay attacks, or without
1083 and before any \fBAH\fR-only and \fBESP\fR-only entries. In all other cases the
1097 To prevent non-privileged users from modifying the security policy, ensure that
1252 \fBExample 5 \fRVerifying Inbound Traffic is Null-Encrypted
1255 The first entry specifies that any packet with address host-B should not be
1257 traffic from network-B should be encrypted with a \fBNULL\fR encryption
1268 # Make sure that all inbound traffic from network-B is NULL
1269 # encrypted, but bypass for host-B alone from that network.
1272 raddr host-B
1276 # Now add for network-B.
1278 raddr network-B/16
1304 {raddr spiderweb } ipsec {encr_algs any sa unique}
1316 {raddr spiderweb dir out} ipsec {auth_algs any sa unique}
1342 same properties. Use \fBipsecconf\fR \fB-l\fR to view all the policy entries
1352 # to network-b which should be authenticated and bypass anything
1353 # to network-c
1355 {raddr network-b/16 dir out} ipsec {auth_algs any}
1357 {raddr network-c/16 dir out} bypass {} # NULL properties
1372 hosts with IPv6 link-local addresses \fBfe80::a00:20ff:fe21:4483\fR and
1394 site-local network \fBfec0:abcd::0/32\fR be authenticated with \fBSHA1\fR.
1399 {raddr fec0:abcd::0/32} ipsec { auth_algs SHA1 }
1409 {raddr spiderweb} ipsec {encr_algs aes}
1412 {raddr spiderweb} ipsec {encr_algs aes(192)}
1416 {raddr spiderweb} ipsec {encr_algs aes(..192)}
1420 {raddr spiderweb} ipsec {encr_algs aes(192..)}
1423 {raddr spiderweb} ipsec {encr_algs aes(192..256)}
1426 {raddr spiderweb} ipsec {encr_algs any(192..)}
1485 site-local network \fBfec0:abcd::0/32\fR be authenticated with SHA1. The second
1491 {raddr fec0:abcd::0/32} ipsec { auth_algs SHA1 }
1492 {raddr fec0:abcd::0/32 ulp ipv6-icmp type 133-137 dir both }
1507 {raddr spiderweb} ipsec {encr_algs aes} or ipsec {encr_algs blowfish}
1512 \fBExample 15 \fRConfiguring a Tunnel to be Backward-Compatible with Solaris 9
1536 # Unlike route(8), the default route has to be spelled-out.
1537 {tunnel ip.tun0 negotiate tunnel raddr client-inside/32
1547 between two tunnelled subnets and a third subnet that is on-link. Consider
1548 remote-site A, remote-site B, and local site C, each with a \fB/24\fR address
1554 # ip.tun0 between me (C) and remote-site A.
1555 # Cover remote-site A to remote-side B.
1556 {tunnel ip.tun0 negotiate tunnel raddr A-prefix/24 laddr
1557 B-prefix/24} ipsec {encr_algs 3des encr_auth_algs md5}
1559 # Cover remote-site A traffic to my subnet.
1560 {tunnel ip.tun0 negotiate tunnel raddr A-prefix/24 laddr
1561 C-prefix/24} ipsec {encr_algs 3des encr_auth_algs md5}
1563 # ip.tun1 between me (C) and remote-site B.
1564 # Cover remote-site B to remote-site A.
1565 {tunnel ip.tun1 negotiate tunnel raddr B-prefix/24 laddr
1566 A-prefix/24} ipsec {encr_algs aes encr_auth_algs sha1}
1568 # Cover remote-site B traffic to my subnet.
1569 {tunnel ip.tun1 negotiate tunnel raddr B-prefix/24 laddr
1570 C-prefix/24} ipsec {encr_algs aes encr_auth_algs md5}
1665 Madsen, C. and Glenn, R. \fIRFC 2403, The Use of HMAC-MD5-96 within ESP and
1669 Madsen, C. and Glenn, R. \fIRFC 2404, The Use of HMAC-SHA-1-96 within ESP and
1673 Madsen, C. and Doraswamy, N. \fIRFC 2405, The ESP DES-CBC Cipher Algorithm With
1677 Pereira, R. and Adams, R. \fIRFC 2451, The ESP CBC-Mode Cipher Algorithms\fR.
1707 Dual use of \fB-i\fR \fIname\fR and \fIname\fR,\fIindex\fR for an index.
1723 \fBNon-existent index\fR
1750 svc:/network/ipsec/manual-key:default (disabled)
1758 The manual-key service is delivered disabled. The system administrator must
1773 enabling them. See \fBike.config\fR(5) for the \fBike\fR service.
1795 The \fBsmf\fR(7) framework will record any errors in the service-specific log
1800 example# \fBsvcs -l policy\fR
1802 example# \fBsvccfg -s policy listprop\fR
1813 config/config_file
1836 property is effective. General non-modifiable properties can be viewed with the
1841 # \fBsvccfg -s ipsec/policy setprop config/config_file = /new/config_file\fR