1.\" Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project. 2.\" All rights reserved. 3.\" 4.\" Redistribution and use in source and binary forms, with or without 5.\" modification, are permitted provided that the following conditions 6.\" are met: 7.\" 1. Redistributions of source code must retain the above copyright 8.\" notice, this list of conditions and the following disclaimer. 9.\" 2. Redistributions in binary form must reproduce the above copyright 10.\" notice, this list of conditions and the following disclaimer in the 11.\" documentation and/or other materials provided with the distribution. 12.\" 3. Neither the name of the project nor the names of its contributors 13.\" may be used to endorse or promote products derived from this software 14.\" without specific prior written permission. 15.\" 16.\" THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND 17.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 18.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 19.\" ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE 20.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 21.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 22.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 23.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 24.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 25.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 26.\" SUCH DAMAGE. 27.\" 28.\" $Id: setkey.8,v 1.14 1999/10/27 17:08:58 sakane Exp $ 29.\" $FreeBSD$ 30.\" 31.Dd May 17, 1998 32.Dt SETKEY 8 33.Os KAME 34.\" 35.Sh NAME 36.Nm setkey 37.Nd manually manipulate the SA/SP database. 
38.\" 39.Sh SYNOPSIS 40.Nm setkey 41.Op Fl dv 42.Fl c 43.Nm setkey 44.Op Fl dv 45.Fl f Ar filename 46.Nm setkey 47.Op Fl adPlv 48.Fl D 49.Nm setkey 50.Op Fl dPv 51.Fl F 52.Nm setkey 53.Op Fl h 54.Fl x 55.\" 56.Sh DESCRIPTION 57.Nm 58updates, or lists the content of, Security Association Database (SAD) entries 59in the kernel as well as Security Policy Database (SPD) entries. 60.Pp 61.Nm 62takes a series of operation from standard input 63.Po 64if invoked with 65.Fl c 66.Pc 67or file named 68.Ar filename 69.Po 70if invoked with 71.Fl f Ar filename 72.Pc . 73.Bl -tag -width Ds 74.It Fl D 75Dump the SAD entries. 76If with 77.Fl P , 78the SPD entries are dumped. 79.It Fl F 80Flush the SAD. 81If with 82.Fl P , 83the SPD are flushed. 84.It Fl a 85.Nm 86usually do not display dead SAD entries on 87.Fl D . 88With 89.Fl a , 90dead SAD entries will be displayed as well. 91Dead SAD entries are kept in the kernel, 92when they are referenced from any of SPD entries in the kernel. 93.It Fl d 94Enable debugging messages. 95.It Fl x 96Loop forever and dump all the messages transmitted to 97.Dv PF_KEY 98socket. 99.It Fl h 100Add hexadecimal dump on 101.Fl x 102mode. The order is significant. 103.It Fl l 104Loop forever with short output on 105.Fl D . 106.It Fl v 107Be verbose. 108.Dv PF_KEY 109socket 110.Po 111including messages sent from other processes 112.Pc . 113.El 114.Pp 115Operation has the following grammar. Note that lines, that start with a 116hashmark ('#') are treated as comment lines. 117Description of meta-arguments follows. 118.Bl -tag -width Ds 119.It Xo 120.Li add 121.Ar src Ar dst Ar protocol Ar spi 122.Op Ar extensions 123.Ar algorithm... 124.Li ; 125.Xc 126Add a SAD entry. 127.\" 128.It Xo 129.Li get 130.Ar src Ar dst Ar protocol Ar spi 131.Op Ar mode 132.Li ; 133.Xc 134Show a SAD entry. 135.\" 136.It Xo 137.Li delete 138.Ar src Ar dst Ar protocol Ar spi 139.Op Ar mode 140.Li ; 141.Xc 142Remove a SAD entry. 
143.\" 144.It Xo 145.Li flush 146.Op Ar protocol 147.Li ; 148.Xc 149Clear all SAD entries that matches the options. 150.\" 151.It Xo 152.Li dump 153.Op Ar protocol 154.Li ; 155.Xc 156Dumps all SAD entries that matches the options. 157.\" 158.It Xo 159.Li spdadd 160.Ar src_range Ar dst_range Ar upperspec Ar policy 161.Li ; 162.Xc 163Add a SPD entry. 164.\" 165.It Xo 166.Li spddelete 167.Ar src_range Ar dst_range Ar upperspec 168.Li ; 169.Xc 170Delete a SPD entry. 171.\" 172.It Xo 173.Li spdflush 174.Li ; 175.Xc 176Clear all SPD entries. 177.\" 178.It Xo 179.Li spddump 180.Li ; 181.Xc 182Dumps all SAD entries. 183.El 184.\" 185.Pp 186Meta-arguments are as follows: 187.Bl -tag -compact -width Ds 188.It Ar src 189.It Ar dst 190Source/destination of the secure communication is specified as 191IPv4/v6 address. 192.Nm 193does not consult hostname-to-address for arguments 194.Ar src 195and 196.Ar dst . 197They must be in numeric form. 198.\" 199.Pp 200.It Ar protocol 201.Ar protocol 202is one of following: 203.Bl -tag -width Fl -compact 204.It Li esp 205ESP based on rfc2405 206.It Li esp-old 207ESP based on rfc1827 208.It Li ah 209AH based on rfc2402 210.It Li ah-old 211AH based on rfc1826 212.It Li ipcomp 213IPCOMP 214.El 215.\" 216.Pp 217.It Ar spi 218Security Parameter Index (SPI) for the SA and SPD. 219It must be decimal number or hexadecimal number 220.Po 221with 222.Li 0x 223attached 224.Pc . 225.\" 226.Pp 227.It Ar extensions 228takes some of the following: 229.Bl -tag -width Fl -compact 230.It Fl m Ar mode 231Specify an security protocol mode for use. By default, 232.Li any . 233.Ar mode 234is one of following: 235.Li transport , tunnel 236or 237.Li any . 238.It Fl r Ar size 239Specify window size of bytes for replay prevention. 240.Ar size 241must be decimal number in 32-bit word. If 242.Ar size 243is zero or not specified, replay check don't take place. 
244.It Fl f Ar pad_option 245.Ar pad_option 246is one of following: 247.Li zero-pad , random-pad 248or 249.Li seq-pad 250.It Fl f Li cyclic-seq 251Allow cyclic sequence number. 252.It Fl lh Ar time 253.It Fl ls Ar time 254Specify hard/soft lifetime. 255.El 256.\" 257.Pp 258.It Ar algorithm 259.Bl -tag -width Fl -compact 260.It Fl E Ar ealgo Ar key 261Specify encryption algorithm. 262.It Fl A Ar ealgo Ar key 263Specify authentication algorithm. 264If 265.Fl A 266is used for esp, it will be treated as ESP payload authentication algorithm. 267.It Fl C Ar calgo Op Fl R 268Specify compression algorithm. 269If 270.Fl R 271is specified with 272.Li ipcomp 273line, the kernel will use well-known IPComp CPI 274.Pq compression parameter index 275on IPComp CPI field on packets, and 276.Ar spi 277field will be ignored. 278.Ar spi 279field is only for kernel internal use in this case. 280.\"Therefore, compression protocol number will appear on IPComp CPI field. 281If 282.Fl R 283is not used, 284the value on 285.Ar spi 286field will appear on IPComp CPI field on outgoing packets. 287.Ar spi 288field needs to be smaller than 289.Li 0x10000 290in this case. 291.El 292.Pp 293.Li esp 294SAs accept 295.Fl E 296and 297.Fl A . 298.Li esp-old 299SAs accept 300.Fl E 301only. 302.Li ah 303and 304.Li ah-old 305SAs accept 306.Fl A 307only. 308.Li ipcomp 309SAs accept 310.Fl C 311only. 312.Pp 313.Ar key 314must be double-quoted character string or a series of hexadecimal digits. 315.Pp 316Possible values for 317.Ar ealgo , 318.Ar aalgo 319and 320.Ar calgo 321are specified in separate section. 322.\" 323.It Ar src_range 324.It Ar dst_range 325These are selection of the secure communication is specified as 326IPv4/v6 address or IPv4/v6 address range, and it may accompany 327TCP/UDP port specification. 
328This takes the following form: 329.Bd -literal -offset 330.Ar address 331.Ar address/prefixlen 332.Ar address[port] 333.Ar address/prefixlen[port] 334.Ed 335.Pp 336.Ar prefixlen 337and 338.Ar port 339must be decimal number. 340The square bracket around 341.Ar port 342is really necessary. 343They are not manpage metacharacters. 344.Pp 345.Nm 346does not consult hostname-to-address for arguments 347.Ar src 348and 349.Ar dst . 350They must be in numeric form. 351.\" 352.It Ar upperspec 353Upper-layer protocol to be used. 354Currently 355.Li tcp , 356.Li udp 357and 358.Li any 359can be specified. 360.Li any 361stands for 362.Dq any protocol . 363.Pp 364NOTE: 365.Ar upperspec 366does not work against forwarding case at this moment, 367as it requires extra reassembly at forwarding node 368.Pq not implemented as this moment . 369.\" 370.It Ar policy 371.Ar policy 372is the one of following: 373.Bd -literal -offset 374.Xo 375.Fl P 376.Ar direction 377.Li discard 378.Xc 379.Xo 380.Fl P 381.Ar direction 382.Li none 383.Xc 384.Xo 385.Fl P 386.Ar direction 387.Li ipsec 388.Ar protocol/mode/src-dst/level 389.Xc 390.Ed 391.Pp 392You must specify the direction of its policy as 393.Ar direction . 394Either 395.Li out 396or 397.Li in 398are used. 399.Li discard 400means the packet matching indexes will be discarded. 401.Li none 402means that IPsec operation will not take place onto the packet. 403.Li ipsec 404means that IPsec operation will take place onto the packet. 405Either 406.Li ah , 407.Li esp 408or 409.Li ipcomp 410is to be set as 411.Ar protocol . 412.Ar mode 413is either 414.Li transport 415or 416.Li tunnel . 417You must specify the end-points addresses of the SA as 418.Ar src 419and 420.Ar dst 421with 422.Sq - 423between these addresses which is used to specify the SA to use. 424.Ar level 425is to be one of the following: 426.Li default , use 427or 428.Li require . 
429.Li default 430means kernel consults to the system wide default against protocol you 431specified, e.g. 432.Li esp_trans_deflev 433sysctl variable, when kernel processes the packet. 434.Li use 435means that kernel use a SA if it's available, 436otherwise kernel keeps normal operation. 437.Li require 438means SA is required whenever kernel deals with the packet. 439Note that 440.Dq Li discard 441and 442.Dq Li none 443are not in the syntax described in 444.Xr ipsec_set_policy 3 . 445There are little differences in the syntax. 446See 447.Xr ipsec_set_policy 3 448for detail. 449.Pp 450.El 451.Pp 452.\" 453.Sh ALGORITHMS 454The following list shows the supported algorithms. 455.Sy protocol 456and 457.Sy algorithm 458are almost orthogonal. 459Following are the list of authentication algorithms that can be used as 460.Ar aalgo 461in 462.Fl A Ar aalgo 463of 464.Ar protocol 465parameter: 466.Pp 467.Bd -literal -offset indent 468algorithm keylen (bits) comment 469hmac-md5 128 ah: rfc2403 470 128 ah-old: rfc2085 471hmac-sha1 160 ah: rfc2404 472 160 ah-old: 128bit ICV (no document) 473keyed-md5 128 ah: 96bit ICV (no document) 474 128 ah-old: rfc1828 475keyed-sha1 160 ah: 96bit ICV (no document) 476 160 ah-old: 128bit ICV (no document) 477null 0 to 2048 for debugging 478.Ed 479.Pp 480Following are the list of encryption algorithms that can be used as 481.Ar ealgo 482in 483.Fl E Ar ealgo 484of 485.Ar protocol 486parameter: 487.Pp 488.Bd -literal -offset indent 489algorithm keylen (bits) comment 490des-cbc 64 esp-old: rfc1829, esp: rfc2405 4913des-cbc 192 rfc2451 492simple 0 to 2048 rfc2410 493blowfish-cbc 40 to 448 rfc2451 494cast128-cbc 40 to 128 rfc2451 495rc5-cbc 40 to 2040 rfc2451 496des-deriv 64 ipsec-ciph-des-derived-01 (expired) 4973des-deriv 192 no document 498.Ed 499.Pp 500Following are the list of compression algorithms that can be used as 501.Ar calgo 502in 503.Fl C Ar calgo 504of 505.Ar protocol 506parameter: 507.Pp 508.Bd -literal -offset indent 509algorithm 
comment 510deflate rfc2394 511lzs rfc2395 512.Ed 513.\" 514.Sh EXAMPLES 515.Bd -literal -offset 516add 3ffe:501:4819::1 3ffe:501:481d::1 esp 123457 517 -E des-cbc "ESP SA!!" 518 519add 3ffe:501:4819::1 3ffe:501:481d::1 ah 123456 520 -A hmac-sha1 "AH SA configuration!" ; 521 522add 10.0.11.41 10.0.11.33 esp 0x10001 523 -E des-cbc "ESP with" 524 -A hmac-md5 "authentication!!" ; 525 526get 3ffe:501:4819::1 3ffe:501:481d::1 ah 123456 ; 527 528flush ; 529 530dump esp ; 531 532spdadd 10.0.11.41/32[21] 10.0.11.33/32[any] any 533 -P out ipsec esp/tunnel/192.168.0.1-192.168.1.2/require ; 534 535.Ed 536.\" 537.Sh RETURN VALUES 538The command exits with 0 on success, and non-zero on errors. 539.\" 540.Sh SEE ALSO 541.Xr ipsec_set_policy 3 , 542.Xr sysctl 8 543.\" 544.Sh HISTORY 545The 546.Nm 547command first appeared in WIDE Hydrangea IPv6 protocol stack kit. 548The command was completely re-designed in June 1998. 549.\" 550.\" .Sh BUGS 551
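The grammar above gives several constraints that a mistyped configuration silently violates: src and dst must be numeric addresses, spi is decimal or 0x-prefixed hexadecimal, each protocol accepts only certain algorithm flags, a key is a double-quoted string or hex digits whose length must match the algorithm table, and an ipcomp SA needs an spi below 0x10000 unless -R is given. The following checker, added here as an example and not part of setkey, KAME or FreeBSD, lints the add statements of a configuration against exactly those rules before the file is fed to setkey -f. All function and constant names are the example's own; the sample configuration is constructed and reuses the third example above plus two deliberately broken lines.

```python
"""Sanity-check setkey(8) 'add' statements before loading them.

Added example; not part of setkey, KAME or FreeBSD.  It implements the
constraints stated in the manual page: numeric src/dst, decimal or
0x-hex spi, per-protocol algorithm flags, key length versus the
algorithm table, and spi < 0x10000 for ipcomp unless -R is given.
"""
import ipaddress
import re

# Fixed key lengths (bits) from the ALGORITHMS section; variable-length
# algorithms (null, simple, blowfish-cbc, cast128-cbc, rc5-cbc) are not checked.
KEYLEN_BITS = {
    "hmac-md5": 128, "hmac-sha1": 160, "keyed-md5": 128, "keyed-sha1": 160,
    "des-cbc": 64, "3des-cbc": 192, "des-deriv": 64, "3des-deriv": 192,
}
# Which algorithm flags each protocol accepts, per the DESCRIPTION section.
ACCEPTS = {"esp": {"-E", "-A"}, "esp-old": {"-E"}, "ah": {"-A"},
           "ah-old": {"-A"}, "ipcomp": {"-C"}}
MODES = {"transport", "tunnel", "any"}
PAD_OPTIONS = {"zero-pad", "random-pad", "seq-pad", "cyclic-seq"}
TOKEN_RE = re.compile(r'"[^"]*"|\S+')   # keep the quotes so keys stay recognisable


def statements(config):
    """Split config text into ';'-terminated statements; '#' lines are comments.
    (A ';' inside a quoted key is not handled; hex keys are recommended anyway.)"""
    kept = [ln for ln in config.splitlines() if not ln.lstrip().startswith("#")]
    return [s.strip() for s in " ".join(kept).split(";") if s.strip()]


def parse_spi(text):
    """spi is a decimal number, or hexadecimal with a 0x prefix."""
    return int(text, 16) if text.lower().startswith("0x") else int(text, 10)


def key_bits(token):
    """A key is a double-quoted string (8 bits per char) or hex digits (4 per digit)."""
    if len(token) >= 2 and token[0] == '"' and token[-1] == '"':
        return 8 * (len(token) - 2)
    if re.fullmatch(r"[0-9a-fA-F]+", token) and len(token) % 2 == 0:
        return 4 * len(token)
    raise ValueError(f"malformed key {token!r}")


def check_add(statement):
    """Return the list of problems found in one 'add src dst protocol spi ...' statement."""
    tokens = TOKEN_RE.findall(statement)
    if len(tokens) < 5 or tokens[0] != "add":
        return ["not a complete 'add src dst protocol spi' statement"]
    _, src, dst, proto, spi_text, *rest = tokens
    problems = []
    for name, addr in (("src", src), ("dst", dst)):
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            problems.append(f"{name} {addr!r} is not a numeric IPv4/IPv6 address")
    if proto not in ACCEPTS:
        problems.append(f"unknown protocol {proto!r}")
    try:
        spi = parse_spi(spi_text)
    except ValueError:
        problems.append(f"spi {spi_text!r} is neither decimal nor 0x-hex")
        spi = None
    well_known_cpi = False
    i = 0
    while i < len(rest):
        flag = rest[i]
        if flag in ("-E", "-A", "-C"):
            if proto in ACCEPTS and flag not in ACCEPTS[proto]:
                problems.append(f"{proto} SAs do not accept {flag}")
            if flag == "-C":                      # -C calgo [-R]
                if i + 1 >= len(rest):
                    problems.append("-C needs a compression algorithm"); break
                i += 2
                if i < len(rest) and rest[i] == "-R":
                    well_known_cpi = True; i += 1
                continue
            if i + 2 >= len(rest):                # -E/-A algo key
                problems.append(f"{flag} needs an algorithm and a key"); break
            algo, key = rest[i + 1], rest[i + 2]
            try:
                got, want = key_bits(key), KEYLEN_BITS.get(algo)
                if want is not None and got != want:
                    problems.append(f"{algo} needs a {want}-bit key, got {got} bits")
            except ValueError as e:
                problems.append(str(e))
            i += 3
        elif flag in ("-m", "-r", "-f", "-lh", "-ls"):   # extensions
            if i + 1 >= len(rest):
                problems.append(f"{flag} needs an argument"); break
            arg = rest[i + 1]
            if flag == "-m" and arg not in MODES:
                problems.append(f"-m mode must be transport, tunnel or any, not {arg!r}")
            if flag == "-f" and arg not in PAD_OPTIONS:
                problems.append(f"-f option must be one of {sorted(PAD_OPTIONS)}, not {arg!r}")
            if flag in ("-r", "-lh", "-ls") and not arg.isdigit():
                problems.append(f"{flag} needs a decimal number, got {arg!r}")
            i += 2
        else:
            problems.append(f"unexpected token {flag!r}"); i += 1
    if proto == "ipcomp" and spi is not None and not well_known_cpi and spi >= 0x10000:
        problems.append("ipcomp spi must be below 0x10000 unless -R is given")
    return problems


def check_config(config):
    """Map every 'add' statement in the config to its list of problems."""
    return {s: check_add(s) for s in statements(config) if s.startswith("add ")}


# Constructed sample: the manual's third example plus two deliberately broken lines.
SAMPLE = """\
# good: key lengths match des-cbc (64 bits) and hmac-md5 (128 bits)
add 10.0.11.41 10.0.11.33 esp 0x10001
    -E des-cbc "ESP with"
    -A hmac-md5 "authentication!!" ;
add gw.example.net 10.0.11.33 ah 123456 -A hmac-sha1 "short" ;
add 10.0.0.1 10.0.0.2 ipcomp 0x10000 -C deflate ;
"""

if __name__ == "__main__":
    for stmt, probs in check_config(SAMPLE).items():
        print(stmt, "->", probs or "ok")
```

Running the script reports the hostname and the 40-bit hmac-sha1 key on the second statement and the out-of-range CPI on the third, while the manual's own example passes. The check mirrors what the kernel will reject or, worse, silently accept; a key of the wrong length for a fixed-length algorithm is the kind of error that is only noticed when the peer cannot decrypt.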