summaryrefslogtreecommitdiff
path: root/man/ipsec.secrets.5
diff options
context:
space:
mode:
authorYves-Alexis Perez <corsac@debian.org>2013-02-07 13:27:27 +0100
committerYves-Alexis Perez <corsac@debian.org>2013-02-07 13:27:27 +0100
commit7585facf05d927eb6df3929ce09ed5e60d905437 (patch)
treee4d14b4dc180db20356b6b01ce0112f3a2d7897e /man/ipsec.secrets.5
parentc1343b3278cdf99533b7902744d15969f9d6fdc1 (diff)
downloadvyos-strongswan-7585facf05d927eb6df3929ce09ed5e60d905437.tar.gz
vyos-strongswan-7585facf05d927eb6df3929ce09ed5e60d905437.zip
Imported Upstream version 5.0.2
Diffstat (limited to 'man/ipsec.secrets.5')
-rw-r--r--man/ipsec.secrets.533
1 files changed, 17 insertions, 16 deletions
diff --git a/man/ipsec.secrets.5 b/man/ipsec.secrets.5
index c7c092502..127f18f20 100644
--- a/man/ipsec.secrets.5
+++ b/man/ipsec.secrets.5
@@ -1,4 +1,4 @@
-.TH IPSEC.SECRETS 5 "2011-12-14" "4.6.2dr3" "strongSwan"
+.TH IPSEC.SECRETS 5 "2011-12-14" "5.0.2" "strongSwan"
.SH NAME
ipsec.secrets \- secrets for IKE/IPsec authentication
.SH DESCRIPTION
@@ -37,13 +37,7 @@ by whitespace. If no ID selectors are specified the line must start with a
colon.
.LP
A selector is an IP address, a Fully Qualified Domain Name, user@FQDN,
-\fB%any\fP or \fB%any6\fP (other kinds may come). An IP address may be written
-in the familiar dotted quad form or as a domain name to be looked up
-when the file is loaded.
-In many cases it is a bad idea to use domain names because
-the name server may not be running or may be insecure. To denote a
-Fully Qualified Domain Name (as opposed to an IP address denoted by
-its domain name), precede the name with an at sign (\fB@\fP).
+\fB%any\fP or \fB%any6\fP (other kinds may come).
.LP
Matching IDs with selectors is fairly straightforward: they have to be
equal. In the case of a ``Road Warrior'' connection, if an equal
@@ -100,6 +94,9 @@ defines an ECDSA private key
.B EAP
defines EAP credentials
.TP
+.B NTLM
+defines NTLM credentials
+.TP
.B XAUTH
defines XAUTH credentials
.TP
@@ -151,18 +148,22 @@ The format of \fIsecret\fP is the same as that of \fBPSK\fP secrets.
.br
\fBEAP\fP secrets are IKEv2 only.
.TP
+.B <user id> : NTLM <secret>
+The format of \fIsecret\fP is the same as that of \fBPSK\fP secrets, but the
+secret is stored as NTLM hash, which is MD4(UTF-16LE(secret)), instead of as
+cleartext.
+.br
+\fBNTLM\fP secrets can only be used with the \fBeap-mschapv2\fP plugin.
+.TP
.B [ <servername> ] <username> : XAUTH <password>
The format of \fIpassword\fP is the same as that of \fBPSK\fP secrets.
\fBXAUTH\fP secrets are IKEv1 only.
.TP
-.B : PIN <smartcard selector> <pin code> | %prompt
-IKEv1 uses the format
-.B "%smartcard[<slot nr>[:<key id>]]"
-to specify the smartcard selector (e.g. %smartcard1:50).
-The IKEv2 daemon supports multiple modules with the format
-.B "%smartcard[<slot nr>[@<module>]]:<keyid>"
-, but always requires a keyid to uniquely select the correct key. Instead of
-specifying the pin code statically,
+.B : PIN %smartcard[<slot nr>[@<module>]]:<keyid> <pin code> | %prompt
+The smartcard selector always requires a keyid to uniquely select the correct
+key. The slot number defines the slot on the token, the module name refers to
+the module name defined in strongswan.conf(5).
+Instead of specifying the pin code statically,
.B %prompt
can be specified, which causes the daemons to ask the user for the pin code.
.LP