authorRene Mayrhofer <rene@mayrhofer.eu.org>2006-05-22 05:12:18 +0000
committerRene Mayrhofer <rene@mayrhofer.eu.org>2006-05-22 05:12:18 +0000
commitaa0f5b38aec14428b4b80e06f90ff781f8bca5f1 (patch)
tree95f3d0c8cb0d59d88900dbbd72110d7ab6e15b2a /programs/_confread
parent7c383bc22113b23718be89fe18eeb251942d7356 (diff)
Import initial strongswan 2.7.0 version into SVN.
Diffstat (limited to 'programs/_confread')
-rw-r--r--programs/_confread/.cvsignore7
-rw-r--r--programs/_confread/Makefile27
-rw-r--r--programs/_confread/README.conf.V2103
-rw-r--r--programs/_confread/_confread.828
-rwxr-xr-xprograms/_confread/_confread.in520
-rw-r--r--programs/_confread/block.in8
-rw-r--r--programs/_confread/clear-or-private.in8
-rw-r--r--programs/_confread/clear.in7
-rw-r--r--programs/_confread/ipsec.conf.51286
-rw-r--r--programs/_confread/ipsec.conf.in44
-rw-r--r--programs/_confread/private-or-clear.in14
-rw-r--r--programs/_confread/private.in6
-rwxr-xr-xprograms/_confread/randomize28
13 files changed, 2086 insertions, 0 deletions
diff --git a/programs/_confread/.cvsignore b/programs/_confread/.cvsignore
new file mode 100644
index 000000000..405492384
--- /dev/null
+++ b/programs/_confread/.cvsignore
@@ -0,0 +1,7 @@
+_confread
+ipsec.conf
+block
+clear
+private
+clear-or-private
+private-or-clear
diff --git a/programs/_confread/Makefile b/programs/_confread/Makefile
new file mode 100644
index 000000000..1bdc9a3f0
--- /dev/null
+++ b/programs/_confread/Makefile
@@ -0,0 +1,27 @@
+# Makefile for miscelaneous programs
+# Copyright (C) 2002 Michael Richardson <mcr@freeswan.org>
+#
+# This program is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 2 of the License, or (at your
+# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+# for more details.
+#
+# RCSID $Id: Makefile,v 1.2 2004/03/31 19:23:00 as Exp $
+
+FREESWANSRCDIR=../..
+include ${FREESWANSRCDIR}/Makefile.inc
+
+PROGRAM=_confread
+PROGRAMDIR=${LIBDIR}
+EXTRA5MAN=ipsec.conf.5
+CONFFILES=ipsec.conf
+
+CONFDSUBDIR=policies
+CONFDFILES=clear clear-or-private private-or-clear private block
+
+include ../Makefile.program
diff --git a/programs/_confread/README.conf.V2 b/programs/_confread/README.conf.V2
new file mode 100644
index 000000000..244e245c5
--- /dev/null
+++ b/programs/_confread/README.conf.V2
@@ -0,0 +1,103 @@
+Subject: [Design] changes to ipsec.conf
+# RCSID $Id: README.conf.V2,v 1.1 2004/03/15 20:35:27 as Exp $
+
+We are changing ipsec.conf for the 2.0 series of FreeS/WAN.
+
+OE is enabled by default. This is accomplished by automatically
+defining a conn "OEself" UNLESS the sysadmin defines one with the same
+name:
+
+conn OEself
+ # authby=rsasig # default
+ left=%defaultroute
+ leftrsasigkey=%dnsondemand # default
+ right=%opportunistic
+ rightrsasigkey=%dnsondemand # default
+ keyingtries=3
+ ikelifetime=1h
+ keylife=1h # default
+ rekey=no
+ # disablearrivalcheck=no # default
+ auto=route
+
+This will only work if %defaultroute works.
+The leftid will be the resulting IP address (won't work if
+you haven't filled in the reverse DNS entry).
+Unlike other conns, nothing in this implicit conn is changed by conn %default.
+
+We'd like a better name. A conn name starting with % cannot be
+defined by the sysadmin, so that is out. Names that haven't grabbed
+us: OEhost, OElocalhost, OEthishost, OEforself, OE4self.
+
+There is no requirement to have /etc/ipsec.conf. If you do, the first
+significant line (non-blank, non-comment) must be (not indented):
+version 2.0
+This signifies that the file was intended for FreeS/WAN version 2.0.
+
+
+The following table shows most changes. "-" means that the option
+doesn't exist. "Recent Boilerplate" shows the effect of the "conn
+%default" in the automatically installed /etc/ipsec.conf (not
+installed if you already had one).
+
+Option Old Default Recent Boilerplate New Default
+====== =========== ================== ===========
+
+config setup:
+interfaces "" %defaultroute %defaultroute
+plutoload "" %search - [same as %search]
+plutostart "" %search - [same as %search]
+uniqueids no yes yes
+rp_filter - - 0
+plutowait yes yes no
+dump no no - [use dumpdir]
+plutobackgroundload ignored ignored -
+no_eroute_pass no no - [use packetdefault]
+
+conn %default:
+keyingtries 3 0 %forever [0 means this]
+disablearrivalcheck yes no no
+authby secret rsasig rsasig
+leftrsasigkey "" %dnsondemand %dnsondemand
+rightrsasigkey "" %dnsondemand %dnsondemand
+lifetime ==keylife ==keylife - [use keylife]
+rekeystart ==rekeymargin ==rekeymargin - [use rekeymargin]
+rekeytries ==keyingtries ==keyingtries - [use keyingtries]
+
+====== =========== ================== ===========
+Option Old Default Recent Boilerplate New Default
+
+
+The auto= mechanism has been extended to support manual conns. If you
+specify auto=manual in a conn, an "ipsec manual" will be performed on
+it at startup (ipsec setup start).
+
+
+There is a new config setup option "rp_filter". It controls
+ /proc/sys/net/ipv4/conf/PHYS/rp_filter
+for each PHYSical IP interface used by FreeS/WAN. Settings are:
+ %unchanged do not touch (but warn if wrong)
+ 0 set to 0; default; means: no filtering
+ 1 set to 1; means: loose filter
+ 2 set to 1; means: strict filter
+0 is often necessary for FreeS/WAN to function. Some folks
+want other settings. Shutting down FreeS/WAN does not restore
+the original value.
+
+Currently ikelife defaults to 1 hour and keylife defaults to 8 hours.
+There have been some rumblings that these are the wrong defaults, but
+it isn't clear what would be best. Perhaps both should be closer.
+Any thoughts of what these should be? Any Road Warrior or OE conn
+should probably have carefully thought-out values explicitly
+specified. The settings don't matter much for VPN connections.
+
+keyingtries=%forever is the new improved notation for keyingtries=0.
+Eventually the 0 notation will be eliminated.
+
+Some options can now be set to %none to signify no setting. Otherwise
+there would be no way for the user to override a default setting:
+ leftrsasigkey, rightrsasigkey [added in 1.98]
+ interfaces
+
+Hugh Redelmeier
+hugh@mimosa.com voice: +1 416 482-8253
diff --git a/programs/_confread/_confread.8 b/programs/_confread/_confread.8
new file mode 100644
index 000000000..20d92a002
--- /dev/null
+++ b/programs/_confread/_confread.8
@@ -0,0 +1,28 @@
+.TH _CONFREAD 8 "25 Apr 2002"
+.\"
+.\" RCSID $Id: _confread.8,v 1.1 2004/03/15 20:35:27 as Exp $
+.\"
+.SH NAME
+ipsec _confread \- internal routing to parse config file
+.SH DESCRIPTION
+.I _confread
+is an internal script used for parsing /etc/ipsec.conf into a canonical format.
+.SH "SEE ALSO"
+ipsec(8), ipsec_conf(8)
+.SH HISTORY
+Man page written for the Linux FreeS/WAN project <http://www.freeswan.org/>
+by Michael Richardson. Program written by Henry Spencer.
+.\"
+.\" $Log: _confread.8,v $
+.\" Revision 1.1 2004/03/15 20:35:27 as
+.\" added files from freeswan-2.04-x509-1.5.3
+.\"
+.\" Revision 1.3 2002/09/16 01:28:43 dhr
+.\"
+.\" typo
+.\"
+.\" Revision 1.2 2002/04/29 22:39:31 mcr
+.\" added basic man page for all internal commands.
+.\"
+.\"
+.\"
diff --git a/programs/_confread/_confread.in b/programs/_confread/_confread.in
new file mode 100755
index 000000000..4561af9fe
--- /dev/null
+++ b/programs/_confread/_confread.in
@@ -0,0 +1,520 @@
+#!/bin/sh
+# configuration-file reader utility
+# Copyright (C) 1999-2002 Henry Spencer.
+#
+# This program is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 2 of the License, or (at your
+# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+# for more details.
+#
+# RCSID $Id: _confread.in,v 1.15 2006/04/20 04:42:12 as Exp $
+#
+# Extract configuration info from /etc/ipsec.conf, repackage as assignments
+# to shell variables or tab-delimited fields. Success or failure is reported
+# inline, as extra data, due to the vagaries of shell backquote handling.
+# In the absence of --varprefix, output is tab-separated fields, like:
+# = sectionname
+# : parameter value
+# ! status (empty for success, else complaint)
+# In the presence of (say) "--varprefix IPSEC", output is like:
+# IPSEC_confreadsection="sectionname"
+# IPSECparameter="value"
+# IPSEC_confreadstatus="status" (same empty/complaint convention)
+#
+# The "--search parametername" option inverts the search: instead of
+# yielding the parameters of the specified name(s), it yields the names
+# of sections with parameter <parametername> having (one of) the
+# specified value(s). In this case, --varprefix output is a list of
+# names in the <prefix>_confreadnames variable. Search values with
+# white space in them are currently not handled properly.
+#
+# Typical usage:
+# eval `ipsec _confread --varprefix IPSEC --type config setup`
+# if test " $IPSEC_confreadstatus" != " "
+# then
+# echo "$0: $IPSEC_confreadstatus -- aborting" 2>&1
+# exit 1
+# fi
+
+# absent default config file treated as empty
+config=${IPSEC_CONFS-@FINALCONFDIR@}/ipsec.conf
+if test ! -f "$config" ; then config=/dev/null ; fi
+
+include=yes
+type=conn
+fieldfmt=yes
+prefix=
+search=
+export=0
+version=
+optional=0
+me="ipsec _confread"
+
+for dummy
+do
+ case "$1" in
+ --config) config="$2" ; shift ;;
+ --noinclude) include= ;;
+ --type) type="$2" ; shift ;;
+ --varprefix) fieldfmt=
+ prefix="$2"
+ shift ;;
+ --export) export=1 ;;
+ --search) search="$2" ; shift ;;
+ --version) echo "$me $IPSEC_VERSION" ; exit 0 ;;
+ --optional) optional=1 ;;
+ --) shift ; break ;;
+ -*) echo "$0: unknown option \`$1'" >&2 ; exit 2 ;;
+ *) break ;;
+ esac
+ shift
+done
+
+if test "$include"
+then
+ ipsec _include --inband $config
+else
+ cat $config
+fi |
+awk 'BEGIN {
+ type = "'"$type"'"
+ names = "'"$*"'"
+ prefix = "'"$prefix"'"
+ export = "'"$export"'"
+ optional = 0 + '"$optional"'
+ myid = "'"$IPSECmyid"'"
+ search = "'"$search"'"
+ searching = 0
+ if (search != "") {
+ searching = 1
+ searchpat = search "[ \t]*=[ \t]*"
+ }
+ fieldfmt = 0
+ if ("'"$fieldfmt"'" == "yes")
+ fieldfmt = 1
+ including = 0
+ if ("'"$include"'" == "yes")
+ including = 1
+ filename = "'"$config"'"
+ lineno = 0
+ originalfilename = filename
+ if (fieldfmt)
+ bq = eq = "\""
+ else
+ bq = eq = "\\\""
+ failed = 0
+ insection = 0
+ wrongtype = 0
+ indefault = 0
+ outputting = 0
+ sawnondefault = 0
+ OFS = "\t"
+ o_status = "!"
+ o_parm = ":"
+ o_section = "="
+ o_names = "%"
+ o_end = "."
+ n = split(names, na, " ")
+ if (n == 0)
+ fail("no section names supplied")
+ for (i = 1; i <= n; i++) {
+ if (na[i] in wanted)
+ fail("section " bq na[i] eq " requested more than once")
+ wanted[na[i]] = 1
+ pending[na[i]] = 1
+ if (!searching && na[i] !~ /^[a-zA-Z][a-zA-Z0-9._-]*$/)
+ fail("invalid section name " bq na[i] eq)
+ }
+
+ good = "also alsoflip type auto authby _plutodevel"
+ left = " left leftsubnet leftnexthop leftfirewall lefthostaccess leftupdown"
+ akey = " keyexchange auth pfs keylife rekey rekeymargin rekeyfuzz"
+ akey = akey " dpdaction dpddelay dpdtimeout"
+ akey = akey " pfsgroup compress"
+ akey = akey " keyingtries ikelifetime disablearrivalcheck failureshunt ike"
+ mkey = " spibase spi esp espenckey espauthkey espreplay_window"
+ left = left " leftespenckey leftespauthkey leftahkey"
+ left = left " leftespspi leftahspi leftid leftrsasigkey leftrsasigkey2"
+ left = left " leftsendcert leftcert leftca leftsubnetwithin leftprotoport"
+ left = left " leftgroups leftsourceip"
+ mkey = mkey " ah ahkey ahreplay_window"
+ right = left
+ gsub(/left/, "right", right)
+ n = split(good left right akey mkey, g)
+ for (i = 1; i <= n; i++)
+ goodnames["conn:" g[i]] = 1
+
+ good = "also interfaces forwardcontrol myid"
+ good = good " syslog klipsdebug plutodebug plutoopts plutostderrlog"
+ good = good " plutorestartoncrash"
+ good = good " dumpdir manualstart pluto"
+ good = good " plutowait prepluto postpluto"
+ good = good " fragicmp hidetos rp_filter uniqueids"
+ good = good " overridemtu pkcs11module pkcs11keepstate pkcs11proxy"
+ good = good " nocrsend strictcrlpolicy crlcheckinterval cachecrls"
+ good = good " nat_traversal keep_alive force_keepalive"
+ good = good " disable_port_floating virtual_private"
+
+ n = split(good, g)
+ for (i = 1; i <= n; i++)
+ goodnames["config:" g[i]] = 1
+
+ good = "auto cacert ldaphost ldapbase crluri crluri2 ocspuri"
+ good = good " strictcrlpolicy"
+
+ n = split(good, g)
+ for (i = 1; i <= n; i++)
+ goodnames["ca:" g[i]] = 1
+
+ goodtypes["conn"] = 1
+ goodtypes["config"] = 1
+ goodtypes["ca"] = 1
+
+ badchars = ""
+ for (i = 1; i < 32; i++)
+ badchars = badchars sprintf("%c", i)
+ for (i = 127; i < 128+32; i++)
+ badchars = badchars sprintf("%c", i)
+ badchar = "[" badchars "]"
+
+ # if searching, seen is set of sectionnames which match
+ # if not searching, seen is set of parameter names found
+ seen[""] = ""
+ defaults[""] = ""
+ usesdefault[""] = ""
+ orientation = 1
+}
+
+
+
+function output(code, v1, v2) {
+ if (code == o_parm) {
+ if (v2 == "") # suppress empty parameters
+ return
+ if (privatename(v1)) # and private ones
+ return
+ if (v2 ~ badchar)
+ fail("parameter value " bq v2 eq " contains unprintable character")
+ }
+
+ if (fieldfmt) {
+ print code, v1, v2
+ return
+ }
+
+ if (code == o_status) {
+ v2 = v1
+ v1 = "_confreadstatus"
+ } else if (code == o_section) {
+ v2 = v1
+ v1 = "_confreadsection"
+ } else if (code == o_names) {
+ v2 = v1
+ v1 = "_confreadnames"
+ } else if (code != o_parm)
+ return # currently no variable version of o_end
+
+ print prefix v1 "=\"" v2 "\""
+ if (export)
+ print "export " prefix v1
+}
+function searchfound(sectionname, n, i, reflist) {
+ # a hit in x is a hit in everybody who refers to x too
+ n = split(refsto[sectionname], reflist, ";")
+ for (i = 1; i <= n; i++)
+ if (reflist[i] in seen)
+ fail("duplicated parameter " bq search eq)
+ else
+ seen[reflist[i]] = 1
+ seen[sectionname] = 1
+}
+function fail(msg) {
+ output(o_status, ("(" filename ", line " lineno ") " msg))
+ failed = 1
+ while ((getline junk) > 0)
+ continue
+ exit
+}
+function badname(n) {
+ if ((type ":" n) in goodnames)
+ return 0
+ if (privatename(n))
+ return 0
+ return 1
+}
+function privatename(n) {
+ if (n ~ /^[xX][-_]/)
+ return 1
+ return 0
+}
+function orient(n) {
+ if (orientation == -1) {
+ if (n ~ /left/)
+ gsub(/left/, "right", n)
+ else if (n ~ /right/)
+ gsub(/right/, "left", n)
+ }
+ return n
+}
+# in searching, referencing is transitive: xyz->from->to
+function chainref(from, to, i, reflist, listnum) {
+ if (from in refsto) {
+ listnum = split(refsto[from], reflist, ";")
+ for (i = 1; i <= listnum; i++)
+ chainref(reflist[i], to)
+ }
+ if (to in refsto)
+ refsto[to] = refsto[to] ";" from
+ else
+ refsto[to] = from
+}
+
+# start of rules
+
+{
+ lineno++
+ # lineno is now the number of this line
+
+ # we must remember indentation because comment stripping loses it
+ exdented = $0 !~ /^[ \t]/
+ sub(/^[ \t]+/, "") # get rid of leading white space
+ sub(/[ \t]+$/, "") # get rid of trailing white space
+}
+including && $0 ~ /^#[<>:]/ {
+ # _include control line
+ if ($1 ~ /^#[<>]$/) {
+ filename = $2
+ lineno = $3 - 1
+ } else if ($0 ~ /^#:/) {
+ msg = substr($0, 3)
+ gsub(/"/, "\\\"", msg)
+ fail(msg)
+ }
+ next
+}
+exdented {
+ # any non-leading-white-space line is a section end
+ ### but not the end of relevant stuff, might be also= sections later
+ ###if (insection && !indefault && !searching && outputting)
+ ### output(o_end)
+ insection = 0
+ wrongtype = 0
+ indefault = 0
+ outputting = 0
+}
+/[ \t]#/ {
+ # strip trailing comments including the leading whitespace
+ # tricky because we must respect quotes
+ q = 0
+ for (i = 1; i <= NF; i++) {
+ if ($i ~ /^#/ && q % 2 == 0) {
+ NF = i - 1;
+ break
+ }
+ # using $i in gsub loses whitespace?!?
+ junk = $i
+ q += gsub(/"/, "&", junk)
+ }
+}
+$0 == "" || $0 ~ /^#/ {
+ # empty lines and comments are ignored
+ next
+}
+exdented && NF != 2 {
+ # bad section header
+ fail("section header " bq $0 eq " has wrong number of fields (" NF ")")
+}
+exdented && $1 == "version" {
+ version = $2 + 0
+ if (version < 2.0 || 2.0 < version)
+ fail("we only support version 2.0 ipsec.conf files, not " bq version eq)
+ next
+}
+version == "" {
+ fail("we only support version 2 ipsec.conf files")
+}
+exdented && !($1 in goodtypes) {
+ # unknown section type
+ fail("section type " bq $1 eq " not recognized")
+}
+exdented && $1 != type {
+ # section header, but not of the type we want
+ insection = 1
+ wrongtype = 1
+ next
+}
+extented {
+ # type fits
+ wrongtype = 0
+}
+exdented && $1 == "config" && $2 != "setup" {
+ fail("unknown config section " bq $2 eq)
+}
+exdented && $2 != "%default" {
+ # non-default section header of our type
+ sawnondefault = 1
+}
+exdented && searching && $2 != "%default" {
+ # section header, during search
+ insection = 1
+ sectionname = $2
+ usesdefault[sectionname] = 1 # tentatively
+ next
+}
+exdented && !searching && $2 in wanted {
+ # one of our wanted section headers
+ if (!($2 in pending))
+ fail("duplicate " type " section " bq $2 eq)
+ delete pending[$2]
+ tag = bq type " " $2 eq
+ outputting = 1
+ insection = 1
+ orientation = wanted[$2]
+ output(o_section, $2)
+ next
+}
+exdented && $2 == "%default" {
+ # relevant default section header
+ if (sawnondefault)
+ fail(bq $1 " %default" eq " sections must precede non-default ones")
+ tag = bq type " " $2 eq
+ indefault = 1
+ next
+}
+exdented {
+ # section header, but not one we want
+ insection = 1
+ next
+}
+!insection && !indefault {
+ # starts with white space but not in a section... oops
+ fail("parameter is not within a section")
+}
+!wrongtype && searching && $0 ~ searchpat {
+ # search found the right parameter name
+ match($0, searchpat)
+ rest = substr($0, RLENGTH+1)
+ if (rest ~ /^".*"$/)
+ rest = substr(rest, 2, length(rest)-2)
+ if (!indefault) {
+ if (!usesdefault[sectionname])
+ fail("duplicated parameter " bq search eq)
+ usesdefault[sectionname] = 0
+ } else if (search in defaults)
+ fail("duplicated parameter " bq search eq)
+ if (rest in wanted) { # a hit
+ if (indefault)
+ defaults[search] = rest
+ else
+ searchfound(sectionname)
+ } else {
+ # rather a kludge, but must check this somewhere
+ if (search == "auto" && rest !~ /^(add|route|start|ignore|manual)$/)
+ fail("illegal auto value " bq rest eq)
+ }
+ next
+}
+!searching && !outputting && !indefault {
+ # uninteresting line
+ next
+}
+$0 ~ /"/ && $0 !~ /^[^=]+=[ \t]*"[^"]*"$/ {
+ if (!searching)
+ fail("mismatched quotes in parameter value")
+ else
+ gsub(/"/, "", $0)
+}
+$0 !~ /^[a-zA-Z_][a-zA-Z0-9_-]*[ \t]*=/ {
+ if (searching)
+ next # just ignore it
+ fail("syntax error or illegal parameter name")
+}
+{
+ sub(/[ \t]*=[ \t]*/, "=") # get rid of white space around =
+}
+$0 ~ /^(also|alsoflip)=/ {
+ v = orientation
+ if ($0 ~ /^alsoflip/)
+ v = -v;
+ if (indefault)
+ fail("%default section may not contain " bq "also" eq " or " bq "alsoflip" eq " parameter")
+ sub(/^(also|alsoflip)=/, "")
+ if ($0 !~ /^[a-zA-Z][a-zA-Z0-9._-]*$/)
+ fail("invalid section name " bq $0 eq)
+ if (!searching) {
+ if ($0 in wanted)
+ fail("section " bq $0 eq " requested more than once")
+ wanted[$0] = v
+ pending[$0] = 1
+ } else
+ chainref(sectionname, $0)
+ next
+}
+!outputting && !indefault {
+ # uninteresting line even for a search
+ next
+}
+{
+ equal = match($0, /[=]/)
+ name = substr($0, 1, equal-1)
+ if (badname(name))
+ fail("unknown parameter name " bq name eq)
+ value = substr($0, equal+1)
+ if (value ~ /^"/)
+ value = substr(value, 2, length(value)-2)
+ else if (value ~ /[ \t]/)
+ fail("white space within non-quoted parameter " bq name eq)
+}
+indefault {
+ if (name in defaults)
+ fail("duplicated default parameter " bq name eq)
+ defaults[name] = value
+ next
+}
+{
+ name = orient(name)
+ if (name in seen)
+ fail("duplicated parameter " bq name eq)
+ seen[name] = 1
+ output(o_parm, name, value)
+}
+END {
+ if (failed)
+ exit 1
+
+ filename = originalfilename
+ unseen = ""
+ for (i in pending)
+ unseen = unseen " " i
+ if (!optional && !searching && unseen != "")
+ fail("did not find " type " section(s) " bq substr(unseen, 2) eq)
+ if (!searching) {
+ for (name in defaults)
+ if (!(name in seen))
+ output(o_parm, name, defaults[name])
+ } else {
+ if (defaults[search] in wanted)
+ for (name in usesdefault)
+ if (usesdefault[name])
+ seen[name] = 1
+ delete seen[""]
+ if (fieldfmt)
+ for (name in seen)
+ output(o_section, name)
+ else {
+ outlist = ""
+ for (name in seen)
+ if (outlist == "")
+ outlist = name
+ else
+ outlist = outlist " " name
+ output(o_names, outlist)
+ }
+ }
+ output(o_status, "")
+}'
diff --git a/programs/_confread/block.in b/programs/_confread/block.in
new file mode 100644
index 000000000..e3a4b2dd5
--- /dev/null
+++ b/programs/_confread/block.in
@@ -0,0 +1,8 @@
+# This file defines the set of CIDRs (network/mask-length) to which
+# communication should never be allowed.
+#
+# See @FINALDOCDIR@/policygroups.html for details.
+#
+# $Id: block.in,v 1.1 2004/03/15 20:35:27 as Exp $
+#
+
diff --git a/programs/_confread/clear-or-private.in b/programs/_confread/clear-or-private.in
new file mode 100644
index 000000000..800093d94
--- /dev/null
+++ b/programs/_confread/clear-or-private.in
@@ -0,0 +1,8 @@
+# This file defines the set of CIDRs (network/mask-length) to which
+# we will communicate in the clear, or, if the other side initiates IPSEC,
+# using encryption. This behaviour is also called "Opportunistic Responder".
+#
+# See @FINALDOCDIR@/policygroups.html for details.
+#
+# $Id: clear-or-private.in,v 1.1 2004/03/15 20:35:27 as Exp $
+#
diff --git a/programs/_confread/clear.in b/programs/_confread/clear.in
new file mode 100644
index 000000000..46e63388e
--- /dev/null
+++ b/programs/_confread/clear.in
@@ -0,0 +1,7 @@
+# This file defines the set of CIDRs (network/mask-length) to which
+# communication should always be in the clear.
+#
+# See @FINALDOCDIR@/policygroups.html for details.
+#
+# $Id: clear.in,v 1.1 2004/03/15 20:35:27 as Exp $
+#
diff --git a/programs/_confread/ipsec.conf.5 b/programs/_confread/ipsec.conf.5
new file mode 100644
index 000000000..af6fae6bd
--- /dev/null
+++ b/programs/_confread/ipsec.conf.5
@@ -0,0 +1,1286 @@
+.TH IPSEC.CONF 5 "20 Jan 2006"
+.\" RCSID $Id: ipsec.conf.5,v 1.2 2006/01/22 15:33:46 as Exp $
+.SH NAME
+ipsec.conf \- IPsec configuration and connections
+.SH DESCRIPTION
+The optional
+.I ipsec.conf
+file
+specifies most configuration and control information for the
+strongSwan IPsec subsystem.
+(The major exception is secrets for authentication;
+see
+.IR ipsec.secrets (5).)
+Its contents are not security-sensitive
+.I unless
+manual keying is being done for more than just testing,
+in which case the encryption/authentication keys in the
+descriptions for the manually-keyed connections are very sensitive
+(and those connection descriptions
+are probably best kept in a separate file,
+via the include facility described below).
+.PP
+The file is a text file, consisting of one or more
+.IR sections .
+White space followed by
+.B #
+followed by anything to the end of the line
+is a comment and is ignored,
+as are empty lines which are not within a section.
+.PP
+A line which contains
+.B include
+and a file name, separated by white space,
+is replaced by the contents of that file,
+preceded and followed by empty lines.
+If the file name is not a full pathname,
+it is considered to be relative to the directory containing the
+including file.
+Such inclusions can be nested.
+Only a single filename may be supplied, and it may not contain white space,
+but it may include shell wildcards (see
+.IR sh (1));
+for example:
+.PP
+.B include
+.B "ipsec.*.conf"
+.PP
+The intention of the include facility is mostly to permit keeping
+information on connections, or sets of connections,
+separate from the main configuration file.
+This permits such connection descriptions to be changed,
+copied to the other security gateways involved, etc.,
+without having to constantly extract them from the configuration
+file and then insert them back into it.
+Note also the
+.B also
+parameter (described below) which permits splitting a single logical
+section (e.g. a connection description) into several actual sections.
+.PP
+The first significant line of the file must specify the version
+of this specification that it conforms to:
+.PP
+\fBversion 2\fP
+.PP
+A section
+begins with a line of the form:
+.PP
+.I type
+.I name
+.PP
+where
+.I type
+indicates what type of section follows, and
+.I name
+is an arbitrary name which distinguishes the section from others
+of the same type.
+(Names must start with a letter and may contain only
+letters, digits, periods, underscores, and hyphens.)
+All subsequent non-empty lines
+which begin with white space are part of the section;
+comments within a section must begin with white space too.
+There may be only one section of a given type with a given name.
+.PP
+Lines within the section are generally of the form
+.PP
+\ \ \ \ \ \fIparameter\fB=\fIvalue\fR
+.PP
+(note the mandatory preceding white space).
+There can be white space on either side of the
+.BR = .
+Parameter names follow the same syntax as section names,
+and are specific to a section type.
+Unless otherwise explicitly specified,
+no parameter name may appear more than once in a section.
+.PP
+An empty
+.I value
+stands for the system default value (if any) of the parameter,
+i.e. it is roughly equivalent to omitting the parameter line entirely.
+A
+.I value
+may contain white space only if the entire
+.I value
+is enclosed in double quotes (\fB"\fR);
+a
+.I value
+cannot itself contain a double quote,
+nor may it be continued across more than one line.
+.PP
+Numeric values are specified to be either an ``integer''
+(a sequence of digits) or a ``decimal number''
+(sequence of digits optionally followed by `.' and another sequence of digits).
+.PP
+There is currently one parameter which is available in any type of
+section:
+.TP
+.B also
+the value is a section name;
+the parameters of that section are appended to this section,
+as if they had been written as part of it.
+The specified section must exist, must follow the current one,
+and must have the same section type.
+(Nesting is permitted,
+and there may be more than one
+.B also
+in a single section,
+although it is forbidden to append the same section more than once.)
+This allows, for example, keeping the encryption keys
+for a connection in a separate file
+from the rest of the description, by using both an
+.B also
+parameter and an
+.B include
+line.
+.PP
+Parameter names beginning with
+.B x-
+(or
+.BR X- ,
+or
+.BR x_ ,
+or
+.BR X_ )
+are reserved for user extensions and will never be assigned meanings
+by IPsec.
+Parameters with such names must still observe the syntax rules
+(limits on characters used in the name;
+no white space in a non-quoted value;
+no newlines or double quotes within the value).
+All other as-yet-unused parameter names are reserved for future IPsec
+improvements.
+.PP
+A section with name
+.B %default
+specifies defaults for sections of the same type.
+For each parameter in it,
+any section of that type which does not have a parameter of the same name
+gets a copy of the one from the
+.B %default
+section.
+There may be multiple
+.B %default
+sections of a given type,
+but only one default may be supplied for any specific parameter name,
+and all
+.B %default
+sections of a given type must precede all non-\c
+.B %default
+sections of that type.
+.B %default
+sections may not contain the
+.B also
+parameter.
+.PP
+Currently there are three types of sections:
+a
+.B config
+section specifies general configuration information for IPsec, a
+.B conn
+section specifies an IPsec connection, while a
+.B ca
+section specifies special properties a certification authority.
+.SH "CONN SECTIONS"
+A
+.B conn
+section contains a
+.IR "connection specification" ,
+defining a network connection to be made using IPsec.
+The name given is arbitrary, and is used to identify the connection to
+.IR ipsec_auto (8)
+and
+.IR ipsec_manual (8).
+Here's a simple example:
+.PP
+.ne 10
+.nf
+.ft B
+.ta 1c
+conn snt
+ left=10.11.11.1
+ leftsubnet=10.0.1.0/24
+ leftnexthop=172.16.55.66
+ right=192.168.22.1
+ rightsubnet=10.0.2.0/24
+ rightnexthop=172.16.88.99
+ keyingtries=%forever
+.ft
+.fi
+.PP
+A note on terminology...
+In automatic keying, there are two kinds of communications going on:
+transmission of user IP packets, and gateway-to-gateway negotiations for
+keying, rekeying, and general control.
+The data path (a set of ``IPsec SAs'') used for user packets is herein
+referred to as the ``connection'';
+the path used for negotiations (built with ``ISAKMP SAs'') is referred to as
+the ``keying channel''.
+.PP
+To avoid trivial editing of the configuration file to suit it to each system
+involved in a connection,
+connection specifications are written in terms of
+.I left
+and
+.I right
+participants,
+rather than in terms of local and remote.
+Which participant is considered
+.I left
+or
+.I right
+is arbitrary;
+IPsec figures out which one it is being run on based on internal information.
+This permits using identical connection specifications on both ends.
+There are cases where there is no symmetry; a good convention is to
+use
+.I left
+for the local side and
+.I right
+for the remote side (the first letters are a good mnemonic).
+.PP
+Many of the parameters relate to one participant or the other;
+only the ones for
+.I left
+are listed here, but every parameter whose name begins with
+.B left
+has a
+.B right
+counterpart,
+whose description is the same but with
+.B left
+and
+.B right
+reversed.
+.PP
+Parameters are optional unless marked ``(required)'';
+a parameter required for manual keying need not be included for
+a connection which will use only automatic keying, and vice versa.
+.SS "CONN PARAMETERS: GENERAL"
+The following parameters are relevant to both automatic and manual keying.
+Unless otherwise noted,
+for a connection to work,
+in general it is necessary for the two ends to agree exactly
+on the values of these parameters.
+.TP 14
+.B type
+the type of the connection; currently the accepted values
+are
+.B tunnel
+(the default)
+signifying a host-to-host, host-to-subnet, or subnet-to-subnet tunnel;
+.BR transport ,
+signifying host-to-host transport mode;
+.BR passthrough ,
+signifying that no IPsec processing should be done at all;
+.BR drop ,
+signifying that packets should be discarded; and
+.BR reject ,
+signifying that packets should be discarded and a diagnostic ICMP returned.
+.TP
+.B left
+(required)
+the IP address of the left participant's public-network interface,
+in any form accepted by
+.IR ipsec_ttoaddr (3)
+or one of several magic values.
+If it is
+.BR %defaultroute ,
+and
+the
+.B config
+.B setup
+section's,
+.B interfaces
+specification contains
+.BR %defaultroute,
+.B left
+will be filled in automatically with the local address
+of the default-route interface (as determined at IPsec startup time);
+this also overrides any value supplied for
+.BR leftnexthop .
+(Either
+.B left
+or
+.B right
+may be
+.BR %defaultroute ,
+but not both.)
+The value
+.B %any
+signifies an address to be filled in (by automatic keying) during
+negotiation.
+The value
+.B %opportunistic
+signifies that both
+.B left
+and
+.B leftnexthop
+are to be filled in (by automatic keying) from DNS data for
+.BR left 's
+client.
+The values
+.B %group
+and
+.B %opportunisticgroup
+makes this a policy group conn: one that will be instantiated
+into a regular or opportunistic conn for each CIDR block listed in the
+policy group file with the same name as the conn.
+.TP
+.B leftsubnet
+private subnet behind the left participant, expressed as
+\fInetwork\fB/\fInetmask\fR
+(actually, any form acceptable to
+.IR ipsec_ttosubnet (3));
+if omitted, essentially assumed to be \fIleft\fB/32\fR,
+signifying that the left end of the connection goes to the left participant only
+.TP
+.B leftnexthop
+next-hop gateway IP address for the left participant's connection
+to the public network;
+defaults to
+.B %direct
+(meaning
+.IR right ).
+If the value is to be overridden by the
+.B left=%defaultroute
+method (see above),
+an explicit value must
+.I not
+be given.
+If that method is not being used,
+but
+.B leftnexthop
+is
+.BR %defaultroute ,
+and
+.B interfaces=%defaultroute
+is used in the
+.B config
+.B setup
+section,
+the next-hop gateway address of the default-route interface
+will be used.
+The magic value
+.B %direct
+signifies a value to be filled in (by automatic keying)
+with the peer's address.
+Relevant only locally, other end need not agree on it.
+.TP
+.B leftupdown
+what ``updown'' script to run to adjust routing and/or firewalling
+when the status of the connection
+changes (default
+.BR "ipsec _updown" ).
+May include positional parameters separated by white space
+(although this requires enclosing the whole string in quotes);
+including shell metacharacters is unwise.
+See
+.IR ipsec_pluto (8)
+for details.
+Relevant only locally, other end need not agree on it.
+.TP
+.B leftfirewall
+whether the left participant is doing forwarding-firewalling
+(including masquerading) for traffic from \fIleftsubnet\fR,
+which should be turned off (for traffic to the other subnet)
+once the connection is established;
+acceptable values are
+.B yes
+and (the default)
+.BR no .
+May not be used in the same connection description with
+.BR leftupdown .
+Implemented as a parameter to the default
+.I updown
+script.
+See notes below.
+Relevant only locally, other end need not agree on it.
+.PP
+If one or both security gateways are doing forwarding firewalling
+(possibly including masquerading),
+and this is specified using the firewall parameters,
+tunnels established with IPsec are exempted from it
+so that packets can flow unchanged through the tunnels.
+(This means that all subnets connected in this manner must have
+distinct, non-overlapping subnet address blocks.)
+This is done by the default
+.I updown
+script (see
+.IR ipsec_pluto (8)).
+.PP
+The implementation of this makes certain assumptions about firewall setup,
+notably the use of the old
+.I ipfwadm
+interface to the firewall.
+In situations calling for more control,
+it may be preferable for the user to supply his own
+.I updown
+script,
+which makes the appropriate adjustments for his system.
+.SS "CONN PARAMETERS: AUTOMATIC KEYING"
+The following parameters are relevant only to automatic keying,
+and are ignored in manual keying.
+Unless otherwise noted,
+for a connection to work,
+in general it is necessary for the two ends to agree exactly
+on the values of these parameters.
+.TP 14
+.B auto
+what operation, if any, should be done automatically at IPsec startup;
+currently-accepted values are
+.B add
+(signifying an
+.B ipsec auto
+.BR \-\-add ),
+.B route
+(signifying that plus an
+.B ipsec auto
+.BR \-\-route ),
+.B start
+(signifying that plus an
+.B ipsec auto
+.BR \-\-up ),
+.B manual
+(signifying an
+.B ipsec
+.B manual
+.BR \-\-up ),
+and
+.B ignore
+(also the default) (signifying no automatic startup operation).
+See the
+.B config
+.B setup
+discussion below.
+Relevant only locally, other end need not agree on it
+(but in general, for an intended-to-be-permanent connection,
+both ends should use
+.B auto=start
+to ensure that any reboot causes immediate renegotiation).
+.TP
+.B auth
+whether authentication should be done as part of
+ESP encryption, or separately using the AH protocol;
+acceptable values are
+.B esp
+(the default) and
+.BR ah .
+.TP
+.B authby
+how the two security gateways should authenticate each other;
+acceptable values are
+.B secret
+for shared secrets,
+.B rsasig
+for RSA digital signatures (the default),
+.B secret|rsasig
+for either, and
+.B never
+if negotiation is never to be attempted or accepted (useful for shunt-only conns).
+Digital signatures are superior in every way to shared secrets.
+.TP
+.B compress
+whether IPComp compression of content is proposed on the connection
+(link-level compression does not work on encrypted data,
+so to be effective, compression must be done \fIbefore\fR encryption);
+acceptable values are
+.B yes
+and
+.B no
+(the default).
+The two ends need not agree.
+A value of
+.B yes
+causes IPsec to propose both compressed and uncompressed,
+and prefer compressed.
+A value of
+.B no
+prevents IPsec from proposing compression;
+a proposal to compress will still be accepted.
+.TP
+.B disablearrivalcheck
+whether KLIPS's normal tunnel-exit check
+(that a packet emerging from a tunnel has plausible addresses in its header)
+should be disabled;
+acceptable values are
+.B yes
+and
+.B no
+(the default).
+Tunnel-exit checks improve security and do not break any normal configuration.
+Relevant only locally, other end need not agree on it.
+.TP
+.B dpdaction
+controls the use of the Dead Peer Detection protocol (DPD, RFC 3706) where
+R_U_THERE IKE notification messages are periodically sent in order to check the
+liveliness of the IPsec peer. The default is..
+.B none
+which disables the active sending of R_U_THERE notifications.
+Nevertheless pluto will always send the DPD Vendor ID during connection set up
+in order to signal the readiness to act passively as a responder if the peer
+wants to use DPD. The values
+.B clear
+and
+.B hold
+both activate DPD. If no activity is detected, all connections with a dead peer
+are stopped and unrouted (
+.B clear
+) or put in the hold state (
+.B hold
+).
+.TP
+.B dpddelay
+defines the period time interval with which R_U_THERE messages are sent to the peer.
+.TP
+.B dpdtimeout
+defines the timeout interval, after which all connections to a peer are deleted
+in case of inactivity.
+.TP
+.B failureshunt
+what to do with packets when negotiation fails.
+The default is
+.BR none :
+no shunt;
+.BR passthrough ,
+.BR drop ,
+and
+.B reject
+have the obvious meanings.
+.TP
+.B ikelifetime
+how long the keying channel of a connection (buzzphrase: ``ISAKMP SA'')
+should last before being renegotiated;
+acceptable values as for
+.B keyexchange
+method of key exchange;
+the default and currently the only accepted value is
+.B ike
+.TP
+.B keylife
+(default set by
+.IR ipsec_pluto (8),
+currently
+.BR 3h ,
+maximum
+.BR 24h ).
+The two-ends-disagree case is similar to that of
+.BR keylife .
+.TP
+.B keyingtries
+how many attempts (a whole number or \fB%forever\fP) should be made to
+negotiate a connection, or a replacement for one, before giving up
+(default
+.BR %forever ).
+The value \fB%forever\fP
+means ``never give up'' (obsolete: this can be written \fB0\fP).
+Relevant only locally, other end need not agree on it.
+.TP
+.B keylife
+how long a particular instance of a connection
+(a set of encryption/authentication keys for user packets) should last,
+from successful negotiation to expiry;
+acceptable values are an integer optionally followed by
+.BR s
+(a time in seconds)
+or a decimal number followed by
+.BR m ,
+.BR h ,
+or
+.B d
+(a time
+in minutes, hours, or days respectively)
+(default
+.BR 1h ,
+maximum
+.BR 24h ).
+Normally, the connection is renegotiated (via the keying channel)
+before it expires.
+The two ends need not exactly agree on
+.BR keylife ,
+although if they do not,
+there will be some clutter of superseded connections on the end
+which thinks the lifetime is longer.
+.TP
+.B leftca
+the distinguished name of a certificate authority which is required to
+lie in the trust path going from the left participant's certificate up
+to the root certification authority.
+.TP
+.B leftcert
+the path to the left participant's X.509 certificate. The file can be coded either in
+PEM or DER format. OpenPGP certificates are supported as well.
+Both absolute paths or paths relative to
+.B /etc/ipsec.d/certs
+are accepted. By default
+.B leftcert
+sets
+.B leftid
+to the distinguished name of the certificate's subject and
+.B leftca
+to the distinguished name of the certificate's issuer.
+The left participant's ID can be overriden by specifying a
+.B leftid
+value which must be certified by the certificate, though.
+.TP
+.B leftgroups
+a comma separated list of group names. If the
+.B leftgroups
+parameter is present then the peer must be a member of at least one
+of the groups defined by the parameter. Group membership must be certified
+by a valid attribute certificate stored in \fI/etc/ipsec.d/acerts\fP thas has been
+issued to the peer by a trusted Authorization Authority stored in
+\fI/etc/ipsec.d/aacerts\fP.
+.TP
+.B leftid
+how
+the left participant
+should be identified for authentication;
+defaults to
+.BR left .
+Can be an IP address (in any
+.IR ipsec_ttoaddr (3)
+syntax)
+or a fully-qualified domain name preceded by
+.B @
+(which is used as a literal string and not resolved).
+The magic value
+.B %myid
+stands for the current setting of \fImyid\fP.
+This is set in \fBconfig setup\fP or by \fIipsec_whack\fP(8)), or, if not set,
+it is the IP address in \fB%defaultroute\fP (if that is supported by a TXT record in its reverse domain), or otherwise
+it is the system's hostname (if that is supported by a TXT record in its forward domain), or otherwise it is undefined.
+.TP
+.B leftrsasigkey
+the left participant's
+public key for RSA signature authentication,
+in RFC 2537 format using
+.IR ipsec_ttodata (3)
+encoding.
+The magic value
+.B %none
+means the same as not specifying a value (useful to override a default).
+The value
+.B %cert
+(the default)
+means that the key is extracted from a certificate.
+The value
+.B %dnsondemand
+means the key is to be fetched from DNS at the time it is needed.
+The value
+.B %dnsonload
+means the key is to be fetched from DNS at the time
+the connection description is read from
+.IR ipsec.conf ;
+currently this will be treated as
+.B %none
+if
+.B right=%any
+or
+.BR right=%opportunistic .
+The value
+.B %dns
+is currently treated as
+.B %dnsonload
+but will change to
+.B %dnsondemand
+in the future.
+The identity used for the left participant
+must be a specific host, not
+.B %any
+or another magic value.
+.B Caution:
+if two connection descriptions
+specify different public keys for the same
+.BR leftid ,
+confusion and madness will ensue.
+.TP
+.B leftrsasigkey2
+if present, a second public key.
+Either key can authenticate the signature, allowing for key rollover.
+.TP
+.B leftsourceip
+.TP
+.B leftsubnetwithin
+.TP
+.B pfs
+whether Perfect Forward Secrecy of keys is desired on the connection's
+keying channel
+(with PFS, penetration of the key-exchange protocol
+does not compromise keys negotiated earlier);
+acceptable values are
+.B yes
+(the default)
+and
+.BR no .
+.TP
+.B rekey
+whether a connection should be renegotiated when it is about to expire;
+acceptable values are
+.B yes
+(the default)
+and
+.BR no .
+The two ends need not agree,
+but while a value of
+.B no
+prevents Pluto from requesting renegotiation,
+it does not prevent responding to renegotiation requested from the other end,
+so
+.B no
+will be largely ineffective unless both ends agree on it.
+.TP
+.B rekeyfuzz
+maximum percentage by which
+.B rekeymargin
+should be randomly increased to randomize rekeying intervals
+(important for hosts with many connections);
+acceptable values are an integer,
+which may exceed 100,
+followed by a `%'
+(default set by
+.IR ipsec_pluto (8),
+currently
+.BR 100% ).
+The value of
+.BR rekeymargin ,
+after this random increase,
+must not exceed
+.BR keylife .
+The value
+.B 0%
+will suppress time randomization.
+Relevant only locally, other end need not agree on it.
+.TP
+.B rekeymargin
+how long before connection expiry or keying-channel expiry
+should attempts to
+negotiate a replacement
+begin; acceptable values as for
+.B keylife
+(default
+.BR 9m ).
+Relevant only locally, other end need not agree on it.
+.SS "CONN PARAMETERS: MANUAL KEYING"
+The following parameters are relevant only to manual keying,
+and are ignored in automatic keying.
+Unless otherwise noted,
+for a connection to work,
+in general it is necessary for the two ends to agree exactly
+on the values of these parameters.
+A manually-keyed
+connection must specify at least one of AH or ESP.
+.TP 14
+.B spi
+(this or
+.B spibase
+required for manual keying)
+the SPI number to be used for the connection (see
+.IR ipsec_manual (8));
+must be of the form \fB0x\fIhex\fB\fR,
+where
+.I hex
+is one or more hexadecimal digits
+(note, it will generally be necessary to make
+.I spi
+at least
+.B 0x100
+to be acceptable to KLIPS,
+and use of SPIs in the range
+.BR 0x100 - 0xfff
+is recommended)
+.TP 14
+.B spibase
+(this or
+.B spi
+required for manual keying)
+the base number for the SPIs to be used for the connection (see
+.IR ipsec_manual (8));
+must be of the form \fB0x\fIhex\fB0\fR,
+where
+.I hex
+is one or more hexadecimal digits
+(note, it will generally be necessary to make
+.I spibase
+at least
+.B 0x100
+for the resulting SPIs
+to be acceptable to KLIPS,
+and use of numbers in the range
+.BR 0x100 - 0xff0
+is recommended)
+.TP
+.B esp
+ESP encryption/authentication algorithm to be used
+for the connection, e.g.
+.B 3des-md5-96
+(must be suitable as a value of
+.IR ipsec_spi (8)'s
+.B \-\-esp
+option);
+default is not to use ESP
+.TP
+.B espenckey
+ESP encryption key
+(must be suitable as a value of
+.IR ipsec_spi (8)'s
+.B \-\-enckey
+option)
+(may be specified separately for each direction using
+.B leftespenckey
+(leftward SA)
+and
+.B rightespenckey
+parameters)
+.TP
+.B espauthkey
+ESP authentication key
+(must be suitable as a value of
+.IR ipsec_spi (8)'s
+.B \-\-authkey
+option)
+(may be specified separately for each direction using
+.B leftespauthkey
+(leftward SA)
+and
+.B rightespauthkey
+parameters)
+.TP
+.B espreplay_window
+ESP replay-window setting,
+an integer from
+.B 0
+(the
+.IR ipsec_manual
+default, which turns off replay protection) to
+.BR 64 ;
+relevant only if ESP authentication is being used
+.TP
+.B leftespspi
+SPI to be used for the leftward ESP SA, overriding
+automatic assignment using
+.B spi
+or
+.BR spibase ;
+typically a hexadecimal number beginning with
+.B 0x
+.TP
+.B ah
+AH authentication algorithm to be used
+for the connection, e.g.
+.B hmac-md5-96
+(must be suitable as a value of
+.IR ipsec_spi (8)'s
+.B \-\-ah
+option);
+default is not to use AH
+.TP
+.B ahkey
+(required if
+.B ah
+is present) AH authentication key
+(must be suitable as a value of
+.IR ipsec_spi (8)'s
+.B \-\-authkey
+option)
+(may be specified separately for each direction using
+.B leftahkey
+(leftward SA)
+and
+.B rightahkey
+parameters)
+.TP
+.B ahreplay_window
+AH replay-window setting,
+an integer from
+.B 0
+(the
+.I ipsec_manual
+default, which turns off replay protection) to
+.B 64
+.TP
+.B leftahspi
+SPI to be used for the leftward AH SA, overriding
+automatic assignment using
+.B spi
+or
+.BR spibase ;
+typically a hexadecimal number beginning with
+.B 0x
+.SH "CA SECTIONS"
+This are optional sections that can be used to assign special
+parameters to a Certification Authority (CA).
+.TP 10
+.B auto
+currently can have either the value
+.B ignore
+or
+.B add
+.
+.TP
+.B cacert
+defines a path to the CA certificate either relative to
+\fI/etc/ipsec.d/cacerts\fP or as an absolute path.
+.TP
+.B crluri
+defines a CRL distribution point (ldap, http, or file URI)
+.TP
+.B crluri2
+defines an alternative CRL distribution point (ldap, http, or file URI)
+.TP
+.B ldaphost
+defines an ldap host.
+.TP
+.B ocspuri
+defines an OCSP URI.
+.SH "CONFIG SECTIONS"
+At present, the only
+.B config
+section known to the IPsec software is the one named
+.BR setup ,
+which contains information used when the software is being started
+(see
+.IR ipsec_setup (8)).
+Here's an example:
+.PP
+.ne 8
+.nf
+.ft B
+.ta 1c
+config setup
+ interfaces="ipsec0=eth1 ipsec1=ppp0"
+ klipsdebug=none
+ plutodebug=all
+ manualstart=
+.ft
+.fi
+.PP
+Parameters are optional unless marked ``(required)''.
+The currently-accepted
+.I parameter
+names in a
+.B config
+.B setup
+section are:
+.TP 14
+.B myid
+the identity to be used for
+.BR %myid .
+.B %myid
+is used in the implicit policy group conns and can be used as
+an identity in explicit conns.
+If unspecified,
+.B %myid
+is set to the IP address in \fB%defaultroute\fP (if that is supported by a TXT record in its reverse domain), or otherwise
+the system's hostname (if that is supported by a TXT record in its forward domain), or otherwise it is undefined.
+An explicit value generally starts with ``\fB@\fP''.
+.TP
+.B interfaces
+virtual and physical interfaces for IPsec to use:
+a single
+\fIvirtual\fB=\fIphysical\fR pair, a (quoted!) list of pairs separated
+by white space, or
+.BR %none .
+One of the pairs may be written as
+.BR %defaultroute ,
+which means: find the interface \fId\fR that the default route points to,
+and then act as if the value was ``\fBipsec0=\fId\fR''.
+.B %defaultroute
+is the default;
+.B %none
+must be used to denote no interfaces.
+If
+.B %defaultroute
+is used (implicitly or explicitly)
+information about the default route and its interface is noted for
+use by
+.IR ipsec_manual (8)
+and
+.IR ipsec_auto (8).)
+.TP
+.B forwardcontrol
+whether
+.I setup
+should turn IP forwarding on
+(if it's not already on) as IPsec is started,
+and turn it off again (if it was off) as IPsec is stopped;
+acceptable values are
+.B yes
+and (the default)
+.BR no .
+For this to have full effect, forwarding must be
+disabled before the hardware interfaces are brought
+up (e.g.,
+.B "net.ipv4.ip_forward\ =\ 0"
+in Red Hat 6.x
+.IR /etc/sysctl.conf ),
+because IPsec doesn't get control early enough to do that.
+.TP
+.B rp_filter
+whether and how
+.I setup
+should adjust the reverse path filtering mechanism for the
+physical devices to be used.
+Values are \fB%unchanged\fP (to leave it alone)
+or \fB0\fP, \fB1\fP, \fB2\fP (values to set it to).
+\fI/proc/sys/net/ipv4/conf/PHYS/rp_filter\fP
+is badly documented; it must be \fB0\fP in many cases
+for ipsec to function.
+The default value for the parameter is \fB0\fP.
+.TP
+.B syslog
+the
+.IR syslog (2)
+``facility'' name and priority to use for
+startup/shutdown log messages,
+default
+.BR daemon.error .
+.TP
+.B klipsdebug
+how much KLIPS debugging output should be logged.
+An empty value,
+or the magic value
+.BR none ,
+means no debugging output (the default).
+The magic value
+.B all
+means full output.
+Otherwise only the specified types of output
+(a quoted list, names separated by white space) are enabled;
+for details on available debugging types, see
+.IR ipsec_klipsdebug (8).
+.TP
+.B plutodebug
+how much Pluto debugging output should be logged.
+An empty value,
+or the magic value
+.BR none ,
+means no debugging output (the default).
+The magic value
+.B all
+means full output.
+Otherwise only the specified types of output
+(a quoted list, names without the
+.B \-\-debug\-
+prefix,
+separated by white space) are enabled;
+for details on available debugging types, see
+.IR ipsec_pluto (8).
+.TP
+.B plutoopts
+additional options to pass to pluto upon startup. See
+.IR ipsec_pluto (8).
+.TP
+.B plutostderrlog
+do not use syslog, but rather log to stderr, and direct stderr to the
+argument file.
+.TP
+.B dumpdir
+in what directory should things started by
+.I setup
+(notably the Pluto daemon) be allowed to
+dump core?
+The empty value (the default) means they are not
+allowed to.
+.TP
+.B manualstart
+which manually-keyed connections to set up at startup
+(empty, a name, or a quoted list of names separated by white space);
+see
+.IR ipsec_manual (8).
+Default is none.
+.TP
+.B pluto
+whether to start Pluto or not;
+Values are
+.B yes
+(the default)
+or
+.B no
+(useful only in special circumstances).
+.TP
+.B plutowait
+should Pluto wait for each
+negotiation attempt that is part of startup to
+finish before proceeding with the next?
+Values are
+.B yes
+or
+.BR no
+(the default).
+.TP
+.B prepluto
+shell command to run before starting Pluto
+(e.g., to decrypt an encrypted copy of the
+.I ipsec.secrets
+file).
+It's run in a very simple way;
+complexities like I/O redirection are best hidden within a script.
+Any output is redirected for logging,
+so running interactive commands is difficult unless they use
+.I /dev/tty
+or equivalent for their interaction.
+Default is none.
+.TP
+.B postpluto
+shell command to run after starting Pluto
+(e.g., to remove a decrypted copy of the
+.I ipsec.secrets
+file).
+It's run in a very simple way;
+complexities like I/O redirection are best hidden within a script.
+Any output is redirected for logging,
+so running interactive commands is difficult unless they use
+.I /dev/tty
+or equivalent for their interaction.
+Default is none.
+.TP
+.B fragicmp
+whether a tunnel's need to fragment a packet should be reported
+back with an ICMP message,
+in an attempt to make the sender lower his PMTU estimate;
+acceptable values are
+.B yes
+(the default)
+and
+.BR no .
+.TP
+.B hidetos
+whether a tunnel packet's TOS field should be set to
+.B 0
+rather than copied from the user packet inside;
+acceptable values are
+.B yes
+(the default)
+and
+.BR no .
+.TP
+.B uniqueids
+whether a particular participant ID should be kept unique,
+with any new (automatically keyed)
+connection using an ID from a different IP address
+deemed to replace all old ones using that ID;
+acceptable values are
+.B yes
+(the default)
+and
+.BR no .
+Participant IDs normally \fIare\fR unique,
+so a new (automatically-keyed) connection using the same ID is
+almost invariably intended to replace an old one.
+.TP
+.B overridemtu
+value that the MTU of the ipsec\fIn\fR interface(s) should be set to,
+overriding IPsec's (large) default.
+This parameter is needed only in special situations.
+.TP
+.B nat_traversal
+.TP
+.B crlcheckinterval
+.TP
+.B strictcrlpolicy
+.TP
+.B pkcs11module
+.TP
+.B pkcs11keepstate
+
+.SH CHOOSING A CONNECTION
+.PP
+When choosing a connection to apply to an outbound packet caught with a
+.BR %trap,
+the system prefers the one with the most specific eroute that
+includes the packet's source and destination IP addresses.
+Source subnets are examined before destination subnets.
+For initiating, only routed connections are considered. For responding,
+unrouted but added connections are considered.
+.PP
+When choosing a connection to use to respond to a negotiation which
+doesn't match an ordinary conn, an opportunistic connection
+may be instantiated. Eventually, its instance will be /32 -> /32, but
+for earlier stages of the negotiation, there will not be enough
+information about the client subnets to complete the instantiation.
+.SH FILES
+.nf
+/etc/ipsec.conf
+/etc/ipsec.d/cacerts
+/etc/ipsec.d/certs
+/etc/ipsec.d/crls
+/etc/ipsec.d/aacerts
+/etc/ipsec.d/acerts
+
+.SH SEE ALSO
+ipsec(8), ipsec_ttoaddr(8), ipsec_auto(8), ipsec_manual(8), ipsec_rsasigkey(8)
+.SH HISTORY
+Written for the FreeS/WAN project
+<http://www.freeswan.org>
+by Henry Spencer. Extended for the strongSwan project
+<http://www.strongswan.org>
+by Andreas Steffen.
+.SH BUGS
+.PP
+When
+.B type
+or
+.B failureshunt
+is set to
+.B drop
+or
+.BR reject,
+strongSwan blocks outbound packets using eroutes, but assumes inbound
+blocking is handled by the firewall. strongSwan offers firewall hooks
+via an ``updown'' script. However, the default
+.B ipsec _updown
+provides no help in controlling a modern firewall.
+.PP
+Including attributes of the keying channel
+(authentication methods,
+.BR ikelifetime ,
+etc.)
+as an attribute of a connection,
+rather than of a participant pair, is dubious and incurs limitations.
+.PP
+.IR Ipsec_manual
+is not nearly as generous about the syntax of subnets,
+addresses, etc. as the usual strongSwan user interfaces.
+Four-component dotted-decimal must be used for all addresses.
+It
+.I is
+smart enough to translate bit-count netmasks to dotted-decimal form.
+.PP
+It would be good to have a line-continuation syntax,
+especially for the very long lines involved in
+RSA signature keys.
+.PP
+The ability to specify different identities,
+.BR authby ,
+and public keys for different automatic-keyed connections
+between the same participants is misleading;
+this doesn't work dependably because the identity of the participants
+is not known early enough.
+This is especially awkward for the ``Road Warrior'' case,
+where the remote IP address is specified as
+.BR 0.0.0.0 ,
+and that is considered to be the ``participant'' for such connections.
+.PP
+In principle it might be necessary to control MTU on an
+interface-by-interface basis,
+rather than with the single global override that
+.B overridemtu
+provides.
+.PP
+A number of features which \fIcould\fR be implemented in
+both manual and automatic keying
+actually are not yet implemented for manual keying.
+This is unlikely to be fixed any time soon.
+.PP
+If conns are to be added before DNS is available,
+\fBleft=\fP\fIFQDN\fP,
+\fBleftnextop=\fP\fIFQDN\fP,
+and
+.B leftrsasigkey=%dnsonload
+will fail.
+.IR ipsec_pluto (8)
+does not actually use the public key for our side of a conn but it
+isn't generally known at a add-time which side is ours (Road Warrior
+and Opportunistic conns are currently exceptions).
+.PP
+The \fBmyid\fP option does not affect explicit \fB ipsec auto \-\-add\fP or \fBipsec auto \-\-replace\fP commands for implicit conns.
diff --git a/programs/_confread/ipsec.conf.in b/programs/_confread/ipsec.conf.in
new file mode 100644
index 000000000..296986459
--- /dev/null
+++ b/programs/_confread/ipsec.conf.in
@@ -0,0 +1,44 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+# RCSID $Id: ipsec.conf.in,v 1.7 2006/01/31 13:09:10 as Exp $
+
+# Manual: ipsec.conf.5
+# Help: http://www.strongswan.org/docs/readme.htm
+
+version 2.0 # conforms to second version of ipsec.conf specification
+
+# basic configuration
+
+config setup
+ # Debug-logging controls: "none" for (almost) none, "all" for lots.
+ # plutodebug=all
+ # crlcheckinterval=600
+ # strictcrlpolicy=yes
+ # cachecrls=yes
+ # nat_traversal=yes
+
+# Uncomment to activate Opportunistic Encryption (OE)
+# include /etc/ipsec.d/examples/oe.conf
+
+# Add connections here.
+
+# Sample VPN connections
+
+#conn sample-self-signed
+# left=%defaultroute
+# leftsubnet=10.1.0.0/16
+# leftcert=selfCert.der
+# leftsendcert=never
+# right=192.168.0.2
+# rightsubnet=10.2.0.0/16
+# rightcert=peerCert.der
+# auto=start
+
+#conn sample-with-ca-cert
+# left=%defaultroute
+# leftsubnet=10.1.0.0/16
+# leftcert=myCert.pem
+# right=192.168.0.2
+# rightsubnet=10.2.0.0/16
+# rightid="C=CH, O=Linux strongSwan CN=peer name"
+# auto=start
diff --git a/programs/_confread/private-or-clear.in b/programs/_confread/private-or-clear.in
new file mode 100644
index 000000000..c66b1d29f
--- /dev/null
+++ b/programs/_confread/private-or-clear.in
@@ -0,0 +1,14 @@
+# This file defines the set of CIDRs (network/mask-length) to which
+# communication should be private, if possible, but in the clear otherwise.
+#
+# If the target has a TXT (later IPSECKEY) record that specifies
+# authentication material, we will require private (i.e. encrypted)
+# communications. If no such record is found, communications will be
+# in the clear.
+#
+# See @FINALDOCDIR@/policygroups.html for details.
+#
+# $Id: private-or-clear.in,v 1.1 2004/03/15 20:35:27 as Exp $
+#
+
+0.0.0.0/0
diff --git a/programs/_confread/private.in b/programs/_confread/private.in
new file mode 100644
index 000000000..9d4bd6c67
--- /dev/null
+++ b/programs/_confread/private.in
@@ -0,0 +1,6 @@
+# This file defines the set of CIDRs (network/mask-length) to which
+# communication should always be private (i.e. encrypted).
+# See @FINALDOCDIR@/policygroups.html for details.
+#
+# $Id: private.in,v 1.1 2004/03/15 20:35:27 as Exp $
+#
diff --git a/programs/_confread/randomize b/programs/_confread/randomize
new file mode 100755
index 000000000..26d80a8f3
--- /dev/null
+++ b/programs/_confread/randomize
@@ -0,0 +1,28 @@
+#! /bin/sh
+# internal utility for putting random keys into sample configuration file
+# Copyright (C) 1998, 1999 Henry Spencer.
+#
+# This program is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 2 of the License, or (at your
+# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+# for more details.
+#
+# RCSID $Id: randomize,v 1.1 2004/03/15 20:35:27 as Exp $
+
+awk '/`[0-9]+`/ {
+ match($0, /`[0-9]+`/)
+ n = substr($0, RSTART+1, RLENGTH-2)
+ cmd = "./ranbits --quick " n
+ cmd | getline key
+ cmd | getline eof
+ close(cmd)
+ sub(/`[0-9]+`/, key, $0)
+ print
+ next
+}
+{ print }' $*
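Review bot: The `cmd | getline key` call in the awk program ignores getline's return value, so if `./ranbits` fails or prints nothing the script does not stop: on the first match `key` is the empty string and the placeholder is replaced with nothing, and on later matches `key` still holds the previous line's output, so the same random value would be written into two places of the sample configuration. A guard such as `if ((cmd | getline key) <= 0) { close(cmd); print "randomize: ranbits failed" > "/dev/stderr"; exit 1 }` makes the failure visible instead of silently producing a weak or duplicated key. Separately, the unquoted `$*` on the last line splits file names containing whitespace; `"$@"` preserves them.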