authorRene Mayrhofer <rene@mayrhofer.eu.org>2006-05-22 05:12:18 +0000
committerRene Mayrhofer <rene@mayrhofer.eu.org>2006-05-22 05:12:18 +0000
commitaa0f5b38aec14428b4b80e06f90ff781f8bca5f1 (patch)
tree95f3d0c8cb0d59d88900dbbd72110d7ab6e15b2a /programs/klipsdebug
parent7c383bc22113b23718be89fe18eeb251942d7356 (diff)
Import initial strongswan 2.7.0 version into SVN.
Diffstat (limited to 'programs/klipsdebug')
-rw-r--r--programs/klipsdebug/.cvsignore1
-rw-r--r--programs/klipsdebug/Makefile80
-rw-r--r--programs/klipsdebug/klipsdebug.5138
-rw-r--r--programs/klipsdebug/klipsdebug.8164
-rw-r--r--programs/klipsdebug/klipsdebug.c436
5 files changed, 819 insertions, 0 deletions
diff --git a/programs/klipsdebug/.cvsignore b/programs/klipsdebug/.cvsignore
new file mode 100644
index 000000000..03c1d474c
--- /dev/null
+++ b/programs/klipsdebug/.cvsignore
@@ -0,0 +1 @@
+klipsdebug
diff --git a/programs/klipsdebug/Makefile b/programs/klipsdebug/Makefile
new file mode 100644
index 000000000..6c98e7592
--- /dev/null
+++ b/programs/klipsdebug/Makefile
@@ -0,0 +1,80 @@
+# Makefile for the KLIPS interface utilities
+# Copyright (C) 1998, 1999 Henry Spencer.
+# Copyright (C) 1999, 2000, 2001 Richard Guy Briggs
+#
+# This program is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 2 of the License, or (at your
+# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+# for more details.
+#
+# RCSID $Id: Makefile,v 1.1 2004/03/15 20:35:28 as Exp $
+
+FREESWANSRCDIR=../..
+include ${FREESWANSRCDIR}/Makefile.inc
+
+PROGRAM:=klipsdebug
+EXTRA5PROC=${PROGRAM}.5
+
+LIBS:=${FREESWANLIB}
+
+include ../Makefile.program
+
+#
+# $Log: Makefile,v $
+# Revision 1.1 2004/03/15 20:35:28 as
+# added files from freeswan-2.04-x509-1.5.3
+#
+# Revision 1.4 2002/06/03 20:25:31 mcr
+# man page for files actually existant in /proc/net changed back to
+# ipsec_foo via new EXTRA5PROC process.
+#
+# Revision 1.3 2002/06/02 22:02:14 mcr
+# changed TOPDIR->FREESWANSRCDIR in all Makefiles.
+# (note that linux/net/ipsec/Makefile uses TOPDIR because this is the
+# kernel sense.)
+#
+# Revision 1.2 2002/04/26 01:21:26 mcr
+# while tracking down a missing (not installed) /etc/ipsec.conf,
+# MCR has decided that it is not okay for each program subdir to have
+# some subset (determined with -f) of possible files.
+# Each subdir that defines $PROGRAM, MUST have a PROGRAM.8 file as well as a PROGRAM file.
+# Optional PROGRAM.5 files have been added to the makefiles.
+#
+# Revision 1.1 2002/04/24 07:55:32 mcr
+# #include patches and Makefiles for post-reorg compilation.
+#
+#
+#
+
+
+#
+# $Log: Makefile,v $
+# Revision 1.1 2004/03/15 20:35:28 as
+# added files from freeswan-2.04-x509-1.5.3
+#
+# Revision 1.4 2002/06/03 20:25:31 mcr
+# man page for files actually existant in /proc/net changed back to
+# ipsec_foo via new EXTRA5PROC process.
+#
+# Revision 1.3 2002/06/02 22:02:14 mcr
+# changed TOPDIR->FREESWANSRCDIR in all Makefiles.
+# (note that linux/net/ipsec/Makefile uses TOPDIR because this is the
+# kernel sense.)
+#
+# Revision 1.2 2002/04/26 01:21:26 mcr
+# while tracking down a missing (not installed) /etc/ipsec.conf,
+# MCR has decided that it is not okay for each program subdir to have
+# some subset (determined with -f) of possible files.
+# Each subdir that defines $PROGRAM, MUST have a PROGRAM.8 file as well as a PROGRAM file.
+# Optional PROGRAM.5 files have been added to the makefiles.
+#
+# Revision 1.1 2002/04/24 07:55:32 mcr
+# #include patches and Makefiles for post-reorg compilation.
+#
+#
+#
diff --git a/programs/klipsdebug/klipsdebug.5 b/programs/klipsdebug/klipsdebug.5
new file mode 100644
index 000000000..8e5f985f0
--- /dev/null
+++ b/programs/klipsdebug/klipsdebug.5
@@ -0,0 +1,138 @@
+.TH IPSEC_KLIPSDEBUG 5 "26 Jun 2000"
+.\"
+.\" RCSID $Id: klipsdebug.5,v 1.1 2004/03/15 20:35:28 as Exp $
+.\"
+.SH NAME
+ipsec_klipsdebug \- list KLIPS (kernel IPSEC support) debug features and level
+.SH SYNOPSIS
+.B ipsec
+.B klipsdebug
+.PP
+.B cat
+.B /proc/net/ipsec_klipsdebug
+.SH DESCRIPTION
+.I /proc/net/ipsec_klipsdebug
+lists flags that control various parts of the debugging output of Klips
+(the kernel portion of FreeS/WAN IPSEC).
+At this point it is a read-only file.
+.PP
+A table entry consists of:
+.IP + 3
+a KLIPS debug variable
+.IP +
+a '=' separator for visual and automated parsing between the variable
+name and its current value
+.IP +
+hexadecimal bitmap of variable's flags.
+.PP
+The variable names roughly describe the scope of the debugging variable.
+Currently, no flags are documented or individually accessible yet except
+tunnel-xmit.
+.ne 5
+.PP
+The variable names are:
+.TP 8
+.B tunnel
+tunnelling code
+.TP
+.B netlink
+userspace communication code (obsolete)
+.TP
+.B xform
+transform selection and manipulation code
+.TP
+.B eroute
+eroute table manipulation code
+.TP
+.B spi
+SA table manipulation code
+.TP
+.B radij
+radij tree manipulation code
+.TP
+.B esp
+encryptions transforms code
+.TP
+.B ah
+authentication transforms code
+.TP
+.B rcv
+receive code
+.TP
+.B ipcomp
+ip compression transforms code
+.TP
+.B verbose
+give even more information, beware this will probably trample the 4k kernel printk buffer giving inaccurate output
+.PP
+All KLIPS debug output appears as
+.B kernel.info
+messages to
+.IR syslogd (8).
+Most systems are set up
+to log these messages to
+.IR /var/log/messages .
+.PP
+.SH EXAMPLES
+.LP
+.B debug_tunnel=00000010.
+.br
+.B debug_netlink=00000000.
+.br
+.B debug_xform=00000000.
+.br
+.B debug_eroute=00000000.
+.br
+.B debug_spi=00000000.
+.br
+.B debug_radij=00000000.
+.br
+.B debug_esp=00000000.
+.br
+.B debug_ah=00000000.
+.br
+.B debug_rcv=00000000.
+.br
+.B debug_pfkey=ffffffff.
+.LP
+means that one
+.B tunnel
+flag has been set (tunnel-xmit),
+full
+.B pfkey
+sockets debugging has been set and everything else is not set.
+.LP
+.SH FILES
+/proc/net/ipsec_klipsdebug, /usr/local/bin/ipsec
+.SH "SEE ALSO"
+ipsec(8), ipsec_manual(8), ipsec_tncfg(8), ipsec_eroute(8),
+ipsec_spi(8), ipsec_spigrp(8), ipsec_klipsdebug(5), ipsec_version(5),
+ipsec_pf_key(5)
+.SH HISTORY
+Written for the Linux FreeS/WAN project
+<http://www.freeswan.org/>
+by Richard Guy Briggs.
+.\"
+.\" $Log: klipsdebug.5,v $
+.\" Revision 1.1 2004/03/15 20:35:28 as
+.\" added files from freeswan-2.04-x509-1.5.3
+.\"
+.\" Revision 1.5 2002/04/24 07:35:38 mcr
+.\" Moved from ./klips/utils/klipsdebug.5,v
+.\"
+.\" Revision 1.4 2000/10/10 20:10:19 rgb
+.\" Added support for debug_ipcomp and debug_verbose to klipsdebug.
+.\"
+.\" Revision 1.3 2000/06/30 18:21:55 rgb
+.\" Update SEE ALSO sections to include ipsec_version(5) and ipsec_pf_key(5)
+.\" and correct FILES sections to no longer refer to /dev/ipsec which has
+.\" been removed since PF_KEY does not use it.
+.\"
+.\" Revision 1.2 2000/06/28 12:44:12 henry
+.\" format touchup
+.\"
+.\" Revision 1.1 2000/06/28 05:43:00 rgb
+.\" Added manpages for all 5 klips utils.
+.\"
+.\"
+.\"
diff --git a/programs/klipsdebug/klipsdebug.8 b/programs/klipsdebug/klipsdebug.8
new file mode 100644
index 000000000..60d018eec
--- /dev/null
+++ b/programs/klipsdebug/klipsdebug.8
@@ -0,0 +1,164 @@
+.TH IPSEC_KLIPSDEBUG 8 "21 Jun 2000"
+.\"
+.\" RCSID $Id: klipsdebug.8,v 1.1 2004/03/15 20:35:28 as Exp $
+.\"
+.SH NAME
+ipsec klipsdebug \- set KLIPS (kernel IPSEC support) debug features and level
+.SH SYNOPSIS
+.B ipsec
+.B klipsdebug
+.PP
+.B ipsec
+.B klipsdebug
+.B \-\-set
+flagname
+.PP
+.B ipsec
+.B klipsdebug
+.B \-\-clear
+flagname
+.PP
+.B ipsec
+.B klipsdebug
+.B \-\-all
+.PP
+.B ipsec
+.B klipsdebug
+.B \-\-none
+.PP
+.B ipsec
+.B klipsdebug
+.B \-\-help
+.PP
+.B ipsec
+.B klipsdebug
+.B \-\-version
+.SH DESCRIPTION
+.I Klipsdebug
+sets and clears flags that control
+various parts of the debugging output of Klips
+(the kernel portion of FreeS/WAN IPSEC).
+The form with no additional arguments lists the present contents of
+/proc/net/ipsec_klipsdebug.
+The
+.B \-\-set
+form turns the specified flag on,
+while the
+.B \-\-clear
+form turns the specified flag off.
+The
+.B \-\-all
+form
+turns all flags on except verbose, while the
+.B \-\-none
+form turns all flags off.
+.PP
+The current flag names are:
+.TP 8
+.B tunnel
+tunnelling code
+.TP
+.B tunnel-xmit
+tunnelling transmit only code
+.TP
+.B pfkey
+userspace communication code
+.TP
+.B xform
+transform selection and manipulation code
+.TP
+.B eroute
+eroute table manipulation code
+.TP
+.B spi
+SA table manipulation code
+.TP
+.B radij
+radij tree manipulation code
+.TP
+.B esp
+encryptions transforms code
+.TP
+.B ah
+authentication transforms code
+.B rcv
+receive code
+.TP
+.B ipcomp
+ip compression transforms code
+.TP
+.B verbose
+give even more information, BEWARE:
+a)this will print authentication and encryption keys in the logs
+b)this will probably trample the 4k kernel printk buffer giving inaccurate output
+.PP
+All Klips debug output appears as
+.B kernel.info
+messages to
+.IR syslogd (8).
+Most systems are set up
+to log these messages to
+.IR /var/log/messages .
+Beware that
+.B klipsdebug
+.B \-\-all
+produces a lot of output and the log file will grow quickly.
+.PP
+The file format for /proc/net/ipsec_klipsdebug is discussed in
+ipsec_klipsdebug(5).
+.SH EXAMPLES
+.TP
+.B klipsdebug \-\-all
+turns on all KLIPS debugging except verbose.
+.TP
+.B klipsdebug \-\-clear tunnel
+turns off only the
+.B tunnel
+debugging messages.
+.LP
+.SH FILES
+/proc/net/ipsec_klipsdebug, /usr/local/bin/ipsec
+.SH "SEE ALSO"
+ipsec(8), ipsec_manual(8), ipsec_tncfg(8), ipsec_eroute(8),
+ipsec_spi(8), ipsec_spigrp(8), ipsec_klipsdebug(5)
+.SH HISTORY
+Written for the Linux FreeS/WAN project
+<http://www.freeswan.org/>
+by Richard Guy Briggs.
+.SH BUGS
+It really ought to be possible to set or unset selective combinations
+of flags.
+.\"
+.\" $Log: klipsdebug.8,v $
+.\" Revision 1.1 2004/03/15 20:35:28 as
+.\" added files from freeswan-2.04-x509-1.5.3
+.\"
+.\" Revision 1.18 2002/04/24 07:35:39 mcr
+.\" Moved from ./klips/utils/klipsdebug.8,v
+.\"
+.\" Revision 1.17 2000/10/10 20:10:19 rgb
+.\" Added support for debug_ipcomp and debug_verbose to klipsdebug.
+.\"
+.\" Revision 1.16 2000/08/18 17:33:11 rgb
+.\" Updated obsolete netlink reference and added pfkey and tunnel-xmit.
+.\"
+.\" Revision 1.15 2000/06/30 18:21:55 rgb
+.\" Update SEE ALSO sections to include ipsec_version(5) and ipsec_pf_key(5)
+.\" and correct FILES sections to no longer refer to /dev/ipsec which has
+.\" been removed since PF_KEY does not use it.
+.\"
+.\" Revision 1.14 2000/06/28 05:53:09 rgb
+.\" Mention that netlink is obsolete.
+.\"
+.\" Revision 1.13 2000/06/21 16:54:58 rgb
+.\" Added 'no additional args' text for listing contents of
+.\" /proc/net/ipsec_* files.
+.\"
+.\" Revision 1.12 1999/07/19 18:47:24 henry
+.\" fix slightly-misformed comments
+.\"
+.\" Revision 1.11 1999/04/06 04:54:37 rgb
+.\" Fix/Add RCSID Id: and Log: bits to make PHMDs happy. This includes
+.\" patch shell fixes.
+.\"
+.\"
diff --git a/programs/klipsdebug/klipsdebug.c b/programs/klipsdebug/klipsdebug.c
new file mode 100644
index 000000000..c205038a1
--- /dev/null
+++ b/programs/klipsdebug/klipsdebug.c
@@ -0,0 +1,436 @@
+/*
+ * control KLIPS debugging options
+ * Copyright (C) 1996 John Ioannidis.
+ * Copyright (C) 1998, 1999, 2000, 2001 Richard Guy Briggs <rgb@freeswan.org>
+ * 2001 Michael Richardson <mcr@freeswan.org>
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+char klipsdebug_c_version[] = "RCSID $Id: klipsdebug.c,v 1.2 2004/06/07 15:16:34 as Exp $";
+
+
+#include <sys/types.h>
+#include <linux/types.h> /* new */
+#include <string.h>
+#include <errno.h>
+#include <stdlib.h> /* system(), strtoul() */
+#include <sys/stat.h> /* open() */
+#include <fcntl.h> /* open() */
+
+#include <sys/socket.h>
+
+#include <netinet/in.h>
+#include <arpa/inet.h>
+
+
+
+#include <unistd.h>
+#include <freeswan.h>
+#if 0
+#include <linux/autoconf.h> /* CONFIG_IPSEC_PFKEYv2 */
+#endif
+
+/* permanently turn it on since netlink support has been disabled */
+#include <signal.h>
+#include <pfkeyv2.h>
+#include <pfkey.h>
+
+#include "freeswan/radij.h"
+#include "freeswan/ipsec_encap.h"
+#ifndef CONFIG_IPSEC_DEBUG
+#define CONFIG_IPSEC_DEBUG
+#endif /* CONFIG_IPSEC_DEBUG */
+#include "freeswan/ipsec_tunnel.h"
+
+#include <stdio.h>
+#include <getopt.h>
+
+__u32 bigbuf[1024];
+char *program_name;
+
+int pfkey_sock;
+fd_set pfkey_socks;
+uint32_t pfkey_seq = 0;
+
+char copyright[] =
+"Copyright (C) 1999 Henry Spencer, Richard Guy Briggs, D. Hugh Redelmeier,\n\
+ Sandy Harris, Angelos D. Keromytis, John Ioannidis.\n\
+\n\
+ This program is free software; you can redistribute it and/or modify it\n\
+ under the terms of the GNU General Public License as published by the\n\
+ Free Software Foundation; either version 2 of the License, or (at your\n\
+ option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.\n\
+\n\
+ This program is distributed in the hope that it will be useful, but\n\
+ WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY\n\
+ or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License\n\
+ (file COPYING in the distribution) for more details.\n";
+
+static void
+usage(char * arg)
+{
+ fprintf(stdout, "usage: %s {--set|--clear} {tunnel|tunnel-xmit|netlink|xform|eroute|spi|radij|esp|ah|rcv|pfkey|ipcomp|verbose}\n", arg);
+ fprintf(stdout, " %s {--all|--none}\n", arg);
+ fprintf(stdout, " %s --help\n", arg);
+ fprintf(stdout, " %s --version\n", arg);
+ fprintf(stdout, " %s\n", arg);
+ fprintf(stdout, " [ --debug ] is optional to any %s command\n", arg);
+ fprintf(stdout, " [ --label <label> ] is optional to any %s command.\n", arg);
+ exit(1);
+}
+
+static struct option const longopts[] =
+{
+ {"set", 1, 0, 's'},
+ {"clear", 1, 0, 'c'},
+ {"all", 0, 0, 'a'},
+ {"none", 0, 0, 'n'},
+ {"help", 0, 0, 'h'},
+ {"version", 0, 0, 'v'},
+ {"label", 1, 0, 'l'},
+ {"optionsfrom", 1, 0, '+'},
+ {"debug", 0, 0, 'd'},
+ {0, 0, 0, 0}
+};
+
+int
+main(int argc, char **argv)
+{
+/* int fd; */
+ unsigned char action = 0;
+ int c, previous = -1;
+
+ int debug = 0;
+ int error = 0;
+ int argcount = argc;
+ int em_db_tn, em_db_nl, em_db_xf, em_db_er, em_db_sp;
+ int em_db_rj, em_db_es, em_db_ah, em_db_rx, em_db_ky;
+ int em_db_gz, em_db_vb;
+
+ struct sadb_ext *extensions[SADB_EXT_MAX + 1];
+ struct sadb_msg *pfkey_msg;
+
+ em_db_tn=em_db_nl=em_db_xf=em_db_er=em_db_sp=0;
+ em_db_rj=em_db_es=em_db_ah=em_db_rx=em_db_ky=0;
+ em_db_gz=em_db_vb=0;
+
+
+ program_name = argv[0];
+
+ while((c = getopt_long(argc, argv, ""/*"s:c:anhvl:+:d"*/, longopts, 0)) != EOF) {
+ switch(c) {
+ case 'd':
+ debug = 1;
+ pfkey_lib_debug = PF_KEY_DEBUG_PARSE_MAX;
+ argcount--;
+ break;
+ case 's':
+ if(action) {
+ fprintf(stderr, "%s: Only one of '--set', '--clear', '--all' or '--none' options permitted.\n",
+ program_name);
+ exit(1);
+ }
+ action = 's';
+ em_db_tn=em_db_nl=em_db_xf=em_db_er=em_db_sp=0;
+ em_db_rj=em_db_es=em_db_ah=em_db_rx=em_db_ky=0;
+ em_db_gz=em_db_vb=0;
+ if(strcmp(optarg, "tunnel") == 0) {
+ em_db_tn = -1L;
+ } else if(strcmp(optarg, "tunnel-xmit") == 0) {
+ em_db_tn = DB_TN_XMIT;
+ } else if(strcmp(optarg, "netlink") == 0) {
+ em_db_nl = -1L;
+ } else if(strcmp(optarg, "xform") == 0) {
+ em_db_xf = -1L;
+ } else if(strcmp(optarg, "eroute") == 0) {
+ em_db_er = -1L;
+ } else if(strcmp(optarg, "spi") == 0) {
+ em_db_sp = -1L;
+ } else if(strcmp(optarg, "radij") == 0) {
+ em_db_rj = -1L;
+ } else if(strcmp(optarg, "esp") == 0) {
+ em_db_es = -1L;
+ } else if(strcmp(optarg, "ah") == 0) {
+ em_db_ah = -1L;
+ } else if(strcmp(optarg, "rcv") == 0) {
+ em_db_rx = -1L;
+ } else if(strcmp(optarg, "pfkey") == 0) {
+ em_db_ky = -1L;
+ } else if(strcmp(optarg, "comp") == 0) {
+ em_db_gz = -1L;
+ } else if(strcmp(optarg, "verbose") == 0) {
+ em_db_vb = -1L;
+ } else {
+ usage(program_name);
+ }
+ em_db_nl |= 1 << (sizeof(em_db_nl) * 8 -1);
+ break;
+ case 'c':
+ if(action) {
+ fprintf(stderr, "%s: Only one of '--set', '--clear', '--all' or '--none' options permitted.\n",
+ program_name);
+ exit(1);
+ }
+ em_db_tn=em_db_nl=em_db_xf=em_db_er=em_db_sp=-1;
+ em_db_rj=em_db_es=em_db_ah=em_db_rx=em_db_ky=-1;
+ em_db_gz=em_db_vb=-1;
+
+ action = 'c';
+ if(strcmp(optarg, "tunnel") == 0) {
+ em_db_tn = 0;
+ } else if(strcmp(optarg, "tunnel-xmit") == 0) {
+ em_db_tn = ~DB_TN_XMIT;
+ } else if(strcmp(optarg, "netlink") == 0) {
+ em_db_nl = 0;
+ } else if(strcmp(optarg, "xform") == 0) {
+ em_db_xf = 0;
+ } else if(strcmp(optarg, "eroute") == 0) {
+ em_db_er = 0;
+ } else if(strcmp(optarg, "spi") == 0) {
+ em_db_sp = 0;
+ } else if(strcmp(optarg, "radij") == 0) {
+ em_db_rj = 0;
+ } else if(strcmp(optarg, "esp") == 0) {
+ em_db_es = 0;
+ } else if(strcmp(optarg, "ah") == 0) {
+ em_db_ah = 0;
+ } else if(strcmp(optarg, "rcv") == 0) {
+ em_db_rx = 0;
+ } else if(strcmp(optarg, "pfkey") == 0) {
+ em_db_ky = 0;
+ } else if(strcmp(optarg, "comp") == 0) {
+ em_db_gz = 0;
+ } else if(strcmp(optarg, "verbose") == 0) {
+ em_db_vb = 0;
+ } else {
+ usage(program_name);
+ }
+ em_db_nl &= ~(1 << (sizeof(em_db_nl) * 8 -1));
+ break;
+ case 'a':
+ if(action) {
+ fprintf(stderr, "%s: Only one of '--set', '--clear', '--all' or '--none' options permitted.\n",
+ program_name);
+ exit(1);
+ }
+ action = 'a';
+ em_db_tn=em_db_nl=em_db_xf=em_db_er=em_db_sp=-1;
+ em_db_rj=em_db_es=em_db_ah=em_db_rx=em_db_ky=-1;
+ em_db_gz=-1;
+ em_db_vb= 0;
+ break;
+ case 'n':
+ if(action) {
+ fprintf(stderr, "%s: Only one of '--set', '--clear', '--all' or '--none' options permitted.\n",
+ program_name);
+ exit(1);
+ }
+ action = 'n';
+ em_db_tn=em_db_nl=em_db_xf=em_db_er=em_db_sp=0;
+ em_db_rj=em_db_es=em_db_ah=em_db_rx=em_db_ky=0;
+ em_db_gz=em_db_vb=0;
+ break;
+ case 'h':
+ case '?':
+ usage(program_name);
+ exit(1);
+ case 'v':
+ fprintf(stdout, "klipsdebug (Linux FreeS/WAN %s) %s\n",
+ ipsec_version_code(), klipsdebug_c_version);
+ fputs(copyright, stdout);
+ exit(0);
+ case 'l':
+ program_name = malloc(strlen(argv[0])
+ + 10 /* update this when changing the sprintf() */
+ + strlen(optarg));
+ sprintf(program_name, "%s --label %s",
+ argv[0],
+ optarg);
+ argcount -= 2;
+ break;
+ case '+': /* optionsfrom */
+ optionsfrom(optarg, &argc, &argv, optind, stderr);
+ /* no return on error */
+ break;
+ default:
+ break;
+ }
+ previous = c;
+ }
+
+ if(argcount == 1) {
+ system("cat /proc/net/ipsec_klipsdebug");
+ exit(0);
+ }
+
+ if(!action) {
+ usage(program_name);
+ }
+
+ if((pfkey_sock = socket(PF_KEY, SOCK_RAW, PF_KEY_V2) ) < 0) {
+ fprintf(stderr, "%s: Trouble opening PF_KEY family socket with error: ",
+ program_name);
+ switch(errno) {
+ case ENOENT:
+ fprintf(stderr, "device does not exist. See FreeS/WAN installation procedure.\n");
+ break;
+ case EACCES:
+ fprintf(stderr, "access denied. ");
+ if(getuid() == 0) {
+ fprintf(stderr, "Check permissions. Should be 600.\n");
+ } else {
+ fprintf(stderr, "You must be root to open this file.\n");
+ }
+ break;
+ case EUNATCH:
+ fprintf(stderr, "Netlink not enabled OR KLIPS not loaded.\n");
+ break;
+ case ENODEV:
+ fprintf(stderr, "KLIPS not loaded or enabled.\n");
+ break;
+ case EBUSY:
+ fprintf(stderr, "KLIPS is busy. Most likely a serious internal error occured in a previous command. Please report as much detail as possible to development team.\n");
+ break;
+ case EINVAL:
+ fprintf(stderr, "Invalid argument, KLIPS not loaded or check kernel log messages for specifics.\n");
+ break;
+ case ENOBUFS:
+ fprintf(stderr, "No kernel memory to allocate SA.\n");
+ break;
+ case ESOCKTNOSUPPORT:
+ fprintf(stderr, "Algorithm support not available in the kernel. Please compile in support.\n");
+ break;
+ case EEXIST:
+ fprintf(stderr, "SA already in use. Delete old one first.\n");
+ break;
+ case ENXIO:
+ fprintf(stderr, "SA does not exist. Cannot delete.\n");
+ break;
+ case EAFNOSUPPORT:
+ fprintf(stderr, "KLIPS not loaded or enabled.\n");
+ break;
+ default:
+ fprintf(stderr, "Unknown file open error %d. Please report as much detail as possible to development team.\n", errno);
+ }
+ exit(1);
+ }
+
+ pfkey_extensions_init(extensions);
+
+ if((error = pfkey_msg_hdr_build(&extensions[0],
+ SADB_X_DEBUG,
+ 0,
+ 0,
+ ++pfkey_seq,
+ getpid()))) {
+ fprintf(stderr, "%s: Trouble building message header, error=%d.\n",
+ program_name, error);
+ pfkey_extensions_free(extensions);
+ exit(1);
+ }
+
+ if((error = pfkey_x_debug_build(&extensions[SADB_X_EXT_DEBUG],
+ em_db_tn,
+ em_db_nl,
+ em_db_xf,
+ em_db_er,
+ em_db_sp,
+ em_db_rj,
+ em_db_es,
+ em_db_ah,
+ em_db_rx,
+ em_db_ky,
+ em_db_gz,
+ em_db_vb))) {
+ fprintf(stderr, "%s: Trouble building message header, error=%d.\n",
+ program_name, error);
+ pfkey_extensions_free(extensions);
+ exit(1);
+ }
+
+ if((error = pfkey_msg_build(&pfkey_msg, extensions, EXT_BITS_IN))) {
+ fprintf(stderr, "%s: Trouble building pfkey message, error=%d.\n",
+ program_name, error);
+ pfkey_extensions_free(extensions);
+ pfkey_msg_free(&pfkey_msg);
+ exit(1);
+ }
+
+ if((error = write(pfkey_sock,
+ pfkey_msg,
+ pfkey_msg->sadb_msg_len * IPSEC_PFKEYv2_ALIGN)) !=
+ (ssize_t)(pfkey_msg->sadb_msg_len * IPSEC_PFKEYv2_ALIGN)) {
+ fprintf(stderr,
+ "%s: pfkey write failed, tried to write %u octets, returning %d with errno=%d.\n",
+ program_name,
+ (unsigned)(pfkey_msg->sadb_msg_len * IPSEC_PFKEYv2_ALIGN),
+ error,
+ errno);
+ pfkey_extensions_free(extensions);
+ pfkey_msg_free(&pfkey_msg);
+ switch(errno) {
+ case EACCES:
+ fprintf(stderr, "access denied. ");
+ if(getuid() == 0) {
+ fprintf(stderr, "Check permissions. Should be 600.\n");
+ } else {
+ fprintf(stderr, "You must be root to open this file.\n");
+ }
+ break;
+ case EUNATCH:
+ fprintf(stderr, "Netlink not enabled OR KLIPS not loaded.\n");
+ break;
+ case EBUSY:
+ fprintf(stderr, "KLIPS is busy. Most likely a serious internal error occured in a previous command. Please report as much detail as possible to development team.\n");
+ break;
+ case EINVAL:
+ fprintf(stderr, "Invalid argument, check kernel log messages for specifics.\n");
+ break;
+ case ENODEV:
+ fprintf(stderr, "KLIPS not loaded or enabled.\n");
+ fprintf(stderr, "No device?!?\n");
+ break;
+ case ENOBUFS:
+ fprintf(stderr, "No kernel memory to allocate SA.\n");
+ break;
+ case ESOCKTNOSUPPORT:
+ fprintf(stderr, "Algorithm support not available in the kernel. Please compile in support.\n");
+ break;
+ case EEXIST:
+ fprintf(stderr, "SA already in use. Delete old one first.\n");
+ break;
+ case ENOENT:
+ fprintf(stderr, "device does not exist. See FreeS/WAN installation procedure.\n");
+ break;
+ case ENXIO:
+ fprintf(stderr, "SA does not exist. Cannot delete.\n");
+ break;
+ case ENOSPC:
+ fprintf(stderr, "no room in kernel SAref table. Cannot process request.\n");
+ break;
+ case ESPIPE:
+ fprintf(stderr, "kernel SAref table internal error. Cannot process request.\n");
+ break;
+ default:
+ fprintf(stderr, "Unknown socket write error %d. Please report as much detail as possible to development team.\n", errno);
+ }
+ exit(1);
+ }
+
+ if(pfkey_msg) {
+ pfkey_extensions_free(extensions);
+ pfkey_msg_free(&pfkey_msg);
+ }
+
+ (void) close(pfkey_sock); /* close the socket */
+ exit(0);
+}
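Review bot: The no-argument path calls `system("cat /proc/net/ipsec_klipsdebug")`, which runs a shell and a `cat` found through the caller's `PATH` and ignores the result, in a tool whose own EACCES message expects it to run as root; reading the proc file directly with `fopen`/`fgets`, as in the excerpt below, drops the dependency on the environment and lets a missing file be reported. In the same `main`, the `--set` and `--clear` branches compare `optarg` with `"comp"` although `usage()` advertises `ipcomp`, so `--set ipcomp` ends in `usage()`; both comparisons should read `strcmp(optarg, "ipcomp") == 0`. The `malloc` result in the `--label` case is passed to `sprintf` unchecked, and `1 << (sizeof(em_db_nl) * 8 -1)` shifts into the sign bit of a signed `int`, which is better written with `1U`.

```c
	/* … unchanged: option parsing loop … */
	if(argcount == 1) {
		/* read the proc file directly: no shell, no PATH lookup for cat */
		FILE *dbg = fopen("/proc/net/ipsec_klipsdebug", "r");
		char line[256];

		if(dbg == NULL) {
			fprintf(stderr, "%s: cannot open /proc/net/ipsec_klipsdebug: %s\n",
				program_name, strerror(errno));
			exit(1);
		}
		while(fgets(line, sizeof(line), dbg) != NULL) {
			fputs(line, stdout);
		}
		fclose(dbg);
		exit(0);
	}
	/* … unchanged: action check, PF_KEY socket setup and message build … */
```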