summaryrefslogtreecommitdiff
path: root/doc/manpage.d/ipsec.secrets.5.html
diff options
context:
space:
mode:
Diffstat (limited to 'doc/manpage.d/ipsec.secrets.5.html')
-rw-r--r--doc/manpage.d/ipsec.secrets.5.html227
1 files changed, 227 insertions, 0 deletions
diff --git a/doc/manpage.d/ipsec.secrets.5.html b/doc/manpage.d/ipsec.secrets.5.html
new file mode 100644
index 000000000..8abc1f492
--- /dev/null
+++ b/doc/manpage.d/ipsec.secrets.5.html
@@ -0,0 +1,227 @@
+Content-type: text/html
+
+<HTML><HEAD><TITLE>Manpage of IPSEC.SECRETS</TITLE>
+</HEAD><BODY>
+<H1>IPSEC.SECRETS</H1>
+Section: File Formats (5)<BR>Updated: 28 March 1999<BR><A HREF="#index">Index</A>
+<A HREF="http://localhost/cgi-bin/man/man2html">Return to Main Contents</A><HR>
+
+<A NAME="lbAB">&nbsp;</A>
+<H2>NAME</H2>
+
+ipsec.secrets - secrets for IKE/IPsec authentication
+<A NAME="lbAC">&nbsp;</A>
+<H2>DESCRIPTION</H2>
+
+The file <I>ipsec.secrets</I> holds a table of secrets.
+These secrets are used by <I><A HREF="ipsec_pluto.8.html">ipsec_pluto</A></I>(8), the FreeS/WAN Internet Key
+Exchange daemon, to authenticate other hosts.
+Currently there are two kinds of secrets: preshared secrets and
+
+RSA private keys.
+<P>
+
+It is vital that these secrets be protected. The file should be owned
+by the super-user,
+and its permissions should be set to block all access by others.
+<P>
+
+The file is a sequence of entries and include directives.
+Here is an example. Each entry or directive must start at the
+left margin, but if it continues beyond a single line, each continuation
+line must be indented.
+<P>
+
+<DL COMPACT><DT><DD>
+<PRE>
+# sample /etc/ipsec.secrets file for 10.1.0.1
+10.1.0.1 10.2.0.1: PSK &quot;secret shared by two hosts&quot;
+
+# an entry may be split across lines,
+# but indentation matters
+<A HREF="http://www.xs4all.nl">www.xs4all.nl</A> @<A HREF="http://www.kremvax.ru">www.kremvax.ru</A>
+&nbsp;&nbsp;&nbsp;&nbsp;10.6.0.1 10.7.0.1 1.8.0.1: PSK &quot;secret shared by 5&quot;
+
+# an RSA private key.
+# note that the lines are too wide for a
+# man page, so ... has been substituted for
+# the truncated part
+@my.com: rsa {
+&nbsp;&nbsp;&nbsp;&nbsp;Modulus:&nbsp;0syXpo/6waam+ZhSs8Lt6jnBzu3C4grtt...
+&nbsp;&nbsp;&nbsp;&nbsp;PublicExponent:&nbsp;0sAw==
+&nbsp;&nbsp;&nbsp;&nbsp;PrivateExponent:&nbsp;0shlGbVR1m8Z+7rhzSyenCaBN...
+&nbsp;&nbsp;&nbsp;&nbsp;Prime1:&nbsp;0s8njV7WTxzVzRz7AP+0OraDxmEAt1BL5l...
+&nbsp;&nbsp;&nbsp;&nbsp;Prime2:&nbsp;0s1LgR7/oUMo9BvfU8yRFNos1s211KX5K0...
+&nbsp;&nbsp;&nbsp;&nbsp;Exponent1:&nbsp;0soaXj85ihM5M2inVf/NfHmtLutVz4r...
+&nbsp;&nbsp;&nbsp;&nbsp;Exponent2:&nbsp;0sjdAL9VFizF+BKU4ohguJFzOd55OG6...
+&nbsp;&nbsp;&nbsp;&nbsp;Coefficient:&nbsp;0sK1LWwgnNrNFGZsS/2GuMBg9nYVZ...
+&nbsp;&nbsp;&nbsp;&nbsp;}
+
+include ipsec.*.secrets # get secrets from other files
+</PRE>
+
+</DL>
+
+<P>
+
+Each entry in the file is a list of indices, followed by a secret.
+The two parts are separated by a colon (<B>:</B>) that is
+followed by whitespace or a newline. For compatability
+with the previous form of this file, if the key part is just a
+double-quoted string the colon may be left out.
+<P>
+
+An index is an IP address, or a Fully Qualified Domain Name, <A HREF="mailto:user@FQDN">user@FQDN</A>,
+<B>%any</B> or <B>%any6</B> (other kinds may come). An IP address may be written
+in the familiar dotted quad form or as a domain name to be looked up
+when the file is loaded
+(or in any of the forms supported by the FreeS/WAN <I><A HREF="ipsec_ttoaddr.3.html">ipsec_ttoaddr</A></I>(3)
+routine). In many cases it is a bad idea to use domain names because
+the name server may not be running or may be insecure. To denote a
+Fully Qualified Domain Name (as opposed to an IP address denoted by
+its domain name), precede the name with an at sign (<B>@</B>).
+<P>
+
+Matching IDs with indices is fairly straightforward: they have to be
+equal. In the case of a ``Road Warrior'' connection, if an equal
+match is not found for the Peer's ID, and it is in the form of an IP
+address, an index of <B>%any</B> will match the peer's IP address if IPV4
+and <B>%any6</B> will match a the peer's IP address if IPV6.
+Currently, the obsolete notation <B>0.0.0.0</B> may be used in place of
+<B>%any</B>.
+<P>
+
+An additional complexity
+arises in the case of authentication by preshared secret: the
+responder will need to look up the secret before the Peer's ID payload has
+been decoded, so the ID used will be the IP address.
+<P>
+
+To authenticate a connection between two hosts, the entry that most
+specifically matches the host and peer IDs is used. An entry with no
+index will match any host and peer. More specifically, an entry with one index will
+match a host and peer if the index matches the host's ID (the peer isn't
+considered). Still more specifically, an entry with multiple indices will match a host and
+peer if the host ID and peer ID each match one of the indices. If the key
+is for an asymmetric authentication technique (i.e. a public key
+system such as RSA), an entry with multiple indices will match a host
+and peer even if only the host ID matches an index (it is presumed that the
+multiple indices are all identities of the host).
+It is acceptable for two entries to be the best match as
+long as they agree about the secret or private key.
+<P>
+
+Authentication by preshared secret requires that both systems find the
+identical secret (the secret is not actually transmitted by the IKE
+protocol). If both the host and peer appear in the index list, the
+same entry will be suitable for both systems so verbatim copying
+between systems can be used. This naturally extends to larger groups
+sharing the same secret. Thus multiple-index entries are best for PSK
+authentication.
+<P>
+
+Authentication by RSA Signatures requires that each host have its own private
+key. A host could reasonably use a different private keys
+for different interfaces and for different peers. But it would not
+be normal to share entries between systems. Thus thus no-index and
+one-index forms of entry often make sense for RSA Signature authentication.
+<P>
+
+The key part of an entry may start with a token indicating the kind of
+key. ``RSA'' signifies RSA private key and ``PSK'' signifies
+PreShared Key (case is ignored). For compatability with previous
+forms of this file, PSK is the default.
+<P>
+
+A preshared secret is most conveniently represented as a sequence of
+characters, delimited by the double-quote
+character (<B>&quot;</B>). The sequence cannot contain a newline or
+double-quote. Strictly speaking, the secret is actually the sequence
+of bytes that is used in the file to represent the sequence of
+characters (excluding the delimiters).
+A preshared secret may also be represented, without quotes, in any form supported by
+<I><A HREF="ipsec_ttodata.3.html">ipsec_ttodata</A></I>(3).
+<P>
+
+An RSA private key is a composite of eight generally large numbers. The notation
+used is a brace-enclosed list of field name and value pairs (see the example above).
+A suitable key, in a suitable format, may be generated by <I><A HREF="ipsec_rsasigkey.8.html">ipsec_rsasigkey</A></I>(8).
+The structure is very similar to that used by BIND 8.2.2 or later, but note that
+the numbers must have a ``0s'' prefix if they are in base 64. The order of
+the fields is fixed.
+<P>
+
+The first token an entry must start in
+the first column of its line. Subsequent tokens must be
+separated by whitespace,
+except for a colon token, which only needs to be followed by whitespace.
+A newline is taken as whitespace, but every
+line of an entry after the first must be indented.
+<P>
+
+Whitespace at the end of a line is ignored (except in the 0t
+notation for a key). At the start of line or
+after whitespace, <B>#</B> and the following text up to the end of the
+line is treated as a comment. Within entries, all lines must be
+indented (except for lines with no tokens).
+Outside entries, no line may be indented (this is to make sure that
+the file layout reflects its structure).
+<P>
+
+An include directive causes the contents of the named file to be processed
+before continuing with the current file. The filename is subject to
+``globbing'' as in <I><A HREF="sh.1.html">sh</A></I>(1), so every file with a matching name
+is processed. Includes may be nested to a modest
+depth (10, currently). If the filename doesn't start with a <B>/</B>, the
+directory containing the current file is prepended to the name. The
+include directive is a line that starts with the word <B>include</B>,
+followed by whitespace, followed by the filename (which must not contain
+whitespace).
+<A NAME="lbAD">&nbsp;</A>
+<H2>FILES</H2>
+
+/etc/ipsec.secrets
+<A NAME="lbAE">&nbsp;</A>
+<H2>SEE ALSO</H2>
+
+The rest of the FreeS/WAN distribution, in particular
+<I><A HREF="ipsec.conf.5.html">ipsec.conf</A></I>(5),
+<I><A HREF="ipsec.8.html">ipsec</A></I>(8),
+<I><A HREF="ipsec_newhostkey.8.html">ipsec_newhostkey</A></I>(8),
+<I><A HREF="ipsec_rsasigkey.8.html">ipsec_rsasigkey</A></I>(8),
+<I><A HREF="ipsec_showhostkey.8.html">ipsec_showhostkey</A></I>(8),
+<I><A HREF="ipsec_auto.8.html">ipsec_auto</A></I>(8) <B>--rereadsecrets</B>,
+and <I><A HREF="ipsec_pluto.8.html">ipsec_pluto</A></I>(8) <B>--listen</B>,.
+<BR>
+
+BIND 8.2.2 or later, <A HREF="ftp://ftp.isc.org/isc/bind/src/">ftp://ftp.isc.org/isc/bind/src/</A>
+<A NAME="lbAF">&nbsp;</A>
+<H2>HISTORY</H2>
+
+Designed for the FreeS/WAN project
+&lt;<A HREF="http://www.freeswan.org">http://www.freeswan.org</A>&gt;
+by D. Hugh Redelmeier.
+<A NAME="lbAG">&nbsp;</A>
+<H2>BUGS</H2>
+
+If an ID is <B>0.0.0.0</B>, it will match <B>%any</B>;
+if it is <B>0::0</B>, it will match <B>%any6</B>.
+<P>
+
+<HR>
+<A NAME="index">&nbsp;</A><H2>Index</H2>
+<DL>
+<DT><A HREF="#lbAB">NAME</A><DD>
+<DT><A HREF="#lbAC">DESCRIPTION</A><DD>
+<DT><A HREF="#lbAD">FILES</A><DD>
+<DT><A HREF="#lbAE">SEE ALSO</A><DD>
+<DT><A HREF="#lbAF">HISTORY</A><DD>
+<DT><A HREF="#lbAG">BUGS</A><DD>
+</DL>
+<HR>
+This document was created by
+<A HREF="http://localhost/cgi-bin/man/man2html">man2html</A>,
+using the manual pages.<BR>
+Time: 21:40:17 GMT, November 11, 2003
+</BODY>
+</HTML>