summaryrefslogtreecommitdiff
path: root/man/ipsec.secrets.5.in
diff options
context:
space:
mode:
Diffstat (limited to 'man/ipsec.secrets.5.in')
-rw-r--r--man/ipsec.secrets.5.in31
1 files changed, 16 insertions, 15 deletions
diff --git a/man/ipsec.secrets.5.in b/man/ipsec.secrets.5.in
index aa1b5c9c1..319d4856b 100644
--- a/man/ipsec.secrets.5.in
+++ b/man/ipsec.secrets.5.in
@@ -37,13 +37,7 @@ by whitespace. If no ID selectors are specified the line must start with a
colon.
.LP
A selector is an IP address, a Fully Qualified Domain Name, user@FQDN,
-\fB%any\fP or \fB%any6\fP (other kinds may come). An IP address may be written
-in the familiar dotted quad form or as a domain name to be looked up
-when the file is loaded.
-In many cases it is a bad idea to use domain names because
-the name server may not be running or may be insecure. To denote a
-Fully Qualified Domain Name (as opposed to an IP address denoted by
-its domain name), precede the name with an at sign (\fB@\fP).
+\fB%any\fP or \fB%any6\fP (other kinds may come).
.LP
Matching IDs with selectors is fairly straightforward: they have to be
equal. In the case of a ``Road Warrior'' connection, if an equal
@@ -100,6 +94,9 @@ defines an ECDSA private key
.B EAP
defines EAP credentials
.TP
+.B NTLM
+defines NTLM credentials
+.TP
.B XAUTH
defines XAUTH credentials
.TP
@@ -151,18 +148,22 @@ The format of \fIsecret\fP is the same as that of \fBPSK\fP secrets.
.br
\fBEAP\fP secrets are IKEv2 only.
.TP
+.B <user id> : NTLM <secret>
+The format of \fIsecret\fP is the same as that of \fBPSK\fP secrets, but the
+secret is stored as NTLM hash, which is MD4(UTF-16LE(secret)), instead of as
+cleartext.
+.br
+\fBNTLM\fP secrets can only be used with the \fBeap-mschapv2\fP plugin.
+.TP
.B [ <servername> ] <username> : XAUTH <password>
The format of \fIpassword\fP is the same as that of \fBPSK\fP secrets.
\fBXAUTH\fP secrets are IKEv1 only.
.TP
-.B : PIN <smartcard selector> <pin code> | %prompt
-IKEv1 uses the format
-.B "%smartcard[<slot nr>[:<key id>]]"
-to specify the smartcard selector (e.g. %smartcard1:50).
-The IKEv2 daemon supports multiple modules with the format
-.B "%smartcard[<slot nr>[@<module>]]:<keyid>"
-, but always requires a keyid to uniquely select the correct key. Instead of
-specifying the pin code statically,
+.B : PIN %smartcard[<slot nr>[@<module>]]:<keyid> <pin code> | %prompt
+The smartcard selector always requires a keyid to uniquely select the correct
+key. The slot number defines the slot on the token, the module name refers to
+the module name defined in strongswan.conf(5).
+Instead of specifying the pin code statically,
.B %prompt
can be specified, which causes the daemons to ask the user for the pin code.
.LP