Diffstat (limited to 'man/ipsec.secrets.5.in')
-rw-r--r-- man/ipsec.secrets.5.in | 31
1 files changed, 16 insertions, 15 deletions
diff --git a/man/ipsec.secrets.5.in b/man/ipsec.secrets.5.in index aa1b5c9c1..319d4856b 100644 --- a/man/ipsec.secrets.5.in +++ b/man/ipsec.secrets.5.in @@ -37,13 +37,7 @@ by whitespace. If no ID selectors are specified the line must start with a colon. .LP A selector is an IP address, a Fully Qualified Domain Name, user@FQDN, -\fB%any\fP or \fB%any6\fP (other kinds may come). An IP address may be written -in the familiar dotted quad form or as a domain name to be looked up -when the file is loaded. -In many cases it is a bad idea to use domain names because -the name server may not be running or may be insecure. To denote a -Fully Qualified Domain Name (as opposed to an IP address denoted by -its domain name), precede the name with an at sign (\fB@\fP). +\fB%any\fP or \fB%any6\fP (other kinds may come). .LP Matching IDs with selectors is fairly straightforward: they have to be equal. In the case of a ``Road Warrior'' connection, if an equal @@ -100,6 +94,9 @@ defines an ECDSA private key .B EAP defines EAP credentials .TP +.B NTLM +defines NTLM credentials +.TP .B XAUTH defines XAUTH credentials .TP 
@@ -151,18 +148,22 @@ The format of \fIsecret\fP is the same as that of \fBPSK\fP secrets. .br \fBEAP\fP secrets are IKEv2 only. .TP +.B <user id> : NTLM <secret> +The format of \fIsecret\fP is the same as that of \fBPSK\fP secrets, but the +secret is stored as NTLM hash, which is MD4(UTF-16LE(secret)), instead of as +cleartext. +.br +\fBNTLM\fP secrets can only be used with the \fBeap-mschapv2\fP plugin. +.TP .B [ <servername> ] <username> : XAUTH <password> The format of \fIpassword\fP is the same as that of \fBPSK\fP secrets. \fBXAUTH\fP secrets are IKEv1 only. .TP -.B : PIN <smartcard selector> <pin code> | %prompt -IKEv1 uses the format -.B "%smartcard[<slot nr>[:<key id>]]" -to specify the smartcard selector (e.g. %smartcard1:50). -The IKEv2 daemon supports multiple modules with the format -.B "%smartcard[<slot nr>[@<module>]]:<keyid>" -, but always requires a keyid to uniquely select the correct key. Instead of -specifying the pin code statically, +.B : PIN %smartcard[<slot nr>[@<module>]]:<keyid> <pin code> | %prompt +The smartcard selector always requires a keyid to uniquely select the correct +key. The slot number defines the slot on the token, the module name refers to +the module name defined in strongswan.conf(5). +Instead of specifying the pin code statically, .B %prompt can be specified, which causes the daemons to ask the user for the pin code. .LP |
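Review bot: the first hunk (@@ -37,13 +37,7 @@) removes the only instruction for how a Fully Qualified Domain Name selector is written (precede the name with an at sign, \fB@\fP), while the kept line still lists "a Fully Qualified Domain Name" as a valid selector kind, so a reader of the new text has no way to tell an FQDN selector from an IP address given as a name. If the at-sign syntax is still required, keep that sentence, for example `To denote a Fully Qualified Domain Name, precede the name with an at sign (\fB@\fP).`; and if lookup of IP selectors written as domain names was dropped on purpose, say so explicitly, since existing ipsec.secrets files relying on it would otherwise stop matching without any hint in the manual.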
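Review bot: in the new NTLM paragraph of the third hunk (@@ -151,18 +148,22 @@), "stored as NTLM hash, which is MD4(UTF-16LE(secret))" does not say how that 16-byte hash value is written in the file; "the same as that of \fBPSK\fP secrets" leaves the reader to guess whether the hash goes in as hex, base64 or some other notation, so add one sentence naming the accepted notation(s). The phrase "instead of as cleartext" also reads as a hardening measure, but for eap-mschapv2 the NT hash is itself the credential the exchange is computed from, so it is password-equivalent; a short note that the file needs the same access restrictions as one holding cleartext secrets would prevent that misreading. In the PIN paragraph, "the module name refers to the module name defined in strongswan.conf(5)" is circular; suggest `the optional <module> names a module configured in strongswan.conf(5)`. Finally, the hunk drops the IKEv1 `%smartcard[<slot nr>[:<key id>]]` form without stating whether it is still accepted; if it is not, an explicit sentence saying so avoids silently breaking existing configurations.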