Diffstat (limited to 'man/ipsec.secrets.5')
-rw-r--r--  man/ipsec.secrets.5 | 54
1 files changed, 34 insertions, 20 deletions
diff --git a/man/ipsec.secrets.5 b/man/ipsec.secrets.5 index c7c092502..a4a58f261 100644 --- a/man/ipsec.secrets.5 +++ b/man/ipsec.secrets.5 @@ -1,4 +1,4 @@ -.TH IPSEC.SECRETS 5 "2011-12-14" "4.6.2dr3" "strongSwan" +.TH IPSEC.SECRETS 5 "2011-12-14" "5.1.0rc1" "strongSwan" .SH NAME ipsec.secrets \- secrets for IKE/IPsec authentication .SH DESCRIPTION @@ -37,13 +37,7 @@ by whitespace. If no ID selectors are specified the line must start with a colon. .LP A selector is an IP address, a Fully Qualified Domain Name, user@FQDN, -\fB%any\fP or \fB%any6\fP (other kinds may come). An IP address may be written -in the familiar dotted quad form or as a domain name to be looked up -when the file is loaded. -In many cases it is a bad idea to use domain names because -the name server may not be running or may be insecure. To denote a -Fully Qualified Domain Name (as opposed to an IP address denoted by -its domain name), precede the name with an at sign (\fB@\fP). +\fB%any\fP or \fB%any6\fP (other kinds may come). .LP Matching IDs with selectors is fairly straightforward: they have to be equal. In the case of a ``Road Warrior'' connection, if an equal @@ -97,9 +91,15 @@ defines an RSA private key .B ECDSA defines an ECDSA private key .TP +.B P12 +defines a PKCS#12 container +.TP .B EAP defines EAP credentials .TP +.B NTLM +defines NTLM credentials +.TP .B XAUTH defines XAUTH credentials .TP 
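Review bot: in the `.TH` hunk the version field is bumped from "4.6.2dr3" to "5.1.0rc1" but the date field is left at "2011-12-14"; since the rest of this patch changes documented behaviour (selector syntax for key entries, new P12 and NTLM types, the smartcard selector format), the date in the header should be updated to the revision date as well.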
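Review bot: the `-37,13 +37,7` hunk removes the only sentence that explains how a Fully Qualified Domain Name selector is told apart from an IP address written as a domain name (the leading `@`), yet the surviving line still lists "a Fully Qualified Domain Name" as a selector kind. If the `@` prefix is still the way an FQDN selector is written, keep a sentence such as "To denote a Fully Qualified Domain Name (as opposed to an IP address denoted by its domain name), precede the name with an at sign (\fB@\fP)."; if domain names are no longer resolved when the file is loaded, say so explicitly, because the dropped warning about relying on a name server that "may not be running or may be insecure" was the security-relevant part of the removed text and readers of older files will want to know that behaviour is gone.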
@@ -136,35 +136,49 @@ Similarly, a character sequence beginning with .B 0s is interpreted as Base64 encoded binary data. .TP -.B [ <selectors> ] : RSA <private key file> [ <passphrase> | %prompt ] +.B : RSA <private key file> [ <passphrase> | %prompt ] .TQ -.B [ <selectors> ] : ECDSA <private key file> [ <passphrase> | %prompt ] +.B : ECDSA <private key file> [ <passphrase> | %prompt ] For the private key file both absolute paths or paths relative to \fI/etc/ipsec.d/private\fP are accepted. If the private key file is encrypted, the \fIpassphrase\fP must be defined. Instead of a passphrase .B %prompt -can be used which then causes the daemons to ask the user for the password +can be used which then causes the daemon to ask the user for the password whenever it is required to decrypt the key. .TP +.B : P12 <PKCS#12 file> [ <passphrase> | %prompt ] +For the PKCS#12 file both absolute paths or paths relative to +\fI/etc/ipsec.d/private\fP are accepted. If the container is +encrypted, the \fIpassphrase\fP must be defined. Instead of a passphrase +.B %prompt +can be used which then causes the daemon to ask the user for the password +whenever it is required to decrypt the container. Private keys, client and CA +certificates are extracted from the container. To use such a client certificate +in a connection set leftid to one of the subjects of the certificate. +.TP .B <user id> : EAP <secret> The format of \fIsecret\fP is the same as that of \fBPSK\fP secrets. .br \fBEAP\fP secrets are IKEv2 only. .TP +.B <user id> : NTLM <secret> +The format of \fIsecret\fP is the same as that of \fBPSK\fP secrets, but the +secret is stored as NTLM hash, which is MD4(UTF-16LE(secret)), instead of as +cleartext. +.br +\fBNTLM\fP secrets can only be used with the \fBeap-mschapv2\fP plugin. +.TP .B [ <servername> ] <username> : XAUTH <password> The format of \fIpassword\fP is the same as that of \fBPSK\fP secrets. \fBXAUTH\fP secrets are IKEv1 only. 
.TP -.B : PIN <smartcard selector> <pin code> | %prompt -IKEv1 uses the format -.B "%smartcard[<slot nr>[:<key id>]]" -to specify the smartcard selector (e.g. %smartcard1:50). -The IKEv2 daemon supports multiple modules with the format -.B "%smartcard[<slot nr>[@<module>]]:<keyid>" -, but always requires a keyid to uniquely select the correct key. Instead of -specifying the pin code statically, +.B : PIN %smartcard[<slot nr>[@<module>]]:<keyid> <pin code> | %prompt +The smartcard selector always requires a keyid to uniquely select the correct +key. The slot number defines the slot on the token, the module name refers to +the module name defined in strongswan.conf(5). +Instead of specifying the pin code statically, .B %prompt -can be specified, which causes the daemons to ask the user for the pin code. +can be specified, which causes the daemon to ask the user for the pin code. .LP .SH FILES |
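Review bot: the new NTLM paragraph states that the secret "is stored as NTLM hash, which is MD4(UTF-16LE(secret))" but never shows how that hash is written on the line; since the format is said to be "the same as that of \fBPSK\fP secrets", state that the hash is given as binary data (for example in the `0s`-prefixed Base64 form introduced at the top of this hunk) and add one illustrative line such as `<user id> : NTLM 0s<base64 hash>`. "as NTLM hash" also reads better as "as an NTLM hash", and it is worth one clause saying that storing the hash "instead of as cleartext" does not relax the protection the file needs, because the hash is what the \fBeap-mschapv2\fP exchange uses. Two further points in the same hunk: the P12 paragraph says "Private keys, client and CA certificates are extracted from the container" without saying whether CA certificates found in a container are added to the set of trusted CAs, which an administrator loading a container received from a third party needs to know, so state it one way or the other; and the path/passphrase/%prompt sentences under P12 repeat the RSA/ECDSA text verbatim, so a `.TQ` on the P12 synopsis (as already used for ECDSA) would let the three entries share one description. Finally, dropping `[ <selectors> ]` from the RSA and ECDSA synopses changes what the file accepts, while the general selector text earlier in the page ("If no ID selectors are specified the line must start with a colon") still implies selectors are optional for every type; a sentence noting that private key entries take no selectors would keep the two parts consistent and avoid silently breaking existing files.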