Diffstat (limited to 'programs/_confread')
-rw-r--r-- | programs/_confread/.cvsignore | 7 | ||||
-rw-r--r-- | programs/_confread/Makefile | 27 | ||||
-rw-r--r-- | programs/_confread/README.conf.V2 | 103 | ||||
-rw-r--r-- | programs/_confread/_confread.8 | 28 | ||||
-rwxr-xr-x | programs/_confread/_confread.in | 520 | ||||
-rw-r--r-- | programs/_confread/block.in | 8 | ||||
-rw-r--r-- | programs/_confread/clear-or-private.in | 8 | ||||
-rw-r--r-- | programs/_confread/clear.in | 7 | ||||
-rw-r--r-- | programs/_confread/ipsec.conf.5 | 1286 | ||||
-rw-r--r-- | programs/_confread/ipsec.conf.in | 44 | ||||
-rw-r--r-- | programs/_confread/private-or-clear.in | 14 | ||||
-rw-r--r-- | programs/_confread/private.in | 6 | ||||
-rwxr-xr-x | programs/_confread/randomize | 28 |
13 files changed, 0 insertions, 2086 deletions
diff --git a/programs/_confread/.cvsignore b/programs/_confread/.cvsignore
deleted file mode 100644
index 405492384..000000000
--- a/programs/_confread/.cvsignore
+++ /dev/null
@@ -1,7 +0,0 @@
-_confread
-ipsec.conf
-block
-clear
-private
-clear-or-private
-private-or-clear
diff --git a/programs/_confread/Makefile b/programs/_confread/Makefile
deleted file mode 100644
index 1bdc9a3f0..000000000
--- a/programs/_confread/Makefile
+++ /dev/null
@@ -1,27 +0,0 @@
-# Makefile for miscelaneous programs
-# Copyright (C) 2002 Michael Richardson <mcr@freeswan.org>
-#
-# This program is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by the
-# Free Software Foundation; either version 2 of the License, or (at your
-# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-# for more details.
-#
-# RCSID $Id: Makefile,v 1.2 2004/03/31 19:23:00 as Exp $
-
-FREESWANSRCDIR=../..
-include ${FREESWANSRCDIR}/Makefile.inc
-
-PROGRAM=_confread
-PROGRAMDIR=${LIBDIR}
-EXTRA5MAN=ipsec.conf.5
-CONFFILES=ipsec.conf
-
-CONFDSUBDIR=policies
-CONFDFILES=clear clear-or-private private-or-clear private block
-
-include ../Makefile.program
diff --git a/programs/_confread/README.conf.V2 b/programs/_confread/README.conf.V2
deleted file mode 100644
index 244e245c5..000000000
--- a/programs/_confread/README.conf.V2
+++ /dev/null
@@ -1,103 +0,0 @@ -Subject: [Design] changes to ipsec.conf -# RCSID $Id: README.conf.V2,v 1.1 2004/03/15 20:35:27 as Exp $ - -We are changing ipsec.conf for the 2.0 series of FreeS/WAN. - -OE is enabled by default. This is accomplished by automatically -defining a conn "OEself" UNLESS the sysadmin defines one with the same -name: - -conn OEself - # authby=rsasig # default - left=%defaultroute - leftrsasigkey=%dnsondemand # default - right=%opportunistic - rightrsasigkey=%dnsondemand # default - keyingtries=3 - ikelifetime=1h - keylife=1h # default - rekey=no - # disablearrivalcheck=no # default - auto=route - -This will only work if %defaultroute works. -The leftid will be the resulting IP address (won't work if -you haven't filled in the reverse DNS entry). -Unlike other conns, nothing in this implicit conn is changed by conn %default. - -We'd like a better name. A conn name starting with % cannot be -defined by the sysadmin, so that is out. Names that haven't grabbed -us: OEhost, OElocalhost, OEthishost, OEforself, OE4self. - -There is no requirement to have /etc/ipsec.conf. If you do, the first -significant line (non-blank, non-comment) must be (not indented): -version 2.0 -This signifies that the file was intended for FreeS/WAN version 2.0. - - -The following table shows most changes. "-" means that the option -doesn't exist. "Recent Boilerplate" shows the effect of the "conn -%default" in the automatically installed /etc/ipsec.conf (not -installed if you already had one). 
- -Option Old Default Recent Boilerplate New Default -====== =========== ================== =========== - -config setup: -interfaces "" %defaultroute %defaultroute -plutoload "" %search - [same as %search] -plutostart "" %search - [same as %search] -uniqueids no yes yes -rp_filter - - 0 -plutowait yes yes no -dump no no - [use dumpdir] -plutobackgroundload ignored ignored - -no_eroute_pass no no - [use packetdefault] - -conn %default: -keyingtries 3 0 %forever [0 means this] -disablearrivalcheck yes no no -authby secret rsasig rsasig -leftrsasigkey "" %dnsondemand %dnsondemand -rightrsasigkey "" %dnsondemand %dnsondemand -lifetime ==keylife ==keylife - [use keylife] -rekeystart ==rekeymargin ==rekeymargin - [use rekeymargin] -rekeytries ==keyingtries ==keyingtries - [use keyingtries] - -====== =========== ================== =========== -Option Old Default Recent Boilerplate New Default - - -The auto= mechanism has been extended to support manual conns. If you -specify auto=manual in a conn, an "ipsec manual" will be performed on -it at startup (ipsec setup start). - - -There is a new config setup option "rp_filter". It controls - /proc/sys/net/ipv4/conf/PHYS/rp_filter -for each PHYSical IP interface used by FreeS/WAN. Settings are: - %unchanged do not touch (but warn if wrong) - 0 set to 0; default; means: no filtering - 1 set to 1; means: loose filter - 2 set to 1; means: strict filter -0 is often necessary for FreeS/WAN to function. Some folks -want other settings. Shutting down FreeS/WAN does not restore -the original value. - -Currently ikelife defaults to 1 hour and keylife defaults to 8 hours. -There have been some rumblings that these are the wrong defaults, but -it isn't clear what would be best. Perhaps both should be closer. -Any thoughts of what these should be? Any Road Warrior or OE conn -should probably have carefully thought-out values explicitly -specified. The settings don't matter much for VPN connections. 
-
-keyingtries=%forever is the new improved notation for keyingtries=0.
-Eventually the 0 notation will be eliminated.
-
-Some options can now be set to %none to signify no setting. Otherwise
-there would be no way for the user to override a default setting:
- leftrsasigkey, rightrsasigkey [added in 1.98]
- interfaces
-
-Hugh Redelmeier
-hugh@mimosa.com voice: +1 416 482-8253
diff --git a/programs/_confread/_confread.8 b/programs/_confread/_confread.8
deleted file mode 100644
index 20d92a002..000000000
--- a/programs/_confread/_confread.8
+++ /dev/null
@@ -1,28 +0,0 @@
-.TH _CONFREAD 8 "25 Apr 2002"
-.\"
-.\" RCSID $Id: _confread.8,v 1.1 2004/03/15 20:35:27 as Exp $
-.\"
-.SH NAME
-ipsec _confread \- internal routing to parse config file
-.SH DESCRIPTION
-.I _confread
-is an internal script used for parsing /etc/ipsec.conf into a canonical format.
-.SH "SEE ALSO"
-ipsec(8), ipsec_conf(8)
-.SH HISTORY
-Man page written for the Linux FreeS/WAN project <http://www.freeswan.org/>
-by Michael Richardson. Program written by Henry Spencer.
-.\"
-.\" $Log: _confread.8,v $
-.\" Revision 1.1 2004/03/15 20:35:27 as
-.\" added files from freeswan-2.04-x509-1.5.3
-.\"
-.\" Revision 1.3 2002/09/16 01:28:43 dhr
-.\"
-.\" typo
-.\"
-.\" Revision 1.2 2002/04/29 22:39:31 mcr
-.\" added basic man page for all internal commands.
-.\"
-.\"
-.\"
diff --git a/programs/_confread/_confread.in b/programs/_confread/_confread.in
deleted file mode 100755
index 4561af9fe..000000000
--- a/programs/_confread/_confread.in
+++ /dev/null
@@ -1,520 +0,0 @@ -#!/bin/sh -# configuration-file reader utility -# Copyright (C) 1999-2002 Henry Spencer. -# -# This program is free software; you can redistribute it and/or modify it -# under the terms of the GNU General Public License as published by the -# Free Software Foundation; either version 2 of the License, or (at your -# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. -# -# This program is distributed in the hope that it will be useful, but -# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY -# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License -# for more details. -# -# RCSID $Id: _confread.in,v 1.15 2006/04/20 04:42:12 as Exp $ -# -# Extract configuration info from /etc/ipsec.conf, repackage as assignments -# to shell variables or tab-delimited fields. Success or failure is reported -# inline, as extra data, due to the vagaries of shell backquote handling. -# In the absence of --varprefix, output is tab-separated fields, like: -# = sectionname -# : parameter value -# ! status (empty for success, else complaint) -# In the presence of (say) "--varprefix IPSEC", output is like: -# IPSEC_confreadsection="sectionname" -# IPSECparameter="value" -# IPSEC_confreadstatus="status" (same empty/complaint convention) -# -# The "--search parametername" option inverts the search: instead of -# yielding the parameters of the specified name(s), it yields the names -# of sections with parameter <parametername> having (one of) the -# specified value(s). In this case, --varprefix output is a list of -# names in the <prefix>_confreadnames variable. Search values with -# white space in them are currently not handled properly. 
-# -# Typical usage: -# eval `ipsec _confread --varprefix IPSEC --type config setup` -# if test " $IPSEC_confreadstatus" != " " -# then -# echo "$0: $IPSEC_confreadstatus -- aborting" 2>&1 -# exit 1 -# fi - -# absent default config file treated as empty -config=${IPSEC_CONFS-@FINALCONFDIR@}/ipsec.conf -if test ! -f "$config" ; then config=/dev/null ; fi - -include=yes -type=conn -fieldfmt=yes -prefix= -search= -export=0 -version= -optional=0 -me="ipsec _confread" - -for dummy -do - case "$1" in - --config) config="$2" ; shift ;; - --noinclude) include= ;; - --type) type="$2" ; shift ;; - --varprefix) fieldfmt= - prefix="$2" - shift ;; - --export) export=1 ;; - --search) search="$2" ; shift ;; - --version) echo "$me $IPSEC_VERSION" ; exit 0 ;; - --optional) optional=1 ;; - --) shift ; break ;; - -*) echo "$0: unknown option \`$1'" >&2 ; exit 2 ;; - *) break ;; - esac - shift -done - -if test "$include" -then - ipsec _include --inband $config -else - cat $config -fi | -awk 'BEGIN { - type = "'"$type"'" - names = "'"$*"'" - prefix = "'"$prefix"'" - export = "'"$export"'" - optional = 0 + '"$optional"' - myid = "'"$IPSECmyid"'" - search = "'"$search"'" - searching = 0 - if (search != "") { - searching = 1 - searchpat = search "[ \t]*=[ \t]*" - } - fieldfmt = 0 - if ("'"$fieldfmt"'" == "yes") - fieldfmt = 1 - including = 0 - if ("'"$include"'" == "yes") - including = 1 - filename = "'"$config"'" - lineno = 0 - originalfilename = filename - if (fieldfmt) - bq = eq = "\"" - else - bq = eq = "\\\"" - failed = 0 - insection = 0 - wrongtype = 0 - indefault = 0 - outputting = 0 - sawnondefault = 0 - OFS = "\t" - o_status = "!" - o_parm = ":" - o_section = "=" - o_names = "%" - o_end = "." 
- n = split(names, na, " ") - if (n == 0) - fail("no section names supplied") - for (i = 1; i <= n; i++) { - if (na[i] in wanted) - fail("section " bq na[i] eq " requested more than once") - wanted[na[i]] = 1 - pending[na[i]] = 1 - if (!searching && na[i] !~ /^[a-zA-Z][a-zA-Z0-9._-]*$/) - fail("invalid section name " bq na[i] eq) - } - - good = "also alsoflip type auto authby _plutodevel" - left = " left leftsubnet leftnexthop leftfirewall lefthostaccess leftupdown" - akey = " keyexchange auth pfs keylife rekey rekeymargin rekeyfuzz" - akey = akey " dpdaction dpddelay dpdtimeout" - akey = akey " pfsgroup compress" - akey = akey " keyingtries ikelifetime disablearrivalcheck failureshunt ike" - mkey = " spibase spi esp espenckey espauthkey espreplay_window" - left = left " leftespenckey leftespauthkey leftahkey" - left = left " leftespspi leftahspi leftid leftrsasigkey leftrsasigkey2" - left = left " leftsendcert leftcert leftca leftsubnetwithin leftprotoport" - left = left " leftgroups leftsourceip" - mkey = mkey " ah ahkey ahreplay_window" - right = left - gsub(/left/, "right", right) - n = split(good left right akey mkey, g) - for (i = 1; i <= n; i++) - goodnames["conn:" g[i]] = 1 - - good = "also interfaces forwardcontrol myid" - good = good " syslog klipsdebug plutodebug plutoopts plutostderrlog" - good = good " plutorestartoncrash" - good = good " dumpdir manualstart pluto" - good = good " plutowait prepluto postpluto" - good = good " fragicmp hidetos rp_filter uniqueids" - good = good " overridemtu pkcs11module pkcs11keepstate pkcs11proxy" - good = good " nocrsend strictcrlpolicy crlcheckinterval cachecrls" - good = good " nat_traversal keep_alive force_keepalive" - good = good " disable_port_floating virtual_private" - - n = split(good, g) - for (i = 1; i <= n; i++) - goodnames["config:" g[i]] = 1 - - good = "auto cacert ldaphost ldapbase crluri crluri2 ocspuri" - good = good " strictcrlpolicy" - - n = split(good, g) - for (i = 1; i <= n; i++) - 
goodnames["ca:" g[i]] = 1 - - goodtypes["conn"] = 1 - goodtypes["config"] = 1 - goodtypes["ca"] = 1 - - badchars = "" - for (i = 1; i < 32; i++) - badchars = badchars sprintf("%c", i) - for (i = 127; i < 128+32; i++) - badchars = badchars sprintf("%c", i) - badchar = "[" badchars "]" - - # if searching, seen is set of sectionnames which match - # if not searching, seen is set of parameter names found - seen[""] = "" - defaults[""] = "" - usesdefault[""] = "" - orientation = 1 -} - - - -function output(code, v1, v2) { - if (code == o_parm) { - if (v2 == "") # suppress empty parameters - return - if (privatename(v1)) # and private ones - return - if (v2 ~ badchar) - fail("parameter value " bq v2 eq " contains unprintable character") - } - - if (fieldfmt) { - print code, v1, v2 - return - } - - if (code == o_status) { - v2 = v1 - v1 = "_confreadstatus" - } else if (code == o_section) { - v2 = v1 - v1 = "_confreadsection" - } else if (code == o_names) { - v2 = v1 - v1 = "_confreadnames" - } else if (code != o_parm) - return # currently no variable version of o_end - - print prefix v1 "=\"" v2 "\"" - if (export) - print "export " prefix v1 -} -function searchfound(sectionname, n, i, reflist) { - # a hit in x is a hit in everybody who refers to x too - n = split(refsto[sectionname], reflist, ";") - for (i = 1; i <= n; i++) - if (reflist[i] in seen) - fail("duplicated parameter " bq search eq) - else - seen[reflist[i]] = 1 - seen[sectionname] = 1 -} -function fail(msg) { - output(o_status, ("(" filename ", line " lineno ") " msg)) - failed = 1 - while ((getline junk) > 0) - continue - exit -} -function badname(n) { - if ((type ":" n) in goodnames) - return 0 - if (privatename(n)) - return 0 - return 1 -} -function privatename(n) { - if (n ~ /^[xX][-_]/) - return 1 - return 0 -} -function orient(n) { - if (orientation == -1) { - if (n ~ /left/) - gsub(/left/, "right", n) - else if (n ~ /right/) - gsub(/right/, "left", n) - } - return n -} -# in searching, referencing is 
transitive: xyz->from->to -function chainref(from, to, i, reflist, listnum) { - if (from in refsto) { - listnum = split(refsto[from], reflist, ";") - for (i = 1; i <= listnum; i++) - chainref(reflist[i], to) - } - if (to in refsto) - refsto[to] = refsto[to] ";" from - else - refsto[to] = from -} - -# start of rules - -{ - lineno++ - # lineno is now the number of this line - - # we must remember indentation because comment stripping loses it - exdented = $0 !~ /^[ \t]/ - sub(/^[ \t]+/, "") # get rid of leading white space - sub(/[ \t]+$/, "") # get rid of trailing white space -} -including && $0 ~ /^#[<>:]/ { - # _include control line - if ($1 ~ /^#[<>]$/) { - filename = $2 - lineno = $3 - 1 - } else if ($0 ~ /^#:/) { - msg = substr($0, 3) - gsub(/"/, "\\\"", msg) - fail(msg) - } - next -} -exdented { - # any non-leading-white-space line is a section end - ### but not the end of relevant stuff, might be also= sections later - ###if (insection && !indefault && !searching && outputting) - ### output(o_end) - insection = 0 - wrongtype = 0 - indefault = 0 - outputting = 0 -} -/[ \t]#/ { - # strip trailing comments including the leading whitespace - # tricky because we must respect quotes - q = 0 - for (i = 1; i <= NF; i++) { - if ($i ~ /^#/ && q % 2 == 0) { - NF = i - 1; - break - } - # using $i in gsub loses whitespace?!? 
- junk = $i - q += gsub(/"/, "&", junk) - } -} -$0 == "" || $0 ~ /^#/ { - # empty lines and comments are ignored - next -} -exdented && NF != 2 { - # bad section header - fail("section header " bq $0 eq " has wrong number of fields (" NF ")") -} -exdented && $1 == "version" { - version = $2 + 0 - if (version < 2.0 || 2.0 < version) - fail("we only support version 2.0 ipsec.conf files, not " bq version eq) - next -} -version == "" { - fail("we only support version 2 ipsec.conf files") -} -exdented && !($1 in goodtypes) { - # unknown section type - fail("section type " bq $1 eq " not recognized") -} -exdented && $1 != type { - # section header, but not of the type we want - insection = 1 - wrongtype = 1 - next -} -extented { - # type fits - wrongtype = 0 -} -exdented && $1 == "config" && $2 != "setup" { - fail("unknown config section " bq $2 eq) -} -exdented && $2 != "%default" { - # non-default section header of our type - sawnondefault = 1 -} -exdented && searching && $2 != "%default" { - # section header, during search - insection = 1 - sectionname = $2 - usesdefault[sectionname] = 1 # tentatively - next -} -exdented && !searching && $2 in wanted { - # one of our wanted section headers - if (!($2 in pending)) - fail("duplicate " type " section " bq $2 eq) - delete pending[$2] - tag = bq type " " $2 eq - outputting = 1 - insection = 1 - orientation = wanted[$2] - output(o_section, $2) - next -} -exdented && $2 == "%default" { - # relevant default section header - if (sawnondefault) - fail(bq $1 " %default" eq " sections must precede non-default ones") - tag = bq type " " $2 eq - indefault = 1 - next -} -exdented { - # section header, but not one we want - insection = 1 - next -} -!insection && !indefault { - # starts with white space but not in a section... 
oops - fail("parameter is not within a section") -} -!wrongtype && searching && $0 ~ searchpat { - # search found the right parameter name - match($0, searchpat) - rest = substr($0, RLENGTH+1) - if (rest ~ /^".*"$/) - rest = substr(rest, 2, length(rest)-2) - if (!indefault) { - if (!usesdefault[sectionname]) - fail("duplicated parameter " bq search eq) - usesdefault[sectionname] = 0 - } else if (search in defaults) - fail("duplicated parameter " bq search eq) - if (rest in wanted) { # a hit - if (indefault) - defaults[search] = rest - else - searchfound(sectionname) - } else { - # rather a kludge, but must check this somewhere - if (search == "auto" && rest !~ /^(add|route|start|ignore|manual)$/) - fail("illegal auto value " bq rest eq) - } - next -} -!searching && !outputting && !indefault { - # uninteresting line - next -} -$0 ~ /"/ && $0 !~ /^[^=]+=[ \t]*"[^"]*"$/ { - if (!searching) - fail("mismatched quotes in parameter value") - else - gsub(/"/, "", $0) -} -$0 !~ /^[a-zA-Z_][a-zA-Z0-9_-]*[ \t]*=/ { - if (searching) - next # just ignore it - fail("syntax error or illegal parameter name") -} -{ - sub(/[ \t]*=[ \t]*/, "=") # get rid of white space around = -} -$0 ~ /^(also|alsoflip)=/ { - v = orientation - if ($0 ~ /^alsoflip/) - v = -v; - if (indefault) - fail("%default section may not contain " bq "also" eq " or " bq "alsoflip" eq " parameter") - sub(/^(also|alsoflip)=/, "") - if ($0 !~ /^[a-zA-Z][a-zA-Z0-9._-]*$/) - fail("invalid section name " bq $0 eq) - if (!searching) { - if ($0 in wanted) - fail("section " bq $0 eq " requested more than once") - wanted[$0] = v - pending[$0] = 1 - } else - chainref(sectionname, $0) - next -} -!outputting && !indefault { - # uninteresting line even for a search - next -} -{ - equal = match($0, /[=]/) - name = substr($0, 1, equal-1) - if (badname(name)) - fail("unknown parameter name " bq name eq) - value = substr($0, equal+1) - if (value ~ /^"/) - value = substr(value, 2, length(value)-2) - else if (value ~ /[ \t]/) - 
fail("white space within non-quoted parameter " bq name eq) -} -indefault { - if (name in defaults) - fail("duplicated default parameter " bq name eq) - defaults[name] = value - next -} -{ - name = orient(name) - if (name in seen) - fail("duplicated parameter " bq name eq) - seen[name] = 1 - output(o_parm, name, value) -} -END { - if (failed) - exit 1 - - filename = originalfilename - unseen = "" - for (i in pending) - unseen = unseen " " i - if (!optional && !searching && unseen != "") - fail("did not find " type " section(s) " bq substr(unseen, 2) eq) - if (!searching) { - for (name in defaults) - if (!(name in seen)) - output(o_parm, name, defaults[name]) - } else { - if (defaults[search] in wanted) - for (name in usesdefault) - if (usesdefault[name]) - seen[name] = 1 - delete seen[""] - if (fieldfmt) - for (name in seen) - output(o_section, name) - else { - outlist = "" - for (name in seen) - if (outlist == "") - outlist = name - else - outlist = outlist " " name - output(o_names, outlist) - } - } - output(o_status, "") -}' diff --git a/programs/_confread/block.in b/programs/_confread/block.in deleted file mode 100644 index e3a4b2dd5..000000000 --- a/programs/_confread/block.in +++ /dev/null @@ -1,8 +0,0 @@ -# This file defines the set of CIDRs (network/mask-length) to which -# communication should never be allowed. -# -# See @FINALDOCDIR@/policygroups.html for details. -# -# $Id: block.in,v 1.1 2004/03/15 20:35:27 as Exp $ -# - diff --git a/programs/_confread/clear-or-private.in b/programs/_confread/clear-or-private.in deleted file mode 100644 index 800093d94..000000000 --- a/programs/_confread/clear-or-private.in +++ /dev/null 
@@ -1,8 +0,0 @@
-# This file defines the set of CIDRs (network/mask-length) to which
-# we will communicate in the clear, or, if the other side initiates IPSEC,
-# using encryption. This behaviour is also called "Opportunistic Responder".
-#
-# See @FINALDOCDIR@/policygroups.html for details.
-#
-# $Id: clear-or-private.in,v 1.1 2004/03/15 20:35:27 as Exp $
-#
diff --git a/programs/_confread/clear.in b/programs/_confread/clear.in
deleted file mode 100644
index 46e63388e..000000000
--- a/programs/_confread/clear.in
+++ /dev/null
@@ -1,7 +0,0 @@
-# This file defines the set of CIDRs (network/mask-length) to which
-# communication should always be in the clear.
-#
-# See @FINALDOCDIR@/policygroups.html for details.
-#
-# $Id: clear.in,v 1.1 2004/03/15 20:35:27 as Exp $
-#
diff --git a/programs/_confread/ipsec.conf.5 b/programs/_confread/ipsec.conf.5
deleted file mode 100644
index af6fae6bd..000000000
--- a/programs/_confread/ipsec.conf.5
+++ /dev/null
@@ -1,1286 +0,0 @@ -.TH IPSEC.CONF 5 "20 Jan 2006" -.\" RCSID $Id: ipsec.conf.5,v 1.2 2006/01/22 15:33:46 as Exp $ -.SH NAME -ipsec.conf \- IPsec configuration and connections -.SH DESCRIPTION -The optional -.I ipsec.conf -file -specifies most configuration and control information for the -strongSwan IPsec subsystem. -(The major exception is secrets for authentication; -see -.IR ipsec.secrets (5).) -Its contents are not security-sensitive -.I unless -manual keying is being done for more than just testing, -in which case the encryption/authentication keys in the -descriptions for the manually-keyed connections are very sensitive -(and those connection descriptions -are probably best kept in a separate file, -via the include facility described below). -.PP -The file is a text file, consisting of one or more -.IR sections . -White space followed by -.B # -followed by anything to the end of the line -is a comment and is ignored, -as are empty lines which are not within a section. -.PP -A line which contains -.B include -and a file name, separated by white space, -is replaced by the contents of that file, -preceded and followed by empty lines. -If the file name is not a full pathname, -it is considered to be relative to the directory containing the -including file. -Such inclusions can be nested. -Only a single filename may be supplied, and it may not contain white space, -but it may include shell wildcards (see -.IR sh (1)); -for example: -.PP -.B include -.B "ipsec.*.conf" -.PP -The intention of the include facility is mostly to permit keeping -information on connections, or sets of connections, -separate from the main configuration file. -This permits such connection descriptions to be changed, -copied to the other security gateways involved, etc., -without having to constantly extract them from the configuration -file and then insert them back into it. -Note also the -.B also -parameter (described below) which permits splitting a single logical -section (e.g. 
a connection description) into several actual sections. -.PP -The first significant line of the file must specify the version -of this specification that it conforms to: -.PP -\fBversion 2\fP -.PP -A section -begins with a line of the form: -.PP -.I type -.I name -.PP -where -.I type -indicates what type of section follows, and -.I name -is an arbitrary name which distinguishes the section from others -of the same type. -(Names must start with a letter and may contain only -letters, digits, periods, underscores, and hyphens.) -All subsequent non-empty lines -which begin with white space are part of the section; -comments within a section must begin with white space too. -There may be only one section of a given type with a given name. -.PP -Lines within the section are generally of the form -.PP -\ \ \ \ \ \fIparameter\fB=\fIvalue\fR -.PP -(note the mandatory preceding white space). -There can be white space on either side of the -.BR = . -Parameter names follow the same syntax as section names, -and are specific to a section type. -Unless otherwise explicitly specified, -no parameter name may appear more than once in a section. -.PP -An empty -.I value -stands for the system default value (if any) of the parameter, -i.e. it is roughly equivalent to omitting the parameter line entirely. -A -.I value -may contain white space only if the entire -.I value -is enclosed in double quotes (\fB"\fR); -a -.I value -cannot itself contain a double quote, -nor may it be continued across more than one line. -.PP -Numeric values are specified to be either an ``integer'' -(a sequence of digits) or a ``decimal number'' -(sequence of digits optionally followed by `.' and another sequence of digits). -.PP -There is currently one parameter which is available in any type of -section: -.TP -.B also -the value is a section name; -the parameters of that section are appended to this section, -as if they had been written as part of it. 
-The specified section must exist, must follow the current one, -and must have the same section type. -(Nesting is permitted, -and there may be more than one -.B also -in a single section, -although it is forbidden to append the same section more than once.) -This allows, for example, keeping the encryption keys -for a connection in a separate file -from the rest of the description, by using both an -.B also -parameter and an -.B include -line. -.PP -Parameter names beginning with -.B x- -(or -.BR X- , -or -.BR x_ , -or -.BR X_ ) -are reserved for user extensions and will never be assigned meanings -by IPsec. -Parameters with such names must still observe the syntax rules -(limits on characters used in the name; -no white space in a non-quoted value; -no newlines or double quotes within the value). -All other as-yet-unused parameter names are reserved for future IPsec -improvements. -.PP -A section with name -.B %default -specifies defaults for sections of the same type. -For each parameter in it, -any section of that type which does not have a parameter of the same name -gets a copy of the one from the -.B %default -section. -There may be multiple -.B %default -sections of a given type, -but only one default may be supplied for any specific parameter name, -and all -.B %default -sections of a given type must precede all non-\c -.B %default -sections of that type. -.B %default -sections may not contain the -.B also -parameter. -.PP -Currently there are three types of sections: -a -.B config -section specifies general configuration information for IPsec, a -.B conn -section specifies an IPsec connection, while a -.B ca -section specifies special properties a certification authority. -.SH "CONN SECTIONS" -A -.B conn -section contains a -.IR "connection specification" , -defining a network connection to be made using IPsec. -The name given is arbitrary, and is used to identify the connection to -.IR ipsec_auto (8) -and -.IR ipsec_manual (8). 
-Here's a simple example: -.PP -.ne 10 -.nf -.ft B -.ta 1c -conn snt - left=10.11.11.1 - leftsubnet=10.0.1.0/24 - leftnexthop=172.16.55.66 - right=192.168.22.1 - rightsubnet=10.0.2.0/24 - rightnexthop=172.16.88.99 - keyingtries=%forever -.ft -.fi -.PP -A note on terminology... -In automatic keying, there are two kinds of communications going on: -transmission of user IP packets, and gateway-to-gateway negotiations for -keying, rekeying, and general control. -The data path (a set of ``IPsec SAs'') used for user packets is herein -referred to as the ``connection''; -the path used for negotiations (built with ``ISAKMP SAs'') is referred to as -the ``keying channel''. -.PP -To avoid trivial editing of the configuration file to suit it to each system -involved in a connection, -connection specifications are written in terms of -.I left -and -.I right -participants, -rather than in terms of local and remote. -Which participant is considered -.I left -or -.I right -is arbitrary; -IPsec figures out which one it is being run on based on internal information. -This permits using identical connection specifications on both ends. -There are cases where there is no symmetry; a good convention is to -use -.I left -for the local side and -.I right -for the remote side (the first letters are a good mnemonic). -.PP -Many of the parameters relate to one participant or the other; -only the ones for -.I left -are listed here, but every parameter whose name begins with -.B left -has a -.B right -counterpart, -whose description is the same but with -.B left -and -.B right -reversed. -.PP -Parameters are optional unless marked ``(required)''; -a parameter required for manual keying need not be included for -a connection which will use only automatic keying, and vice versa. -.SS "CONN PARAMETERS: GENERAL" -The following parameters are relevant to both automatic and manual keying. 
-Unless otherwise noted, -for a connection to work, -in general it is necessary for the two ends to agree exactly -on the values of these parameters. -.TP 14 -.B type -the type of the connection; currently the accepted values -are -.B tunnel -(the default) -signifying a host-to-host, host-to-subnet, or subnet-to-subnet tunnel; -.BR transport , -signifying host-to-host transport mode; -.BR passthrough , -signifying that no IPsec processing should be done at all; -.BR drop , -signifying that packets should be discarded; and -.BR reject , -signifying that packets should be discarded and a diagnostic ICMP returned. -.TP -.B left -(required) -the IP address of the left participant's public-network interface, -in any form accepted by -.IR ipsec_ttoaddr (3) -or one of several magic values. -If it is -.BR %defaultroute , -and -the -.B config -.B setup -section's, -.B interfaces -specification contains -.BR %defaultroute, -.B left -will be filled in automatically with the local address -of the default-route interface (as determined at IPsec startup time); -this also overrides any value supplied for -.BR leftnexthop . -(Either -.B left -or -.B right -may be -.BR %defaultroute , -but not both.) -The value -.B %any -signifies an address to be filled in (by automatic keying) during -negotiation. -The value -.B %opportunistic -signifies that both -.B left -and -.B leftnexthop -are to be filled in (by automatic keying) from DNS data for -.BR left 's -client. -The values -.B %group -and -.B %opportunisticgroup -makes this a policy group conn: one that will be instantiated -into a regular or opportunistic conn for each CIDR block listed in the -policy group file with the same name as the conn. 
-.TP -.B leftsubnet -private subnet behind the left participant, expressed as -\fInetwork\fB/\fInetmask\fR -(actually, any form acceptable to -.IR ipsec_ttosubnet (3)); -if omitted, essentially assumed to be \fIleft\fB/32\fR, -signifying that the left end of the connection goes to the left participant only -.TP -.B leftnexthop -next-hop gateway IP address for the left participant's connection -to the public network; -defaults to -.B %direct -(meaning -.IR right ). -If the value is to be overridden by the -.B left=%defaultroute -method (see above), -an explicit value must -.I not -be given. -If that method is not being used, -but -.B leftnexthop -is -.BR %defaultroute , -and -.B interfaces=%defaultroute -is used in the -.B config -.B setup -section, -the next-hop gateway address of the default-route interface -will be used. -The magic value -.B %direct -signifies a value to be filled in (by automatic keying) -with the peer's address. -Relevant only locally, other end need not agree on it. -.TP -.B leftupdown -what ``updown'' script to run to adjust routing and/or firewalling -when the status of the connection -changes (default -.BR "ipsec _updown" ). -May include positional parameters separated by white space -(although this requires enclosing the whole string in quotes); -including shell metacharacters is unwise. -See -.IR ipsec_pluto (8) -for details. -Relevant only locally, other end need not agree on it. -.TP -.B leftfirewall -whether the left participant is doing forwarding-firewalling -(including masquerading) for traffic from \fIleftsubnet\fR, -which should be turned off (for traffic to the other subnet) -once the connection is established; -acceptable values are -.B yes -and (the default) -.BR no . -May not be used in the same connection description with -.BR leftupdown . -Implemented as a parameter to the default -.I updown -script. -See notes below. -Relevant only locally, other end need not agree on it. 
-.PP -If one or both security gateways are doing forwarding firewalling -(possibly including masquerading), -and this is specified using the firewall parameters, -tunnels established with IPsec are exempted from it -so that packets can flow unchanged through the tunnels. -(This means that all subnets connected in this manner must have -distinct, non-overlapping subnet address blocks.) -This is done by the default -.I updown -script (see -.IR ipsec_pluto (8)). -.PP -The implementation of this makes certain assumptions about firewall setup, -notably the use of the old -.I ipfwadm -interface to the firewall. -In situations calling for more control, -it may be preferable for the user to supply his own -.I updown -script, -which makes the appropriate adjustments for his system. -.SS "CONN PARAMETERS: AUTOMATIC KEYING" -The following parameters are relevant only to automatic keying, -and are ignored in manual keying. -Unless otherwise noted, -for a connection to work, -in general it is necessary for the two ends to agree exactly -on the values of these parameters. -.TP 14 -.B auto -what operation, if any, should be done automatically at IPsec startup; -currently-accepted values are -.B add -(signifying an -.B ipsec auto -.BR \-\-add ), -.B route -(signifying that plus an -.B ipsec auto -.BR \-\-route ), -.B start -(signifying that plus an -.B ipsec auto -.BR \-\-up ), -.B manual -(signifying an -.B ipsec -.B manual -.BR \-\-up ), -and -.B ignore -(also the default) (signifying no automatic startup operation). -See the -.B config -.B setup -discussion below. -Relevant only locally, other end need not agree on it -(but in general, for an intended-to-be-permanent connection, -both ends should use -.B auto=start -to ensure that any reboot causes immediate renegotiation). -.TP -.B auth -whether authentication should be done as part of -ESP encryption, or separately using the AH protocol; -acceptable values are -.B esp -(the default) and -.BR ah . 
-.TP -.B authby -how the two security gateways should authenticate each other; -acceptable values are -.B secret -for shared secrets, -.B rsasig -for RSA digital signatures (the default), -.B secret|rsasig -for either, and -.B never -if negotiation is never to be attempted or accepted (useful for shunt-only conns). -Digital signatures are superior in every way to shared secrets. -.TP -.B compress -whether IPComp compression of content is proposed on the connection -(link-level compression does not work on encrypted data, -so to be effective, compression must be done \fIbefore\fR encryption); -acceptable values are -.B yes -and -.B no -(the default). -The two ends need not agree. -A value of -.B yes -causes IPsec to propose both compressed and uncompressed, -and prefer compressed. -A value of -.B no -prevents IPsec from proposing compression; -a proposal to compress will still be accepted. -.TP -.B disablearrivalcheck -whether KLIPS's normal tunnel-exit check -(that a packet emerging from a tunnel has plausible addresses in its header) -should be disabled; -acceptable values are -.B yes -and -.B no -(the default). -Tunnel-exit checks improve security and do not break any normal configuration. -Relevant only locally, other end need not agree on it. -.TP -.B dpdaction -controls the use of the Dead Peer Detection protocol (DPD, RFC 3706) where -R_U_THERE IKE notification messages are periodically sent in order to check the -liveliness of the IPsec peer. The default is.. -.B none -which disables the active sending of R_U_THERE notifications. -Nevertheless pluto will always send the DPD Vendor ID during connection set up -in order to signal the readiness to act passively as a responder if the peer -wants to use DPD. The values -.B clear -and -.B hold -both activate DPD. If no activity is detected, all connections with a dead peer -are stopped and unrouted ( -.B clear -) or put in the hold state ( -.B hold -). 
-.TP -.B dpddelay -defines the period time interval with which R_U_THERE messages are sent to the peer. -.TP -.B dpdtimeout -defines the timeout interval, after which all connections to a peer are deleted -in case of inactivity. -.TP -.B failureshunt -what to do with packets when negotiation fails. -The default is -.BR none : -no shunt; -.BR passthrough , -.BR drop , -and -.B reject -have the obvious meanings. -.TP -.B ikelifetime -how long the keying channel of a connection (buzzphrase: ``ISAKMP SA'') -should last before being renegotiated; -acceptable values as for -.B keyexchange -method of key exchange; -the default and currently the only accepted value is -.B ike -.TP -.B keylife -(default set by -.IR ipsec_pluto (8), -currently -.BR 3h , -maximum -.BR 24h ). -The two-ends-disagree case is similar to that of -.BR keylife . -.TP -.B keyingtries -how many attempts (a whole number or \fB%forever\fP) should be made to -negotiate a connection, or a replacement for one, before giving up -(default -.BR %forever ). -The value \fB%forever\fP -means ``never give up'' (obsolete: this can be written \fB0\fP). -Relevant only locally, other end need not agree on it. -.TP -.B keylife -how long a particular instance of a connection -(a set of encryption/authentication keys for user packets) should last, -from successful negotiation to expiry; -acceptable values are an integer optionally followed by -.BR s -(a time in seconds) -or a decimal number followed by -.BR m , -.BR h , -or -.B d -(a time -in minutes, hours, or days respectively) -(default -.BR 1h , -maximum -.BR 24h ). -Normally, the connection is renegotiated (via the keying channel) -before it expires. -The two ends need not exactly agree on -.BR keylife , -although if they do not, -there will be some clutter of superseded connections on the end -which thinks the lifetime is longer. 
-.TP -.B leftca -the distinguished name of a certificate authority which is required to -lie in the trust path going from the left participant's certificate up -to the root certification authority. -.TP -.B leftcert -the path to the left participant's X.509 certificate. The file can be coded either in -PEM or DER format. OpenPGP certificates are supported as well. -Both absolute paths or paths relative to -.B /etc/ipsec.d/certs -are accepted. By default -.B leftcert -sets -.B leftid -to the distinguished name of the certificate's subject and -.B leftca -to the distinguished name of the certificate's issuer. -The left participant's ID can be overriden by specifying a -.B leftid -value which must be certified by the certificate, though. -.TP -.B leftgroups -a comma separated list of group names. If the -.B leftgroups -parameter is present then the peer must be a member of at least one -of the groups defined by the parameter. Group membership must be certified -by a valid attribute certificate stored in \fI/etc/ipsec.d/acerts\fP thas has been -issued to the peer by a trusted Authorization Authority stored in -\fI/etc/ipsec.d/aacerts\fP. -.TP -.B leftid -how -the left participant -should be identified for authentication; -defaults to -.BR left . -Can be an IP address (in any -.IR ipsec_ttoaddr (3) -syntax) -or a fully-qualified domain name preceded by -.B @ -(which is used as a literal string and not resolved). -The magic value -.B %myid -stands for the current setting of \fImyid\fP. -This is set in \fBconfig setup\fP or by \fIipsec_whack\fP(8)), or, if not set, -it is the IP address in \fB%defaultroute\fP (if that is supported by a TXT record in its reverse domain), or otherwise -it is the system's hostname (if that is supported by a TXT record in its forward domain), or otherwise it is undefined. -.TP -.B leftrsasigkey -the left participant's -public key for RSA signature authentication, -in RFC 2537 format using -.IR ipsec_ttodata (3) -encoding. 
-The magic value -.B %none -means the same as not specifying a value (useful to override a default). -The value -.B %cert -(the default) -means that the key is extracted from a certificate. -The value -.B %dnsondemand -means the key is to be fetched from DNS at the time it is needed. -The value -.B %dnsonload -means the key is to be fetched from DNS at the time -the connection description is read from -.IR ipsec.conf ; -currently this will be treated as -.B %none -if -.B right=%any -or -.BR right=%opportunistic . -The value -.B %dns -is currently treated as -.B %dnsonload -but will change to -.B %dnsondemand -in the future. -The identity used for the left participant -must be a specific host, not -.B %any -or another magic value. -.B Caution: -if two connection descriptions -specify different public keys for the same -.BR leftid , -confusion and madness will ensue. -.TP -.B leftrsasigkey2 -if present, a second public key. -Either key can authenticate the signature, allowing for key rollover. -.TP -.B leftsourceip -.TP -.B leftsubnetwithin -.TP -.B pfs -whether Perfect Forward Secrecy of keys is desired on the connection's -keying channel -(with PFS, penetration of the key-exchange protocol -does not compromise keys negotiated earlier); -acceptable values are -.B yes -(the default) -and -.BR no . -.TP -.B rekey -whether a connection should be renegotiated when it is about to expire; -acceptable values are -.B yes -(the default) -and -.BR no . -The two ends need not agree, -but while a value of -.B no -prevents Pluto from requesting renegotiation, -it does not prevent responding to renegotiation requested from the other end, -so -.B no -will be largely ineffective unless both ends agree on it. 
-.TP -.B rekeyfuzz -maximum percentage by which -.B rekeymargin -should be randomly increased to randomize rekeying intervals -(important for hosts with many connections); -acceptable values are an integer, -which may exceed 100, -followed by a `%' -(default set by -.IR ipsec_pluto (8), -currently -.BR 100% ). -The value of -.BR rekeymargin , -after this random increase, -must not exceed -.BR keylife . -The value -.B 0% -will suppress time randomization. -Relevant only locally, other end need not agree on it. -.TP -.B rekeymargin -how long before connection expiry or keying-channel expiry -should attempts to -negotiate a replacement -begin; acceptable values as for -.B keylife -(default -.BR 9m ). -Relevant only locally, other end need not agree on it. -.SS "CONN PARAMETERS: MANUAL KEYING" -The following parameters are relevant only to manual keying, -and are ignored in automatic keying. -Unless otherwise noted, -for a connection to work, -in general it is necessary for the two ends to agree exactly -on the values of these parameters. -A manually-keyed -connection must specify at least one of AH or ESP. 
-.TP 14 -.B spi -(this or -.B spibase -required for manual keying) -the SPI number to be used for the connection (see -.IR ipsec_manual (8)); -must be of the form \fB0x\fIhex\fB\fR, -where -.I hex -is one or more hexadecimal digits -(note, it will generally be necessary to make -.I spi -at least -.B 0x100 -to be acceptable to KLIPS, -and use of SPIs in the range -.BR 0x100 - 0xfff -is recommended) -.TP 14 -.B spibase -(this or -.B spi -required for manual keying) -the base number for the SPIs to be used for the connection (see -.IR ipsec_manual (8)); -must be of the form \fB0x\fIhex\fB0\fR, -where -.I hex -is one or more hexadecimal digits -(note, it will generally be necessary to make -.I spibase -at least -.B 0x100 -for the resulting SPIs -to be acceptable to KLIPS, -and use of numbers in the range -.BR 0x100 - 0xff0 -is recommended) -.TP -.B esp -ESP encryption/authentication algorithm to be used -for the connection, e.g. -.B 3des-md5-96 -(must be suitable as a value of -.IR ipsec_spi (8)'s -.B \-\-esp -option); -default is not to use ESP -.TP -.B espenckey -ESP encryption key -(must be suitable as a value of -.IR ipsec_spi (8)'s -.B \-\-enckey -option) -(may be specified separately for each direction using -.B leftespenckey -(leftward SA) -and -.B rightespenckey -parameters) -.TP -.B espauthkey -ESP authentication key -(must be suitable as a value of -.IR ipsec_spi (8)'s -.B \-\-authkey -option) -(may be specified separately for each direction using -.B leftespauthkey -(leftward SA) -and -.B rightespauthkey -parameters) -.TP -.B espreplay_window -ESP replay-window setting, -an integer from -.B 0 -(the -.IR ipsec_manual -default, which turns off replay protection) to -.BR 64 ; -relevant only if ESP authentication is being used -.TP -.B leftespspi -SPI to be used for the leftward ESP SA, overriding -automatic assignment using -.B spi -or -.BR spibase ; -typically a hexadecimal number beginning with -.B 0x -.TP -.B ah -AH authentication algorithm to be used -for 
the connection, e.g. -.B hmac-md5-96 -(must be suitable as a value of -.IR ipsec_spi (8)'s -.B \-\-ah -option); -default is not to use AH -.TP -.B ahkey -(required if -.B ah -is present) AH authentication key -(must be suitable as a value of -.IR ipsec_spi (8)'s -.B \-\-authkey -option) -(may be specified separately for each direction using -.B leftahkey -(leftward SA) -and -.B rightahkey -parameters) -.TP -.B ahreplay_window -AH replay-window setting, -an integer from -.B 0 -(the -.I ipsec_manual -default, which turns off replay protection) to -.B 64 -.TP -.B leftahspi -SPI to be used for the leftward AH SA, overriding -automatic assignment using -.B spi -or -.BR spibase ; -typically a hexadecimal number beginning with -.B 0x -.SH "CA SECTIONS" -This are optional sections that can be used to assign special -parameters to a Certification Authority (CA). -.TP 10 -.B auto -currently can have either the value -.B ignore -or -.B add -. -.TP -.B cacert -defines a path to the CA certificate either relative to -\fI/etc/ipsec.d/cacerts\fP or as an absolute path. -.TP -.B crluri -defines a CRL distribution point (ldap, http, or file URI) -.TP -.B crluri2 -defines an alternative CRL distribution point (ldap, http, or file URI) -.TP -.B ldaphost -defines an ldap host. -.TP -.B ocspuri -defines an OCSP URI. -.SH "CONFIG SECTIONS" -At present, the only -.B config -section known to the IPsec software is the one named -.BR setup , -which contains information used when the software is being started -(see -.IR ipsec_setup (8)). -Here's an example: -.PP -.ne 8 -.nf -.ft B -.ta 1c -config setup - interfaces="ipsec0=eth1 ipsec1=ppp0" - klipsdebug=none - plutodebug=all - manualstart= -.ft -.fi -.PP -Parameters are optional unless marked ``(required)''. -The currently-accepted -.I parameter -names in a -.B config -.B setup -section are: -.TP 14 -.B myid -the identity to be used for -.BR %myid . 
-.B %myid -is used in the implicit policy group conns and can be used as -an identity in explicit conns. -If unspecified, -.B %myid -is set to the IP address in \fB%defaultroute\fP (if that is supported by a TXT record in its reverse domain), or otherwise -the system's hostname (if that is supported by a TXT record in its forward domain), or otherwise it is undefined. -An explicit value generally starts with ``\fB@\fP''. -.TP -.B interfaces -virtual and physical interfaces for IPsec to use: -a single -\fIvirtual\fB=\fIphysical\fR pair, a (quoted!) list of pairs separated -by white space, or -.BR %none . -One of the pairs may be written as -.BR %defaultroute , -which means: find the interface \fId\fR that the default route points to, -and then act as if the value was ``\fBipsec0=\fId\fR''. -.B %defaultroute -is the default; -.B %none -must be used to denote no interfaces. -If -.B %defaultroute -is used (implicitly or explicitly) -information about the default route and its interface is noted for -use by -.IR ipsec_manual (8) -and -.IR ipsec_auto (8).) -.TP -.B forwardcontrol -whether -.I setup -should turn IP forwarding on -(if it's not already on) as IPsec is started, -and turn it off again (if it was off) as IPsec is stopped; -acceptable values are -.B yes -and (the default) -.BR no . -For this to have full effect, forwarding must be -disabled before the hardware interfaces are brought -up (e.g., -.B "net.ipv4.ip_forward\ =\ 0" -in Red Hat 6.x -.IR /etc/sysctl.conf ), -because IPsec doesn't get control early enough to do that. -.TP -.B rp_filter -whether and how -.I setup -should adjust the reverse path filtering mechanism for the -physical devices to be used. -Values are \fB%unchanged\fP (to leave it alone) -or \fB0\fP, \fB1\fP, \fB2\fP (values to set it to). -\fI/proc/sys/net/ipv4/conf/PHYS/rp_filter\fP -is badly documented; it must be \fB0\fP in many cases -for ipsec to function. -The default value for the parameter is \fB0\fP. 
-.TP -.B syslog -the -.IR syslog (2) -``facility'' name and priority to use for -startup/shutdown log messages, -default -.BR daemon.error . -.TP -.B klipsdebug -how much KLIPS debugging output should be logged. -An empty value, -or the magic value -.BR none , -means no debugging output (the default). -The magic value -.B all -means full output. -Otherwise only the specified types of output -(a quoted list, names separated by white space) are enabled; -for details on available debugging types, see -.IR ipsec_klipsdebug (8). -.TP -.B plutodebug -how much Pluto debugging output should be logged. -An empty value, -or the magic value -.BR none , -means no debugging output (the default). -The magic value -.B all -means full output. -Otherwise only the specified types of output -(a quoted list, names without the -.B \-\-debug\- -prefix, -separated by white space) are enabled; -for details on available debugging types, see -.IR ipsec_pluto (8). -.TP -.B plutoopts -additional options to pass to pluto upon startup. See -.IR ipsec_pluto (8). -.TP -.B plutostderrlog -do not use syslog, but rather log to stderr, and direct stderr to the -argument file. -.TP -.B dumpdir -in what directory should things started by -.I setup -(notably the Pluto daemon) be allowed to -dump core? -The empty value (the default) means they are not -allowed to. -.TP -.B manualstart -which manually-keyed connections to set up at startup -(empty, a name, or a quoted list of names separated by white space); -see -.IR ipsec_manual (8). -Default is none. -.TP -.B pluto -whether to start Pluto or not; -Values are -.B yes -(the default) -or -.B no -(useful only in special circumstances). -.TP -.B plutowait -should Pluto wait for each -negotiation attempt that is part of startup to -finish before proceeding with the next? -Values are -.B yes -or -.BR no -(the default). -.TP -.B prepluto -shell command to run before starting Pluto -(e.g., to decrypt an encrypted copy of the -.I ipsec.secrets -file). 
-It's run in a very simple way; -complexities like I/O redirection are best hidden within a script. -Any output is redirected for logging, -so running interactive commands is difficult unless they use -.I /dev/tty -or equivalent for their interaction. -Default is none. -.TP -.B postpluto -shell command to run after starting Pluto -(e.g., to remove a decrypted copy of the -.I ipsec.secrets -file). -It's run in a very simple way; -complexities like I/O redirection are best hidden within a script. -Any output is redirected for logging, -so running interactive commands is difficult unless they use -.I /dev/tty -or equivalent for their interaction. -Default is none. -.TP -.B fragicmp -whether a tunnel's need to fragment a packet should be reported -back with an ICMP message, -in an attempt to make the sender lower his PMTU estimate; -acceptable values are -.B yes -(the default) -and -.BR no . -.TP -.B hidetos -whether a tunnel packet's TOS field should be set to -.B 0 -rather than copied from the user packet inside; -acceptable values are -.B yes -(the default) -and -.BR no . -.TP -.B uniqueids -whether a particular participant ID should be kept unique, -with any new (automatically keyed) -connection using an ID from a different IP address -deemed to replace all old ones using that ID; -acceptable values are -.B yes -(the default) -and -.BR no . -Participant IDs normally \fIare\fR unique, -so a new (automatically-keyed) connection using the same ID is -almost invariably intended to replace an old one. -.TP -.B overridemtu -value that the MTU of the ipsec\fIn\fR interface(s) should be set to, -overriding IPsec's (large) default. -This parameter is needed only in special situations. 
-.TP -.B nat_traversal -.TP -.B crlcheckinterval -.TP -.B strictcrlpolicy -.TP -.B pkcs11module -.TP -.B pkcs11keepstate - -.SH CHOOSING A CONNECTION -.PP -When choosing a connection to apply to an outbound packet caught with a -.BR %trap, -the system prefers the one with the most specific eroute that -includes the packet's source and destination IP addresses. -Source subnets are examined before destination subnets. -For initiating, only routed connections are considered. For responding, -unrouted but added connections are considered. -.PP -When choosing a connection to use to respond to a negotiation which -doesn't match an ordinary conn, an opportunistic connection -may be instantiated. Eventually, its instance will be /32 -> /32, but -for earlier stages of the negotiation, there will not be enough -information about the client subnets to complete the instantiation. -.SH FILES -.nf -/etc/ipsec.conf -/etc/ipsec.d/cacerts -/etc/ipsec.d/certs -/etc/ipsec.d/crls -/etc/ipsec.d/aacerts -/etc/ipsec.d/acerts - -.SH SEE ALSO -ipsec(8), ipsec_ttoaddr(8), ipsec_auto(8), ipsec_manual(8), ipsec_rsasigkey(8) -.SH HISTORY -Written for the FreeS/WAN project -<http://www.freeswan.org> -by Henry Spencer. Extended for the strongSwan project -<http://www.strongswan.org> -by Andreas Steffen. -.SH BUGS -.PP -When -.B type -or -.B failureshunt -is set to -.B drop -or -.BR reject, -strongSwan blocks outbound packets using eroutes, but assumes inbound -blocking is handled by the firewall. strongSwan offers firewall hooks -via an ``updown'' script. However, the default -.B ipsec _updown -provides no help in controlling a modern firewall. -.PP -Including attributes of the keying channel -(authentication methods, -.BR ikelifetime , -etc.) -as an attribute of a connection, -rather than of a participant pair, is dubious and incurs limitations. -.PP -.IR Ipsec_manual -is not nearly as generous about the syntax of subnets, -addresses, etc. as the usual strongSwan user interfaces. 
-Four-component dotted-decimal must be used for all addresses. -It -.I is -smart enough to translate bit-count netmasks to dotted-decimal form. -.PP -It would be good to have a line-continuation syntax, -especially for the very long lines involved in -RSA signature keys. -.PP -The ability to specify different identities, -.BR authby , -and public keys for different automatic-keyed connections -between the same participants is misleading; -this doesn't work dependably because the identity of the participants -is not known early enough. -This is especially awkward for the ``Road Warrior'' case, -where the remote IP address is specified as -.BR 0.0.0.0 , -and that is considered to be the ``participant'' for such connections. -.PP -In principle it might be necessary to control MTU on an -interface-by-interface basis, -rather than with the single global override that -.B overridemtu -provides. -.PP -A number of features which \fIcould\fR be implemented in -both manual and automatic keying -actually are not yet implemented for manual keying. -This is unlikely to be fixed any time soon. -.PP -If conns are to be added before DNS is available, -\fBleft=\fP\fIFQDN\fP, -\fBleftnextop=\fP\fIFQDN\fP, -and -.B leftrsasigkey=%dnsonload -will fail. -.IR ipsec_pluto (8) -does not actually use the public key for our side of a conn but it -isn't generally known at a add-time which side is ours (Road Warrior -and Opportunistic conns are currently exceptions). -.PP -The \fBmyid\fP option does not affect explicit \fB ipsec auto \-\-add\fP or \fBipsec auto \-\-replace\fP commands for implicit conns. diff --git a/programs/_confread/ipsec.conf.in b/programs/_confread/ipsec.conf.in deleted file mode 100644 index 296986459..000000000 --- a/programs/_confread/ipsec.conf.in +++ /dev/null 
@@ -1,44 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-# RCSID $Id: ipsec.conf.in,v 1.7 2006/01/31 13:09:10 as Exp $
-
-# Manual: ipsec.conf.5
-# Help: http://www.strongswan.org/docs/readme.htm
-
-version 2.0 # conforms to second version of ipsec.conf specification
-
-# basic configuration
-
-config setup
-# Debug-logging controls: "none" for (almost) none, "all" for lots.
-# plutodebug=all
-# crlcheckinterval=600
-# strictcrlpolicy=yes
-# cachecrls=yes
-# nat_traversal=yes
-
-# Uncomment to activate Opportunistic Encryption (OE)
-# include /etc/ipsec.d/examples/oe.conf
-
-# Add connections here.
-
-# Sample VPN connections
-
-#conn sample-self-signed
-# left=%defaultroute
-# leftsubnet=10.1.0.0/16
-# leftcert=selfCert.der
-# leftsendcert=never
-# right=192.168.0.2
-# rightsubnet=10.2.0.0/16
-# rightcert=peerCert.der
-# auto=start
-
-#conn sample-with-ca-cert
-# left=%defaultroute
-# leftsubnet=10.1.0.0/16
-# leftcert=myCert.pem
-# right=192.168.0.2
-# rightsubnet=10.2.0.0/16
-# rightid="C=CH, O=Linux strongSwan CN=peer name"
-# auto=start
diff --git a/programs/_confread/private-or-clear.in b/programs/_confread/private-or-clear.in
deleted file mode 100644
index c66b1d29f..000000000
--- a/programs/_confread/private-or-clear.in
+++ /dev/null
@@ -1,14 +0,0 @@
-# This file defines the set of CIDRs (network/mask-length) to which
-# communication should be private, if possible, but in the clear otherwise.
-#
-# If the target has a TXT (later IPSECKEY) record that specifies
-# authentication material, we will require private (i.e. encrypted)
-# communications. If no such record is found, communications will be
-# in the clear.
-#
-# See @FINALDOCDIR@/policygroups.html for details.
-#
-# $Id: private-or-clear.in,v 1.1 2004/03/15 20:35:27 as Exp $
-#
-
-0.0.0.0/0
diff --git a/programs/_confread/private.in b/programs/_confread/private.in
deleted file mode 100644
index 9d4bd6c67..000000000
--- a/programs/_confread/private.in
+++ /dev/null
@@ -1,6 +0,0 @@
-# This file defines the set of CIDRs (network/mask-length) to which
-# communication should always be private (i.e. encrypted).
-# See @FINALDOCDIR@/policygroups.html for details.
-#
-# $Id: private.in,v 1.1 2004/03/15 20:35:27 as Exp $
-#
diff --git a/programs/_confread/randomize b/programs/_confread/randomize
deleted file mode 100755
index 26d80a8f3..000000000
--- a/programs/_confread/randomize
+++ /dev/null
@@ -1,28 +0,0 @@
-#! /bin/sh
-# internal utility for putting random keys into sample configuration file
-# Copyright (C) 1998, 1999 Henry Spencer.
-#
-# This program is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by the
-# Free Software Foundation; either version 2 of the License, or (at your
-# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-# for more details.
-#
-# RCSID $Id: randomize,v 1.1 2004/03/15 20:35:27 as Exp $
-
-awk '/`[0-9]+`/ {
-match($0, /`[0-9]+`/)
-n = substr($0, RSTART+1, RLENGTH-2)
-cmd = "./ranbits --quick " n
-cmd | getline key
-cmd | getline eof
-close(cmd)
-sub(/`[0-9]+`/, key, $0)
-print
-next
-}
-{ print }' $* |
