From 7585facf05d927eb6df3929ce09ed5e60d905437 Mon Sep 17 00:00:00 2001 From: Yves-Alexis Perez Date: Thu, 7 Feb 2013 13:27:27 +0100 Subject: Imported Upstream version 5.0.2 --- man/ipsec.secrets.5.in | 31 ++++++++++++++++--------------- 1 file changed, 16 insertions(+), 15 deletions(-) (limited to 'man/ipsec.secrets.5.in') diff --git a/man/ipsec.secrets.5.in b/man/ipsec.secrets.5.in index aa1b5c9c1..319d4856b 100644 --- a/man/ipsec.secrets.5.in +++ b/man/ipsec.secrets.5.in @@ -37,13 +37,7 @@ by whitespace. If no ID selectors are specified the line must start with a colon. .LP A selector is an IP address, a Fully Qualified Domain Name, user@FQDN, -\fB%any\fP or \fB%any6\fP (other kinds may come). An IP address may be written -in the familiar dotted quad form or as a domain name to be looked up -when the file is loaded. -In many cases it is a bad idea to use domain names because -the name server may not be running or may be insecure. To denote a -Fully Qualified Domain Name (as opposed to an IP address denoted by -its domain name), precede the name with an at sign (\fB@\fP). +\fB%any\fP or \fB%any6\fP (other kinds may come). .LP Matching IDs with selectors is fairly straightforward: they have to be equal. In the case of a ``Road Warrior'' connection, if an equal @@ -100,6 +94,9 @@ defines an ECDSA private key .B EAP defines EAP credentials .TP +.B NTLM +defines NTLM credentials +.TP .B XAUTH defines XAUTH credentials .TP 
@@ -151,18 +148,22 @@ The format of \fIsecret\fP is the same as that of \fBPSK\fP secrets. .br \fBEAP\fP secrets are IKEv2 only. .TP +.B : NTLM +The format of \fIsecret\fP is the same as that of \fBPSK\fP secrets, but the +secret is stored as NTLM hash, which is MD4(UTF-16LE(secret)), instead of as +cleartext. +.br +\fBNTLM\fP secrets can only be used with the \fBeap-mschapv2\fP plugin. +.TP .B [ ] : XAUTH The format of \fIpassword\fP is the same as that of \fBPSK\fP secrets. \fBXAUTH\fP secrets are IKEv1 only. .TP -.B : PIN | %prompt -IKEv1 uses the format -.B "%smartcard[[:]]" -to specify the smartcard selector (e.g. %smartcard1:50). -The IKEv2 daemon supports multiple modules with the format -.B "%smartcard[[@]]:" -, but always requires a keyid to uniquely select the correct key. Instead of -specifying the pin code statically, +.B : PIN %smartcard[[@]]: | %prompt +The smartcard selector always requires a keyid to uniquely select the correct +key. The slot number defines the slot on the token, the module name refers to +the module name defined in strongswan.conf(5). +Instead of specifying the pin code statically, .B %prompt can be specified, which causes the daemons to ask the user for the pin code. .LP -- cgit v1.2.3
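Review bot: In the hunk at @@ -37,13 +37,7 @@, the removed sentences were the only place that said how a name selector is interpreted (looked up "when the file is loaded" versus taken as an identity when preceded by an at sign), yet the remaining text still lists "a Fully Qualified Domain Name, user@FQDN" without saying how either is written or matched. If names are no longer resolved, say so in one sentence so readers with existing files know a bare hostname is now compared as an ID rather than looked up. If resolution is still possible, keep the caution that the name server "may not be running or may be insecure", because a secret selected through an unauthenticated lookup is only as trustworthy as that lookup.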
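Review bot: In the hunk at @@ -151,18 +148,22 @@, the new NTLM entry does not say what the reader has to put in the file: "The format of secret is the same as that of PSK secrets" reads as if a quoted password were accepted, while "the secret is stored as NTLM hash" implies the already computed MD4(UTF-16LE(secret)) value. State which of the two is expected and in which encoding the hash is written. I would also add a sentence that this hash is unsalted and is sufficient on its own to answer an MSCHAPv2 challenge, so the entry needs the same file protection as a cleartext secret and "instead of as cleartext" should not be read as a hardening measure. Separately, the PIN entry drops the IKEv1 "%smartcard[[:]]" form without a remark on whether it is still accepted; a short compatibility note would help readers with existing files.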