author | Christian Pointner <equinox@anytun.org> | 2009-11-11 06:17:40 +0000 |
---|---|---|
committer | Christian Pointner <equinox@anytun.org> | 2009-11-11 06:17:40 +0000 |
commit | 3ff9b7f1f056317e4291473b8f96a0621fd7bb06 (patch) | |
tree | 8d7493f1608fcdd205410f6d33c5d48639950522 /src | |
parent | updated Readme (diff) |
updated manpages
Diffstat (limited to 'src')
-rw-r--r-- | src/man/Makefile | 35 | ||||
-rw-r--r-- | src/man/anyrtpproxy.8.txt | 145 | ||||
-rw-r--r-- | src/man/anytun-config.8.txt | 268 | ||||
-rw-r--r-- | src/man/anytun-controld.8.txt | 145 | ||||
-rw-r--r-- | src/man/anytun-showtables.8.txt | 16 | ||||
-rw-r--r-- | src/man/anytun.8.txt | 615 |
6 files changed, 507 insertions, 717 deletions
diff --git a/src/man/Makefile b/src/man/Makefile index 33acd77..aeab45e 100644 --- a/src/man/Makefile +++ b/src/man/Makefile @@ -30,29 +30,26 @@ ## along with anytun. If not, see <http://www.gnu.org/licenses/>. ## -all: manpage - -anytun.8: anytun.8.txt - a2x -f manpage anytun.8.txt +VERSION=$(shell cat ../../version) -anytun-controld.8: anytun-controld.8.txt - a2x -f manpage anytun-controld.8.txt +MANPAGES := anytun.8 anytun-controld.8 anytun-config.8 anytun-showtables.8 anyrtpproxy.8 +XML := $(MANPAGES:%.8=%.8.xml) -anytun-config.8: anytun-config.8.txt - a2x -f manpage anytun-config.8.txt - -anytun-showtables.8: anytun-showtables.8.txt - a2x -f manpage anytun-showtables.8.txt +all: manpage -anyrtpproxy.8: anyrtpproxy.8.txt - a2x -f manpage anyrtpproxy.8.txt +define create-manpage + a2x -f manpage $(1) + @ sed -i -e 's/\[FIXME: source\]/anytun ${VERSION}/' $(2) + @ sed -i -e 's/\[FIXME: manual\]/$(2:.8=) user manual/' $(2) + @ sed -i -e 's/^\($(subst -,\\-,$(2:.8=))\)$$/\\fB\1\\fR/' $(2) + @ sed -i -e 's/^ \[ \([^ ]*\)/ [ \\fB\1\\fR/' $(2) +endef +%.8: %.8.txt + $(call create-manpage,$<,$@) -manpage: anytun.8 anytun-controld.8 anytun-config.8 anytun-showtables.8 anyrtpproxy.8 +manpage: $(MANPAGES) clean: - rm -f anytun.8 anytun.8.xml - rm -f anytun-controld.8 anytun-controld.8.xml - rm -f anytun-config.8 anytun-config.8.xml - rm -f anytun-showtables.8 anytun-showtables.8.xml - rm -f anyrtpproxy.8 anyrtpproxy.8.xml
\ No newline at end of file + rm -f $(MANPAGES) + rm -f $(XML) diff --git a/src/man/anyrtpproxy.8.txt b/src/man/anyrtpproxy.8.txt index 7885832..a92d2e6 100644 --- a/src/man/anyrtpproxy.8.txt +++ b/src/man/anyrtpproxy.8.txt @@ -8,20 +8,22 @@ anyrtpproxy - anycast rtpproxy SYNOPSIS -------- -*anyrtpproxy* -[ *-h|--help* ] -[ *-D|--nodaemonize* ] -[ *-C|--chroot* ] -[ *-u|--username* <username> ] -[ *-H|--chroot-dir* <directory> ] -[ *-P|--write-pid* <filename> ] -[ *-i|--interface* <ip-address> ] -[ *-s|--control* <hostname|ip>[:<port>] ] -[ *-p|--port-range* <start> <end> ] -[ *-n|--nat* ] -[ *-o|--no-nat-once* ] -[ *-S|--sync-port* port> ] -[ *-M|--sync-hosts* <hostname|ip>:<port>[,<hostname|ip>:<port>[...]] ] +.... +anyrtpproxy + [ -h|--help ] + [ -D|--nodaemonize ] + [ -C|--chroot ] + [ -u|--username <username> ] + [ -H|--chroot-dir <directory> ] + [ -P|--write-pid <filename> ] + [ -i|--interface <ip-address> ] + [ -s|--control <hostname|ip>[:<port>] ] + [ -p|--port-range <start> <end> ] + [ -n|--nat ] + [ -o|--no-nat-once ] + [ -S|--sync-port port> ] + [ -M|--sync-hosts <hostname|ip>:<port>[,<hostname|ip>:<port>[...]] ] +.... DESCRIPTION 
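Review bot: `VERSION=$(shell cat ../../version)` is recursively expanded, so `cat` is forked again at every `${VERSION}` reference (once per sed call in create-manpage, per manpage), and if the version file is missing or empty the only symptom is the string `anytun ` with no number in the rendered page; `VERSION := $(or $(strip $(shell cat ../../version)),$(error ../../version is missing or empty))` evaluates it once and fails at parse time instead. The four `sed -i` steps rewrite `$@` after a2x has already created it, so a failure in any of them leaves a partially patched manpage with a fresh timestamp that the next run treats as up to date; a `.DELETE_ON_ERROR:` special target anywhere in the file removes it. `all`, `manpage` and `clean` are command names rather than files; unless the part of the Makefile above this hunk already declares them, add `.PHONY: all manpage clean` so a stray file of that name cannot make them silently up to date.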
@@ -29,89 +31,62 @@ DESCRIPTION *anyrtpproxy* is a rtpproxy which can be used in combination with anycast. It uses the same control protocol than rtpproxy though it can be controled through the nathelper -plugin of openser. *anyrtpproxy* uses the same synchronisation protocol than *anytun* +plugin of openser. *anyrtpproxy* uses the same synchronisation protocol than *Anytun* to sync the session information among all anycast instances. OPTIONS ------- --D|--nodaemonize -~~~~~~~~~~~~~~~~ +*-D, --nodaemonize*:: + This option instructs *anyrtpproxy* to run in the foreground + instead of becoming a daemon. -This option instructs *anyrtpproxy* to run in the foreground -instead of becoming a daemon. +*-C, --chroot*:: + chroot and drop privileges --C|--chroot -~~~~~~~~~~~ +*-u, --username <username>*:: + if chroot change to this user -chroot and drop privileges +*-H, --chroot-dir <directory>*:: + chroot to this directory --u|--username <username> -~~~~~~~~~~~~~~~~~~~~~~~~ +*-P, --write-pid <filename>*:: + write pid to this file -if chroot change to this user +*-i, --interface <ip address>*:: + The local interface to listen on for RTP packets --H|--chroot-dir <directory> -~~~~~~~~~~~~~~~~~~~~~~~~~~~ +*-s, --control <hostname|ip>[:<port>]*:: + The local address and port to listen on for control messages from openser -chroot to this directory +*-p, --port-range <start> <end>*:: + A pool of ports which should be used by *anyrtpproxy* to relay RTP packets. + The range may not overlap between the anycast instances --P|--write-pid <filename> -~~~~~~~~~~~~~~~~~~~~~~~~~ +*-n, --nat*:: + Allow to learn the remote address and port in order to handle clients behind nat. + This option should only be enabled if the source is authenticated (i.e. through + *anytun*) -write pid to this file +*-o, --no-nat-once*:: + Disable learning of remote address and port in case the first packet does not + come from the client which is specified by openser during configuration. 
Invoking + this parameter increases the security level of the system but in case of nat needs + a working nat transversal such as stun. --i|--interface <ip address> -~~~~~~~~~~~~~~~~~~~~~~~~~~~ +*-S, --sync-port <port>*:: + local unicast(sync) port to bind to + + This port is used by anycast hosts to synchronize information about tunnel + endpoints. No payload data is transmitted via this port. + + It is possible to obtain a list of active connections by telnetting into + this port. This port is read-only and unprotected by default. It is advised + to protect this port using firewall rules and, eventually, IPsec. -The local interface to listen on for RTP packets - --s|--control <hostname|ip>[:<port>] -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -The local address and port to listen on for control messages from openser - --p|--port-range <start> <end> -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -A pool of ports which should be used by *anyrtpproxy* to relay RTP packets. -The range may not overlap between the anycast instances - --n|--nat -~~~~~~~~ - -Allow to learn the remote address and port in order to handle clients behind nat. -This option should only be enabled if the source is authenticated (i.e. through -*anytun*) - --o|--no-nat-once -~~~~~~~~~~~~~~~~ - -Disable learning of remote address and port in case the first packet does not -come from the client which is specified by openser during configuration. Invoking -this parameter increases the security level of the system but in case of nat needs -a working nat transversal such as stun. - --S|--sync-port <port> -~~~~~~~~~~~~~~~~~~~~~ - -local unicast(sync) port to bind to - -This port is used by anycast hosts to synchronize information about tunnel -endpoints. No payload data is transmitted via this port. - -It is possible to obtain a list of active connections by telnetting into -this port. This port is read-only and unprotected by default. It is advised -to protect this port using firewall rules and, eventually, IPsec. 
- --M|--sync-hosts <hostname|ip>:<port>,[<hostname|ip>:<port>[...]] -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -remote hosts to sync with - -Here, one has to specify all unicast IP addresses of all -other anycast hosts that comprise the anycast tunnel endpoint. +*-M, --sync-hosts <hostname|ip>:<port>,[<hostname|ip>:<port>[...]]*:: + remote hosts to sync with + + Here, one has to specify all unicast IP addresses of all + other anycast hosts that comprise the anycast tunnel endpoint. EXAMPLES -------- @@ -141,8 +116,6 @@ hostname anycast.anytun.org: -------------------------------------------------------------------------------------- - - BUGS ---- Most likely there are some bugs in *anyrtpproxy*. If you find a bug, please let @@ -154,19 +127,11 @@ anytun(8) AUTHORS ------- -Design of SATP and wizards of this implementation: Othmar Gsenger <otti@anytun.org> Erwin Nindl <nine@anytun.org> Christian Pointner <equinox@anytun.org> -Debian packaging: - -Andreas Hirczy <ahi@itp.tu-graz.ac.at> - -Manual page: - -Alexander List <alex@debian.org> RESOURCES --------- diff --git a/src/man/anytun-config.8.txt b/src/man/anytun-config.8.txt index 827b64f..6a80b4d 100644 --- a/src/man/anytun-config.8.txt +++ b/src/man/anytun-config.8.txt 
@@ -8,21 +8,23 @@ anytun-config - anycast tunneling configuration utility SYNOPSIS -------- -*anytun-config* -[ *-h|--help* ] -[ *-L|--log* <target>:<level>[,<param1>[,<param2>[..]]] -[ *-r|--remote-host* <hostname|ip> ] -[ *-o|--remote-port* <port> ] -[ *-4|--ipv4-only* ] -[ *-6|--ipv6-only* ] -[ *-R|--route* <net>/<prefix length> ] -[ *-m|--mux* <mux-id> ] -[ *-w|--window-size* <window size> ] -[ *-k|--kd-prf* <kd-prf type> ] -[ *-e|--role <role>* ] -[ *-E|--passphrase* <pass phrase> ] -[ *-K|--key* <master key> ] -[ *-A|--salt* <master salt> ] +.... +anytun-config + [ -h|--help ] + [ -L|--log <target>:<level>[,<param1>[,<param2>[..]]] + [ -r|--remote-host <hostname|ip> ] + [ -o|--remote-port <port> ] + [ -4|--ipv4-only ] + [ -6|--ipv6-only ] + [ -R|--route <net>/<prefix length> ] + [ -m|--mux <mux-id> ] + [ -w|--window-size <window size> ] + [ -k|--kd-prf <kd-prf type> ] + [ -e|--role <role> ] + [ -E|--passphrase <pass phrase> ] + [ -K|--key <master key> ] + [ -A|--salt <master salt> ] +.... DESCRIPTION ----------- 
@@ -32,138 +34,100 @@ DESCRIPTION OPTIONS ------- --L|--log <target>:<level>[,<param1>[,<param2>[..]]] -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -add log target to logging system. This can be invoked several times -in order to log to different targets at the same time. Every target -hast its own log level which is a number between 0 and 5. Where 0 means -disabling log and 5 means debug messages are enabled. - -The following targets are supported: - -* *syslog* - log to syslog daemon, parameters <level>[,<logname>[,<facility>]] -* *file* - log to file, parameters <level>[,<path>] -* *stdout* - log to standard output, parameters <level> -* *stderr* - log to standard error, parameters <level> - -The file target can be used more the once with different levels. -If no target is provided at the command line a single target with the -following config is added: - -*syslog:3,uanytun,daemon* - --r|--remote-host <hostname|ip> -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -remote host - -This option can be used to specify the remote tunnel -endpoint. In case of anycast tunnel endpoints, the -anycast IP address has to be used. If you do not specify -an address, it is automatically determined after receiving -the first data packet. - --o|--remote-port <port> -~~~~~~~~~~~~~~~~~~~~~~~ -remote port - -The UDP port used for payload data by the remote host -(specified with -p on the remote host). If you do not specify -a port, it is automatically determined after receiving -the first data packet. - --4|--ipv4-only -~~~~~~~~~~~~~~ - -Resolv to IPv4 addresses only. The default is to resolv both -IPv4 and IPv6 addresses. - --6|--ipv6-only -~~~~~~~~~~~~~~ - -Resolv to IPv6 addresses only. The default is to resolv both -IPv4 and IPv6 addresses. - --R|--route <net>/<prefix length> -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -add a route to connection. This can be invoked several times. - --m|--mux <mux-id> -~~~~~~~~~~~~~~~~~ - -the multiplex id to use. 
default: 0 - --w|--window-size <window size> -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -seqence window size - -Sometimes, packets arrive out of order on the receiver -side. This option defines the size of a list of received -packets' sequence numbers. If, according to this list, -a received packet has been previously received or has -been transmitted in the past, and is therefore not in -the list anymore, this is interpreted as a replay attack -and the packet is dropped. A value of 0 deactivates this -list and, as a consequence, the replay protection employed -by filtering packets according to their secuence number. -By default the sequence window is disabled and therefore a -window size of 0 is used. - --k|--kd--prf <kd-prf type> -~~~~~~~~~~~~~~~~~~~~~~~~~~ - -key derivation pseudo random function. - -The pseudo random function which is used for calculating the -session keys and session salt. - -Possible values: - -* *null* - no random function, keys and salt are set to 0..00 -* *aes-ctr* - AES in counter mode with 128 Bits, default value -* *aes-ctr-128* - AES in counter mode with 128 Bits -* *aes-ctr-192* - AES in counter mode with 192 Bits -* *aes-ctr-256* - AES in counter mode with 256 Bits - --e|--role <role> -~~~~~~~~~~~~~~~~ - -SATP uses different session keys for inbound and outbound traffic. The -role parameter is used to determine which keys to use for outbound or -inbound packets. On both sides of a vpn connection different roles have -to be used. Possible values are *left* and *right*. You may also use -*alice* or *server* as a replacement for *left* and *bob* or *client* as -a replacement for *right*. By default *left* is used. - --E|--passphrase <pass phrase> -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -This passphrase is used to generate the master key and master salt. -For the master key the last n bits of the SHA256 digest of the -passphrase (where n is the length of the master key in bits) is used. -The master salt gets generated with the SHA1 digest. 
-You may force a specific key and or salt by using *--key* and *--salt*. - --K|--key <master key> -~~~~~~~~~~~~~~~~~~~~~ - -master key to use for key derivation - -Master key in hexadecimal notation, eg -01a2b3c4d5e6f708a9b0cadbecfd0fa1, with a mandatory length -of 32, 48 or 64 characters (128, 192 or 256 bits). - --A|--salt <master salt> -~~~~~~~~~~~~~~~~~~~~~~~ - -master salt to use for key derivation - -Master salt in hexadecimal notation, eg -01a2b3c4d5e6f708a9b0cadbecfd, with a mandatory length -of 28 characters (14 bytes). +*-L, --log <target>:<level>[,<param1>[,<param2>[..]]]*:: + add log target to logging system. This can be invoked several times + in order to log to different targets at the same time. Every target + hast its own log level which is a number between 0 and 5. Where 0 means + disabling log and 5 means debug messages are enabled. + + The file target can be used more the once with different levels. + If no target is provided at the command line a single target with the + config *syslog:3,anytun-config,daemon* is added. + + The following targets are supported: + + *syslog*;; log to syslog daemon, parameters <level>[,<logname>[,<facility>]] + *file*;; log to file, parameters <level>[,<path>] + *stdout*;; log to standard output, parameters <level> + *stderr*;; log to standard error, parameters <level> + +*-r, --remote-host <hostname|ip>*:: + This option can be used to specify the remote tunnel + endpoint. In case of anycast tunnel endpoints, the + anycast IP address has to be used. If you do not specify + an address, it is automatically determined after receiving + the first data packet. + +*-o, --remote-port <port>*:: + The UDP port used for payload data by the remote host + (specified with -p on the remote host). If you do not specify + a port, it is automatically determined after receiving + the first data packet. + +*-4, --ipv4-only*:: + Resolv to IPv4 addresses only. The default is to resolv both + IPv4 and IPv6 addresses. 
+ +*-6, --ipv6-only*:: + Resolv to IPv6 addresses only. The default is to resolv both + IPv4 and IPv6 addresses. + +*-R, --route <net>/<prefix length>*:: + add a route to connection. This can be invoked several times. + +*-m, --mux <mux-id>*:: + the multiplex id to use. default: 0 + +*-w, --window-size <window size>*:: + seqence window size + + Sometimes, packets arrive out of order on the receiver + side. This option defines the size of a list of received + packets' sequence numbers. If, according to this list, + a received packet has been previously received or has + been transmitted in the past, and is therefore not in + the list anymore, this is interpreted as a replay attack + and the packet is dropped. A value of 0 deactivates this + list and, as a consequence, the replay protection employed + by filtering packets according to their secuence number. + By default the sequence window is disabled and therefore a + window size of 0 is used. + +*-k, --kd--prf <kd-prf type>*:: + key derivation pseudo random function + + The pseudo random function which is used for calculating the + session keys and session salt. + + Possible values: + + *null*;; no random function, keys and salt are set to 0..00 + *aes-ctr*;; AES in counter mode with 128 Bits, default value + *aes-ctr-128*;; AES in counter mode with 128 Bits + *aes-ctr-192*;; AES in counter mode with 192 Bits + *aes-ctr-256*;; AES in counter mode with 256 Bits + +*-e, --role <role>*:: + SATP uses different session keys for inbound and outbound traffic. The + role parameter is used to determine which keys to use for outbound or + inbound packets. On both sides of a vpn connection different roles have + to be used. Possible values are *left* and *right*. You may also use + *alice* or *server* as a replacement for *left* and *bob* or *client* as + a replacement for *right*. By default *left* is used. + +*-E, --passphrase <pass phrase>*:: + This passphrase is used to generate the master key and master salt. 
+ For the master key the last n bits of the SHA256 digest of the + passphrase (where n is the length of the master key in bits) is used. + The master salt gets generated with the SHA1 digest. + You may force a specific key and or salt by using *--key* and *--salt*. + +*-K, --key <master key>*:: + master key to use for key derivation + + Master key in hexadecimal notation, e.g. + 01a2b3c4d5e6f708a9b0cadbecfd0fa1, with a mandatory length + of 32, 48 or 64 characters (128, 192 or 256 bits). + +*-A, --salt <master salt>*:: + master salt to use for key derivation + + Master salt in hexadecimal notation, e.g. + 01a2b3c4d5e6f708a9b0cadbecfd, with a mandatory length + of 28 characters (14 bytes). EXAMPLES @@ -178,7 +142,7 @@ Add a client with Connection ID (Mux) 12 and add 2 Routes to this client BUGS ---- -Most likely there are some bugs in *anytun*. If you find a bug, please let +Most likely there are some bugs in *Anytun*. If you find a bug, please let the developers know at satp@anytun.org. Of course, patches are preferred. SEE ALSO @@ -187,19 +151,11 @@ anytun(8), anytun-controld(8), anytun-showtables(8) AUTHORS ------- -Design of SATP and wizards of this implementation: Othmar Gsenger <otti@anytun.org> Erwin Nindl <nine@anytun.org> Christian Pointner <equinox@anytun.org> -Debian packaging: - -Andreas Hirczy <ahi@itp.tu-graz.ac.at> - -Manual page: - -Alexander List <alex@debian.org> RESOURCES --------- diff --git a/src/man/anytun-controld.8.txt b/src/man/anytun-controld.8.txt index 532dd5f..0d3e0b8 100644 --- a/src/man/anytun-controld.8.txt +++ b/src/man/anytun-controld.8.txt 
@@ -8,96 +8,77 @@ anytun-controld - anycast tunneling control daemon SYNOPSIS -------- -*anytun-controld* -[ *-h|--help* ] -[ *-D|--nodaemonize* ] -[ *-u|--username* <username> ] -[ *-g|--groupname* <groupname> ] -[ *-C|--chroot* <path> ] -[ *-P|--write-pid* <filename> ] -[ *-L|--log* <target>:<level>[,<param1>[,<param2>[..]]] ] -[ *-f|--file* <path> ] -[ *-X|--control-host* < <host>[:port>] | :<port> > ] +.... +anytun-controld + [ -h|--help ] + [ -D|--nodaemonize ] + [ -u|--username <username> ] + [ -g|--groupname <groupname> ] + [ -C|--chroot <path> ] + [ -P|--write-pid <filename> ] + [ -L|--log <target>:<level>[,<param1>[,<param2>[..]]] ] + [ -f|--file <path> ] + [ -X|--control-host < <host>[:port>] | :<port> > ] +.... DESCRIPTION ----------- -*anytun-controld* configures the multi-connection support for *anytun*. It reads a connection/routing table and outputs it via a tcp socket to all connected *anytun* servers. When the control daemon is restarted with a new connection/routing table all *anytun* servers automatically load the new configuration. Please make sure to protect that information as it contains the connection keys. +*anytun-controld* configures the multi-connection support for *Anytun*. It reads a connection/routing table and outputs it via a tcp socket to all connected *Anytun* servers. When the control daemon is restarted with a new connection/routing table all *Anytun* servers automatically load the new configuration. Please make sure to protect that information as it contains the connection keys. OPTIONS ------- --D|--nodaemonize -~~~~~~~~~~~~~~~~ - -This option instructs *anytun* to run in foreground -instead of becoming a daemon which is the default. - --u|--username <username> -~~~~~~~~~~~~~~~~~~~~~~~~ - -run as this user. If no group is specified (*-g*) the default group of -the user is used. The default is to not drop privileges. - --g|--groupname <groupname> -~~~~~~~~~~~~~~~~~~~~~~~~~~ - -run as this group. 
If no username is specified (*-u*) this gets ignored. -The default is to not drop privileges. - --C|--chroot <path> -~~~~~~~~~~~~~~~~~~ - -Instruct *anytun* to run in a chroot jail. The default is -to not run in chroot. - --P|--write-pid <filename> -~~~~~~~~~~~~~~~~~~~~~~~~~ - -Instruct *anytun* to write it's pid to this file. The default is -to not create a pid file. - --L|--log <target>:<level>[,<param1>[,<param2>[..]]] -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -add log target to logging system. This can be invoked several times -in order to log to different targets at the same time. Every target -hast its own log level which is a number between 0 and 5. Where 0 means -disabling log and 5 means debug messages are enabled. - -The following targets are supported: - -* *syslog* - log to syslog daemon, parameters <level>[,<logname>[,<facility>]] -* *file* - log to file, parameters <level>[,<path>] -* *stdout* - log to standard output, parameters <level> -* *stderr* - log to standard error, parameters <level> - -The file target can be used more the once with different levels. -If no target is provided at the command line a single target with the -following config is added: - -*syslog:3,uanytun,daemon* - --f|--file <path> -~~~~~~~~~~~~~~~~ - -The path to the file which holds the sync information. - --X|--control-host < <host>[:<port>] | :<port> > -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -The local ip address and or tcp port to bind to. Mind that if an -address is given the port can be omitted in which case port 2323 -is used. You can also specify to listen on an specific port but on -all interfaces by omitting the address. If you want to specify an -ipv6 address and a port you have to use [ and ] to seperate the address -from the port, eg.: [::1]:1234. If you want to use the default port -[ and ] can be omitted. 
default: 127.0.0.1:2323 +*-D, --nodaemonize*:: + This option instructs *anytun-controld* to run in foreground + instead of becoming a daemon which is the default. + +*-u, --username <username>*:: + run as this user. If no group is specified (*-g*) the default group of + the user is used. The default is to not drop privileges. + +*-g, --groupname <groupname>*:: + run as this group. If no username is specified (*-u*) this gets ignored. + The default is to not drop privileges. + +*-C, --chroot <path>*:: + Instruct *anytun-controld* to run in a chroot jail. The default is + to not run in chroot. + +*-P, --write-pid <filename>*:: + Instruct *anytun-controld* to write it's pid to this file. The default is + to not create a pid file. + +*-L, --log <target>:<level>[,<param1>[,<param2>[..]]]*:: + add log target to logging system. This can be invoked several times + in order to log to different targets at the same time. Every target + hast its own log level which is a number between 0 and 5. Where 0 means + disabling log and 5 means debug messages are enabled. + + The file target can be used more the once with different levels. + If no target is provided at the command line a single target with the + config *syslog:3,anytun-controld,daemon* is added. + + The following targets are supported: + + *syslog*;; log to syslog daemon, parameters <level>[,<logname>[,<facility>]] + *file*;; log to file, parameters <level>[,<path>] + *stdout*;; log to standard output, parameters <level> + *stderr*;; log to standard error, parameters <level> + +*-f, --file <path>*:: + The path to the file which holds the sync information. + +*-X, --control-host <hostname|ip>[:<port>]*:: + fetch the config from this host. The default is not to use a control + host and therefore this is empty. Mind that the port can be omitted + in which case port 2323 is used. If you want to specify an + ipv6 address and a port you have to use [ and ] to seperate the address + from the port, eg.: [::1]:1234. 
If you want to use the default port + [ and ] can be omitted. BUGS ---- -Most likely there are some bugs in *anytun*. If you find a bug, please let +Most likely there are some bugs in *Anytun*. If you find a bug, please let the developers know at satp@anytun.org. Of course, patches are preferred. SEE ALSO @@ -106,19 +87,11 @@ anytun(8), anytun-config(8), anytun-showtables(8) AUTHORS ------- -Design of SATP and wizards of this implementation: Othmar Gsenger <otti@anytun.org> Erwin Nindl <nine@anytun.org> Christian Pointner <equinox@anytun.org> -Debian packaging: - -Andreas Hirczy <ahi@itp.tu-graz.ac.at> - -Manual page: - -Alexander List <alex@debian.org> RESOURCES --------- diff --git a/src/man/anytun-showtables.8.txt b/src/man/anytun-showtables.8.txt index a2f51db..3a1fa8d 100644 --- a/src/man/anytun-showtables.8.txt +++ b/src/man/anytun-showtables.8.txt @@ -8,12 +8,14 @@ anytun-showtables - anycast tunneling routing table visualization utility SYNOPSIS -------- -*anytun-showtables* +.... +anytun-showtables +.... DESCRIPTION ----------- -*anytun-showtables* displays routing and connection tables used by *anytun*. It can be used to display a saved routing/connection table used by *anytun-controld* or to connect to a the sync port of *anytun*. +*anytun-showtables* displays routing and connection tables used by *Anytun*. It can be used to display a saved routing/connection table used by *anytun-controld* or to connect to a the sync port of *Anytun*. OPTIONS ------- @@ -38,7 +40,7 @@ Print current routing table and watch changes BUGS ---- -Most likely there are some bugs in *anytun*. If you find a bug, please let +Most likely there are some bugs in *Anytun*. If you find a bug, please let the developers know at satp@anytun.org. Of course, patches are preferred. SEE ALSO 
@@ -47,19 +49,11 @@ anytun(8), anytun-controld(8), anytun-config(8) AUTHORS ------- -Design of SATP and wizards of this implementation: Othmar Gsenger <otti@anytun.org> Erwin Nindl <nine@anytun.org> Christian Pointner <equinox@anytun.org> -Debian packaging: - -Andreas Hirczy <ahi@itp.tu-graz.ac.at> - -Manual page: - -Alexander List <alex@debian.org> RESOURCES --------- diff --git a/src/man/anytun.8.txt b/src/man/anytun.8.txt index 38dd187..21c469e 100644 --- a/src/man/anytun.8.txt +++ b/src/man/anytun.8.txt 
@@ -8,40 +8,42 @@ anytun - anycast tunneling daemon SYNOPSIS -------- -*anytun* -[ *-h|--help* ] -[ *-D|--nodaemonize* ] -[ *-u|--username* <username> ] -[ *-g|--groupname* <groupname> ] -[ *-C|--chroot* <path> ] -[ *-P|--write-pid* <filename> ] -[ *-L|--log* <target>:<level>[,<param1>[,<param2>[..]]] ] -[ *-i|--interface* <ip-address> ] -[ *-p|--port* <port> ] -[ *-r|--remote-host* <hostname|ip> ] -[ *-o|--remote-port* <port> ] -[ *-4|--ipv4-only* ] -[ *-6|--ipv6-only* ] -[ *-I|--sync-interface* <ip-address> ] -[ *-S|--sync-port* port> ] -[ *-M|--sync-hosts* <hostname|ip>[:<port>][,<hostname|ip>[:<port>][...]] ] -[ *-X|--control-host* <hostname|ip>[:<port>] -[ *-d|--dev* <name> ] -[ *-t|--type* <tun|tap> ] -[ *-n|--ifconfig* <local>/<prefix> ] -[ *-x|--post-up-script* <script> ] -[ *-R|--route* <net>/<prefix length> ] -[ *-m|--mux* <mux-id> ] -[ *-s|--sender-id* <sender id> ] -[ *-w|--window-size* <window size> ] -[ *-k|--kd-prf* <kd-prf type> ] -[ *-e|--role <role>* ] -[ *-E|--passphrase* <pass phrase> ] -[ *-K|--key* <master key> ] -[ *-A|--salt* <master salt> ] -[ *-c|--cipher* <cipher type> ] -[ *-a|--auth-algo* <algo type> ] -[ *-b|--auth-tag-length* <length> ] +.... 
+anytun + [ -h|--help ] + [ -D|--nodaemonize ] + [ -u|--username <username> ] + [ -g|--groupname <groupname> ] + [ -C|--chroot <path> ] + [ -P|--write-pid <filename> ] + [ -L|--log <target>:<level>[,<param1>[,<param2>[..]]] ] + [ -i|--interface <ip-address> ] + [ -p|--port <port> ] + [ -r|--remote-host <hostname|ip> ] + [ -o|--remote-port <port> ] + [ -4|--ipv4-only ] + [ -6|--ipv6-only ] + [ -I|--sync-interface <ip-address> ] + [ -S|--sync-port port> ] + [ -M|--sync-hosts <hostname|ip>[:<port>][,<hostname|ip>[:<port>][...]] ] + [ -X|--control-host <hostname|ip>[:<port>] + [ -d|--dev <name> ] + [ -t|--type <tun|tap> ] + [ -n|--ifconfig <local>/<prefix> ] + [ -x|--post-up-script <script> ] + [ -R|--route <net>/<prefix length> ] + [ -m|--mux <mux-id> ] + [ -s|--sender-id <sender id> ] + [ -w|--window-size <window size> ] + [ -k|--kd-prf <kd-prf type> ] + [ -e|--role <role> ] + [ -E|--passphrase <pass phrase> ] + [ -K|--key <master key> ] + [ -A|--salt <master salt> ] + [ -c|--cipher <cipher type> ] + [ -a|--auth-algo <algo type> ] + [ -b|--auth-tag-length <length> ] +.... DESCRIPTION ----------- 
@@ -59,318 +61,229 @@ OPTIONS no difference between client and server. The following options can be passed to the daemon: --D|--nodaemonize -~~~~~~~~~~~~~~~~ - -This option instructs *anytun* to run in foreground -instead of becoming a daemon which is the default. - --u|--username <username> -~~~~~~~~~~~~~~~~~~~~~~~~ - -run as this user. If no group is specified (*-g*) the default group of -the user is used. The default is to not drop privileges. - --g|--groupname <groupname> -~~~~~~~~~~~~~~~~~~~~~~~~~~ - -run as this group. If no username is specified (*-u*) this gets ignored. -The default is to not drop privileges. - --C|--chroot <path> -~~~~~~~~~~~~~~~~~~ - -Instruct *anytun* to run in a chroot jail. The default is -to not run in chroot. - --P|--write-pid <filename> -~~~~~~~~~~~~~~~~~~~~~~~~~ - -Instruct *anytun* to write it's pid to this file. The default is -to not create a pid file. - --L|--log <target>:<level>[,<param1>[,<param2>[..]]] -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -add log target to logging system. This can be invoked several times -in order to log to different targets at the same time. Every target -hast its own log level which is a number between 0 and 5. Where 0 means -disabling log and 5 means debug messages are enabled. - -The following targets are supported: - -* *syslog* - log to syslog daemon, parameters <level>[,<logname>[,<facility>]] -* *file* - log to file, parameters <level>[,<path>] -* *stdout* - log to standard output, parameters <level> -* *stderr* - log to standard error, parameters <level> - -The file target can be used more the once with different levels. -If no target is provided at the command line a single target with the -following config is added: - -*syslog:3,uanytun,daemon* - --i|--interface <ip address> -~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -This IP address is used as the sender address for outgoing -packets. In case of anycast tunnel endpoints, the anycast -IP has to be used. 
In case of unicast endpoints, the -address is usually derived correctly from the routing -table. The default is to not use a special inteface and just -bind on all interfaces. - --p|--port <port> -~~~~~~~~~~~~~~~~ - -local anycast(data) port to bind to - -The local UDP port that is used to send and receive the -payload data. The two tunnel endpoints can use different -ports. If a tunnel endpoint consists of multiple anycast -hosts, all hosts have to use the same port. default: 4444 - --r|--remote-host <hostname|ip> -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -remote host - -This option can be used to specify the remote tunnel -endpoint. In case of anycast tunnel endpoints, the -anycast IP address has to be used. If you do not specify -an address, it is automatically determined after receiving -the first data packet. - --o|--remote-port <port> -~~~~~~~~~~~~~~~~~~~~~~~ -remote port - -The UDP port used for payload data by the remote host -(specified with -p on the remote host). If you do not specify -a port, it is automatically determined after receiving -the first data packet. - --4|--ipv4-only -~~~~~~~~~~~~~~ - -Resolv to IPv4 addresses only. The default is to resolv both -IPv4 and IPv6 addresses. - --6|--ipv6-only -~~~~~~~~~~~~~~ - -Resolv to IPv6 addresses only. The default is to resolv both -IPv4 and IPv6 addresses. - --I|--sync-interface <ip-address> -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -local unicast(sync) ip address to bind to - -This option is only needed for tunnel endpoints consisting -of multiple anycast hosts. The unicast IP address of -the anycast host can be used here. This is needed for -communication with the other anycast hosts. The default is to -not use a special inteface and just bind on all interfaces. However -this is only the case if synchronisation is active see *--sync-port*. - --S|--sync-port <port> -~~~~~~~~~~~~~~~~~~~~~ - -local unicast(sync) port to bind to - -This option is only needed for tunnel endpoints -consisting of multiple anycast hosts. 
This port is used -by anycast hosts to synchronize information about tunnel -endpoints. No payload data is transmitted via this port. -By default the synchronisation is disabled an therefore the -port is kept empty. - -It is possible to obtain a list of active connections -by telnetting into this port. This port is read-only -and unprotected by default. It is advised to protect -this port using firewall rules and, eventually, IPsec. - --M|--sync-hosts <hostname|ip>[:<port>],[<hostname|ip>[:<port>][...]] -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -remote hosts to sync with - -This option is only needed for tunnel endpoints consisting -of multiple anycast hosts. Here, one has to specify all -unicast IP addresses of all other anycast hosts that -comprise the anycast tunnel endpoint. By default synchronisation is -disabled and therefore this is empty. Mind that the port can be -omitted in which case port 2323 is used. If you want to specify an -ipv6 address and a port you have to use [ and ] to seperate the address -from the port, eg.: [::1]:1234. If you want to use the default port -[ and ] can be omitted. - --X|--control-host <hostname|ip>[:<port>] -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -fetch the config from this host. The default is not to use a control -host and therefore this is empty. Mind that the port can be omitted -in which case port 2323 is used. If you want to specify an -ipv6 address and a port you have to use [ and ] to seperate the address -from the port, eg.: [::1]:1234. If you want to use the default port -[ and ] can be omitted. - --d|--dev <name> -~~~~~~~~~~~~~~~ -device name - -By default, tapN is used for Ethernet tunnel interfaces, -and tunN for IP tunnels, respectively. This option can -be used to manually override these defaults. - --t|--type <tun|tap> -~~~~~~~~~~~~~~~~~~~ - -device type - -Type of the tunnels to create. Use tap for Ethernet -tunnels, tun for IP tunnels. 
- --n|--ifconfig <local>/<prefix> -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -*<local>* the local IP address for the tun/tap device - -*<prefix>* the prefix length of the network - -The local IP address and prefix length. The remote tunnel endpoint -has to use a different IP address in the same subnet - --x|--post-up-script <script> -~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -This option instructs *anytun* to run this script after the interface -is created. By default no script will be executed. - --R|--route <net>/<prefix length> -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -add a route to connection. This can be invoked several times. - --m|--mux <mux-id> -~~~~~~~~~~~~~~~~~ - -the multiplex id to use. default: 0 - --s|--sender-id <sender id> -~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -Each anycast tunnel endpoint needs a uniqe sender id -(1, 2, 3, ...). It is needed to distinguish the senders -in case of replay attacks. This option can be ignored on -unicast endpoints. default: 0 - --w|--window-size <window size> -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -seqence window size - -Sometimes, packets arrive out of order on the receiver -side. This option defines the size of a list of received -packets' sequence numbers. If, according to this list, -a received packet has been previously received or has -been transmitted in the past, and is therefore not in -the list anymore, this is interpreted as a replay attack -and the packet is dropped. A value of 0 deactivates this -list and, as a consequence, the replay protection employed -by filtering packets according to their secuence number. -By default the sequence window is disabled and therefore a -window size of 0 is used. - --k|--kd--prf <kd-prf type> -~~~~~~~~~~~~~~~~~~~~~~~~~~ - -key derivation pseudo random function. - -The pseudo random function which is used for calculating the -session keys and session salt. 
- -Possible values: - -* *null* - no random function, keys and salt are set to 0..00 -* *aes-ctr* - AES in counter mode with 128 Bits, default value -* *aes-ctr-128* - AES in counter mode with 128 Bits -* *aes-ctr-192* - AES in counter mode with 192 Bits -* *aes-ctr-256* - AES in counter mode with 256 Bits - --e|--role <role> -~~~~~~~~~~~~~~~~ - -SATP uses different session keys for inbound and outbound traffic. The -role parameter is used to determine which keys to use for outbound or -inbound packets. On both sides of a vpn connection different roles have -to be used. Possible values are *left* and *right*. You may also use -*alice* or *server* as a replacement for *left* and *bob* or *client* as -a replacement for *right*. By default *left* is used. - --E|--passphrase <pass phrase> -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -This passphrase is used to generate the master key and master salt. -For the master key the last n bits of the SHA256 digest of the -passphrase (where n is the length of the master key in bits) is used. -The master salt gets generated with the SHA1 digest. -You may force a specific key and or salt by using *--key* and *--salt*. - --K|--key <master key> -~~~~~~~~~~~~~~~~~~~~~ - -master key to use for key derivation - -Master key in hexadecimal notation, eg -01a2b3c4d5e6f708a9b0cadbecfd0fa1, with a mandatory length -of 32, 48 or 64 characters (128, 192 or 256 bits). - --A|--salt <master salt> -~~~~~~~~~~~~~~~~~~~~~~~ - -master salt to use for key derivation - -Master salt in hexadecimal notation, eg -01a2b3c4d5e6f708a9b0cadbecfd, with a mandatory length -of 28 characters (14 bytes). 
- --c|--cipher <cipher type> -~~~~~~~~~~~~~~~~~~~~~~~~~ - -payload encryption algorithm - -Encryption algorithm used for encrypting the payload - -Possible values: - -* *null* - no encryption -* *aes-ctr* - AES in counter mode with 128 Bits, default value -* *aes-ctr-128* - AES in counter mode with 128 Bits -* *aes-ctr-192* - AES in counter mode with 192 Bits -* *aes-ctr-256* - AES in counter mode with 256 Bits - --a|--auth-algo <algo type> -~~~~~~~~~~~~~~~~~~~~~~~~~~ - -message authentication algorithm - -This option sets the message authentication algorithm. - -Possible values: - -* *null* - no message authentication -* *sha1* - HMAC-SHA1, default value - -If HMAC-SHA1 is used, the packet length is increased. The additional bytes -contain the authentication data. see *-b|--auth-tag-length* for more info. - --b|--auth-tag-length <length> -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -The number of bytes to use for the auth tag. This value defaults to 10 bytes -unless the *null* auth algo is used in which case it defaults to 0. +*-D, --nodaemonize*:: + This option instructs *Anytun* to run in foreground + instead of becoming a daemon which is the default. + +*-u, --username <username>*:: + run as this user. If no group is specified (*-g*) the default group of + the user is used. The default is to not drop privileges. + +*-g, --groupname <groupname>*:: + run as this group. If no username is specified (*-u*) this gets ignored. + The default is to not drop privileges. + +*-C, --chroot <path>*:: + Instruct *Anytun* to run in a chroot jail. The default is + to not run in chroot. + +*-P, --write-pid <filename>*:: + Instruct *Anytun* to write it's pid to this file. The default is + to not create a pid file. + +*-L, --log <target>:<level>[,<param1>[,<param2>[..]]]*:: + add log target to logging system. This can be invoked several times + in order to log to different targets at the same time. Every target + hast its own log level which is a number between 0 and 5. 
Where 0 means + disabling log and 5 means debug messages are enabled. + + The file target can be used more the once with different levels. + If no target is provided at the command line a single target with the + config *syslog:3,anytun,daemon* is added. + + The following targets are supported: + + *syslog*;; log to syslog daemon, parameters <level>[,<logname>[,<facility>]] + *file*;; log to file, parameters <level>[,<path>] + *stdout*;; log to standard output, parameters <level> + *stderr*;; log to standard error, parameters <level> + +*-i, --interface <ip address>*:: + This IP address is used as the sender address for outgoing + packets. In case of anycast tunnel endpoints, the anycast + IP has to be used. In case of unicast endpoints, the + address is usually derived correctly from the routing + table. The default is to not use a special inteface and just + bind on all interfaces. + +*-p, --port <port>*:: + The local UDP port that is used to send and receive the + payload data. The two tunnel endpoints can use different + ports. If a tunnel endpoint consists of multiple anycast + hosts, all hosts have to use the same port. default: 4444 + +*-r, --remote-host <hostname|ip>*:: + This option can be used to specify the remote tunnel + endpoint. In case of anycast tunnel endpoints, the + anycast IP address has to be used. If you do not specify + an address, it is automatically determined after receiving + the first data packet. + +*-o, --remote-port <port>*:: + The UDP port used for payload data by the remote host + (specified with -p on the remote host). If you do not specify + a port, it is automatically determined after receiving + the first data packet. + +*-4, --ipv4-only*:: + Resolv to IPv4 addresses only. The default is to resolv both + IPv4 and IPv6 addresses. + +*-6, --ipv6-only*:: + Resolv to IPv6 addresses only. The default is to resolv both + IPv4 and IPv6 addresses. 
+ +*-I, --sync-interface <ip-address>*:: + local unicast(sync) ip address to bind to + + This option is only needed for tunnel endpoints consisting + of multiple anycast hosts. The unicast IP address of + the anycast host can be used here. This is needed for + communication with the other anycast hosts. The default is to + not use a special inteface and just bind on all interfaces. However + this is only the case if synchronisation is active see *--sync-port*. + +*-S, --sync-port <port>*:: + local unicast(sync) port to bind to + + This option is only needed for tunnel endpoints + consisting of multiple anycast hosts. This port is used + by anycast hosts to synchronize information about tunnel + endpoints. No payload data is transmitted via this port. + By default the synchronisation is disabled an therefore the + port is kept empty. + + It is possible to obtain a list of active connections + by telnetting into this port. This port is read-only + and unprotected by default. It is advised to protect + this port using firewall rules and, eventually, IPsec. + +*-M, --sync-hosts <hostname|ip>[:<port>],[<hostname|ip>[:<port>][...]]*:: + remote hosts to sync with + + This option is only needed for tunnel endpoints consisting + of multiple anycast hosts. Here, one has to specify all + unicast IP addresses of all other anycast hosts that + comprise the anycast tunnel endpoint. By default synchronisation is + disabled and therefore this is empty. Mind that the port can be + omitted in which case port 2323 is used. If you want to specify an + ipv6 address and a port you have to use [ and ] to seperate the address + from the port, eg.: [::1]:1234. If you want to use the default port + [ and ] can be omitted. + +*-X, --control-host <hostname|ip>[:<port>]*:: + fetch the config from this host. The default is not to use a control + host and therefore this is empty. Mind that the port can be omitted + in which case port 2323 is used. 
If you want to specify an + ipv6 address and a port you have to use [ and ] to seperate the address + from the port, eg.: [::1]:1234. If you want to use the default port + [ and ] can be omitted. + +*-d, --dev <name>*:: + device name + + By default, tapN is used for Ethernet tunnel interfaces, + and tunN for IP tunnels, respectively. This option can + be used to manually override these defaults. + +*-t, --type <tun|tap>*:: + device type + + Type of the tunnels to create. Use tap for Ethernet + tunnels, tun for IP tunnels. + +*-n, --ifconfig <local>/<prefix>*:: + The local IP address and prefix length. The remote tunnel endpoint + has to use a different IP address in the same subnet. + + *<local>*;; the local IP address for the tun/tap device + *<prefix>*;; the prefix length of the network + +*-x, --post-up-script <script>*:: + This option instructs *Anytun* to run this script after the interface + is created. By default no script will be executed. + +*-R, --route <net>/<prefix length>*:: + add a route to connection. This can be invoked several times. + +*-m, --mux <mux-id>*:: + the multiplex id to use. default: 0 + +*-s, --sender-id <sender id>*:: + Each anycast tunnel endpoint needs a uniqe sender id + (1, 2, 3, ...). It is needed to distinguish the senders + in case of replay attacks. This option can be ignored on + unicast endpoints. default: 0 + +*-w, --window-size <window size>*:: + seqence window size + + Sometimes, packets arrive out of order on the receiver + side. This option defines the size of a list of received + packets' sequence numbers. If, according to this list, + a received packet has been previously received or has + been transmitted in the past, and is therefore not in + the list anymore, this is interpreted as a replay attack + and the packet is dropped. A value of 0 deactivates this + list and, as a consequence, the replay protection employed + by filtering packets according to their secuence number. 
+ By default the sequence window is disabled and therefore a + window size of 0 is used. + +*-k, --kd--prf <kd-prf type>*:: + key derivation pseudo random function + + The pseudo random function which is used for calculating the + session keys and session salt. + + Possible values: + + *null*;; no random function, keys and salt are set to 0..00 + *aes-ctr*;; AES in counter mode with 128 Bits, default value + *aes-ctr-128*;; AES in counter mode with 128 Bits + *aes-ctr-192*;; AES in counter mode with 192 Bits + *aes-ctr-256*;; AES in counter mode with 256 Bits + +*-e, --role <role>*:: + SATP uses different session keys for inbound and outbound traffic. The + role parameter is used to determine which keys to use for outbound or + inbound packets. On both sides of a vpn connection different roles have + to be used. Possible values are *left* and *right*. You may also use + *alice* or *server* as a replacement for *left* and *bob* or *client* as + a replacement for *right*. By default *left* is used. + +*-E, --passphrase <pass phrase>*:: + This passphrase is used to generate the master key and master salt. + For the master key the last n bits of the SHA256 digest of the + passphrase (where n is the length of the master key in bits) is used. + The master salt gets generated with the SHA1 digest. + You may force a specific key and or salt by using *--key* and *--salt*. + +*-K, --key <master key>*:: + master key to use for key derivation + + Master key in hexadecimal notation, e.g. + 01a2b3c4d5e6f708a9b0cadbecfd0fa1, with a mandatory length + of 32, 48 or 64 characters (128, 192 or 256 bits). + +*-A, --salt <master salt>*:: + master salt to use for key derivation + + Master salt in hexadecimal notation, e.g. + 01a2b3c4d5e6f708a9b0cadbecfd, with a mandatory length + of 28 characters (14 bytes). 
+ +*-c, --cipher <cipher type>*:: + payload encryption algorithm + + Encryption algorithm used for encrypting the payload + + Possible values: + + *null*;; no encryption + *aes-ctr*;; AES in counter mode with 128 Bits, default value + *aes-ctr-128*;; AES in counter mode with 128 Bits + *aes-ctr-192*;; AES in counter mode with 192 Bits + *aes-ctr-256*;; AES in counter mode with 256 Bits + +*-a, --auth-algo <algo type>*:: + message authentication algorithm + + This option sets the message authentication algorithm. + + If HMAC-SHA1 is used, the packet length is increased. The additional bytes + contain the authentication data. see *--auth-tag-length* for more info. + + Possible values: + + *null*;; no message authentication + *sha1*;; HMAC-SHA1, default value + +*-b, --auth-tag-length <length>*:: + The number of bytes to use for the auth tag. This value defaults to 10 bytes + unless the *null* auth algo is used in which case it defaults to 0. EXAMPLES @@ -429,7 +342,7 @@ anycast tunnel endpoint) please consult the man page of anytun-config(8). BUGS ---- -Most likely there are some bugs in *anytun*. If you find a bug, please let +Most likely there are some bugs in *Anytun*. If you find a bug, please let the developers know at satp@anytun.org. Of course, patches are preferred. SEE ALSO @@ -438,19 +351,11 @@ anytun-config(8), anytun-controld(8), anytun-showtables(8) AUTHORS ------- -Design of SATP and wizards of this implementation: Othmar Gsenger <otti@anytun.org> Erwin Nindl <nine@anytun.org> Christian Pointner <equinox@anytun.org> -Debian packaging: - -Andreas Hirczy <ahi@itp.tu-graz.ac.at> - -Manual page: - -Alexander List <alex@debian.org> RESOURCES --------- |