path: root/keyexchange/isakmpd-20041012/isakmpd.8
Diffstat (limited to 'keyexchange/isakmpd-20041012/isakmpd.8')
-rw-r--r--  keyexchange/isakmpd-20041012/isakmpd.8  603
1 files changed, 0 insertions, 603 deletions
diff --git a/keyexchange/isakmpd-20041012/isakmpd.8 b/keyexchange/isakmpd-20041012/isakmpd.8
deleted file mode 100644
index e7f6987..0000000
--- a/keyexchange/isakmpd-20041012/isakmpd.8
+++ /dev/null
@@ -1,603 +0,0 @@
-.\" $OpenBSD: isakmpd.8,v 1.65 2004/07/08 10:37:12 jmc Exp $
-.\" $EOM: isakmpd.8,v 1.23 2000/05/02 00:30:23 niklas Exp $
-.\"
-.\" Copyright (c) 1998, 1999, 2000, 2001 Niklas Hallqvist.
-.\" All rights reserved.
-.\" Copyright (c) 1999 Angelos D. Keromytis. All rights reserved.
-.\" Copyright (c) 2001, 2002 Håkan Olsson. All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in the
-.\" documentation and/or other materials provided with the distribution.
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
-.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
-.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
-.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
-.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
-.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
-.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
-.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
-.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.\" This code was written under funding by Ericsson Radio Systems.
-.\"
-.\" Manual page, using -mandoc macros
-.\"
-.Dd August 07, 2002
-.Dt ISAKMPD 8
-.Os
-.Sh NAME
-.Nm isakmpd
-.Nd ISAKMP/Oakley a.k.a. IKE key management daemon
-.Sh SYNOPSIS
-.Nm isakmpd
-.Bk -words
-.Op Fl 4
-.Op Fl 6
-.Op Fl c Ar config-file
-.Op Fl a
-.Op Fl d
-.Op Fl D Ar class=level
-.Op Fl f Ar fifo
-.Op Fl i Ar pid-file
-.Op Fl n
-.Op Fl p Ar listen-port
-.Op Fl P Ar local-port
-.Op Fl K
-.Op Fl L
-.Op Fl l Ar packetlog-file
-.Op Fl r Ar seed
-.Op Fl R Ar report-file
-.Op Fl v
-.Ek
-.Sh DESCRIPTION
-The
-.Nm
-daemon establishes security associations for encrypted
-and/or authenticated network traffic.
-At this moment, and probably forever, this means
-.Xr ipsec 4
-traffic.
-.Pp
-The way
-.Nm
-goes about its work is by maintaining an internal configuration
-as well as a policy database which describes what kinds of SAs to negotiate,
-and by listening for different events that trigger these negotiations.
-The events that control
-.Nm
-consist of negotiation initiations from a remote party, user input via
-a FIFO or by signals, upcalls from the kernel via a
-.Dv PF_KEY
-socket, and lastly by scheduled events triggered by timers running out.
-.Pp
-Most uses of
-.Nm
-will be to implement so called "virtual private
-networks" or VPNs for short.
-The
-.Xr vpn 8
-manual page describes how to set up
-.Nm
-for a simple VPN.
-For other uses, some more knowledge of IKE as a protocol is required.
-One source of information are the RFCs mentioned below.
-.Pp
-On startup
-.Nm
-forks into two processes for privilege separation.
-The unprivileged child jails itself with
-.Xr chroot 8
-to
-.Pa /var/empty .
-The privileged process communicates with the child, reads configuration files
-and PKI information and binds to privileged ports on its behalf.
-See
-.Sx CAVEATS
-section below.
-.Pp
-The options are as follows:
-.Bl -tag -width Ds
-.It Fl 4 | Fl 6
-These options control what address family
-.Pf ( Dv AF_INET
-and/or
-.Dv AF_INET6 )
-.Nm
-will use.
-The default is to use both IPv4 and IPv6.
-.It Fl a
-If given,
-.Nm
-does not set up flows automatically.
-This is useful when flows are configured with
-.Xr ipsecadm 4
-or by other programs like
-.Xr bgpd 8 .
-Thus
-.Nm
-only takes care of the SA establishment.
-.It Fl c Ar config-file
-If given, the
-.Fl c
-option specifies an alternate configuration file instead of
-.Pa /etc/isakmpd/isakmpd.conf .
-As this file may contain sensitive information, it must be readable
-only by the user running the daemon.
-.Nm
-will reread the configuration file when sent a
-.Dv SIGHUP
-signal.
-.It Fl d
-The
-.Fl d
-option is used to make the daemon run in the foreground, logging to stderr.
-.It Xo Fl D
-.Ar class Ns = Ns Ar level
-.Xc
-Debugging class.
-It's possible to specify this argument many times.
-It takes a parameter of the form
-.Ar class Ns = Ns Ar level ,
-where both
-.Ar class
-and
-.Ar level
-are numbers.
-.Ar class
-denotes a debugging class, and
-.Ar level
-the level you want that debugging class to
-limit debug printouts at (i.e., all debug printouts above the level specified
-will not output anything).
-If
-.Ar class
-is set to
-.Sq A ,
-then all debugging classes are set to the specified level.
-.Pp
-Valid values for
-.Ar class
-are as follows:
-.Pp
-.Bl -tag -width 2n -compact -offset indent
-.It 0
-Misc
-.It 1
-Transport
-.It 2
-Message
-.It 3
-Crypto
-.It 4
-Timer
-.It 5
-Sysdep
-.It 6
-SA
-.It 7
-Exchange
-.It 8
-Negotiation
-.It 9
-Policy
-.It 10
-FIFO user interface
-.It A
-All
-.El
-.Pp
-Currently used values for
-.Ar level
-are 0 to 99.
-.It Fl f Ar fifo
-The
-.Fl f
-option specifies the
-.Tn FIFO
-(a.k.a. named pipe) where the daemon listens for
-user requests.
-If the path given is a dash
-.Pq Sq \&- ,
-.Nm
-will listen to stdin instead.
-.It Fl i Ar pid-file
-By default the PID of the daemon process will be written to
-.Pa /var/run/isakmpd.pid .
-This path can be overridden by specifying another one as the argument to the
-.Fl i
-option.
-.It Fl n
-When the
-.Fl n
-option is given, the kernel will not take part in the negotiations.
-This is a non-destructive mode, so to speak, in that it won't alter any
-SAs in the IPsec stack.
-.It Fl p Ar listen-port
-The
-.Fl p
-option specifies the listen port the daemon will bind to.
-.It Fl P Ar local-port
-On the other hand, the port specified to capital
-.Fl P
-will be what the daemon binds its local end to when acting as
-initiator.
-.It Fl K
-When this option is given,
-.Nm
-does not read the policy configuration file and no
-.Xr keynote 4
-policy check is accomplished.
-This option can be used when policies for flows and SA establishment are
-arranged by other programs like
-.Xr ipsecadm 8
-or
-.Xr bgpd 8 .
-.It Fl L
-Enable IKE packet capture.
-When this option is given,
-.Nm
-will capture to file an unencrypted copy of the negotiation packets it
-is sending and receiving.
-This file can later be read by
-.Xr tcpdump 8
-and other utilities using
-.Xr pcap 3 .
-.It Fl l Ar packetlog-file
-As option
-.Fl L
-above, but capture to a specified file.
-.It Fl r Ar seed
-If given, a deterministic random number sequence will be used internally.
-This is useful for setting up regression tests.
-.It Fl R Ar report-file
-When you signal
-.Nm
-a
-.Dv SIGUSR1 ,
-it will report its internal state to a report file, normally
-.Pa /var/run/isakmpd.report ,
-but this can be changed by feeding
-the file name as an argument to the
-.Fl R
-flag.
-.It Fl v
-Enables verbose logging.
-Normally,
-.Nm
-is silent and outputs only messages when a warning or an error occurs.
-With verbose logging
-.Nm
-reports successful completion of phase 1 (Main and Aggressive) and phase 2
-(Quick) exchanges (Information and Transaction exchanges do not generate any
-additional status information).
-.El
-.Ss Setting up an IKE public key infrastructure (a.k.a. PKI)
-In order to use public key based authentication, there has to be an
-infrastructure managing the key signing.
-Either there is an already existing PKI
-.Nm
-should take part in, or there will be a need to set one up.
-In the former case, what is needed to be done varies depending on the
-actual Certificate Authority used, and is therefore not covered here,
-other than mentioning that
-.Xr openssl 1
-needs to be used to create a certificate signing request that the
-CA understands.
-The latter case, however, is described here:
-.Bl -enum
-.It
-Create your own CA as root.
-.Bd -literal
-# openssl genrsa -out /etc/ssl/private/ca.key 1024
-# openssl req -new -key /etc/ssl/private/ca.key \e
- -out /etc/ssl/private/ca.csr
-.Ed
-.Pp
-You are then asked to enter information that will be incorporated
-into your certificate request.
-What you are about to enter is what is called a Distinguished Name (DN).
-There are quite a few fields but you can leave some blank.
-For some fields there will be a default value; if you enter
-.Sq \&. ,
-the field will be left blank.
-.Bd -literal
-# openssl x509 -req -days 365 -in /etc/ssl/private/ca.csr \e
- -signkey /etc/ssl/private/ca.key \e
- -extfile /etc/ssl/x509v3.cnf -extensions x509v3_CA \e
- -out /etc/ssl/ca.crt
-.Ed
-.Pp
-.It
-Create keys and certificates for your IKE peers.
-This step as well as the next one, needs to be done for every peer.
-Furthermore the last step will need to be done once for each ID you
-want the peer to have.
-The 10.0.0.1 below symbolizes that ID, in this case an IPv4 ID,
-and should be changed for each invocation.
-You will be asked for a DN for each run.
-Encoding the ID in the common name is recommended, as it should be unique.
-.Bd -literal
-# openssl genrsa -out /etc/isakmpd/private/local.key 1024
-# openssl req -new -key /etc/isakmpd/private/local.key \e
- -out /etc/isakmpd/private/10.0.0.1.csr
-.Ed
-.Pp
-Now take these certificate signing requests to your CA and process
-them like below.
-You have to add a subjectAltName extension field
-to the certificate in order to make it usable by
-.Nm isakmpd .
-There are two possible ways to add the extensions to the certificate.
-Either you have to run
-.Xr certpatch 8
-or you have to make use of an OpenSSL configuration file, for example
-.Pa /etc/ssl/x509v3.cnf .
-Replace 10.0.0.1 with the IP-address which
-.Nm
-will use as the certificate identity.
-.Pp
-To use
-.Xr certpatch 8 ,
-do the following
-.Bd -literal
-# openssl x509 -req -days 365 -in 10.0.0.1.csr -CA /etc/ssl/ca.crt \e
- -CAkey /etc/ssl/private/ca.key -CAcreateserial \e
- -out 10.0.0.1.crt
-# certpatch -i 10.0.0.1 -k /etc/ssl/private/ca.key \e
- 10.0.0.1.crt 10.0.0.1.crt
-.Ed
-.Pp
-Otherwise do
-.Bd -literal
-# setenv CERTIP 10.0.0.1
-# openssl x509 -req -days 365 -in 10.0.0.1.csr -CA /etc/ssl/ca.crt \e
- -CAkey /etc/ssl/private/ca.key -CAcreateserial \e
- -extfile /etc/ssl/x509v3.cnf -extensions x509v3_IPAddr \e
- -out 10.0.0.1.crt
-.Ed
-.Pp
-For a FQDN certificate, do
-.Bd -literal
-# setenv CERTFQDN somehost.somedomain
-# openssl x509 -req -days 365 -in somehost.somedomain.csr \e
- -CA /etc/ssl/ca.crt -CAkey /etc/ssl/private/ca.key \e
- -CAcreateserial \e
- -extfile /etc/ssl/x509v3.cnf -extensions x509v3_FQDN \e
- -out somehost.somedomain.crt
-.Ed
-.Pp
-or with
-.Xr certpatch 8
-.Bd -literal
-# certpatch -t fqdn -i somehost.somedomain \e
- -k /etc/ssl/private/ca.key \e
- somehost.somedomain.crt somehost.somedomain.crt
-.Ed
-.Pp
-(This assumes the previous steps were used to create a request for
-somehost.somedomain instead of 10.0.0.1)
-.Pp
-Put the certificate (the file ending in .crt) in
-.Pa /etc/isakmpd/certs/
-on your local system.
-Also carry over the CA cert
-.Pa /etc/ssl/ca.crt
-and put it in
-.Pa /etc/isakmpd/ca/ .
-.El
-.Pp
-To revoke certificates, create a Certificate Revocation List (CRL) file
-and install it in the
-.Pa /etc/isakmpd/crls/
-directory.
-See
-.Xr openssl 1
-and the
-.Sq crl
-subcommand for more info.
-.Pp
-It is also possible to store trusted public keys to make them directly
-usable by
-.Nm isakmpd .
-The keys should be saved in PEM format (see
-.Xr openssl 1 )
-and named and stored after this easy formula:
-.Bl -tag -width for_ufqdn_identities
-.It For IPv4 identities
-/etc/isakmpd/pubkeys/ipv4/A.B.C.D
-.It For IPv6 identities
-/etc/isakmpd/pubkeys/ipv6/abcd:abcd::ab:bc
-.It For FQDN identities
-/etc/isakmpd/pubkeys/fqdn/foo.bar.org
-.It For UFQDN identities
-/etc/isakmpd/pubkeys/ufqdn/user@foo.bar.org
-.El
-.Ss The FIFO user interface
-When
-.Nm
-starts, it creates a FIFO (named pipe) where it listens for user
-requests.
-All commands start with a single letter, followed by command-specific options.
-Available commands are:
-.Bl -tag -width Ds -compact
-.Pp
-.It Ic "c <name>"
-Start the named connection, if stopped or inactive.
-.Pp
-.It Ic "C set [section]:tag=value"
-.It Ic "C set [section]:tag=value force"
-.It Ic "C add [section]:tag=value"
-.It Ic "C rm [section]:tag"
-.It Ic "C rms [section]"
-Update the running
-.Nm
-configuration atomically.
-.Sq set
-sets a configuration value consisting of a section, tag and value triplet.
-.Sq set
-will fail if the configuration already contains a section with the named tag;
-use the
-.Sq force
-option to change this behaviour.
-.Sq add
-appends a configuration value to the named configuration list tag.
-.Sq rm
-removes a tag in a section.
-.Sq rms
-removes an entire section.
-.Pp
-NOTE: Sending isakmpd a SIGHUP or an "R" through the FIFO will
-void any updates done to the configuration.
-.Pp
-.It Ic "C get [section]:tag"
-Get the configuration value of the specified section and tag.
-The result is stored in
-.Pa /var/run/isakmpd.result .
-.Pp
-.It Ic "d <cookies> <msgid>"
-Delete the specified SA from the system.
-Specify <msgid> as "-" to match a Phase 1 SA.
-.Pp
-.It Ic "D <class> <level>"
-.It Ic "D A <level>"
-.It Ic "D T"
-Set debug class <class> to level <level>.
-If <class> is specified as "A", the level applies to all debug classes.
-"D T" toggles all debug classes to level zero.
-Another "D T" command will toggle them back to the earlier levels.
-.Pp
-.It Ic "p on[=<path>]"
-.It Ic "p off"
-Enable or disable cleartext IKE packet capture.
-When enabling, optionally specify which file
-.Nm
-should capture the packets to.
-.Pp
-.It Ic "Q"
-Cleanly shutdown the daemon, as when sent a
-.Dv SIGTERM
-signal.
-.Pp
-.It Ic "r"
-Report
-.Nm
-internal state to a file.
-See
-.Fl R
-option.
-Same as when sent a
-.Dv SIGUSR1
-signal.
-.Pp
-.It Ic "R"
-Reinitialize
-.Nm isakmpd ,
-as when sent a
-.Dv SIGHUP
-signal.
-.Pp
-.It Ic "S"
-Report information on all known SAs to the
-.Pa /var/run/isakmpd.result
-file.
-.Pp
-.It Ic "t <name>"
-Tear down the named connection, if active.
-.Pp
-.It Ic "T"
-Tear down all active connections.
-.El
-.Sh FILES
-.Bl -tag -width /etc/isakmpd/private/local.
-.It Pa /etc/isakmpd/ca/
-The directory where CA certificates can be found.
-.It Pa /etc/isakmpd/certs/
-The directory where IKE certificates can be found, both the local
-certificate(s) and those of the peers, if a choice to have them kept
-permanently has been made.
-.It Pa /etc/isakmpd/crls/
-The directory where CRLs can be found.
-.It Pa /etc/isakmpd/isakmpd.conf
-The configuration file.
-As this file can contain sensitive information
-it must not be readable by anyone but the user running
-.Nm isakmpd .
-.It Pa /etc/isakmpd/isakmpd.policy
-The keynote policy configuration file.
-The same mode requirements as
-.Nm isakmpd.conf .
-.It Pa /etc/isakmpd/private/local.key
-A local private key for certificate based authentication.
-There has to be a certificate for this key in the certificate directory
-mentioned above.
-The same mode requirements as
-.Nm isakmpd.conf .
-.It Pa /etc/isakmpd/pubkeys/
-Directory in which trusted public keys can be kept.
-The keys must be named in the fashion described above.
-.It Pa /var/run/isakmpd.pid
-The PID of the current daemon.
-.It Pa /var/run/isakmpd.fifo
-The FIFO used to manually control
-.Nm isakmpd .
-.It Pa /var/run/isakmpd.pcap
-The default IKE packet capture file.
-.It Pa /var/run/isakmpd.report
-The report file written when
-.Dv SIGUSR1
-is received.
-.It Pa /var/run/isakmpd.result
-The report file written when the
-.Sq S
-or
-.Sq "C get"
-command is issued in the command FIFO.
-.It Pa /usr/share/ipsec/isakmpd/
-A directory containing some sample
-.Nm
-and keynote policy configuration files.
-.El
-.Sh SEE ALSO
-.Xr openssl 1 ,
-.Xr getnameinfo 3 ,
-.Xr pcap 3 ,
-.Xr ipsec 4 ,
-.Xr isakmpd.conf 5 ,
-.Xr isakmpd.policy 5 ,
-.Xr ssl 8 ,
-.Xr tcpdump 8 ,
-.Xr vpn 8
-.Sh HISTORY
-The ISAKMP/Oakley key management protocol is described in the RFCs
-.%T RFC 2407 ,
-.%T RFC 2408
-and
-.%T RFC 2409 .
-This implementation was done 1998 by Niklas Hallqvist and Niels Provos,
-sponsored by Ericsson Radio Systems.
-.Sh CAVEATS
-When storing a trusted public key for an IPv6 identity, the
-.Em most efficient
-form of address representation, i.e "::" instead of ":0:0:0:",
-must be used or the matching will fail.
-.Nm
-uses the output from
-.Xr getnameinfo 3
-for the address-to-name translation.
-The privileged process only allows binding to the default port 500 or
-unprivileged ports (>1024).
-It is not possible to change the interfaces
-.Nm
-listens on without a restart.
-.Sh BUGS
-The
-.Fl P
-flag does not do what we document, rather it does nothing.
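Review bot: this hunk removes the entire isakmpd.8 manual page (`--- a/keyexchange/isakmpd-20041012/isakmpd.8`, `+++ /dev/null`, `@@ -1,603 +0,0 @@`) with no replacement, and because the diffstat is limited to this one file it is not visible whether the rest of keyexchange/isakmpd-20041012/ goes away in the same commit. If the vendored 2004 source tree stays, the page should stay with it, since it is the only place in this tree that documents the daemon's operational security requirements: that isakmpd.conf, isakmpd.policy and private/local.key "must not be readable by anyone but the user running" the daemon, that the privileged half of the privsep pair "only allows binding to the default port 500 or unprivileged ports (>1024)", and the BUGS entry that the `-P` flag "does nothing". If the whole snapshot is being retired, that intent should be stated alongside the deletion; if a newer page is to replace this one, those three points and the FIFO/SIGHUP caveat (config updates made through `C set` are voided by a reload) should be carried over rather than dropped.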