1IPSEC_PLUTO(8)                Executable programs               IPSEC_PLUTO(8)
2
3
4

NAME

6       ipsec_pluto, ipsec_whack, pluto - ipsec whack : IPsec IKE keying daemon
7       and control interface
8

SYNOPSIS

10       ipsec pluto [--help] [--version] [--leak-detective] [--efence-protect]
11             [--config filename] [--vendorid VID] [--nofork] [--stderrlog]
12             [--logfile filename] [--log-no-time] [--log-no-append]
13             [--log-no-ip] [--log-no-audit] [--use-netkey] [--use-bsdkame]
14             [--uniqueids] [--virtual-private network_list]
15             [--keep-alive delay_sec] [--force-busy] [--crl-strict]
16             [--crlcheckinterval] [--interface interfacename]
17             [--listen ipaddr] [--ikeport portnumber]
18             [--natikeport portnumber] [--rundir path]
19             [--secretsfile secrets-file] [--nhelpers number]
20             [--seedbits numbits] [--ipsecdir dirname] [--nssdir dirname]
21             [--coredir dirname] [--statsbin filename]
22             [--secctx-attr-type number]
23
24       ipsec whack [--help] [--version]
25
26       ipsec whack --name connection-name [[--ipv4] | [--ipv6]]
27             [[--tunnelipv4] | [--tunnelipv6]]
28             [--id identity] [--host ip-address] [--cert friendly_name]
29             [--ckaid CKAID] [--ca distinguished name]
30             [--groups access control groups]
31             [--sendcert yes | forced | always | ifasked | no | never]
32             [--sendca none | issuer | all] [--certtype number]
33             [--ikeport portnumber] [--nexthop ip-address] [[--client subnet]]
34             [--clientprotoport protocol/port] [--srcip ip-address]
35             [--xauthserver] [--xauthclient] [--modecfgserver]
36             [--modecfgclient] [--modecfgdns ip-address, ip-address, ...]
37             [--modecfgdomains DNS-domain, DNS-domain, ...]
38             [--modecfgbanner login-banner] [--dnskeyondemand]
39             [--updown updown]
40             --to
41             [--id identity] [--host ip-address] [--cert friendly_name]
42             [--ckaid CKAID] [--ca distinguished name]
43             [--groups access control groups]
44             [--sendcert yes | always | ifasked | no | never]
45             [--certtype number] [--ikeport port-number]
46             [--nexthop ip-address] [--client subnet]
47             [--clientprotoport protocol/port] [--srcip ip-address]
48             [--xauthserver] [--xauthclient] [--modecfgserver]
49             [--modecfgclient] [--modecfgdns ip-address, ip-address, ...]
50             [--modecfgdomains DNS-domain, DNS-domain, ...] [--dnskeyondemand]
51             [--updown updown]
52
53             [--tunnel] [--psk] [--rsasig] [--encrypt] [--authenticate]
54             [--compress] [--pfs]
55             [--pfsgroup [modp1024] | [modp1536] | [modp2048] | [modp3072] | [modp4096] | [modp6144] | [modp8192] | [dh22] | [dh23] | [dh24]]
56             [--ikelifetime seconds] [--ipseclifetime seconds]
57             [--rekeymargin seconds] [--rekeyfuzz percentage]
58             [--keyingtries count] [--esp esp-algos] [--dontrekey]
59             [--aggrmode] [--modecfgpull] [--metric metric]
60             [--nflog-group nflognum] [--conn-mark mark/mask]
61             [[--dpddelay seconds] | [--dpdtimeout seconds]]
62             [--dpdaction [clear] | [hold] | [restart]] [--forceencaps]
63             [--no-keep-alive]
64             [[--initiateontraffic] | [--pass] | [--drop] | [--reject]]
65             [[--failnone] | [--failpass] | [--faildrop] | [--failreject]]
66             [--rundir path] [--ctlsocket path/file] [--label string]
67
68       ipsec whack --keyid id [--addkey] [--pubkeyrsa key] [--rundir path]
69             [--ctlsocket path/file] [--label string]
70
71       ipsec whack --listen | --unlisten  [--rundir path]
72             [--ctlsocket path/file] [--label string]
73
74       ipsec whack --ddos-auto | --ddos-busy | --ddos-unlimited
75             [--rundir path] [--ctlsocket path/file]
76
77       ipsec whack --route | --unroute  --name connection-name [--rundir path]
78             [--ctlsocket path/file] [--label string]
79
80       ipsec whack --initiate | [--remote-host ip-address] | --terminate |
81             --rekey-ike | --rekey-ipsec  --name connection-name
82             [--xauthuser user] [--xauthpass pass] [--asynchronous]
83             [--rundir path] [--ctlsocket path/file] [--label string]
84
85       ipsec whack --global-redirect yes|no|auto
86
87       ipsec whack --global-redirect-to ip-address(es)
88
89       ipsec whack [--name connection-name] --redirect-to ip-address(es)
90
91       ipsec whack [[--tunnelipv4] | [--tunnelipv6]] --oppohere ip-address
92             --oppothere ip-address --opposport port --oppodport port
93             --oppoproto protocol
94
95       ipsec whack --crash [ipaddress]
96
97       ipsec whack --name connection-name --delete [--ctlbase path]
98             [--label string]
99
100       ipsec whack --deletestate state-number [--rundir path]
101             [--ctlsocket path/file] [--label string]
102
103       ipsec whack --deleteuser --name username [--rundir path]
104             [--ctlsocket path/file] [--label string]
105
106       ipsec whack [--name connection-name]
107             {--debug help | none | base | cpu-usage | class} |
108             {--no-debug class} | {--impair help | none | behaviour} |
109             {--no-impair behaviour}
110
111       ipsec whack [--utc] [--listall] [--listpubkeys] [--listcerts]
112             [--listcacerts] [--listcrls]
113
114       ipsec whack [--utc] [--rereadsecrets] [--fetchcrls] [--rereadall]
115
116       ipsec whack --ddns
117
118       ipsec whack --listevents
119
120       ipsec whack --purgeocsp
121
122       ipsec whack --status --trafficstatus --shuntstatus --addresspoolstatus
123             --processstatus [--rundir path] [--ctlsocket path/file]
124             [--label string]
125
126       ipsec whack --globalstats --clearstats [--rundir path]
127             [--ctlsocket path/file] [--label string]
128
129       ipsec whack [--ike-socket-bufsize bufsize]
130             [--ike-socket-errqueue-toggle] [--rundir path]
131             [--ctlsocket path/file] [--label string]
132
133       ipsec whack --shutdown [--rundir path] [--ctlsocket path/file]
134             [--label string] [--leave-state]
135

DESCRIPTION

137       pluto is an IKE ("IPsec Key Exchange") daemon.  whack is an auxiliary
138       program to allow requests to be made to a running pluto.
139
140       pluto is used to automatically build shared "security associations" on
141       a system that has IPsec, the secure IP protocol. In other words, pluto
142       can eliminate much of the work of manual keying. The actual secure
143       transmission of packets is the responsibility of other parts of the
144       system - the kernel. Pluto can talk to various kernel implementations,
145       such as the Linux XFRM and BSD KAME IPsec stacks.  ipsec_auto(8)
146       provides a more convenient interface to pluto and whack.
147
148   IKE's Job
149       A Security Association (SA) is an agreement between two network nodes
150       on how to process certain traffic between them. This processing
151       involves encapsulation, authentication, encryption, or compression.
152
153       IKE can be deployed on a network node to negotiate Security
154       Associations for that node. These IKE implementations can only
155       negotiate with other IKE implementations, so IKE must be on each node
156       that is to be an endpoint of an IKE-negotiated Security Association. No
157       other nodes need to be running IKE.
158
159       An IKE instance (i.e. an IKE implementation on a particular network
160       node) communicates with another IKE instance using UDP IP packets, so
161       there must be a route between the nodes in each direction.
162
163       The negotiation of Security Associations requires a number of choices
164       that involve tradeoffs between security, convenience, trust, and
165       efficiency. These are policy issues and are normally specified to the
166       IKE instance by the system administrator.
167
168       IKE deals with two kinds of Security Associations. The first part of a
169       negotiation between IKE instances is to build an ISAKMP SA. An ISAKMP
170       SA is used to protect communication between the two IKEs. IPsec SAs can
171       then be built by the IKEs - these are used to carry protected IP
172       traffic between the systems.
173
174       The negotiation of the ISAKMP SA is known as Phase 1. In theory, Phase
175       1 can be accomplished by a couple of different exchange types.
176       Currently, Main Mode and Aggressive Mode are implemented.
177
178       Any negotiation under the protection of an ISAKMP SA, including the
179       negotiation of IPsec SAs, is part of Phase 2. The exchange type that we
180       use to negotiate an IPsec SA is called Quick Mode.
181
182       IKE instances must be able to authenticate each other as part of their
183       negotiation of an ISAKMP SA. This can be done by several mechanisms
184       described in the draft standards.
185
186       IKE negotiation can be initiated by any instance with any other. If
187       both can find an agreeable set of characteristics for a Security
188       Association, and both recognize each others authenticity, they can set
189       up a Security Association. The standards do not specify what causes an
190       IKE instance to initiate a negotiation.
191
192       In summary, an IKE instance is prepared to automate the management of
193       Security Associations in an IPsec environment, but a number of issues
194       are considered policy and are left in the system administrator's hands.
195
196   Pluto
197       pluto is an implementation of IKE. It runs as a daemon on a network
198       node. Currently, this network node must be a Linux system running the
199       XFRM IPsec stack, or a FreeBSD/NetBSD/Mac OSX system running the KAME
200       IPsec stack.
201
202       pluto implements a large subset of IKEv1 and IKEv2.
203
204       The policy for acceptable characteristics for Security Associations is
205       mostly hardwired into the code of pluto (spdb.c). Eventually this will
206       be moved into a security policy database with reasonable expressive
207       power and more convenience.
208
209       pluto uses shared secrets or RSA signatures to authenticate peers with
210       whom it is negotiating. These RSA signatures can come from DNS(SEC), a
211       configuration file, or from X.509 and CA certificates.
212
213       pluto initiates negotiation of a Security Association when it is
214       manually prodded: the program whack is run to trigger this. It will
215       also initiate a negotiation when IPsec traps an outbound packet for
216       Opportunistic Encryption.
217
218       pluto implements ISAKMP SAs itself. After it has negotiated the
219       characteristics of an IPsec SA, it directs the kernel to implement it.
220       If necessary, it also invokes a script to adjust any firewall and issue
221       route(8) commands to direct IP packets.
222
223       When pluto shuts down, it closes all Security Associations.
224
225   Before Running Pluto
226       pluto runs as a daemon with userid root. Before running it, a few
227       things must be set up.
228
229       pluto requires a working IPsec stack.
230
231       pluto supports multiple public networks (that is, networks that are
232       considered insecure and thus need to have their traffic encrypted or
233       authenticated). It discovers the public interfaces to use by looking at
234       all interfaces that are configured (the --interface option can be used
235       to limit the interfaces considered). It does this only when whack tells
236       it to --listen, so the interfaces must be configured by then. The
237       --listen can be used to limit listening on only 1 IP address of a
238       certain interface.  ifconfig(8) or ip(8) with the -a flag will show the
239       name and status of each network interface.
240
241       pluto requires a database of preshared secrets and RSA private keys.
242       This is described in the ipsec.secrets(5).  pluto is told of RSA public
243       keys via whack commands. If the connection is Opportunistic, and no RSA
244       public key is known, pluto will attempt to fetch RSA keys using the
245       Domain Name System.
246
247   Setting up XFRM for pluto
248       No special requirements are necessary to use XFRM - it ships with all
249       modern versions of Linux 2.4 and later.
250
251   ipsec.secrets file
252       A pluto daemon and another IKE daemon (for example, another instance of
253       pluto) must convince each other that they are who they are supposed to
254       be before any negotiation can succeed. This authentication is
255       accomplished by using either secrets that have been shared beforehand
256       (manually) or by using RSA signatures. There are other techniques, but
257       they have not been implemented in pluto.
258
259       The file /etc/ipsec.secrets is used to keep preshared secret keys and
260       XAUTH passwords. RSA private keys, X.509 certificates, CRLs, OCSP and
261       smartcards are handled via NSS. For debugging, there is an argument to
262       the pluto command to use a different file. This file is described in
263       ipsec.secrets(5).
264
265   Running Pluto
266       To fire up the daemon, just type pluto (be sure to be running as the
267       superuser). The default IKE port number is 500, the UDP port assigned
268       by IANA for IKE Daemons.  pluto must be run by the superuser to be able
269       to use the UDP 500 port. If pluto is told to enable NAT-Traversal, then
270       UDP port 4500 is also taken by pluto to listen on.
271
272       Pluto supports different IPstacks on different operating systems. This
273       can be configured using one of the options --use-netkey (Linux),
274       --use-bsdkame (BSD). On startup, pluto might also read the protostack=
275       option to select the IPsec stack to use if --config /etc/ipsec.conf is
276       given as argument to pluto. If both --use-XXX and --config
277       /etc/ipsec.conf are specified, the last command line argument specified
278       takes precedence.
279
280       Pluto supports RFC 3947 NAT-Traversal. The allowed range behind the NAT
281       routers is submitted using the --virtual-private option. See
282       ipsec.conf(5) for the syntax. The option --force-keepalive forces the
283       sending of the keep-alive packets, which are send to prevent the NAT
284       router from closing its port when there is not enough traffic on the
285       IPsec connection. The --keep-alive sets the delay (in seconds) of these
286       keep-alive packets. The newer NAT-T standards support port floating,
287       and Libreswan enables this per default.
288
289       Pluto supports the use of X.509 certificates and sends certificates
290       when needed. Pluto uses NSS for all X.509 related data, including
291       CAcerts, certs, CRLs and private keys. The Certificate Revocation Lists
292       can also be retrieved from an URL. The option --crlcheckinterval sets
293       the time between checking for CRL expiration and issuing new fetch
294       commands. The first attempt to update a CRL is started at
295       2*crlcheckinterval before the next update time. Pluto logs a warning if
296       no valid CRL was loaded or obtained for a connection. If --crl-strict
297       is given, the connection will be rejected until a valid CRL has been
298       loaded.
299
300       Pluto can also use helper children to off-load cryptographic
301       operations. This behavior can be fine tuned using the --nhelpers. Pluto
302       will start (n-1) of them, where n is the number of CPU's you have
303       (including hypherthreaded CPU's). A value of 0 forces pluto to do all
304       operations in the main process. A value of -1 tells pluto to perform
305       the above calculation. Any other value forces the number to that
306       amount.
307
308       Pluto uses the NSS crypto library as its random source. Some government
309       Three Letter Agency requires that pluto reads 440 bits from /dev/random
310       and feed this into the NSS RNG before drawing random from the NSS
311       library, despite the NSS library itself already seeding its internal
312       state. As this process can block pluto for an extended time, the
313       default is to not perform this redundant seeding. The --seedbits option
314       can be used to specify the number of bits that will be pulled from
315       /dev/random and seeded into the NSS RNG. This can also be accomplished
316       by specifying seedbits in the "config setup" section of ipsec.conf.
317       This option should not be used by most people.
318
319       pluto attempts to create a lockfile with the name
320       /var/run/pluto/pluto.pid. If the lockfile cannot be created, pluto
321       exits - this prevents multiple plutos from competing Any "leftover"
322       lockfile must be removed before pluto will run.  pluto writes its PID
323       into this file so that scripts can find it. This lock will not function
324       properly if it is on an NFS volume (but sharing locks on multiple
325       machines doesn't make sense anyway).
326
327       pluto then forks and the parent exits. This is the conventional "daemon
328       fork". It can make debugging awkward, so there is an option to suppress
329       this fork. In certain configurations, pluto might also launch helper
330       programs to assist with DNS queries or to offload cryptographic
331       operations.
332
333       All logging, including diagnostics, is sent to syslog(3) with
334       facility=authpriv; it decides where to put these messages (possibly in
335       /var/log/secure or /var/log/auth.log). Since this too can make
336       debugging awkward, the option --stderrlog is used to steer logging to
337       stderr.
338
339       Alternatively, --logfile can be used to send all logging information to
340       a specific file.
341
342       Once pluto is started, it waits for requests from whack.
343
344   Pluto's Internal State
345       To understand how to use pluto, it is helpful to understand a little
346       about its internal state. Furthermore, the terminology is needed to
347       decipher some of the diagnostic messages.
348
349       Pluto supports food groups for Opportunistic IPsec. The policies for
350       these are located in /etc/ipsec.d/policies, or another directory as
351       specified by --ipsecdir.
352
353       Pluto supports X.509 Certificates. All certificate handling is done
354       using the NSS library and all certificate material is stored in an NSS
355       database in /var/lib/ipsec/nss or another directory as specified by
356       --nssdir.
357
358       Pluto may core dump. It will normally do so into the current working
359       directory. You can specify the --coredir option for pluto, or specify
360       the dumpdir= option in ipsec.conf.
361
362       If you are investigating a potential memory leak in pluto, start pluto
363       with the --leak-detective option. Before the leak causes the system or
364       pluto to die, shut down pluto in the regular way. pluto will display a
365       list of leaks it has detected.
366
367       If you are investigating a potential use-after-free or double-free in
368       pluto, first build pluto with USE_EFENCE=true and then start pluto with
369       --efence-protect. See efence(2) and EF_PROTECT_BELOW and
370       EF_PROTECT_FREE.
371
372       The (potential) connection database describes attributes of a
373       connection. These include the IP addresses of the hosts and client
374       subnets and the security characteristics desired.  pluto requires this
375       information (simply called a connection) before it can respond to a
376       request to build an SA. Each connection is given a name when it is
377       created, and all references are made using this name.
378
379       During the IKE exchange to build an SA, the information about the
380       negotiation is represented in a state object. Each state object
381       reflects how far the negotiation has reached. Once the negotiation is
382       complete and the SA established, the state object remains to represent
383       the SA. When the SA is terminated, the state object is discarded. Each
384       State object is given a serial number and this is used to refer to the
385       state objects in logged messages.
386
387       Each state object corresponds to a connection and can be thought of as
388       an instantiation of that connection. At any particular time, there may
389       be any number of state objects corresponding to a particular
390       connection. Often there is one representing an ISAKMP SA and another
391       representing an IPsec SA.
392
393       XFRM requires no special routing.
394
395       Each connection may be routed, and must be while it has an IPsec SA.
396       The connection specifies the characteristics of the route: the
397       interface on this machine, the "gateway" (the nexthop), and the peer's
398       client subnet. Two connections may not be simultaneously routed if they
399       are for the same peer's client subnet but use different interfaces or
400       gateways (pluto's logic does not reflect any advanced routing
401       capabilities).
402
403       When pluto needs to install a route for a connection, it must make sure
404       that no conflicting route is in use. If another connection has a
405       conflicting route, that route will be taken down, as long as there is
406       no IPsec SA instantiating that connection. If there is such an IPsec
407       SA, the attempt to install a route will fail.
408
409       There is an exception. If pluto, as Responder, needs to install a route
410       to a fixed client subnet for a connection, and there is already a
411       conflicting route, then the SAs using the route are deleted to make
412       room for the new SAs. The rationale is that the new connection is
413       probably more current. The need for this usually is a product of Road
414       Warrior connections (these are explained later; they cannot be used to
415       initiate).
416
417       When pluto needs to install an eroute for an IPsec SA (for a state
418       object), first the state object's connection must be routed (if this
419       cannot be done, the eroute and SA will not be installed). If a
420       conflicting eroute is already in place for another connection, the
421       eroute and SA will not be installed (but note that the routing
422       exception mentioned above may have already deleted potentially
423       conflicting SAs). If another IPsec SA for the same connection already
424       has an eroute, all its outgoing traffic is taken over by the new
425       eroute. The incoming traffic will still be processed. This
426       characteristic is exploited during rekeying.
427
428   Using whack
429       whack is used to command a running pluto.  whack uses a UNIX domain
430       socket to speak to pluto (by default, /var/pluto.ctl).
431
432       whack has an intricate argument syntax. This syntax allows many
433       different functions to be specified. The help form shows the usage or
434       version information. The connection form gives pluto a description of a
435       potential connection. The public key form informs pluto of the RSA
436       public key for a potential peer. The delete form deletes a connection
437       description and all SAs corresponding to it. The listen form tells
438       pluto to start or stop listening on the public interfaces for IKE
439       requests from peers. The route form tells pluto to set up routing for a
440       connection; the unroute form undoes this. The initiate form tells pluto
441       to negotiate an SA corresponding to a connection. The terminate form
442       tells pluto to remove all SAs corresponding to a connection, including
443       those being negotiated. The status form displays the pluto's internal
444       state. The debug form tells pluto to change the selection of debugging
445       output "on the fly". The shutdown form tells pluto to shut down,
446       deleting all SAs.
447
448       The crash option asks pluto to consider a particularly target IP to
449       have crashed, and to attempt to restart all connections with that IP
450       address as a gateway. In general, you should use Dead Peer Detection to
451       detect this kind of situation automatically, but this is not always
452       possible.
453
454       Most options are specific to one of the forms, and will be described
455       with that form. There are three options that apply to all forms.
456
457       --ctlsocket path/file
458           file is used as the UNIX domain socket for talking to pluto. Use
459           either this option or --rundir, but not both.
460
461       --rundir path
462           path where the UNIX domain socket for talking to the pluto, the
463           pluto.pid file and the pluto.lock files are found. Use either this
464           option or --ctlsocket, but not both.
465
466       --label string
467           adds the string to all error messages generated by whack.
468
469       The help form of whack is self-explanatory.
470
471       --help
472           display the usage message.
473
474       --version
475           display the version of whack.
476
477       The connection form describes a potential connection to pluto.  pluto
478       needs to know what connections can and should be negotiated. When pluto
479       is the initiator, it needs to know what to propose. When pluto is the
480       responder, it needs to know enough to decide whether is is willing to
481       set up the proposed connection.
482
483       The description of a potential connection can specify a large number of
484       details. Each connection has a unique name. This name will appear in a
485       updown shell command, so it should not contain punctuation that would
486       make the command ill-formed.
487
488       --name connection-name
489           sets the name of the connection
490
491       The topology of a connection is symmetric, so to save space here is
492       half a picture:
493
494          client_subnet<-->host:ikeport<-->nexthop<---
495
496       A similar trick is used in the flags. The same flag names are used for
497       both ends. Those before the --to flag describe the left side and those
498       afterwards describe the right side. When pluto attempts to use the
499       connection, it decides whether it is the left side or the right side of
500       the connection, based on the IP numbers of its interfaces.
501
502       --id id
503           the identity of the end. Currently, this can be an IP address
504           (specified as dotted quad or as a Fully Qualified Domain Name,
505           which will be resolved immediately) or as a Fully Qualified Domain
506           Name itself (prefixed by "@" to signify that it should not be
507           resolved), or as user@FQDN, or an X.509 DN.  Pluto only
508           authenticates the identity, and does not use it for addressing, so,
509           for example, an IP address need not be the one to which packets are
510           to be sent. If the option is absent, the identity defaults to the
511           IP address specified by --host.
512
513       --host ip-address, --host %any, --host %opportunistic
514           the IP address of the end (generally the public interface). If
515           pluto is to act as a responder for IKE negotiations initiated from
516           unknown IP addresses (the "Road Warrior" case), the IP address
517           should be specified as %any (currently, the obsolete notation
518           0.0.0.0 is also accepted for this). If pluto is to
519           opportunistically initiate the connection, use %opportunistic
520
521       --cert friendly_name
522           The friendly_name (or nickname) of the X.509 certificate that was
523           used when imported the certificate into the NSS database. See
524           ipsec.conf(5) on how to extract this from the PKCS#12 file.
525
526       --ckaid CKAID
527           The hex CKAID of the X.509 certificate. Certificates are stored in
528           the NSS database.
529
530       --ca distinguished name
531           the X.509 Certificate Authority's Distinguished Name (DN) used as
532           trust anchor for this connection. This is the CA certificate that
533           signed the host certificate, as well as the certificate of the
534           incoming client.
535
536       --groups access control groups
537           the access control groups used.
538
539       --sendcert yes|forced|always|ifasked|no|never
540           Whether or not to send our X.509 certificate credentials. This
541           could potentially give an attacker too much information about which
542           identities are allowed to connect to this host. The default is to
543           use ifasked when we are a Responder, and to use yes (which is the
544           same as forced and always if we are an Initiator. The values no and
545           never are equivalent. NOTE: "forced" does not seem to be actually
546           implemented - do not use it.
547
548       --sendca none|issuer|all
549           How much of our available X.509 trust chain to send with the end
550           certificate, excluding any root CAs. Specifying issuer sends just
551           the issuing intermediate CA, while
552            all will send the entire chain of intermediate CAs.none will not
553           send any CA certs. The default is none which maintains the current
554           libreswan behavior.
555
556       --certtype number
557           The X.509 certificate type number.
558
559       --ikeport port-number
560           the UDP port that IKE listens to on that host. The default is 500.
561           (pluto on this machine uses the port specified by its own command
562           line argument, so this only affects where pluto sends messages.)
563
564       --nexthop ip-address
565           where to route packets for the peer's client (presumably for the
566           peer too, but it will not be used for this). When pluto installs an
567           IPsec SA, it issues a route command. It uses the nexthop as the
568           gateway. The default is the peer's IP address (this can be
569           explicitly written as %direct; the obsolete notation 0.0.0.0 is
570           accepted). This option is necessary if pluto's host's interface
571           used for sending packets to the peer is neither point-to-point nor
572           directly connected to the peer.
573
574       --client subnet
575           the subnet for which the IPsec traffic will be destined. If not
576           specified, the host will be the client. The subnet can be specified
577           in any of the forms supported by ipsec_atosubnet(3). The general
578           form is address/mask. The address can be either a domain name or
579           four decimal numbers (specifying octets) separated by dots. The
580           most convenient form of the mask is a decimal integer, specifying
581           the number of leading one bits in the mask. So, for example,
582           10.0.0.0/8 would specify the class A network "Net 10".
583
584       --clientprotoport protocol/port
585           specify the Port Selectors (filters) to be used on this connection.
586           The general form is protocol/port. This is most commonly used to
587           limit the connection to L2TP traffic only by specifying a value of
588           17/1701 for UDP (protocol 17) and port 1701. The notation 17/%any
589           can be used to allow all UDP traffic and is needed for L2TP
590           connections with Windows XP machines before Service Pack 2.
591
592       --srcip ip-address
593           the IP address for this host to use when transmitting a packet to
594           the remote IPsec gateway itself. This option is used to make the
595           gateway itself use its internal IP, which is part of the --client
596           subnet. Otherwise it will use its nearest IP address, which is its
597           public IP address, which is not part of the subnet-subnet IPsec
598           tunnel, and would therefore not get encrypted.
599
600       --xauthserver
601           this end is an xauthserver. It will lookup the xauth user name and
602           password and verify this before allowing the connection to get
603           established.
604
605       --xauthclient
606           this end is an xauthclient. To bring this connection up with the
607           --initiate also requires the client to specify --xauthuser username
608           and --xauthpass password
609
610       --xauthuser
611           The username for the xauth authentication.This option is normally
612           passed along by ipsec_auto(8) when an xauth connection is started
613           using ipsec auto --up conn
614
615       --xauthpass
616           The password for the xauth authentication. This option is normally
617           passed along by ipsec_auto(8) when an xauth connection is started
618           using ipsec auto --up conn
619
620       --modecfgserver
621           this end is an Mode Config server
622
623       --modecfgclient
624           this end is an Mode Config client
625
626       --modecfgdns
627           A comma separated list of DNS server IP's to pass along to
628           connecting clients
629
630       --modecfgdomains
631           A comma separated list of internal DNS domains to pass along to
632           connecting clients
633
634       --dnskeyondemand
635           specifies that when an RSA public key is needed to authenticate
636           this host, and it isn't already known, fetch it from DNS.
637
638       --updown updown
639           specifies an external shell command to be run whenever pluto brings
640           up or down a connection. The script is used to build a shell
641           command, so it may contain positional parameters, but ought not to
642           have punctuation that would cause the resulting command to be
643           ill-formed. The default is ipsec _updown. Pluto passes a dozen
644           environment variables to the script about the connection involved.
645
646       --to
647           separates the specification of the left and right ends of the
648           connection. Pluto tries to decide whether it is left or right based
649           on the information provided on both sides of this option.
650
651       The potential connection description also specifies characteristics of
652       rekeying and security.
653
654       --psk
655           Propose and allow preshared secret authentication for IKE peers.
656           This authentication requires that each side use the same secret.
657           May be combined with --rsasig; at least one must be specified.
658
659       --rsasig
660           Propose and allow RSA signatures for authentication of IKE peers.
661           This authentication requires that each side have have a private key
662           of its own and know the public key of its peer. May be combined
663           with --psk; at least one must be specified.
664
665       --encrypt
666           All proposed or accepted IPsec SAs will include non-null ESP. The
667           actual choices of transforms are wired into pluto.
668
669       --authenticate
670           All proposed IPsec SAs will include AH. All accepted IPsec SAs will
671           include AH or ESP with authentication. The actual choices of
672           transforms are wired into pluto. Note that this has nothing to do
673           with IKE authentication.
674
675       --compress
676           All proposed IPsec SAs will include IPCOMP (compression).
677
678       --tunnel
679           the IPsec SA should use tunneling. Implicit if the SA is for
680           clients. Must only be used with --authenticate or --encrypt.
681
682       --ipv4
683           The host addresses will be interpreted as IPv4 addresses. This is
684           the default. Note that for a connection, all host addresses must be
685           of the same Address Family (IPv4 and IPv6 use different Address
686           Families).
687
688       --ipv6
689           The host addresses (including nexthop) will be interpreted as IPv6
690           addresses. Note that for a connection, all host addresses must be
691           of the same Address Family (IPv4 and IPv6 use different Address
692           Families).
693
694       --tunnelipv4
695           The client addresses will be interpreted as IPv4 addresses. The
696           default is to match what the host will be. This does not imply
697           --tunnel so the flag can be safely used when no tunnel is actually
698           specified. Note that for a connection, all tunnel addresses must be
699           of the same Address Family.
700
701       --tunnelipv6
702           The client addresses will be interpreted as IPv6 addresses. The
703           default is to match what the host will be. This does not imply
704           --tunnel so the flag can be safely used when no tunnel is actually
705           specified. Note that for a connection, all tunnel addresses must be
706           of the same Address Family.
707
708       --pfs
709           There should be Perfect Forward Secrecy - new keying material will
710           be generated for each IPsec SA when running Quick Mode in IKEv1 or
711           Create Child in IKEv2. Without this option, the SAKMP SA keying
712           material is used instead.  pluto will propose the same group that
713           was used with the original IKE SA.
714
715       --pfsgroup modp-group
716           Sets the Diffie-Hellman group used. Currently the following values
717           are supported: modp1024 (DHgroup 2), modp1536 (DHgroup 5), modp2048
718           (DHgroup 14), modp3072 (DHgroup 15), modp4096 (DHgroup 16),
719           modp6144 (DHgroup 17), and modp8192 (DHgroup 18). It is possible to
720           support the weak and broken modp768 (DHgroup 1), but this requires
721           a manual recompile and is strongly discouraged.
722
723       --esp esp-algos
724           ESP encryption/authentication algorithm to be used for the
725           connection (phase2 aka IPsec SA). The options must be suitable as a
726           value of ipsec_spi(8). See ipsec.conf(5) for a detailed description
727           of the algorithm format.
728
729       --aggrmode
730           This tunnel is using aggressive mode ISAKMP negotiation. The
731           default is main mode. Aggressive mode is less secure than main mode
732           as it reveals your identity to an eavesdropper, but is needed to
733           support road warriors using PSK keys or to interoperate with other
734           buggy implementations insisting on using aggressive mode.
735
736       --modecfgpull
737           Pull the Mode Config network information from the peer.
738
739       --dpddelay seconds
740           Set the delay (in seconds) between Dead Peer Detection (RFC 3706)
741           keepalives (R_U_THERE, R_U_THERE_ACK) that are sent for this
742           connection (default 30 seconds).
743
744       --timeout seconds
745           Set the length of time (in seconds) we will idle without hearing
746           either an R_U_THERE poll from our peer, or an R_U_THERE_ACK reply.
747           After this period has elapsed with no response and no traffic, we
748           will declare the peer dead, and remove the SA (default 120
749           seconds).
750
751       --dpdaction action
752           When a DPD enabled peer is declared dead, what action should be
753           taken.  hold(default) means the eroute will be put into %hold
754           status, while clearmeans the eroute and SA with both be cleared.
755           Clear is really only useful on the server of a Road Warrior config.
756           The action restart is used on tunnels that need to be permanently
757           up, and have static IP addresses. The action restart_by_peerhas
758           been obsoleted and its functionality has been moved into the
759           restart action.
760
761       --forceencaps
762           In some cases, for example when ESP packets are filtered or when a
763           broken IPsec peer does not properly recognise NAT, it can be useful
764           to force RFC-3948 encapsulation using this option. It causes pluto
765           lie and tell the remote peer that RFC-3948 encapsulation (ESP in
766           UDP port 4500 packets) is required.
767
768       If none of the --encrypt, --authenticate, --compress, or --pfs flags is
769       given, the initiating the connection will only build an ISAKMP SA. For
770       such a connection, client subnets have no meaning and must not be
771       specified.
772
773       Apart from initiating directly using the --initiate option, a tunnel
774       can be loaded with a different policy
775
776       --initiateontraffic
777           Only initiate the connection when we have traffic to send over the
778           connection
779
780       --pass
781           Allow unencrypted traffic to flow until the tunnel is initiated.
782
783       --drop
784           Drop unencrypted traffic silently.
785
786       --reject
787           Drop unencrypted traffic silently, but send an ICMP message
788           notifying the other end.
789
790       These options need to be documented
791
792       --failnone
793           to be documented
794
795       --failpass
796           to be documented
797
798       --faildrop
799           to be documented
800
801       --failreject
802           to be documented
803
804       pluto supports various X.509 Certificate related options.
805
806       --utc
807           display all times in UTC.
808
809       --listall
810           lists all of the X.509 information known to pluto.
811
812       --listpubkeys
813           list all the public keys that have been successfully loaded.
814
815       --listcerts
816           list all the X.509 certificates that are currently loaded.
817
818       --checkpubkeys
819           list all the loaded X.509 certificates that are about to expire or
820           have expired.
821
822       --listcacerts
823           list all the Certificate Authority X.509 certificates that are
824           currently loaded.
825
826       --listcrls
827           list all the loaded Certificate Revocation Lists (CRLs)
828
829       The corresponding options --rereadsecrets, --rereadall, and
830       --rereadcrls options reread this information from their respective
831       sources, and purge all the online obtained information. The option
832       --listevents lists all pending events, and the --ddns triggers the
833       Dynamic DNS update event that is normally scheduled to run once every
834       minute.
835
836       --ikelifetime seconds
837           how long pluto will propose that an ISAKMP SA be allowed to live.
838           The default is 3600 (one hour) and the maximum is 86400 (1 day).
839           This option will not affect what is accepted.  pluto will reject
840           proposals that exceed the maximum.
841
842       --ipseclifetime seconds
843           how long pluto will propose that an IPsec SA be allowed to live.
844           The default is 28800 (eight hours) and the maximum is 86400 (one
845           day). This option will not affect what is accepted.  pluto will
846           reject proposals that exceed the maximum.
847
848       --rekeymargin seconds
849           how long before an SA's expiration should pluto try to negotiate a
850           replacement SA. This will only happen if pluto was the initiator.
851           The default is 540 (nine minutes).
852
853       --rekeyfuzz percentage
854           maximum size of random component to add to rekeymargin, expressed
855           as a percentage of rekeymargin.  pluto will select a delay
856           uniformly distributed within this range. By default, the percentage
857           will be 100. If greater determinism is desired, specify 0. It may
858           be appropriate for the percentage to be much larger than 100.
859
860       --keyingtries count
861           how many times pluto should try to negotiate an SA, either for the
862           first time or for rekeying. The default value of 0 means to keep
863           trying forever.
864
865       --dontrekey
866           A misnomer. Only rekey a connection if we were the Initiator and
867           there was recent traffic on the existing connection. This applies
868           to Phase 1 and Phase 2. This is currently the only automatic way
869           for a connection to terminate. It may be useful with Road Warrior
870           or Opportunistic connections.  Since SA lifetime negotiation is
871           take-it-or-leave it, a Responder normally uses the shorter of the
872           negotiated or the configured lifetime. This only works because if
873           the lifetime is shorter than negotiated, the Responder will rekey
874           in time so that everything works. This interacts badly with
875           --dontrekey. In this case, the Responder will end up rekeying to
876           rectify a shortfall in an IPsec SA lifetime; for an ISAKMP SA, the
877           Responder will accept the negotiated lifetime.
878
879       --delete
880           when used in the connection form, it causes any previous connection
881           with this name to be deleted before this one is added. Unlike a
882           normal delete, no diagnostic is produced if there was no previous
883           connection to delete. Any routing in place for the connection is
884           undone.
885
886       --delete, --name connection-name
887           The delete form deletes a named connection description and any SAs
888           established or negotiations initiated using this connection. Any
889           routing in place for the connection is undone.
890
891       --deletestate state-number
892           The deletestate form deletes the state object with the specified
893           serial number. This is useful for selectively deleting instances of
894           connections.
895
896       The route form of the whack command tells pluto to set up routing for a
897       connection. Although like a traditional route, it uses an ipsec device
898       as a virtual interface. Once routing is set up, no packets will be sent
899       "in the clear" to the peer's client specified in the connection. A TRAP
900       shunt eroute will be installed; if outbound traffic is caught, Pluto
901       will initiate the connection. An explicit whack route is not always
902       needed: if it hasn't been done when an IPsec SA is being installed, one
903       will be automatically attempted.
904
905       --route, --name connection-name
906           When a routing is attempted for a connection, there must not
907           already be a routing for a different connection with the same
908           subnet but different interface or destination, or if there is, it
909           must not be being used by an IPsec SA. Otherwise the attempt will
910           fail.
911
912       --unroute, --name connection-name
913           The unroute form of the whack command tells pluto to undo a
914           routing.  pluto will refuse if an IPsec SA is using the connection.
915           If another connection is sharing the same routing, it will be left
916           in place. Without a routing, packets will be sent without
917           encryption or authentication.
918
919       The initiate form tells pluto to initiate a negotiation with another
920       pluto (or other IKE daemon) according to the named connection.
921       Initiation requires a route that --route would provide; if none is in
922       place at the time an IPsec SA is being installed, pluto attempts to set
923       one up.
924
925       --initiate, --name connection-name, --asynchronous
926           The initiate form of the whack command will relay back from pluto
927           status information via the UNIX domain socket (unless
928           --asynchronous is specified). The status information is meant to
929           look a bit like that from FTP. Currently whack simply copies this
930           to stderr. When the request is finished (eg. the SAs are
931           established or pluto gives up), pluto closes the channel, causing
932           whack to terminate.
933
934       The opportunistic initiate form is mainly used for debugging.
935
936       --tunnelipv4, --tunnelipv6, --oppohere  ip-address, --oppothere
937       ip-address, --opposport  port, --oppodport  port, --oppoproto  protocol
938           This will cause pluto to attempt to opportunistically initiate a
939           connection from here to the there, even if a previous attempt had
940           been made. The whack log will show the progress of this attempt.
941
942       Rekeying a connection
943
944       --rekey-ipsec, --name connection-name
945           the rekey-ipsec form tells pluto to rekey the IPsec SA (child SA)
946           of the specified connection. It does not affect the IKE SA (parent
947           SA)
948
949       --rekey-ike, --name connection-name
950           the rekey-ike form tells pluto to rekey the IKE SA (parent SA) of
951           the specified connection. It does not affect the IPsec SAs (child
952           SAs)
953
954       Ending a connection
955
956       --terminate, --name connection-name
957           the terminate form tells pluto to delete any SAs that use the
958           specified connection and to stop any negotiations in process. it
959           does not prevent new negotiations from starting (the delete form
960           has this effect).
961
962       --crash ip-address
963           If the remote peer has crashed, and therefore did not notify us, we
964           keep sending encrypted traffic, and rejecting all plaintext
965           (non-IKE) traffic from that remote peer. The --crash brings our end
966           down as well for all the known connections to the specified
967           ip-address
968
969       ip-address
970           If the remote peer has crashed, and therefore did not notify us, we
971           keep sending encrypted traffic, and rejecting all plaintext
972           (non-IKE) traffic from that remote peer. The --crash brings our end
973           down as well for all the known connections to the specified
974           ip-address
975
976       Redirecting clients can be done using IKEv2 redirect mechanism.
977
978       --global-redirect yes|no|auto
979           The --global-redirect option controls whether pluto will instruct
980           remote peers to redirect IKE/IPsec SA's during IKE_SA_INIT. Valid
981           options are no, yes and auto, where auto means remote peers will be
982           redirected if DDoS mode is active.
983
984       --global-redirect-to ip-address(es)
985           The destination, or a list of destinations, where the peers will be
986           redirected.
987
988       --name connection_name, --redirect-to ip-address(es)
989           The destination, or a list of destinations, where the peers will be
990           redirected. Specifying the connection name is optional. If not
991           specified the mechanism will redirect all currently active peers.
992           If specified, only the peers from connection connection_name will
993           be redirected.
994
995       The public key for informs pluto of the RSA public key for a potential
996       peer. Private keys must be kept secret, so they are kept in
997       ipsec.secrets(5).
998
999       --keyid id
1000           specififies the identity of the peer for which a public key should
1001           be used. Its form is identical to the identity in the connection.
1002           If no public key is specified, pluto attempts to find KEY records
1003           from DNS for the id (if a FQDN) or through reverse lookup (if an IP
1004           address). Note that there several interesting ways in which this is
1005           not secure.
1006
1007       --addkey
1008           specifies that the new key is added to the collection; otherwise
1009           the new key replaces any old ones.
1010
1011       --pubkeyrsa key
1012           specifies the value of the RSA public key. It is a sequence of
1013           bytes as described in RFC 2537 "RSA/MD5 KEYs and SIGs in the Domain
1014           Name System (DNS)". It is denoted in a way suitable for
1015           ipsec_ttodata(3). For example, a base 64 numeral starts with 0s.
1016
1017       The listen form tells pluto to start listening for IKE requests on its
1018       public interfaces. To avoid race conditions, it is normal to load the
1019       appropriate connections into pluto before allowing it to listen. If
1020       pluto isn't listening, it is pointless to initiate negotiations, so it
1021       will refuse requests to do so. Whenever the listen form is used, pluto
1022       looks for public interfaces and will notice when new ones have been
1023       added and when old ones have been removed. This is also the trigger for
1024       pluto to read the ipsec.secrets file. So listen may useful more than
1025       once.
1026
1027       --listen
1028           start listening for IKE traffic on public interfaces.
1029
1030       --unlisten
1031           stop listening for IKE traffic on public interfaces.
1032
1033       The --ddos-auto, --ddos-busy and --ddos-unlimited options tells pluto
1034       to update the DDoS protection state. Normally, these measures are
1035       automatically activated or deactivated based on the number of states
1036       inside pluto. The busy and unlimited option tells pluto to activate or
1037       deactivate the DDoS protection mode manually. One of these DDoS
1038       protection methods is to activate IKEv2 DCOOKIEs to defend against
1039       spoofed IKE packets.
1040
1041       --ddos-busy
1042           place pluto into busy mode and activate anti-DDoS measures.
1043
1044       --ddos-unlimited
1045           pull pluto out of busy mode and deactivate anti-DDoS measures.
1046
1047       --ddos-auto
1048           activate the built-in detection mechanism for the anti-DDoS
1049           measures.
1050
1051       The status form will display information about the internal state of
1052       pluto: information about each potential connection, about each state
1053       object, and about each shunt that pluto is managing without an
1054       associated connection.
1055
1056       Statistics can be seen using ipsec whack --globalstats and reset using
1057       ipsec whack --clearstats. This can be used with the munin software to
1058       monitor VPN services.
1059
1060       --status
1061
1062       The trafficstatus form will display the xauth username, add_time and
1063       the total in and out bytes of the IPsec SA's.
1064
1065       --trafficstatus
1066
1067       The shutdown form is the proper way to shut down pluto. It will tear
1068       down the SAs on this machine that pluto has negotiated. If the
1069       --leave-state option is given, it does not delete any connections, and
1070       leaves the kernel state in the kernel. Note that the init system used
1071       might clean up the kernel state regardless.
1072
1073       --shutdown
1074
1075   Examples
1076       It would be normal to start pluto in one of the system initialization
1077       scripts. It needs to be run by the superuser. Generally, no arguments
1078       are needed. To run in manually, the superuser can simply type
1079
1080          ipsec pluto
1081
1082       The command will immediately return, but a pluto process will be left
1083       running, waiting for requests from whack or a peer.
1084
1085       Using whack, several potential connections would be described:
1086
1087          ipsec whack --name silly --host 127.0.0.1 --to --host 127.0.0.2
1088       --ikelifetime 900 --ipseclifetime 800 --keyingtries 3
1089
1090       Since this silly connection description specifies neither encryption,
1091       authentication, nor tunneling, it could only be used to establish an
1092       ISAKMP SA.
1093
1094          ipsec whack --name conn_name --host 10.0.0.1 --client 10.0.1.0/24
1095       --to --host 10.0.0.2 --client 10.0.2.0/24 --encrypt
1096
1097       This is something that must be done on both sides. If the other side is
1098       pluto, the same whack command could be used on it (the command syntax
1099       is designed to not distinguish which end is ours).
1100
1101       Now that the connections are specified, pluto is ready to handle
1102       requests and replies via the public interfaces. We must tell it to
1103       discover those interfaces and start accepting messages from peers:
1104
1105          ipsec whack --listen
1106
1107       If we don't immediately wish to bring up a secure connection between
1108       the two clients, we might wish to prevent insecure traffic. The routing
1109       form asks pluto to cause the packets sent from our client to the peer's
1110       client to be routed through the ipsec0 device; if there is no SA, they
1111       will be discarded:
1112
1113          ipsec whack --route conn_name
1114
1115       Finally, we are ready to get pluto to initiate negotiation for an IPsec
1116       SA (and implicitly, an ISAKMP SA):
1117
1118          ipsec whack --initiate --name conn_name
1119
1120       A small log of interesting events will appear on standard output (other
1121       logging is sent to syslog).
1122
1123       whack can also be used to terminate pluto cleanly, tearing down all SAs
1124       that it has negotiated.
1125
1126          ipsec whack --shutdown
1127
1128       Notification of any IPSEC SA deletion, but not ISAKMP SA deletion is
1129       sent to the peer. Unfortunately, such Notification is not reliable.
1130       Furthermore, pluto itself ignores Notifications.
1131
1132   XAUTH
1133       If pluto needs additional authentication, such as defined by the XAUTH
1134       specifications, then it may ask whack to prompt the operator for
1135       username or passwords. Typically, these will be entered interactively.
1136       A GUI that wraps around whack may look for the 041 (username) or 040
1137       (password) prompts, and display them to the user.
1138
1139       For testing purposes, the options --xauthuser user --xauthpass pass may
1140       be be given prior to the --initiate  to provide responses to the
1141       username and password prompts.
1142
1143   The updown command
1144       Whenever pluto brings a connection up or down, it invokes the updown
1145       command. This command is specified using the --updown option. This
1146       allows for customized control over routing and firewall manipulation.
1147
1148       The updown is invoked for five different operations. Each of these
1149       operations can be for our client subnet or for our host itself.
1150
1151       prepare-host or prepare-client
1152           is run before bringing up a new connection if no other connection
1153           with the same clients is up. Generally, this is useful for deleting
1154           a route that might have been set up before pluto was run or perhaps
1155           by some agent not known to pluto.
1156
1157       route-host or route-client
1158           is run when bringing up a connection for a new peer client subnet
1159           (even if prepare-host or prepare-client was run). The command
1160           should install a suitable route. Routing decisions are based only
1161           on the destination (peer's client) subnet address, unlike eroutes
1162           which discriminate based on source too.
1163
1164       unroute-host or unroute-client
1165           is run when bringing down the last connection for a particular peer
1166           client subnet. It should undo what the route-host or route-client
1167           did.
1168
1169       up-host or up-client
1170           is run when bringing up a tunnel eroute with a pair of client
1171           subnets that does not already have a tunnel eroute. This command
1172           should install firewall rules as appropriate. It is generally a
1173           good idea to allow IKE messages (UDP port 500) travel between the
1174           hosts.
1175
1176       down-host or down-client
1177           is run when bringing down the eroute for a pair of client subnets.
1178           This command should delete firewall rules as appropriate. Note that
1179           there may remain some inbound IPsec SAs with these client subnets.
1180
1181       The script is passed a large number of environment variables to specify
1182       what needs to be done.
1183
1184       PLUTO_VERB
1185           specifies the name of the operation to be performed (prepare-host,r
1186           prepare-client, up-host, up-client, down-host, or down-client). If
1187           the address family for security gateway to security gateway
1188           communications is IPv6, then a suffix of -v6 is added to the verb.
1189
1190       PLUTO_CONNECTION
1191           is the name of the connection for which we are routing.
1192
1193       PLUTO_NEXT_HOP
1194           is the next hop to which packets bound for the peer must be sent.
1195
1196       PLUTO_INTERFACE
1197           is the name of the ipsec interface to be used.
1198
1199       PLUTO_ME
1200           is the IP address of our host.
1201
1202       PLUTO_MY_CLIENT
1203           is the IP address / count of our client subnet. If the client is
1204           just the host, this will be the host's own IP address / max (where
1205           max is 32 for IPv4 and 128 for IPv6).
1206
1207       PLUTO_MY_CLIENT_NET
1208           is the IP address of our client net. If the client is just the
1209           host, this will be the host's own IP address.
1210
1211       PLUTO_MY_CLIENT_MASK
1212           is the mask for our client net. If the client is just the host,
1213           this will be 255.255.255.255.
1214
1215       PLUTO_PEER
1216           is the IP address of our peer.
1217
1218       PLUTO_PEER_CLIENT
1219           is the IP address / count of the peer's client subnet. If the
1220           client is just the peer, this will be the peer's own IP address /
1221           max (where max is 32 for IPv4 and 128 for IPv6).
1222
1223       PLUTO_PEER_CLIENT_NET
1224           is the IP address of the peer's client net. If the client is just
1225           the peer, this will be the peer's own IP address.
1226
1227       PLUTO_PEER_CLIENT_MASK
1228           is the mask for the peer's client net. If the client is just the
1229           peer, this will be 255.255.255.255.
1230
1231       PLUTO_MY_PROTOCOL
1232           lists the protocols allowed over this IPsec SA.
1233
1234       PLUTO_PEER_PROTOCOL
1235           lists the protocols the peer allows over this IPsec SA.
1236
1237       PLUTO_MY_PORT
1238           lists the ports allowed over this IPsec SA.
1239
1240       PLUTO_PEER_PORT
1241           lists the ports the peer allows over this IPsec SA.
1242
1243       PLUTO_MY_ID
1244           lists our id.
1245
1246       PLUTO_PEER_ID
1247           Dlists our peer's id.
1248
1249       PLUTO_PEER_CA
1250           lists the peer's CA.
1251
1252       All output sent by the script to stderr or stdout is logged. The script
1253       should return an exit status of 0 if and only if it succeeds.
1254
1255       Pluto waits for the script to finish and will not do any other
1256       processing while it is waiting. The script may assume that pluto will
1257       not change anything while the script runs. The script should avoid
1258       doing anything that takes much time and it should not issue any command
1259       that requires processing by pluto. Either of these activities could be
1260       performed by a background subprocess of the script.
1261
1262   Rekeying
1263       When an SA that was initiated by pluto has only a bit of lifetime left,
1264       pluto will initiate the creation of a new SA. This applies to ISAKMP
1265       and IPsec SAs. The rekeying will be initiated when the SA's remaining
1266       lifetime is less than the rekeymargin plus a random percentage, between
1267       0 and rekeyfuzz, of the rekeymargin.
1268
1269       Similarly, when an SA that was initiated by the peer has only a bit of
1270       lifetime left, pluto will try to initiate the creation of a
1271       replacement. To give preference to the initiator, this rekeying will
1272       only be initiated when the SA's remaining lifetime is half of
1273       rekeymargin. If rekeying is done by the responder, the roles will be
1274       reversed: the responder for the old SA will be the initiator for the
1275       replacement. The former initiator might also initiate rekeying, so
1276       there may be redundant SAs created. To avoid these complications, make
1277       sure that rekeymargin is generous.
1278
1279       One risk of having the former responder initiate is that perhaps none
1280       of its proposals is acceptable to the former initiator (they have not
1281       been used in a successful negotiation). To reduce the chances of this
1282       happening, and to prevent loss of security, the policy settings are
1283       taken from the old SA (this is the case even if the former initiator is
1284       initiating). These may be stricter than those of the connection.
1285
1286       pluto will not rekey an SA if that SA is not the most recent of its
1287       type (IPsec or ISAKMP) for its potential connection. This avoids
1288       creating redundant SAs.
1289
1290       The random component in the rekeying time (rekeyfuzz) is intended to
1291       make certain pathological patterns of rekeying unstable. If both sides
1292       decide to rekey at the same time, twice as many SAs as necessary are
1293       created. This could become a stable pattern without the randomness.
1294
1295       Another more important case occurs when a security gateway has SAs with
1296       many other security gateways. Each of these connections might need to
1297       be rekeyed at the same time. This would cause a high peek requirement
1298       for resources (network bandwidth, CPU time, entropy for random
1299       numbers). The rekeyfuzz can be used to stagger the rekeying times.
1300
1301       Once a new set of SAs has been negotiated, pluto will never send
1302       traffic on a superseded one. Traffic will be accepted on an old SA
1303       until it expires.
1304
1305   Selecting a Connection When Responding: Road Warrior Support
1306       When pluto receives an initial Main Mode message, it needs to decide
1307       which connection this message is for. It picks based solely on the
1308       source and destination IP addresses of the message. There might be
1309       several connections with suitable IP addresses, in which case one of
1310       them is arbitrarily chosen. (The ISAKMP SA proposal contained in the
1311       message could be taken into account, but it is not.)
1312
1313       The ISAKMP SA is negotiated before the parties pass further identifying
1314       information, so all ISAKMP SA characteristics specified in the
1315       connection description should be the same for every connection with the
1316       same two host IP addresses. At the moment, the only characteristic that
1317       might differ is authentication method.
1318
1319       Up to this point, all configuring has presumed that the IP addresses
1320       are known to all parties ahead of time. This will not work when either
1321       end is mobile (or assigned a dynamic IP address for other reasons). We
1322       call this situation "Road Warrior". It is fairly tricky and has some
1323       important limitations, most of which are features of the IKE protocol.
1324
1325       Only the initiator may be mobile: the initiator may have an IP number
1326       unknown to the responder. When the responder doesn't recognize the IP
1327       address on the first Main Mode packet, it looks for a connection with
1328       itself as one end and %any as the other. If it cannot find one, it
1329       refuses to negotiate. If it does find one, it creates a temporary
1330       connection that is a duplicate except with the %any replaced by the
1331       source IP address from the packet; if there was no identity specified
1332       for the peer, the new IP address will be used.
1333
1334       When pluto is using one of these temporary connections and needs to
1335       find the preshared secret or RSA private key in ipsec.secrets, and the
1336       connection specified no identity for the peer, %any is used as its
1337       identity. After all, the real IP address was apparently unknown to the
1338       configuration, so it is unreasonable to require that it be used in this
1339       table.
1340
1341       Part way into the Phase 1 (Main Mode) negotiation using one of these
1342       temporary connection descriptions, pluto will receive an Identity
1343       Payload. At this point, pluto checks for a more appropriate connection,
1344       one with an identity for the peer that matches the payload and would
1345       use the same keys as so far used for authentication. If it finds one,
1346       it will switch to using this better connection (or a temporary one
1347       derived from this, if it has %any for the peer's IP address). It may
1348       even turn out that no connection matches the newly discovered identity,
1349       including the current connection; if so, pluto terminates negotiation.
1350
1351       Unfortunately, if preshared secret authentication is being used, the
1352       Identity Payload is encrypted using this secret, so the secret must be
1353       selected by the responder without knowing this payload. This limits
1354       there to being at most one preshared secret for all Road Warrior
1355       systems connecting to a host. RSA Signature authentication does not
1356       require that the responder knows how to select the initiator's public
1357       key until after the initiator's Identity Payload is decoded (using the
1358       responder's private key, so that must be preselected).
1359
1360       When pluto is responding to a Quick Mode negotiation via one of these
1361       temporary connection descriptions, it may well find that the subnets
1362       specified by the initiator don't match those in the temporary
1363       connection description. If so, it will look for a connection with
1364       matching subnets, its own host address, a peer address of %any and
1365       matching identities. If it finds one, a new temporary connection is
1366       derived from this one and used for the Quick Mode negotiation of IPsec
1367       SAs. If it does not find one, pluto terminates negotiation.
1368
1369       Be sure to specify an appropriate nexthop for the responder to send a
1370       message to the initiator: pluto has no way of guessing it (if
1371       forwarding isn't required, use an explicit %direct as the nexthop and
1372       the IP address of the initiator will be filled in; the obsolete
1373       notation 0.0.0.0 is still accepted).
1374
1375       pluto has no special provision for the initiator side. The current
1376       (possibly dynamic) IP address and nexthop must be used in defining
1377       connections. These must be properly configured each time the
1378       initiator's IP address changes.  pluto has no mechanism to do this
1379       automatically.
1380
1381       Although we call this Road Warrior Support, it could also be used to
1382       support encrypted connections with anonymous initiators. The
1383       responder's organization could announce the preshared secret that would
1384       be used with unrecognized initiators and let anyone connect. Of course
1385       the initiator's identity would not be authenticated.
1386
1387       If any Road Warrior connections are supported, pluto cannot reject an
1388       exchange initiated by an unknown host until it has determined that the
1389       secret is not shared or the signature is invalid. This must await the
1390       third Main Mode message from the initiator. If no Road Warrior
1391       connection is supported, the first message from an unknown source would
1392       be rejected. This has implications for ease of debugging configurations
1393       and for denial of service attacks.
1394
1395       Although a Road Warrior connection must be initiated by the mobile
1396       side, the other side can and will rekey using the temporary connection
1397       it has created. If the Road Warrior wishes to be able to disconnect, it
1398       is probably wise to set --keyingtries to 1 in the connection on the
1399       non-mobile side to prevent it trying to rekey the connection.
1400       Unfortunately, there is no mechanism to unroute the connection
1401       automatically.
1402
1403   Debugging
1404       pluto accepts several optional arguments, useful mostly for debugging.
1405       Except for --interface, each should appear at most once.
1406
1407       --interface interfacename
1408           specifies that the named real public network interface should be
1409           considered. The interface name specified should not be ipsecN. If
1410           the option doesn't appear, all interfaces are considered. To
1411           specify several interfaces, use the option once for each. One use
1412           of this option is to specify which interface should be used when
1413           two or more share the same IP address.
1414
1415       --ikeport port-number
1416           changes the UDP port that pluto will use (default, specified by
1417           IANA: 500)
1418
1419       --ctlbase path
1420           basename for control files.  path.ctl is the socket through which
1421           whack communicates with pluto.  path.pid is the lockfile to prevent
1422           multiple pluto instances. The default is /var/run/pluto/pluto).
1423
1424       --secretsfile file
1425           specifies the file for authentication secrets (default:
1426           /etc/ipsec.secrets). This name is subject to "globbing" as in
1427           sh(1), so every file with a matching name is processed. Quoting is
1428           generally needed to prevent the shell from doing the globbing.
1429
1430       --nofork
1431           disable "daemon fork" (default is to fork). In addition, after the
1432           lock file and control socket are created, print the line "Pluto
1433           initialized" to standard out.
1434
1435       --uniqueids
1436           if this option has been selected, whenever a new ISAKMP SA is
1437           established, any connection with the same Peer ID but a different
1438           Peer IP address is unoriented (causing all its SAs to be deleted).
1439           This helps clean up dangling SAs when a connection is lost and then
1440           regained at another IP address.
1441
1442       --force-busy
1443           if this option has been selected, pluto will be forced to be
1444           "busy". In this state, which happens when there is a Denial of
1445           Service attack, will force pluto to use cookies before accepting
1446           new incoming IKE packets. Cookies are send and required in ikev1
1447           Aggressive Mode and in ikev2. This option is mostly used for
1448           testing purposes, but can be selected by paranoid administrators as
1449           well.
1450
1451       --stderrlog
1452           log goes to standard out {default is to use syslogd(8))
1453
1454       pluto is willing to produce a prodigious amount of debugging
1455       information. There are several classes of debugging output, and pluto
1456       may be directed to produce a selection of them. All lines of debugging
1457       output are prefixed with "| " to distinguish them from normal
1458       diagnostic messages.
1459
1460       When pluto is invoked, it may be given arguments to specify which debug
1461       classes to output. The current options are:
1462
1463       --debug help (whack only)
1464           list the debugging classes recognised by pluto
1465
1466       --debug none
1467           disable logging for all debugging classes
1468
1469       --debug base
1470           enable debug-logging
1471
1472       --debug cpu-usage
1473           enable cpu-usage logging
1474
1475       --debug class, --no-debug class, --debug no-class
1476           enable (disable) logging of the specified debugging class (--debug
1477           help lists debugging classes supported by this version of pluto)
1478
1479       The debug form of the whack command will change the selection in a
1480       running pluto. If a connection name is specified, the flags are added
1481       whenever pluto has identified that it is dealing with that connection.
1482       Unfortunately, this is often part way into the operation being
1483       observed.
1484
1485       For example, to start pluto with both base and cpu-usage debug-logging
1486       enabled:
1487
1488                pluto --debug base --debug cpu-usage
1489
1490
1491       To later change this pluto to disable base debug-logging use either:
1492
1493                whack --no-debug base
1494
1495
1496       or:
1497
1498                whack --debug none --debug cpu-usage
1499
1500
1501   Impairing
1502       pluto and whack accept several optional arguments that alter (impair)
1503       correct behaviour.
1504
1505       These options are solely intended for use by developers when testing
1506       pluto.
1507
1508       --impair help (whack only)
1509           list all the behaviours that can be altered (impaired)
1510
1511       --impair list (whack only)
1512           list all the behaviours that are currently altered (impaired)
1513
1514       --impair none
1515           disable all altered (impaired) behaviours
1516
1517       --impair behaviour, --impair behaviour:how, --no-impair behaviour
1518           alter (impair) pluto inducing the (possibly erroneous) behaviour
1519
1520   Pluto's Behaviour When Things Go Wrong
1521       When pluto doesn't understand or accept a message, it just ignores the
1522       message. It is not yet capable of communicating the problem to the
1523       other IKE daemon (in the future it might use Notifications to
1524       accomplish this in many cases). It does log a diagnostic.
1525
1526       When pluto gets no response from a message, it resends the same message
1527       (a message will be sent at most three times). This is appropriate: UDP
1528       is unreliable.
1529
1530       When pluto gets a message that it has already seen, there are many
1531       cases when it notices and discards it. This too is appropriate for UDP.
1532
1533       Combine these three rules, and you can explain many apparently
1534       mysterious behaviours. In a pluto log, retrying isn't usually the
1535       interesting event. The critical thing is either earlier (pluto got a
1536       message that it didn't like and so ignored, so it was still awaiting an
1537       acceptable message and got impatient) or on the other system (pluto
1538       didn't send a reply because it wasn't happy with the previous message).
1539
1540   Notes
1541       Each IPsec SA is assigned an SPI, a 32-bit number used to refer to the
1542       SA. The IKE protocol lets the destination of the SA choose the SPI. The
1543       range 0 to 0xFF is reserved for IANA.  Pluto also avoids choosing an
1544       SPI in the range 0x100 to 0xFFF, leaving these SPIs free for manual
1545       keying. Remember that the peer, if not pluto, may well chose SPIs in
1546       this range.
1547
1548   Policies
1549       This catalogue of policies may be of use when trying to configure Pluto
1550       and another IKE implementation to interoperate.
1551
1552       In Phase 1, only Main Mode is supported. We are not sure that
1553       Aggressive Mode is secure. For one thing, it does not support identity
1554       protection. It may allow more severe Denial Of Service attacks.
1555
1556       No Informational Exchanges are supported. These are optional and since
1557       their delivery is not assured, they must not matter. It is the case
1558       that some IKE implementations won't interoperate without Informational
1559       Exchanges, but we feel they are broken.
1560
1561       No Informational Payloads are supported. These are optional, but
1562       useful. It is of concern that these payloads are not authenticated in
1563       Phase 1, nor in those Phase 2 messages authenticated with HASH(3).
1564
1565
1566           Diffie Hellman Groups MODP 1024 and MODP 1536 (2 and 5) are
1567           supported. Group MODP768 (1) is not supported because it is too
1568           weak.
1569
1570
1571           Host authentication can be done by RSA Signatures or Pre-Shared
1572           Secrets.
1573
1574
1575           3DES CBC (Cypher Block Chaining mode) is the only encryption
1576           supported, both for ISAKMP SAs and IPSEC SAs.
1577
1578
1579           MD5 and SHA1 hashing are supported for packet authentication in
1580           both kinds of SAs.
1581
1582
1583           The ESP, AH, or AH plus ESP are supported. If, and only if, AH and
1584           ESP are combined, the ESP need not have its own authentication
1585           component. The selection is controlled by the --encrypt and
1586           --authenticate flags.
1587
1588
1589           Each of these may be combined with IPCOMP Deflate compression, but
1590           only if the potential connection specifies compression.
1591
1592
1593           The IPSEC SAs may be tunnel or transport mode, where appropriate.
1594           The --tunnel flag controls this when pluto is initiating.
1595
1596
1597           When responding to an ISAKMP SA proposal, the maximum acceptable
1598           lifetime is eight hours. The default is one hour. There is no
1599           minimum. The --ikelifetime flag controls this when pluto is
1600           initiating.
1601
1602
1603           When responding to an IPSEC SA proposal, the maximum acceptable
1604           lifetime is one day. The default is eight hours. There is no
1605           minimum. The --ipseclifetime flag controls this when pluto is
1606           initiating.
1607
1608
1609           PFS is acceptable, and will be proposed if the --pfs flag was
1610           specified. The DH group proposed will be the same as negotiated for
1611           Phase 1.
1612

SIGNALS

1614       Pluto responds to SIGHUP by issuing a suggestion that ``whack
1615       --listen'' might have been intended.
1616
1617       Pluto exits when it receives SIGTERM.
1618

EXIT STATUS

1620       pluto normally forks a daemon process, so the exit status is normally a
1621       very preliminary result.
1622
1623       0
1624           means that all is OK so far.
1625
1626       1
1627           means that something was wrong.
1628
1629       10
1630           means that the lock file already exists.
1631
1632       If whack detects a problem, it will return an exit status of 1. If it
1633       received progress messages from pluto, it returns as status the value
1634       of the numeric prefix from the last such message that was not a message
1635       sent to syslog or a comment (but the prefix for success is treated as
1636       0). Otherwise, the exit status is 0.
1637

FILES

1639       /var/run/pluto/pluto.pid
1640
1641       /var/run/pluto/pluto.ctl
1642
1643       /etc/ipsec.secrets
1644
1645       /dev/urandom
1646

ENVIRONMENT

1648       pluto does not use any environment variables
1649

SEE ALSO

1651       The rest of the Libreswan distribution, in particular ipsec(8).
1652
1653       ipsec_auto(8) is designed to make using pluto more pleasant. Use it!
1654
1655       ipsec.secrets(5) describes the format of the secrets file.
1656
1657       ipsec_atoaddr(3), part of the Libreswan distribution, describes the
1658       forms that IP addresses may take.  ipsec_atosubnet(3), part of the
1659       Libreswan distribution, describes the forms that subnet specifications.
1660
1661       For more information on IPsec, the mailing list, and the relevant
1662       documents, see:
1663
1664       https://datatracker.ietf.org/wg/ipsecme/charter/
1665
1666       At the time of writing, the latest IETF IKE RFC is:
1667
1668       RFC 7296 Internet Key Exchange Protocol Version 2 (IKEv2)
1669
1670       The Libreswan web site <https://libreswan.org> and the mailing lists
1671       described there.
1672
1673       The Libreswan wiki <https://libreswan.org/wiki> and the mailing lists
1674       described there.
1675
1676       The Libreswan list of implemented RFCs
1677       <https://libreswan.org/wiki/Implemented_Standards>
1678

HISTORY

1680       This code is released under the GPL terms. See the accompanying files
1681       CHANGES COPYING and CREDITS.* for more details.
1682
1683       Detailed history (including FreeS/WAN and Openswan) can be found in the
1684       docs/ directory.
1685

BUGS

1687       Please see <https://bugs.libreswan.org> for a list of currently known
1688       bugs and missing features.
1689
1690       Bugs should be reported to the <swan-dev@lists.libreswan.org> mailing
1691       list.
1692

AUTHOR

1694       Paul Wouters
1695           placeholder to suppress warning
1696
1697
1698
1699libreswan                         09/05/2023                    IPSEC_PLUTO(8)
Impressum