IPSEC_MANUAL(8)                                                IPSEC_MANUAL(8)

NAME

       ipsec manual - take manually-keyed IPsec connections up and down


SYNOPSIS

       ipsec manual [--show] [--showonly] [--other] [--iam address@interface]
             [--config configfile] operation

       ipsec manual [options] --union operation_part...


DESCRIPTION

       Manual manipulates manually-keyed Openswan IPsec connections, setting
       them up and shutting them down, based on the information in the IPsec
       configuration file. Normally, manually keyed connections should not be
       used - automatic keying connections

       In the normal usage, connection is the name of a connection
       specification in the configuration file; operation is --up, --down,
       --route, or --unroute. Manual generates setup (--route or --up) or
       teardown (--down or --unroute) commands for the connection and feeds
       them to a shell for execution.

       The --up operation brings the specified connection up, including
       establishing a suitable route for it if necessary.

       The --route operation just establishes the route for a connection.
       Unless and until an --up operation is done, packets routed by that
       route will simply be discarded.

       The --down operation tears the specified connection down, except that
       it leaves the route in place. Unless and until an --unroute operation
       is done, packets routed by that route will simply be discarded. This
       permits establishing another connection to the same destination
       without any “window” in which packets can pass without encryption.

       The --unroute operation (and only the --unroute operation) deletes any
       route established for a connection.

       In the --union usage, each part is the name of a partial connection
       specification in the configuration file, and the union of all the
       partial specifications is the connection specification used. The
       effect is as if the contents of the partial specifications were
       concatenated together; restrictions on duplicate parameters, etc., do
       apply to the result. (The same effect can now be had, more gracefully,
       using the also parameter in connection descriptions; see ipsec.conf(5)
       for details.)

       The --show option turns on the -x option of the shell used to execute
       the commands, so each command is shown as it is executed.

       The --showonly option causes manual to show the commands it would run,
       on standard output, and not run them.

       The --other option causes manual to pretend it is the other end of the
       connection. This is probably not useful except in combination with
       --showonly.

       The --iam option causes manual to believe it is running on the host
       with the specified IP address, and that it should use the specified
       interface (normally it determines all this automatically, based on
       what IPsec interfaces are up and how they are configured).

       The --config option specifies a non-standard location for the
       /etc/ipsec.conf file.

       See ipsec.conf(5) for details of the configuration file. Apart from
       the basic parameters which specify the endpoints and routing of a
       connection (left and right, plus possibly leftsubnet, leftnexthop,
       leftfirewall, their right equivalents, and perhaps type), a
       non-passthrough manual connection needs an spi or spibase parameter
       and some parameters specifying encryption, authentication, or both,
       most simply esp, espenckey, and espauthkey. Moderately-secure keys can
       be obtained from ipsec_ranbits(8). For production use of
       manually-keyed connections, it is strongly recommended that the keys
       be kept in a separate file (with permissions rw-------) using the
       include and also facilities of the configuration file (see
       ipsec.conf(5)).

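       As an added example (not part of the Openswan man page or project), the
       shell below lays out a manually-keyed connection in the shape the
       paragraph above recommends: the public connection parameters in an
       ipsec.conf fragment, the espenckey and espauthkey in a separate file
       created rw------- and pulled in through include and also. The
       esp=3des-md5-96 choice, the addresses, subnets and file names are
       constructed for the example, and the keys come from /dev/urandom rather
       than ipsec_ranbits(8) so the script runs without Openswan installed.

```shell
# Added example, not from the Openswan man page: manually-keyed connection
# with its keys in a separate rw------- file. Constructed for this example:
# addresses, subnets, file names, esp=3des-md5-96 (192-bit enc, 128-bit auth).
set -eu

# Random hex key of the given bit length; stands in for ipsec_ranbits(8) so
# the example runs without Openswan (assumption).
rand_hex() {
    od -An -N $(($1 / 8)) -tx1 /dev/urandom | tr -d ' \n'
}

# Key-only partial connection; umask 077 in a subshell creates the file 0600.
write_keyfile() {
    (
        umask 077
        {
            printf 'conn sample-keys\n'
            printf '        espenckey=0x%s\n' "$(rand_hex 192)"
            printf '        espauthkey=0x%s\n' "$(rand_hex 128)"
        } > "$1"
    )
}

# Succeeds only if the key file is mode rw------- (the recommended setting).
keyfile_mode_ok() {
    [ "$(ls -l "$1" | cut -c1-10)" = "-rw-------" ]
}

# Public part of the connection; the secrets arrive via include and also=.
write_conn() {
    cat > "$1" <<EOF
conn sample
        type=tunnel
        left=192.0.2.1
        leftsubnet=10.1.0.0/24
        right=192.0.2.2
        rightsubnet=10.2.0.0/24
        spibase=0x200
        esp=3des-md5-96
        also=sample-keys
include $2
EOF
}

dir=$(mktemp -d)
write_keyfile "$dir/manual-keys.conf"
write_conn "$dir/ipsec.conf" "$dir/manual-keys.conf"
keyfile_mode_ok "$dir/manual-keys.conf" && echo "key file is rw-------"
# Dry run (needs Openswan): ipsec manual --showonly --config "$dir/ipsec.conf" --up sample
```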
       If an spi parameter is given, manual uses that value as the SPI number
       for all the SAs (which are in separate number spaces anyway). If an
       spibase parameter is given instead, manual assigns SPI values by
       altering the bottom digit of that value; SAs going from left to right
       get even digits starting at 0, SAs going from right to left get odd
       digits starting at 1. Either way, it is suggested that manually-keyed
       connections use three-digit SPIs with the first digit non-zero, i.e.
       in the range 0x100 through 0xfff; Openswan reserves those for manual
       keying and will not attempt to use them for automatic keying (unless
       requested to, presumably by a non-Openswan other end).


FILES

       /etc/ipsec.conf              default IPsec configuration file
       /var/run/pluto/ipsec.info    %defaultroute information


SEE ALSO

       ipsec(8), ipsec.conf(5), ipsec_spi(8), ipsec_eroute(8), ipsec_spigrp(8),
       route(8)


HISTORY

       Written for the FreeS/WAN project <http://www.freeswan.org/> by Henry
       Spencer.


BUGS

       It's not nearly as generous about the syntax of subnets, addresses,
       etc. as the usual FreeS/WAN user interfaces. Four-component
       dotted-decimal must be used for all addresses. It is smart enough to
       translate bit-count netmasks to dotted-decimal form.

       If the connection specification for a connection is changed between an
       --up and the ensuing --down, chaos may ensue.

       The --up operation is not smart enough to notice whether the
       connection is already up.

       Manual is not smart enough to reject insecure combinations of
       algorithms, e.g. encryption with no authentication at all.

       Any non-IPsec route to the other end which is replaced by the --up or
       --route operation will not be re-established by --unroute. Whether
       this is a feature or a bug depends on your viewpoint.

       The optional parameters which override the automatic spibase-based SPI
       assignment are a messy area of the code and bugs are likely.

       “Road warrior” handling, and other special forms of setup which require
       negotiation between the two security gateways, inherently cannot be
       done with manual.

       Manual generally lags behind auto in support of various features, even
       when implementation would be possible. For example, currently it does
       not do IPComp content compression.