1IPSEC_MANUAL(8) IPSEC_MANUAL(8)
2
6 ipsec manual - take manually-keyed IPsec connections up and down
7
9 ipsec manual [--show] [--showonly] [--other] [--iam address@interface]
10 [--config configfile] operation
11 ipsec manual [options] --union operation_part...
13
16 Manual manipulates manually-keyed Openswan IPsec connections, setting
17 them up and shutting them down, based on the information in the IPsec
18 configuration file. Normally, manually keyed connections should not be
19 used - automatic keying connections In the normal usage, connection is
20 the name of a connection specification in the configuration file; oper‐
21 ation is --up, --down, --route, or --unroute. Manual generates setup
22 (--route or --up) or teardown (--down or --unroute) commands for the
23 connection and feeds them to a shell for execution.
24 The --up operation brings the specified connection up, including estab‐
27 lishing a suitable route for it if necessary.
28 The --route operation just establishes the route for a connection. Un‐
31 less and until an --up operation is done, packets routed by that route
32 will simply be discarded.
33 The --down operation tears the specified connection down, except that
36 it leaves the route in place. Unless and until an --unroute operation
37 is done, packets routed by that route will simply be discarded. This
38 permits establishing another connection to the same destination without
39 any “window” in which packets can pass without encryption.
40 The --unroute operation (and only the --unroute operation) deletes any
43 route established for a connection.
44 In the --union usage, each part is the name of a partial connection
47 specification in the configuration file, and the union of all the par‐
48 tial specifications is the connection specification used. The effect is
49 as if the contents of the partial specifications were concatenated to‐
50 gether; restrictions on duplicate parameters, etc., do apply to the re‐
51 sult. (The same effect can now be had, more gracefully, using the also
52 parameter in connection descriptions; see ipsec.conf(5) for details.)
53 The --show option turns on the -x option of the shell used to execute
56 the commands, so each command is shown as it is executed.
57 The --showonly option causes manual to show the commands it would run,
60 on standard output, and not run them.
61 The --other option causes manual to pretend it is the other end of the
64 connection. This is probably not useful except in combination with
65 --showonly.
66 The --iam option causes manual to believe it is running on the host
69 with the specified IP address, and that it should use the specified in‐
70 terface (normally it determines all this automatically, based on what
71 IPsec interfaces are up and how they are configured).
72 The --config option specifies a non-standard location for the
75 /etc/ipsec.conf) file.
76 See ipsec.conf(5) for details of the configuration file. Apart from the
79 basic parameters which specify the endpoints and routing of a connec‐
80 tion (left and right, plus possibly leftsubnet, leftnexthop, leftfire‐
81 wall, their right equivalents, and perhaps type), a non-passthrough
82 manual connection needs an spi or spibase parameter and some parameters
83 specifying encryption, authentication, or both, most simply esp, es‐
84 penckey, and espauthkey. Moderately-secure keys can be obtained from
85 ipsec_ranbits(8). For production use of manually-keyed connections, it
86 is strongly recommended that the keys be kept in a separate file (with
87 permissions rw-------) using the include and also facilities of the
88 configuration file (see ipsec.conf(5)).
89 If an spi parameter is given, manual uses that value as the SPI number
92 for all the SAs (which are in separate number spaces anyway). If an
93 spibase parameter is given instead, manual assigns SPI values by alter‐
94 ing the bottom digit of that value; SAs going from left to right get
95 even digits starting at 0, SAs going from right to left get odd digits
96 starting at 1. Either way, it is suggested that manually-keyed connec‐
97 tions use three-digit SPIs with the first digit non-zero, i.e. in the
98 range 0x100 through 0xfff; Openswan reserves those for manual keying
99 and will not attempt to use them for automatic keying (unless requested
100 to, presumably by a non-Openswan other end).
101
104 /etc/ipsec.conf default IPsec configuration file /var/run/plu‐
105 to/ipsec.info%defaultroute information
106
109 ipsec(8), ipsec.conf(5), ipsec_spi(8), ipsec_eroute(8), ipsec_spi‐
110 grp(8), route(8)
111
114 Written for the FreeS/WAN project <http://www.freeswan.org/:
115 http://www.freeswan.org/> by Henry Spencer.
116
119 It's not nearly as generous about the syntax of subnets, addresses,
120 etc. as the usual FreeS/WAN user interfaces. Four-component dotted-dec‐
121 imal must be used for all addresses. It is smart enough to translate
122 bit-count netmasks to dotted-decimal form.
123 If the connection specification for a connection is changed between an
126 --up and the ensuing --down, chaos may ensue.
127 The --up operation is not smart enough to notice whether the connection
130 is already up.
131 Manual is not smart enough to reject insecure combinations of algo‐
134 rithms, e.g. encryption with no authentication at all.
135 Any non-IPsec route to the other end which is replaced by the --up or
138 --route operation will not be re-established by --unroute. Whether this
139 is a feature or a bug depends on your viewpoint.
140 The optional parameters which override the automatic spibase-based SPI
143 assignment are a messy area of the code and bugs are likely.
144 “Road warrior” handling, and other special forms of setup which require
147 negotiation between the two security gateways, inherently cannot be
148 done with manual.
149 Manual generally lags behind auto in support of various features, even
152 when implementation would be possible. For example, currently it does
153 not do IPComp content compression.
154 IPSEC_MANUAL(8)