Updated and corrected the ipsec.secrets(5) manual page.
This commit is contained in:
parent
f115838bee
commit
1d3a48b559
|
@ -1,148 +1,116 @@
|
||||||
.TH IPSEC.SECRETS 5 "28 March 1999"
|
.TH IPSEC.SECRETS 5 "2010-05-30"
|
||||||
.SH NAME
|
.SH NAME
|
||||||
ipsec.secrets \- secrets for IKE/IPsec authentication
|
ipsec.secrets \- secrets for IKE/IPsec authentication
|
||||||
.SH DESCRIPTION
|
.SH DESCRIPTION
|
||||||
The file \fIipsec.secrets\fP holds a table of secrets.
|
The file \fIipsec.secrets\fP holds a table of secrets.
|
||||||
These secrets are used by \fIipsec_pluto\fP(8), the FreeS/WAN Internet Key
|
These secrets are used by the strongSwan Internet Key Exchange (IKE) daemons
|
||||||
Exchange daemon, to authenticate other hosts.
|
pluto (IKEv1) and charon (IKEv2) to authenticate other hosts.
|
||||||
Currently there are two kinds of secrets: preshared secrets and
|
|
||||||
.\" the private part of DSS keys.
|
|
||||||
RSA private keys.
|
|
||||||
.LP
|
.LP
|
||||||
It is vital that these secrets be protected. The file should be owned
|
It is vital that these secrets be protected. The file should be owned
|
||||||
by the super-user,
|
by the super-user,
|
||||||
and its permissions should be set to block all access by others.
|
and its permissions should be set to block all access by others.
|
||||||
.LP
|
.LP
|
||||||
The file is a sequence of entries and include directives.
|
The file is a sequence of entries and include directives.
|
||||||
Here is an example. Each entry or directive must start at the
|
Here is an example.
|
||||||
left margin, but if it continues beyond a single line, each continuation
|
|
||||||
line must be indented.
|
|
||||||
.LP
|
.LP
|
||||||
.RS
|
.RS
|
||||||
.nf
|
.nf
|
||||||
# sample /etc/ipsec.secrets file for 10.1.0.1
|
# /etc/ipsec.secrets - strongSwan IPsec secrets file
|
||||||
10.1.0.1 10.2.0.1: PSK "secret shared by two hosts"
|
192.168.0.1 %any : PSK "v+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL"
|
||||||
|
|
||||||
# an entry may be split across lines,
|
: RSA moonKey.pem
|
||||||
# but indentation matters
|
|
||||||
www.xs4all.nl @www.kremvax.ru
|
|
||||||
\ \ \ \ 10.6.0.1 10.7.0.1 1.8.0.1: PSK "secret shared by 5"
|
|
||||||
|
|
||||||
.\" # Private part of our DSS key, in base 64,
|
alice@strongswan.org : EAP "x3.dEhgN"
|
||||||
.\" # as generated by BIND 8.2.1's dnskeygen.
|
|
||||||
.\" # Since this is the default key for this host,
|
|
||||||
.\" # there is no need to specify indices.
|
|
||||||
.\" : DSS 0siMs0N/hfRoCBMXA6plPtuv58/+c=
|
|
||||||
# an RSA private key.
|
|
||||||
# note that the lines are too wide for a
|
|
||||||
# man page, so ... has been substituted for
|
|
||||||
# the truncated part
|
|
||||||
@my.com: rsa {
|
|
||||||
\ \ \ \ Modulus:\ 0syXpo/6waam+ZhSs8Lt6jnBzu3C4grtt...
|
|
||||||
\ \ \ \ PublicExponent:\ 0sAw==
|
|
||||||
\ \ \ \ PrivateExponent:\ 0shlGbVR1m8Z+7rhzSyenCaBN...
|
|
||||||
\ \ \ \ Prime1:\ 0s8njV7WTxzVzRz7AP+0OraDxmEAt1BL5l...
|
|
||||||
\ \ \ \ Prime2:\ 0s1LgR7/oUMo9BvfU8yRFNos1s211KX5K0...
|
|
||||||
\ \ \ \ Exponent1:\ 0soaXj85ihM5M2inVf/NfHmtLutVz4r...
|
|
||||||
\ \ \ \ Exponent2:\ 0sjdAL9VFizF+BKU4ohguJFzOd55OG6...
|
|
||||||
\ \ \ \ Coefficient:\ 0sK1LWwgnNrNFGZsS/2GuMBg9nYVZ...
|
|
||||||
\ \ \ \ }
|
|
||||||
|
|
||||||
include ipsec.*.secrets # get secrets from other files
|
: XAUTH carol "4iChxLT3"
|
||||||
|
|
||||||
|
: XAUTH dave "ryftzG4A"
|
||||||
|
|
||||||
|
# get secrets from other files
|
||||||
|
include ipsec.*.secrets
|
||||||
.fi
|
.fi
|
||||||
.RE
|
.RE
|
||||||
.LP
|
.LP
|
||||||
Each entry in the file is a list of indices, followed by a secret.
|
Each entry in the file is a list of optional ID selectors, followed by a secret.
|
||||||
The two parts are separated by a colon (\fB:\fP) that is
|
The two parts are separated by a colon (\fB:\fP) that is surrounded
|
||||||
followed by whitespace or a newline. For compatability
|
by whitespace. If no ID selectors are specified the line must start with a
|
||||||
with the previous form of this file, if the key part is just a
|
colon.
|
||||||
double-quoted string the colon may be left out.
|
|
||||||
.LP
|
.LP
|
||||||
An index is an IP address, or a Fully Qualified Domain Name, user@FQDN,
|
A selector is an IP address, a Fully Qualified Domain Name, user@FQDN,
|
||||||
\fB%any\fP or \fB%any6\fP (other kinds may come). An IP address may be written
|
\fB%any\fP or \fB%any6\fP (other kinds may come). An IP address may be written
|
||||||
in the familiar dotted quad form or as a domain name to be looked up
|
in the familiar dotted quad form or as a domain name to be looked up
|
||||||
when the file is loaded
|
when the file is loaded.
|
||||||
(or in any of the forms supported by the FreeS/WAN \fIipsec_ttoaddr\fP(3)
|
In many cases it is a bad idea to use domain names because
|
||||||
routine). In many cases it is a bad idea to use domain names because
|
|
||||||
the name server may not be running or may be insecure. To denote a
|
the name server may not be running or may be insecure. To denote a
|
||||||
Fully Qualified Domain Name (as opposed to an IP address denoted by
|
Fully Qualified Domain Name (as opposed to an IP address denoted by
|
||||||
its domain name), precede the name with an at sign (\fB@\fP).
|
its domain name), precede the name with an at sign (\fB@\fP).
|
||||||
.LP
|
.LP
|
||||||
Matching IDs with indices is fairly straightforward: they have to be
|
Matching IDs with selectors is fairly straightforward: they have to be
|
||||||
equal. In the case of a ``Road Warrior'' connection, if an equal
|
equal. In the case of a ``Road Warrior'' connection, if an equal
|
||||||
match is not found for the Peer's ID, and it is in the form of an IP
|
match is not found for the Peer's ID, and it is in the form of an IP
|
||||||
address, an index of \fB%any\fP will match the peer's IP address if IPV4
|
address, a selector of \fB%any\fP will match the peer's IP address if IPV4
|
||||||
and \fB%any6\fP will match a the peer's IP address if IPV6.
|
and \fB%any6\fP will match a the peer's IP address if IPV6.
|
||||||
Currently, the obsolete notation \fB0.0.0.0\fP may be used in place of
|
Currently, the obsolete notation \fB0.0.0.0\fP may be used in place of
|
||||||
\fB%any\fP.
|
\fB%any\fP.
|
||||||
.LP
|
.LP
|
||||||
An additional complexity
|
In IKEv1 an additional complexity
|
||||||
arises in the case of authentication by preshared secret: the
|
arises in the case of authentication by preshared secret: the
|
||||||
responder will need to look up the secret before the Peer's ID payload has
|
responder will need to look up the secret before the Peer's ID payload has
|
||||||
been decoded, so the ID used will be the IP address.
|
been decoded, so the ID used will be the IP address.
|
||||||
.LP
|
.LP
|
||||||
To authenticate a connection between two hosts, the entry that most
|
To authenticate a connection between two hosts, the entry that most
|
||||||
specifically matches the host and peer IDs is used. An entry with no
|
specifically matches the host and peer IDs is used. An entry with no
|
||||||
index will match any host and peer. More specifically, an entry with one index will
|
selectors will match any host and peer. More specifically, an entry with one
|
||||||
match a host and peer if the index matches the host's ID (the peer isn't
|
selector will match a host and peer if the selector matches the host's ID (the
|
||||||
considered). Still more specifically, an entry with multiple indices will match a host and
|
peer isn't considered). Still more specifically, an entry with multiple
|
||||||
peer if the host ID and peer ID each match one of the indices. If the key
|
selectors will match a host and peer if the host ID and peer ID each match one
|
||||||
is for an asymmetric authentication technique (i.e. a public key
|
of the selectors. If the key is for an asymmetric authentication technique
|
||||||
system such as RSA), an entry with multiple indices will match a host
|
(i.e. a public key system such as RSA), an entry with multiple selectors will
|
||||||
and peer even if only the host ID matches an index (it is presumed that the
|
match a host and peer even if only the host ID matches a selector (it is
|
||||||
multiple indices are all identities of the host).
|
presumed that the selectors are all identities of the host).
|
||||||
It is acceptable for two entries to be the best match as
|
It is acceptable for two entries to be the best match as
|
||||||
long as they agree about the secret or private key.
|
long as they agree about the secret or private key.
|
||||||
.LP
|
.LP
|
||||||
Authentication by preshared secret requires that both systems find the
|
Authentication by preshared secret requires that both systems find the
|
||||||
identical secret (the secret is not actually transmitted by the IKE
|
identical secret (the secret is not actually transmitted by the IKE
|
||||||
protocol). If both the host and peer appear in the index list, the
|
protocol). If both the host and peer appear in the selector list, the
|
||||||
same entry will be suitable for both systems so verbatim copying
|
same entry will be suitable for both systems so verbatim copying
|
||||||
between systems can be used. This naturally extends to larger groups
|
between systems can be used. This naturally extends to larger groups
|
||||||
sharing the same secret. Thus multiple-index entries are best for PSK
|
sharing the same secret. Thus multiple-selector entries are best for PSK
|
||||||
authentication.
|
authentication.
|
||||||
.LP
|
.LP
|
||||||
Authentication by RSA Signatures requires that each host have its own private
|
Authentication by public key systems such as RSA requires that each host
|
||||||
key. A host could reasonably use a different private keys
|
have its own private key. A host could reasonably use a different private keys
|
||||||
for different interfaces and for different peers. But it would not
|
for different interfaces and for different peers. But it would not
|
||||||
be normal to share entries between systems. Thus thus no-index and
|
be normal to share entries between systems. Thus thus no-selector and
|
||||||
one-index forms of entry often make sense for RSA Signature authentication.
|
one-selector forms of entry often make sense for public key authentication.
|
||||||
.LP
|
.LP
|
||||||
The key part of an entry may start with a token indicating the kind of
|
The key part of an entry must start with a token indicating the kind of
|
||||||
key. ``RSA'' signifies RSA private key and ``PSK'' signifies
|
key. The following types of secrets are currently supported:
|
||||||
PreShared Key (case is ignored). For compatability with previous
|
.TP
|
||||||
forms of this file, PSK is the default.
|
.B PSK
|
||||||
|
defines a pre-shared key
|
||||||
|
.TP
|
||||||
|
.B RSA
|
||||||
|
defines an RSA private key
|
||||||
|
.TP
|
||||||
|
.B ECDSA
|
||||||
|
defines an ECDSA private key
|
||||||
|
.TP
|
||||||
|
.B EAP
|
||||||
|
defines EAP credentials
|
||||||
|
.TP
|
||||||
|
.B XAUTH
|
||||||
|
defines XAUTH credentials
|
||||||
|
.TP
|
||||||
|
.B PIN
|
||||||
|
defines a smartcard PIN
|
||||||
.LP
|
.LP
|
||||||
A preshared secret is most conveniently represented as a sequence of
|
Details on each type of secret are given below.
|
||||||
characters, delimited by the double-quote
|
|
||||||
character (\fB"\fP). The sequence cannot contain a newline or
|
|
||||||
double-quote. Strictly speaking, the secret is actually the sequence
|
|
||||||
of bytes that is used in the file to represent the sequence of
|
|
||||||
characters (excluding the delimiters).
|
|
||||||
A preshared secret may also be represented, without quotes, in any form supported by
|
|
||||||
\fIipsec_ttodata\fP(3).
|
|
||||||
.LP
|
.LP
|
||||||
An RSA private key is a composite of eight generally large numbers. The notation
|
Whitespace at the end of a line is ignored. At the start of a line or
|
||||||
used is a brace-enclosed list of field name and value pairs (see the example above).
|
|
||||||
A suitable key, in a suitable format, may be generated by \fIipsec_rsasigkey\fP(8).
|
|
||||||
The structure is very similar to that used by BIND 8.2.2 or later, but note that
|
|
||||||
the numbers must have a ``0s'' prefix if they are in base 64. The order of
|
|
||||||
the fields is fixed.
|
|
||||||
.LP
|
|
||||||
The first token an entry must start in
|
|
||||||
the first column of its line. Subsequent tokens must be
|
|
||||||
separated by whitespace,
|
|
||||||
except for a colon token, which only needs to be followed by whitespace.
|
|
||||||
A newline is taken as whitespace, but every
|
|
||||||
line of an entry after the first must be indented.
|
|
||||||
.LP
|
|
||||||
Whitespace at the end of a line is ignored (except in the 0t
|
|
||||||
notation for a key). At the start of line or
|
|
||||||
after whitespace, \fB#\fP and the following text up to the end of the
|
after whitespace, \fB#\fP and the following text up to the end of the
|
||||||
line is treated as a comment. Within entries, all lines must be
|
line is treated as a comment.
|
||||||
indented (except for lines with no tokens).
|
|
||||||
Outside entries, no line may be indented (this is to make sure that
|
|
||||||
the file layout reflects its structure).
|
|
||||||
.LP
|
.LP
|
||||||
An include directive causes the contents of the named file to be processed
|
An include directive causes the contents of the named file to be processed
|
||||||
before continuing with the current file. The filename is subject to
|
before continuing with the current file. The filename is subject to
|
||||||
|
@ -153,23 +121,55 @@ directory containing the current file is prepended to the name. The
|
||||||
include directive is a line that starts with the word \fBinclude\fP,
|
include directive is a line that starts with the word \fBinclude\fP,
|
||||||
followed by whitespace, followed by the filename (which must not contain
|
followed by whitespace, followed by the filename (which must not contain
|
||||||
whitespace).
|
whitespace).
|
||||||
|
.SS TYPES OF SECRETS
|
||||||
|
.TP
|
||||||
|
.B [ <selectors> ] : PSK <secret>
|
||||||
|
A preshared secret is most conveniently represented as a sequence of
|
||||||
|
characters, delimited by double-quote characters (\fB"\fP).
|
||||||
|
The sequence cannot contain a newline or double-quote.
|
||||||
|
Strictly speaking, the secret is actually the sequence
|
||||||
|
of bytes that is used in the file to represent the sequence of
|
||||||
|
characters (excluding the delimiters).
|
||||||
|
.TP
|
||||||
|
.B [ <selectors> ] : RSA <private key file> [ <passphrase> | %prompt ]
|
||||||
|
.TQ
|
||||||
|
.B [ <selectors> ] : ECDSA <private key file> [ <passphrase> | %prompt ]
|
||||||
|
For the private key file both absolute paths or paths relative to
|
||||||
|
\fI/etc/ipsec.d/private\fP are accepted. If the private key file is
|
||||||
|
encrypted, the \fIpassphrase\fP must be defined. Instead of a passphrase
|
||||||
|
.B %prompt
|
||||||
|
can be used which then causes the daemons to ask the user for the password
|
||||||
|
whenever it is required to decrypt the key.
|
||||||
|
.TP
|
||||||
|
.B <user id> : EAP <secret>
|
||||||
|
As with \fBPSK\fP secrets the \fIsecret\fP is a sequence of characters,
|
||||||
|
delimited by double-quote characters (\fB"\fP).
|
||||||
|
.br
|
||||||
|
\fBEAP\fP secrets are IKEv2 only.
|
||||||
|
.TP
|
||||||
|
.B : XAUTH <username> <password>
|
||||||
|
\fBXAUTH\fP secrets are IKEv1 only.
|
||||||
|
.TP
|
||||||
|
.B : PIN <smartcard selector> <pin code> | %prompt
|
||||||
|
The format
|
||||||
|
.B "%smartcard[<slot nr>[:<key id>]]"
|
||||||
|
is used to specify the smartcard selector (e.g. %smartcard1:50). For IKEv1,
|
||||||
|
instead of specifying the pin code statically,
|
||||||
|
.B %prompt
|
||||||
|
can be specified, which causes the pluto daemon to ask the user for the pin
|
||||||
|
code.
|
||||||
|
.LP
|
||||||
|
|
||||||
.SH FILES
|
.SH FILES
|
||||||
/etc/ipsec.secrets
|
/etc/ipsec.secrets
|
||||||
.SH SEE ALSO
|
.SH SEE ALSO
|
||||||
The rest of the FreeS/WAN distribution, in particular
|
|
||||||
\fIipsec.conf\fP(5),
|
\fIipsec.conf\fP(5),
|
||||||
\fIipsec\fP(8),
|
\fIipsec\fP(8)
|
||||||
\fIipsec_newhostkey\fP(8),
|
|
||||||
\fIipsec_rsasigkey\fP(8),
|
|
||||||
\fIipsec_showhostkey\fP(8),
|
|
||||||
\fIipsec_auto\fP(8) \fB\-\-rereadsecrets\fP,
|
|
||||||
and \fIipsec_pluto\fP(8) \fB\-\-listen\fP,.
|
|
||||||
.br
|
.br
|
||||||
BIND 8.2.2 or later, ftp://ftp.isc.org/isc/bind/src/
|
|
||||||
.SH HISTORY
|
.SH HISTORY
|
||||||
Designed for the FreeS/WAN project
|
Originally written for the FreeS/WAN project by D. Hugh Redelmeier.
|
||||||
<http://www.freeswan.org>
|
Updated and extended for the strongSwan project <http://www.strongswan.org> by
|
||||||
by D. Hugh Redelmeier.
|
Tobias Brunner and Andreas Steffen.
|
||||||
.SH BUGS
|
.SH BUGS
|
||||||
If an ID is \fB0.0.0.0\fP, it will match \fB%any\fP;
|
If an ID is \fB0.0.0.0\fP, it will match \fB%any\fP;
|
||||||
if it is \fB0::0\fP, it will match \fB%any6\fP.
|
if it is \fB0::0\fP, it will match \fB%any6\fP.
|
||||||
|
|
Loading…
Reference in New Issue