.\" $NetBSD: setkey.8,v 1.26 2010/12/03 14:32:52 tteras Exp $
.\"
.\" Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\" 3. Neither the name of the project nor the names of its contributors
.\"    may be used to endorse or promote products derived from this software
.\"    without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.Dd June 4, 2010
.Dt SETKEY 8
.Os
.\"
.Sh NAME
.Nm setkey
.Nd manually manipulate the IPsec SA/SP database
.\"
.Sh SYNOPSIS
.Nm setkey
.Op Fl knrv
.Ar file ...
.Nm setkey
.Op Fl knrv
.Fl c
.Nm setkey
.Op Fl krv
.Fl f Ar filename
.Nm setkey
.Op Fl aklPrv
.Fl D
.Nm setkey
.Op Fl Pvp
.Fl F
.Nm setkey
.Op Fl H
.Fl x
.Nm setkey
.Op Fl ?V
.\"
.Sh DESCRIPTION
.Nm
adds, updates, dumps, or flushes
Security Association Database (SAD) entries
as well as Security Policy Database (SPD) entries in the kernel.
.Pp
.Nm
takes a series of operations from standard input
.Po
if invoked with
.Fl c
.Pc
or from the file named
.Ar filename
.Po
if invoked with
.Fl f Ar filename
.Pc .
.Bl -tag -width Ds
.It (no flag)
Dump the SAD entries or SPD entries contained in the specified
.Ar file .
.It Fl ?
Print short help.
.It Fl a
.Nm
usually does not display dead SAD entries with
.Fl D .
If
.Fl a
is also specified, the dead SAD entries will be displayed as well.
A dead SAD entry is one that has expired but remains in the
system because it is referenced by some SPD entries.
.It Fl D
Dump the SAD entries.
If
.Fl P
is also specified, the SPD entries are dumped.
If
.Fl p
is specified, the ports are displayed.
.It Fl F
Flush the SAD entries.
If
.Fl P
is also specified, the SPD entries are flushed.
.It Fl H
Add a hexadecimal dump in
.Fl x
mode.
.It Fl h
On
.Nx ,
synonym for
.Fl H .
On other systems, synonym for
.Fl ? .
.It Fl k
Use the semantics used by the kernel.
Available only on Linux.
See also
.Fl r .
.It Fl l
Loop forever with short output on
.Fl D .
.It Fl n
No action.
The program will check the validity of the input, but no changes to
the SPD will be made.
.It Fl r
Use the semantics described in the IPsec RFCs.
This mode is the default.
For details see section
.Sx RFC vs Linux kernel semantics .
Available only on Linux.
See also
.Fl k .
.It Fl x
Loop forever and dump all the messages transmitted to the
.Dv PF_KEY
socket.
.Fl xx
prints the unformatted timestamps.
.It Fl V
Print version string.
.It Fl v
Be verbose.
The program will dump messages exchanged on the
.Dv PF_KEY
socket, including messages sent from other processes to the kernel.
.El
.Ss Configuration syntax
With
.Fl c
or
.Fl f
on the command line,
.Nm
accepts the following configuration syntax.
Lines starting with hash signs
.Pq Sq #
are treated as comment lines.
.Bl -tag -width Ds
.It Li add Oo Fl 46n Oc Ar src Ar dst Ar protocol Ar spi \
Oo Ar extensions Oc Ar algorithm ... Li ;
Add an SAD entry.
.Li add
can fail for multiple reasons, including when the key length does
not match the specified algorithm.
.\"
.It Li get Oo Fl 46n Oc Ar src Ar dst Ar protocol Ar spi Li ;
Show an SAD entry.
.\"
.It Li delete Oo Fl 46n Oc Ar src Ar dst Ar protocol Ar spi Li ;
Remove an SAD entry.
.\"
.It Li deleteall Oo Fl 46n Oc Ar src Ar dst Ar protocol Li ;
Remove all SAD entries that match the specification.
.\"
.It Li flush Oo Ar protocol Oc Li ;
Clear all SAD entries matched by the options.
.Fl F
on the command line achieves the same functionality.
.\"
.It Li dump Oo Ar protocol Oc Li ;
Dump all SAD entries matched by the options.
.Fl D
on the command line achieves the same functionality.
.\"
.It Li spdadd Oo Fl 46n Oc Ar src_range Ar dst_range Ar upperspec \
Ar label Ar policy Li ;
Add an SPD entry.
.\"
.It Li spdadd tagged Ar tag Ar policy Li ;
Add an SPD entry based on a PF tag.
.Ar tag
must be a string surrounded by double quotes.
.\"
.It Li spdupdate Oo Fl 46n Oc Ar src_range Ar dst_range Ar upperspec \
Ar label Ar policy Li ;
Update an SPD entry.
.\"
.It Li spdupdate tagged Ar tag Ar policy Li ;
Update an SPD entry based on a PF tag.
.Ar tag
must be a string surrounded by double quotes.
.\"
.It Li spddelete Oo Fl 46n Oc Ar src_range Ar dst_range Ar upperspec \
Fl P Ar direction Li ;
Delete an SPD entry.
.\"
.It Li spdflush Li ;
Clear all SPD entries.
.Fl FP
on the command line achieves the same functionality.
.\"
.It Li spddump Li ;
Dump all SPD entries.
.Fl DP
on the command line achieves the same functionality.
.El
.\"
.Pp
Meta-arguments are as follows:
.Pp
.Bl -tag -compact -width Ds
.It Ar src
.It Ar dst
Source/destination of the secure communication is specified as
an IPv4/v6 address, and an optional port number between square
brackets.
.Nm
can resolve an FQDN into numeric addresses.
If the FQDN resolves into multiple addresses,
.Nm
will install multiple SAD/SPD entries into the kernel
by trying all possible combinations.
.Fl 4 ,
.Fl 6 ,
and
.Fl n
restrict the address resolution of the FQDN in certain ways.
.Fl 4
and
.Fl 6
restrict results to IPv4/v6 addresses only, respectively.
.Fl n
avoids FQDN resolution and requires addresses to be numeric addresses.
.\"
.Pp
.It Ar protocol
.Ar protocol
is one of the following:
.Bl -tag -width Fl -compact
.It Li esp
ESP based on rfc2406
.It Li esp-old
ESP based on rfc1827
.It Li ah
AH based on rfc2402
.It Li ah-old
AH based on rfc1826
.It Li ipcomp
IPComp
.It Li tcp
TCP-MD5 based on rfc2385
.El
.\"
.Pp
.It Ar spi
Security Parameter Index
.Pq SPI
for the SAD and the SPD.
.Ar spi
must be a decimal number, or a hexadecimal number with a
.Dq Li 0x
prefix.
SPI values between 0 and 255 are reserved for future use by IANA
and cannot be used.
TCP-MD5 associations must use 0x1000 and therefore only have per-host
granularity at this time.
.\"
.Pp
.It Ar extensions
take some of the following:
.Bl -tag -width Fl -compact
.\"
.It Fl m Ar mode
Specify a security protocol mode for use.
.Ar mode
is one of the following:
.Li transport , tunnel ,
or
.Li any .
The default value is
.Li any .
.\"
.It Fl r Ar size
Specify the window size, in bytes, for replay prevention.
.Ar size
must be a decimal number that fits in a 32-bit word.
If
.Ar size
is zero or not specified, replay checks don't take place.
.\"
.It Fl u Ar id
Specify the identifier of the policy entry in the SPD.
See
.Ar policy .
.\"
.It Fl f Ar pad_option
Define the content of the ESP padding.
.Ar pad_option
is one of the following:
.Bl -tag -width random-pad -compact
.It Li zero-pad
All padding bytes are zero.
.It Li random-pad
A series of randomized values is used.
.It Li seq-pad
A series of sequentially increasing numbers starting from 1 is used.
.El
.\"
.It Fl f Li nocyclic-seq
Don't allow cyclic sequence numbers.
.\"
.It Fl lh Ar time
.It Fl ls Ar time
Specify the hard/soft lifetime of the SA, measured in seconds.
.\"
.It Fl bh Ar bytes
.It Fl bs Ar bytes
Specify the hard/soft lifetime of the SA, measured in bytes transported.
.\"
.It Fl ctx Ar doi Ar algorithm Ar context-name
Specify an access control label.
The access control label is interpreted by the LSM (e.g., SELinux).
Ultimately, it enables MAC on network communications.
.Bl -tag -width Fl -compact
.It Ar doi
The domain of interpretation, which is used by the
IKE daemon to identify the domain in which negotiation takes place.
.It Ar algorithm
Indicates the LSM for which the label is generated (e.g., SELinux).
.It Ar context-name
The string representation of the label that is interpreted by the LSM.
.El
.El
.\"
.Pp
.It Ar algorithm
.Bl -tag -width Fl -compact
.It Fl E Ar ealgo Ar key
Specify an encryption algorithm
.Ar ealgo
for ESP.
.It Fl E Ar ealgo Ar key Fl A Ar aalgo Ar key
Specify an encryption algorithm
.Ar ealgo ,
as well as a payload authentication algorithm
.Ar aalgo ,
for ESP.
.It Fl A Ar aalgo Ar key
Specify an authentication algorithm for AH.
.It Fl C Ar calgo Op Fl R
Specify a compression algorithm for IPComp.
If
.Fl R
is specified, the
.Ar spi
field value will be used as the IPComp CPI
.Pq compression parameter index
on the wire as-is.
If
.Fl R
is not specified,
the kernel will use a well-known CPI on the wire, and the
.Ar spi
field will be used only as an index for kernel internal usage.
.El
.Pp
.Ar key
must be a double-quoted character string, or a series of hexadecimal
digits preceded by
.Dq Li 0x .
.Pp
Possible values for
.Ar ealgo ,
.Ar aalgo ,
and
.Ar calgo
are specified in the
.Sx Algorithms
section.
.\"
.Pp
.It Ar src_range
.It Ar dst_range
These select the communications that should be secured by IPsec.
They can be an IPv4/v6 address or an IPv4/v6 address range, and
may be accompanied by a TCP/UDP port specification.
This takes the following form:
.Bd -literal -offset
.Ar address
.Ar address/prefixlen
.Ar address[port]
.Ar address/prefixlen[port]
.Ed
.Pp
.Ar prefixlen
and
.Ar port
must be decimal numbers.
The square brackets around
.Ar port
are really necessary;
they are not man page meta-characters.
For FQDN resolution, the rules applicable to
.Ar src
and
.Ar dst
apply here as well.
.\"
.Pp
.It Ar upperspec
Upper-layer protocol to be used.
You can use one of the words in
.Pa /etc/protocols
as
.Ar upperspec ,
or
.Li icmp6 ,
.Li ip4 ,
.Li gre ,
or
.Li any .
.Li any
stands for
.Dq any protocol .
You can also use the protocol number.
An additional specification can be placed after the protocol name for
some protocols.
You can specify a type and/or a code of ICMP or ICMPv6.
The type is separated from the code by a single comma, and the code must
always be specified.
A GRE key can be specified in dotted-quad format or as a plain number.
When a zero is specified, the kernel treats it as a wildcard.
Note that the kernel cannot distinguish a wildcard from an ICMPv6
type of zero.
.Pp
For example, the following means that the policy doesn't require IPsec
for any inbound Neighbor Solicitation.
.Dl spdadd ::/0 ::/0 icmp6 135,0 -P in none ;
.Pp
A second example, requiring transport mode encryption of a specific
GRE tunnel:
.Dl spdadd 0.0.0.0 0.0.0.0 gre 1234 ipsec esp/transport//require ;
.Pp
.Em Note :
.Ar upperspec
does not work for the forwarding case at this moment,
as it requires extra reassembly at the forwarding node
.Pq not implemented at this moment .
There are many protocols in
.Pa /etc/protocols ,
but all protocols except TCP, UDP, GRE, and ICMP may not be suitable
to use with IPsec.
You have to consider carefully what to use.
.\"
.Pp
.It Ar label
.Ar label
is the access control label for the policy.
This label is interpreted by the LSM (e.g., SELinux).
Ultimately, it enables MAC on network communications.
When a policy contains an access control label, SAs
negotiated with this policy will contain the label.
Its format:
.Bl -tag -width Fl -compact
.\"
.It Fl ctx Ar doi Ar algorithm Ar context-name
.Bl -tag -width Fl -compact
.It Ar doi
The domain of interpretation, which is used by the
IKE daemon to identify the domain in which negotiation takes place.
.It Ar algorithm
Indicates the LSM for which the label is generated (e.g., SELinux).
.It Ar context-name
The string representation of the label that is interpreted by the LSM.
.El
.El
.\"
.Pp
.It Ar policy
.Ar policy
is in one of the following three formats:
.Bl -item -compact
.It
.Fl P Ar direction [priority specification] Li discard
.It
.Fl P Ar direction [priority specification] Li none
.It
.Fl P Ar direction [priority specification] Li ipsec
.Ar protocol/mode/src-dst/level Op ...
.El
.Pp
You must specify the direction of the policy as
.Ar direction .
Either
.Ar out ,
.Ar in ,
or
.Ar fwd
can be used.
.Pp
.Ar priority specification
is used to control the placement of the policy within the SPD.
Policy position is determined by
a signed integer where higher priorities indicate the policy is placed
closer to the beginning of the list and lower priorities indicate the
policy is placed closer to the end of the list.
Policies with equal priorities are added at the end of groups
of such policies.
.Pp
Priority can only
be specified when setkey has been compiled against kernel headers that
support policy priorities (Linux \*[Gt]= 2.6.6).
If the kernel does not support priorities, a warning message will
be printed the first time a priority specification is used.
Policy priority takes one of the following formats:
.Bl -tag -width "discard"
.It Ar {priority,prio} offset
.Ar offset
is an integer in the range from \-2147483647 to 214783648.
.It Ar {priority,prio} base {+,\-} offset
.Ar base
is either
.Li low (\-1073741824) ,
.Li def (0) ,
or
.Li high (1073741824)
.Pp
.Ar offset
is an unsigned integer.
It can be up to 1073741824 for
positive offsets, and up to 1073741823 for negative offsets.
.El
.Pp
.Li discard
means that packets matching the indexes will be discarded.
.Li none
means that no IPsec operation will take place on the packet.
.Li ipsec
means that an IPsec operation will take place on the packet.
.Pp
The
.Ar protocol/mode/src-dst/level
part specifies how the packet is to be processed.
Either
.Li ah ,
.Li esp ,
or
.Li ipcomp
must be used as
.Ar protocol .
.Ar mode
is either
.Li transport
or
.Li tunnel .
If
.Ar mode
is
.Li tunnel ,
you must specify the end-point addresses of the SA as
.Ar src
and
.Ar dst
with
.Sq -
between these addresses, which is used to specify the SA to use.
If
.Ar mode
is
.Li transport ,
both
.Ar src
and
.Ar dst
can be omitted.
.Ar level
is to be one of the following:
.Li default , use , require ,
or
.Li unique .
Whichever level is chosen, if the SA is not available the kernel will
ask the key exchange daemon to establish a suitable SA.
.Li default
means the kernel consults the system-wide default for the protocol
you specified, e.g. the
.Li esp_trans_deflev
sysctl variable, when the kernel processes the packet.
.Li use
means that the kernel uses an SA if it's available;
otherwise the kernel keeps normal operation.
.Li require
means an SA is required whenever the kernel sends a packet matched
by the policy.
.Li unique
is the same as
.Li require ;
in addition, it allows the policy to match the unique outbound SA.
If you just specify the policy level
.Li unique ,
.Xr racoon 8
will configure the SA for the policy.
If you configure the SA by manual keying for that policy,
you can put a decimal number as the policy identifier after
.Li unique
separated by a colon
.Sq \&:
like:
.Li unique:number
in order to bind this policy to the SA.
.Li number
must be between 1 and 32767.
It corresponds to
.Ar extensions Fl u
of the manual SA configuration.
When you want to use an SA bundle, you can define multiple rules.
For example, if an IP header was followed by an AH header followed
by an ESP header followed by an upper layer protocol header, the
rule would be:
.Dl esp/transport//require ah/transport//require ;
The rule order is very important.
.Pp
When NAT-T is enabled in the kernel, policy matching for ESP over
UDP packets may be done on endpoint addresses and port
(this depends on the system; systems that do not perform the port check
cannot support multiple endpoints behind the same NAT).
When using ESP over UDP, you can specify port numbers in the endpoint
addresses to get the correct matching.
Here is an example:
.Bd -literal -offset
spdadd 10.0.11.0/24[any] 10.0.11.33/32[any] any \-P out ipsec
    esp/tunnel/192.168.0.1[4500]-192.168.1.2[30000]/require ;

.Ed
These ports must be left unspecified (which defaults to 0) for
anything other than ESP over UDP.
They can be displayed in an SPD dump using
.Nm
.Fl DPp .
.Pp
Note that
.Dq Li discard
and
.Dq Li none
are not in the syntax described in
.Xr ipsec_set_policy 3 .
There are a few differences in the syntax.
See
.Xr ipsec_set_policy 3
for details.
.El
.\"
.Ss Algorithms
The following list shows the supported algorithms.
.Sy protocol
and
.Sy algorithm
are almost orthogonal.
These authentication algorithms can be used as
.Ar aalgo
in
.Fl A Ar aalgo
of the
.Ar protocol
parameter:
.Pp
.Bd -literal -offset indent
algorithm       keylen (bits)
hmac-md5        128             ah: rfc2403
                128             ah-old: rfc2085
hmac-sha1       160             ah: rfc2404
                160             ah-old: 128bit ICV (no document)
keyed-md5       128             ah: 96bit ICV (no document)
                128             ah-old: rfc1828
keyed-sha1      160             ah: 96bit ICV (no document)
                160             ah-old: 128bit ICV (no document)
null            0 to 2048       for debugging
hmac-sha256     256             ah: 96bit ICV
                                (draft-ietf-ipsec-ciph-sha-256-00)
                256             ah-old: 128bit ICV (no document)
hmac-sha384     384             ah: 96bit ICV (no document)
                384             ah-old: 128bit ICV (no document)
hmac-sha512     512             ah: 96bit ICV (no document)
                512             ah-old: 128bit ICV (no document)
hmac-ripemd160  160             ah: 96bit ICV (RFC2857)
                                ah-old: 128bit ICV (no document)
aes-xcbc-mac    128             ah: 96bit ICV (RFC3566)
                128             ah-old: 128bit ICV (no document)
tcp-md5         8 to 640        tcp: rfc2385
.Ed
.Pp
These encryption algorithms can be used as
.Ar ealgo
in
.Fl E Ar ealgo
of the
.Ar protocol
parameter:
.Pp
.Bd -literal -offset indent
algorithm       keylen (bits)
des-cbc         64              esp-old: rfc1829, esp: rfc2405
3des-cbc        192             rfc2451
null            0 to 2048       rfc2410
blowfish-cbc    40 to 448       rfc2451
cast128-cbc     40 to 128       rfc2451
des-deriv       64              ipsec-ciph-des-derived-01
3des-deriv      192             no document
rijndael-cbc    128/192/256     rfc3602
twofish-cbc     0 to 256        draft-ietf-ipsec-ciph-aes-cbc-01
aes-ctr         160/224/288     draft-ietf-ipsec-ciph-aes-ctr-03
camellia-cbc    128/192/256     rfc4312
.Ed
.Pp
Note that the first 128 bits of a key for
.Li aes-ctr
will be used as the AES key, and the remaining 32 bits will be used as the nonce.
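.Pp
The two failure modes named above for
.Li add ,
a key whose length does not match the algorithm's
.Dq keylen (bits)
entry and an SPI in the IANA-reserved range, can be checked before a
configuration file is loaded.
The following Python script is an added example; it is not part of this
manual or of the setkey sources.
It transcribes the two tables above, validates
.Li add
lines offline and, for
.Li aes-ctr ,
splits the key material into the AES key and the trailing 32-bit nonce
as the note above describes (the split is applied to the 224- and 288-bit
sizes as well, following RFC 3686, which goes beyond the 160-bit case the
note states).
Assumptions: flags are written with a plain
.Sq -
rather than the roff
.Sq \e-
escape used in the EXAMPLES section, the mapping from SA protocol to the
required algorithm flag is taken from the
.Ar algorithm
meta-argument description, and extensions such as
.Fl ctx
are only skipped over, not validated.

```python
"""Offline checker for setkey(8) "add" lines.  Added example, not code from the
manual or the ipsec-tools/KAME sources; assumptions are marked in comments."""
import re
# keylen (bits) from the Algorithms tables: allowed sizes per algorithm
AALGO = {"hmac-md5": (128,), "hmac-sha1": (160,), "keyed-md5": (128,),
         "keyed-sha1": (160,), "null": range(2049), "hmac-sha256": (256,),
         "hmac-sha384": (384,), "hmac-sha512": (512,), "hmac-ripemd160": (160,),
         "aes-xcbc-mac": (128,), "tcp-md5": range(8, 641)}
EALGO = {"des-cbc": (64,), "3des-cbc": (192,), "null": range(2049), "des-deriv": (64,),
         "3des-deriv": (192,), "blowfish-cbc": range(40, 449), "cast128-cbc": range(40, 129),
         "rijndael-cbc": (128, 192, 256), "twofish-cbc": range(257), "aes-ctr": (160, 224, 288),
         "camellia-cbc": (128, 192, 256)}
# flag each SA protocol must carry (assumed from the "algorithm" meta-argument)
NEEDS = {"esp": "-E", "esp-old": "-E", "ah": "-A", "ah-old": "-A", "ipcomp": "-C", "tcp": "-A"}
EXT_ARGS = {"-m": 1, "-r": 1, "-u": 1, "-f": 1, "-lh": 1, "-ls": 1, "-bh": 1,
            "-bs": 1, "-ctx": 3, "-C": 1, "-R": 0}   # skipped over: flag -> arg count
TOKEN_RE = re.compile(r'"([^"]*)"|(;)|([^\s;"]+)')
SPI_RE = re.compile(r"^(0[xX][0-9a-fA-F]+|[0-9]+)$")
HEXKEY_RE = re.compile(r"^0[xX]([0-9a-fA-F]*)$")


def tokenize(line):
    """Split into (text, was_double_quoted) pairs; ';' is always its own token."""
    return [(m.group(1), True) if m.group(1) is not None
            else (m.group(2) or m.group(3), False) for m in TOKEN_RE.finditer(line)]


def key_bits(text, quoted):
    """(bit length, raw bytes) of a key given as "string" or as 0x-prefixed hex."""
    if quoted:
        return 8 * len(text.encode("ascii")), text.encode("ascii")
    m = HEXKEY_RE.match(text)
    if not m or len(m.group(1)) % 2:
        raise ValueError("key %r must be a quoted string or even-length 0x hex" % text)
    return 4 * len(m.group(1)), bytes.fromhex(m.group(1))


def validate_add(line):
    """Check one "add" line; returns a dict with "ok" and an "errors" list."""
    errors, algos = [], {}
    rep = {"errors": errors, "algos": algos, "ok": False}
    toks = tokenize(line)
    if not toks or toks[0][0] != "add":
        errors.append("not an add line")
        return rep
    if toks[-1][0] != ";":
        errors.append("missing terminating ';'")
    toks = [t for t in toks if t[0] not in (";", "-4", "-6", "-n")]  # resolver flags
    if len(toks) < 5:
        errors.append("expected: src dst protocol spi")
        return rep
    rep["src"], rep["dst"], proto, spi_tok = (t for t, _ in toks[1:5])
    if not SPI_RE.match(spi_tok):
        errors.append("SPI must be decimal or 0x hex, got %r" % spi_tok)
    else:
        spi = rep["spi"] = int(spi_tok, 16 if spi_tok[:2].lower() == "0x" else 10)
        if spi <= 255:
            errors.append("SPI %d is in the IANA-reserved range 0-255" % spi)
        if proto == "tcp" and spi != 0x1000:
            errors.append("TCP-MD5 associations must use SPI 0x1000")
    i = 5
    while i < len(toks):              # extensions and algorithms, in any order
        flag = toks[i][0]
        if flag in ("-E", "-A") and i + 2 < len(toks):
            algo, (ktext, quoted) = toks[i + 1][0], toks[i + 2]
            table = EALGO if flag == "-E" else AALGO
            try:
                bits, raw = key_bits(ktext, quoted)
                algos[flag] = (algo, bits)
                if algo not in table:
                    errors.append("unknown %s algorithm %r" % (flag, algo))
                elif bits not in table[algo]:
                    errors.append("%s key is %d bits, allowed: %s" % (algo, bits, table[algo]))
                elif algo == "aes-ctr":   # manual: AES key followed by a 32-bit nonce
                    rep["aes_ctr"] = {"aes_key": raw[:-4].hex(), "nonce": raw[-4:].hex()}
            except ValueError as exc:
                errors.append(str(exc))
            i += 3
        elif flag in EXT_ARGS:
            if flag == "-C" and i + 1 < len(toks):
                algos["-C"] = (toks[i + 1][0], None)   # calgo; manual lists deflate only
            i += 1 + EXT_ARGS[flag]   # setkey checks the arguments; not done here
        else:
            errors.append("unexpected or incomplete token %r" % flag)
            break
    need = NEEDS.get(proto)           # None for a protocol the manual does not list
    if need not in algos:
        errors.append("protocol %r requires %s" % (proto, need or "a listed name"))
    rep["ok"] = not errors
    return rep


SAMPLE_LINES = [  # constructed input: three of the manual's EXAMPLES, one line each
    'add 3ffe:501:4819::1 3ffe:501:481d::1 esp 123457 -E des-cbc 0x3ffe05014819ffff ;',
    'add -6 myhost.example.com yourhost.example.com ah 123456 -A hmac-sha1 "AH SA configuration!" ;',
    'add 10.1.10.34 10.1.10.36 tcp 0x1000 -A tcp-md5 "TCP-MD5 BGP secret" ;',
]


def check_all(lines=SAMPLE_LINES):
    """Return {line: errors}; an empty error list means the line passed."""
    return {ln: validate_add(ln)["errors"] for ln in lines}
```

.Pp
.Fn check_all
runs the constructed sample lines; real configuration lines can be passed to
.Fn validate_add
one at a time.
The checker covers syntax and key length only and says nothing about
algorithm strength:
.Li des-cbc
or
.Li null
pass as long as the key length matches the table.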
.Pp
These compression algorithms can be used as
.Ar calgo
in
.Fl C Ar calgo
of the
.Ar protocol
parameter:
.Pp
.Bd -literal -offset indent
algorithm
deflate         rfc2394
.Ed
.\"
.Ss RFC vs Linux kernel semantics
The Linux kernel uses the
.Ar fwd
policy instead of the
.Ar in
policy for packets that are forwarded through that particular box.
.Pp
In
.Ar kernel
mode,
.Nm
manages and shows policies and SAs exactly as they are stored in the kernel.
.Pp
In
.Ar RFC
mode,
.Nm
.Bl -item
.It
creates
.Ar fwd
policies for every
.Ar in
policy inserted
.It
(not implemented yet) filters out all
.Ar fwd
policies
.El
.Sh RETURN VALUES
The command exits with 0 on success, and non-zero on errors.
.\"
.Sh EXAMPLES
.Bd -literal -offset
add 3ffe:501:4819::1 3ffe:501:481d::1 esp 123457
    \-E des-cbc 0x3ffe05014819ffff ;

add \-6 myhost.example.com yourhost.example.com ah 123456
    \-A hmac-sha1 "AH SA configuration!" ;

add 10.0.11.41 10.0.11.33 esp 0x10001
    \-E des-cbc 0x3ffe05014819ffff
    \-A hmac-md5 "authentication!!" ;

get 3ffe:501:4819::1 3ffe:501:481d::1 ah 123456 ;

flush ;

dump esp ;

spdadd 10.0.11.41/32[21] 10.0.11.33/32[any] any
    \-P out ipsec esp/tunnel/192.168.0.1-192.168.1.2/require ;

add 10.1.10.34 10.1.10.36 tcp 0x1000 \-A tcp-md5 "TCP-MD5 BGP secret" ;

add 10.0.11.41 10.0.11.33 esp 0x10001
    \-ctx 1 1 "system_u:system_r:unconfined_t:SystemLow-SystemHigh"
    \-E des-cbc 0x3ffe05014819ffff ;

spdadd 10.0.11.41 10.0.11.33 any
    \-ctx 1 1 "system_u:system_r:unconfined_t:SystemLow-SystemHigh"
    \-P out ipsec esp/transport//require ;
.Ed
.\"
.Sh SEE ALSO
.Xr ipsec_set_policy 3 ,
.Xr racoon 8 ,
.Xr sysctl 8
.Rs
.%T "Changed manual key configuration for IPsec"
.%U "http://www.kame.net/newsletter/19991007/"
.%D "October 1999"
.Re
.\"
.Sh HISTORY
The
.Nm
command first appeared in the WIDE Hydrangea IPv6 protocol stack
kit.
The command was completely re-designed in June 1998.
.\"
.Sh BUGS
.Nm
should report and handle syntax errors better.
.Pp
For IPsec gateway configuration,
.Ar src_range
and
.Ar dst_range
with TCP/UDP port numbers do not work, as the gateway does not
reassemble packets
.Pq it cannot inspect upper-layer headers .