pluto.8

This a good VPN source

.TH IPSEC_PLUTO 8 "28 March 1999"
.SH NAME
ipsec pluto \- IPsec IKE keying daemon
.br
ipsec whack \- control interface for IPSEC keying daemon
.SH SYNOPSIS
.na
.nh
.HP
.ft B
ipsec pluto
[\-\-help]
[\-\-version]
[\-\-optionsfrom\ \c
\fIfilename\fP]
[\-\-nofork]
[\-\-stderrlog]
[\-\-noklips]
[\-\-uniqueids]
[\fB\-\-interface\fP \fIinterfacename\fP]
[\-\-ikeport\ \c
\fIportnumber\fP]
[\-\-ctlbase\ \c
\fIpath\fP]
[\-\-secretsfile\ \c
\fIsecrets\(hyfile\fP]
[\-\-adns \fIpathname\fP]
[\-\-lwdnsq \fIpathname\fP]
[\-\-perpeerlog]
[\-\-perpeerlogbase\ \c
\fIdirname\fP]
[\-\-ipsecdir\ \c
\fIdirname\fP]
[\-\-coredir\ \c
\fIdirname\fP]
[\-\-noretransmits]
[\-\-debug\(hynone]
[\-\-debug\(hyall]
[\-\-debug\(hyraw]
[\-\-debug\(hycrypt]
[\-\-debug\(hyparsing]
[\-\-debug\(hyemitting]
[\-\-debug\(hycontrol]
[\-\-debug\(hylifecycle]
[\-\-debug\(hyklips]
[\-\-debug\(hydns]
[\-\-debug\(hyoppo]
[\-\-debug\(hyprivate]
.HP
.ft B
ipsec whack
[\-\-help]
[\-\-version]
.HP
.ft B
ipsec whack
\-\-name\ \c
\fIconnection-name\fP
.br
[\-\-id\ \c
\fIid\fP] \c
[\-\-host\ \c
\fIip\(hyaddress\fP]
[\-\-ikeport\ \c
\fIport\(hynumber\fP]
[\-\-nexthop\ \c
\fIip\(hyaddress\fP]
[\-\-client\ \c
\fIsubnet\fP]
[\-\-dnskeyondemand]
[\-\-updown\ \c
\fIupdown\fP]
.br
\-\-to
.br
[\-\-id\ \c
\fIid\fP]
[\-\-host\ \c
\fIip\(hyaddress\fP]
[\-\-ikeport\ \c
\fIport\(hynumber\fP]
[\-\-nexthop\ \c
\fIip\(hyaddress\fP]
[\-\-client\ \c
\fIsubnet\fP]
[\-\-dnskeyondemand]
[\-\-updown\ \c
\fIupdown\fP]
.br
[\-\-aggrmode]
[\-\-psk]
[\-\-rsasig]
[\-\-encrypt]
[\-\-authenticate]
[\-\-compress]
[\-\-tunnel]
[\-\-pfs]
[\-\-disablearrivalcheck]
[\-\-ipv4]
[\-\-ipv6]
[\-\-tunnelipv4]
[\-\-tunnelipv6]
[\-\-ikelifetime\ \c
\fIseconds\fP]
[\-\-ipseclifetime\ \c
\fIseconds\fP]
[\-\-rekeymargin\ \c
\fIseconds\fP]
[\-\-rekeyfuzz\ \c
\fIpercentage\fP]
[\-\-keyingtries\ \c
\fIcount\fP]
[\-\-dontrekey]
[\-\-delete]
[\-\-ctlbase\ \c
\fIpath\fP]
[\-\-optionsfrom\ \c
\fIfilename\fP]
[\-\-label\ \c
\fIstring\fP]
.HP
.ft B
ipsec whack
\-\-keyid\ \c
\fIid\fP
[\-\-addkey]
[\-\-pubkeyrsa\ \c
\fIkey\fP]
[\-\-ctlbase\ \c
\fIpath\fP]
[\-\-optionsfrom\ \c
\fIfilename\fP]
[\-\-label\ \c
\fIstring\fP]
.HP
.ft B
ipsec whack
\-\-myid\ \c
\fIid\fP
.HP
.ft B
ipsec whack
\-\-listen|\-\-unlisten
[\-\-ctlbase\ \c
\fIpath\fP]
[\-\-optionsfrom\ \c
\fIfilename\fP]
[\-\-label\ \c
\fIstring\fP]
.HP
.ft B
ipsec whack
\-\-route|\-\-unroute
\-\-name\ \c
\fIconnection-name\fP
[\-\-ctlbase\ \c
\fIpath\fP]
[\-\-optionsfrom\ \c
\fIfilename\fP]
[\-\-label\ \c
\fIstring\fP]
.HP
.ft B
ipsec whack
\-\-initiate|\-\-terminate
\-\-name\ \c
\fIconnection-name\fP
[\-\-xauthuser user]
[\-\-xauthpass pass]
[\-\-asynchronous]
[\-\-ctlbase\ \c
\fIpath\fP]
[\-\-optionsfrom\ \c
\fIfilename\fP]
[\-\-label\ \c
\fIstring\fP]
.HP
.ft B
ipsec whack
[\-\-tunnelipv4]
[\-\-tunnelipv6]
\-\-oppohere \fIip\(hyaddress\fP
\-\-oppothere \fIip\(hyaddress\fP
.HP
.ft B
ipsec whack
\-\-delete
\-\-name\ \c
\fIconnection-name\fP
[\-\-ctlbase\ \c
\fIpath\fP]
[\-\-optionsfrom\ \c
\fIfilename\fP]
[\-\-label\ \c
\fIstring\fP]
.HP
.ft B
ipsec whack
\-\-deletestate\ \c
\fIstate-number\fP
[\-\-ctlbase\ \c
\fIpath\fP]
[\-\-optionsfrom\ \c
\fIfilename\fP]
[\-\-label\ \c
\fIstring\fP]
.HP
.ft B
ipsec whack
[\-\-name\ \c
\fIconnection-name\fP]
[\-\-debug\(hynone]
[\-\-debug\(hyall]
[\-\-debug\(hyraw]
[\-\-debug\(hycrypt]
[\-\-debug\(hyparsing]
[\-\-debug\(hyemitting]
[\-\-debug\(hycontrol]
[\-\-debug\(hylifecycle]
[\-\-debug\(hyklips]
[\-\-debug\(hydns]
[\-\-debug\(hyoppo]
[\-\-debug\(hyprivate]
[\-\-ctlbase\ \c
\fIpath\fP]
[\-\-optionsfrom\ \c
\fIfilename\fP]
[\-\-label\ \c
\fIstring\fP]
.HP
.ft B
ipsec whack
\-\-status
[\-\-ctlbase\ \c
\fIpath\fP]
[\-\-optionsfrom\ \c
\fIfilename\fP]
[\-\-label\ \c
\fIstring\fP]
.HP
.ft B
ipsec whack
\-\-shutdown
[\-\-ctlbase\ \c
\fIpath\fP]
[\-\-optionsfrom\ \c
\fIfilename\fP]
[\-\-label\ \c
\fIstring\fP]
.ft R
.hy
.ad
.SH DESCRIPTION
.BR pluto
is an IKE (``IPsec Key Exchange'') daemon.
.BR whack
is an auxiliary program to allow requests to be made to a running
.BR pluto .
.LP
.BR pluto
is used to automatically build shared ``security associations'' on a
system that has IPsec, the secure IP protocol.
In other words,
.BR pluto
can eliminate much of the work of manual keying.
The actual
secure transmission of packets is the responsibility of other parts of
the system (see
.BR KLIPS ,
the companion implementation of IPsec).
\fIipsec_auto\fP(8) provides a more convenient interface to
\fBpluto\fP and \fBwhack\fP.
.SS IKE's Job
.LP
A \fISecurity Association\fP (\fISA\fP) is an agreement between two network nodes on
how to process certain traffic between them.  This processing involves
encapsulation, authentication, encryption, or compression.
.LP
IKE can be deployed on a network node to negotiate Security
Associations for that node.  These IKE implementations can only
negotiate with other IKE implementations, so IKE must be on each node
that is to be an endpoint of an IKE-negotiated Security Association.
No other nodes need to be running IKE.
.LP
An IKE instance (i.e. an IKE implementation on a particular network
node) communicates with another IKE instance using UDP IP packets, so
there must be a route between the nodes in each direction.
.LP
The negotiation of Security Associations requires a number of choices
that involve tradeoffs between security, convenience, trust, and
efficiency.  These are policy issues and are normally specified to the
IKE instance by the system administrator.
.LP
IKE deals with two kinds of Security Associations.  The first part of
a negotiation between IKE instances is to build an ISAKMP SA.  An
ISAKMP SA is used to protect communication between the two IKEs.
IPsec SAs can then be built by the IKEs \- these are used to carry
protected IP traffic between the systems.
.LP
The negotiation of the ISAKMP SA is known as Phase 1.  In theory,
Phase 1 can be accomplished by a couple of different exchange types,
but we only implement one called Main Mode (we don't implement
Aggressive Mode).
.LP
Any negotiation under the protection of an ISAKMP SA, including the
negotiation of IPsec SAs, is part of Phase 2.  The exchange type
that we use to negotiate an IPsec SA is called Quick Mode.
.LP
IKE instances must be able to authenticate each other as part of their
negotiation of an ISAKMP SA.  This can be done by several mechanisms
described in the draft standards.
.LP
IKE negotiation can be initiated by any instance with any other.  If
both can find an agreeable set of characteristics for a Security
Association, and both recognize each others authenticity, they can set
up a Security Association.  The standards do not specify what causes
an IKE instance to initiate a negotiation.
.LP
In summary, an IKE instance is prepared to automate the management of
Security Associations in an IPsec environment, but a number of issues
are considered policy and are left in the system administrator's hands.
.SS Pluto
.LP
\fBpluto\fP is an implementation of IKE.  It runs as a daemon on a network
node.  Currently, this network node must be a LINUX system running the
\fBKLIPS\fP implementation of IPsec.
.LP
\fBpluto\fP only implements a subset of IKE.  This is enough for it to
interoperate with other instances of \fBpluto\fP, and many other IKE
implementations.  We are working on implementing more of IKE.
.LP
The policy for acceptable characteristics for Security Associations is
mostly hardwired into the code of \fBpluto\fP (spdb.c).  Eventually
this will be moved into a security policy database with reasonable
expressive power and more convenience.
.LP