Provided by:
openswan_2.4.6+dfsg.2-1.1build2_i386 
NAME
ipsec manual - take manually-keyed IPsec connections up and down
SYNOPSIS
ipsec manual [ --show ] [ --showonly ] [ --other ]
[ --iam address@interface ] [ --config configfile ]
operation connection
ipsec manual [ options ] --union operation part ...
DESCRIPTION
Manual manipulates manually-keyed FreeS/WAN IPsec connections, setting
them up and shutting them down, based on the information in the IPsec
configuration file. In the normal usage, connection is the name of a
connection specification in the configuration file; operation is --up,
--down, --route, or --unroute. Manual generates setup (--route or
--up) or teardown (--down or --unroute) commands for the connection and
feeds them to a shell for execution.
The --up operation brings the specified connection up, including estab‐
lishing a suitable route for it if necessary.
The --route operation just establishes the route for a connection.
Unless and until an --up operation is done, packets routed by that
route will simply be discarded.
The --down operation tears the specified connection down, except that
it leaves the route in place. Unless and until an --unroute operation
is done, packets routed by that route will simply be discarded. This
permits establishing another connection to the same destination without
any ‘‘window’’ in which packets can pass without encryption.
The --unroute operation (and only the --unroute operation) deletes any
route established for a connection.
In the --union usage, each part is the name of a partial connection
specification in the configuration file, and the union of all the par‐
tial specifications is the connection specification used. The effect
is as if the contents of the partial specifications were concatenated
together; restrictions on duplicate parameters, etc., do apply to the
result. (The same effect can now be had, more gracefully, using the
also parameter in connection descriptions; see ipsec.conf(5) for
details.)
The --show option turns on the -x option of the shell used to execute
the commands, so each command is shown as it is executed.
The --showonly option causes manual to show the commands it would run,
on standard output, and not run them.
The --other option causes manual to pretend it is the other end of the
connection. This is probably not useful except in combination with
--showonly.
The --iam option causes manual to believe it is running on the host
with the specified IP address, and that it should use the specified
interface (normally it determines all this automatically, based on what
IPsec interfaces are up and how they are configured).
The --config option specifies a non-standard location for the FreeS/WAN
IPsec configuration file (default /etc/ipsec.conf).
See ipsec.conf(5) for details of the configuration file. Apart from
the basic parameters which specify the endpoints and routing of a con‐
nection (left and right, plus possibly leftsubnet, leftnexthop, left
firewall, their right equivalents, and perhaps type), a non-passthrough
manual connection needs an spi or spibase parameter and some parameters
specifying encryption, authentication, or both, most simply esp,
espenckey, and espauthkey. Moderately-secure keys can be obtained from
ipsec_ranbits(8). For production use of manually-keyed connections, it
is strongly recommended that the keys be kept in a separate file (with
permissions rw-------) using the include and also facilities of the
configuration file (see ipsec.conf(5)).
If an spi parameter is given, manual uses that value as the SPI number
for all the SAs (which are in separate number spaces anyway). If an
spibase parameter is given instead, manual assigns SPI values by alter‐
ing the bottom digit of that value; SAs going from left to right get
even digits starting at 0, SAs going from right to left get odd digits
starting at 1. Either way, it is suggested that manually-keyed connec‐
tions use three-digit SPIs with the first digit non-zero, i.e. in the
range 0x100 through 0xfff; FreeS/WAN reserves those for manual keying
and will not attempt to use them for automatic keying (unless requested
to, presumably by a non-FreeS/WAN other end).
FILES
/etc/ipsec.conf default IPsec configuration file
/var/run/pluto/ipsec.info %defaultroute information
ipsec(8), ipsec.conf(5), ipsec_spi(8), ipsec_eroute(8), ipsec_spi‐
grp(8), route(8)
HISTORY
Written for the FreeS/WAN project <http://www.freeswan.org/> by Henry
Spencer.
BUGS
It’s not nearly as generous about the syntax of subnets, addresses,
etc. as the usual FreeS/WAN user interfaces. Four-component dotted-
decimal must be used for all addresses. It is smart enough to trans‐
late bit-count netmasks to dotted-decimal form.
If the connection specification for a connection is changed between an
--up and the ensuing --down, chaos may ensue.
The --up operation is not smart enough to notice whether the connection
is already up.
Manual is not smart enough to reject insecure combinations of algo‐
rithms, e.g. encryption with no authentication at all.
Any non-IPsec route to the other end which is replaced by the --up or
--route operation will not be re-established by --unroute. Whether
this is a feature or a bug depends on your viewpoint.
The optional parameters which override the automatic spibase-based SPI
assignment are a messy area of the code and bugs are likely.
‘‘Road warrior’’ handling, and other special forms of setup which
require negotiation between the two security gateways, inherently can‐
not be done with manual.
Manual generally lags behind auto in support of various features, even
when implementation would be possible. For example, currently it does
not do IPComp content compression.
17 July 2001 IPSEC_MANUAL(8)