-
Notifications
You must be signed in to change notification settings - Fork 15
/
ipseckey.1.xml
84 lines (71 loc) · 3.58 KB
/
ipseckey.1.xml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN"
"http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd">
<refentry id='ipseckey1'>
<refentryinfo><date>January 5, 2015</date></refentryinfo>
<refmeta>
<refentrytitle>ipseckey</refentrytitle>
<manvolnum>1</manvolnum>
<refmiscinfo class='date'>January 5, 2015</refmiscinfo>
<refmiscinfo class='source'>Paul Wouters</refmiscinfo>
<refmiscinfo class='manual'>Internet / DNS</refmiscinfo>
</refmeta>
<refnamediv id='name'>
<refname>ipseckey</refname>
<refpurpose>Generate IPSECKEY records on libreswan IPsec servers</refpurpose>
</refnamediv>
<!-- body begins here -->
<refsect1 id='syntax'><title>SYNTAX</title>
<para>ipseckey</para>
</refsect1>
<refsect1 id='description'><title>DESCRIPTION</title>
<para>ipseckey generates RFC-4025 IPSECKEY DNS records based on the public key of the IPsec server. Supported IPsec software is
libreswan and some versions of openswan (depending on its implementation of showhostkey). The record is displayed will have
the label of the hostname. This can be manually changed.
</para>
<para>(TODO: allow specifying --hostname and allow --reverse for creating in-addr.arpa. entries)</para>
</refsect1>
<refsect1 id='options'><title>OPTIONS</title>
<variablelist remap='TP'>
<varlistentry>
<term><option>-h / --help</option></term>
<listitem>
<para>Output help information and exit.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>-v / --version</option></term>
<listitem>
<para>Output version information and exit.</para>
</listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1 id='files'><title>FILES</title>
<para>The NSS IPsec database in <filename>/etc/ipsec.d/*.db</filename> or for older openswan without NSS <filename>/etc/ipsec.secrets</filename></para>
</refsect1>
<refsect1 id='requirements'><title>REQUIREMENTS</title>
<para>ipseckey MUST be run on the IPsec gateway itself because unlike TLS, IPsec servers do not present their public RSA key any client. Currently, only libreswan IPsec is supported (<ulink url='https://libreswan.org'>https://libreswan.org</ulink>) although some versions of
openswan might work as well. Root access is needed because the public key is pulled from /etc/ipsec.secrets which can contain secrets and is therefor only readable by root (even though with libreswan, ipsec.secrets does not contain the any private RSA keys)</para>
</refsect1>
<refsect1 id='bugs'><title>BUGS</title>
<para>Some other IPsec software is not yet supported</para>
</refsect1>
<refsect1 id='see_also'><title>SEE ALSO</title>
<para><citerefentry><refentrytitle>ipsec_showhostkey</refentrytitle><manvolnum>8</manvolnum></citerefentry> and RFC-4025</para>
</refsect1>
<refsect1 id='authors'><title>AUTHORS</title>
<para>Paul Wouters <[email protected]></para>
</refsect1>
<refsect1 id='copyright'><title>COPYRIGHT</title>
<para>Copyright 2015 Paul Wouters</para>
<para>This program is free software; you can redistribute it and/or modify it
under the terms of the GNU General Public License as published by the
Free Software Foundation; either version 2 of the License, or (at your
option) any later version. See <<ulink url='http://www.fsf.org/copyleft/gpl.txt'>http://www.fsf.org/copyleft/gpl.txt</ulink>>.</para>
<para>This program is distributed in the hope that it will be useful, but
WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General
Public License (file COPYING in the distribution) for more details.</para>
</refsect1>
</refentry>