[
.B \-\-show
] [
.B \-\-showonly
] [
.B \-\-other
]
.br
\ \ \ [
.B \-\-iam
.RB address "@" interface
] [
.B \-\-config
configfile
]
.br
\ \ \ operation connection
.sp 0.5
.B ipsec
.B manual
[
.I options
]
.B \-\-union
operation part ...
.SH DESCRIPTION
.I Manual
manipulates manually-keyed FreeS/WAN IPsec connections,
setting them up and shutting them down,
based on the information in the IPsec configuration file.
In the normal usage,
.I connection
is the name of a connection specification in the configuration file;
.I operation
is
.BR \-\-up ,
.BR \-\-down ,
.BR \-\-route ,
or
.BR \-\-unroute .
.I Manual
generates setup (\c
.BR \-\-route
or
.BR \-\-up )
or
teardown (\c
.BR \-\-down
or
.BR \-\-unroute )
commands for the connection and feeds them to a shell for execution.
.PP
The
.B \-\-down
operation tears the specified connection down,
.I except
that it leaves the route in place.
Unless and until an
.B \-\-unroute
operation is done, packets routed by that route will simply be discarded.
This permits establishing another connection to the same destination
without any ``window'' in which packets can pass without encryption.
.PP
The
.B \-\-unroute
operation (and only the
.B \-\-unroute
operation) deletes any route established for a connection.
.PP
In the
.B \-\-union
usage, each
.I part
is the name of a partial connection specification in the configuration file,
and the union of all the partial specifications is the
connection specification used.
The effect is as if the contents of the partial specifications were
concatenated together;
restrictions on duplicate parameters, etc., do apply to the result.
(The same effect can now be had, more gracefully, using the
.B also
parameter in connection descriptions;
see
.IR ipsec.conf (5)
for details.)
.PP
The
.B \-\-show
option turns on the
.B \-x
option of the shell used to execute the commands,
so each command is shown as it is executed.
.PP
The
.B \-\-showonly
option causes
.I manual
to show the commands it would run, on standard output,
and not run them.
.PP
The
.B \-\-other
option causes
.I manual
to pretend it is the other end of the connection.
This is probably not useful except in combination with
.BR \-\-showonly .
.PP
The
.B \-\-config
option specifies a non-standard location for the FreeS/WAN IPsec
configuration file (default
.IR /etc/ipsec.conf ).
.PP
See
.IR ipsec.conf (5)
for details of the configuration file.
Apart from the basic parameters which specify the endpoints and routing
of a connection (\fBleft\fR
and
.BR right ,
plus possibly
.BR leftsubnet ,
.BR leftnexthop ,
.BR leftfirewall ,
their
.B right
equivalents,
and perhaps
.BR type ),
a non-\fBpassthrough\fR
.I manual
connection needs an
.B spi
or
.B spibase
parameter and some parameters specifying encryption, authentication, or
both, most simply
.BR esp ,
.BR espenckey ,
and
.BR espauthkey .
Moderately-secure keys can be obtained from
.IR ipsec_ranbits (8).
For production use of manually-keyed connections,
it is strongly recommended that the keys be kept in a separate file
(with permissions
.BR rw\-\-\-\-\-\-\- )
using the
.B include
and
.B also
facilities of the configuration file (see
.IR ipsec.conf (5)).
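.PP
The following is an added example, not part of the original manual page,
showing a manually-keyed connection whose keys are held in a separate,
restricted file pulled in through
.B include
and
.BR also ;
the addresses, connection names, SPI and key values are constructed placeholders.

```ini
# /etc/ipsec.conf  (constructed example, not a shipped configuration)
config setup
	interfaces=%defaultroute

conn manual-sample
	left=192.0.2.1
	leftsubnet=10.1.0.0/16
	leftnexthop=192.0.2.254
	right=198.51.100.1
	rightsubnet=10.2.0.0/16
	rightnexthop=198.51.100.254
	# a single SPI value used for all SAs of this connection (see DESCRIPTION)
	spi=0x200
	# ESP with 3DES encryption and HMAC-MD5-96 authentication
	esp=3des-md5-96
	# the key material is not written here; it is merged in from the
	# section below, which lives in a file readable only by root
	also=manual-sample-keys

# key sections kept outside the main configuration file
include /etc/ipsec.manual-keys.conf

# /etc/ipsec.manual-keys.conf  (owner root, mode rw-------)
conn manual-sample-keys
	# 192-bit 3DES key and 128-bit HMAC-MD5 key; placeholder hex values,
	# replace with output obtained from ipsec_ranbits(8)
	espenckey=0x0123456789abcdef0123456789abcdef0123456789abcdef
	espauthkey=0xfedcba9876543210fedcba9876543210
```

With this layout, the main configuration file can stay world-readable while
.B "ipsec manual \-\-up manual-sample"
still sees the complete connection specification; running it with
.B \-\-showonly
first lets the generated commands be inspected before any SA is installed.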
.PP
If an
.B spi
parameter is given,
.I manual
uses that value as the SPI number for all the SAs
(which are in separate number spaces anyway).
FreeS/WAN reserves those for manual keying and will not
attempt to use them for automatic keying (unless requested to,
presumably by a non-FreeS/WAN other end).
.SH FILES
.ta \w'/var/run/ipsec.nexthop'u+4n
/etc/ipsec.conf	default IPsec configuration file
.br
/var/run/ipsec.info	\fB%defaultroute\fR information
.SH SEE ALSO
ipsec(8), ipsec.conf(5), ipsec_spi(8), ipsec_eroute(8), ipsec_spigrp(8),
route(8)
.SH HISTORY
Written for the FreeS/WAN project