This is an implementation of ISAKMP and its resolution with Oakley. It
implements the drafts:
	draft-ietf-ipsec-isakmp-07
	draft-ietf-ipsec-ipsec-doi-02
	draft-ietf-ipsec-isakmp-oakley-03

with a few changes, dictated by the AIAG testing "committee".

If your system does not define BYTE_ORDER, make sure you
define it in the Makefile.

The file isakmp-secrets (should be in /etc in normal operation) is used 
to keep preshared secret keys for authentication with other ISAKMP daemons.
The format is:
<IP address>
<secret key, at most 254 printable characters without newlines>
  .
  .

The trailing newline is not included in the secret.
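
As an added illustration (not part of the pluto sources), the following C
routine parses text in the format described above and rejects malformed
entries. The names psk_entry, next_line and parse_secrets are hypothetical;
the code assumes IPv4 addresses, strictly alternating lines with no comments
or blank lines, and treats an empty secret as an error.

```c
#include <arpa/inet.h>
#include <ctype.h>
#include <string.h>

#define MAX_SECRET 254           /* limit stated in the README */

struct psk_entry {               /* hypothetical type, not pluto's own */
    struct in_addr peer;         /* parsed <IP address> line */
    char secret[MAX_SECRET + 1]; /* key without the trailing newline */
};

/* Copy the next line of *p (newline excluded) into buf and advance *p.
 * Returns the line length, or -1 if the line does not fit in buf. */
static int next_line(const char **p, char *buf, size_t cap)
{
    size_t n = strcspn(*p, "\n");
    if (n >= cap)
        return -1;
    memcpy(buf, *p, n);
    buf[n] = '\0';
    *p += n + ((*p)[n] == '\n');
    return (int)n;
}

/* Parse text in the two-lines-per-peer format; stops after max entries.
 * Returns the number of entries stored, or -(line number) of the
 * first malformed line. Assumption: IPv4 only, no comments/blank lines. */
int parse_secrets(const char *text, struct psk_entry *out, int max)
{
    char addr[INET_ADDRSTRLEN];
    int count = 0, line = 0;

    while (*text != '\0' && count < max) {
        line++;
        if (next_line(&text, addr, sizeof addr) < 0 ||
            inet_pton(AF_INET, addr, &out[count].peer) != 1)
            return -line;
        line++;
        int n = next_line(&text, out[count].secret, MAX_SECRET + 1);
        if (n <= 0)              /* missing, empty, or over 254 chars */
            return -line;
        for (int i = 0; i < n; i++)
            if (!isprint((unsigned char)out[count].secret[i]))
                return -line;
        count++;
    }
    return count;
}
```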

To fire up the daemon, just type pluto. If it was compiled with -DDEBUG,
it will bind to port 7500, or to the command line argument (if given). If
it was compiled without -DDEBUG, it will use port 500.

Whichever port it uses, port + 1 is also used (temporarily) to receive
requests to initiate ISAKMP exchanges. To do that, use the program whack:
whack port+1 <remote IP address> <remote ISAKMP daemon port> [encrypt] [authenticate] [tunnel]

Do not issue just tunnel; use it in conjunction with encrypt or authenticate.
More work is needed in allowing for flexible policies. Right now, encrypt
(or encrypt AND authenticate) will try to negotiate a 3DES-MD5 SA, and 
authenticate will try for an AH-SHA1 SA.

There is token support for JI's ipsec-0.5; it only does 3DES-MD5-96. Use
-DJI in the Makefile to compile that in. It shouldn't be too hard to
add proper support for all transforms, using the utils provided with
ipsec-0.5 as a guideline. This code has not been extensively tested.
Bear in mind that you need to do the interface configuration (read the
docs that come with ipsec-0.5) before pluto can successfully establish
SAs (or actually, make them do something useful). Presumably, this would
happen at boot time (from some rc file).

There is a LOT of work needed yet to make this a really useful program,
but all the basics should be there. Some brave soul should try to break
up the monstrous ipsec_doi.c file.

This code is released under the despicable GPL terms.
See the accompanying file COPYING-2.0 for more details.
The GPL does NOT apply to those pieces of code written by others
which are included in this distribution, except as noted by the
individual authors.

For instructions on how to install this software, read the file
INSTALL.

For the libdeslite license, see libdeslite/COPYRIGHT (code
by Eric Young).

This software should be used in conjunction with an IPsec
implementation. For a directory with some such implementations, see:
ftp://ftp.funet.fi/pub/unix/security/net/ip/
	Files:
		BSDipsec-pl1.tar.gz # IPsec implementation for BSD/OS
				    # NetBSD and OpenBSD
		ipsec-0.5.tar.gz    # Ditto for Linux
http://www.openbsd.org/             # IPsec in the standard distribution 

For more information on IPsec, the mailing list and the relevant
documents, see:
http://www.ietf.cnri.reston.va.us/html.charters/ipsec-charter.html

This software was written by Angelos D. Keromytis, in May/June 1997,
in Athens, Greece. Thanks go to John Ioannidis for his help.

- Angelos D. Keromytis (angelos@dsl.cis.upenn.edu)
