			LIPsec: IPsec for Linux

	           Copyright (C) 1997, Gordon Oliver

	   see the file COPYING for a full description of your
	   rights. If you did not receive the file COPYING,
	   contact the Free Software Foundation

	   Duplicated from the GPL...

			    NO WARRANTY

  9. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW.  EXCEPT WHEN
OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.  THE ENTIRE RISK AS
TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU.  SHOULD THE
PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
REPAIR OR CORRECTION.

  10. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES.

		     END OF TERMS AND CONDITIONS
---------------------------------------------------------------------------

So all the legalese done with...

What there is in the package:

	ipsadm - a manual keying program.
	isakmp - the isakmp daemon :-) doesn't exist...
	lib - library routines for accessing PF_KEY.

Installing the package:
  - patch your Linux kernel with the patch given in the top level directory
  - rebuild the kernel and re-install (it needs to modify the base kernel)
  - make sure you actually enabled IPsec (you have to have NETLINK enabled)
  - build ipsadm (make in the top level directory)
  - look over the test files to see what you can do.

Sample Test scripts.
  in the ipsadm directory, you will find testinit and testdestroy. These
  can be run on two separate machines (identical scripts, passing the
  argument A or B to the script - different for the two machines).
  The test scripts require IP aliasing built into the kernel, and will set up
  four addresses with distinct IPsec SA's. You can then verify that it works
  with a combination of ping, ftp and tcpdump...

Supported Algorithms:
  - HMAC-SHA: as described in draft-ietf-ipsec-auth-hmac-sha196-01.txt
	(name: sha1)
  - HMAC-MD5: as described in draft-ietf-ipsec-auth-hmac-md5-96-01.txt
	(name: md5-hmac)
  - MD5-KPDK: as described in rfc1826 (only 32 bits of real replay protection)
	(name: md5-kpdk)

  - DES: as described in draft-ietf-ipsec-ciph-des-expiv-01.txt
	(name: des-cbc)
  - 3DES: as described in draft-ietf-ipsec-ciph-3des-expiv-00.txt
	(name: des3-cbc)
  - DES-IV32: as described in rfc1829
	(upwards compatible with new ESP-v2 headers)
	(name: des-iv32)


Missing parts:
	- User ID not used in selection.
	- ICMP forwarding doesn't work.
	- Automatic keying doesn't work - wouldn't even if isakmp exists
	- more algorithms.

Syntax for parser:
	The syntax is relatively simple :->
	a semicolon terminates the line.
	stuff goes before it...  So.

	for SA management.
	<command> <ah/esp> <stuff> ;
		where <command> is add/delete/getspi/update
		Add creates a valid SA in one shot...
		GetSPI/Update will create one in two goes, but you can ask
			for the SPI.
		Delete does just what you'd think.
		Update can be used to change timeouts after an SA is created.

	Also:
		flush <ah/esp> will destroy all SPI's for the given protocol
			Warning... they are ref-counted, so they won't really
			be deleted till later.
		dump <ah/esp> will show all of the current SA's.


	Bundle management.
		bundle add
			create a bundle (see test1 for examples)
		bundle delete
			kill a previously created bundle.

	for Policy management.
		policy add
			add a given policy for the addresses (incl port & proto)
		policy delete
			remove a given policy for the addresses.
		policy flush
			remove all policies, and flush hashes.

		you must specify input/output on the policy to specify if
		it is an incoming rule or outgoing rule.

	Addresses are specified with
		source <IP-addr>/<bits> dest <IP-addr>/<bits>
			sport <port> dport <port>
			protocol <proto>

		where ports and protocol are only important/valid on the policy.
