Unison Help

  1. Unison Kernel
    1. Pthreads
      1. pthread_create()
      2. pthread_exit()
      3. pthread_self()
      4. pthread_equal()
      5. pthread_join()
      6. pthread_detach()
      7. pthread_setschedparam()
      8. pthread_getschedparam()
      9. pthread_attr_init()
      10. pthread_attr_destroy()
      11. pthread_attr_setstackaddr()
      12. pthread_attr_getstackaddr()
      13. pthread_attr_setstacksize()
      14. pthread_attr_getstacksize()
      15. pthread_attr_setschedparam()
      16. pthread_attr_getschedparam()
      17. pthread_attr_setdetachstate()
      18. pthread_attr_getdetachstate()
      19. pthread_stackinfo()
      20. pthread_setprio()
      21. pthread_getprio()
      22. sched_get_priority_max()
      23. sched_get_priority_min()
      24. sched_yield()
    2. Pthread Cancellation
      1. pthread_cleanup_pop()
      2. pthread_cleanup_push()
      3. pthread_cancel()
      4. pthread_setcanceltype()
      5. pthread_setcancelstate()
      6. pthread_testcancel()
    3. Mutex
      1. pthread_mutex_init()
      2. pthread_mutex_destroy()
      3. pthread_mutex_lock()
      4. pthread_mutex_trylock()
      5. pthread_mutex_unlock()
    4. Semaphores
      1. sem_open()
      2. sem_close()
      3. sem_unlink()
      4. sem_init()
      5. sem_destroy()
      6. sem_wait()
      7. sem_trywait()
      8. sem_timedwait()
      9. sem_post()
      10. sem_getvalue()
    5. Message Queues
      1. mq_open()
      2. mq_close()
      3. mq_unlink()
      4. mq_send()
      5. mq_receive()
      6. mq_notify()
      7. mq_setattr()
      8. mq_getattr()
      9. mq_timedreceive()
      10. mq_timedsend()
    6. Conditional Variables
      1. pthread_cond_init()
      2. pthread_cond_destroy()
      3. pthread_cond_wait()
      4. pthread_cond_timedwait()
      5. pthread_cond_signal()
      6. pthread_cond_broadcast()
      7. pthread_condattr_init()
      8. pthread_condattr_destroy()
    7. Barriers
      1. pthread_barrier_init()
      2. pthread_barrier_destroy()
      3. pthread_barrier_wait()
    8. Timers
      1. timer_create()
      2. timer_delete()
      3. timer_settime()
      4. timer_gettime()
      5. timer_getoverrun()
      6. timer_tick()
      7. nanosleep()
    9. Clocks
      1. time()
      2. uptime()
      3. sleep()
      4. clock_settime()
      5. clock_gettime()
      6. clock_getres()
      7. clock_init()
    10. Memory Allocation
      1. POSIX.1
        1. malloc()
        2. free()
      2. Variable Length (Pools)
        1. pool_create()
        2. pool_destroy()
        3. pool_alloc()
        4. pool_free()
      3. Fixed Length (Partitions)
        1. pt_create()
        2. pt_destroy()
        3. pt_getblock()
        4. pt_freeblock()
    11. Rendezvous
      1. mr_init()
      2. mr_send()
      3. mr_receive()
      4. mr_reply()
      5. mr_sigrecv()
      6. mr_sigpost()
    12. Interrupts
      1. interrupts
      2. i_disable()
      3. i_restore()
    13. Directory Services
      1. dir_register()
      2. dir_deregister()
      3. dir_lookup()
      4. dir_lookup_string()
    14. Miscellaneous
      1. checkIstack()
      2. NanoStart() or DSPexec_Start()
      3. _isrStackFill
      4. Kernel Scaling
      5. kfatal()
      6. kalloc()
      7. kfree()
      8. mpu or mmu
      9. pthreadStackFill
      10. thread_numb()
      11. thread_utilization_start()
      12. thread_utilization_stop()
      13. xprintf()
      14. xputs()
      15. xputchar()
  2. Unison I/O Library
    1. accept()
    2. bind()
    3. chmod()
    4. close()
    5. connect()
    6. creat()
    7. fstat()
    8. getpeername()
    9. getsockname()
    10. getsockopt()
    11. ioctl()
    12. link()
    13. listen()
    14. lseek()
    15. mkdir()
    16. mkfs()
    17. mount()
    18. open()
    19. read()
    20. recv()
    21. recvfrom()
    22. rename()
    23. renameat()
    24. rmdir()
    25. select()
    26. send()
    27. sendto()
    28. setsockopt()
    29. shutdown()
    30. socket()
    31. stat()
    32. sync()
    33. umount()
    34. unlink()
    35. write()
  3. Unison STDIO Library
    1. STDIO Library Calls
      1. clearerr()
      2. dprintf()
      3. fclose()
      4. fdopen()
      5. feof()
      6. ferror()
      7. fileno()
      8. fflush()
      9. fgetc()
      10. fgetpos()
      11. fgets()
      12. fopen()
      13. fprintf()
      14. fputc()
      15. fputs()
      16. fread()
      17. freopen()
      18. fscanf()
      19. fseek()
      20. fseeko()
      21. fsetpos()
      22. ftell()
      23. ftello()
      24. fwrite()
      25. getc()
      26. getc_unlocked()
      27. getchar()
      28. getchar_unlocked()
      29. getdelim()
      30. getline()
      31. gets()
      32. get_stderr_ptr()
      33. get_stdin_ptr()
      34. get_stdout_ptr()
      35. noperprintf()
      36. perprintf()
      37. perror()
      38. posix_compat()
      39. printf()
      40. putc()
      41. putc_unlocked()
      42. putchar()
      43. putchar_unlocked()
      44. puts()
      45. remove()
      46. rewind()
      47. scanf()
      48. setbuf()
      49. setvbuf()
      50. snprintf()
      51. sprintf()
      52. sscanf()
      53. stderr_init()
      54. stderr_close()
      55. stdin_init()
      56. stdin_close()
      57. stdout_init()
      58. stdout_close()
      59. vdprintf()
      60. vscanf()
      61. vsscanf()
      62. vfscanf()
      63. vprintf()
      64. vsnprintf()
      65. vsprintf()
      66. vfprintf()
      67. ungetc()
    2. Do-nothing Stubs
      1. ctermid()
      2. flockfile()
      3. fmemopen()
      4. ftrylockfile()
      5. open_memstream()
      6. pclose()
      7. popen()
      8. tempnam()
      9. tmpfile()
      10. tmpnam()
  4. Unison LIBC Library
    1. LIBC Library Calls
      1. assert()
      2. realloc()
      3. strcasecmp()
      4. strdup()
      5. strncasecmp()
      6. strftime()
    2. Do-nothing Stubs
      1. abort()
      2. execve()
      3. exit()
      4. _Exit()
      5. fork()
      6. getpid()
      7. isatty()
      8. kill()
      9. sbrk()
      10. times()
      11. wait()
    3. Do-nothing Wide-character Stubs
      1. <wchar.h>
      2. <wctype.h>
  5. Unison I/O Servers
    1. File Servers
      1. Multimedia File Server - fsys
      2. FAT File System - fatfs
      3. NAND File Server - nandfsys
      4. NOR File Server - norfsys
      5. Network File Server - nfs
  6. Graphics, Camera, Video, Audio
    1. Vendor Graphics
    2. Prism++ Graphics
    3. ADPCM Services - adpcmd
    4. Camera
  7. Network Protocols
    1. TCP and UDP Server - tcpd
      1. IPv4 only server
      2. IPv4/IPv6 server
    2. DHCP Client Service - dhcp client
    3. DHCP Server - dhcpd
    4. Telnet Server - telnetd
    5. Tiny FTP Server - tftpd
    6. Point to Point - pppd
    7. Network Translation - NAT with PAT
    8. Firewall
      1. Packet filter: pf
      2. Packet filter control: pfctl
      3. Fitler rules: pf.filtering
      4. Translation rules: pf.nat
    9. Tiny HTTP Server - thttpd
    10. Tiny HTTP Server with TLS
    11. POP3 Server
    12. Simple Mail Transfer Protocol Services (SMTP)
    13. Bootp Protocol
    14. File Transfer Protocol Server (FTP)
    15. File Transfer Client Services
    16. RPC / XDR
    17. DNS Client
    18. HTTP/HTTPS Client
    19. REST Client
    20. AutoIP Service - autoip client
    21. mDNS server - mdnsd
    22. SNTP Client
    23. SNMP Agent - Snmpd server
    24. SSL/TLS library
    25. SSH server
    26. IP security
      1. IPsec description
      2. IPsec administration: ipsecadm
      3. Virtual Private Network: VPN
    27. Power Control
      1. Motor and Motion Control Servers
      2. PWM, Encoders
    28. Serial I/O
      1. Asynchronous Serial I/O Server - ttyserver
      2. CAN Server - cand
      3. I2C Server - i2cd
      4. I2S Server - i2sd
    29. System Services
      1. Power Management Servers
      2. Login Service - login_services
      3. XML
      4. POSIX Shell and Login Service - posh
    30. Universal Serial Bus (USB)
      1. USB Server
      2. USB Device Server
      3. USB Embedded Host Server
    31. Wireless
      1. Wireless Servers and Drivers
      2. 802.15.4 Radio Servers
      3. TCP/v6 with 6loWPAN
      4. ZigBee
      5. BlueTooth Server
      6. 802.11 Wi-Fi
      7. GPRS, UHF and GPS Radio Servers
    32. Remedy Tools for Unison
      1. Remedy Data Logging and Event Display Tools
      2. Remedy Diagnostics
      3. Remedy Flash Downloader/Bootloader
      4. Remedy Power On Self Test - POST
      5. Remedy OS Object Viewer
      6. Remedy Remote Control Tools

7.26.2.IPsec administration: ipsecadm #


IPSec administration – ipsecadm


int ipsecadm(char *str);
str[command] modifiers ...


Before ipsecadm() can be used, IPSec must be enabled by setting one or more of the following variables:

extern int esp_enable;      – Enable the ESP IPsec protocol
extern int ah_enable;       – Enable the AH IPsec protocol


The ipsecadm library sets up security associations in the tcp-server to be used with ipsec. It can be used to specify the encryption and authentication algorithms and key material for the network layer security provided by IPSec.

The possible commands are:

  new esp
Setup a Security Association (SA) which uses the new esp transforms. A SA consists of the destination address, a Security Parameter Index (SPI) and a security protocol. Encryption and authentication algorithms can be applied. This is the default mode. Allowed modifiers are: -dst, -src, -proxy, -spi, -enc, -srcid_type, -srcid, -dstid_type, -dstid, -auth, -authkey, -forcetunnel, and -key.


  old esp
Setup a SA which uses the old esp transforms. Only encryption algorithms can be applied. Allowed modifiers are: -dst, -src, -proxy, -spi, -enc, -srcid_type, -srcid, -dstid_type, -dstid, -halfiv, -forcetunnel, and -key.


  new ah
Setup a SA which uses the new ah transforms. Authentication will be done with HMAC using the specified hash algorithm. Allowed modifiers are: -dst, -src, -proxy, -spi, -srcid_type, -srcid, -dstid_type, -dstid, -forcetunnel, -auth, and, -key.


  old ah
Setup a SA which uses the old ah transforms. Simple keyed hashes will be used for authentication. Allowed modifiers are: -dst, -src, -proxy, -spi, -srcid_type, -srcid, -dstid_type, -dstid, -forcetunnel, -auth, and -key.


Group two SAs together, such that whenever the first one is applied, the second one will be applied as well (SA bundle). Arbitrarily long SA bundles can thus be created. Note that the last SA in the bundle is the one that is applied last. Thus, if an ESP and an AH SA are bundled together (in that order), then the resulting packet will have an AH header, followed by an ESP header, followed by the encrypted payload. Allowed modifiers are: -dst, -spi, -proto, -dst2, -spi2, and -proto2.


Setup an SA which uses the IP-in-IP encapsulation protocol. This mode offers no security services by itself, but can be used to route other (experimental or otherwise) protocols over an IP network. The SPI value is not used for anything other than referencing the information, and does not appear on the wire. Unlike other setups, like new esp, there is no necessary setup in the receiving side. Allowed modifiers are: -dst, -src, and -spi.


The specified SA will be deleted. Allowed modifiers are: -dst, -spi, and -proto.


Create a flow determining what security parameters a packet should have (input or output). Allowed modifiers are: -src, -dst, -proto, -addr, -transport, -sport, -dport, -delete, -in, -out, -deny, -srcid, -dstid, -srcid_type, -dstid_type, -use, -acquire, -require, -dontacq, -permit, and -bypass. Flows are directional, and the -in and -out modifiers are used to specify the direction. By default, flows are assumed to apply to outgoing packets. The kernel will attempt to find an appropriate Security Association from those already present (an SA that matches the destination address, if set, and the security protocol). If the destination address is set to all zeroes ( or left unspecified, the destination address from the packet will be used to locate an SA (the source address is used for incoming flows). For incoming flows, the destination address (if specified) should point to the expected source of the SA (the remote SA peer). If no such SA exists, key management daemons will be used to generate them if -acquire or -require were used. If -acquire was used, traffic will be allowed out (or in) and IPsec will be used when the relevant SAs have been established. If -require was used, traffic will not be allowed in or out until it is protected by IPsec. If -dontacq was used, traffic will not be allowed in or out until it is protected by IPsec, but key management will not be asked to provide such an SA. The -proto argument (by default set to esp) will be used to determine what type of SA should be established. A bypass or permit flow is used to specify a flow for which IPSec processing will be bypassed, i.e packets will/need not be processed by any SAs. For permit flows, additional modifiers are restricted to: -addr, -transport, -sport, -dport, -in, -out, and -delete. A deny flow is used to specify classes of packets that must be dropped (either on output or input) without further processing. deny takes the same additional modifiers as bypass.


Flush SAs from from tcp-server. This includes flushing any flows and routing entries associated with the SAs. Allowed modifiers are: -ah, -esp, and -ip4. Default action is to flush all types of security associations from the kernel.

If no command is given, ipsecadm defaults to new ESP mode.

The modifiers have the following meanings:

  -src address
The source IP address for the SA. This is necessary for incoming SAs to avoid source address spoofing between mutually suspicious hosts that have established SAs with us. For outgoing SAs, this field is used to fill in the source address when doing tunneling.


  -dst address
The destination IP address for the SA.


  -dst2 address
The second IP address used by group.


  -proxy address
This IP address, if provided, is checked against the inner IP address when doing tunneling to a firewall, to prevent source spoofing attacks. It is strongly recommended that this option is provided when applicable. It is applicable in a scenario when host A is using IPsec to communicate with firewall B, and through that to host C. In that case, the proxy address for the incoming SA should be C. This option is not necessary for outgoing SAs.


  -spi index
The Security Parameter Index (SPI), given as a hexadecimal number.


  -spi2 index
The second SPI used by group.


Force IP-inside-IP encapsulation before ESP or AH processing is performed for outgoing packets. The source/destination addresses of the outgoing IP packet will be those provided in the src and dst options. Notice that the IPsec stack will perform IP-inside-IP encapsulation when deemed necessary, even if this flag has not been set.


  -enc algorithm
The encryption algorithm to be used with the SA. Possible values are:

    • des
      • This is available for both old and new esp. Notice that hardware crackers for DES can be (and have been) built for US$250,000 (in 1998). Use DES for encryption of critical information at your own risk. We suggest using 3DES or AES instead. DES support is kept for interoperability (with old implementations) purposes only.
    • 3des
      • This is available for both old and new esp. It is considered more secure than straight DES, since it uses larger keys.
  • aes
    • Rijndael encryption is available only in new esp.
  -auth algorithm
The authentication algorithm to be used with the SA. Possible values are: md5 and sha1 for both old and new ah and also new esp. Also rmd160 for both new ah and esp.


  -key key
The secret symmetric key used for encryption and authentication. The size for des and 3des is fixed to 8 and 24 respectively. For cipher aes the key length can vary (depending on the algorithm). The key should be given in hexadecimal digits. The key should be chosen in random (ideally, using some true-random source like coin flipping). It is very important that the key is not guessable.


  -authkey key
The secret key material used for authentication if additional authentication in new esp mode is required. For old or new ah the key material for authentication is passed with the -key option. The key should be given in hexadecimal digits. The key should be chosen in random (ideally, using some true-random source like coin flipping). It is very important that the key is not guessable.


This option causes use of a 4 byte IV in old ESP (as opposed to 8 bytes). It may only be used with old ESP.


  -proto protocol
The security protocol needed by delspi or flow, to uniquely specify the SA. The default value is 50 which means IPPROTO_ESP. Other accepted values are 51 (IPPROTO_AH), and 4 (IPPROTO_IP). One can also specify the symbolic names “esp”, “ah”, and “ip4”, case insensitive.


  -proto2 protocol
The second security protocol used by group. It defaults to IPPROTO_AH, otherwise takes the same values as -proto.


  -addr srcnet mask dstnet mask
  -addr srcnet/prefixlen dstnet/prefixlen
The source address, source network mask, destination address and destination network mask against which packets need to match to use the specified Security Association. All addresses must be of the same address family (IPv4 or IPv6).


  -transport protocol
The protocol number which packets need to match to use the specified Security Association. By default the protocol number is not used for matching.


  -sport port
The source port which packets have to match for the flow. By default the source port is not used for matching.


  -dport port
The destination port which packets have to match for the flow. By default the source port is not used for matching.


  -srcid id
For flow, used to specify what local identity key management should use when negotiating the SAs. If left unspecified, the source address of the flow is used (see the discussion on flow above, with regard to source address).


  -dstid id
For flow, used to specify what the remote identity key management should expect. If left unspecified, the destination address of the flow is used (see the discussion on flow above, with regard to destination address).


  -srcid_type type
For flow, used to specify the type of identity given by -srcid. Valid values are prefix, fqdn, and ufqdn.
The prefix type implies an IPv4 or IPv6 address followed by a forward slash character and a decimal number indicating the number of important bits in the address (equivalent to a netmask, in IPv4 terms). Key management then has to pick a local identity that falls within the address space indicated.
The fqdn and ufqdn types are DNS-style host names and mailbox-format user addresses, respectively, and are especially useful for mobile user scenarios. Note that no validity checking on the identities is done.


  -dstid_type type
See -srcid_type.


Instead of creating a flow, an existing flow is deleted.


For flow, create or delete a bypass flow. Packets matching this flow will not be processed by IPsec.


Same as -bypass.


For flow, create or delete a deny flow. Packets matching this flow will be dropped.


For flow, specify that packets matching this flow should try to use IPsec if possible.


For flow, specify that packets matching this flow should try to use IPsec and establish SAs dynamically if possible, but permit unencrypted traffic.


For flow, specify that packets matching this flow must use IPsec, and establish SAs dynamically as needed. If no SAs are established, traffic is not allowed through.


For flow, specify that packets matching this flow must use IPsec. If such SAs are not present, simply drop the packets. Such a policy may be used to demand peers to establish SAs before they can communicate with us, without going through the burden of initiating the SA ourselves (thus allowing for some denial of service attacks). This flow type is particularly suitable for security gateways.


For flow, specify that it should be used to match incoming packets only.


For flow, specify that it should be used to match outgoing packets only.


For flush, only flush SAs of type ah.


For flush, only flush SAs of type esp.


For flush, only flush SAs of type ip4.


Setup a SA which uses new ESP with 3DES encryption and HMAC-SHA1 authentication:

     ipsecadm("new esp -enc 3des -auth sha1 -spi 100a -dst \
             -src \
             -key 638063806380638063806380638063806380638063806380 \
             -authkey 1234123412341234123412341234123412341234");

Setup a SA for authentication with old AH only:

     ipsecadm("old ah -auth md5 -spi 10f2 -dst -src \
             -key 12341234deadbeef");

Setup a flow requiring use of AH:

     ipsecadm("flow -dst -proto ah \
             -addr -out -require");

Setup an inbound SA:

     ipsecadm("new esp -enc blf -auth md5 -spi 1002 -dst \
             -src \
             -key abadbeef15deadbeefabadbeef15deadbeefabadbeef15deadbeef \
             -authkey 12349876432167890192837465098273");

Setup an ingress flow on for the inbound SA:

     ipsecadm("flow -addr \
             -dst -proto esp -in -require");

Setup a bypass flow:

     ipsecadm("flow -bypass -out \

Delete all esp SAs and their flows and routing information:

     ipsecadm("flush -esp");


There is a demo available for the Unison and DSPnano IPsec which is found in installdir/demos.


ipsec, VPN

Suggest Edit