authorTobias Brunner <tobias@strongswan.org>2013-06-16 19:06:40 +0200
committerTobias Brunner <tobias@strongswan.org>2013-06-21 16:04:45 +0200
commit0d60489bf8baed1ceaefccef7bc025a1eca4fe54 (patch)
tree6a1b2efed3460ee7c8b9c77906215b66f284748c /src
parent295d595b49a5263763040ba7f6e43df0d667be69 (diff)
downloadstrongswan-0d60489bf8baed1ceaefccef7bc025a1eca4fe54.tar.bz2
strongswan-0d60489bf8baed1ceaefccef7bc025a1eca4fe54.tar.xz
charon-cmd: Add man page for charon-cmd(8)
Diffstat (limited to 'src')
-rw-r--r--src/charon-cmd/Makefile.am9
-rw-r--r--src/charon-cmd/charon-cmd.8.in114
2 files changed, 123 insertions, 0 deletions
diff --git a/src/charon-cmd/Makefile.am b/src/charon-cmd/Makefile.am
index 2c9f1ba1f..4539173a1 100644
--- a/src/charon-cmd/Makefile.am
+++ b/src/charon-cmd/Makefile.am
@@ -1,4 +1,7 @@
sbin_PROGRAMS = charon-cmd
+CLEANFILES = charon-cmd.8
+dist_man8_MANS = charon-cmd.8
+EXTRA_DIST = charon-cmd.8.in
charon_cmd_SOURCES = \
cmd/cmd_options.h cmd/cmd_options.c \
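Review bot: `charon-cmd.8` is listed in both `CLEANFILES` and `dist_man8_MANS`, so a file that ships in the tarball is also removed by `make clean`. The page is generated from `charon-cmd.8.in`, which `EXTRA_DIST` already distributes, so it looks like a pure build product. Using `man8_MANS = charon-cmd.8` would keep the generated copy out of the distribution and make the three added lines agree with each other.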
@@ -23,3 +26,9 @@ charon_cmd_LDADD = \
$(top_builddir)/src/libhydra/libhydra.la \
$(top_builddir)/src/libcharon/libcharon.la \
-lm $(PTHREADLIB) $(DLLIB)
+
+charon-cmd.8 : charon-cmd.8.in
+ $(AM_V_GEN) \
+ sed \
+ -e "s:@IPSEC_VERSION@:$(PACKAGE_VERSION):" \
+ $(srcdir)/$@.in > $@
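Review bot: The new rule lists only `charon-cmd.8.in` as a prerequisite, so after a version bump and re-configure the installed page keeps the old `@IPSEC_VERSION@` substitution until the template itself changes. Writing the header as `charon-cmd.8 : charon-cmd.8.in Makefile` would regenerate it whenever the configured values change. The recipe also rebuilds the input path by hand as `$(srcdir)/$@.in`, where `$< > $@` would use the prerequisite make has already resolved. Because sed redirects straight into `$@`, a failed run leaves a truncated page with a fresh timestamp; sending the output to `$@.tmp` and renaming it on success would avoid that.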
diff --git a/src/charon-cmd/charon-cmd.8.in b/src/charon-cmd/charon-cmd.8.in
new file mode 100644
index 000000000..e0181ee50
--- /dev/null
+++ b/src/charon-cmd/charon-cmd.8.in
@@ -0,0 +1,114 @@
+.TH CHARON\-CMD 8 "2013-06-16" "@IPSEC_VERSION@" "strongSwan"
+.SH "NAME"
+charon\-cmd \- Simple IKE client (IPsec VPN client)
+.SH SYNOPSIS
+.B charon\-cmd
+.B \-\-host
+.I hostname
+.B \-\-identity
+.I identity
+.B [ options ]
+.PP
+.SH "DESCRIPTION"
+.B charon\-cmd
+is a program for setting up IPsec VPN connections using the Internet Key
+Exchange protocol (IKE) in version 1 and 2. It supports a number of different
+road-warrior scenarios.
+.PP
+Like the IKE daemon
+.BR charon ,
+.B charon\-cmd
+has to be run as
+.B root
+(or more specifically as a user with
+.B CAP_NET_ADMIN
+capability).
+.PP
+Of the following options at least
+.I \-\-host
+and
+.I \-\-identity
+are required. Depending on the selected authentication
+.I profile
+credentials also have to be provided with their respective options.
+.PP
+.SH "OPTIONS"
+.TP
+.BI "\-\-host " hostname
+DNS name or IP address to connect to.
+.TP
+.BI "\-\-identity " identity
+Identity the client uses for the IKE exchange.
+.TP
+.BI "\-\-remote\-identity " identity
+Server identity to expect, defaults to
+.IR hostname .
+.TP
+.BI "\-\-cert " path
+Trusted certificate, either for authentication or trust chain validation.
+To provide more than one certificate multiple
+.B \-\-cert
+options can be used.
+.TP
+.BI "\-\-rsa " path
+RSA private key to use for authentication (if a password is required, it will
+be requested on demand).
+.TP
+.BI "\-\-p12 " path
+PKCS#12 file with private key and certificates to use for authentication and
+trust chain validation (if a password is required it will be requested on
+demand).
+.TP
+.RI "\fB\-\-agent\fR[=" socket ]
+Use SSH agent for authentication. If
+.I socket
+is not specified it is read from the
+.B SSH_AUTH_SOCK
+environment variable.
+.TP
+.BI "\-\-local\-ts " subnet
+Additional traffic selector to propose for our side, the requested virtual IP
+address will always be proposed.
+.TP
+.BI "\-\-remote\-ts " subnet
+Traffic selector to propose for remote side, defaults to 0.0.0.0/0.
+.TP
+.BI "\-\-profile " name
+Authentication profile to use, the list of supported profiles can be found
+in the
+.B Authentication Profiles
+section below. Defaults to
+.B ikev2\-pub
+if a private key was supplied, and to
+.B ikev2\-eap
+otherwise.
+.PP
+.SS "Authentication Profiles"
+.TP
+.B "ikev2\-pub"
+IKEv2 with public key client and server authentication
+.TP
+.B "ikev2\-eap"
+IKEv2 with EAP client authentication and public key server authentication
+.TP
+.B "ikev2\-pub\-eap"
+IKEv2 with public key and EAP client authentication (RFC 4739) and public key
+server authentication
+.TP
+.B "ikev1\-pub"
+IKEv1 with public key client and server authentication
+.TP
+.B "ikev1\-xauth"
+IKEv1 with public key client and server authentication, followed by client XAuth
+authentication
+.TP
+.B "ikev1\-xauth\-psk"
+IKEv1 with pre-shared key (PSK) client and server authentication, followed by
+client XAuth authentication (INSECURE!)
+.TP
+.B "ikev1\-hybrid"
+IKEv1 with public key server authentication only, followed by client XAuth
+authentication
+.PP
+.SH "SEE ALSO"
+\fBipsec\fR(8)