+.BI "ABORT repeated-select-errors"
+The main event loop is repeatedly failing. If the server doesn't quit,
+it will probably waste all available CPU doing nothing.
+.SS "ADMIN warnings"
+These indicate a problem with the administration socket interface.
+.TP
+.BI "ADMIN accept-error \-\- " message
+There was an error while attempting to accept a connection from a new
+client.
+.TP
+.BI "ADMIN client-read-error \-\- " message
+There was an error sending data to a client. The connection to the
+client has been closed.
+.SS "KEYMGMT warnings"
+These indicate a problem with the keyring files, or the keys stored in
+them.
+.TP
+.BI "KEYMGMT bad-private-key \-\- " message
+The private key could not be read, or failed a consistency check. If
+there was a problem with the file, usually there will have been
+.B key-file-error
+warnings before this.
+.TP
+.BI "KEYMGMT bad-public-keyring \-\- " message
+The public keyring couldn't be read. Usually, there will have been
+.B key-file-error
+warnings before this.
+.TP
+.BI "KEYMGMT key-file-error " file ":" line " \-\- " message
+Reports a specific error with the named keyring file. This probably
+indicates a bug in
+.BR key (1).
+.TP
+.BI "KEYMGMT public-key " tag " " tokens\fR...
+These messages all indicate a problem with the public key named
+.IR tag .
+.TP
+.BI "KEYMGMT public-key " tag " algorithm-mismatch"
+The algorithms specified on the public key don't match the ones for our
+private key. All the peers in a network have to use the same
+algorithms.
+.TP
+.BI "KEYMGMT public-key " tag " bad \-\- " message
+The public key couldn't be read, or is invalid.
+.TP
+.BI "KEYMGMT public-key " tag " bad-public-group-element"
+The public key is invalid. This may indicate a malicious attempt to
+introduce a bogus key.
+.TP
+.BI "KEYMGMT public-key " tag " bad-algorithm-selection"
+The algorithms listed on the public key couldn't be understood. The
+algorithm selection attributes are probably malformed and need fixing.
+.TP
+.BI "KEYMGMT public-key " tag " incorrect-group"
+The public key doesn't use the same group as our private key. All the
+peers in a network have to use the same group.
+.TP
+.BI "KEYMGMT public-key " tag " not-found"
+The public key for peer
+.I tag
+wasn't in the public keyring.
+.TP
+.BI "KEYMGMT public-key " tag " unknown-type"
+The type of the public key isn't understood. Maybe you need to upgrade
+your copy of
+.BR tripe .
+(Even if you do, you'll have to regenerate your keys.)
+.SS "KX warnings"
+These indicate problems during key-exchange. Many indicate either a bug
+in the server (either yours or the remote one), or some kind of attack
+in progress. All name a
+.I peer
+as the second token: this is the peer the packet is apparently from,
+though it may have been sent by an attacker instead.
+.PP
+In the descriptions below,
+.I msgtoken
+is one of the tokens
+.BR pre-challenge ,
+.BR cookie ,
+.BR challenge ,
+.BR reply ,
+.BR switch-rq ,
+or
+.BR switch-ok .
+.TP
+.BI "KX " peer " bad-expected-reply-log"
+The challenges
+.B tripe
+uses in its protocol contain a check value which proves that the
+challenge is honest. This message indicates that the check value
+supplied is wrong: someone is attempting to use bogus challenges to
+persuade your
+.B tripe
+server to leak private key information. No chance!
+.TP
+.BI "KX " peer " decrypt-failed \fR[\fBreply\fR|\fBswitch-ok\fR]"
+A symmetrically-encrypted portion of a key-exchange message failed to
+decrypt.
+.TP
+.BI "KX " peer " invalid " msgtoken
+A key-exchange message was malformed. This almost certainly indicates a
+bug somewhere.
+.TP
+.BI "KX " peer " incorrect \fR[\fBcookie\fR|\fBswitch-rq\fR|\fBswitch-ok\fR]"
+A message didn't contain the right magic data. This may be a replay of
+some old exchange, or random packets being sent in an attempt to waste
+CPU.
+.TP
+.BI "KX " peer " public-key-expired"
+The peer's public key has expired. It's maintainer should have given
+you a replacement before now.
+.TP
+.BI "KX " peer " sending-cookie"
+We've received too many bogus pre-challenge messages. Someone is trying
+to flood us with key-exchange messages and make us waste CPU on doing
+hard asymmetric crypto sums.
+.TP
+.BI "KX " peer " unexpected " msgtoken
+The message received wasn't appropriate for this stage of the key
+exchange process. This may mean that one of our previous packets got
+lost. For
+.BR pre-challenge ,
+it may simply mean that the peer has recently restarted.
+.TP
+.BI "KX " peer " unknown-challenge"
+The peer is asking for an answer to a challenge which we don't know
+about. This may mean that we've been inundated with challenges from
+some malicious source
+.I who can read our messages
+and discarded the valid one.
+.TP
+.BI "KX " peer " unknown-message 0x" nn
+An unknown key-exchange message arrived.
+.SS "PEER warnings"
+These are largely concerned with management of peers and the low-level
+details of the network protocol. The second word is usually the name of
+a peer, or
+.RB ` \- '
+if none is relevant.
+.TP
+.BI "PEER \- unexpected-source " address\fR...
+A packet arrived from
+.I address
+(a network address \(en see above), but no peer is known at that
+address. This may indicate a misconfiguration, or simply be a result of
+one end of a connection being set up before the other.
+.TP
+.BI "PEER " peer " bad-packet no-type"
+An empty packet arrived. This is very strange.
+.TP
+.BI "PEER " peer " bad-packet unknown-category 0x" nn
+The message category
+.I nn
+(in hex) isn't understood. Probably a strange random packet from
+somewhere; could be an unlikely bug.
+.TP
+.BI "PEER " peer " bad-packet unknown-type 0x" nn
+The message type
+.I nn
+(in hex) isn't understood. Probably a strange random packet from
+somewhere; could be an unlikely bug.
+.TP
+.BI "PEER " peer " decrypt-failed"
+An encrypted IP packet failed to decrypt. It may have been mangled in
+transit, or may be a very old packet from an expired previous session
+key. There is usually a considerable overlap in the validity periods of
+successive session keys, so this shouldn't occur unless the key exchange
+takes ages or fails.
+.TP
+.BI "PEER " peer " packet-build-failed"
+There wasn't enough space in our buffer to put the packet we wanted to
+send. Shouldn't happen.
+.TP
+.BI "PEER \- socket-read-error \-\- " message
+An error occurred trying to read an incoming packet.
+.TP
+.BI "PEER " peer " socket-write-error \-\- " message
+An error occurred attempting to send a network packet. We lost that
+one.
+.SS "SERVER warnings"
+These indicate problems concerning the server process as a whole.
+.TP
+.BI "SERVER ignore signal " name
+A signal arrived, but the server ignored it. Currently this happens for
+.B SIGHUP
+because that's a popular way of telling daemons to re-read their
+configuration files. Since
+.B tripe
+re-reads its keyrings automatically and has no other configuration
+files, it's not relevant, but it seemed better to ignore the signal than
+let the server die.
+.TP
+.BI "SERVER quit signal " \fR[\fInn\fR|\fIname\fR]
+A signal arrived and
+.B tripe
+is going to quit.
+.TP
+.BI "SERVER quit admin-request"
+A client of the administration interface issued a
+.B QUIT
+command.
+.TP
+.BI "SERVER select-error \-\- " message
+An error occurred in the server's main event loop. This is bad: if it
+happens too many times, the server will abort.
+.SS "SYMM warnings"
+These are concerned with the symmetric encryption and decryption
+process.
+.TP
+.BI "SYMM replay old-sequence"
+A packet was received with an old sequence number. It may just have
+been delayed or duplicated, or it may have been an attempt at a replay
+attack.
+.TP
+.BI "SYMM replay duplicated-sequence"
+A packet was received with a sequence number we've definitely seen
+before. It may be an accidental duplication because the 'net is like
+that, or a deliberate attempt at a replay.
+.SS "TUN warnings"
+These concern the workings of the system-specific tunnel driver. The
+second word is the name of the tunnel interface in question, or
+.RB ` \- '
+if none.
+.TP
+.BI "TUN \- bsd no-tunnel-devices"
+The driver couldn't find an available tunnel device. Maybe if you
+create some more
+.BI /dev/tun nn
+files, it will work.
+.TP
+.BI "TUN - open-error " device " \-\- " message
+An attempt to open the tunnel device file
+.I device
+failed.
+.TP
+.BI "TUN " ifname " read-error \-\- " message
+Reading from the tunnel device failed.
+.TP
+.BI "TUN \- linux config-error \-\- " message
+Configuring the Linux TUN/TAP interface failed.
+.TP
+.BI "TUN \- unet config-error \-\- " message
+Configuring the Linux Unet interface failed. Unet is obsolete and
+shouldn't be used any more.
+.TP
+.BI "TUN \- unet getinfo-error \-\- " message
+Reading information about the Unet interface failed. Unet is obsolete
+and shouldn't be used any more.
+.TP
+.BI "TUN \- unet ifname-too-long \-\- " message
+The Unet interface's name overflowed, so we couldn't read it properly.
+Unet is obsolete and shouldn't be used any more.