summaryrefslogtreecommitdiff
path: root/keyexchange/isakmpd-20041012/isakmpd.conf.5
diff options
context:
space:
mode:
Diffstat (limited to 'keyexchange/isakmpd-20041012/isakmpd.conf.5')
-rw-r--r--keyexchange/isakmpd-20041012/isakmpd.conf.51126
1 files changed, 1126 insertions, 0 deletions
diff --git a/keyexchange/isakmpd-20041012/isakmpd.conf.5 b/keyexchange/isakmpd-20041012/isakmpd.conf.5
new file mode 100644
index 0000000..db3dd78
--- /dev/null
+++ b/keyexchange/isakmpd-20041012/isakmpd.conf.5
@@ -0,0 +1,1126 @@
+.\" $OpenBSD: isakmpd.conf.5,v 1.94 2004/08/10 15:59:10 ho Exp $
+.\" $EOM: isakmpd.conf.5,v 1.57 2000/12/21 14:43:17 ho Exp $
+.\"
+.\" Copyright (c) 1998, 1999, 2000 Niklas Hallqvist. All rights reserved.
+.\" Copyright (c) 2000, 2001, 2002 Håkan Olsson. All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+.\"
+.\" This code was written under funding by Ericsson Radio Systems.
+.\"
+.\" Manual page, using -mandoc macros
+.\"
+.Dd August 07, 2002
+.Dt ISAKMPD.CONF 5
+.Os
+.Sh NAME
+.Nm isakmpd.conf
+.Nd configuration file for isakmpd
+.Sh DESCRIPTION
+.Nm
+is the configuration file for the
+.Nm isakmpd
+daemon managing security association and key management for the
+IPsec layer of the kernel's networking stack.
+.Pp
+The file is of a well known type of format called .INI style, named after
+the suffix used by an overrated windowing environment for its configuration
+files.
+This format consists of sections, each beginning with a line looking like:
+.Bd -literal
+[Section name]
+.Ed
+Between the brackets is the name of the section following this section header.
+Inside a section many tag/value pairs can be stored, each one looking like:
+.Bd -literal
+Tag=Value
+.Ed
+If the value needs more space than fits on a single line it's possible to
+continue it on the next by ending the first with a backslash character
+immediately before the newline character.
+This method can extend a value for an arbitrary number of lines.
+.Pp
+Comments can be put anywhere in the file by using a hash mark
+.Pq Sq \&# .
+The comment extends to the end of the current line.
+.Pp
+Often the right-hand side values consist of other section names.
+This results in a tree structure.
+Some values are treated as a list of several scalar values.
+Such lists always use a comma character as the separator.
+Some values are formatted like this: X,Y:Z, which
+is an offer/accept syntax, where X is a value we offer and Y:Z is a range of
+accepted values, inclusive.
+.Pp
+To activate changes to
+.Nm
+without restarting
+.Nm isakmpd ,
+send a
+.Dv SIGHUP
+signal to the daemon process.
+.Ss Auto-generated parts of the configuration
+.Pp
+Some predefined section names are recognized by the daemon, avoiding the need
+to fully specify the Main Mode transforms and Quick Mode suites, protocols,
+and transforms.
+.Pp
+For Main Mode:
+.Bd -filled -compact
+.Ar {DES,BLF,3DES,CAST,AES}-{MD5,SHA}[-GRP{1,2,5,14}][-{DSS,RSA_SIG}]
+.Ed
+.Pp
+For Quick Mode:
+.Bd -filled -compact
+.Ar QM-{proto}[-TRP]-{cipher}[-{hash}][-PFS[-{group}]]-SUITE
+.Ed
+.Bd -literal
+ where
+ {proto} is either ESP or AH
+ {cipher} is either DES, 3DES, CAST, BLF or AES
+ {hash} is either MD5, SHA, RIPEMD, SHA2-{256,384,512}
+ {group} is either GRP1, GRP2, GRP5 or GRP14
+.Ed
+.Pp
+For example, 3DES-SHA means: 3DES encryption, SHA hash, and authorization by
+pre-shared keys.
+Similarly, QM-ESP-3DES-SHA-PFS-SUITE means: ESP protocol, 3DES encryption,
+SHA hash, and use Perfect Forward Secrecy.
+.Pp
+Unless explicitly stated with -GRP1, 2, 5 or 14 transforms and PFS suites
+use DH group 2.
+There are currently no predefined ESP+AH Quick Mode suites.
+.Pp
+The predefinitions include some default values for the special
+sections "General", "Keynote", "X509-certificates", and
+"Default-phase-1-configuration".
+These default values are presented in the example below.
+.Pp
+All autogenerated values can be overridden by manual entries by using the
+same section and tag names in the configuration file.
+In particular, the default phase 1 (Main or Aggressive Mode) and phase 2
+(Quick Mode) lifetimes can be overridden by these tags under the "General"
+section;
+.Bd -literal
+[General]
+Default-phase-1-lifetime= 3600,60:86400
+Default-phase-2-lifetime= 1200,60:86400
+.Ed
+.Pp
+The Main Mode lifetime currently defaults to one hour (minimum 60
+seconds, maximum 1 day).
+The Quick Mode lifetime defaults to 20 minutes
+(minimum 60 seconds, maximum 1 day).
+.Pp
+Also, the default phase 1 ID can be set by creating a <Phase1-ID>
+section, as shown below, and adding this tag under the "General"
+section;
+.Bd -literal
+[General]
+Default-phase-1-ID= Phase1-ID-name
+
+[Phase1-ID-name]
+ID-type= USER_FQDN
+Name= foo@bar.com
+.Ed
+.Ss Roots
+.Bl -hang -width 12n
+.It Em General
+Generic global configuration parameters
+.Bl -tag -width 12n
+.It Em Default-phase-1-ID
+Optional default phase 1 ID name.
+.It Em Default-phase-1-lifetime
+The default lifetime for autogenerated transforms (phase 1).
+If unspecified, the value 3600,60:86400 is used as the default.
+.It Em Default-phase-2-lifetime
+The default lifetime for autogenerated suites (phase 2).
+If unspecified, the value 1200,60:86400 is used as the default.
+.It Em Default-phase-2-suites
+A list of phase 2 suites that will be used when establishing dynamic
+SAs.
+If left unspecified, QM-ESP-3DES-SHA-PFS-SUITE is used as the default.
+.It Em Acquire-Only
+If this tag is defined,
+.Nm isakmpd
+will not set up flows automatically.
+This is useful when flows are configured with
+.Xr ipsecadm 4
+or by other programs like
+.Xr bgpd 8 .
+Thus
+.Nm isakmpd
+only takes care of the SA establishment.
+.It Em Check-interval
+The interval between watchdog checks of connections we want up at all
+times.
+.It Em DPD-check-interval
+The interval between RFC 3706 (Dead Peer Detection) messages.
+The default value is 0 (zero), which means DPD is disabled.
+.It Em Exchange-max-time
+How many seconds should an exchange maximally take to set up before we
+give up.
+.It Em Listen-on
+A list of IP-addresses OK to listen on.
+This list is used as a filter for the set of addresses the interfaces
+configured provides.
+This means that we won't see if an address given here does not exist
+on this host, and thus no error is given for that case.
+.It Em Loglevel
+A list of the form
+.Ar class Ns = Ns Ar level ,
+where both
+.Ar class
+and
+.Ar level
+are numbers.
+This is similar to the
+.Fl D
+command line switch of
+.Em isakmpd .
+See
+.Xr isakmpd 8
+for details.
+.It Em Logverbose
+If this tag is defined, whatever the value is, verbose logging is enabled.
+This is similar to the
+.Fl v
+command line switch of
+.Em isakmpd .
+See
+.Xr isakmpd 8
+for details.
+.It Em NAT-T-Keepalive
+The number of seconds between NAT-T keepalive messages, sent by the
+peer behind NAT to keep the mapping active.
+Defaults to 20.
+.It Em Policy-file
+The name of the file that contains
+.Xr keynote 4
+policies.
+The default is "/etc/isakmpd/isakmpd.policy".
+.It Em Pubkey-directory
+The directory in which
+.Nm
+looks for explicitly trusted public keys.
+The default is "/etc/isakmpd/pubkeys".
+Read
+.Xr isakmpd 8
+for the required naming convention of the files in here.
+.It Em Renegotiate-on-HUP
+If this tag is defined, whatever the value is,
+.Nm isakmpd
+will renegotiate all current phase 2 SAs when the daemon receives a
+.Dv SIGHUP
+signal, or an
+.Sq R
+is sent to the FIFO interface (see
+.Xr isakmpd 8 ) .
+.It Em Retransmits
+How many times should a message be retransmitted before giving up.
+.It Em Shared-SADB
+If this tag is defined, whatever the value is, some semantics of
+.Nm
+are changed so that multiple instances can run on top of one SADB
+and set up SAs with each other.
+Specifically this means replay
+protection will not be asked for, and errors that can occur when
+updating an SA with its parameters a 2nd time will be ignored.
+.It Em Use-Keynote
+This tag controls the use of
+.Xr keynote 4
+policy checking.
+The default value is
+.Qq yes ,
+which enables the policy checking.
+When set to any other value, policies will not be checked.
+This is useful when policies for flows and SA establishment are arranged by
+other programs like
+.Xr ipsecadm 8
+or
+.Xr bgpd 8 .
+.El
+.It Em Phase 1
+ISAKMP SA negotiation parameter root
+.Bl -tag -width 12n
+.It Em <IP-address>
+A name of the ISAKMP peer at the given IP-address.
+.It Em Default
+A name of the default ISAKMP peer.
+Incoming phase 1 connections from other IP-addresses will use this peer name.
+.It ""
+This name is used as the section name for further information to be found.
+Look at <ISAKMP-peer> below.
+.El
+.It Em Phase 2
+IPsec SA negotiation parameter root
+.Bl -tag -width 12n
+.It Em Connections
+A list of directed IPsec "connection" names that should be brought up
+automatically, either on first use if the system supports it, or at
+startup of the daemon.
+These names are section names where further information can be found.
+Look at <IPsec-connection> below.
+Normally any connections mentioned here are treated as part of the
+"Passive-connection" list we present below, however there is a
+flag: "Active-only" that disables this behaviour.
+This too is mentioned in the <IPsec-connection> section, in the "Flags" tag.
+.It Em Passive-connections
+A list of IPsec "connection" names we recognize and accept initiations for.
+These names are section names where further information can be found.
+Look at <IPsec-connection> below.
+Currently only the Local-ID and Remote-ID tags
+are looked at in those sections, as they are matched against the IDs given
+by the initiator.
+.El
+.It Em KeyNote
+.Bl -tag -width 12n
+.It Em Credential-directory
+A directory containing directories named after IDs (IP
+addresses,
+.Dq user@domain ,
+or hostnames) that contain files named
+.Dq credentials
+and
+.Dq private_key .
+.Pp
+The credentials file contains
+.Xr keynote 4
+credentials that are sent to a remote IKE daemon when we use the
+associated ID, or credentials that we may want to consider when doing
+an exchange with a remote IKE daemon that uses that ID.
+Note that, in the former case, the last credential in the file
+MUST contain our public key in its Licensees field.
+More than one credentials may exist in the file.
+They are separated by whitelines (the format is essentially the same as
+that of the policy file).
+The credentials are of the same format as the policies described in
+.Xr isakmpd.policy 5 .
+The only difference is that the Authorizer field contains a public
+key, and the assertion is signed.
+Signed assertions can be generated using the
+.Xr keynote 1
+utility.
+.Pp
+The private_key file contains the private RSA key we use for
+authentication.
+If the directory (and the files) exist, they take precedence over X509-based
+authentication.
+.El
+.It Em X509-Certificates
+.Bl -tag -width 12n
+.It Em Accept-self-signed
+If this tag is defined, whatever the value is, certificates that
+do not originate from a trusted CA but are self-signed will be
+accepted.
+.It Em Ca-directory
+A directory containing PEM certificates of certification authorities
+that we trust to sign other certificates.
+Note that for a CA to be really trusted, it needs to be somehow
+referred to by policy, in
+.Xr isakmpd.policy 5 .
+The certificates in this directory are used for the actual X.509
+authentication and for cross-referencing policies that refer to
+Distinguished Names (DNs).
+Keeping a separate directory (as opposed to integrating policies
+and X.509 CA certificates) allows for maintenance of a list of
+"well known" CAs without actually having to trust all (or any) of them.
+.It Em Cert-directory
+A directory containing PEM certificates that we trust to be valid.
+These certificates are used in preference to those passed in messages and
+are required to have a subjectAltName extension containing the certificate
+holder identity; usually IP address, FQDN, or User FQDN, as provided by
+.Xr certpatch 8 .
+.It Em Private-key
+The private key matching the public key of our certificate (which should be
+in the "Cert-directory", and have an appropriate subjectAltName field).
+.El
+.El
+.Ss Referred-to sections
+.Bl -hang -width 12n
+.It Em <ISAKMP-peer>
+Parameters for negotiation with an ISAKMP peer
+.Bl -tag -width 12n
+.It Em Phase
+The constant
+.Li 1 ,
+as ISAKMP-peers and IPsec-connections
+really are handled by the same code inside isakmpd.
+.It Em Transport
+The name of the transport protocol, defaults to
+.Li UDP .
+.It Em Port
+In case of
+.Li UDP ,
+the
+.Li UDP
+port number to send to.
+This is optional, the
+default value is 500 which is the IANA-registered number for ISAKMP.
+.It Em Local-address
+The Local IP-address to use, if we are multi-homed, or have aliases.
+.It Em Address
+If existent, the IP-address of the peer.
+.It Em Configuration
+The name of the ISAKMP-configuration section to use.
+Look at <ISAKMP-configuration> below.
+If unspecified, defaults to "Default-phase-1-configuration".
+.It Em Authentication
+If existent, authentication data for this specific peer.
+In the case of preshared key, this is the key value itself.
+.It Em ID
+If existent, the name of the section that describes the
+local client ID that we should present to our peer.
+If not present, it
+defaults to the address of the local interface we are sending packets
+over to the remote daemon.
+Look at <Phase1-ID> below.
+.It Em Remote-ID
+If existent, the name of the section that describes the remote client
+ID we expect the remote daemon to send us.
+If not present, it defaults to the address of the remote daemon.
+Look at <Phase1-ID> below.
+.It Em Flags
+A comma-separated list of flags controlling the further
+handling of the ISAKMP SA.
+Currently there are no specific ISAKMP SA flags defined.
+.El
+.It Em <Phase1-ID>
+.Bl -tag -width 12n
+.It Em ID-type
+The ID type as given by the RFC specifications.
+For phase 1 this is currently
+.Li IPV4_ADDR ,
+.Li IPV4_ADDR_SUBNET ,
+.Li IPV6_ADDR ,
+.Li IPV6_ADDR_SUBNET ,
+.Li FQDN ,
+.Li USER_FQDN
+or
+.Li KEY_ID .
+.It Em Address
+If the ID-type is
+.Li IPV4_ADDR
+or
+.Li IPV6_ADDR ,
+this tag should exist and be an IP-address.
+.It Em Network
+If the ID-type is
+.Li IPV4_ADDR_SUBNET
+or
+.Li IPV6_ADDR_SUBNET
+this tag should exist and
+be a network address.
+.It Em Netmask
+If the ID-type is
+.Li IPV4_ADDR_SUBNET
+or
+.Li IPV6_ADDR_SUBNET
+this tag should exist and
+be a network subnet mask.
+.It Em Name
+If the ID-type is
+.Li FQDN ,
+.Li USER_FQDN
+or
+.Li KEY_ID ,
+this tag should exist and contain a domain name, user@domain, or
+other identifying string respectively.
+.Pp
+In the case of
+.Li KEY_ID ,
+note that the IKE protocol allows any octet sequence to be sent or
+received under this payload, potentially including non-printable
+ones.
+.Xr isakmpd 8
+can only transmit printable
+.Li KEY_ID
+payloads, but can receive and process arbitrary
+.Li KEY_ID
+payloads.
+This effectively means that non-printable
+.Li KEY_ID
+remote identities cannot be verified through this means, although it
+is still possible to do so through
+.Xr isakmpd.policy 5 .
+.El
+.It Em <ISAKMP-configuration>
+.Bl -tag -width 12n
+.It Em DOI
+The domain of interpretation as given by the RFCs.
+Normally
+.Li IPSEC .
+If unspecified, defaults to
+.Li IPSEC .
+.It Em EXCHANGE_TYPE
+The exchange type as given by the RFCs.
+For main mode this is
+.Li ID_PROT
+and for aggressive mode it is
+.Li AGGRESSIVE .
+.It Em Transforms
+A list of proposed transforms to use for protecting the
+ISAKMP traffic.
+These are actually names for sections
+further describing the transforms.
+Look at <ISAKMP-transform> below.
+.El
+.It Em <ISAKMP-transform>
+.Bl -tag -width 12n
+.It Em ENCRYPTION_ALGORITHM
+The encryption algorithm as the RFCs name it, or ANY to denote that any
+encryption algorithm proposed will be accepted.
+.It Em KEY_LENGTH
+For encryption algorithms with variable key length, this is
+where the offered/accepted keylengths are described.
+The value is of the offer-accept kind described above.
+.It Em HASH_ALGORITHM
+The hash algorithm as the RFCs name it, or ANY.
+.It Em AUTHENTICATION_METHOD
+The authentication method as the RFCs name it, or ANY.
+.It Em GROUP_DESCRIPTION
+The group used for Diffie-Hellman exponentiations, or ANY.
+The names are symbolic, like
+.Li MODP_768 , MODP_1024 , EC_155
+and
+.Li EC_185 .
+.It Em PRF
+The algorithm to use for the keyed pseudo-random function (used for key
+derivation and authentication in phase 1), or ANY.
+.It Em Life
+A list of lifetime descriptions, or ANY.
+In the former case, each
+element is in itself a name of the section that defines the lifetime.
+Look at <Lifetime> below.
+If it is set to ANY, then any type of
+proposed lifetime type and value will be accepted.
+.El
+.It Em <Lifetime>
+.Bl -tag -width 12n
+.It Em LIFE_TYPE
+.Li SECONDS
+or
+.Li KILOBYTES
+depending on the type of the duration.
+Notice that this field may NOT be set to ANY.
+.It Em LIFE_DURATION
+An offer/accept kind of value, see above.
+Can also be set to ANY.
+.El
+.It Em <IPsec-connection>
+.Bl -tag -width 12n
+.It Em Phase
+The constant
+.Li 2 ,
+as ISAKMP-peers and IPsec-connections
+really are handled by the same code inside isakmpd.
+.It Em ISAKMP-peer
+The name of the ISAKMP-peer which to talk to in order to
+set up this connection.
+The value is the name of an <ISAKMP-peer> section.
+See above.
+.It Em Configuration
+The name of the IPsec-configuration section to use.
+Look at <IPsec-configuration> below.
+.It Em Local-ID
+If existent, the name of the section that describes the
+optional local client ID that we should present to our peer.
+It is also used when we act as responders to find out what
+<IPsec-connection> we are dealing with.
+Look at <IPsec-ID> below.
+.It Em Remote-ID
+If existent, the name of the section that describes the
+optional remote client ID that we should present to our peer.
+It is also used when we act as responders to find out what
+<IPsec-connection> we are dealing with.
+Look at <IPsec-ID> below.
+.It Em Flags
+A comma-separated list of flags controlling the further
+handling of the IPsec SA.
+Currently only one flag is defined:
+.Bl -tag -width 12n
+.It Em Active-only
+If this flag is given and this <IPsec-connection> is part of the phase 2
+connections we automatically keep up, it will not automatically be used for
+accepting connections from the peer.
+.El
+.El
+.It Em <IPsec-configuration>
+.Bl -tag -width 12n
+.It Em DOI
+The domain of interpretation as given by the RFCs.
+Normally
+.Li IPSEC .
+If unspecified, defaults to
+.Li IPSEC .
+.It Em EXCHANGE_TYPE
+The exchange type as given by the RFCs.
+For quick mode this is
+.Li QUICK_MODE .
+.It Em Suites
+A list of protection suites (bundles of protocols) usable for
+protecting the IP traffic.
+Each of the list elements is a name of an <IPsec-suite> section.
+See below.
+.El
+.It Em <IPsec-suite>
+.Bl -tag -width 12n
+.It Em Protocols
+A list of the protocols included in this protection suite.
+Each of the list elements is a name of an <IPsec-protocol>
+section.
+See below.
+.El
+.It Em <IPsec-protocol>
+.Bl -tag -width 12n
+.It Em PROTOCOL_ID
+The protocol as given by the RFCs.
+Acceptable values today are
+.Li IPSEC_AH
+and
+.Li IPSEC_ESP .
+.It Em Transforms
+A list of transforms usable for implementing the protocol.
+Each of the list elements is a name of an <IPsec-transform>
+section.
+See below.
+.It Em ReplayWindow
+The size of the window used for replay protection.
+This is normally left alone.
+Look at the
+.Nm ESP
+and
+.Nm AH
+RFCs for a better description.
+.El
+.It Em <IPsec-transform>
+.Bl -tag -width 12n
+.It Em TRANSFORM_ID
+The transform ID as given by the RFCs.
+.It Em ENCAPSULATION_MODE
+The encapsulation mode as given by the RFCs.
+This means TRANSPORT or TUNNEL.
+.It Em AUTHENTICATION_ALGORITHM
+The optional authentication algorithm in the case of this
+being an ESP transform.
+.It Em GROUP_DESCRIPTION
+An optional (provides PFS if present) Diffie-Hellman group
+description.
+The values are the same as GROUP_DESCRIPTION's
+in <ISAKMP-transform> sections shown above.
+.It Em Life
+List of lifetimes, each element is a <Lifetime> section name.
+.El
+.It Em <IPsec-ID>
+.Bl -tag -width 12n
+.It Em ID-type
+The ID type as given by the RFCs.
+For IPsec this is currently
+.Li IPV4_ADDR ,
+.Li IPV6_ADDR ,
+.Li IPV4_ADDR_SUBNET
+or
+.Li IPV6_ADDR_SUBNET .
+.It Em Address
+If the ID-type is
+.Li IPV4_ADDR
+or
+.Li IPV6_ADDR
+this tag should exist and be an IP-address.
+.It Em Network
+If the ID-type is
+.Li IPV4_ADDR_SUBNET
+or
+.Li IPV6_ADDR_SUBNET
+this tag should exist and
+be a network address.
+.It Em Netmask
+If the ID-type is
+.Li IPV4_ADDR_SUBNET
+or
+.Li IPV6_ADDR_SUBNET
+this tag should exist and
+be a network subnet mask.
+.It Em Protocol
+If the ID-type is
+.Li IPV4_ADDR ,
+.Li IPV4_ADDR_SUBNET ,
+.Li IPV6_ADDR
+or
+.Li IPV6_ADDR_SUBNET
+this tag indicates what transport protocol should be transmitted over
+the SA.
+If left unspecified, all transport protocols between the two address
+(ranges) will be sent (or permitted) over that SA.
+.It Em Port
+If the ID-type is
+.Li IPV4_ADDR ,
+.Li IPV4_ADDR_SUBNET ,
+.Li IPV6_ADDR
+or
+.Li IPV6_ADDR_SUBNET
+this tag indicates what source or destination port is allowed to be
+transported over the SA (depending on whether this is a local or
+remote ID).
+If left unspecified, all ports of the given transport protocol
+will be transmitted (or permitted) over the SA.
+The Protocol tag must be specified in conjunction with this tag.
+.El
+.El
+.Ss Other sections
+.Bl -hang -width 12n
+.It Em <IKECFG-ID>
+Parameters to use with IKE mode-config.
+One ID per peer.
+.Pp
+An IKECFG-ID is written as [<ID-type>/<name>].
+The following ID types are supported:
+.Bl -tag -width 12n
+.It IPv4
+[ipv4/A.B.C.D]
+.It IPv6
+[ipv6/abcd:abcd::ab:cd]
+.It FQDN
+[fqdn/foo.bar.org]
+.It UFQDN
+[ufqdn/user@foo.bar.org]
+.It ASN1_DN
+[asn1_dn//C=aa/O=cc/...] (Note the double slashes as the DN itself
+starts with a
+.Sq / . )
+.El
+.Pp
+Each section specifies what configuration values to return to the peer
+requesting IKE mode-config.
+Currently supported values are:
+.Bl -tag -width 12n
+.It Em Address
+The peer's network address.
+.It Em Netmask
+The peer's netmask.
+.It Em Nameserver
+The IP address of a DNS nameserver.
+.It Em WINS-server
+The IP address of a WINS server.
+.El
+.It Em <Initiator-ID>
+.Pp
+During phase 1 negotiation
+.Nm isakmpd
+looks for a pre-shared key in the <ISAKMP-peer> section.
+If no Authentication data is specified in that section, and
+.Nm isakmpd
+is not the initiator, it looks for Authentication data in a section named after
+the initiator's phase 1 ID.
+This allows mobile users with dynamic IP addresses
+to have different shared secrets.
+.Pp
+This only works for aggressive mode because in main mode the remote
+initiator ID would not yet be known.
+.Pp
+The name of the <Initiator-ID> section depends on the ID type sent by
+the initiator.
+Currently this can be:
+.Bl -tag -width 12n
+.It IPv4
+[A.B.C.D]
+.It IPv6
+[abcd:abcd::ab:cd]
+.It FQDN
+[foo.bar.org]
+.It UFQDN
+[user@foo.bar.org]
+.El
+.El
+.Sh FILES
+.Bl -tag -width /etc/isakmpd/isakmpd.conf
+.It Pa /etc/isakmpd/isakmpd.conf
+The default
+.Nm isakmpd
+configuration file.
+.It Pa /usr/share/ipsec/isakmpd/
+A directory containing some sample
+.Nm isakmpd
+configuration files.
+.El
+.Sh EXAMPLES
+An example of a configuration file:
+.Bd -literal
+# A configuration sample for the isakmpd ISAKMP/Oakley (aka IKE) daemon.
+
+[General]
+Listen-on= 10.1.0.2
+
+# Incoming phase 1 negotiations are multiplexed on the source IP address
+[Phase 1]
+10.1.0.1= ISAKMP-peer-west
+
+# These connections are walked over after config file parsing and told
+# to the application layer so that it will inform us when traffic wants to
+# pass over them.
+This means we can do on-demand keying.
+[Phase 2]
+Connections= IPsec-east-west
+
+# Default values are commented out.
+[ISAKMP-peer-west]
+Phase= 1
+#Transport= udp
+Local-address= 10.1.0.2
+Address= 10.1.0.1
+#Port= isakmp
+#Port= 500
+#Configuration= Default-phase-1-configuration
+Authentication= mekmitasdigoat
+#Flags=
+
+[IPsec-east-west]
+Phase= 2
+ISAKMP-peer= ISAKMP-peer-west
+Configuration= Default-quick-mode
+Local-ID= Net-east
+Remote-ID= Net-west
+#Flags=
+
+[Net-west]
+ID-type= IPV4_ADDR_SUBNET
+Network= 192.168.1.0
+Netmask= 255.255.255.0
+
+[Net-east]
+ID-type= IPV4_ADDR_SUBNET
+Network= 192.168.2.0
+Netmask= 255.255.255.0
+
+# Quick mode descriptions
+
+[Default-quick-mode]
+EXCHANGE_TYPE= QUICK_MODE
+Suites= QM-ESP-3DES-SHA-PFS-SUITE,QM-ESP-AES-SHA-PFS-SUITE
+
+# Data for an IKE mode-config peer
+[asn1_dn//C=SE/L=SomeCity/O=SomeCompany/CN=SomePeer.company.com]
+Address= 192.168.1.123
+Netmask= 255.255.255.0
+Nameserver= 192.168.1.10
+WINS-server= 192.168.1.11
+
+# pre-shared key based on initiator's phase 1 ID
+[foo.bar.org]
+Authentication= mekmitasdigoat
+
+#
+# #####################################################################
+# All configuration data below this point is not required as the example
+# uses the predefined Main Mode transform and Quick Mode suite names.
+# It is included here for completeness. Note the default values for the
+# [General] and [X509-certificates] sections just below.
+# #####################################################################
+#
+
+[General]
+Policy-file= /etc/isakmpd/isakmpd.policy
+Retransmits= 3
+Exchange-max-time= 120
+
+# KeyNote credential storage
+[KeyNote]
+Credential-directory= /etc/isakmpd/keynote/
+
+# Certificates stored in PEM format
+[X509-certificates]
+CA-directory= /etc/isakmpd/ca/
+Cert-directory= /etc/isakmpd/certs/
+CRL-directory= /etc/isakmpd/crls/
+Private-key= /etc/isakmpd/private/local.key
+
+# Default phase 1 description (Main Mode)
+
+[Default-phase-1-configuration]
+EXCHANGE_TYPE= ID_PROT
+Transforms= 3DES-SHA
+
+# Main mode transforms
+######################
+
+# DES
+
+[DES-MD5]
+ENCRYPTION_ALGORITHM= DES_CBC
+HASH_ALGORITHM= MD5
+AUTHENTICATION_METHOD= PRE_SHARED
+GROUP_DESCRIPTION= MODP_1024
+Life= Default-phase-1-lifetime
+
+[DES-SHA]
+ENCRYPTION_ALGORITHM= DES_CBC
+HASH_ALGORITHM= SHA
+AUTHENTICATION_METHOD= PRE_SHARED
+GROUP_DESCRIPTION= MODP_1024
+Life= Default-phase-1-lifetime
+
+# 3DES
+
+[3DES-SHA]
+ENCRYPTION_ALGORITHM= 3DES_CBC
+HASH_ALGORITHM= SHA
+AUTHENTICATION_METHOD= PRE_SHARED
+GROUP_DESCRIPTION= MODP_1024
+Life= Default-phase-1-lifetime
+
+# Blowfish
+
+[BLF-SHA]
+ENCRYPTION_ALGORITHM= BLOWFISH_CBC
+KEY_LENGTH= 128,96:192
+HASH_ALGORITHM= SHA
+AUTHENTICATION_METHOD= PRE_SHARED
+GROUP_DESCRIPTION= MODP_1024
+Life= Default-phase-1-lifetime
+
+# Blowfish, using DH group 4 (non-default)
+[BLF-SHA-EC185]
+ENCRYPTION_ALGORITHM= BLOWFISH_CBC
+KEY_LENGTH= 128,96:192
+HASH_ALGORITHM= SHA
+AUTHENTICATION_METHOD= PRE_SHARED
+GROUP_DESCRIPTION= EC2N_185
+Life= Default-phase-1-lifetime
+
+# Quick mode protection suites
+##############################
+
+# DES
+
+[QM-ESP-DES-SUITE]
+Protocols= QM-ESP-DES
+
+[QM-ESP-DES-PFS-SUITE]
+Protocols= QM-ESP-DES-PFS
+
+[QM-ESP-DES-MD5-SUITE]
+Protocols= QM-ESP-DES-MD5
+
+[QM-ESP-DES-MD5-PFS-SUITE]
+Protocols= QM-ESP-DES-MD5-PFS
+
+[QM-ESP-DES-SHA-SUITE]
+Protocols= QM-ESP-DES-SHA
+
+[QM-ESP-DES-SHA-PFS-SUITE]
+Protocols= QM-ESP-DES-SHA-PFS
+
+# 3DES
+
+[QM-ESP-3DES-SHA-SUITE]
+Protocols= QM-ESP-3DES-SHA
+
+[QM-ESP-3DES-SHA-PFS-SUITE]
+Protocols= QM-ESP-3DES-SHA-PFS
+
+# AES
+
+[QM-ESP-AES-SHA-SUITE]
+Protocols= QM-ESP-AES-SHA
+
+[QM-ESP-AES-SHA-PFS-SUITE]
+Protocols= QM-ESP-AES-SHA-PFS
+
+# AH
+
+[QM-AH-MD5-SUITE]
+Protocols= QM-AH-MD5
+
+[QM-AH-MD5-PFS-SUITE]
+Protocols= QM-AH-MD5-PFS
+
+# AH + ESP (non-default)
+
+[QM-AH-MD5-ESP-DES-SUITE]
+Protocols= QM-AH-MD5,QM-ESP-DES
+
+[QM-AH-MD5-ESP-DES-MD5-SUITE]
+Protocols= QM-AH-MD5,QM-ESP-DES-MD5
+
+[QM-ESP-DES-MD5-AH-MD5-SUITE]
+Protocols= QM-ESP-DES-MD5,QM-AH-MD5
+
+# Quick mode protocols
+
+# DES
+
+[QM-ESP-DES]
+PROTOCOL_ID= IPSEC_ESP
+Transforms= QM-ESP-DES-XF
+
+[QM-ESP-DES-MD5]
+PROTOCOL_ID= IPSEC_ESP
+Transforms= QM-ESP-DES-MD5-XF
+
+[QM-ESP-DES-MD5-PFS]
+PROTOCOL_ID= IPSEC_ESP
+Transforms= QM-ESP-DES-MD5-PFS-XF
+
+[QM-ESP-DES-SHA]
+PROTOCOL_ID= IPSEC_ESP
+Transforms= QM-ESP-DES-SHA-XF
+
+# 3DES
+
+[QM-ESP-3DES-SHA]
+PROTOCOL_ID= IPSEC_ESP
+Transforms= QM-ESP-3DES-SHA-XF
+
+[QM-ESP-3DES-SHA-PFS]
+PROTOCOL_ID= IPSEC_ESP
+Transforms= QM-ESP-3DES-SHA-PFS-XF
+
+[QM-ESP-3DES-SHA-TRP]
+PROTOCOL_ID= IPSEC_ESP
+Transforms= QM-ESP-3DES-SHA-TRP-XF
+
+# AES
+
+[QM-ESP-AES-SHA]
+PROTOCOL_ID= IPSEC_ESP
+Transforms= QM-ESP-AES-SHA-XF
+
+[QM-ESP-AES-SHA-PFS]
+PROTOCOL_ID= IPSEC_ESP
+Transforms= QM-ESP-AES-SHA-PFS-XF
+
+[QM-ESP-AES-SHA-TRP]
+PROTOCOL_ID= IPSEC_ESP
+Transforms= QM-ESP-AES-SHA-TRP-XF
+
+# AH MD5
+
+[QM-AH-MD5]
+PROTOCOL_ID= IPSEC_AH
+Transforms= QM-AH-MD5-XF
+
+[QM-AH-MD5-PFS]
+PROTOCOL_ID= IPSEC_AH
+Transforms= QM-AH-MD5-PFS-XF
+
+# Quick mode transforms
+
+# ESP DES+MD5
+
+[QM-ESP-DES-XF]
+TRANSFORM_ID= DES
+ENCAPSULATION_MODE= TUNNEL
+Life= Default-phase-2-lifetime
+
+[QM-ESP-DES-MD5-XF]
+TRANSFORM_ID= DES
+ENCAPSULATION_MODE= TUNNEL
+AUTHENTICATION_ALGORITHM= HMAC_MD5
+Life= Default-phase-2-lifetime
+
+[QM-ESP-DES-MD5-PFS-XF]
+TRANSFORM_ID= DES
+ENCAPSULATION_MODE= TUNNEL
+GROUP_DESCRIPTION= MODP_1024
+AUTHENTICATION_ALGORITHM= HMAC_MD5
+Life= Default-phase-2-lifetime
+
+[QM-ESP-DES-SHA-XF]
+TRANSFORM_ID= DES
+ENCAPSULATION_MODE= TUNNEL
+AUTHENTICATION_ALGORITHM= HMAC_SHA
+Life= Default-phase-2-lifetime
+
+# 3DES
+
+[QM-ESP-3DES-SHA-XF]
+TRANSFORM_ID= 3DES
+ENCAPSULATION_MODE= TUNNEL
+AUTHENTICATION_ALGORITHM= HMAC_SHA
+Life= Default-phase-2-lifetime
+
+[QM-ESP-3DES-SHA-PFS-XF]
+TRANSFORM_ID= 3DES
+ENCAPSULATION_MODE= TUNNEL
+AUTHENTICATION_ALGORITHM= HMAC_SHA
+GROUP_DESCRIPTION= MODP_1024
+Life= Default-phase-2-lifetime
+
+[QM-ESP-3DES-SHA-TRP-XF]
+TRANSFORM_ID= 3DES
+ENCAPSULATION_MODE= TRANSPORT
+AUTHENTICATION_ALGORITHM= HMAC_SHA
+Life= Default-phase-2-lifetime
+
+# AES
+
+[QM-ESP-AES-SHA-XF]
+TRANSFORM_ID= AES
+ENCAPSULATION_MODE= TUNNEL
+AUTHENTICATION_ALGORITHM= HMAC_SHA
+Life= Default-phase-2-lifetime
+
+[QM-ESP-AES-SHA-PFS-XF]
+TRANSFORM_ID= AES
+ENCAPSULATION_MODE= TUNNEL
+AUTHENTICATION_ALGORITHM= HMAC_SHA
+GROUP_DESCRIPTION= MODP_1024
+Life= Default-phase-2-lifetime
+
+[QM-ESP-AES-SHA-TRP-XF]
+TRANSFORM_ID= AES
+ENCAPSULATION_MODE= TRANSPORT
+AUTHENTICATION_ALGORITHM= HMAC_SHA
+Life= Default-phase-2-lifetime
+
+# AH
+
+[QM-AH-MD5-XF]
+TRANSFORM_ID= MD5
+ENCAPSULATION_MODE= TUNNEL
+AUTHENTICATION_ALGORITHM= HMAC_MD5
+Life= Default-phase-2-lifetime
+
+[QM-AH-MD5-PFS-XF]
+TRANSFORM_ID= MD5
+ENCAPSULATION_MODE= TUNNEL
+GROUP_DESCRIPTION= MODP_1024
+Life= Default-phase-2-lifetime
+
+[Sample-Life-Time]
+LIFE_TYPE= SECONDS
+LIFE_DURATION= 3600,1800:7200
+
+[Sample-Life-Volume]
+LIFE_TYPE= KILOBYTES
+LIFE_DURATION= 1000,768:1536
+.Ed
+.Sh SEE ALSO
+.Xr keynote 1 ,
+.Xr ipsec 4 ,
+.Xr keynote 4 ,
+.Xr isakmpd.policy 5 ,
+.Xr isakmpd 8
+.Sh BUGS
+The RFCs do not permit differing DH groups in the same proposal for
+aggressive and quick mode exchanges.
+Mixing both PFS and non-PFS suites in a quick mode proposal is not possible,
+as PFS implies using a DH group.