Diffstat (limited to 'keyexchange/isakmpd-20041012/isakmpd.conf.5')
-rw-r--r-- | keyexchange/isakmpd-20041012/isakmpd.conf.5 | 1126 |
1 files changed, 1126 insertions, 0 deletions
diff --git a/keyexchange/isakmpd-20041012/isakmpd.conf.5 b/keyexchange/isakmpd-20041012/isakmpd.conf.5 new file mode 100644 index 0000000..db3dd78 --- /dev/null +++ b/keyexchange/isakmpd-20041012/isakmpd.conf.5 
@@ -0,0 +1,1126 @@ +.\" $OpenBSD: isakmpd.conf.5,v 1.94 2004/08/10 15:59:10 ho Exp $ +.\" $EOM: isakmpd.conf.5,v 1.57 2000/12/21 14:43:17 ho Exp $ +.\" +.\" Copyright (c) 1998, 1999, 2000 Niklas Hallqvist. All rights reserved. +.\" Copyright (c) 2000, 2001, 2002 Håkan Olsson. All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR +.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES +.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. +.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, +.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT +.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, +.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY +.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF +.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. +.\" +.\" This code was written under funding by Ericsson Radio Systems. +.\" +.\" Manual page, using -mandoc macros +.\" +.Dd August 07, 2002 +.Dt ISAKMPD.CONF 5 +.Os +.Sh NAME +.Nm isakmpd.conf +.Nd configuration file for isakmpd +.Sh DESCRIPTION +.Nm +is the configuration file for the +.Nm isakmpd +daemon managing security association and key management for the +IPsec layer of the kernel's networking stack. 
+.Pp +The file is of a well known type of format called .INI style, named after +the suffix used by an overrated windowing environment for its configuration +files. +This format consists of sections, each beginning with a line looking like: +.Bd -literal +[Section name] +.Ed +Between the brackets is the name of the section following this section header. +Inside a section many tag/value pairs can be stored, each one looking like: +.Bd -literal +Tag=Value +.Ed +If the value needs more space than fits on a single line it's possible to +continue it on the next by ending the first with a backslash character +immediately before the newline character. +This method can extend a value for an arbitrary number of lines. +.Pp +Comments can be put anywhere in the file by using a hash mark +.Pq Sq \&# . +The comment extends to the end of the current line. +.Pp +Often the right-hand side values consist of other section names. +This results in a tree structure. +Some values are treated as a list of several scalar values. +Such lists always use a comma character as the separator. +Some values are formatted like this: X,Y:Z, which +is an offer/accept syntax, where X is a value we offer and Y:Z is a range of +accepted values, inclusive. +.Pp +To activate changes to +.Nm +without restarting +.Nm isakmpd , +send a +.Dv SIGHUP +signal to the daemon process. +.Ss Auto-generated parts of the configuration +.Pp +Some predefined section names are recognized by the daemon, avoiding the need +to fully specify the Main Mode transforms and Quick Mode suites, protocols, +and transforms. 
+.Pp +For Main Mode: +.Bd -filled -compact +.Ar {DES,BLF,3DES,CAST,AES}-{MD5,SHA}[-GRP{1,2,5,14}][-{DSS,RSA_SIG}] +.Ed +.Pp +For Quick Mode: +.Bd -filled -compact +.Ar QM-{proto}[-TRP]-{cipher}[-{hash}][-PFS[-{group}]]-SUITE +.Ed +.Bd -literal + where + {proto} is either ESP or AH + {cipher} is either DES, 3DES, CAST, BLF or AES + {hash} is either MD5, SHA, RIPEMD, SHA2-{256,384,512} + {group} is either GRP1, GRP2, GRP5 or GRP14 +.Ed +.Pp +For example, 3DES-SHA means: 3DES encryption, SHA hash, and authorization by +pre-shared keys. +Similarly, QM-ESP-3DES-SHA-PFS-SUITE means: ESP protocol, 3DES encryption, +SHA hash, and use Perfect Forward Secrecy. +.Pp +Unless explicitly stated with -GRP1, 2, 5 or 14 transforms and PFS suites +use DH group 2. +There are currently no predefined ESP+AH Quick Mode suites. +.Pp +The predefinitions include some default values for the special +sections "General", "Keynote", "X509-certificates", and +"Default-phase-1-configuration". +These default values are presented in the example below. +.Pp +All autogenerated values can be overridden by manual entries by using the +same section and tag names in the configuration file. +In particular, the default phase 1 (Main or Aggressive Mode) and phase 2 +(Quick Mode) lifetimes can be overridden by these tags under the "General" +section; +.Bd -literal +[General] +Default-phase-1-lifetime= 3600,60:86400 +Default-phase-2-lifetime= 1200,60:86400 +.Ed +.Pp +The Main Mode lifetime currently defaults to one hour (minimum 60 +seconds, maximum 1 day). +The Quick Mode lifetime defaults to 20 minutes +(minimum 60 seconds, maximum 1 day). 
+.Pp +Also, the default phase 1 ID can be set by creating a <Phase1-ID> +section, as shown below, and adding this tag under the "General" +section; +.Bd -literal +[General] +Default-phase-1-ID= Phase1-ID-name + +[Phase1-ID-name] +ID-type= USER_FQDN +Name= foo@bar.com +.Ed +.Ss Roots +.Bl -hang -width 12n +.It Em General +Generic global configuration parameters +.Bl -tag -width 12n +.It Em Default-phase-1-ID +Optional default phase 1 ID name. +.It Em Default-phase-1-lifetime +The default lifetime for autogenerated transforms (phase 1). +If unspecified, the value 3600,60:86400 is used as the default. +.It Em Default-phase-2-lifetime +The default lifetime for autogenerated suites (phase 2). +If unspecified, the value 1200,60:86400 is used as the default. +.It Em Default-phase-2-suites +A list of phase 2 suites that will be used when establishing dynamic +SAs. +If left unspecified, QM-ESP-3DES-SHA-PFS-SUITE is used as the default. +.It Em Acquire-Only +If this tag is defined, +.Nm isakmpd +will not set up flows automatically. +This is useful when flows are configured with +.Xr ipsecadm 4 +or by other programs like +.Xr bgpd 8 . +Thus +.Nm isakmpd +only takes care of the SA establishment. +.It Em Check-interval +The interval between watchdog checks of connections we want up at all +times. +.It Em DPD-check-interval +The interval between RFC 3706 (Dead Peer Detection) messages. +The default value is 0 (zero), which means DPD is disabled. +.It Em Exchange-max-time +How many seconds should an exchange maximally take to set up before we +give up. +.It Em Listen-on +A list of IP-addresses OK to listen on. +This list is used as a filter for the set of addresses the interfaces +configured provides. +This means that we won't see if an address given here does not exist +on this host, and thus no error is given for that case. +.It Em Loglevel +A list of the form +.Ar class Ns = Ns Ar level , +where both +.Ar class +and +.Ar level +are numbers. 
+This is similar to the +.Fl D +command line switch of +.Em isakmpd . +See +.Xr isakmpd 8 +for details. +.It Em Logverbose +If this tag is defined, whatever the value is, verbose logging is enabled. +This is similar to the +.Fl v +command line switch of +.Em isakmpd . +See +.Xr isakmpd 8 +for details. +.It Em NAT-T-Keepalive +The number of seconds between NAT-T keepalive messages, sent by the +peer behind NAT to keep the mapping active. +Defaults to 20. +.It Em Policy-file +The name of the file that contains +.Xr keynote 4 +policies. +The default is "/etc/isakmpd/isakmpd.policy". +.It Em Pubkey-directory +The directory in which +.Nm +looks for explicitly trusted public keys. +The default is "/etc/isakmpd/pubkeys". +Read +.Xr isakmpd 8 +for the required naming convention of the files in here. +.It Em Renegotiate-on-HUP +If this tag is defined, whatever the value is, +.Nm isakmpd +will renegotiate all current phase 2 SAs when the daemon receives a +.Dv SIGHUP +signal, or an +.Sq R +is sent to the FIFO interface (see +.Xr isakmpd 8 ) . +.It Em Retransmits +How many times should a message be retransmitted before giving up. +.It Em Shared-SADB +If this tag is defined, whatever the value is, some semantics of +.Nm +are changed so that multiple instances can run on top of one SADB +and set up SAs with each other. +Specifically this means replay +protection will not be asked for, and errors that can occur when +updating an SA with its parameters a 2nd time will be ignored. +.It Em Use-Keynote +This tag controls the use of +.Xr keynote 4 +policy checking. +The default value is +.Qq yes , +which enables the policy checking. +When set to any other value, policies will not be checked. +This is useful when policies for flows and SA establishment are arranged by +other programs like +.Xr ipsecadm 8 +or +.Xr bgpd 8 . +.El +.It Em Phase 1 +ISAKMP SA negotiation parameter root +.Bl -tag -width 12n +.It Em <IP-address> +A name of the ISAKMP peer at the given IP-address. 
+.It Em Default +A name of the default ISAKMP peer. +Incoming phase 1 connections from other IP-addresses will use this peer name. +.It "" +This name is used as the section name for further information to be found. +Look at <ISAKMP-peer> below. +.El +.It Em Phase 2 +IPsec SA negotiation parameter root +.Bl -tag -width 12n +.It Em Connections +A list of directed IPsec "connection" names that should be brought up +automatically, either on first use if the system supports it, or at +startup of the daemon. +These names are section names where further information can be found. +Look at <IPsec-connection> below. +Normally any connections mentioned here are treated as part of the +"Passive-connection" list we present below, however there is a +flag: "Active-only" that disables this behaviour. +This too is mentioned in the <IPsec-connection> section, in the "Flags" tag. +.It Em Passive-connections +A list of IPsec "connection" names we recognize and accept initiations for. +These names are section names where further information can be found. +Look at <IPsec-connection> below. +Currently only the Local-ID and Remote-ID tags +are looked at in those sections, as they are matched against the IDs given +by the initiator. +.El +.It Em KeyNote +.Bl -tag -width 12n +.It Em Credential-directory +A directory containing directories named after IDs (IP +addresses, +.Dq user@domain , +or hostnames) that contain files named +.Dq credentials +and +.Dq private_key . +.Pp +The credentials file contains +.Xr keynote 4 +credentials that are sent to a remote IKE daemon when we use the +associated ID, or credentials that we may want to consider when doing +an exchange with a remote IKE daemon that uses that ID. +Note that, in the former case, the last credential in the file +MUST contain our public key in its Licensees field. +More than one credentials may exist in the file. +They are separated by whitelines (the format is essentially the same as +that of the policy file). 
+The credentials are of the same format as the policies described in +.Xr isakmpd.policy 5 . +The only difference is that the Authorizer field contains a public +key, and the assertion is signed. +Signed assertions can be generated using the +.Xr keynote 1 +utility. +.Pp +The private_key file contains the private RSA key we use for +authentication. +If the directory (and the files) exist, they take precedence over X509-based +authentication. +.El +.It Em X509-Certificates +.Bl -tag -width 12n +.It Em Accept-self-signed +If this tag is defined, whatever the value is, certificates that +do not originate from a trusted CA but are self-signed will be +accepted. +.It Em Ca-directory +A directory containing PEM certificates of certification authorities +that we trust to sign other certificates. +Note that for a CA to be really trusted, it needs to be somehow +referred to by policy, in +.Xr isakmpd.policy 5 . +The certificates in this directory are used for the actual X.509 +authentication and for cross-referencing policies that refer to +Distinguished Names (DNs). +Keeping a separate directory (as opposed to integrating policies +and X.509 CA certificates) allows for maintenance of a list of +"well known" CAs without actually having to trust all (or any) of them. +.It Em Cert-directory +A directory containing PEM certificates that we trust to be valid. +These certificates are used in preference to those passed in messages and +are required to have a subjectAltName extension containing the certificate +holder identity; usually IP address, FQDN, or User FQDN, as provided by +.Xr certpatch 8 . +.It Em Private-key +The private key matching the public key of our certificate (which should be +in the "Cert-directory", and have an appropriate subjectAltName field). 
+.El +.El +.Ss Referred-to sections +.Bl -hang -width 12n +.It Em <ISAKMP-peer> +Parameters for negotiation with an ISAKMP peer +.Bl -tag -width 12n +.It Em Phase +The constant +.Li 1 , +as ISAKMP-peers and IPsec-connections +really are handled by the same code inside isakmpd. +.It Em Transport +The name of the transport protocol, defaults to +.Li UDP . +.It Em Port +In case of +.Li UDP , +the +.Li UDP +port number to send to. +This is optional, the +default value is 500 which is the IANA-registered number for ISAKMP. +.It Em Local-address +The Local IP-address to use, if we are multi-homed, or have aliases. +.It Em Address +If existent, the IP-address of the peer. +.It Em Configuration +The name of the ISAKMP-configuration section to use. +Look at <ISAKMP-configuration> below. +If unspecified, defaults to "Default-phase-1-configuration". +.It Em Authentication +If existent, authentication data for this specific peer. +In the case of preshared key, this is the key value itself. +.It Em ID +If existent, the name of the section that describes the +local client ID that we should present to our peer. +If not present, it +defaults to the address of the local interface we are sending packets +over to the remote daemon. +Look at <Phase1-ID> below. +.It Em Remote-ID +If existent, the name of the section that describes the remote client +ID we expect the remote daemon to send us. +If not present, it defaults to the address of the remote daemon. +Look at <Phase1-ID> below. +.It Em Flags +A comma-separated list of flags controlling the further +handling of the ISAKMP SA. +Currently there are no specific ISAKMP SA flags defined. +.El +.It Em <Phase1-ID> +.Bl -tag -width 12n +.It Em ID-type +The ID type as given by the RFC specifications. +For phase 1 this is currently +.Li IPV4_ADDR , +.Li IPV4_ADDR_SUBNET , +.Li IPV6_ADDR , +.Li IPV6_ADDR_SUBNET , +.Li FQDN , +.Li USER_FQDN +or +.Li KEY_ID . 
+.It Em Address +If the ID-type is +.Li IPV4_ADDR +or +.Li IPV6_ADDR , +this tag should exist and be an IP-address. +.It Em Network +If the ID-type is +.Li IPV4_ADDR_SUBNET +or +.Li IPV6_ADDR_SUBNET +this tag should exist and +be a network address. +.It Em Netmask +If the ID-type is +.Li IPV4_ADDR_SUBNET +or +.Li IPV6_ADDR_SUBNET +this tag should exist and +be a network subnet mask. +.It Em Name +If the ID-type is +.Li FQDN , +.Li USER_FQDN +or +.Li KEY_ID , +this tag should exist and contain a domain name, user@domain, or +other identifying string respectively. +.Pp +In the case of +.Li KEY_ID , +note that the IKE protocol allows any octet sequence to be sent or +received under this payload, potentially including non-printable +ones. +.Xr isakmpd 8 +can only transmit printable +.Li KEY_ID +payloads, but can receive and process arbitrary +.Li KEY_ID +payloads. +This effectively means that non-printable +.Li KEY_ID +remote identities cannot be verified through this means, although it +is still possible to do so through +.Xr isakmpd.policy 5 . +.El +.It Em <ISAKMP-configuration> +.Bl -tag -width 12n +.It Em DOI +The domain of interpretation as given by the RFCs. +Normally +.Li IPSEC . +If unspecified, defaults to +.Li IPSEC . +.It Em EXCHANGE_TYPE +The exchange type as given by the RFCs. +For main mode this is +.Li ID_PROT +and for aggressive mode it is +.Li AGGRESSIVE . +.It Em Transforms +A list of proposed transforms to use for protecting the +ISAKMP traffic. +These are actually names for sections +further describing the transforms. +Look at <ISAKMP-transform> below. +.El +.It Em <ISAKMP-transform> +.Bl -tag -width 12n +.It Em ENCRYPTION_ALGORITHM +The encryption algorithm as the RFCs name it, or ANY to denote that any +encryption algorithm proposed will be accepted. +.It Em KEY_LENGTH +For encryption algorithms with variable key length, this is +where the offered/accepted keylengths are described. +The value is of the offer-accept kind described above. 
+.It Em HASH_ALGORITHM +The hash algorithm as the RFCs name it, or ANY. +.It Em AUTHENTICATION_METHOD +The authentication method as the RFCs name it, or ANY. +.It Em GROUP_DESCRIPTION +The group used for Diffie-Hellman exponentiations, or ANY. +The names are symbolic, like +.Li MODP_768 , MODP_1024 , EC_155 +and +.Li EC_185 . +.It Em PRF +The algorithm to use for the keyed pseudo-random function (used for key +derivation and authentication in phase 1), or ANY. +.It Em Life +A list of lifetime descriptions, or ANY. +In the former case, each +element is in itself a name of the section that defines the lifetime. +Look at <Lifetime> below. +If it is set to ANY, then any type of +proposed lifetime type and value will be accepted. +.El +.It Em <Lifetime> +.Bl -tag -width 12n +.It Em LIFE_TYPE +.Li SECONDS +or +.Li KILOBYTES +depending on the type of the duration. +Notice that this field may NOT be set to ANY. +.It Em LIFE_DURATION +An offer/accept kind of value, see above. +Can also be set to ANY. +.El +.It Em <IPsec-connection> +.Bl -tag -width 12n +.It Em Phase +The constant +.Li 2 , +as ISAKMP-peers and IPsec-connections +really are handled by the same code inside isakmpd. +.It Em ISAKMP-peer +The name of the ISAKMP-peer which to talk to in order to +set up this connection. +The value is the name of an <ISAKMP-peer> section. +See above. +.It Em Configuration +The name of the IPsec-configuration section to use. +Look at <IPsec-configuration> below. +.It Em Local-ID +If existent, the name of the section that describes the +optional local client ID that we should present to our peer. +It is also used when we act as responders to find out what +<IPsec-connection> we are dealing with. +Look at <IPsec-ID> below. +.It Em Remote-ID +If existent, the name of the section that describes the +optional remote client ID that we should present to our peer. +It is also used when we act as responders to find out what +<IPsec-connection> we are dealing with. +Look at <IPsec-ID> below. 
+.It Em Flags +A comma-separated list of flags controlling the further +handling of the IPsec SA. +Currently only one flag is defined: +.Bl -tag -width 12n +.It Em Active-only +If this flag is given and this <IPsec-connection> is part of the phase 2 +connections we automatically keep up, it will not automatically be used for +accepting connections from the peer. +.El +.El +.It Em <IPsec-configuration> +.Bl -tag -width 12n +.It Em DOI +The domain of interpretation as given by the RFCs. +Normally +.Li IPSEC . +If unspecified, defaults to +.Li IPSEC . +.It Em EXCHANGE_TYPE +The exchange type as given by the RFCs. +For quick mode this is +.Li QUICK_MODE . +.It Em Suites +A list of protection suites (bundles of protocols) usable for +protecting the IP traffic. +Each of the list elements is a name of an <IPsec-suite> section. +See below. +.El +.It Em <IPsec-suite> +.Bl -tag -width 12n +.It Em Protocols +A list of the protocols included in this protection suite. +Each of the list elements is a name of an <IPsec-protocol> +section. +See below. +.El +.It Em <IPsec-protocol> +.Bl -tag -width 12n +.It Em PROTOCOL_ID +The protocol as given by the RFCs. +Acceptable values today are +.Li IPSEC_AH +and +.Li IPSEC_ESP . +.It Em Transforms +A list of transforms usable for implementing the protocol. +Each of the list elements is a name of an <IPsec-transform> +section. +See below. +.It Em ReplayWindow +The size of the window used for replay protection. +This is normally left alone. +Look at the +.Nm ESP +and +.Nm AH +RFCs for a better description. +.El +.It Em <IPsec-transform> +.Bl -tag -width 12n +.It Em TRANSFORM_ID +The transform ID as given by the RFCs. +.It Em ENCAPSULATION_MODE +The encapsulation mode as given by the RFCs. +This means TRANSPORT or TUNNEL. +.It Em AUTHENTICATION_ALGORITHM +The optional authentication algorithm in the case of this +being an ESP transform. +.It Em GROUP_DESCRIPTION +An optional (provides PFS if present) Diffie-Hellman group +description. 
+The values are the same as GROUP_DESCRIPTION's +in <ISAKMP-transform> sections shown above. +.It Em Life +List of lifetimes, each element is a <Lifetime> section name. +.El +.It Em <IPsec-ID> +.Bl -tag -width 12n +.It Em ID-type +The ID type as given by the RFCs. +For IPsec this is currently +.Li IPV4_ADDR , +.Li IPV6_ADDR , +.Li IPV4_ADDR_SUBNET +or +.Li IPV6_ADDR_SUBNET . +.It Em Address +If the ID-type is +.Li IPV4_ADDR +or +.Li IPV6_ADDR +this tag should exist and be an IP-address. +.It Em Network +If the ID-type is +.Li IPV4_ADDR_SUBNET +or +.Li IPV6_ADDR_SUBNET +this tag should exist and +be a network address. +.It Em Netmask +If the ID-type is +.Li IPV4_ADDR_SUBNET +or +.Li IPV6_ADDR_SUBNET +this tag should exist and +be a network subnet mask. +.It Em Protocol +If the ID-type is +.Li IPV4_ADDR , +.Li IPV4_ADDR_SUBNET , +.Li IPV6_ADDR +or +.Li IPV6_ADDR_SUBNET +this tag indicates what transport protocol should be transmitted over +the SA. +If left unspecified, all transport protocols between the two address +(ranges) will be sent (or permitted) over that SA. +.It Em Port +If the ID-type is +.Li IPV4_ADDR , +.Li IPV4_ADDR_SUBNET , +.Li IPV6_ADDR +or +.Li IPV6_ADDR_SUBNET +this tag indicates what source or destination port is allowed to be +transported over the SA (depending on whether this is a local or +remote ID). +If left unspecified, all ports of the given transport protocol +will be transmitted (or permitted) over the SA. +The Protocol tag must be specified in conjunction with this tag. +.El +.El +.Ss Other sections +.Bl -hang -width 12n +.It Em <IKECFG-ID> +Parameters to use with IKE mode-config. +One ID per peer. +.Pp +An IKECFG-ID is written as [<ID-type>/<name>]. +The following ID types are supported: +.Bl -tag -width 12n +.It IPv4 +[ipv4/A.B.C.D] +.It IPv6 +[ipv6/abcd:abcd::ab:cd] +.It FQDN +[fqdn/foo.bar.org] +.It UFQDN +[ufqdn/user@foo.bar.org] +.It ASN1_DN +[asn1_dn//C=aa/O=cc/...] (Note the double slashes as the DN itself +starts with a +.Sq / . 
) +.El +.Pp +Each section specifies what configuration values to return to the peer +requesting IKE mode-config. +Currently supported values are: +.Bl -tag -width 12n +.It Em Address +The peer's network address. +.It Em Netmask +The peer's netmask. +.It Em Nameserver +The IP address of a DNS nameserver. +.It Em WINS-server +The IP address of a WINS server. +.El +.It Em <Initiator-ID> +.Pp +During phase 1 negotiation +.Nm isakmpd +looks for a pre-shared key in the <ISAKMP-peer> section. +If no Authentication data is specified in that section, and +.Nm isakmpd +is not the initiator, it looks for Authentication data in a section named after +the initiator's phase 1 ID. +This allows mobile users with dynamic IP addresses +to have different shared secrets. +.Pp +This only works for aggressive mode because in main mode the remote +initiator ID would not yet be known. +.Pp +The name of the <Initiator-ID> section depends on the ID type sent by +the initiator. +Currently this can be: +.Bl -tag -width 12n +.It IPv4 +[A.B.C.D] +.It IPv6 +[abcd:abcd::ab:cd] +.It FQDN +[foo.bar.org] +.It UFQDN +[user@foo.bar.org] +.El +.El +.Sh FILES +.Bl -tag -width /etc/isakmpd/isakmpd.conf +.It Pa /etc/isakmpd/isakmpd.conf +The default +.Nm isakmpd +configuration file. +.It Pa /usr/share/ipsec/isakmpd/ +A directory containing some sample +.Nm isakmpd +configuration files. +.El +.Sh EXAMPLES +An example of a configuration file: +.Bd -literal +# A configuration sample for the isakmpd ISAKMP/Oakley (aka IKE) daemon. + +[General] +Listen-on= 10.1.0.2 + +# Incoming phase 1 negotiations are multiplexed on the source IP address +[Phase 1] +10.1.0.1= ISAKMP-peer-west + +# These connections are walked over after config file parsing and told +# to the application layer so that it will inform us when traffic wants to +# pass over them. +This means we can do on-demand keying. +[Phase 2] +Connections= IPsec-east-west + +# Default values are commented out. 
+[ISAKMP-peer-west] +Phase= 1 +#Transport= udp +Local-address= 10.1.0.2 +Address= 10.1.0.1 +#Port= isakmp +#Port= 500 +#Configuration= Default-phase-1-configuration +Authentication= mekmitasdigoat +#Flags= + +[IPsec-east-west] +Phase= 2 +ISAKMP-peer= ISAKMP-peer-west +Configuration= Default-quick-mode +Local-ID= Net-east +Remote-ID= Net-west +#Flags= + +[Net-west] +ID-type= IPV4_ADDR_SUBNET +Network= 192.168.1.0 +Netmask= 255.255.255.0 + +[Net-east] +ID-type= IPV4_ADDR_SUBNET +Network= 192.168.2.0 +Netmask= 255.255.255.0 + +# Quick mode descriptions + +[Default-quick-mode] +EXCHANGE_TYPE= QUICK_MODE +Suites= QM-ESP-3DES-SHA-PFS-SUITE,QM-ESP-AES-SHA-PFS-SUITE + +# Data for an IKE mode-config peer +[asn1_dn//C=SE/L=SomeCity/O=SomeCompany/CN=SomePeer.company.com] +Address= 192.168.1.123 +Netmask= 255.255.255.0 +Nameserver= 192.168.1.10 +WINS-server= 192.168.1.11 + +# pre-shared key based on initiator's phase 1 ID +[foo.bar.org] +Authentication= mekmitasdigoat + +# +# ##################################################################### +# All configuration data below this point is not required as the example +# uses the predefined Main Mode transform and Quick Mode suite names. +# It is included here for completeness. Note the default values for the +# [General] and [X509-certificates] sections just below. 
+# ##################################################################### +# + +[General] +Policy-file= /etc/isakmpd/isakmpd.policy +Retransmits= 3 +Exchange-max-time= 120 + +# KeyNote credential storage +[KeyNote] +Credential-directory= /etc/isakmpd/keynote/ + +# Certificates stored in PEM format +[X509-certificates] +CA-directory= /etc/isakmpd/ca/ +Cert-directory= /etc/isakmpd/certs/ +CRL-directory= /etc/isakmpd/crls/ +Private-key= /etc/isakmpd/private/local.key + +# Default phase 1 description (Main Mode) + +[Default-phase-1-configuration] +EXCHANGE_TYPE= ID_PROT +Transforms= 3DES-SHA + +# Main mode transforms +###################### + +# DES + +[DES-MD5] +ENCRYPTION_ALGORITHM= DES_CBC +HASH_ALGORITHM= MD5 +AUTHENTICATION_METHOD= PRE_SHARED +GROUP_DESCRIPTION= MODP_1024 +Life= Default-phase-1-lifetime + +[DES-SHA] +ENCRYPTION_ALGORITHM= DES_CBC +HASH_ALGORITHM= SHA +AUTHENTICATION_METHOD= PRE_SHARED +GROUP_DESCRIPTION= MODP_1024 +Life= Default-phase-1-lifetime + +# 3DES + +[3DES-SHA] +ENCRYPTION_ALGORITHM= 3DES_CBC +HASH_ALGORITHM= SHA +AUTHENTICATION_METHOD= PRE_SHARED +GROUP_DESCRIPTION= MODP_1024 +Life= Default-phase-1-lifetime + +# Blowfish + +[BLF-SHA] +ENCRYPTION_ALGORITHM= BLOWFISH_CBC +KEY_LENGTH= 128,96:192 +HASH_ALGORITHM= SHA +AUTHENTICATION_METHOD= PRE_SHARED +GROUP_DESCRIPTION= MODP_1024 +Life= Default-phase-1-lifetime + +# Blowfish, using DH group 4 (non-default) +[BLF-SHA-EC185] +ENCRYPTION_ALGORITHM= BLOWFISH_CBC +KEY_LENGTH= 128,96:192 +HASH_ALGORITHM= SHA +AUTHENTICATION_METHOD= PRE_SHARED +GROUP_DESCRIPTION= EC2N_185 +Life= Default-phase-1-lifetime + +# Quick mode protection suites +############################## + +# DES + +[QM-ESP-DES-SUITE] +Protocols= QM-ESP-DES + +[QM-ESP-DES-PFS-SUITE] +Protocols= QM-ESP-DES-PFS + +[QM-ESP-DES-MD5-SUITE] +Protocols= QM-ESP-DES-MD5 + +[QM-ESP-DES-MD5-PFS-SUITE] +Protocols= QM-ESP-DES-MD5-PFS + +[QM-ESP-DES-SHA-SUITE] +Protocols= QM-ESP-DES-SHA + +[QM-ESP-DES-SHA-PFS-SUITE] +Protocols= QM-ESP-DES-SHA-PFS + 
+# 3DES + +[QM-ESP-3DES-SHA-SUITE] +Protocols= QM-ESP-3DES-SHA + +[QM-ESP-3DES-SHA-PFS-SUITE] +Protocols= QM-ESP-3DES-SHA-PFS + +# AES + +[QM-ESP-AES-SHA-SUITE] +Protocols= QM-ESP-AES-SHA + +[QM-ESP-AES-SHA-PFS-SUITE] +Protocols= QM-ESP-AES-SHA-PFS + +# AH + +[QM-AH-MD5-SUITE] +Protocols= QM-AH-MD5 + +[QM-AH-MD5-PFS-SUITE] +Protocols= QM-AH-MD5-PFS + +# AH + ESP (non-default) + +[QM-AH-MD5-ESP-DES-SUITE] +Protocols= QM-AH-MD5,QM-ESP-DES + +[QM-AH-MD5-ESP-DES-MD5-SUITE] +Protocols= QM-AH-MD5,QM-ESP-DES-MD5 + +[QM-ESP-DES-MD5-AH-MD5-SUITE] +Protocols= QM-ESP-DES-MD5,QM-AH-MD5 + +# Quick mode protocols + +# DES + +[QM-ESP-DES] +PROTOCOL_ID= IPSEC_ESP +Transforms= QM-ESP-DES-XF + +[QM-ESP-DES-MD5] +PROTOCOL_ID= IPSEC_ESP +Transforms= QM-ESP-DES-MD5-XF + +[QM-ESP-DES-MD5-PFS] +PROTOCOL_ID= IPSEC_ESP +Transforms= QM-ESP-DES-MD5-PFS-XF + +[QM-ESP-DES-SHA] +PROTOCOL_ID= IPSEC_ESP +Transforms= QM-ESP-DES-SHA-XF + +# 3DES + +[QM-ESP-3DES-SHA] +PROTOCOL_ID= IPSEC_ESP +Transforms= QM-ESP-3DES-SHA-XF + +[QM-ESP-3DES-SHA-PFS] +PROTOCOL_ID= IPSEC_ESP +Transforms= QM-ESP-3DES-SHA-PFS-XF + +[QM-ESP-3DES-SHA-TRP] +PROTOCOL_ID= IPSEC_ESP +Transforms= QM-ESP-3DES-SHA-TRP-XF + +# AES + +[QM-ESP-AES-SHA] +PROTOCOL_ID= IPSEC_ESP +Transforms= QM-ESP-AES-SHA-XF + +[QM-ESP-AES-SHA-PFS] +PROTOCOL_ID= IPSEC_ESP +Transforms= QM-ESP-AES-SHA-PFS-XF + +[QM-ESP-AES-SHA-TRP] +PROTOCOL_ID= IPSEC_ESP +Transforms= QM-ESP-AES-SHA-TRP-XF + +# AH MD5 + +[QM-AH-MD5] +PROTOCOL_ID= IPSEC_AH +Transforms= QM-AH-MD5-XF + +[QM-AH-MD5-PFS] +PROTOCOL_ID= IPSEC_AH +Transforms= QM-AH-MD5-PFS-XF + +# Quick mode transforms + +# ESP DES+MD5 + +[QM-ESP-DES-XF] +TRANSFORM_ID= DES +ENCAPSULATION_MODE= TUNNEL +Life= Default-phase-2-lifetime + +[QM-ESP-DES-MD5-XF] +TRANSFORM_ID= DES +ENCAPSULATION_MODE= TUNNEL +AUTHENTICATION_ALGORITHM= HMAC_MD5 +Life= Default-phase-2-lifetime + +[QM-ESP-DES-MD5-PFS-XF] +TRANSFORM_ID= DES +ENCAPSULATION_MODE= TUNNEL +GROUP_DESCRIPTION= MODP_1024 +AUTHENTICATION_ALGORITHM= HMAC_MD5 +Life= 
Default-phase-2-lifetime + +[QM-ESP-DES-SHA-XF] +TRANSFORM_ID= DES +ENCAPSULATION_MODE= TUNNEL +AUTHENTICATION_ALGORITHM= HMAC_SHA +Life= Default-phase-2-lifetime + +# 3DES + +[QM-ESP-3DES-SHA-XF] +TRANSFORM_ID= 3DES +ENCAPSULATION_MODE= TUNNEL +AUTHENTICATION_ALGORITHM= HMAC_SHA +Life= Default-phase-2-lifetime + +[QM-ESP-3DES-SHA-PFS-XF] +TRANSFORM_ID= 3DES +ENCAPSULATION_MODE= TUNNEL +AUTHENTICATION_ALGORITHM= HMAC_SHA +GROUP_DESCRIPTION= MODP_1024 +Life= Default-phase-2-lifetime + +[QM-ESP-3DES-SHA-TRP-XF] +TRANSFORM_ID= 3DES +ENCAPSULATION_MODE= TRANSPORT +AUTHENTICATION_ALGORITHM= HMAC_SHA +Life= Default-phase-2-lifetime + +# AES + +[QM-ESP-AES-SHA-XF] +TRANSFORM_ID= AES +ENCAPSULATION_MODE= TUNNEL +AUTHENTICATION_ALGORITHM= HMAC_SHA +Life= Default-phase-2-lifetime + +[QM-ESP-AES-SHA-PFS-XF] +TRANSFORM_ID= AES +ENCAPSULATION_MODE= TUNNEL +AUTHENTICATION_ALGORITHM= HMAC_SHA +GROUP_DESCRIPTION= MODP_1024 +Life= Default-phase-2-lifetime + +[QM-ESP-AES-SHA-TRP-XF] +TRANSFORM_ID= AES +ENCAPSULATION_MODE= TRANSPORT +AUTHENTICATION_ALGORITHM= HMAC_SHA +Life= Default-phase-2-lifetime + +# AH + +[QM-AH-MD5-XF] +TRANSFORM_ID= MD5 +ENCAPSULATION_MODE= TUNNEL +AUTHENTICATION_ALGORITHM= HMAC_MD5 +Life= Default-phase-2-lifetime + +[QM-AH-MD5-PFS-XF] +TRANSFORM_ID= MD5 +ENCAPSULATION_MODE= TUNNEL +GROUP_DESCRIPTION= MODP_1024 +Life= Default-phase-2-lifetime + +[Sample-Life-Time] +LIFE_TYPE= SECONDS +LIFE_DURATION= 3600,1800:7200 + +[Sample-Life-Volume] +LIFE_TYPE= KILOBYTES +LIFE_DURATION= 1000,768:1536 +.Ed +.Sh SEE ALSO +.Xr keynote 1 , +.Xr ipsec 4 , +.Xr keynote 4 , +.Xr isakmpd.policy 5 , +.Xr isakmpd 8 +.Sh BUGS +The RFCs do not permit differing DH groups in the same proposal for +aggressive and quick mode exchanges. +Mixing both PFS and non-PFS suites in a quick mode proposal is not possible, +as PFS implies using a DH group. |
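Review bot: In the EXAMPLES literal block, the sentence "This means we can do on-demand keying." sits on its own line without a leading "#", so anyone copying the sample gets a non-comment line between the comment and "[Phase 2]"; fold it into the preceding comment ("# pass over them. This means we can do on-demand keying."). The reference text and the sample also disagree in several places and should be aligned: the Roots list documents "X509-Certificates" with "Ca-directory", while the sample uses "[X509-certificates]" with "CA-directory=" and adds "CRL-directory=", which has no entry in the tag list; GROUP_DESCRIPTION names "EC_155" and "EC_185", but "[BLF-SHA-EC185]" sets "EC2N_185"; ipsecadm is cited as section 4 under Acquire-Only and as section 8 under Use-Keynote. Under <IPsec-connection>, the Remote-ID entry repeats the Local-ID wording ("that we should present to our peer") and probably should describe the ID expected from the peer, and "authorization by pre-shared keys" in the 3DES-SHA explanation reads as if "authentication" was meant.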