path: root/keyexchange/isakmpd-20041012/isakmpd.conf.5
Diffstat (limited to 'keyexchange/isakmpd-20041012/isakmpd.conf.5')
-rw-r--r--keyexchange/isakmpd-20041012/isakmpd.conf.51126
1 files changed, 0 insertions, 1126 deletions
diff --git a/keyexchange/isakmpd-20041012/isakmpd.conf.5 b/keyexchange/isakmpd-20041012/isakmpd.conf.5
deleted file mode 100644
index db3dd78..0000000
--- a/keyexchange/isakmpd-20041012/isakmpd.conf.5
+++ /dev/null
@@ -1,1126 +0,0 @@
-.\" $OpenBSD: isakmpd.conf.5,v 1.94 2004/08/10 15:59:10 ho Exp $
-.\" $EOM: isakmpd.conf.5,v 1.57 2000/12/21 14:43:17 ho Exp $
-.\"
-.\" Copyright (c) 1998, 1999, 2000 Niklas Hallqvist. All rights reserved.
-.\" Copyright (c) 2000, 2001, 2002 Håkan Olsson. All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in the
-.\" documentation and/or other materials provided with the distribution.
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
-.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
-.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
-.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
-.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
-.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
-.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
-.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
-.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.\" This code was written under funding by Ericsson Radio Systems.
-.\"
-.\" Manual page, using -mandoc macros
-.\"
-.Dd August 07, 2002
-.Dt ISAKMPD.CONF 5
-.Os
-.Sh NAME
-.Nm isakmpd.conf
-.Nd configuration file for isakmpd
-.Sh DESCRIPTION
-.Nm
-is the configuration file for the
-.Nm isakmpd
-daemon managing security association and key management for the
-IPsec layer of the kernel's networking stack.
-.Pp
-The file is of a well known type of format called .INI style, named after
-the suffix used by an overrated windowing environment for its configuration
-files.
-This format consists of sections, each beginning with a line looking like:
-.Bd -literal
-[Section name]
-.Ed
-Between the brackets is the name of the section following this section header.
-Inside a section many tag/value pairs can be stored, each one looking like:
-.Bd -literal
-Tag=Value
-.Ed
-If the value needs more space than fits on a single line it's possible to
-continue it on the next by ending the first with a backslash character
-immediately before the newline character.
-This method can extend a value for an arbitrary number of lines.
-.Pp
-Comments can be put anywhere in the file by using a hash mark
-.Pq Sq \&# .
-The comment extends to the end of the current line.
-.Pp
-Often the right-hand side values consist of other section names.
-This results in a tree structure.
-Some values are treated as a list of several scalar values.
-Such lists always use a comma character as the separator.
-Some values are formatted like this: X,Y:Z, which
-is an offer/accept syntax, where X is a value we offer and Y:Z is a range of
-accepted values, inclusive.
-.Pp
-To activate changes to
-.Nm
-without restarting
-.Nm isakmpd ,
-send a
-.Dv SIGHUP
-signal to the daemon process.
-.Ss Auto-generated parts of the configuration
-.Pp
-Some predefined section names are recognized by the daemon, avoiding the need
-to fully specify the Main Mode transforms and Quick Mode suites, protocols,
-and transforms.
-.Pp
-For Main Mode:
-.Bd -filled -compact
-.Ar {DES,BLF,3DES,CAST,AES}-{MD5,SHA}[-GRP{1,2,5,14}][-{DSS,RSA_SIG}]
-.Ed
-.Pp
-For Quick Mode:
-.Bd -filled -compact
-.Ar QM-{proto}[-TRP]-{cipher}[-{hash}][-PFS[-{group}]]-SUITE
-.Ed
-.Bd -literal
- where
- {proto} is either ESP or AH
- {cipher} is either DES, 3DES, CAST, BLF or AES
- {hash} is either MD5, SHA, RIPEMD, SHA2-{256,384,512}
- {group} is either GRP1, GRP2, GRP5 or GRP14
-.Ed
-.Pp
-For example, 3DES-SHA means: 3DES encryption, SHA hash, and authorization by
-pre-shared keys.
-Similarly, QM-ESP-3DES-SHA-PFS-SUITE means: ESP protocol, 3DES encryption,
-SHA hash, and use Perfect Forward Secrecy.
-.Pp
-Unless explicitly stated with -GRP1, 2, 5 or 14 transforms and PFS suites
-use DH group 2.
-There are currently no predefined ESP+AH Quick Mode suites.
-.Pp
-The predefinitions include some default values for the special
-sections "General", "Keynote", "X509-certificates", and
-"Default-phase-1-configuration".
-These default values are presented in the example below.
-.Pp
-All autogenerated values can be overridden by manual entries by using the
-same section and tag names in the configuration file.
-In particular, the default phase 1 (Main or Aggressive Mode) and phase 2
-(Quick Mode) lifetimes can be overridden by these tags under the "General"
-section;
-.Bd -literal
-[General]
-Default-phase-1-lifetime= 3600,60:86400
-Default-phase-2-lifetime= 1200,60:86400
-.Ed
-.Pp
-The Main Mode lifetime currently defaults to one hour (minimum 60
-seconds, maximum 1 day).
-The Quick Mode lifetime defaults to 20 minutes
-(minimum 60 seconds, maximum 1 day).
-.Pp
-Also, the default phase 1 ID can be set by creating a <Phase1-ID>
-section, as shown below, and adding this tag under the "General"
-section;
-.Bd -literal
-[General]
-Default-phase-1-ID= Phase1-ID-name
-
-[Phase1-ID-name]
-ID-type= USER_FQDN
-Name= foo@bar.com
-.Ed
-.Ss Roots
-.Bl -hang -width 12n
-.It Em General
-Generic global configuration parameters
-.Bl -tag -width 12n
-.It Em Default-phase-1-ID
-Optional default phase 1 ID name.
-.It Em Default-phase-1-lifetime
-The default lifetime for autogenerated transforms (phase 1).
-If unspecified, the value 3600,60:86400 is used as the default.
-.It Em Default-phase-2-lifetime
-The default lifetime for autogenerated suites (phase 2).
-If unspecified, the value 1200,60:86400 is used as the default.
-.It Em Default-phase-2-suites
-A list of phase 2 suites that will be used when establishing dynamic
-SAs.
-If left unspecified, QM-ESP-3DES-SHA-PFS-SUITE is used as the default.
-.It Em Acquire-Only
-If this tag is defined,
-.Nm isakmpd
-will not set up flows automatically.
-This is useful when flows are configured with
-.Xr ipsecadm 4
-or by other programs like
-.Xr bgpd 8 .
-Thus
-.Nm isakmpd
-only takes care of the SA establishment.
-.It Em Check-interval
-The interval between watchdog checks of connections we want up at all
-times.
-.It Em DPD-check-interval
-The interval between RFC 3706 (Dead Peer Detection) messages.
-The default value is 0 (zero), which means DPD is disabled.
-.It Em Exchange-max-time
-How many seconds should an exchange maximally take to set up before we
-give up.
-.It Em Listen-on
-A list of IP-addresses OK to listen on.
-This list is used as a filter for the set of addresses the interfaces
-configured provides.
-This means that we won't see if an address given here does not exist
-on this host, and thus no error is given for that case.
-.It Em Loglevel
-A list of the form
-.Ar class Ns = Ns Ar level ,
-where both
-.Ar class
-and
-.Ar level
-are numbers.
-This is similar to the
-.Fl D
-command line switch of
-.Em isakmpd .
-See
-.Xr isakmpd 8
-for details.
-.It Em Logverbose
-If this tag is defined, whatever the value is, verbose logging is enabled.
-This is similar to the
-.Fl v
-command line switch of
-.Em isakmpd .
-See
-.Xr isakmpd 8
-for details.
-.It Em NAT-T-Keepalive
-The number of seconds between NAT-T keepalive messages, sent by the
-peer behind NAT to keep the mapping active.
-Defaults to 20.
-.It Em Policy-file
-The name of the file that contains
-.Xr keynote 4
-policies.
-The default is "/etc/isakmpd/isakmpd.policy".
-.It Em Pubkey-directory
-The directory in which
-.Nm
-looks for explicitly trusted public keys.
-The default is "/etc/isakmpd/pubkeys".
-Read
-.Xr isakmpd 8
-for the required naming convention of the files in here.
-.It Em Renegotiate-on-HUP
-If this tag is defined, whatever the value is,
-.Nm isakmpd
-will renegotiate all current phase 2 SAs when the daemon receives a
-.Dv SIGHUP
-signal, or an
-.Sq R
-is sent to the FIFO interface (see
-.Xr isakmpd 8 ) .
-.It Em Retransmits
-How many times should a message be retransmitted before giving up.
-.It Em Shared-SADB
-If this tag is defined, whatever the value is, some semantics of
-.Nm
-are changed so that multiple instances can run on top of one SADB
-and set up SAs with each other.
-Specifically this means replay
-protection will not be asked for, and errors that can occur when
-updating an SA with its parameters a 2nd time will be ignored.
-.It Em Use-Keynote
-This tag controls the use of
-.Xr keynote 4
-policy checking.
-The default value is
-.Qq yes ,
-which enables the policy checking.
-When set to any other value, policies will not be checked.
-This is useful when policies for flows and SA establishment are arranged by
-other programs like
-.Xr ipsecadm 8
-or
-.Xr bgpd 8 .
-.El
-.It Em Phase 1
-ISAKMP SA negotiation parameter root
-.Bl -tag -width 12n
-.It Em <IP-address>
-A name of the ISAKMP peer at the given IP-address.
-.It Em Default
-A name of the default ISAKMP peer.
-Incoming phase 1 connections from other IP-addresses will use this peer name.
-.It ""
-This name is used as the section name for further information to be found.
-Look at <ISAKMP-peer> below.
-.El
-.It Em Phase 2
-IPsec SA negotiation parameter root
-.Bl -tag -width 12n
-.It Em Connections
-A list of directed IPsec "connection" names that should be brought up
-automatically, either on first use if the system supports it, or at
-startup of the daemon.
-These names are section names where further information can be found.
-Look at <IPsec-connection> below.
-Normally any connections mentioned here are treated as part of the
-"Passive-connection" list we present below, however there is a
-flag: "Active-only" that disables this behaviour.
-This too is mentioned in the <IPsec-connection> section, in the "Flags" tag.
-.It Em Passive-connections
-A list of IPsec "connection" names we recognize and accept initiations for.
-These names are section names where further information can be found.
-Look at <IPsec-connection> below.
-Currently only the Local-ID and Remote-ID tags
-are looked at in those sections, as they are matched against the IDs given
-by the initiator.
-.El
-.It Em KeyNote
-.Bl -tag -width 12n
-.It Em Credential-directory
-A directory containing directories named after IDs (IP
-addresses,
-.Dq user@domain ,
-or hostnames) that contain files named
-.Dq credentials
-and
-.Dq private_key .
-.Pp
-The credentials file contains
-.Xr keynote 4
-credentials that are sent to a remote IKE daemon when we use the
-associated ID, or credentials that we may want to consider when doing
-an exchange with a remote IKE daemon that uses that ID.
-Note that, in the former case, the last credential in the file
-MUST contain our public key in its Licensees field.
-More than one credentials may exist in the file.
-They are separated by whitelines (the format is essentially the same as
-that of the policy file).
-The credentials are of the same format as the policies described in
-.Xr isakmpd.policy 5 .
-The only difference is that the Authorizer field contains a public
-key, and the assertion is signed.
-Signed assertions can be generated using the
-.Xr keynote 1
-utility.
-.Pp
-The private_key file contains the private RSA key we use for
-authentication.
-If the directory (and the files) exist, they take precedence over X509-based
-authentication.
-.El
-.It Em X509-Certificates
-.Bl -tag -width 12n
-.It Em Accept-self-signed
-If this tag is defined, whatever the value is, certificates that
-do not originate from a trusted CA but are self-signed will be
-accepted.
-.It Em Ca-directory
-A directory containing PEM certificates of certification authorities
-that we trust to sign other certificates.
-Note that for a CA to be really trusted, it needs to be somehow
-referred to by policy, in
-.Xr isakmpd.policy 5 .
-The certificates in this directory are used for the actual X.509
-authentication and for cross-referencing policies that refer to
-Distinguished Names (DNs).
-Keeping a separate directory (as opposed to integrating policies
-and X.509 CA certificates) allows for maintenance of a list of
-"well known" CAs without actually having to trust all (or any) of them.
-.It Em Cert-directory
-A directory containing PEM certificates that we trust to be valid.
-These certificates are used in preference to those passed in messages and
-are required to have a subjectAltName extension containing the certificate
-holder identity; usually IP address, FQDN, or User FQDN, as provided by
-.Xr certpatch 8 .
-.It Em Private-key
-The private key matching the public key of our certificate (which should be
-in the "Cert-directory", and have an appropriate subjectAltName field).
-.El
-.El
-.Ss Referred-to sections
-.Bl -hang -width 12n
-.It Em <ISAKMP-peer>
-Parameters for negotiation with an ISAKMP peer
-.Bl -tag -width 12n
-.It Em Phase
-The constant
-.Li 1 ,
-as ISAKMP-peers and IPsec-connections
-really are handled by the same code inside isakmpd.
-.It Em Transport
-The name of the transport protocol, defaults to
-.Li UDP .
-.It Em Port
-In case of
-.Li UDP ,
-the
-.Li UDP
-port number to send to.
-This is optional, the
-default value is 500 which is the IANA-registered number for ISAKMP.
-.It Em Local-address
-The Local IP-address to use, if we are multi-homed, or have aliases.
-.It Em Address
-If existent, the IP-address of the peer.
-.It Em Configuration
-The name of the ISAKMP-configuration section to use.
-Look at <ISAKMP-configuration> below.
-If unspecified, defaults to "Default-phase-1-configuration".
-.It Em Authentication
-If existent, authentication data for this specific peer.
-In the case of preshared key, this is the key value itself.
-.It Em ID
-If existent, the name of the section that describes the
-local client ID that we should present to our peer.
-If not present, it
-defaults to the address of the local interface we are sending packets
-over to the remote daemon.
-Look at <Phase1-ID> below.
-.It Em Remote-ID
-If existent, the name of the section that describes the remote client
-ID we expect the remote daemon to send us.
-If not present, it defaults to the address of the remote daemon.
-Look at <Phase1-ID> below.
-.It Em Flags
-A comma-separated list of flags controlling the further
-handling of the ISAKMP SA.
-Currently there are no specific ISAKMP SA flags defined.
-.El
-.It Em <Phase1-ID>
-.Bl -tag -width 12n
-.It Em ID-type
-The ID type as given by the RFC specifications.
-For phase 1 this is currently
-.Li IPV4_ADDR ,
-.Li IPV4_ADDR_SUBNET ,
-.Li IPV6_ADDR ,
-.Li IPV6_ADDR_SUBNET ,
-.Li FQDN ,
-.Li USER_FQDN
-or
-.Li KEY_ID .
-.It Em Address
-If the ID-type is
-.Li IPV4_ADDR
-or
-.Li IPV6_ADDR ,
-this tag should exist and be an IP-address.
-.It Em Network
-If the ID-type is
-.Li IPV4_ADDR_SUBNET
-or
-.Li IPV6_ADDR_SUBNET
-this tag should exist and
-be a network address.
-.It Em Netmask
-If the ID-type is
-.Li IPV4_ADDR_SUBNET
-or
-.Li IPV6_ADDR_SUBNET
-this tag should exist and
-be a network subnet mask.
-.It Em Name
-If the ID-type is
-.Li FQDN ,
-.Li USER_FQDN
-or
-.Li KEY_ID ,
-this tag should exist and contain a domain name, user@domain, or
-other identifying string respectively.
-.Pp
-In the case of
-.Li KEY_ID ,
-note that the IKE protocol allows any octet sequence to be sent or
-received under this payload, potentially including non-printable
-ones.
-.Xr isakmpd 8
-can only transmit printable
-.Li KEY_ID
-payloads, but can receive and process arbitrary
-.Li KEY_ID
-payloads.
-This effectively means that non-printable
-.Li KEY_ID
-remote identities cannot be verified through this means, although it
-is still possible to do so through
-.Xr isakmpd.policy 5 .
-.El
-.It Em <ISAKMP-configuration>
-.Bl -tag -width 12n
-.It Em DOI
-The domain of interpretation as given by the RFCs.
-Normally
-.Li IPSEC .
-If unspecified, defaults to
-.Li IPSEC .
-.It Em EXCHANGE_TYPE
-The exchange type as given by the RFCs.
-For main mode this is
-.Li ID_PROT
-and for aggressive mode it is
-.Li AGGRESSIVE .
-.It Em Transforms
-A list of proposed transforms to use for protecting the
-ISAKMP traffic.
-These are actually names for sections
-further describing the transforms.
-Look at <ISAKMP-transform> below.
-.El
-.It Em <ISAKMP-transform>
-.Bl -tag -width 12n
-.It Em ENCRYPTION_ALGORITHM
-The encryption algorithm as the RFCs name it, or ANY to denote that any
-encryption algorithm proposed will be accepted.
-.It Em KEY_LENGTH
-For encryption algorithms with variable key length, this is
-where the offered/accepted keylengths are described.
-The value is of the offer-accept kind described above.
-.It Em HASH_ALGORITHM
-The hash algorithm as the RFCs name it, or ANY.
-.It Em AUTHENTICATION_METHOD
-The authentication method as the RFCs name it, or ANY.
-.It Em GROUP_DESCRIPTION
-The group used for Diffie-Hellman exponentiations, or ANY.
-The names are symbolic, like
-.Li MODP_768 , MODP_1024 , EC_155
-and
-.Li EC_185 .
-.It Em PRF
-The algorithm to use for the keyed pseudo-random function (used for key
-derivation and authentication in phase 1), or ANY.
-.It Em Life
-A list of lifetime descriptions, or ANY.
-In the former case, each
-element is in itself a name of the section that defines the lifetime.
-Look at <Lifetime> below.
-If it is set to ANY, then any type of
-proposed lifetime type and value will be accepted.
-.El
-.It Em <Lifetime>
-.Bl -tag -width 12n
-.It Em LIFE_TYPE
-.Li SECONDS
-or
-.Li KILOBYTES
-depending on the type of the duration.
-Notice that this field may NOT be set to ANY.
-.It Em LIFE_DURATION
-An offer/accept kind of value, see above.
-Can also be set to ANY.
-.El
-.It Em <IPsec-connection>
-.Bl -tag -width 12n
-.It Em Phase
-The constant
-.Li 2 ,
-as ISAKMP-peers and IPsec-connections
-really are handled by the same code inside isakmpd.
-.It Em ISAKMP-peer
-The name of the ISAKMP-peer which to talk to in order to
-set up this connection.
-The value is the name of an <ISAKMP-peer> section.
-See above.
-.It Em Configuration
-The name of the IPsec-configuration section to use.
-Look at <IPsec-configuration> below.
-.It Em Local-ID
-If existent, the name of the section that describes the
-optional local client ID that we should present to our peer.
-It is also used when we act as responders to find out what
-<IPsec-connection> we are dealing with.
-Look at <IPsec-ID> below.
-.It Em Remote-ID
-If existent, the name of the section that describes the
-optional remote client ID that we should present to our peer.
-It is also used when we act as responders to find out what
-<IPsec-connection> we are dealing with.
-Look at <IPsec-ID> below.
-.It Em Flags
-A comma-separated list of flags controlling the further
-handling of the IPsec SA.
-Currently only one flag is defined:
-.Bl -tag -width 12n
-.It Em Active-only
-If this flag is given and this <IPsec-connection> is part of the phase 2
-connections we automatically keep up, it will not automatically be used for
-accepting connections from the peer.
-.El
-.El
-.It Em <IPsec-configuration>
-.Bl -tag -width 12n
-.It Em DOI
-The domain of interpretation as given by the RFCs.
-Normally
-.Li IPSEC .
-If unspecified, defaults to
-.Li IPSEC .
-.It Em EXCHANGE_TYPE
-The exchange type as given by the RFCs.
-For quick mode this is
-.Li QUICK_MODE .
-.It Em Suites
-A list of protection suites (bundles of protocols) usable for
-protecting the IP traffic.
-Each of the list elements is a name of an <IPsec-suite> section.
-See below.
-.El
-.It Em <IPsec-suite>
-.Bl -tag -width 12n
-.It Em Protocols
-A list of the protocols included in this protection suite.
-Each of the list elements is a name of an <IPsec-protocol>
-section.
-See below.
-.El
-.It Em <IPsec-protocol>
-.Bl -tag -width 12n
-.It Em PROTOCOL_ID
-The protocol as given by the RFCs.
-Acceptable values today are
-.Li IPSEC_AH
-and
-.Li IPSEC_ESP .
-.It Em Transforms
-A list of transforms usable for implementing the protocol.
-Each of the list elements is a name of an <IPsec-transform>
-section.
-See below.
-.It Em ReplayWindow
-The size of the window used for replay protection.
-This is normally left alone.
-Look at the
-.Nm ESP
-and
-.Nm AH
-RFCs for a better description.
-.El
-.It Em <IPsec-transform>
-.Bl -tag -width 12n
-.It Em TRANSFORM_ID
-The transform ID as given by the RFCs.
-.It Em ENCAPSULATION_MODE
-The encapsulation mode as given by the RFCs.
-This means TRANSPORT or TUNNEL.
-.It Em AUTHENTICATION_ALGORITHM
-The optional authentication algorithm in the case of this
-being an ESP transform.
-.It Em GROUP_DESCRIPTION
-An optional (provides PFS if present) Diffie-Hellman group
-description.
-The values are the same as GROUP_DESCRIPTION's
-in <ISAKMP-transform> sections shown above.
-.It Em Life
-List of lifetimes, each element is a <Lifetime> section name.
-.El
-.It Em <IPsec-ID>
-.Bl -tag -width 12n
-.It Em ID-type
-The ID type as given by the RFCs.
-For IPsec this is currently
-.Li IPV4_ADDR ,
-.Li IPV6_ADDR ,
-.Li IPV4_ADDR_SUBNET
-or
-.Li IPV6_ADDR_SUBNET .
-.It Em Address
-If the ID-type is
-.Li IPV4_ADDR
-or
-.Li IPV6_ADDR
-this tag should exist and be an IP-address.
-.It Em Network
-If the ID-type is
-.Li IPV4_ADDR_SUBNET
-or
-.Li IPV6_ADDR_SUBNET
-this tag should exist and
-be a network address.
-.It Em Netmask
-If the ID-type is
-.Li IPV4_ADDR_SUBNET
-or
-.Li IPV6_ADDR_SUBNET
-this tag should exist and
-be a network subnet mask.
-.It Em Protocol
-If the ID-type is
-.Li IPV4_ADDR ,
-.Li IPV4_ADDR_SUBNET ,
-.Li IPV6_ADDR
-or
-.Li IPV6_ADDR_SUBNET
-this tag indicates what transport protocol should be transmitted over
-the SA.
-If left unspecified, all transport protocols between the two address
-(ranges) will be sent (or permitted) over that SA.
-.It Em Port
-If the ID-type is
-.Li IPV4_ADDR ,
-.Li IPV4_ADDR_SUBNET ,
-.Li IPV6_ADDR
-or
-.Li IPV6_ADDR_SUBNET
-this tag indicates what source or destination port is allowed to be
-transported over the SA (depending on whether this is a local or
-remote ID).
-If left unspecified, all ports of the given transport protocol
-will be transmitted (or permitted) over the SA.
-The Protocol tag must be specified in conjunction with this tag.
-.El
-.El
-.Ss Other sections
-.Bl -hang -width 12n
-.It Em <IKECFG-ID>
-Parameters to use with IKE mode-config.
-One ID per peer.
-.Pp
-An IKECFG-ID is written as [<ID-type>/<name>].
-The following ID types are supported:
-.Bl -tag -width 12n
-.It IPv4
-[ipv4/A.B.C.D]
-.It IPv6
-[ipv6/abcd:abcd::ab:cd]
-.It FQDN
-[fqdn/foo.bar.org]
-.It UFQDN
-[ufqdn/user@foo.bar.org]
-.It ASN1_DN
-[asn1_dn//C=aa/O=cc/...] (Note the double slashes as the DN itself
-starts with a
-.Sq / . )
-.El
-.Pp
-Each section specifies what configuration values to return to the peer
-requesting IKE mode-config.
-Currently supported values are:
-.Bl -tag -width 12n
-.It Em Address
-The peer's network address.
-.It Em Netmask
-The peer's netmask.
-.It Em Nameserver
-The IP address of a DNS nameserver.
-.It Em WINS-server
-The IP address of a WINS server.
-.El
-.It Em <Initiator-ID>
-.Pp
-During phase 1 negotiation
-.Nm isakmpd
-looks for a pre-shared key in the <ISAKMP-peer> section.
-If no Authentication data is specified in that section, and
-.Nm isakmpd
-is not the initiator, it looks for Authentication data in a section named after
-the initiator's phase 1 ID.
-This allows mobile users with dynamic IP addresses
-to have different shared secrets.
-.Pp
-This only works for aggressive mode because in main mode the remote
-initiator ID would not yet be known.
-.Pp
-The name of the <Initiator-ID> section depends on the ID type sent by
-the initiator.
-Currently this can be:
-.Bl -tag -width 12n
-.It IPv4
-[A.B.C.D]
-.It IPv6
-[abcd:abcd::ab:cd]
-.It FQDN
-[foo.bar.org]
-.It UFQDN
-[user@foo.bar.org]
-.El
-.El
-.Sh FILES
-.Bl -tag -width /etc/isakmpd/isakmpd.conf
-.It Pa /etc/isakmpd/isakmpd.conf
-The default
-.Nm isakmpd
-configuration file.
-.It Pa /usr/share/ipsec/isakmpd/
-A directory containing some sample
-.Nm isakmpd
-configuration files.
-.El
-.Sh EXAMPLES
-An example of a configuration file:
-.Bd -literal
-# A configuration sample for the isakmpd ISAKMP/Oakley (aka IKE) daemon.
-
-[General]
-Listen-on= 10.1.0.2
-
-# Incoming phase 1 negotiations are multiplexed on the source IP address
-[Phase 1]
-10.1.0.1= ISAKMP-peer-west
-
-# These connections are walked over after config file parsing and told
-# to the application layer so that it will inform us when traffic wants to
-# pass over them.
-This means we can do on-demand keying.
-[Phase 2]
-Connections= IPsec-east-west
-
-# Default values are commented out.
-[ISAKMP-peer-west]
-Phase= 1
-#Transport= udp
-Local-address= 10.1.0.2
-Address= 10.1.0.1
-#Port= isakmp
-#Port= 500
-#Configuration= Default-phase-1-configuration
-Authentication= mekmitasdigoat
-#Flags=
-
-[IPsec-east-west]
-Phase= 2
-ISAKMP-peer= ISAKMP-peer-west
-Configuration= Default-quick-mode
-Local-ID= Net-east
-Remote-ID= Net-west
-#Flags=
-
-[Net-west]
-ID-type= IPV4_ADDR_SUBNET
-Network= 192.168.1.0
-Netmask= 255.255.255.0
-
-[Net-east]
-ID-type= IPV4_ADDR_SUBNET
-Network= 192.168.2.0
-Netmask= 255.255.255.0
-
-# Quick mode descriptions
-
-[Default-quick-mode]
-EXCHANGE_TYPE= QUICK_MODE
-Suites= QM-ESP-3DES-SHA-PFS-SUITE,QM-ESP-AES-SHA-PFS-SUITE
-
-# Data for an IKE mode-config peer
-[asn1_dn//C=SE/L=SomeCity/O=SomeCompany/CN=SomePeer.company.com]
-Address= 192.168.1.123
-Netmask= 255.255.255.0
-Nameserver= 192.168.1.10
-WINS-server= 192.168.1.11
-
-# pre-shared key based on initiator's phase 1 ID
-[foo.bar.org]
-Authentication= mekmitasdigoat
-
-#
-# #####################################################################
-# All configuration data below this point is not required as the example
-# uses the predefined Main Mode transform and Quick Mode suite names.
-# It is included here for completeness. Note the default values for the
-# [General] and [X509-certificates] sections just below.
-# #####################################################################
-#
-
-[General]
-Policy-file= /etc/isakmpd/isakmpd.policy
-Retransmits= 3
-Exchange-max-time= 120
-
-# KeyNote credential storage
-[KeyNote]
-Credential-directory= /etc/isakmpd/keynote/
-
-# Certificates stored in PEM format
-[X509-certificates]
-CA-directory= /etc/isakmpd/ca/
-Cert-directory= /etc/isakmpd/certs/
-CRL-directory= /etc/isakmpd/crls/
-Private-key= /etc/isakmpd/private/local.key
-
-# Default phase 1 description (Main Mode)
-
-[Default-phase-1-configuration]
-EXCHANGE_TYPE= ID_PROT
-Transforms= 3DES-SHA
-
-# Main mode transforms
-######################
-
-# DES
-
-[DES-MD5]
-ENCRYPTION_ALGORITHM= DES_CBC
-HASH_ALGORITHM= MD5
-AUTHENTICATION_METHOD= PRE_SHARED
-GROUP_DESCRIPTION= MODP_1024
-Life= Default-phase-1-lifetime
-
-[DES-SHA]
-ENCRYPTION_ALGORITHM= DES_CBC
-HASH_ALGORITHM= SHA
-AUTHENTICATION_METHOD= PRE_SHARED
-GROUP_DESCRIPTION= MODP_1024
-Life= Default-phase-1-lifetime
-
-# 3DES
-
-[3DES-SHA]
-ENCRYPTION_ALGORITHM= 3DES_CBC
-HASH_ALGORITHM= SHA
-AUTHENTICATION_METHOD= PRE_SHARED
-GROUP_DESCRIPTION= MODP_1024
-Life= Default-phase-1-lifetime
-
-# Blowfish
-
-[BLF-SHA]
-ENCRYPTION_ALGORITHM= BLOWFISH_CBC
-KEY_LENGTH= 128,96:192
-HASH_ALGORITHM= SHA
-AUTHENTICATION_METHOD= PRE_SHARED
-GROUP_DESCRIPTION= MODP_1024
-Life= Default-phase-1-lifetime
-
-# Blowfish, using DH group 4 (non-default)
-[BLF-SHA-EC185]
-ENCRYPTION_ALGORITHM= BLOWFISH_CBC
-KEY_LENGTH= 128,96:192
-HASH_ALGORITHM= SHA
-AUTHENTICATION_METHOD= PRE_SHARED
-GROUP_DESCRIPTION= EC2N_185
-Life= Default-phase-1-lifetime
-
-# Quick mode protection suites
-##############################
-
-# DES
-
-[QM-ESP-DES-SUITE]
-Protocols= QM-ESP-DES
-
-[QM-ESP-DES-PFS-SUITE]
-Protocols= QM-ESP-DES-PFS
-
-[QM-ESP-DES-MD5-SUITE]
-Protocols= QM-ESP-DES-MD5
-
-[QM-ESP-DES-MD5-PFS-SUITE]
-Protocols= QM-ESP-DES-MD5-PFS
-
-[QM-ESP-DES-SHA-SUITE]
-Protocols= QM-ESP-DES-SHA
-
-[QM-ESP-DES-SHA-PFS-SUITE]
-Protocols= QM-ESP-DES-SHA-PFS
-
-# 3DES
-
-[QM-ESP-3DES-SHA-SUITE]
-Protocols= QM-ESP-3DES-SHA
-
-[QM-ESP-3DES-SHA-PFS-SUITE]
-Protocols= QM-ESP-3DES-SHA-PFS
-
-# AES
-
-[QM-ESP-AES-SHA-SUITE]
-Protocols= QM-ESP-AES-SHA
-
-[QM-ESP-AES-SHA-PFS-SUITE]
-Protocols= QM-ESP-AES-SHA-PFS
-
-# AH
-
-[QM-AH-MD5-SUITE]
-Protocols= QM-AH-MD5
-
-[QM-AH-MD5-PFS-SUITE]
-Protocols= QM-AH-MD5-PFS
-
-# AH + ESP (non-default)
-
-[QM-AH-MD5-ESP-DES-SUITE]
-Protocols= QM-AH-MD5,QM-ESP-DES
-
-[QM-AH-MD5-ESP-DES-MD5-SUITE]
-Protocols= QM-AH-MD5,QM-ESP-DES-MD5
-
-[QM-ESP-DES-MD5-AH-MD5-SUITE]
-Protocols= QM-ESP-DES-MD5,QM-AH-MD5
-
-# Quick mode protocols
-
-# DES
-
-[QM-ESP-DES]
-PROTOCOL_ID= IPSEC_ESP
-Transforms= QM-ESP-DES-XF
-
-[QM-ESP-DES-MD5]
-PROTOCOL_ID= IPSEC_ESP
-Transforms= QM-ESP-DES-MD5-XF
-
-[QM-ESP-DES-MD5-PFS]
-PROTOCOL_ID= IPSEC_ESP
-Transforms= QM-ESP-DES-MD5-PFS-XF
-
-[QM-ESP-DES-SHA]
-PROTOCOL_ID= IPSEC_ESP
-Transforms= QM-ESP-DES-SHA-XF
-
-# 3DES
-
-[QM-ESP-3DES-SHA]
-PROTOCOL_ID= IPSEC_ESP
-Transforms= QM-ESP-3DES-SHA-XF
-
-[QM-ESP-3DES-SHA-PFS]
-PROTOCOL_ID= IPSEC_ESP
-Transforms= QM-ESP-3DES-SHA-PFS-XF
-
-[QM-ESP-3DES-SHA-TRP]
-PROTOCOL_ID= IPSEC_ESP
-Transforms= QM-ESP-3DES-SHA-TRP-XF
-
-# AES
-
-[QM-ESP-AES-SHA]
-PROTOCOL_ID= IPSEC_ESP
-Transforms= QM-ESP-AES-SHA-XF
-
-[QM-ESP-AES-SHA-PFS]
-PROTOCOL_ID= IPSEC_ESP
-Transforms= QM-ESP-AES-SHA-PFS-XF
-
-[QM-ESP-AES-SHA-TRP]
-PROTOCOL_ID= IPSEC_ESP
-Transforms= QM-ESP-AES-SHA-TRP-XF
-
-# AH MD5
-
-[QM-AH-MD5]
-PROTOCOL_ID= IPSEC_AH
-Transforms= QM-AH-MD5-XF
-
-[QM-AH-MD5-PFS]
-PROTOCOL_ID= IPSEC_AH
-Transforms= QM-AH-MD5-PFS-XF
-
-# Quick mode transforms
-
-# ESP DES+MD5
-
-[QM-ESP-DES-XF]
-TRANSFORM_ID= DES
-ENCAPSULATION_MODE= TUNNEL
-Life= Default-phase-2-lifetime
-
-[QM-ESP-DES-MD5-XF]
-TRANSFORM_ID= DES
-ENCAPSULATION_MODE= TUNNEL
-AUTHENTICATION_ALGORITHM= HMAC_MD5
-Life= Default-phase-2-lifetime
-
-[QM-ESP-DES-MD5-PFS-XF]
-TRANSFORM_ID= DES
-ENCAPSULATION_MODE= TUNNEL
-GROUP_DESCRIPTION= MODP_1024
-AUTHENTICATION_ALGORITHM= HMAC_MD5
-Life= Default-phase-2-lifetime
-
-[QM-ESP-DES-SHA-XF]
-TRANSFORM_ID= DES
-ENCAPSULATION_MODE= TUNNEL
-AUTHENTICATION_ALGORITHM= HMAC_SHA
-Life= Default-phase-2-lifetime
-
-# 3DES
-
-[QM-ESP-3DES-SHA-XF]
-TRANSFORM_ID= 3DES
-ENCAPSULATION_MODE= TUNNEL
-AUTHENTICATION_ALGORITHM= HMAC_SHA
-Life= Default-phase-2-lifetime
-
-[QM-ESP-3DES-SHA-PFS-XF]
-TRANSFORM_ID= 3DES
-ENCAPSULATION_MODE= TUNNEL
-AUTHENTICATION_ALGORITHM= HMAC_SHA
-GROUP_DESCRIPTION= MODP_1024
-Life= Default-phase-2-lifetime
-
-[QM-ESP-3DES-SHA-TRP-XF]
-TRANSFORM_ID= 3DES
-ENCAPSULATION_MODE= TRANSPORT
-AUTHENTICATION_ALGORITHM= HMAC_SHA
-Life= Default-phase-2-lifetime
-
-# AES
-
-[QM-ESP-AES-SHA-XF]
-TRANSFORM_ID= AES
-ENCAPSULATION_MODE= TUNNEL
-AUTHENTICATION_ALGORITHM= HMAC_SHA
-Life= Default-phase-2-lifetime
-
-[QM-ESP-AES-SHA-PFS-XF]
-TRANSFORM_ID= AES
-ENCAPSULATION_MODE= TUNNEL
-AUTHENTICATION_ALGORITHM= HMAC_SHA
-GROUP_DESCRIPTION= MODP_1024
-Life= Default-phase-2-lifetime
-
-[QM-ESP-AES-SHA-TRP-XF]
-TRANSFORM_ID= AES
-ENCAPSULATION_MODE= TRANSPORT
-AUTHENTICATION_ALGORITHM= HMAC_SHA
-Life= Default-phase-2-lifetime
-
-# AH
-
-[QM-AH-MD5-XF]
-TRANSFORM_ID= MD5
-ENCAPSULATION_MODE= TUNNEL
-AUTHENTICATION_ALGORITHM= HMAC_MD5
-Life= Default-phase-2-lifetime
-
-[QM-AH-MD5-PFS-XF]
-TRANSFORM_ID= MD5
-ENCAPSULATION_MODE= TUNNEL
-GROUP_DESCRIPTION= MODP_1024
-Life= Default-phase-2-lifetime
-
-[Sample-Life-Time]
-LIFE_TYPE= SECONDS
-LIFE_DURATION= 3600,1800:7200
-
-[Sample-Life-Volume]
-LIFE_TYPE= KILOBYTES
-LIFE_DURATION= 1000,768:1536
-.Ed
-.Sh SEE ALSO
-.Xr keynote 1 ,
-.Xr ipsec 4 ,
-.Xr keynote 4 ,
-.Xr isakmpd.policy 5 ,
-.Xr isakmpd 8
-.Sh BUGS
-The RFCs do not permit differing DH groups in the same proposal for
-aggressive and quick mode exchanges.
-Mixing both PFS and non-PFS suites in a quick mode proposal is not possible,
-as PFS implies using a DH group.
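Review bot: this hunk removes the entire isakmpd.conf(5) manual page (1126 lines, 0 insertions, file deleted) with nothing added in its place, so the only documentation of the daemon's security-relevant defaults goes with it: "Default-phase-1-lifetime" / "Default-phase-2-lifetime" and their 3600,60:86400 and 1200,60:86400 defaults, "Use-Keynote" defaulting to "yes", the effect of "Accept-self-signed", "Shared-SADB" disabling replay protection, and the "Policy-file" / "Pubkey-directory" paths under /etc/isakmpd. If the whole vendored keyexchange/isakmpd-20041012 tree is being dropped, the commit should say so and this deletion is fine; if only the documentation is being removed while the daemon and its sample configurations stay, the page should be kept (or the reference to where the configuration format is now documented should be added), since operators have no other source for the tag semantics and the offer/accept "X,Y:Z" syntax. Either way, the file header shows this is OpenBSD revision 1.94 of the page; if it is being replaced by a newer upstream copy elsewhere, note that in the commit message so the provenance is traceable.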