5782 ike.config(4) needs additional oakley_group numbers
   1 '\" te
   2 .\" Copyright (c) 2009, Sun Microsystems, Inc. All Rights Reserved.
   3 .\" The contents of this file are subject to the terms of the Common Development and Distribution License (the "License"). You may not use this file except in compliance with the License. You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing.
   4 .\"  See the License for the specific language governing permissions and limitations under the License. When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE. If applicable, add the following below this CDDL HEADER, with the
   5 .\" fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner]
   6 .TH IKE.CONFIG 4 "Apr 27, 2009"
   7 .SH NAME
   8 ike.config \- configuration file for IKE policy
   9 .SH SYNOPSIS
  10 .LP
  11 .nf
  12 \fB/etc/inet/ike/config\fR
  13 .fi
  14 
  15 .SH DESCRIPTION
  16 .sp
  17 .LP
  18 The \fB/etc/inet/ike/config\fR file contains rules for matching inbound IKE
  19 requests. It also contains rules for preparing outbound \fBIKE\fR requests.
  20 .sp
  21 .LP
  22 You can test the syntactic correctness of an \fB/etc/inet/ike/config\fR file by


 553 .ad
 554 .sp .6
 555 .RS 4n
 556 A phase 1 transform specifies a method for protecting an IKE phase 1 exchange.
 557 An initiator offers up lists of phase 1 transforms, and a receiver is expected
 558 to only accept such an entry if it matches one in a phase 1 rule. There can be
 559 several of these, and they are additive. There must be either at least one
 560 phase 1 transform in a rule or a global default phase 1 transform list. In a
 561 configuration file without a global default phase 1 transform list \fBand\fR a
 562 rule without a phase, transform list is an invalid file. Unless specified as
 563 optional, elements in the parameter-list must occur exactly once within a given
 564 transform's parameter-list:
 565 .sp
 566 .ne 2
 567 .na
 568 \fBoakley_group \fInumber\fR\fR
 569 .ad
 570 .sp .6
 571 .RS 4n
 572 The Oakley Diffie-Hellman group used for IKE SA key derivation. The group
 573 numbers are defined in RFC 2409, Appendix A, and RFC 3526. Acceptable values
 574 are currently:
 575 .br
 576 .in +2
 577 1 (768-bit)
 578 .in -2
 579 .br
 580 .in +2
 581 2 (1024-bit)
 582 .in -2
 583 .br
 584 .in +2
 585 5 (1536-bit)
 586 .in -2
 587 .br
 588 .in +2
 589 14 (2048-bit)
 590 .in -2
 591 .br
 592 .in +2
 593 15 (3072-bit)
 594 .in -2
 595 .br
 596 .in +2
 597 16 (4096-bit)
 598 .in -2
 599 .RE
 600 
 601 .sp
 602 .ne 2
 603 .na
 604 \fBencr_alg {3des, 3des-cbc, blowfish, blowfish-cdc, des, des-cbc, aes,
 605 aes-cbc}\fR
 606 .ad
 607 .sp .6
 608 .RS 4n
 609 An encryption algorithm, as in \fBipsecconf\fR(1M). However, of the ciphers
 610 listed above, only \fBaes\fR and \fBaes-cbc\fR allow optional key-size setting,
 611 using the "low value-to-high value" syntax. To specify a single AES key size,
 612 the low value must equal the high value. If no range is specified, all three
 613 AES key sizes are allowed.
 614 .RE
 615 
 616 .sp
 617 .ne 2
 618 .na


1130 \fBipseckey\fR(1M), \fBipsecalgs\fR(1M), \fBipsecconf\fR(1M), \fBsvccfg\fR(1M),
1131 \fBdlopen\fR(3C), \fBattributes\fR(5), \fBrandom\fR(7D)
1132 .sp
1133 .LP
1134 Harkins, Dan and Carrel, Dave. \fIRFC 2409, Internet Key Exchange (IKE)\fR.
1135 Cisco Systems, November 1998.
1136 .sp
1137 .LP
1138 Maughan, Douglas et. al. \fIRFC 2408, Internet Security Association and Key
1139 Management Protocol (ISAKMP)\fR. National Security Agency, Ft. Meade, MD.
1140 November 1998.
1141 .sp
1142 .LP
1143 Piper, Derrell. \fIRFC 2407, The Internet IP Security Domain of Interpretation
1144 for ISAKMP\fR. Network Alchemy. Santa Cruz, California. November 1998.
1145 .sp
1146 .LP
1147 Kivinen, T. \fIRFC 3526, More Modular Exponential (MODP) Diffie-Hellman Groups
1148 for Internet Key Exchange (IKE)\fR. The Internet Society, Network Working
1149 Group. May 2003.




   1 '\" te
   2 .\" Copyright (c) 2009, Sun Microsystems, Inc. All Rights Reserved.
   3 .\" Copyright (c) 2015, Circonus, Inc. All Rights Reserved.
   4 .\" The contents of this file are subject to the terms of the Common Development and Distribution License (the "License"). You may not use this file except in compliance with the License. You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing.
   5 .\"  See the License for the specific language governing permissions and limitations under the License. When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE. If applicable, add the following below this CDDL HEADER, with the
   6 .\" fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner]
   7 .TH IKE.CONFIG 4 "Apr 27, 2009"
   8 .SH NAME
   9 ike.config \- configuration file for IKE policy
  10 .SH SYNOPSIS
  11 .LP
  12 .nf
  13 \fB/etc/inet/ike/config\fR
  14 .fi
  15 
  16 .SH DESCRIPTION
  17 .sp
  18 .LP
  19 The \fB/etc/inet/ike/config\fR file contains rules for matching inbound IKE
  20 requests. It also contains rules for preparing outbound \fBIKE\fR requests.
  21 .sp
  22 .LP
  23 You can test the syntactic correctness of an \fB/etc/inet/ike/config\fR file by
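Review bot: the `.TH IKE.CONFIG 4 "Apr 27, 2009"` line (line 7 of the new file) still carries the 2009 date even though this change adds a 2015 Circonus copyright and new documented values; bump the date in `.TH` to the date of this change so the rendered man page footer reflects the revision.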


 554 .ad
 555 .sp .6
 556 .RS 4n
 557 A phase 1 transform specifies a method for protecting an IKE phase 1 exchange.
 558 An initiator offers up lists of phase 1 transforms, and a receiver is expected
 559 to only accept such an entry if it matches one in a phase 1 rule. There can be
 560 several of these, and they are additive. There must be either at least one
 561 phase 1 transform in a rule or a global default phase 1 transform list. In a
 562 configuration file without a global default phase 1 transform list \fBand\fR a
 563 rule without a phase, transform list is an invalid file. Unless specified as
 564 optional, elements in the parameter-list must occur exactly once within a given
 565 transform's parameter-list:
 566 .sp
 567 .ne 2
 568 .na
 569 \fBoakley_group \fInumber\fR\fR
 570 .ad
 571 .sp .6
 572 .RS 4n
 573 The Oakley Diffie-Hellman group used for IKE SA key derivation. The group
 574 numbers are defined in RFC 2409, Appendix A, RFC 3526, and RFC 5114, section
 575 3.2. Acceptable values are currently:
 576 .br
 577 .in +2
 578 1 (MODP 768-bit)
 579 .in -2
 580 .br
 581 .in +2
 582 2 (MODP 1024-bit)
 583 .in -2
 584 .br
 585 .in +2
 586 3 (EC2N 155-bit)
 587 .in -2
 588 .br
 589 .in +2
 590 4 (EC2N 185-bit)
 591 .in -2
 592 .br
 593 .in +2
 594 5 (MODP 1536-bit)
 595 .in -2
 596 .br
 597 .in +2
 598 14 (MODP 2048-bit)
 599 .in -2
 600 .br
 601 .in +2
 602 15 (MODP 3072-bit)
 603 .in -2
 604 .br
 605 .in +2
 606 16 (MODP 4096-bit)
 607 .in -2
 608 .br
 609 .in +2
 610 17 (MODP 6144-bit)
 611 .in -2
 612 .br
 613 .in +2
 614 18 (MODP 8192-bit)
 615 .in -2
 616 .br
 617 .in +2
 618 19 (ECP 256-bit)
 619 .in -2
 620 .br
 621 .in +2
 622 20 (ECP 384-bit)
 623 .in -2
 624 .br
 625 .in +2
 626 21 (ECP 521-bit)
 627 .in -2
 628 .br
 629 .in +2
 630 22 (MODP 1024-bit, with 160-bit Prime Order Subgroup)
 631 .in -2
 632 .br
 633 .in +2
 634 23 (MODP 2048-bit, with 224-bit Prime Order Subgroup)
 635 .in -2
 636 .br
 637 .in +2
 638 24 (MODP 2048-bit, with 256-bit Prime Order Subgroup)
 639 .in -2
 640 .br
 641 .in +2
 642 25 (ECP 192-bit)
 643 .in -2
 644 .br
 645 .in +2
 646 26 (ECP 224-bit)
 647 .in -2
 648 .RE
 649 
 650 .sp
 651 .ne 2
 652 .na
 653 \fBencr_alg {3des, 3des-cbc, blowfish, blowfish-cdc, des, des-cbc, aes,
 654 aes-cbc}\fR
 655 .ad
 656 .sp .6
 657 .RS 4n
 658 An encryption algorithm, as in \fBipsecconf\fR(1M). However, of the ciphers
 659 listed above, only \fBaes\fR and \fBaes-cbc\fR allow optional key-size setting,
 660 using the "low value-to-high value" syntax. To specify a single AES key size,
 661 the low value must equal the high value. If no range is specified, all three
 662 AES key sizes are allowed.
 663 .RE
 664 
 665 .sp
 666 .ne 2
 667 .na
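Review bot: the expanded `oakley_group` list (new lines 576-647) presents groups 1, 2 and 22 (768-bit and 1024-bit MODP) on the same footing as the 2048-bit and larger MODP groups and the ECP groups, with no guidance on strength, and this list is the only place an administrator chooses a group from; add a sentence recommending group 14 or larger (or one of the ECP groups 19-21) for new configurations and noting that 1 and 2 are retained for interoperability with older peers. The text also says these are "acceptable values" but not whether the IKE daemon actually negotiates every one of them; if the EC2N groups 3 and 4 are accepted by the parser but not implemented, say so rather than listing them as equals.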


1179 \fBipseckey\fR(1M), \fBipsecalgs\fR(1M), \fBipsecconf\fR(1M), \fBsvccfg\fR(1M),
1180 \fBdlopen\fR(3C), \fBattributes\fR(5), \fBrandom\fR(7D)
1181 .sp
1182 .LP
1183 Harkins, Dan and Carrel, Dave. \fIRFC 2409, Internet Key Exchange (IKE)\fR.
1184 Cisco Systems, November 1998.
1185 .sp
1186 .LP
1187 Maughan, Douglas et. al. \fIRFC 2408, Internet Security Association and Key
1188 Management Protocol (ISAKMP)\fR. National Security Agency, Ft. Meade, MD.
1189 November 1998.
1190 .sp
1191 .LP
1192 Piper, Derrell. \fIRFC 2407, The Internet IP Security Domain of Interpretation
1193 for ISAKMP\fR. Network Alchemy. Santa Cruz, California. November 1998.
1194 .sp
1195 .LP
1196 Kivinen, T. \fIRFC 3526, More Modular Exponential (MODP) Diffie-Hellman Groups
1197 for Internet Key Exchange (IKE)\fR. The Internet Society, Network Working
1198 Group. May 2003.
1199 .sp
1200 .LP
1201 Lepinksi, M. and Kent, S. \fIRFC 5114, Additional Diffie-Hellman Groups for Use
1202 with IETF Standards\fR. BBN Technologies, January 2008.
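Review bot: "Lepinksi" on new line 1201 is a typo; the RFC 5114 author is M. Lepinski, so the citation should read "Lepinski, M. and Kent, S.". While in this block, "et. al." on line 1187 should be "et al." (unchanged context, but the same one-word fix).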