IKE.CONFIG(4)                    File Formats                    IKE.CONFIG(4)



NAME
       ike.config - configuration file for IKE policy

SYNOPSIS
       /etc/inet/ike/config


DESCRIPTION
       The /etc/inet/ike/config file contains rules for matching inbound IKE
       requests. It also contains rules for preparing outbound IKE requests.


       You can test the syntactic correctness of an /etc/inet/ike/config file
       with the -c option of in.iked(1M). Add the -f option to name a file
       that is not /etc/inet/ike/config. This checks syntax only, not whether
       the rules express the policy you intended.

   Lexical Components
       On any line, an unquoted # character introduces a comment, and the
       remainder of that line is ignored. Likewise, an unquoted // sequence
       introduces a comment that extends to the end of the line.


       There are several types of lexical tokens in the ike.config file:

       num
           A decimal, hexadecimal, or octal number, written as in C.


       IPaddr/prefix/range
           An IPv4 or IPv6 address with an optional /NNN suffix (where NNN is
           a num) that indicates an address (CIDR) prefix (for example,
           10.1.2.0/24). An optional /ADDR suffix (where ADDR is a second IP
           address) indicates an address/mask pair (for example,
           10.1.2.0/255.255.255.0). An optional -ADDR suffix (where ADDR is a
           second IPv4 address) indicates an inclusive range of addresses (for
           example, 10.1.2.0-10.1.2.255). The / or - can be surrounded by an
           arbitrary amount of white space.


       XXX | YYY | ZZZ
           One of the words XXX, YYY, or ZZZ; for example, {yes,no}.


       p1-id-type
           An IKE phase 1 identity type. IKE phase 1 identity types include:
             dn, DN
             dns, DNS
             fqdn, FQDN
             gn, GN
             ip, IP
             ipv4
             ipv4_prefix
             ipv4_range
             ipv6
             ipv6_prefix
             ipv6_range
             mbox, MBOX
             user_fqdn


       "string"
           A quoted string.

           Examples include: "Label foo", or "C=US, OU=Sun Microsystems\, Inc.,
           N=olemcd@eng.example.com"

           A backslash (\) is an escape character. If the string needs an
           actual backslash, two must be specified. In the example above the
           backslash protects the comma inside the OU value, so that it is not
           read as the separator between two DN components.


       cert-sel
           A certificate selector, a string which specifies the identities of
           zero or more certificates. The specifiers can conform to X.509
           naming conventions.

           A cert-sel can also use various shortcuts to match either subject
           alternative names, the filename or slot of a certificate in
           /etc/inet/ike/publickeys, or the issuer. For example:

             "SLOT=0"
             "EMAIL=postmaster@domain.org"
             "webmaster@domain.org" # Some just work w/o TYPE=
             "IP=10.0.0.1"
             "10.21.11.11"          # Some just work w/o TYPE=
             "DNS=www.domain.org"
             "mailhost.domain.org"  # Some just work w/o TYPE=
             "ISSUER=C=US, O=Sun Microsystems\, Inc., CN=Sun CA"


           Any cert-sel preceded by the character ! indicates a negative match,
           that is, not matching this specifier. These are the same kind of
           strings used in ikecert(1M).
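           The following Python is an added illustration, not part of this
           manual page and not the matching code of ikecert or in.iked. It
           shows how the selector forms listed above can be evaluated against
           one certificate: the typed forms SLOT=, EMAIL=, IP=, DNS= and
           ISSUER=, the untyped shortcuts (the shape of the value decides
           whether it is an e-mail address, an IP address, a DNS name or a
           subject DN), the ! negation, and the empty selector that a
           remote_id "" uses to accept any identity. The certificate record
           and all its values are constructed, and DN comparison here is a
           component-by-component string comparison after splitting on
           unescaped commas, which is an assumption rather than in.iked's
           rule.

```python
import ipaddress
import re

# Constructed certificate record (hypothetical values): the fields a cert-sel
# can name on this page, i.e. the publickeys slot, subject and issuer DNs, and
# the subject alternative names by type.
CERT = {
    "slot": 0,
    "subject": r"C=US, O=Example\, Inc., CN=gw1.example.org",
    "issuer": r"C=US, O=Example\, Inc., CN=Example CA",
    "email": {"postmaster@example.org"},
    "ip": {"10.0.0.1", "2001:db8::1"},          # stored in canonical form
    "dns": {"gw1.example.org", "www.example.org"},
}

TYPED = {"SLOT": "slot", "EMAIL": "email", "IP": "ip", "DNS": "dns", "ISSUER": "issuer"}

def _dn_parts(dn):
    """Split a DN on commas that are not backslash-escaped (an escaped comma
    stays inside its value, e.g. O=Example\\, Inc.)."""
    return [p.strip() for p in re.split(r"(?<!\\),", dn)]

def _ip(s):
    return str(ipaddress.ip_address(s))   # canonical text; ValueError if not an address

def _hit(sel, cert):
    if sel == "":
        return True                        # remote_id "" matches any identity
    kind, eq, value = sel.partition("=")
    if eq and kind in TYPED:               # explicit TYPE=value form
        field = TYPED[kind]
        if field == "slot":
            return cert["slot"] == int(value, 0)
        if field == "issuer":
            return _dn_parts(cert["issuer"]) == _dn_parts(value)
        if field == "ip":
            return _ip(value) in cert["ip"]
        return value in cert[field]
    if eq:                                 # untyped, but has '=': a subject DN
        return _dn_parts(cert["subject"]) == _dn_parts(sel)
    if "@" in sel:                         # untyped shortcut: RFC 822 name
        return sel in cert["email"]
    try:
        return _ip(sel) in cert["ip"]      # untyped shortcut: IP address
    except ValueError:
        return sel in cert["dns"]          # untyped shortcut: DNS name

def matches(cert_sel, cert):
    """True if cert satisfies cert_sel; a leading '!' negates the match."""
    if cert_sel.startswith("!"):
        return not _hit(cert_sel[1:], cert)
    return _hit(cert_sel, cert)

def remote_id_allows(remote_ids, cert):
    """remote_id parameters accumulate: the peer passes if any selector matches."""
    return any(matches(s, cert) for s in remote_ids)
```

           Because the empty selector matches everything, a rule whose only
           remote_id is "" admits any certificate the configured trust
           anchors validate; the advice under remote_id below, to restrict
           remote_addr in that case, applies.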


       ldap-list
           A quoted, comma-separated list of LDAP servers and ports.

           For example, "ldap1.example.com", "ldap1.example.com:389",
           "ldap1.example.com:389,ldap2.example.com".

           The default port for LDAP is 389.


       parameter-list
           A list of parameters.


   File Body Entries
       There are four main types of entries:

           o      global parameters

           o      IKE phase 1 transform defaults

           o      IKE rule defaults

           o      IKE rules


       The global parameter entries are as follows:

       cert_root cert-sel
           The X.509 distinguished name of a certificate that is a trusted
           root CA certificate. It must be encoded in a file in the
           /etc/inet/ike/publickeys directory. It must have a CRL in
           /etc/inet/ike/crls (but see ignore_crls). Multiple cert_root
           parameters aggregate.


       cert_trust cert-sel
           Specifies an X.509 distinguished name of a certificate that is
           self-signed, or has otherwise been verified as trustworthy for
           signing IKE exchanges. It must be encoded in a file in
           /etc/inet/ike/publickeys. Multiple cert_trust parameters aggregate.


       expire_timer integer
           The number of seconds to let a not-yet-complete IKE Phase I (Main
           Mode) negotiation linger before deleting it. Default value: 300
           seconds.


       ignore_crls
           If this keyword is present in the file, in.iked(1M) ignores
           Certificate Revocation Lists (CRLs) for root CAs (as given in
           cert_root). With CRLs ignored, a certificate that its CA has since
           revoked is still accepted.


       ldap_server ldap-list
           A list of LDAP servers to query for certificates. The list can be
           additive.


       pkcs11_path string
           The string that follows is the name of a shared object (.so) that
           implements the PKCS#11 standard. The name is passed directly into
           dlopen(3C) for linking, with all of the semantics of that library
           call. By default, in.iked(1M) runs the same ISA as the running
           kernel, so a library specified using pkcs11_path and an absolute
           pathname must match the same ISA as the kernel. One can use the
           start/exec SMF property (see svccfg(1M)) to change in.iked's ISA,
           but it is not recommended.

           If this setting is not present, the default value is
           libpkcs11.so. Most cryptographic providers go through the default
           library, and this parameter should only be used if a specialized
           provider of IKE-useful cryptographic services cannot interface with
           the Solaris Cryptographic Framework. See cryptoadm(1M).

           This option is now deprecated, and may be removed in a future
           release.


       retry_limit integer
           The number of retransmits before any IKE negotiation is aborted.
           Default value: 5 times.


       retry_timer_init integer or float
           The initial interval (in seconds) between retransmits. This
           interval is doubled until the retry_timer_max value (see below) is
           reached. Default value: 0.5 seconds.


       retry_timer_max integer or float
           The maximum interval (in seconds) between retransmits. The doubling
           retransmit interval stops growing at this limit. Default value: 30
           seconds.

           Note -

             This value is never reached with the default configuration. The
             longest interval is 8 (0.5 * 2 ^ (5 - 1)) seconds.

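           The following Python is an added illustration, not part of this
           manual page or of in.iked. It works the retransmit rule through for
           the defaults above (confirming the note's 8-second longest
           interval) and for a tuned configuration in which the cap is
           actually reached, and relates the total time spent retransmitting
           to expire_timer, since both bound how long a negotiation with an
           unresponsive peer is kept alive. The tuned values are
           hypothetical.

```python
def retransmit_schedule(retry_timer_init=0.5, retry_timer_max=30.0, retry_limit=5):
    """Seconds between successive retransmits of one IKE message: the interval
    doubles from retry_timer_init and is capped at retry_timer_max; after
    retry_limit retransmits the negotiation is aborted.  Defaults are the
    page's defaults."""
    schedule, interval = [], float(retry_timer_init)
    for _ in range(retry_limit):
        schedule.append(min(interval, float(retry_timer_max)))
        interval *= 2
    return schedule

def seconds_until_abort(**params):
    """Wall-clock time a negotiation with an unresponsive peer is kept alive
    by retransmits before being abandoned."""
    return sum(retransmit_schedule(**params))

def check_timers(expire_timer=300, **params):
    """Sanity check for tuned values: retransmits should give up on a dead
    peer before expire_timer would reap the half-open negotiation anyway,
    and a lowered retry_timer_max is pointless if it is never reached."""
    sched = retransmit_schedule(**params)
    return {
        "longest_interval": max(sched),
        "cap_reached": max(sched) == float(params.get("retry_timer_max", 30.0)),
        "abort_before_expire": sum(sched) < expire_timer,
    }
```

           With the defaults, retransmits stop after 15.5 seconds in total;
           with retry_timer_init 4 and retry_limit 8 (a hypothetical tuning)
           the 30-second cap applies from the fourth retransmit on.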

       proxy string
           The string following this keyword must be a URL for an HTTP proxy,
           for example, http://proxy:8080.


       socks string
           The string following this keyword must be a URL for a SOCKS proxy,
           for example, socks://socks-proxy.


       use_http
           If this keyword is present in the file, in.iked(1M) uses HTTP to
           retrieve Certificate Revocation Lists (CRLs).



       The following IKE phase 1 transform parameters can be prefigured using
       file-level defaults. Values specified within any given transform
       override these defaults.


       The IKE phase 1 transform defaults are as follows:

       p1_lifetime_secs num
           The proposed default lifetime, in seconds, of an IKE phase 1
           security association (SA).


       p1_nonce_len num
           The length in bytes of the phase 1 (main mode) nonce data. This
           cannot be specified on a per-rule basis.



       The following IKE rule parameters can be prefigured using file-level
       defaults. Values specified within any given rule override these
       defaults, except for the parameters noted below as not settable on a
       per-rule basis.

       p2_lifetime_secs num
           The proposed default lifetime, in seconds, of an IKE phase 2
           security association (SA). This value is optional. If omitted, a
           default value is used.


       p2_softlife_secs num
           The soft lifetime of a phase 2 SA, in seconds. If this value is
           specified, the SA soft expires after the number of seconds
           specified by p2_softlife_secs. This causes in.iked to renegotiate a
           new phase 2 SA before the original SA expires.

           This value is optional; if omitted, soft expiry occurs after 90% of
           the lifetime specified by p2_lifetime_secs. The value specified by
           p2_softlife_secs is ignored if p2_lifetime_secs is not specified.

           Setting p2_softlife_secs to the same value as p2_lifetime_secs
           disables soft expiry.


       p2_idletime_secs num
           The idle lifetime of a phase 2 SA, in seconds. If specified, a
           phase 2 SA that carries no traffic for this many seconds expires,
           rather than being kept until its p2_lifetime_secs is reached.


       p2_lifetime_kb num
           The lifetime of an SA can optionally be specified in kilobytes.
           This parameter specifies the default value. If lifetimes are
           specified in both seconds and kilobytes, the SA expires when either
           the seconds or the kilobyte threshold is passed.


       p2_softlife_kb num
           This value is the number of kilobytes that can be protected by an
           SA before a soft expire occurs (see p2_softlife_secs, above).

           This value is optional. If omitted, soft expiry occurs after 90% of
           the lifetime specified by p2_lifetime_kb. The value specified by
           p2_softlife_kb is ignored if p2_lifetime_kb is not specified.


       p2_nonce_len num
           The length in bytes of the phase 2 (quick mode) nonce data. This
           cannot be specified on a per-rule basis.

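           The following Python is an added illustration, not part of this
           manual page or of in.iked. It resolves the effective phase 2
           thresholds for a rule from the rules just stated (rule values
           override file-level defaults; an omitted soft lifetime is 90% of
           the hard one; a soft lifetime whose hard counterpart is unset is
           ignored; a soft lifetime equal to the hard one disables soft
           expiry) and then classifies a live SA as healthy, due for
           renegotiation, or expired, with seconds and kilobytes checked
           independently. The rounding of the 90% figure and the treatment of
           a soft lifetime larger than the hard one are assumptions, as is
           treating idle expiry like a hard expiry.

```python
def resolve_p2_lifetimes(defaults, rule):
    """Effective phase 2 SA thresholds for one rule: file-level defaults
    overridden by the rule's own values, then
      - a soft lifetime without a hard lifetime of the same unit is ignored,
      - an omitted soft lifetime is 90% of the hard one,
      - a soft lifetime equal to the hard one disables soft expiry.
    Values are ints; None means unset (or, for soft_*, no soft expiry)."""
    def get(k):
        return rule.get(k, defaults.get(k))
    lt = {"idle_secs": get("p2_idletime_secs")}
    for unit in ("secs", "kb"):
        hard, soft = get("p2_lifetime_" + unit), get("p2_softlife_" + unit)
        if hard is None:
            soft = None                    # softlife without a hard lifetime is ignored
        elif soft is None:
            soft = hard * 9 // 10          # 90% default; truncation is an assumption
        elif soft >= hard:
            soft = None                    # equal disables; larger treated the same (assumption)
        lt["hard_" + unit], lt["soft_" + unit] = hard, soft
    return lt

def sa_state(lt, age_secs, kb_used, idle_secs=0):
    """'hard' once any hard (or idle) threshold is passed: the SA expires.
    'soft' once any soft threshold is passed: renegotiate now.  Otherwise
    'ok'.  Seconds and kilobytes are independent; whichever trips first wins."""
    def passed(kind):
        return any(lt[k] is not None and v >= lt[k]
                   for k, v in ((kind + "_secs", age_secs), (kind + "_kb", kb_used)))
    if passed("hard") or (lt["idle_secs"] is not None and idle_secs >= lt["idle_secs"]):
        return "hard"
    return "soft" if passed("soft") else "ok"
```

           A file-level p2_softlife_kb with no p2_lifetime_kb anywhere is
           silently inert, which the resolver makes visible as soft_kb being
           None; that is the easiest of these settings to get wrong.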

       local_id_type p1-id-type
           The local identity for IKE requires a type. This identity type is
           reflected in the IKE exchange. The type can be one of the
           following:

               o      an IP address (for example, 10.1.1.2)

               o      a DNS name (for example, test.domain.com)

               o      an MBOX RFC 822 name (for example, root@domain.com)

               o      a DN, an X.509 distinguished name (for example, C=US,
                      O=Sun Microsystems\, Inc., CN=Sun Test cert, where the
                      backslash keeps the comma inside the O value)


       p1_xform '{' parameter-list '}'
           A phase 1 transform specifies a method for protecting an IKE phase
           1 exchange. An initiator offers up lists of phase 1 transforms,
           and a receiver is expected to only accept such an entry if it
           matches one in a phase 1 rule. There can be several of these, and
           they are additive. There must be either at least one phase 1
           transform in a rule or a global default phase 1 transform list. A
           configuration file with no global default phase 1 transform list
           and a rule with no phase 1 transform list is invalid. Unless
           specified as optional, elements in the parameter-list must occur
           exactly once within a given transform's parameter-list:

           oakley_group number
               The Oakley Diffie-Hellman group used for IKE SA key derivation.
               The group numbers are defined in RFC 2409, Appendix A, RFC
               3526, RFC 5114, section 3.2, and RFC 5903. Acceptable values
               are currently:
                 1 (MODP 768-bit)
                 2 (MODP 1024-bit)
                 3 (EC2N 155-bit)
                 4 (EC2N 185-bit)
                 5 (MODP 1536-bit)
                 14 (MODP 2048-bit)
                 15 (MODP 3072-bit)
                 16 (MODP 4096-bit)
                 17 (MODP 6144-bit)
                 18 (MODP 8192-bit)
                 19 (ECP 256-bit)
                 20 (ECP 384-bit)
                 21 (ECP 521-bit)
                 22 (MODP 1024-bit, with 160-bit Prime Order Subgroup)
                 23 (MODP 2048-bit, with 224-bit Prime Order Subgroup)
                 24 (MODP 2048-bit, with 256-bit Prime Order Subgroup)
                 25 (ECP 192-bit)
                 26 (ECP 224-bit)


           encr_alg {3des, 3des-cbc, blowfish, blowfish-cbc, des, des-cbc, aes,
           aes-cbc}
               An encryption algorithm, as in ipsecconf(1M). However, of the
               ciphers listed above, only aes and aes-cbc allow optional key-
               size setting, using the "low value-to-high value" syntax. To
               specify a single AES key size, the low value must equal the
               high value. If no range is specified, all three AES key sizes
               are allowed.


           auth_alg {md5, sha, sha1, sha256, sha384, sha512}
               An authentication algorithm.

               Use ipsecalgs(1M) with the -l option to list the IPsec protocols
               and algorithms currently defined on a system. The cryptoadm
               list command displays a list of installed providers and their
               mechanisms. See cryptoadm(1M).


           auth_method {preshared, rsa_sig, rsa_encrypt, dss_sig}
               The authentication method used for IKE phase 1.


           p1_lifetime_secs num
               Optional. The lifetime for a phase 1 SA.



       p2_lifetime_secs num
           If configuring the kernel defaults is not sufficient for different
           tasks, this parameter can be used on a per-rule basis to set the
           IPsec SA lifetimes in seconds.


       p2_pfs num
           Use perfect forward secrecy for phase 2 (quick mode). If selected,
           the oakley group specified is used for phase 2 PFS. Acceptable
           values are:
             0 (do not use Perfect Forward Secrecy for IPsec SAs)
             1 (768-bit)
             2 (1024-bit)
             5 (1536-bit)
             14 (2048-bit)
             15 (3072-bit)
             16 (4096-bit)



       An IKE rule starts with a left curly brace ({), ends with a right curly
       brace (}), and has the following parameters in between:

       label string
           Required parameter. The administrative interface to in.iked looks
           up phase 1 policy rules with the label as the search string. The
           administrative interface also converts the label into an index,
           suitable for an extended ACQUIRE message from PF_KEY, effectively
           tying IPsec policy to IKE policy in the case of a node initiating
           traffic. Only one label parameter is allowed per rule.


       local_addr <IPaddr/prefix/range>
           Required parameter. The local address, address prefix, or address
           range for this phase 1 rule. Multiple local_addr parameters
           accumulate within a given rule.


       remote_addr <IPaddr/prefix/range>
           Required parameter. The remote address, address prefix, or address
           range for this phase 1 rule. Multiple remote_addr parameters
           accumulate within a given rule.


       local_id_type p1-id-type
           Which phase 1 identity type the local system uses. This is needed
           because a single certificate can contain multiple values for use in
           IKE phase 1. Within a given rule, all phase 1 transforms must either
           use preshared or non-preshared authentication (they cannot be
           mixed). For rules with preshared authentication, the local_id_type
           parameter is optional, and defaults to IP. For rules which use non-
           preshared authentication, the local_id_type parameter is required.
           Multiple local_id_type parameters within a rule are not allowed.


       local_id cert-sel
           Disallowed for preshared authentication method; required parameter
           for non-preshared authentication method. The local identity string
           or certificate selector. Only one local identity per rule is used,
           the first one stated.


       remote_id cert-sel
           Disallowed for preshared authentication method; required parameter
           for non-preshared authentication method. Selector for which remote
           phase 1 identities are allowed by this rule. Multiple remote_id
           parameters accumulate within a given rule. If a single empty string
           ("") is given, then this accepts any remote ID for phase 1: any
           certificate that validates against the configured trust anchors is
           accepted regardless of the name it carries. If this value for
           remote_id is used, configure certificate trust chains or
           remote_addr enforcement strictly to prevent a breakdown in
           security.


       p2_lifetime_secs num
           If configuring the kernel defaults is not sufficient for different
           tasks, this parameter can be used on a per-rule basis to set the
           IPsec SA lifetimes in seconds.


       p2_pfs num
           Use perfect forward secrecy for phase 2 (quick mode). If selected,
           the oakley group specified is used for phase 2 PFS. Acceptable
           values are:
             0 (do not use Perfect Forward Secrecy for IPsec SAs)
             1 (768-bit)
             2 (1024-bit)
             5 (1536-bit)
             14 (2048-bit)
             15 (3072-bit)
             16 (4096-bit)


       p1_xform { parameter-list }
           A phase 1 transform specifies a method for protecting an IKE phase
           1 exchange. An initiator offers up lists of phase 1 transforms,
           and a receiver is expected to only accept such an entry if it
           matches one in a phase 1 rule. There can be several of these, and
           they are additive. There must be either at least one phase 1
           transform in a rule or a global default phase 1 transform list. An
           ike.config file without a global default phase 1 transform list and
           a rule without a phase 1 transform list is an invalid file. Unless
           specified as optional, elements within the parameter-list must
           occur exactly once within a given transform's parameter-list:

           oakley_group number
               The Oakley Diffie-Hellman group used for IKE SA key derivation.
               Acceptable values are the same as for the file-level p1_xform
               default described above, for example:
                 1 (768-bit)
                 2 (1024-bit)
                 5 (1536-bit)
                 14 (2048-bit)
                 15 (3072-bit)
                 16 (4096-bit)


           encr_alg {3des, 3des-cbc, blowfish, blowfish-cbc, des, des-cbc, aes,
           aes-cbc}
               An encryption algorithm, as in ipsecconf(1M). However, of the
               ciphers listed above, only aes and aes-cbc allow optional key-
               size setting, using the "low value-to-high value" syntax. To
               specify a single AES key size, the low value must equal the
               high value. If no range is specified, all three AES key sizes
               are allowed.


           auth_alg {md5, sha, sha1, sha256, sha384, sha512}
               An authentication algorithm, as specified in ipseckey(1M). The
               accepted values are the same as for the file-level p1_xform
               default described above.


           auth_method {preshared, rsa_sig, rsa_encrypt, dss_sig}
               The authentication method used for IKE phase 1.


           p1_lifetime_secs num
               Optional. The lifetime for a phase 1 SA.


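       The following Python is an added illustration, not part of this manual
       page and not in.iked's parser. It applies the lexical rules from the
       Lexical Components section (# and // comments, quoted strings, braces)
       and the per-rule requirements from this section: exactly one label,
       local_addr and remote_addr, at most one local_id_type, at least one
       p1_xform in the rule or as a global default, no mixing of preshared and
       certificate-based transforms, local_id_type, local_id and remote_id
       required for certificate authentication and local_id and remote_id
       forbidden with preshared, plus a warning on remote_id "". The sample
       file and its addresses, DNs and labels are constructed; the keyword set
       is the one this page documents; and only \\ and \" are collapsed inside
       strings, an assumption that keeps an escaped comma inside a DN value.

```python
import re
# Constructed sample (hypothetical addresses, DNs, labels); the second rule is
# deliberately misconfigured.  Not the manual page's own example file.
SAMPLE = r'''
cert_root "C=US, O=Example\, Inc., CN=Example CA"     // comment to end of line
p1_xform { auth_method preshared oakley_group 14 auth_alg sha256 encr_alg aes }
{
    label "psk ok"
    local_addr 192.0.2.1
    remote_addr 198.51.100.0/24          # inherits the global p1_xform
}
{
    label "rsa missing ids"
    local_addr 192.0.2.1
    remote_addr 0.0.0.0/0
    remote_id ""                          # accepts any peer identity
    p1_xform { auth_method rsa_sig oakley_group 14 auth_alg sha1 encr_alg 3des }
}
'''

KEYWORDS = set("""cert_root cert_trust expire_timer ignore_crls ldap_server
    pkcs11_path retry_limit retry_timer_init retry_timer_max proxy socks use_http
    p1_lifetime_secs p1_nonce_len p2_lifetime_secs p2_softlife_secs
    p2_idletime_secs p2_lifetime_kb p2_softlife_kb p2_nonce_len p2_pfs
    local_id_type local_id remote_id label local_addr remote_addr p1_xform""".split())

# Whitespace and '#' / '//' comments are skipped; in strings only \\ and \" collapse.
TOKEN = re.compile(r'\s+|(?:#|//)[^\n]*|(?P<str>"(?:\\.|[^"\\])*")'
                   r'|(?P<brace>[{}])|(?P<word>(?:(?!//)[^\s"{}#])+)')

def tokenize(text):
    """Yield (kind, value) pairs with kind in {"str", "brace", "word"}."""
    pos = 0
    while pos < len(text):
        m = TOKEN.match(text, pos)
        if not m:
            raise SyntaxError("unterminated string or bad character at %d" % pos)
        pos = m.end()
        if m.lastgroup == "str":
            yield "str", re.sub(r'\\([\\"])', r"\1", m.group()[1:-1])
        elif m.lastgroup:
            yield m.lastgroup, m.group()

def parse(text):
    """Return (globals, rules): keyword -> list of value lists; p1_xform -> list of dicts."""
    toks, glob, rules, cur, i = list(tokenize(text)), {}, [], None, 0
    is_kw = lambda t: t[0] == "word" and t[1] in KEYWORDS
    while i < len(toks):
        kind, val = toks[i]
        i += 1
        scope = glob if cur is None else cur        # outside a rule: global parameter
        if (kind, val) == ("brace", "{"):
            cur = {}
        elif kind == "brace":
            rules.append(cur)
            cur = None
        elif val == "p1_xform" and kind == "word":
            if toks[i] != ("brace", "{"):
                raise SyntaxError("p1_xform must be followed by '{'")
            xf, i = {}, i + 1
            while toks[i] != ("brace", "}"):         # parameter-list is key/value pairs
                xf[toks[i][1]] = toks[i + 1][1]
                i += 2
            i += 1
            scope.setdefault("p1_xform", []).append(xf)
        elif is_kw((kind, val)):                     # keyword takes values up to the next keyword
            vals = []
            while i < len(toks) and toks[i][0] != "brace" and not is_kw(toks[i]):
                vals.append(toks[i][1])
                i += 1
            scope.setdefault(val, []).append(vals)
        else:
            raise SyntaxError("unexpected token %r" % val)
    return glob, rules

def lint(glob, rules):
    """Apply the per-rule constraints this page states; return (label, problem) pairs."""
    findings = []
    for r in rules:
        name = r["label"][0][0] if r.get("label") else "<unlabeled>"
        problems = ["%s is required" % k for k in ("label", "local_addr", "remote_addr") if k not in r]
        if len(r.get("label", [])) > 1 or len(r.get("local_id_type", [])) > 1:
            problems.append("label and local_id_type may appear only once")
        xforms = r.get("p1_xform") or glob.get("p1_xform") or []
        psk = {x.get("auth_method") == "preshared" for x in xforms}
        if not xforms:
            problems.append("no p1_xform in the rule and no global default")
        elif len(psk) > 1:
            problems.append("preshared and non-preshared transforms are mixed")
        elif psk == {True}:
            problems += ["%s is not allowed with preshared authentication" % k
                         for k in ("local_id", "remote_id") if k in r]
        else:
            problems += ["%s is required for certificate authentication" % k
                         for k in ("local_id_type", "local_id", "remote_id") if k not in r]
        if [""] in r.get("remote_id", []):
            problems.append('remote_id "" accepts any peer identity; restrict remote_addr')
        findings += [(name, p) for p in problems]
    return findings
```

       lint(*parse(SAMPLE)) reports three problems, all against the second
       rule: the missing local_id_type and local_id, and the open remote_id.
       This checks only the constraints listed on this page, not in.iked's
       full grammar, so still run in.iked -c -f on the real file.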

EXAMPLES
       Example 1 A Sample ike.config File


       The following is an example of an ike.config file:



         ### BEGINNING OF FILE

         ### First some global parameters...

         ### certificate parameters...

         # Root certificates. I SHOULD use a full Distinguished Name.
         # I must have this certificate in my local filesystem, see ikecert(1m).
         cert_root    "C=US, O=Sun Microsystems\, Inc., CN=Sun CA"

         # Explicitly trusted certs that need no signatures, or perhaps
         # self-signed ones. Like root certificates, use full DNs for them
         # for now.
         cert_trust    "EMAIL=root@domain.org"

         # Where do I send LDAP requests?
         ldap_server        "ldap1.domain.org,ldap2.domain.org:389"

         ## phase 1 transform defaults...

         p1_lifetime_secs 14400
         p1_nonce_len 20

         ## Parameters that might also show up in rules.

         p1_xform { auth_method preshared oakley_group 5 auth_alg sha
                   encr_alg 3des }
         p2_pfs 2



         ### Now some rules...

         {
            label "simple inheritor"
            local_id_type ip
            local_addr 10.1.1.1
            remote_addr 10.1.1.2
         }
         {
            label "simple inheritor IPv6"
            local_id_type ipv6
            local_addr fe80::a00:20ff:fe7d:6
            remote_addr fe80::a00:20ff:fefb:3780
         }

         {
            # an index-only rule.  If I'm a receiver, and all I
            # have are index-only rules, what do I do about inbound IKE requests?
            # Answer:  Take them all!

            label "default rule"
            # Use whatever "host" (e.g. IP address) identity is appropriate
            local_id_type ipv4

            local_addr 0.0.0.0/0
            remote_addr 0.0.0.0/0

            p2_pfs 5

            # Now I'm going to have the p1_xforms
            p1_xform
            {auth_method preshared  oakley_group 5  auth_alg md5  encr_alg \
             blowfish }   p1_xform
            {auth_method preshared  oakley_group 5  auth_alg md5  encr_alg 3des }

            # After said list, another keyword (or a '}') stops xform
            # parsing.
         }

         {
            # Let's try something a little more conventional.

            label "host to .80 subnet"
            local_id_type ip
            local_id "10.1.86.51"

            remote_id ""    # Take any, use remote_addr for access control.

            local_addr 10.1.86.51
            remote_addr 10.1.80.0/24

            p1_xform
            { auth_method rsa_sig  oakley_group 5  auth_alg md5  encr_alg 3des }
            p1_xform
            { auth_method rsa_sig  oakley_group 5  auth_alg md5  encr_alg \
              blowfish }
            p1_xform
            { auth_method rsa_sig  oakley_group 5  auth_alg sha1  encr_alg 3des }
            p1_xform
            { auth_method rsa_sig  oakley_group 5  auth_alg sha1  encr_alg \
              blowfish }
         }

         {
            # Let's try something a little more conventional, but with ipv6.

             label "host to fe80::/10 subnet"
             local_id_type ip
             local_id "fe80::a00:20ff:fe7d:6"

             remote_id ""    # Take any, use remote_addr for access control.

             local_addr fe80::a00:20ff:fe7d:6
             remote_addr fe80::/10

             p1_xform
             { auth_method rsa_sig  oakley_group 5  auth_alg md5  encr_alg 3des }
             p1_xform
             { auth_method rsa_sig  oakley_group 5  auth_alg md5  encr_alg \
               blowfish }
             p1_xform
             { auth_method rsa_sig  oakley_group 5  auth_alg sha1  encr_alg \
               3des }
             p1_xform
             { auth_method rsa_sig  oakley_group 5  auth_alg sha1  encr_alg \
               blowfish }
         }

         {
             # How 'bout something with a different cert type and name?

             label "punchin-point"
             local_id_type mbox
             local_id "ipsec-wizard@domain.org"

             remote_id "10.5.5.128"

             local_addr 0.0.0.0/0
             remote_addr 10.5.5.128

             p1_xform
             { auth_method rsa_sig oakley_group 5 auth_alg md5 encr_alg \
               blowfish }
         }

         {
            label "receiver side"

            remote_id "ipsec-wizard@domain.org"

            local_id_type ip
            local_id "10.5.5.128"

            local_addr 10.5.5.128
            remote_addr 0.0.0.0/0

            p1_xform
            { auth_method rsa_sig oakley_group 5 auth_alg md5 encr_alg blowfish }
            # NOTE:  Specifying preshared null-and-voids the remote_id/local_id
            #        fields.
            p1_xform
            { auth_method preshared oakley_group 5 auth_alg md5 encr_alg \
              blowfish}

         }


ATTRIBUTES
       See attributes(5) for descriptions of the following attributes:




       +--------------------+-----------------+
       |  ATTRIBUTE TYPE    | ATTRIBUTE VALUE |
       +--------------------+-----------------+
       |Interface Stability | Committed       |
       +--------------------+-----------------+

SEE ALSO
       cryptoadm(1M), ikeadm(1M), in.iked(1M), ikecert(1M), ipseckey(1M),
       ipsecalgs(1M), ipsecconf(1M), svccfg(1M), dlopen(3C), attributes(5),
       random(7D)


       Harkins, Dan and Carrel, Dave. RFC 2409, Internet Key Exchange (IKE).
       Cisco Systems, November 1998.


       Maughan, Douglas et al. RFC 2408, Internet Security Association and
       Key Management Protocol (ISAKMP). National Security Agency, Ft. Meade,
       MD. November 1998.


       Piper, Derrell. RFC 2407, The Internet IP Security Domain of
       Interpretation for ISAKMP. Network Alchemy. Santa Cruz, California.
       November 1998.


       Kivinen, T. RFC 3526, More Modular Exponential (MODP) Diffie-Hellman
       Groups for Internet Key Exchange (IKE). The Internet Society, Network
       Working Group. May 2003.


       Lepinski, M. and Kent, S. RFC 5114, Additional Diffie-Hellman Groups for
       Use with IETF Standards. BBN Technologies, January 2008.


       Fu, D. and Solinas, J. RFC 5903, Elliptic Curve Groups modulo a Prime
       (ECP Groups) for IKE and IKEv2. NSA, June 2010.



                                April 27, 2009                   IKE.CONFIG(4)