1 IKE.CONFIG(4)           File Formats and Configurations          IKE.CONFIG(4)
   2 
   3 
   4 
   5 NAME
   6        ike.config - configuration file for IKE policy
   7 
   8 SYNOPSIS
   9        /etc/inet/ike/config
  10 
  11 
  12 DESCRIPTION
  13        The /etc/inet/ike/config file contains rules for matching inbound IKE
  14        requests. It also contains rules for preparing outbound IKE requests.
  15 
  16 
  17        You can test the syntactic correctness of an /etc/inet/ike/config file
  18        by using the -c or -f options of in.iked(1M). You must use the -c
  19        option to test a config file. You might need to use the -f option if it
  20        is not in /etc/inet/ike/config.
  21 
  22    Lexical Components
  23        On any line, an unquoted # character introduces a comment. The
  24        remainder of that line is ignored. Additionally, on any line, an
  25        unquoted // sequence introduces a comment. The remainder of that line
  26        is ignored.
  27 
  28 
  29        There are several types of lexical tokens in the ike.config file:
  30 
  31        num
  32 
  33            A decimal, hex, or octal number representation is as in 'C'.
  34 
  35 
  36        IPaddr/prefix/range
  37 
  38            An IPv4 or IPv6 address with an optional /NNN suffix, (where NNN is
  39            a num) that indicates an address (CIDR) prefix (for example,
  40            10.1.2.0/24). An optional /ADDR suffix (where ADDR is a second IP
  41            address) indicates an address/mask pair (for example,
  42            10.1.2.0/255.255.255.0). An optional -ADDR suffix (where ADDR is a
  43            second IPv4 address) indicates an inclusive range of addresses (for
  44            example, 10.1.2.0-10.1.2.255). The / or - can be surrounded by an
  45            arbitrary amount of white space.
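As an added illustration that is not part of the man page, the following Python reduces the three forms of the IPaddr/prefix/range token (CIDR prefix, address/mask pair, inclusive range) to an address interval and tests membership, parsing the NNN suffix with the C number conventions the page describes; the names c_num, AddrSpec and parse_addr_spec are this example's own.

```python
import ipaddress


def c_num(text):
    """Parse a num token as C does: 0x.. is hex, a leading 0 means octal, else decimal."""
    text = text.strip()
    if text.lower().startswith("0x"):
        return int(text[2:], 16)
    if len(text) > 1 and text[0] == "0":
        return int(text, 8)
    return int(text, 10)


def _mask_to_prefix(mask, bits):
    """Turn an address mask (as an int) into a prefix length, rejecting non-contiguous masks."""
    host = mask ^ ((1 << bits) - 1)          # host bits must form a block of trailing ones
    if host & (host + 1):
        raise ValueError(f"non-contiguous mask {mask:#x}")
    return bits - host.bit_length()


class AddrSpec:
    """An IPaddr/prefix/range token reduced to an inclusive [first, last] integer interval."""

    def __init__(self, first, last, version):
        if first > last:
            raise ValueError("range start is after range end")
        self.first, self.last, self.version = first, last, version

    def bounds(self):
        """First and last address of the interval as strings (family-aware)."""
        cls = ipaddress.IPv4Address if self.version == 4 else ipaddress.IPv6Address
        return str(cls(self.first)), str(cls(self.last))

    def contains(self, addr_text):
        addr = ipaddress.ip_address(addr_text.strip())
        return addr.version == self.version and self.first <= int(addr) <= self.last


def parse_addr_spec(token):
    """Parse ADDR, ADDR/NNN (CIDR), ADDR/MASK (address/mask) or ADDR-ADDR (range)."""
    token = "".join(token.split())           # the / or - may be surrounded by white space
    if "-" in token:                          # range form: both endpoints inclusive
        lo, hi = (ipaddress.ip_address(p) for p in token.split("-", 1))
        if lo.version != hi.version:
            raise ValueError("range endpoints must be the same address family")
        return AddrSpec(int(lo), int(hi), lo.version)
    if "/" not in token:                      # bare address: a one-element interval
        addr = ipaddress.ip_address(token)
        return AddrSpec(int(addr), int(addr), addr.version)
    addr_text, suffix = token.split("/", 1)
    addr = ipaddress.ip_address(addr_text)
    bits = addr.max_prefixlen
    try:
        prefix = c_num(suffix)                # /NNN form (note: /010 is octal 8, as in C)
    except ValueError:
        mask = ipaddress.ip_address(suffix)   # /ADDR form: a second address used as mask
        if mask.version != addr.version:
            raise ValueError("mask family does not match address family")
        prefix = _mask_to_prefix(int(mask), bits)
    if not 0 <= prefix <= bits:
        raise ValueError(f"prefix length {prefix} out of range for IPv{addr.version}")
    host_bits = (1 << (bits - prefix)) - 1
    network = int(addr) & ~host_bits          # host bits of the given address are ignored
    return AddrSpec(network, network | host_bits, addr.version)
```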
  46 
  47 
  48        XXX | YYY | ZZZ
  49 
  50            Either the words XXX, YYY, or ZZZ, for example, {yes,no}.
  51 
  52 
  53        p1-id-type
  54 
  55            An IKE phase 1 identity type. IKE phase 1 identity types include:
  56              dn, DN
  57              dns, DNS
  58              fqdn, FQDN
  59              gn, GN
  60              ip, IP
  61              ipv4
  62              ipv4_prefix
  63              ipv4_range
  64              ipv6
  65              ipv6_prefix
  66              ipv6_range
  67              mbox, MBOX
  68              user_fqdn
  69 
  70 
  71        "string"
  72 
  73            A quoted string.
  74 
  75            Examples include: "Label foo", or "C=US, OU=Sun Microsystems\, Inc.,
  76            N=olemcd@eng.example.com"
  77 
  78            A backslash (\) is an escape character. If the string needs an
  79            actual backslash, two must be specified.
  80 
  81 
  82        cert-sel
  83 
  84            A certificate selector, a string which specifies the identities of
  85            zero or more certificates. The specifiers can conform to X.509
  86            naming conventions.
  87 
  88            A cert-sel can also use various shortcuts to match either subject
  89            alternative names, the filename or slot of a certificate in
  90            /etc/inet/ike/publickeys, or even the ISSUER. For example:
  91 
  92              "SLOT=0"
  93              "EMAIL=postmaster@domain.org"
  94              "webmaster@domain.org" # Some just work w/o TYPE=
  95              "IP=10.0.0.1"
  96              "10.21.11.11"          # Some just work w/o TYPE=
  97              "DNS=www.domain.org"
  98              "mailhost.domain.org"  # Some just work w/o TYPE=
  99              "ISSUER=C=US, O=Sun Microsystems\, Inc., CN=Sun CA"
 100 
 101 
 102            Any cert-sel preceded by the character ! indicates a negative
 103            match, that is, not matching this specifier. These are the same
 104            kind of strings used in ikecert(1M).
 105 
 106 
 107        ldap-list
 108 
 109            A quoted, comma-separated list of LDAP servers and ports.
 110 
 111            For example, "ldap1.example.com", "ldap1.example.com:389",
 112            "ldap1.example.com:389,ldap2.example.com".
 113 
 114            The default port for LDAP is 389.
 115 
 116 
 117        parameter-list
 118 
 119            A list of parameters.
 120 
 121 
 122    File Body Entries
 123        There are four main types of entries:
 124 
 125            o      global parameters
 126 
 127            o      IKE phase 1 transform defaults
 128 
 129            o      IKE rule defaults
 130 
 131            o      IKE rules
 132 
 133 
 134        The global parameter entries are as follows:
 135 
 136        cert_root cert-sel
 137 
 138            The X.509 distinguished name of a certificate that is a trusted
 139            root CA certificate. It must be encoded in a file in the
 140            /etc/inet/ike/publickeys directory. It must have a CRL in
 141            /etc/inet/ike/crls. Multiple cert_root parameters aggregate.
 142 
 143 
 144        cert_trust cert-sel
 145 
 146            Specifies an X.509 distinguished name of a certificate that is
 147            self-signed, or has otherwise been verified as trustworthy for
 148            signing IKE exchanges. It must be encoded in a file in
 149            /etc/inet/ike/publickeys. Multiple cert_trust parameters aggregate.
 150 
 151 
 152        expire_timer integer
 153 
 154            The number of seconds to let a not-yet-complete IKE Phase I (Main
 155            Mode) negotiation linger before deleting it. Default value: 300
 156            seconds.
 157 
 158 
 159        ignore_crls
 160 
 161            If this keyword is present in the file, in.iked(1M) ignores
 162            Certificate Revocation Lists (CRLs) for root CAs (as given in
 163            cert_root).
 164 
 165 
 166        ldap_server ldap-list
 167 
 168            A list of LDAP servers to query for certificates. The list can be
 169            additive.
 170 
 171 
 172        pkcs11_path string
 173 
 174            The string that follows is a name of a shared object (.so) that
 175            implements the PKCS#11 standard. The name is passed directly into
 176            dlopen(3C) for linking, with all of the semantics of that library
 177            call.  By default, in.iked(1M) runs the same ISA as the running
 178            kernel, so a library specified using pkcs11_path and an absolute
 179            pathname must match the same ISA as the kernel. One can use the
 180            start/exec SMF property (see svccfg(1M)) to change in.iked's ISA,
 181            but it is not recommended.
 182 
 183            If this setting is not present, the default value is set to
 184            libpkcs11.so.  Most cryptographic providers go through the default
 185            library, and this parameter should only be used if a specialized
 186            provider of IKE-useful cryptographic services cannot interface with
 187            the Solaris Cryptographic Framework. See cryptoadm(1M).
 188 
 189            This option is now deprecated, and may be removed in a future
 190            release.
 191 
 192 
 193        retry_limit integer
 194 
 195            The number of retransmits before any IKE negotiation is aborted.
 196            Default value: 5 times.
 197 
 198 
 199        retry_timer_init integer or float
 200 
 201            The initial interval (in seconds) between retransmits. This
 202            interval is doubled until the retry_timer_max value (see below) is
 203            reached. Default value: 0.5 seconds.
 204 
 205 
 206        retry_timer_max integer or float
 207 
 208            The maximum interval (in seconds) between retransmits. The doubling
 209            retransmit interval stops growing at this limit. Default value: 30
 210            seconds.
 211 
 212            Note -
 213 
 214              This value is never reached with the default configuration. The
 215              longest interval is 8 (0.5 * 2 ^ (5 - 1)) seconds.
 216 
 217 
 218        proxy string
 219 
 220            The string following this keyword must be a URL for an HTTP proxy,
 221            for example, http://proxy:8080.
 222 
 223 
 224        socks string
 225 
 226            The string following this keyword must be a URL for a SOCKS proxy,
 227            for example, socks://socks-proxy.
 228 
 229 
 230        use_http
 231 
 232            If this keyword is present in the file, in.iked(1M) uses HTTP to
 233            retrieve Certificate Revocation Lists (CRLs).
 234 
 235 
 236 
 237        The following IKE phase 1 transform parameters can be prefigured using
 238        file-level defaults. Values specified within any given transform
 239        override these defaults.
 240 
 241 
 242        The IKE phase 1 transform defaults are as follows:
 243 
 244        p1_lifetime_secs num
 245 
 246            The proposed default lifetime, in seconds, of an IKE phase 1
 247            security association (SA).
 248 
 249 
 250        p1_nonce_len num
 251 
 252            The length in bytes of the phase 1 (main mode) nonce data. This
 253            cannot be specified on a per-rule basis.
 254 
 255 
 256 
 257        The following IKE rule parameters can be prefigured using file-level
 258        defaults. Values specified within any given rule override these
 259        defaults, except for parameters that cannot be set on a per-rule basis.
 260 
 261        p2_lifetime_secs num
 262 
 263            The proposed default lifetime, in seconds, of an IKE phase 2
 264            security association (SA). This value is optional. If omitted, a
 265            default value is used.
 266 
 267 
 268        p2_softlife_secs num
 269 
 270            The soft lifetime of a phase 2 SA, in seconds. If this value is
 271            specified, the SA soft expires after the number of seconds
 272            specified by p2_softlife_secs. This causes in.iked to renegotiate a
 273            new phase 2 SA before the original SA expires.
 274 
 275            This value is optional. If omitted, soft expiry occurs after 90% of
 276            the lifetime specified by p2_lifetime_secs. The value specified by
 277            p2_softlife_secs is ignored if p2_lifetime_secs is not specified.
 278 
 279            Setting p2_softlife_secs to the same value as p2_lifetime_secs
 280            disables soft expiry.
 281 
 282 
 283        p2_idletime_secs num
 284 
 285            The idle lifetime of a phase 2 SA, in seconds. If this value is
 286            specified, an SA that is not used for that many seconds expires
 287            and must be revalidated before it can be used again.
 288 
 289 
 290        p2_lifetime_kb num
 291 
 292            The lifetime of an SA can optionally be specified in kilobytes.
 293            This parameter specifies the default value. If lifetimes are
 294            specified in both seconds and kilobytes, the SA expires when either
 295            the seconds or kilobyte thresholds are passed.
 296 
 297 
 298        p2_softlife_kb num
 299 
 300            This value is the number of kilobytes that can be protected by an
 301            SA before a soft expire occurs (see p2_softlife_secs, above).
 302 
 303            This value is optional. If omitted, soft expiry occurs after 90% of
 304            the lifetime specified by p2_lifetime_kb. The value specified by
 305            p2_softlife_kb is ignored if p2_lifetime_kb is not specified.
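The interaction of p2_lifetime_secs, p2_softlife_secs, p2_lifetime_kb, p2_softlife_kb and p2_idletime_secs described above, worked through as an added example (not code from the man page or from in.iked): effective_p2_lifetimes applies the rule-overrides-defaults, 90% default and same-value-disables rules, and sa_state shows that either the seconds or the kilobyte threshold is enough to expire an SA. Both function names are this example's own, and the 90% figure is rounded down to a whole number here, which is an assumption the page does not state.

```python
def effective_p2_lifetimes(file_defaults, rule):
    """Resolve the phase 2 lifetime keywords for one rule.

    file_defaults and rule map keyword -> num as written in ike.config; values in
    the rule override file-level defaults.  In the result, None means "not
    configured" for a hard limit (the kernel default applies) and "soft expiry
    disabled" for a soft limit.
    """
    cfg = {**file_defaults, **rule}
    limits = {}
    for unit in ("secs", "kb"):
        hard = cfg.get(f"p2_lifetime_{unit}")
        soft = cfg.get(f"p2_softlife_{unit}")
        if hard is None:
            soft = None                 # p2_softlife_* is ignored without p2_lifetime_*
        elif soft is None:
            soft = hard * 9 // 10       # default: soft expiry at 90% of the hard lifetime
        elif soft >= hard:
            soft = None                 # same value as the hard lifetime: soft expiry off
        limits[f"hard_{unit}"], limits[f"soft_{unit}"] = hard, soft
    limits["idle_secs"] = cfg.get("p2_idletime_secs")
    return limits


def sa_state(limits, age_secs, kbytes, idle_secs=0):
    """'expired' once any hard or idle limit is reached, 'renegotiate' once any soft
    limit is reached (in.iked would start a new phase 2 SA here), else 'active'."""
    hard = ((limits["hard_secs"], age_secs), (limits["hard_kb"], kbytes),
            (limits["idle_secs"], idle_secs))
    if any(lim is not None and used >= lim for lim, used in hard):
        return "expired"
    soft = ((limits["soft_secs"], age_secs), (limits["soft_kb"], kbytes))
    if any(lim is not None and used >= lim for lim, used in soft):
        return "renegotiate"
    return "active"
```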
 306 
 307 
 308        p2_nonce_len num
 309 
 310            The length in bytes of the phase 2 (quick mode) nonce data. This
 311            cannot be specified on a per-rule basis.
 312 
 313 
 314        local_id_type p1-id-type
 315 
 316            The local identity for IKE requires a type. This identity type is
 317            reflected in the IKE exchange. The type can be one of the
 318            following:
 319 
 320                o      an IP address (for example, 10.1.1.2)
 321 
 322                o      DNS name (for example, test.domain.com)
 323 
 324                o      MBOX RFC 822 name (for example, root@domain.com)
 325 
 326                o      DN X.509 distinguished name (for example, C=US, O=Sun
 327                       Microsystems Inc., CN=Sun Test cert)
 328 
 329 
 330        p1_xform '{' parameter-list '}'
 331 
 332            A phase 1 transform specifies a method for protecting an IKE phase
 333            1 exchange.  An initiator offers up lists of phase 1 transforms,
 334            and a receiver is expected to only accept such an entry if it
 335            matches one in a phase 1 rule. There can be several of these, and
 336            they are additive. There must be either at least one phase 1
 337            transform in a rule or a global default phase 1 transform list. In
 338            a configuration file without a global default phase 1 transform
 339            list, a rule without a phase 1 transform list makes the file invalid.
 340            Unless specified as optional, elements in the parameter-list must
 341            occur exactly once within a given transform's parameter-list:
 342 
 343            oakley_group number
 344 
 345                The Oakley Diffie-Hellman group used for IKE SA key derivation.
 346                The group numbers are defined in RFC 2409, Appendix A, RFC
 347                3526, and RFC 5114, section 3.2. Acceptable values are
 348                currently:
 349                  1 (MODP 768-bit)
 350                  2 (MODP 1024-bit)
 351                  3 (EC2N 155-bit)
 352                  4 (EC2N 185-bit)
 353                  5 (MODP 1536-bit)
 354                  14 (MODP 2048-bit)
 355                  15 (MODP 3072-bit)
 356                  16 (MODP 4096-bit)
 357                  17 (MODP 6144-bit)
 358                  18 (MODP 8192-bit)
 359                  19 (ECP 256-bit)
 360                  20 (ECP 384-bit)
 361                  21 (ECP 521-bit)
 362                  22 (MODP 1024-bit, with 160-bit Prime Order Subgroup)
 363                  23 (MODP 2048-bit, with 224-bit Prime Order Subgroup)
 364                  24 (MODP 2048-bit, with 256-bit Prime Order Subgroup)
 365                  25 (ECP 192-bit)
 366                  26 (ECP 224-bit)
 367 
 368 
 369            encr_alg {3des, 3des-cbc, blowfish, blowfish-cdc, des, des-cbc,
 370            aes, aes-cbc}
 371 
 372                An encryption algorithm, as in ipsecconf(1M). However, of the
 373                ciphers listed above, only aes and aes-cbc allow optional key-
 374                size setting, using the "low value-to-high value" syntax. To
 375                specify a single AES key size, the low value must equal the
 376                high value. If no range is specified, all three AES key sizes
 377                are allowed.
 378 
 379 
 380            auth_alg {md5, sha, sha1, sha256, sha384, sha512}
 381 
 382                An authentication algorithm.
 383 
 384                Use ipsecalgs(1M) with the -l option to list the IPsec
 385                protocols and algorithms currently defined on a system. The
 386                cryptoadm list command displays a list of installed providers
 387                and their mechanisms. See cryptoadm(1M).
 388 
 389 
 390            auth_method {preshared, rsa_sig, rsa_encrypt, dss_sig}
 391 
 392                The authentication method used for IKE phase 1.
 393 
 394 
 395            p1_lifetime_secs num
 396 
 397                Optional. The lifetime for a phase 1 SA.
 398 
 399 
 400 
 401        p2_lifetime_secs num
 402 
 403            If configuring the kernel defaults is not sufficient for different
 404            tasks, this parameter can be used on a per-rule basis to set the
 405            IPsec SA lifetimes in seconds.
 406 
 407 
 408        p2_pfs num
 409 
 410            Use perfect forward secrecy for phase 2 (quick mode). If selected,
 411            the oakley group specified is used for phase 2 PFS. Acceptable
 412            values are:
 413              0 (do not use Perfect Forward Secrecy for IPsec SAs)
 414              1 (768-bit)
 415              2 (1024-bit)
 416              5 (1536-bit)
 417              14 (2048-bit)
 418              15 (3072-bit)
 419              16 (4096-bit)
 420 
 421 
 422 
 423        An IKE rule starts with a left curly brace ({), ends with a right
 424        curly brace (}), and has the following parameters in between:
 425 
 426        label string
 427 
 428            Required parameter. The administrative interface to in.iked looks
 429            up phase 1 policy rules with the label as the search string. The
 430            administrative interface also converts the label into an index,
 431            suitable for an extended ACQUIRE message from PF_KEY - effectively
 432            tying IPsec policy to IKE policy in the case of a node initiating
 433            traffic. Only one label parameter is allowed per rule.
 434 
 435 
 436        local_addr <IPaddr/prefix/range>
 437 
 438            Required parameter. The local address, address prefix, or address
 439            range for this phase 1 rule. Multiple local_addr parameters
 440            accumulate within a given rule.
 441 
 442 
 443        remote_addr <IPaddr/prefix/range>
 444 
 445            Required parameter. The remote address, address prefix, or address
 446            range for this phase 1 rule. Multiple remote_addr parameters
 447            accumulate within a given rule.
 448 
 449 
 450        local_id_type p1-id-type
 451 
 452            Which phase 1 identity type the local node uses. This is needed
 452            because a single
 453            certificate can contain multiple values for use in IKE phase 1.
 454            Within a given rule, all phase 1 transforms must either use
 455            preshared or non-preshared authentication (they cannot be mixed).
 456            For rules with preshared authentication, the local_id_type
 457            parameter is optional, and defaults to IP. For rules which use non-
 458            preshared authentication, the 'local_id_type' parameter is
 459            required. Multiple 'local_id_type' parameters within a rule are not
 460            allowed.
 461 
 462 
 463        local_id cert-sel
 464 
 465            Disallowed for preshared authentication method; required parameter
 466            for non-preshared authentication method. The local identity string
 467            or certificate selector. Only one local identity per rule is used,
 468            the first one stated.
 469 
 470 
 471        remote_id cert-sel
 472 
 473            Disallowed for preshared authentication method; required parameter
 474            for non-preshared authentication method. Selector for which remote
 475            phase 1 identities are allowed by this rule. Multiple remote_id
 476            parameters accumulate within a given rule. If a single empty string
 477            ("") is given, then this accepts any remote ID for phase 1. It is
 478            recommended that certificate trust chains or address enforcement be
 479            configured strictly to prevent a breakdown in security if this
 480            value for remote_id is used.
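An added example, not code from the man page or from in.iked, that ties the Lexical Components section to the remote_id recommendation above: a small Python lexer for the file syntax (unquoted # and // comments, backslash-escaped quoted strings, { } blocks, value-less keywords such as ignore_crls), a parser that collects global parameters and rules, and a lint that reports rules which combine remote_id "" with a remote_addr of /0, and non-preshared rules missing the identity parameters the page marks as required. The constructed SAMPLE and the names tokenize, parse_config and lint_rules are this example's own; address tokens are assumed to be written without internal white space.

```python
import re
# ike.config(4) lexical rules: unquoted # or // starts a comment, a quoted string
# escapes any character with a backslash, { } delimit rules and p1_xform blocks.
TOKEN_RE = re.compile(r'''
      (?P<skip>\s+|(?:\#|//)[^\n]*)
    | (?P<string>"(?:[^"\\]|\\.)*")
    | (?P<brace>[{}])
    | (?P<word>(?:[^\s{}"#/]|/(?!/))+)
''', re.VERBOSE)
FLAG_KEYWORDS = {"ignore_crls", "use_http"}   # global keywords that take no value

def tokenize(text):
    """Yield (kind, value) pairs with comments and white space dropped."""
    pos = 0
    while pos < len(text):
        m = TOKEN_RE.match(text, pos)
        if m is None:
            raise ValueError(f"bad character {text[pos]!r} at offset {pos}")
        pos = m.end()
        if m.lastgroup == "string":   # strip the quotes, resolve backslash escapes
            yield "string", re.sub(r"\\(.)", r"\1", m.group()[1:-1])
        elif m.lastgroup != "skip":
            yield m.lastgroup, m.group()

def _add_param(params, keyword, tokens):
    # Read one keyword's value; a repeated keyword accumulates into its list.
    if keyword in FLAG_KEYWORDS:
        value = True
    elif keyword == "p1_xform":
        if next(tokens, None) != ("brace", "{"):
            raise ValueError("p1_xform must be followed by '{'")
        value = _parse_block(tokens)
    else:
        kind, value = next(tokens, (None, None))
        if kind not in ("word", "string"):
            raise ValueError(f"{keyword}: missing value")
    params.setdefault(keyword, []).append(value)

def _parse_block(tokens):
    # Keyword/value pairs up to the matching '}'.
    params = {}
    for kind, value in tokens:
        if (kind, value) == ("brace", "}"):
            return params
        if kind != "word":
            raise ValueError(f"expected a keyword, got {value!r}")
        _add_param(params, value, tokens)
    raise ValueError("unterminated { ... } block")

def parse_config(text):
    """Return (global_params, rules); each maps keyword -> list of values."""
    globals_, rules, tokens = {}, [], tokenize(text)
    for kind, value in tokens:
        if (kind, value) == ("brace", "{"):
            rules.append(_parse_block(tokens))
        elif kind == "word":
            _add_param(globals_, value, tokens)
        else:
            raise ValueError(f"unexpected {value!r} outside a rule")
    return globals_, rules

def lint_rules(globals_, rules):
    """Flag the rule-level pitfalls ike.config(4) calls out, as (label, message) pairs."""
    findings = []
    for rule in rules:
        label = rule.get("label", ["<no label>"])[0]
        xforms = rule.get("p1_xform") or globals_.get("p1_xform", [])
        if {x.get("auth_method", [None])[0] for x in xforms} - {"preshared"}:
            for key in ("local_id_type", "local_id", "remote_id"):   # required for certs
                if key not in rule:
                    findings.append((label, f"{key} is required for non-preshared authentication"))
        if "" in rule.get("remote_id", []):   # any peer identity accepted: remote_addr must limit it
            for addr in rule.get("remote_addr", []):
                if addr.endswith("/0"):
                    findings.append((label, f'remote_id "" and remote_addr {addr} restricts nothing'))
    return findings

SAMPLE = r'''### constructed sample, modelled on the ike.config(4) examples
cert_root   "C=US, O=Sun Microsystems\, Inc., CN=Sun CA"   # escaped comma in a DN
ignore_crls                                                // keyword with no value
p1_xform { auth_method preshared  oakley_group 5  auth_alg sha  encr_alg 3des }
{
   label "wide open"
   local_id_type ip     local_id "10.1.86.51"
   remote_id ""         # Take any: only remote_addr limits which peers may connect
   local_addr 10.1.86.51
   remote_addr 0.0.0.0/0
   p1_xform { auth_method rsa_sig  oakley_group 14  auth_alg sha256  encr_alg aes }
}
{
   label "scoped"
   local_id_type ip     local_id "10.1.86.51"
   remote_id ""
   local_addr 10.1.86.51
   remote_addr 10.1.80.0/24
   p1_xform { auth_method rsa_sig  oakley_group 14  auth_alg sha256  encr_alg aes }
}
'''
```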
 481 
 482 
 483        p2_lifetime_secs num
 484 
 485            If configuring the kernel defaults is not sufficient for different
 486            tasks, this parameter can be used on a per-rule basis to set the
 487            IPsec SA lifetimes in seconds.
 488 
 489 
 490        p2_pfs num
 491 
 492            Use perfect forward secrecy for phase 2 (quick mode). If selected,
 493            the oakley group specified is used for phase 2 PFS. Acceptable
 494            values are:
 495              0 (do not use Perfect Forward Secrecy for IPsec SAs)
 496              1 (768-bit)
 497              2 (1024-bit)
 498              5 (1536-bit)
 499              14 (2048-bit)
 500              15 (3072-bit)
 501              16 (4096-bit)
 502 
 503 
 504        p1_xform { parameter-list }
 505 
 506            A phase 1 transform specifies a method for protecting an IKE phase
 507            1 exchange.  An initiator offers up lists of phase 1 transforms,
 508            and a receiver is expected to only accept such an entry if it
 509            matches one in a phase 1 rule. There can be several of these, and
 510            they are additive. There must be either at least one phase 1
 511            transform in a rule or a global default phase 1 transform list. An
 512            ike.config file without a global default phase 1 transform list and
 513            a rule without a phase 1 transform list is an invalid file.
 514            Elements within the parameter-list, unless specified as optional,
 515            must occur exactly once within a given transform's parameter-list:
 516 
 517            oakley_group number
 518 
 519                The Oakley Diffie-Hellman group used for IKE SA key derivation.
 520                Acceptable values are currently:
 521                  1 (768-bit)
 522                  2 (1024-bit)
 523                  5 (1536-bit)
 524                  14 (2048-bit)
 525                  15 (3072-bit)
 526                  16 (4096-bit)
 527 
 528 
 529            encr_alg {3des, 3des-cbc, blowfish, blowfish-cdc, des, des-cbc,
 530            aes, aes-cbc}
 531 
 532                An encryption algorithm, as in ipsecconf(1M). However, of the
 533                ciphers listed above, only aes and aes-cbc allow optional key-
 534                size setting, using the "low value-to-high value" syntax. To
 535                specify a single AES key size, the low value must equal the
 536                high value. If no range is specified, all three AES key sizes
 537                are allowed.
 538 
 539 
 540            auth_alg {md5, sha, sha1}
 541 
 542                An authentication algorithm, as specified in ipseckey(1M).
 543 
 544 
 545            auth_method {preshared, rsa_sig, rsa_encrypt, dss_sig}
 546 
 547                The authentication method used for IKE phase 1.
 548 
 549 
 550            p1_lifetime_secs num
 551 
 552                Optional. The lifetime for a phase 1 SA.
 553 
 554 
 555 
 556 EXAMPLES
 557        Example 1 A Sample ike.config File
 558 
 559 
 560        The following is an example of an ike.config file:
 561 
 562 
 563 
 564          ### BEGINNING OF FILE
 565 
 566          ### First some global parameters...
 567 
 568          ### certificate parameters...
 569 
 570          # Root certificates. I SHOULD use a full Distinguished Name.
 571          # I must have this certificate in my local filesystem, see ikecert(1m).
 572          cert_root    "C=US, O=Sun Microsystems\, Inc., CN=Sun CA"
 573 
 574          # Explicitly trusted certs that need no signatures, or perhaps
 575          # self-signed ones. Like root certificates, use full DNs for them
 576          # for now.
 577          cert_trust    "EMAIL=root@domain.org"
 578 
 579          # Where do I send LDAP requests?
 580          ldap_server        "ldap1.domain.org,ldap2.domain.org:389"
 581 
 582          ## phase 1 transform defaults...
 583 
 584          p1_lifetime_secs 14400
 585          p1_nonce_len 20
 586 
 587          ## Parameters that might also show up in rules.
 588 
 589          p1_xform { auth_method preshared oakley_group 5 auth_alg sha
 590                    encr_alg 3des }
 591          p2_pfs 2
 592 
 593 
 594 
 595          ### Now some rules...
 596 
 597          {
 598             label "simple inheritor"
 599             local_id_type ip
 600             local_addr 10.1.1.1
 601             remote_addr 10.1.1.2
 602          }
 603          {
 604             label "simple inheritor IPv6"
 605             local_id_type ipv6
 606             local_addr fe80::a00:20ff:fe7d:6
 607             remote_addr fe80::a00:20ff:fefb:3780
 608          }
 609 
 610          {
 611             # an index-only rule.  If I'm a receiver, and all I
 612             # have are index-only rules, what do I do about inbound IKE requests?
 613             # Answer:  Take them all!
 614 
 615             label "default rule"
 616             # Use whatever "host" (e.g. IP address) identity is appropriate
 617             local_id_type ipv4
 618 
 619             local_addr 0.0.0.0/0
 620             remote_addr 0.0.0.0/0
 621 
 622             p2_pfs 5
 623 
 624             # Now I'm going to have the p1_xforms
 625             p1_xform
 626             {auth_method preshared  oakley_group 5  auth_alg md5  encr_alg \
 627              blowfish }   p1_xform
 628             {auth_method preshared  oakley_group 5  auth_alg md5  encr_alg 3des }
 629 
 630             # After said list, another keyword (or a '}') stops xform
 631             # parsing.
 632          }
 633 
 634          {
 635             # Let's try something a little more conventional.
 636 
 637             label "host to .80 subnet"
 638             local_id_type ip
 639             local_id "10.1.86.51"
 640 
 641             remote_id ""    # Take any, use remote_addr for access control.
 642 
 643             local_addr 10.1.86.51
 644             remote_addr 10.1.80.0/24
 645 
 646             p1_xform
 647             { auth_method rsa_sig  oakley_group 5  auth_alg md5  encr_alg 3des }
 648             p1_xform
 649             { auth_method rsa_sig  oakley_group 5  auth_alg md5  encr_alg \
 650               blowfish }
 651             p1_xform
 652             { auth_method rsa_sig  oakley_group 5  auth_alg sha1  encr_alg 3des }
 653             p1_xform
 654             { auth_method rsa_sig  oakley_group 5  auth_alg sha1  encr_alg \
 655               blowfish }
 656          }
 657 
 658          {
 659             # Let's try something a little more conventional, but with ipv6.
 660 
 661              label "host to fe80::/10 subnet"
 662              local_id_type ip
 663              local_id "fe80::a00:20ff:fe7d:6"
 664 
 665              remote_id ""    # Take any, use remote_addr for access control.
 666 
 667              local_addr fe80::a00:20ff:fe7d:6
 668              remote_addr fe80::/10
 669 
 670              p1_xform
 671              { auth_method rsa_sig  oakley_group 5  auth_alg md5  encr_alg 3des }
 672              p1_xform
 673              { auth_method rsa_sig  oakley_group 5  auth_alg md5  encr_alg \
 674                blowfish }
 675              p1_xform
 676              { auth_method rsa_sig  oakley_group 5  auth_alg sha1  encr_alg \
 677                3des }
 678              p1_xform
 679              { auth_method rsa_sig  oakley_group 5  auth_alg sha1  encr_alg \
 680                blowfish }
 681          }
 682 
 683          {
 684              # How 'bout something with a different cert type and name?
 685 
 686              label "punchin-point"
 687              local_id_type mbox
 688              local_id "ipsec-wizard@domain.org"
 689 
 690              remote_id "10.5.5.128"
 691 
 692              local_addr 0.0.0.0/0
 693              remote_addr 10.5.5.128
 694 
 695              p1_xform
 696              { auth_method rsa_sig oakley_group 5 auth_alg md5 encr_alg \
 697                blowfish }
 698          }
 699 
 700          {
 701             label "receiver side"
 702 
 703             remote_id "ipsec-wizard@domain.org"
 704 
 705             local_id_type ip
 706             local_id "10.5.5.128"
 707 
 708             local_addr 10.5.5.128
 709             remote_addr 0.0.0.0/0
 710 
 711             p1_xform
 712             { auth_method rsa_sig oakley_group 5 auth_alg md5 encr_alg blowfish }
 713             # NOTE:  Specifying preshared null-and-voids the remote_id/local_id
 714             #        fields.
 715             p1_xform
 716             { auth_method preshared oakley_group 5 auth_alg md5 encr_alg \
 717               blowfish}
 718 
 719          }
 720 
 721 
 722 ATTRIBUTES
 723        See attributes(5) for descriptions of the following attributes:
 724 
 725 
 726 
 727 
 728        +--------------------+-----------------+
 729        |  ATTRIBUTE TYPE    | ATTRIBUTE VALUE |
 730        +--------------------+-----------------+
 731        |Interface Stability | Committed       |
 732        +--------------------+-----------------+
 733 
 734 SEE ALSO
 735        cryptoadm(1M), ikeadm(1M), in.iked(1M), ikecert(1M), ipseckey(1M),
 736        ipsecalgs(1M), ipsecconf(1M), svccfg(1M), dlopen(3C), attributes(5),
 737        random(7D)
 738 
 739 
 740        Harkins, Dan and Carrel, Dave. RFC 2409, Internet Key Exchange (IKE).
 741        Cisco Systems, November 1998.
 742 
 743 
 744        Maughan, Douglas et al. RFC 2408, Internet Security Association and
 745        Key Management Protocol (ISAKMP). National Security Agency, Ft. Meade,
 746        MD.  November 1998.
 747 
 748 
 749        Piper, Derrell. RFC 2407, The Internet IP Security Domain of
 750        Interpretation for ISAKMP. Network Alchemy. Santa Cruz, California.
 751        November 1998.
 752 
 753 
 754        Kivinen, T. RFC 3526, More Modular Exponential (MODP) Diffie-Hellman
 755        Groups for Internet Key Exchange (IKE). The Internet Society, Network
 756        Working Group. May 2003.
 757 
 758 
 759        Lepinski, M. and Kent, S. RFC 5114, Additional Diffie-Hellman Groups
 760        for Use with IETF Standards. BBN Technologies, January 2008.
 761 
 762 
 763        Fu, D. and Solinas, J. RFC 5903, Elliptic Curve Groups modulo a Prime
 764        (ECP Groups) for IKE and IKEv2. NSA, June 2010.
 765 
 766 
 767 
 768                                 April 27, 2009                   IKE.CONFIG(4)