          o  MBOX  RFC 822 name (for example, root@domain.com)

          o  DN    X.509 distinguished name (for example, C=US, O=Sun
                   Microsystems, Inc., CN=Sun Test cert)


     p1_xform '{' parameter-list '}'
          A phase 1 transform specifies a method for protecting an IKE
          phase 1 exchange. An initiator offers up lists of phase 1
          transforms, and a receiver accepts an offered entry only if it
          matches one in a phase 1 rule. There can be several of these,
          and they are additive. There must be either at least one phase
          1 transform in a rule or a global default phase 1 transform
          list. A configuration file that has no global default phase 1
          transform list and contains a rule with no phase 1 transform
          list is invalid. Unless specified as optional, elements in the
          parameter-list must occur exactly once within a given
          transform's parameter-list:

          oakley_group number
               The Oakley Diffie-Hellman group used for IKE SA key
               derivation. The group numbers are defined in RFC 2409,
               Appendix A, and RFC 3526. Acceptable values are currently:
                    1  (768-bit)
                    2  (1024-bit)
                    5  (1536-bit)
                    14 (2048-bit)
                    15 (3072-bit)
                    16 (4096-bit)


          encr_alg {3des, 3des-cbc, blowfish, blowfish-cbc, des, des-cbc,
                    aes, aes-cbc}
               An encryption algorithm, as in ipsecconf(1M). However, of
               the ciphers listed above, only aes and aes-cbc allow an
               optional key-size setting, using the "low value-to-high
               value" syntax. To specify a single AES key size, the low
               value must equal the high value. If no range is specified,
               all three AES key sizes (128, 192, and 256 bits) are
               allowed.


          auth_alg {md5, sha, sha1, sha256, sha384, sha512}
               The hash algorithm used, as an HMAC, to authenticate the
               phase 1 exchange and derive its keys; sha and sha1 both
               select SHA-1.

          Use ipsecalgs(1M) with the -l option to list the IPsec protocols
          and algorithms currently defined on a system. The cryptoadm
          list command displays a list of installed providers and their
          mechanisms. See cryptoadm(1M).


     Harkins, Dan and Carrel, Dave. RFC 2409, Internet Key Exchange (IKE).
     Cisco Systems, November 1998.

     Maughan, Douglas et al. RFC 2408, Internet Security Association and
     Key Management Protocol (ISAKMP). National Security Agency, Ft. Meade,
     MD. November 1998.

     Piper, Derrell. RFC 2407, The Internet IP Security Domain of
     Interpretation for ISAKMP. Network Alchemy. Santa Cruz, California.
     November 1998.

     Kivinen, T. and Kojo, M. RFC 3526, More Modular Exponential (MODP)
     Diffie-Hellman Groups for Internet Key Exchange (IKE). The Internet
     Society, Network Working Group. May 2003.



April 27, 2009                                                  IKE.CONFIG(4)
|
          o  MBOX  RFC 822 name (for example, root@domain.com)

          o  DN    X.509 distinguished name (for example, C=US, O=Sun
                   Microsystems, Inc., CN=Sun Test cert)


     p1_xform '{' parameter-list '}'
          A phase 1 transform specifies a method for protecting an IKE
          phase 1 exchange. An initiator offers up lists of phase 1
          transforms, and a receiver accepts an offered entry only if it
          matches one in a phase 1 rule. There can be several of these,
          and they are additive. There must be either at least one phase
          1 transform in a rule or a global default phase 1 transform
          list. A configuration file that has no global default phase 1
          transform list and contains a rule with no phase 1 transform
          list is invalid. Unless specified as optional, elements in the
          parameter-list must occur exactly once within a given
          transform's parameter-list:

          oakley_group number
               The Oakley Diffie-Hellman group used for IKE SA key
               derivation. The group numbers are defined in RFC 2409,
               Appendix A, RFC 3526, and RFC 5114, section 3.2.
               Acceptable values are currently:
                    1  (MODP 768-bit)
                    2  (MODP 1024-bit)
                    3  (EC2N 155-bit)
                    4  (EC2N 185-bit)
                    5  (MODP 1536-bit)
                    14 (MODP 2048-bit)
                    15 (MODP 3072-bit)
                    16 (MODP 4096-bit)
                    17 (MODP 6144-bit)
                    18 (MODP 8192-bit)
                    19 (ECP 256-bit)
                    20 (ECP 384-bit)
                    21 (ECP 521-bit)
                    22 (MODP 1024-bit, with 160-bit Prime Order Subgroup)
                    23 (MODP 2048-bit, with 224-bit Prime Order Subgroup)
                    24 (MODP 2048-bit, with 256-bit Prime Order Subgroup)
                    25 (ECP 192-bit)
                    26 (ECP 224-bit)
               Groups 1 and 2 (768- and 1024-bit MODP) are too small for
               current use; configure group 14 or larger, or one of the
               ECP groups, unless a peer can negotiate nothing stronger.


          encr_alg {3des, 3des-cbc, blowfish, blowfish-cbc, des, des-cbc,
                    aes, aes-cbc}
               An encryption algorithm, as in ipsecconf(1M). However, of
               the ciphers listed above, only aes and aes-cbc allow an
               optional key-size setting, using the "low value-to-high
               value" syntax. To specify a single AES key size, the low
               value must equal the high value. If no range is specified,
               all three AES key sizes (128, 192, and 256 bits) are
               allowed. des and des-cbc (56-bit keys) are obsolete and
               should not be configured where a peer supports anything
               stronger.


          auth_alg {md5, sha, sha1, sha256, sha384, sha512}
               The hash algorithm used, as an HMAC, to authenticate the
               phase 1 exchange and derive its keys; sha and sha1 both
               select SHA-1. md5 is deprecated; prefer sha256 or
               stronger.

          Use ipsecalgs(1M) with the -l option to list the IPsec protocols
          and algorithms currently defined on a system. The cryptoadm
          list command displays a list of installed providers and their
          mechanisms. See cryptoadm(1M).

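          The following validator is an added example, not code from this
          page or from the Solaris IKE daemon. It parses the p1_xform
          blocks of an ike.config-style fragment and checks them against
          the rules stated above: every parameter exactly once, an
          acceptable oakley_group, a key-size range only on aes and
          aes-cbc with the low value equal to the high value for a single
          size, and a rule without its own transform list only when a
          global default list exists. It assumes the parenthesised
          aes(low..high) spelling of the key-size range, following
          ipsecconf(1M), and treats auth_method and remote_addr as
          ike.config keywords that this excerpt does not show; the two
          configuration fragments it runs over are constructed for the
          example.

```python
"""Validator for ike.config(4) p1_xform entries, built from the rules stated above.
Added example, not code from the page or from the Solaris/OpenSolaris IKE daemon.
Assumed: aes(low..high) spelling as in ipsecconf(1M); auth_method and remote_addr
are ike.config keywords that this excerpt does not show."""
import re

OAKLEY_GROUPS = {1, 2, 3, 4, 5, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26}
ENCR_ALGS = {"3des", "3des-cbc", "blowfish", "blowfish-cbc", "des", "des-cbc", "aes", "aes-cbc"}
AUTH_ALGS = {"md5", "sha", "sha1", "sha256", "sha384", "sha512"}
AES_KEY_SIZES = (128, 192, 256)
REQUIRED = ("auth_method", "oakley_group", "encr_alg", "auth_alg")   # each exactly once
_ENCR = re.compile(r"^([a-z0-9-]+)(?:\((\d+)\.\.(\d+)\))?$")        # alg or alg(low..high)


def parse_config(text):
    """Split a fragment into (global_xforms, rules); each rule is the list of its own xforms."""
    tokens = re.findall(r'\{|\}|"[^"]*"|\S+', re.sub(r"#.*", "", text))
    global_xforms, rules, rule, i = [], [], None, 0
    while i < len(tokens):
        if tokens[i] == "p1_xform":                       # p1_xform { key value key value ... }
            end = tokens.index("}", i + 2)
            body = tokens[i + 2:end]
            if tokens[i + 1] != "{" or len(body) % 2:
                raise ValueError("malformed p1_xform at token %d" % i)
            params = {}
            for key, value in zip(body[0::2], body[1::2]):
                params.setdefault(key, []).append(value)  # duplicates kept for the once-only check
            (global_xforms if rule is None else rule).append(params)
            i = end + 1
        elif tokens[i] == "{":                            # a rule block opens
            rule, i = [], i + 1
        elif tokens[i] == "}" and rule is not None:       # a rule block closes
            rules.append(rule)
            rule, i = None, i + 1
        else:
            i += 1                                        # other rule keywords are not checked here
    return global_xforms, rules


def parse_encr_alg(spec):
    """Return (alg, key_sizes) for one encr_alg value, or raise ValueError if it breaks a rule."""
    m = _ENCR.match(spec)
    if not m or m.group(1) not in ENCR_ALGS:
        raise ValueError("unknown or malformed encr_alg %s" % spec)
    alg, low, high = m.groups()
    is_aes = alg in ("aes", "aes-cbc")
    if low is not None and not is_aes:                    # only AES takes a key-size range
        raise ValueError("%s does not take a key-size range" % alg)
    if low is None:                                       # no range: AES allows all three sizes
        return alg, AES_KEY_SIZES if is_aes else None
    low, high = int(low), int(high)
    if low > high or low not in AES_KEY_SIZES or high not in AES_KEY_SIZES:
        raise ValueError("bad AES key-size range %d..%d (low <= high, each 128/192/256)" % (low, high))
    return alg, tuple(s for s in AES_KEY_SIZES if low <= s <= high)   # low == high selects one size


def validate_xform(params):
    """Problems with one transform's parameter-list; an empty list means acceptable."""
    first = lambda name: params.get(name, [None])[0]
    problems = ["%s must occur exactly once (found %d)" % (n, len(params.get(n, [])))
                for n in REQUIRED if len(params.get(n, [])) != 1]
    problems += ["unknown parameter %s" % n for n in params if n not in REQUIRED]
    group = first("oakley_group")
    if group is not None and (not group.isdigit() or int(group) not in OAKLEY_GROUPS):
        problems.append("oakley_group %s is not an acceptable group" % group)
    if first("auth_alg") not in AUTH_ALGS | {None}:
        problems.append("unknown auth_alg %s" % first("auth_alg"))
    try:
        if first("encr_alg") is not None:
            parse_encr_alg(first("encr_alg"))
    except ValueError as err:
        problems.append(str(err))
    return problems


def validate_config(text):
    """Every problem in a fragment, tagged with where it occurs; an empty list means valid."""
    global_xforms, rules = parse_config(text)
    problems = ["global p1_xform #%d: %s" % (i + 1, p)
                for i, x in enumerate(global_xforms) for p in validate_xform(x)]
    for n, xforms in enumerate(rules, 1):
        if not xforms and not global_xforms:              # the invalid-file case from the text
            problems.append("rule #%d: no phase 1 transform and no global default list" % n)
        problems += ["rule #%d p1_xform #%d: %s" % (n, i + 1, p)
                     for i, x in enumerate(xforms) for p in validate_xform(x)]
    return problems


GOOD_CONFIG = """
## Constructed sample. Global default list: offered in order, additive.
p1_xform { auth_method rsa_sig oakley_group 14 auth_alg sha256 encr_alg aes(128..256) }
p1_xform { auth_method preshared oakley_group 5 auth_alg sha1 encr_alg 3des }
{ remote_addr 10.1.1.2
  p1_xform { auth_method rsa_sig oakley_group 19 auth_alg sha384 encr_alg aes(256..256) } }
{ remote_addr 10.1.1.3 }
"""
BAD_CONFIG = """
## Constructed sample: no global list, and each transform breaks a stated rule.
{ remote_addr 10.1.1.4
  p1_xform { auth_method preshared oakley_group 13 auth_alg sha256 encr_alg 3des(128..128) }
  p1_xform { auth_method preshared oakley_group 14 oakley_group 5 auth_alg sha256 encr_alg aes(256..128) } }
{ remote_addr 10.1.1.5 }
"""
```

          validate_config(GOOD_CONFIG) returns an empty list: the second
          rule has no transform list of its own but falls back to the
          global default list. validate_config(BAD_CONFIG) returns five
          problems, four for the two broken transforms in the first rule
          and one for the second rule, which has nothing to offer and no
          global list to fall back on.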

     Harkins, Dan and Carrel, Dave. RFC 2409, Internet Key Exchange (IKE).
     Cisco Systems, November 1998.

     Maughan, Douglas et al. RFC 2408, Internet Security Association and
     Key Management Protocol (ISAKMP). National Security Agency, Ft. Meade,
     MD. November 1998.

     Piper, Derrell. RFC 2407, The Internet IP Security Domain of
     Interpretation for ISAKMP. Network Alchemy. Santa Cruz, California.
     November 1998.

     Kivinen, T. and Kojo, M. RFC 3526, More Modular Exponential (MODP)
     Diffie-Hellman Groups for Internet Key Exchange (IKE). The Internet
     Society, Network Working Group. May 2003.

     Lepinski, M. and Kent, S. RFC 5114, Additional Diffie-Hellman Groups
     for Use with IETF Standards. BBN Technologies, January 2008.



April 27, 2009                                                  IKE.CONFIG(4)
|