5782 ike.config(4) needs additional oakley_group numbers
--- old/usr/src/man/man4/ike.config.4.man.txt
+++ new/usr/src/man/man4/ike.config.4.man.txt
1 1 IKE.CONFIG(4) File Formats IKE.CONFIG(4)
2 2
3 3
4 4
5 5 NAME
6 6 ike.config - configuration file for IKE policy
7 7
8 8 SYNOPSIS
9 9 /etc/inet/ike/config
10 10
11 11
12 12 DESCRIPTION
13 13 The /etc/inet/ike/config file contains rules for matching inbound IKE
14 14 requests. It also contains rules for preparing outbound IKE requests.
15 15
16 16
17 17 You can test the syntactic correctness of an /etc/inet/ike/config file
18 18 by using the -c or -f options of in.iked(1M). You must use the -c option
19 19 to test a config file. You might need to use the -f option if it is not
20 20 in /etc/inet/ike/config.
21 21
22 22 Lexical Components
23 23 On any line, an unquoted # character introduces a comment. The
24 24 remainder of that line is ignored. Additionally, on any line, an
25 25 unquoted // sequence introduces a comment. The remainder of that line
26 26 is ignored.
27 27
28 28
29 29 There are several types of lexical tokens in the ike.config file:
30 30
31 31 num
32 32 A decimal, hex, or octal number representation is as in 'C'.
33 33
34 34
35 35 IPaddr/prefix/range
36 36 An IPv4 or IPv6 address with an optional /NNN suffix, (where NNN is
37 37 a num) that indicates an address (CIDR) prefix (for example,
38 38 10.1.2.0/24). An optional /ADDR suffix (where ADDR is a second IP
39 39 address) indicates an address/mask pair (for example,
40 40 10.1.2.0/255.255.255.0). An optional -ADDR suffix (where ADDR is a
41 41 second IPv4 address) indicates an inclusive range of addresses (for
42 42 example, 10.1.2.0-10.1.2.255). The / or - can be surrounded by an
43 43 arbitrary amount of white space.
44 44
45 45
46 46 XXX | YYY | ZZZ
47 47 Either the words XXX, YYY, or ZZZ, for example, {yes,no}.
48 48
49 49
50 50 p1-id-type
51 51 An IKE phase 1 identity type. IKE phase 1 identity types include:
52 52 dn, DN
53 53 dns, DNS
54 54 fqdn, FQDN
55 55 gn, GN
56 56 ip, IP
57 57 ipv4
58 58 ipv4_prefix
59 59 ipv4_range
60 60 ipv6
61 61 ipv6_prefix
62 62 ipv6_range
63 63 mbox, MBOX
64 64 user_fqdn
65 65
66 66
67 67 "string"
68 68 A quoted string.
69 69
70 70 Examples include:"Label foo", or "C=US, OU=Sun Microsystems\, Inc.,
71 71 N=olemcd@eng.example.com"
72 72
73 73 A backslash (\) is an escape character. If the string needs an
74 74 actual backslash, two must be specified.
75 75
76 76
77 77 cert-sel
78 78 A certificate selector, a string which specifies the identities of
79 79 zero or more certificates. The specifiers can conform to X.509
80 80 naming conventions.
81 81
82 82 A cert-sel can also use various shortcuts to match either subject
83 83 alternative names, the filename or slot of a certificate in
84 84 /etc/inet/ike/publickeys, or even the ISSUER. For example:
85 85
86 86 "SLOT=0"
87 87 "EMAIL=postmaster@domain.org"
88 88 "webmaster@domain.org" # Some just work w/o TYPE=
89 89 "IP=10.0.0.1"
90 90 "10.21.11.11" # Some just work w/o TYPE=
91 91 "DNS=www.domain.org"
92 92 "mailhost.domain.org" # Some just work w/o TYPE=
93 93 "ISSUER=C=US, O=Sun Microsystems\, Inc., CN=Sun CA"
94 94
95 95
96 96 Any cert-sel preceded by the character ! indicates a negative match,
97 97 that is, not matching this specifier. These are the same kind of
98 98 strings used in ikecert(1M).
99 99
100 100
101 101 ldap-list
102 102 A quoted, comma-separated list of LDAP servers and ports.
103 103
104 104 For example, "ldap1.example.com", "ldap1.example.com:389",
105 105 "ldap1.example.com:389,ldap2.example.com".
106 106
107 107 The default port for LDAP is 389.
108 108
109 109
110 110 parameter-list
111 111 A list of parameters.
112 112
113 113
114 114 File Body Entries
115 115 There are four main types of entries:
116 116
117 117 o global parameters
118 118
119 119 o IKE phase 1 transform defaults
120 120
121 121 o IKE rule defaults
122 122
123 123 o IKE rules
124 124
125 125
126 126 The global parameter entries are as follows:
127 127
128 128 cert_root cert-sel
129 129 The X.509 distinguished name of a certificate that is a trusted
130 130 root CA certificate.It must be encoded in a file in the
131 131 /etc/inet/ike/publickeys directory. It must have a CRL in
132 132 /etc/inet/ike/crls. Multiple cert_root parameters aggregate.
133 133
134 134
135 135 cert_trust cert-sel
136 136 Specifies an X.509 distinguished name of a certificate that is
137 137 self-signed, or has otherwise been verified as trustworthy for
138 138 signing IKE exchanges. It must be encoded in a file in
139 139 /etc/inet/ike/publickeys. Multiple cert_trust parameters aggregate.
140 140
141 141
142 142 expire_timer integer
143 143 The number of seconds to let a not-yet-complete IKE Phase I (Main
144 144 Mode) negotiation linger before deleting it. Default value: 300
145 145 seconds.
146 146
147 147
148 148 ignore_crls
149 149 If this keyword is present in the file, in.iked(1M) ignores
150 150 Certificate Revocation Lists (CRLs) for root CAs (as given in
151 151 cert_root)
152 152
153 153
154 154 ldap_server ldap-list
155 155 A list of LDAP servers to query for certificates. The list can be
156 156 additive.
157 157
158 158
159 159 pkcs11_path string
160 160 The string that follows is a name of a shared object (.so) that
161 161 implements the PKCS#11 standard. The name is passed directly into
162 162 dlopen(3C) for linking, with all of the semantics of that library
163 163 call. By default, in.iked(1M) runs the same ISA as the running
164 164 kernel, so a library specified using pkcs11_path and an absolute
165 165 pathname must match the same ISA as the kernel. One can use the
166 166 start/exec SMF property (see svccfg(1M)) to change in.iked's ISA,
167 167 but it is not recommended.
168 168
169 169 If this setting is not present, the default value is set to
170 170 libpkcs11.so. Most cryptographic providers go through the default
171 171 library, and this parameter should only be used if a specialized
172 172 provider of IKE-useful cryptographic services cannot interface with
173 173 the Solaris Cryptographic Framework. See cryptoadm(1M).
174 174
175 175 This option is now deprecated, and may be removed in a future
176 176 release.
177 177
178 178
179 179 retry_limit integer
180 180 The number of retransmits before any IKE negotiation is aborted.
181 181 Default value: 5 times.
182 182
183 183
184 184 retry_timer_init integer or float
185 185 The initial interval (in seconds) between retransmits. This
186 186 interval is doubled until the retry_timer_max value (see below) is
187 187 reached. Default value: 0.5 seconds.
188 188
189 189
190 190 retry_timer_max integer or float
191 191 The maximum interval (in seconds) between retransmits. The doubling
192 192 retransmit interval stops growing at this limit. Default value: 30
193 193 seconds.
194 194
195 195 Note -
196 196
197 197 This value is never reached with the default configuration. The
198 198 longest interval is 8 (0.5 * 2 ^ (5 - 1)) seconds.
199 199
200 200
201 201 proxy string
202 202 The string following this keyword must be a URL for an HTTP proxy,
203 203 for example, http://proxy:8080.
204 204
205 205
206 206 socks string
207 207 The string following this keyword must be a URL for a SOCKS proxy,
208 208 for example, socks://socks-proxy.
209 209
210 210
211 211 use_http
212 212 If this keyword is present in the file, in.iked(1M) uses HTTP to
213 213 retrieve Certificate Revocation Lists (CRLs).
214 214
215 215
216 216
217 217 The following IKE phase 1 transform parameters can be prefigured using
218 218 file-level defaults. Values specified within any given transform
219 219 override these defaults.
220 220
221 221
222 222 The IKE phase 1 transform defaults are as follows:
223 223
224 224 p1_lifetime_secs num
225 225 The proposed default lifetime, in seconds, of an IKE phase 1
226 226 security association (SA).
227 227
228 228
229 229 p1_nonce_len num
230 230 The length in bytes of the phase 1 (quick mode) nonce data. This
231 231 cannot be specified on a per-rule basis.
232 232
233 233
234 234
235 235 The following IKE rule parameters can be prefigured using file-level
236 236 defaults. Values specified within any given rule override these
237 237 defaults, unless a rule cannot.
238 238
239 239 p2_lifetime_secs num
240 240 The proposed default lifetime, in seconds, of an IKE phase 2
241 241 security association (SA). This value is optional. If omitted, a
242 242 default value is used.
243 243
244 244
245 245 p2_softlife_secs num
246 246 The soft lifetime of a phase 2 SA, in seconds. If this value is
247 247 specified, the SA soft expires after the number of seconds
248 248 specified by p2_softlife_secs. This causes in.iked to renegotiate a
249 249 new phase 2 SA before the original SA expires.
250 250
251 251 This value is optional, if omitted soft expiry occurs after 90% of
252 252 the lifetime specified by p2_lifetime_secs. The value specified by
253 253 p2_softlife_secs is ignored if p2_lifetime_secs is not specified.
254 254
255 255 Setting p2_softlife_secs to the same value as p2_lifetime_secs
256 256 disables soft expires.
257 257
258 258
259 259 p2_idletime_secs num
260 260 The idle lifetime of a phase 2 SA, in seconds. If the value is
261 261 specified, the value specifies the lifetime of the SA, if the
262 262 security association is not used before the SA is revalidated.
263 263
264 264
265 265 p2_lifetime_kb num
266 266 The lifetime of an SA can optionally be specified in kilobytes.
267 267 This parameter specifies the default value. If lifetimes are
268 268 specified in both seconds and kilobytes, the SA expires when either
269 269 the seconds or kilobyte threshholds are passed.
270 270
271 271
272 272 p2_softlife_kb num
273 273 This value is the number of kilobytes that can be protected by an
274 274 SA before a soft expire occurs (see p2_softlife_secs, above).
275 275
276 276 This value is optional. If omitted, soft expiry occurs after 90% of
277 277 the lifetime specified by p2_lifetime_kb. The value specified by
278 278 p2_softlife_kb is ignored if p2_lifetime_kb is not specified.
279 279
280 280
281 281 p2_nonce_len num
282 282 The length in bytes of the phase 2 (quick mode) nonce data. This
283 283 cannot be specified on a per-rule basis.
284 284
285 285
286 286 local_id_type p1-id-type
287 287 The local identity for IKE requires a type. This identity type is
288 288 reflected in the IKE exchange. The type can be one of the
289 289 following:
290 290
291 291 o an IP address (for example, 10.1.1.2)
292 292
293 293 o DNS name (for example, test.domain.com)
294 294
295 295 o MBOX RFC 822 name (for example, root@domain.com)
296 296
297 297 o DNX.509 distinguished name (for example, C=US, O=Sun
298 298 Microsystems, Inc., CN=Sun Test cert)
299 299
300 300
301 301 p1_xform '{' parameter-list '}
302 302 A phase 1 transform specifies a method for protecting an IKE phase
303 303 1 exchange. An initiator offers up lists of phase 1 transforms,
304 304 and a receiver is expected to only accept such an entry if it
305 305 matches one in a phase 1 rule. There can be several of these, and
306 306 they are additive. There must be either at least one phase 1
307 307 transform in a rule or a global default phase 1 transform list. In
308 308 a configuration file without a global default phase 1 transform
309 309 list and a rule without a phase, transform list is an invalid file.
310 310 Unless specified as optional, elements in the parameter-list must
311 311 occur exactly once within a given transform's parameter-list:
312 312
313 313 oakley_group number
314 314 The Oakley Diffie-Hellman group used for IKE SA key derivation.
315 - The group numbers are defined in RFC 2409, Appendix A, and RFC
316 - 3526. Acceptable values are currently:
317 - 1 (768-bit)
318 - 2 (1024-bit)
319 - 5 (1536-bit)
320 - 14 (2048-bit)
321 - 15 (3072-bit)
322 - 16 (4096-bit)
315 + The group numbers are defined in RFC 2409, Appendix A, RFC
316 + 3526, and RFC 5114, section 3.2. Acceptable values are
317 + currently:
318 + 1 (MODP 768-bit)
319 + 2 (MODP 1024-bit)
320 + 3 (EC2N 155-bit)
321 + 4 (EC2N 185-bit)
322 + 5 (MODP 1536-bit)
323 + 14 (MODP 2048-bit)
324 + 15 (MODP 3072-bit)
325 + 16 (MODP 4096-bit)
326 + 17 (MODP 6144-bit)
327 + 18 (MODP 8192-bit)
328 + 19 (ECP 256-bit)
329 + 20 (ECP 384-bit)
330 + 21 (ECP 521-bit)
331 + 22 (MODP 1024-bit, with 160-bit Prime Order Subgroup)
332 + 23 (MODP 2048-bit, with 224-bit Prime Order Subgroup)
333 + 24 (MODP 2048-bit, with 256-bit Prime Order Subgroup)
334 + 25 (ECP 192-bit)
335 + 26 (ECP 224-bit)
323 336
324 337
325 338 encr_alg {3des, 3des-cbc, blowfish, blowfish-cdc, des, des-cbc, aes,
326 339 aes-cbc}
327 340 An encryption algorithm, as in ipsecconf(1M). However, of the
328 341 ciphers listed above, only aes and aes-cbc allow optional key-
329 342 size setting, using the "low value-to-high value" syntax. To
330 343 specify a single AES key size, the low value must equal the
331 344 high value. If no range is specified, all three AES key sizes
332 345 are allowed.
333 346
334 347
335 348 auth_alg {md5, sha, sha1, sha256, sha384, sha512}
336 349 An authentication algorithm.
337 350
338 351 Use ipsecalgs(1M) with the -l option to list the IPsec protocols
339 352 and algorithms currently defined on a system. The cryptoadm
340 353 list command diplays a list of installed providers and their
341 354 mechanisms. See cryptoadm(1M).
342 355
343 356
344 357 auth_method {preshared, rsa_sig, rsa_encrypt, dss_sig}
345 358 The authentication method used for IKE phase 1.
346 359
347 360
348 361 p1_lifetime_secs num
349 362 Optional. The lifetime for a phase 1 SA.
350 363
351 364
352 365
353 366 p2_lifetime_secs num
354 367 If configuring the kernel defaults is not sufficient for different
355 368 tasks, this parameter can be used on a per-rule basis to set the
356 369 IPsec SA lifetimes in seconds.
357 370
358 371
359 372 p2_pfs num
360 373 Use perfect forward secrecy for phase 2 (quick mode). If selected,
361 374 the oakley group specified is used for phase 2 PFS. Acceptable
362 375 values are:
363 376 0 (do not use Perfect Forward Secrecy for IPsec SAs)
364 377 1 (768-bit)
365 378 2 (1024-bit)
366 379 5 (1536-bit)
367 380 14 (2048-bit)
368 381 15 (3072-bit)
369 382 16 (4096-bit)
370 383
371 384
372 385
373 386 An IKE rule starts with a right-curly-brace ({), ends with a left-curly-
374 387 brace (}), and has the following parameters in between:
375 388
376 389 label string
377 390 Required parameter. The administrative interface to in.iked looks
378 391 up phase 1 policy rules with the label as the search string. The
379 392 administrative interface also converts the label into an index,
380 393 suitable for an extended ACQUIRE message from PF_KEY - effectively
381 394 tying IPsec policy to IKE policy in the case of a node initiating
382 395 traffic. Only one label parameter is allowed per rule.
383 396
384 397
385 398 local_addr <IPaddr/prefix/range>
386 399 Required parameter. The local address, address prefix, or address
387 400 range for this phase 1 rule. Multiple local_addr parameters
388 401 accumulate within a given rule.
389 402
390 403
391 404 remote_addr <IPaddr/prefix/range>
392 405 Required parameter. The remote address, address prefix, or address
393 406 range for this phase 1 rule. Multiple remote_addr parameters
394 407 accumulate within a given rule.
395 408
396 409
397 410 local_id_type p1-id-type
398 411 Which phase 1 identity type I uses. This is needed because a single
399 412 certificate can contain multiple values for use in IKE phase 1.
400 413 Within a given rule, all phase 1 transforms must either use
401 414 preshared or non-preshared authentication (they cannot be mixed).
402 415 For rules with preshared authentication, the local_id_type
403 416 parameter is optional, and defaults to IP. For rules which use non-
404 417 preshared authentication, the 'local_id_type' parameter is
405 418 required. Multiple 'local_id_type' parameters within a rule are not
406 419 allowed.
407 420
408 421
409 422 local_id cert-sel
410 423 Disallowed for preshared authentication method; required parameter
411 424 for non-preshared authentication method. The local identity string
412 425 or certificate selector. Only one local identity per rule is used,
413 426 the first one stated.
414 427
415 428
416 429 remote_id cert-sel
417 430 Disallowed for preshared authentication method; required parameter
418 431 for non-preshared authentication method. Selector for which remote
419 432 phase 1 identities are allowed by this rule. Multiple remote_id
420 433 parameters accumulate within a given rule. If a single empty string
421 434 ("") is given, then this accepts any remote ID for phase 1. It is
422 435 recommended that certificate trust chains or address enforcement be
423 436 configured strictly to prevent a breakdown in security if this
424 437 value for remote_id is used.
425 438
426 439
427 440 p2_lifetime_secs num
428 441 If configuring the kernel defaults is not sufficient for different
429 442 tasks, this parameter can be used on a per-rule basis to set the
430 443 IPsec SA lifetimes in seconds.
431 444
432 445
433 446 p2_pfs num
434 447 Use perfect forward secrecy for phase 2 (quick mode). If selected,
435 448 the oakley group specified is used for phase 2 PFS. Acceptable
436 449 values are:
437 450 0 (do not use Perfect Forward Secrecy for IPsec SAs)
438 451 1 (768-bit)
439 452 2 (1024-bit)
440 453 5 (1536-bit)
441 454 14 (2048-bit)
442 455 15 (3072-bit)
443 456 16 (4096-bit)
444 457
445 458
446 459 p1_xform { parameter-list }
447 460 A phase 1 transform specifies a method for protecting an IKE phase
448 461 1 exchange. An initiator offers up lists of phase 1 transforms,
449 462 and a receiver is expected to only accept such an entry if it
450 463 matches one in a phase 1 rule. There can be several of these, and
451 464 they are additive. There must be either at least one phase 1
452 465 transform in a rule or a global default phase 1 transform list. A
453 466 ike.config file without a global default phase 1transform list and
454 467 a rule without a phase 1 transform list is an invalid file.
455 468 Elements within the parameter-list; unless specified as optional,
456 469 must occur exactly once within a given transform's parameter-list:
457 470
458 471 oakley_group number
459 472 The Oakley Diffie-Hellman group used for IKE SA key derivation.
460 473 Acceptable values are currently:
461 474 1 (768-bit)
462 475 2 (1024-bit)
463 476 5 (1536-bit)
464 477 14 (2048-bit)
465 478 15 (3072-bit)
466 479 16 (4096-bit)
467 480
468 481
469 482 encr_alg {3des, 3des-cbc, blowfish, blowfish-cdc, des, des-cbc, aes,
470 483 aes-cbc}
471 484 An encryption algorithm, as in ipsecconf(1M). However, of the
472 485 ciphers listed above, only aes and aes-cbc allow optional key-
473 486 size setting, using the "low value-to-high value" syntax. To
474 487 specify a single AES key size, the low value must equal the
475 488 high value. If no range is specified, all three AES key sizes
476 489 are allowed.
477 490
478 491
479 492 auth_alg {md5, sha, sha1}
480 493 An authentication algorithm, as specified in ipseckey(1M).
481 494
482 495
483 496 auth_method {preshared, rsa_sig, rsa_encrypt, dss_sig}
484 497 The authentication method used for IKE phase 1.
485 498
486 499
487 500 p1_lifetime_secs num
488 501 Optional. The lifetime for a phase 1 SA.
489 502
490 503
491 504
492 505 EXAMPLES
493 506 Example 1 A Sample ike.config File
494 507
495 508
496 509 The following is an example of an ike.config file:
497 510
498 511
499 512
500 513 ### BEGINNING OF FILE
501 514
502 515 ### First some global parameters...
503 516
504 517 ### certificate parameters...
505 518
506 519 # Root certificates. I SHOULD use a full Distinguished Name.
507 520 # I must have this certificate in my local filesystem, see ikecert(1m).
508 521 cert_root "C=US, O=Sun Microsystems\, Inc., CN=Sun CA"
509 522
510 523 # Explicitly trusted certs that need no signatures, or perhaps
511 524 # self-signed ones. Like root certificates, use full DNs for them
512 525 # for now.
513 526 cert_trust "EMAIL=root@domain.org"
514 527
515 528 # Where do I send LDAP requests?
516 529 ldap_server "ldap1.domain.org,ldap2.domain.org:389"
517 530
518 531 ## phase 1 transform defaults...
519 532
520 533 p1_lifetime_secs 14400
521 534 p1_nonce_len 20
522 535
523 536 ## Parameters that might also show up in rules.
524 537
525 538 p1_xform { auth_method preshared oakley_group 5 auth_alg sha
526 539 encr_alg 3des }
527 540 p2_pfs 2
528 541
529 542
530 543
531 544 ### Now some rules...
532 545
533 546 {
534 547 label "simple inheritor"
535 548 local_id_type ip
536 549 local_addr 10.1.1.1
537 550 remote_addr 10.1.1.2
538 551 }
539 552 {
540 553 label "simple inheritor IPv6"
541 554 local_id_type ipv6
542 555 local_addr fe80::a00:20ff:fe7d:6
543 556 remote_addr fe80::a00:20ff:fefb:3780
544 557 }
545 558
546 559 {
547 560 # an index-only rule. If I'm a receiver, and all I
548 561 # have are index-only rules, what do I do about inbound IKE requests?
549 562 # Answer: Take them all!
550 563
551 564 label "default rule"
552 565 # Use whatever "host" (e.g. IP address) identity is appropriate
553 566 local_id_type ipv4
554 567
555 568 local_addr 0.0.0.0/0
556 569 remote_addr 0.0.0.0/0
557 570
558 571 p2_pfs 5
559 572
560 573 # Now I'm going to have the p1_xforms
561 574 p1_xform
562 575 {auth_method preshared oakley_group 5 auth_alg md5 encr_alg \
563 576 blowfish } p1_xform
564 577 {auth_method preshared oakley_group 5 auth_alg md5 encr_alg 3des }
565 578
566 579 # After said list, another keyword (or a '}') stops xform
567 580 # parsing.
568 581 }
569 582
570 583 {
571 584 # Let's try something a little more conventional.
572 585
573 586 label "host to .80 subnet"
574 587 local_id_type ip
575 588 local_id "10.1.86.51"
576 589
577 590 remote_id "" # Take any, use remote_addr for access control.
578 591
579 592 local_addr 10.1.86.51
580 593 remote_addr 10.1.80.0/24
581 594
582 595 p1_xform
583 596 { auth_method rsa_sig oakley_group 5 auth_alg md5 encr_alg 3des }
584 597 p1_xform
585 598 { auth_method rsa_sig oakley_group 5 auth_alg md5 encr_alg \
586 599 blowfish }
587 600 p1_xform
588 601 { auth_method rsa_sig oakley_group 5 auth_alg sha1 encr_alg 3des }
589 602 p1_xform
590 603 { auth_method rsa_sig oakley_group 5 auth_alg sha1 encr_alg \
591 604 blowfish }
592 605 }
593 606
594 607 {
595 608 # Let's try something a little more conventional, but with ipv6.
596 609
597 610 label "host to fe80::/10 subnet"
598 611 local_id_type ip
599 612 local_id "fe80::a00:20ff:fe7d:6"
600 613
601 614 remote_id "" # Take any, use remote_addr for access control.
602 615
603 616 local_addr fe80::a00:20ff:fe7d:6
604 617 remote_addr fe80::/10
605 618
606 619 p1_xform
607 620 { auth_method rsa_sig oakley_group 5 auth_alg md5 encr_alg 3des }
608 621 p1_xform
609 622 { auth_method rsa_sig oakley_group 5 auth_alg md5 encr_alg \
610 623 blowfish }
611 624 p1_xform
612 625 { auth_method rsa_sig oakley_group 5 auth_alg sha1 encr_alg \
613 626 3des }
614 627 p1_xform
615 628 { auth_method rsa_sig oakley_group 5 auth_alg sha1 encr_alg \
616 629 blowfish }
617 630 }
618 631
619 632 {
620 633 # How 'bout something with a different cert type and name?
621 634
622 635 label "punchin-point"
623 636 local_id_type mbox
624 637 local_id "ipsec-wizard@domain.org"
625 638
626 639 remote_id "10.5.5.128"
627 640
628 641 local_addr 0.0.0.0/0
629 642 remote_addr 10.5.5.128
630 643
631 644 p1_xform
632 645 { auth_method rsa_sig oakley_group 5 auth_alg md5 encr_alg \
633 646 blowfish }
634 647 }
635 648
636 649 {
637 650 label "receiver side"
638 651
639 652 remote_id "ipsec-wizard@domain.org"
640 653
641 654 local_id_type ip
642 655 local_id "10.5.5.128"
643 656
644 657 local_addr 10.5.5.128
645 658 remote_addr 0.0.0.0/0
646 659
647 660 p1_xform
648 661 { auth_method rsa_sig oakley_group 5 auth_alg md5 encr_alg blowfish }
649 662 # NOTE: Specifying preshared null-and-voids the remote_id/local_id
650 663 # fields.
651 664 p1_xform
652 665 { auth_method preshared oakley_group 5 auth_alg md5 encr_alg \
653 666 blowfish}
654 667
655 668 }
656 669
657 670
658 671 ATTRIBUTES
659 672 See attributes(5) for descriptions of the following attributes:
660 673
661 674
662 675
663 676
664 677 +--------------------+-----------------+
665 678 | ATTRIBUTE TYPE | ATTRIBUTE VALUE |
666 679 +--------------------+-----------------+
667 680 |Interface Stability | Committed |
668 681 +--------------------+-----------------+
669 682
670 683 SEE ALSO
671 684 cryptoadm(1M), ikeadm(1M), in.iked(1M), ikecert(1M), ipseckey(1M),
672 685 ipsecalgs(1M), ipsecconf(1M), svccfg(1M), dlopen(3C), attributes(5),
673 686 random(7D)
674 687
675 688
676 689 Harkins, Dan and Carrel, Dave. RFC 2409, Internet Key Exchange (IKE).
677 690 Cisco Systems, November 1998.
678 691
679 692
680 693 Maughan, Douglas et. al. RFC 2408, Internet Security Association and
681 694 Key Management Protocol (ISAKMP). National Security Agency, Ft. Meade,
682 695 MD. November 1998.
683 696
684 697
685 698 Piper, Derrell. RFC 2407, The Internet IP Security Domain of
686 699 Interpretation for ISAKMP. Network Alchemy. Santa Cruz, California.
687 700 November 1998.
688 701
689 702
690 703 Kivinen, T. RFC 3526, More Modular Exponential (MODP) Diffie-Hellman
691 704 Groups for Internet Key Exchange (IKE). The Internet Society, Network
692 705 Working Group. May 2003.
693 706
694 707
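Review bot: the expanded list of group numbers in this hunk (new lines 315-335) is not mirrored in the three other places on the same page that enumerate the Oakley groups: the oakley_group entry under the per-rule p1_xform description (new lines 472-479, still only 1, 2, 5, 14, 15 and 16) and both p2_pfs entries (new lines 372-382 and 446-456). Because p2_pfs states that "the oakley group specified is used for phase 2 PFS", a reader will assume the new values are accepted there as well; either update those lists in the same change or replace them with a cross-reference to this one so the four copies cannot drift apart again. It would also help to confirm in the commit that in.iked actually accepts every value now listed, in particular the EC2N groups 3 and 4 and the ECP groups 19-21, 25 and 26, since the original text described the list as "Acceptable values" and previously contained only MODP groups; documenting a group the parser rejects would send administrators chasing a non-existent configuration error.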
708 + Lepinksi, M. and Kent, S. RFC 5114, Additional Diffie-Hellman Groups for
709 + Use with IETF Standards. BBN Technologies, January 2008.
710 +
711 +
695 712
696 713 April 27, 2009 IKE.CONFIG(4)
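Review bot: the author name in the new reference (new line 708) is misspelled: "Lepinksi" should be "Lepinski" (RFC 5114 is by M. Lepinski and S. Kent). Also, the two added blank lines (new lines 710-711) plus the existing blank at new line 712 leave three blank lines between this entry and the footer, whereas the other entries are separated by two; drop one of the added blanks to match.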