Print this page
5782 ike.config(4) needs additional oakley_group numbers
Split |
Close |
Expand all |
Collapse all |
--- old/usr/src/man/man4/ike.config.4
+++ new/usr/src/man/man4/ike.config.4
1 1 '\" te
2 2 .\" Copyright (c) 2009, Sun Microsystems, Inc. All Rights Reserved.
3 +.\" Copyright (c) 2015, Circonus, Inc. All Rights Reserved.
3 4 .\" The contents of this file are subject to the terms of the Common Development and Distribution License (the "License"). You may not use this file except in compliance with the License. You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing.
4 5 .\" See the License for the specific language governing permissions and limitations under the License. When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE. If applicable, add the following below this CDDL HEADER, with the
5 6 .\" fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner]
6 7 .TH IKE.CONFIG 4 "Apr 27, 2009"
7 8 .SH NAME
8 9 ike.config \- configuration file for IKE policy
9 10 .SH SYNOPSIS
10 11 .LP
11 12 .nf
12 13 \fB/etc/inet/ike/config\fR
13 14 .fi
14 15
15 16 .SH DESCRIPTION
16 17 .sp
17 18 .LP
18 19 The \fB/etc/inet/ike/config\fR file contains rules for matching inbound IKE
19 20 requests. It also contains rules for preparing outbound \fBIKE\fR requests.
20 21 .sp
21 22 .LP
22 23 You can test the syntactic correctness of an \fB/etc/inet/ike/config\fR file by
23 24 using the \fB-c\fR or \fB-f\fR options of \fBin.iked\fR(1M). You must use the
24 25 \fB-c\fR option to test a \fBconfig\fR file. You might need to use the \fB-f\fR
25 26 option if it is not in \fB/etc/inet/ike/config\fR.
26 27 .SS "Lexical Components"
27 28 .sp
28 29 .LP
29 30 On any line, an unquoted \fB#\fR character introduces a comment. The remainder
30 31 of that line is ignored. Additionally, on any line, an unquoted \fB//\fR
31 32 sequence introduces a comment. The remainder of that line is ignored.
32 33 .sp
33 34 .LP
34 35 There are several types of lexical tokens in the \fBike.config\fR file:
35 36 .sp
36 37 .ne 2
37 38 .na
38 39 \fB\fInum\fR\fR
39 40 .ad
40 41 .sp .6
41 42 .RS 4n
42 43 A decimal, hex, or octal number representation is as in 'C'.
43 44 .RE
44 45
45 46 .sp
46 47 .ne 2
47 48 .na
48 49 \fB\fIIPaddr\fR/\fIprefix\fR/\fIrange\fR\fR
49 50 .ad
50 51 .sp .6
51 52 .RS 4n
52 53 An IPv4 or IPv6 address with an optional /\fINNN\fR suffix, (where \fINNN\fR is
53 54 a \fInum\fR) that indicates an address (\fBCIDR\fR) prefix (for example,
54 55 \fB10.1.2.0/24\fR). An optional /\fIADDR\fR suffix (where \fIADDR\fR is a
55 56 second IP address) indicates an address/mask pair (for example,
56 57 \fB10.1.2.0/255.255.255.0\fR). An optional -\fIADDR\fR suffix (where \fIADDR\fR
57 58 is a second IPv4 address) indicates an inclusive range of addresses (for
58 59 example, \fB10.1.2.0-10.1.2.255\fR). The \fB/\fR or \fB-\fR can be surrounded
59 60 by an arbitrary amount of white space.
60 61 .RE
61 62
62 63 .sp
63 64 .ne 2
64 65 .na
65 66 \fB\fBXXX\fR | \fBYYY\fR | \fBZZZ\fR\fR
66 67 .ad
67 68 .sp .6
68 69 .RS 4n
69 70 Either the words \fBXX\fRX, \fBYYY\fR, or \fBZZZ\fR, for example, {yes,no}.
70 71 .RE
71 72
72 73 .sp
73 74 .ne 2
74 75 .na
75 76 \fBp1-id-type\fR
76 77 .ad
77 78 .sp .6
78 79 .RS 4n
79 80 An IKE phase 1 identity type. IKE phase 1 identity types include:
80 81 .br
81 82 .in +2
82 83 \fBdn, DN\fR
83 84 .in -2
84 85 .br
85 86 .in +2
86 87 \fBdns, DNS\fR
87 88 .in -2
88 89 .br
89 90 .in +2
90 91 \fBfqdn, FQDN\fR
91 92 .in -2
92 93 .br
93 94 .in +2
94 95 \fBgn, GN\fR
95 96 .in -2
96 97 .br
97 98 .in +2
98 99 \fBip, IP\fR
99 100 .in -2
100 101 .br
101 102 .in +2
102 103 \fBipv4\fR
103 104 .in -2
104 105 .br
105 106 .in +2
106 107 \fBipv4_prefix\fR
107 108 .in -2
108 109 .br
109 110 .in +2
110 111 \fBipv4_range\fR
111 112 .in -2
112 113 .br
113 114 .in +2
114 115 \fBipv6\fR
115 116 .in -2
116 117 .br
117 118 .in +2
118 119 \fBipv6_prefix\fR
119 120 .in -2
120 121 .br
121 122 .in +2
122 123 \fBipv6_range\fR
123 124 .in -2
124 125 .br
125 126 .in +2
126 127 \fBmbox, MBOX\fR
127 128 .in -2
128 129 .br
129 130 .in +2
130 131 \fBuser_fqdn\fR
131 132 .in -2
132 133 .RE
133 134
134 135 .sp
135 136 .ne 2
136 137 .na
137 138 \fB\fB"\fR\fIstring\fR\fB"\fR\fR
138 139 .ad
139 140 .sp .6
140 141 .RS 4n
141 142 A quoted string.
142 143 .sp
143 144 Examples include:\fB"Label foo"\fR, or \fB"C=US, OU=Sun Microsystems\\, Inc.,
144 145 N=olemcd@eng.example.com"\fR
145 146 .sp
146 147 A backslash (\fB\e\fR) is an escape character. If the string needs an actual
147 148 backslash, two must be specified.
148 149 .RE
149 150
150 151 .sp
151 152 .ne 2
152 153 .na
153 154 \fB\fIcert-sel\fR\fR
154 155 .ad
155 156 .sp .6
156 157 .RS 4n
157 158 A certificate selector, a \fIstring\fR which specifies the identities of zero
158 159 or more certificates. The specifiers can conform to \fBX.509\fR naming
159 160 conventions.
160 161 .sp
161 162 A \fIcert-sel\fR can also use various shortcuts to match either subject
162 163 alternative names, the filename or \fBslot\fR of a certificate in
163 164 \fB/etc/inet/ike/publickeys\fR, or even the \fBISSUER\fR. For example:
164 165 .sp
165 166 .in +2
166 167 .nf
167 168 "SLOT=0"
168 169 "EMAIL=postmaster@domain.org"
169 170 "webmaster@domain.org" # Some just work w/o TYPE=
170 171 "IP=10.0.0.1"
171 172 "10.21.11.11" # Some just work w/o TYPE=
172 173 "DNS=www.domain.org"
173 174 "mailhost.domain.org" # Some just work w/o TYPE=
174 175 "ISSUER=C=US, O=Sun Microsystems\\, Inc., CN=Sun CA"
175 176 .fi
176 177 .in -2
177 178 .sp
178 179
179 180 Any \fIcert-sel\fR preceded by the character \fB!\fR indicates a negative
180 181 match, that is, not matching this specifier. These are the same kind of strings
181 182 used in \fBikecert\fR(1M).
182 183 .RE
183 184
184 185 .sp
185 186 .ne 2
186 187 .na
187 188 \fB\fIldap-list\fR\fR
188 189 .ad
189 190 .sp .6
190 191 .RS 4n
191 192 A quoted, comma-separated list of LDAP servers and ports.
192 193 .sp
193 194 For example, \fB"ldap1.example.com"\fR, \fB"ldap1.example.com:389"\fR,
194 195 \fB"ldap1.example.com:389,ldap2.example.com"\fR.
195 196 .sp
196 197 The default port for LDAP is \fB389\fR.
197 198 .RE
198 199
199 200 .sp
200 201 .ne 2
201 202 .na
202 203 \fB\fIparameter-list\fR\fR
203 204 .ad
204 205 .sp .6
205 206 .RS 4n
206 207 A list of parameters.
207 208 .RE
208 209
209 210 .SS "File Body Entries"
210 211 .sp
211 212 .LP
212 213 There are four main types of entries:
213 214 .RS +4
214 215 .TP
215 216 .ie t \(bu
216 217 .el o
217 218 global parameters
218 219 .RE
219 220 .RS +4
220 221 .TP
221 222 .ie t \(bu
222 223 .el o
223 224 IKE phase 1 transform defaults
224 225 .RE
225 226 .RS +4
226 227 .TP
227 228 .ie t \(bu
228 229 .el o
229 230 IKE rule defaults
230 231 .RE
231 232 .RS +4
232 233 .TP
233 234 .ie t \(bu
234 235 .el o
235 236 IKE rules
236 237 .RE
237 238 .sp
238 239 .LP
239 240 The global parameter entries are as follows:
240 241 .sp
241 242 .ne 2
242 243 .na
243 244 \fBcert_root \fIcert-sel\fR\fR
244 245 .ad
245 246 .sp .6
246 247 .RS 4n
247 248 The X.509 distinguished name of a certificate that is a trusted root CA
248 249 certificate.It must be encoded in a file in the \fB/etc/inet/ike/publickeys\fR
249 250 directory. It must have a CRL in \fB/etc/inet/ike/crl\fRs. Multiple
250 251 \fBcert_root\fR parameters aggregate.
251 252 .RE
252 253
253 254 .sp
254 255 .ne 2
255 256 .na
256 257 \fBcert_trust \fIcert-sel\fR\fR
257 258 .ad
258 259 .sp .6
259 260 .RS 4n
260 261 Specifies an X.509 distinguished name of a certificate that is self-signed, or
261 262 has otherwise been verified as trustworthy for signing IKE exchanges. It must
262 263 be encoded in a file in \fB/etc/inet/ike/publickeys\fR. Multiple
263 264 \fBcert_trust\fR parameters aggregate.
264 265 .RE
265 266
266 267 .sp
267 268 .ne 2
268 269 .na
269 270 \fBexpire_timer \fIinteger\fR\fR
270 271 .ad
271 272 .sp .6
272 273 .RS 4n
273 274 The number of seconds to let a not-yet-complete IKE Phase I (Main Mode)
274 275 negotiation linger before deleting it. Default value: 300 seconds.
275 276 .RE
276 277
277 278 .sp
278 279 .ne 2
279 280 .na
280 281 \fBignore_crls\fR
281 282 .ad
282 283 .sp .6
283 284 .RS 4n
284 285 If this keyword is present in the file, \fBin.iked\fR(1M) ignores Certificate
285 286 Revocation Lists (\fBCRL\fRs) for root \fBCA\fRs (as given in \fBcert_root\fR)
286 287 .RE
287 288
288 289 .sp
289 290 .ne 2
290 291 .na
291 292 \fBldap_server \fIldap-list\fR\fR
292 293 .ad
293 294 .sp .6
294 295 .RS 4n
295 296 A list of LDAP servers to query for certificates. The list can be additive.
296 297 .RE
297 298
298 299 .sp
299 300 .ne 2
300 301 .na
301 302 \fBpkcs11_path \fIstring\fR\fR
302 303 .ad
303 304 .sp .6
304 305 .RS 4n
305 306 The string that follows is a name of a shared object (\fB\&.so\fR) that
306 307 implements the PKCS#11 standard. The name is passed directly into
307 308 \fBdlopen\fR(3C) for linking, with all of the semantics of that library call.
308 309 By default, \fBin.iked\fR(1M) runs the same ISA as the running kernel, so a
309 310 library specified using \fBpkcs11_path\fR and an absolute pathname \fBmust\fR
310 311 match the same ISA as the kernel. One can use the start/exec SMF property (see
311 312 \fBsvccfg\fR(1M)) to change \fBin.iked\fR's ISA, but it is not recommended.
312 313 .sp
313 314 If this setting is not present, the default value is set to \fBlibpkcs11.so\fR.
314 315 Most cryptographic providers go through the default library, and this parameter
315 316 should only be used if a specialized provider of IKE-useful cryptographic
316 317 services cannot interface with the Solaris Cryptographic Framework. See
317 318 \fBcryptoadm\fR(1M).
318 319 .sp
319 320 This option is now deprecated, and may be removed in a future release.
320 321 .RE
321 322
322 323 .sp
323 324 .ne 2
324 325 .na
325 326 \fBretry_limit \fIinteger\fR\fR
326 327 .ad
327 328 .sp .6
328 329 .RS 4n
329 330 The number of retransmits before any IKE negotiation is aborted. Default value:
330 331 5 times.
331 332 .RE
332 333
333 334 .sp
334 335 .ne 2
335 336 .na
336 337 \fBretry_timer_init \fIinteger\fR or \fIfloat\fR\fR
337 338 .ad
338 339 .sp .6
339 340 .RS 4n
340 341 The initial interval (in seconds) between retransmits. This interval is doubled
341 342 until the \fBretry_timer_max\fR value (see below) is reached. Default value:
342 343 0.5 seconds.
343 344 .RE
344 345
345 346 .sp
346 347 .ne 2
347 348 .na
348 349 \fBretry_timer_max \fIinteger\fR or \fIfloat\fR\fR
349 350 .ad
350 351 .sp .6
351 352 .RS 4n
352 353 The maximum interval (in seconds) between retransmits. The doubling retransmit
353 354 interval stops growing at this limit. Default value: 30 seconds.
354 355 .LP
355 356 Note -
356 357 .sp
357 358 .RS 2
358 359 This value is never reached with the default configuration. The longest
359 360 interval is 8 (0.5 * 2 ^ (5 - 1)) seconds.
360 361 .RE
361 362 .RE
362 363
363 364 .sp
364 365 .ne 2
365 366 .na
366 367 \fBproxy \fIstring\fR\fR
367 368 .ad
368 369 .sp .6
369 370 .RS 4n
370 371 The string following this keyword must be a URL for an HTTP proxy, for example,
371 372 \fBhttp://proxy:8080\fR.
372 373 .RE
373 374
374 375 .sp
375 376 .ne 2
376 377 .na
377 378 \fBsocks \fIstring\fR\fR
378 379 .ad
379 380 .sp .6
380 381 .RS 4n
381 382 The string following this keyword must be a URL for a SOCKS proxy, for example,
382 383 \fBsocks://socks-proxy\fR.
383 384 .RE
384 385
385 386 .sp
386 387 .ne 2
387 388 .na
388 389 \fBuse_http\fR
389 390 .ad
390 391 .sp .6
391 392 .RS 4n
392 393 If this keyword is present in the file, \fBin.iked\fR(1M) uses HTTP to retrieve
393 394 Certificate Revocation Lists (\fBCRL\fRs).
394 395 .RE
395 396
396 397 .sp
397 398 .LP
398 399 The following IKE phase 1 transform parameters can be prefigured using
399 400 file-level defaults. Values specified within any given transform override these
400 401 defaults.
401 402 .sp
402 403 .LP
403 404 The IKE phase 1 transform defaults are as follows:
404 405 .sp
405 406 .ne 2
406 407 .na
407 408 \fBp1_lifetime_secs \fInum\fR\fR
408 409 .ad
409 410 .sp .6
410 411 .RS 4n
411 412 The proposed default lifetime, in seconds, of an IKE phase 1 security
412 413 association (\fBSA\fR).
413 414 .RE
414 415
415 416 .sp
416 417 .ne 2
417 418 .na
418 419 \fBp1_nonce_len \fInum\fR\fR
419 420 .ad
420 421 .sp .6
421 422 .RS 4n
422 423 The length in bytes of the phase 1 (quick mode) nonce data. This cannot be
423 424 specified on a per-rule basis.
424 425 .RE
425 426
426 427 .sp
427 428 .LP
428 429 The following IKE rule parameters can be prefigured using file-level defaults.
429 430 Values specified within any given rule override these defaults, unless a rule
430 431 cannot.
431 432 .sp
432 433 .ne 2
433 434 .na
434 435 \fBp2_lifetime_secs \fInum\fR\fR
435 436 .ad
436 437 .sp .6
437 438 .RS 4n
438 439 The proposed default lifetime, in seconds, of an IKE phase 2 security
439 440 association (SA). This value is optional. If omitted, a default value is used.
440 441 .RE
441 442
442 443 .sp
443 444 .ne 2
444 445 .na
445 446 \fBp2_softlife_secs \fInum\fR\fR
446 447 .ad
447 448 .sp .6
448 449 .RS 4n
449 450 The soft lifetime of a phase 2 SA, in seconds. If this value is specified, the
450 451 SA soft expires after the number of seconds specified by
451 452 \fBp2_softlife_secs\fR. This causes \fBin.iked\fR to renegotiate a new phase 2
452 453 SA before the original SA expires.
453 454 .sp
454 455 This value is optional, if omitted soft expiry occurs after 90% of the lifetime
455 456 specified by \fBp2_lifetime_secs\fR. The value specified by
456 457 \fBp2_softlife_secs\fR is ignored if \fBp2_lifetime_secs\fR is not specified.
457 458 .sp
458 459 Setting \fBp2_softlife_secs\fR to the same value as \fBp2_lifetime_secs\fR
459 460 disables soft expires.
460 461 .RE
461 462
462 463 .sp
463 464 .ne 2
464 465 .na
465 466 \fBp2_idletime_secs \fInum\fR\fR
466 467 .ad
467 468 .sp .6
468 469 .RS 4n
469 470 The idle lifetime of a phase 2 SA, in seconds. If the value is specified, the
470 471 value specifies the lifetime of the SA, if the security association is not used
471 472 before the SA is revalidated.
472 473 .RE
473 474
474 475 .sp
475 476 .ne 2
476 477 .na
477 478 \fBp2_lifetime_kb \fInum\fR\fR
478 479 .ad
479 480 .sp .6
480 481 .RS 4n
481 482 The lifetime of an SA can optionally be specified in kilobytes. This parameter
482 483 specifies the default value. If lifetimes are specified in both seconds and
483 484 kilobytes, the SA expires when either the seconds or kilobyte threshholds are
484 485 passed.
485 486 .RE
486 487
487 488 .sp
488 489 .ne 2
489 490 .na
490 491 \fBp2_softlife_kb \fInum\fR\fR
491 492 .ad
492 493 .sp .6
493 494 .RS 4n
494 495 This value is the number of kilobytes that can be protected by an SA before a
495 496 soft expire occurs (see \fBp2_softlife_secs\fR, above).
496 497 .sp
497 498 This value is optional. If omitted, soft expiry occurs after 90% of the
498 499 lifetime specified by \fBp2_lifetime_kb\fR. The value specified by
499 500 \fBp2_softlife_kb\fR is ignored if \fBp2_lifetime_kb\fR is not specified.
500 501 .RE
501 502
502 503 .sp
503 504 .ne 2
504 505 .na
505 506 \fBp2_nonce_len \fInum\fR\fR
506 507 .ad
507 508 .sp .6
508 509 .RS 4n
509 510 The length in bytes of the phase 2 (quick mode) nonce data. This cannot be
510 511 specified on a per-rule basis.
511 512 .RE
512 513
513 514 .sp
514 515 .ne 2
515 516 .na
516 517 \fBlocal_id_type \fIp1-id-type\fR\fR
517 518 .ad
518 519 .sp .6
519 520 .RS 4n
520 521 The local identity for IKE requires a type. This identity type is reflected in
521 522 the IKE exchange. The type can be one of the following:
522 523 .RS +4
523 524 .TP
524 525 .ie t \(bu
525 526 .el o
526 527 an IP address (for example, \fB10.1.1.2\fR)
527 528 .RE
528 529 .RS +4
529 530 .TP
530 531 .ie t \(bu
531 532 .el o
532 533 DNS name (for example, \fBtest.domain.com\fR)
533 534 .RE
534 535 .RS +4
535 536 .TP
536 537 .ie t \(bu
537 538 .el o
538 539 MBOX RFC 822 name (for example, \fBroot@domain.com\fR)
539 540 .RE
540 541 .RS +4
541 542 .TP
542 543 .ie t \(bu
543 544 .el o
544 545 DNX.509 distinguished name (for example, \fBC=US, O=Sun Microsystems\, Inc.,
545 546 CN=Sun Test cert\fR)
546 547 .RE
547 548 .RE
548 549
549 550 .sp
550 551 .ne 2
551 552 .na
552 553 \fBp1_xform '{' parameter-list '}\fR
553 554 .ad
554 555 .sp .6
555 556 .RS 4n
556 557 A phase 1 transform specifies a method for protecting an IKE phase 1 exchange.
557 558 An initiator offers up lists of phase 1 transforms, and a receiver is expected
558 559 to only accept such an entry if it matches one in a phase 1 rule. There can be
559 560 several of these, and they are additive. There must be either at least one
560 561 phase 1 transform in a rule or a global default phase 1 transform list. In a
561 562 configuration file without a global default phase 1 transform list \fBand\fR a
562 563 rule without a phase, transform list is an invalid file. Unless specified as
↓ open down ↓ |
550 lines elided |
↑ open up ↑ |
563 564 optional, elements in the parameter-list must occur exactly once within a given
564 565 transform's parameter-list:
565 566 .sp
566 567 .ne 2
567 568 .na
568 569 \fBoakley_group \fInumber\fR\fR
569 570 .ad
570 571 .sp .6
571 572 .RS 4n
572 573 The Oakley Diffie-Hellman group used for IKE SA key derivation. The group
573 -numbers are defined in RFC 2409, Appendix A, and RFC 3526. Acceptable values
574 -are currently:
574 +numbers are defined in RFC 2409, Appendix A, RFC 3526, and RFC 5114, section
575 +3.2. Acceptable values are currently:
575 576 .br
576 577 .in +2
577 -1 (768-bit)
578 +1 (MODP 768-bit)
578 579 .in -2
579 580 .br
580 581 .in +2
581 -2 (1024-bit)
582 +2 (MODP 1024-bit)
582 583 .in -2
583 584 .br
584 585 .in +2
585 -5 (1536-bit)
586 +3 (EC2N 155-bit)
586 587 .in -2
587 588 .br
588 589 .in +2
589 -14 (2048-bit)
590 +4 (EC2N 185-bit)
590 591 .in -2
591 592 .br
592 593 .in +2
593 -15 (3072-bit)
594 +5 (MODP 1536-bit)
594 595 .in -2
595 596 .br
596 597 .in +2
597 -16 (4096-bit)
598 +14 (MODP 2048-bit)
598 599 .in -2
600 +.br
601 +.in +2
602 +15 (MODP 3072-bit)
603 +.in -2
604 +.br
605 +.in +2
606 +16 (MODP 4096-bit)
607 +.in -2
608 +.br
609 +.in +2
610 +17 (MODP 6144-bit)
611 +.in -2
612 +.br
613 +.in +2
614 +18 (MODP 8192-bit)
615 +.in -2
616 +.br
617 +.in +2
618 +19 (ECP 256-bit)
619 +.in -2
620 +.br
621 +.in +2
622 +20 (ECP 384-bit)
623 +.in -2
624 +.br
625 +.in +2
626 +21 (ECP 521-bit)
627 +.in -2
628 +.br
629 +.in +2
630 +22 (MODP 1024-bit, with 160-bit Prime Order Subgroup)
631 +.in -2
632 +.br
633 +.in +2
634 +23 (MODP 2048-bit, with 224-bit Prime Order Subgroup)
635 +.in -2
636 +.br
637 +.in +2
638 +24 (MODP 2048-bit, with 256-bit Prime Order Subgroup)
639 +.in -2
640 +.br
641 +.in +2
642 +25 (ECP 192-bit)
643 +.in -2
644 +.br
645 +.in +2
646 +26 (ECP 224-bit)
647 +.in -2
599 648 .RE
600 649
601 650 .sp
602 651 .ne 2
603 652 .na
604 653 \fBencr_alg {3des, 3des-cbc, blowfish, blowfish-cdc, des, des-cbc, aes,
605 654 aes-cbc}\fR
606 655 .ad
607 656 .sp .6
608 657 .RS 4n
609 658 An encryption algorithm, as in \fBipsecconf\fR(1M). However, of the ciphers
610 659 listed above, only \fBaes\fR and \fBaes-cbc\fR allow optional key-size setting,
611 660 using the "low value-to-high value" syntax. To specify a single AES key size,
612 661 the low value must equal the high value. If no range is specified, all three
613 662 AES key sizes are allowed.
614 663 .RE
615 664
616 665 .sp
617 666 .ne 2
618 667 .na
619 668 \fBauth_alg {md5, sha, sha1, sha256, sha384, sha512}\fR
620 669 .ad
621 670 .sp .6
622 671 .RS 4n
623 672 An authentication algorithm.
624 673 .sp
625 674 Use \fBipsecalgs\fR(1M) with the \fB-l\fR option to list the IPsec protocols
626 675 and algorithms currently defined on a system. The \fBcryptoadm list\fR command
627 676 diplays a list of installed providers and their mechanisms. See
628 677 \fBcryptoadm\fR(1M).
629 678 .RE
630 679
631 680 .sp
632 681 .ne 2
633 682 .na
634 683 \fBauth_method {preshared, rsa_sig, rsa_encrypt, dss_sig}\fR
635 684 .ad
636 685 .sp .6
637 686 .RS 4n
638 687 The authentication method used for IKE phase 1.
639 688 .RE
640 689
641 690 .sp
642 691 .ne 2
643 692 .na
644 693 \fBp1_lifetime_secs \fInum\fR\fR
645 694 .ad
646 695 .sp .6
647 696 .RS 4n
648 697 Optional. The lifetime for a phase 1 SA.
649 698 .RE
650 699
651 700 .RE
652 701
653 702 .sp
654 703 .ne 2
655 704 .na
656 705 \fBp2_lifetime_secs \fInum\fR\fR
657 706 .ad
658 707 .sp .6
659 708 .RS 4n
660 709 If configuring the kernel defaults is not sufficient for different tasks, this
661 710 parameter can be used on a per-rule basis to set the IPsec \fBSA\fR lifetimes
662 711 in seconds.
663 712 .RE
664 713
665 714 .sp
666 715 .ne 2
667 716 .na
668 717 \fBp2_pfs \fInum\fR\fR
669 718 .ad
670 719 .sp .6
671 720 .RS 4n
672 721 Use perfect forward secrecy for phase 2 (quick mode). If selected, the oakley
673 722 group specified is used for phase 2 PFS. Acceptable values are:
674 723 .br
675 724 .in +2
676 725 0 (do not use Perfect Forward Secrecy for IPsec SAs)
677 726 .in -2
678 727 .br
679 728 .in +2
680 729 1 (768-bit)
681 730 .in -2
682 731 .br
683 732 .in +2
684 733 2 (1024-bit)
685 734 .in -2
686 735 .br
687 736 .in +2
688 737 5 (1536-bit)
689 738 .in -2
690 739 .br
691 740 .in +2
692 741 14 (2048-bit)
693 742 .in -2
694 743 .br
695 744 .in +2
696 745 15 (3072-bit)
697 746 .in -2
698 747 .br
699 748 .in +2
700 749 16 (4096-bit)
701 750 .in -2
702 751 .RE
703 752
704 753 .sp
705 754 .LP
706 755 An IKE rule starts with a right-curly-brace (\fB{\fR), ends with a
707 756 left-curly-brace (\fB}\fR), and has the following parameters in between:
708 757 .sp
709 758 .ne 2
710 759 .na
711 760 \fBlabel \fIstring\fR\fR
712 761 .ad
713 762 .sp .6
714 763 .RS 4n
715 764 Required parameter. The administrative interface to \fBin.iked\fR looks up
716 765 phase 1 policy rules with the label as the search string. The administrative
717 766 interface also converts the label into an index, suitable for an extended
718 767 ACQUIRE message from PF_KEY - effectively tying IPsec policy to IKE policy in
719 768 the case of a node initiating traffic. Only one \fBlabel\fR parameter is
720 769 allowed per rule.
721 770 .RE
722 771
723 772 .sp
724 773 .ne 2
725 774 .na
726 775 \fBlocal_addr <\fIIPaddr\fR/\fIprefix\fR/\fIrange\fR>\fR
727 776 .ad
728 777 .sp .6
729 778 .RS 4n
730 779 Required parameter. The local address, address prefix, or address range for
731 780 this phase 1 rule. Multiple \fBlocal_addr\fR parameters accumulate within a
732 781 given rule.
733 782 .RE
734 783
735 784 .sp
736 785 .ne 2
737 786 .na
738 787 \fBremote_addr <\fIIPaddr\fR/\fIprefix\fR/\fIrang\fRe>\fR
739 788 .ad
740 789 .sp .6
741 790 .RS 4n
742 791 Required parameter. The remote address, address prefix, or address range for
743 792 this phase 1 rule. Multiple \fBremote_addr\fR parameters accumulate within a
744 793 given rule.
745 794 .RE
746 795
747 796 .sp
748 797 .ne 2
749 798 .na
750 799 \fBlocal_id_type \fIp1-id-type\fR\fR
751 800 .ad
752 801 .sp .6
753 802 .RS 4n
754 803 Which phase 1 identity type I uses. This is needed because a single certificate
755 804 can contain multiple values for use in IKE phase 1. Within a given rule, all
756 805 phase 1 transforms must either use preshared or non-preshared authentication
757 806 (they cannot be mixed). For rules with preshared authentication, the
758 807 \fBlocal_id_type\fR parameter is optional, and defaults to \fBIP\fR. For rules
759 808 which use non-preshared authentication, the 'local_id_type' parameter is
760 809 required. Multiple 'local_id_type' parameters within a rule are not allowed.
761 810 .RE
762 811
763 812 .sp
764 813 .ne 2
765 814 .na
766 815 \fBlocal_id \fIcert-sel\fR\fR
767 816 .ad
768 817 .sp .6
769 818 .RS 4n
770 819 Disallowed for preshared authentication method; required parameter for
771 820 non-preshared authentication method. The local identity string or certificate
772 821 selector. Only one local identity per rule is used, the first one stated.
773 822 .RE
774 823
775 824 .sp
776 825 .ne 2
777 826 .na
778 827 \fBremote_id \fIcert-sel\fR\fR
779 828 .ad
780 829 .sp .6
781 830 .RS 4n
782 831 Disallowed for preshared authentication method; required parameter for
783 832 non-preshared authentication method. Selector for which remote phase 1
784 833 identities are allowed by this rule. Multiple \fBremote_id\fR parameters
785 834 accumulate within a given rule. If a single empty string (\fB""\fR) is given,
786 835 then this accepts any remote \fBID\fR for phase 1. It is recommended that
787 836 certificate trust chains or address enforcement be configured strictly to
788 837 prevent a breakdown in security if this value for \fBremote_id\fR is used.
789 838 .RE
790 839
791 840 .sp
792 841 .ne 2
793 842 .na
794 843 \fBp2_lifetime_secs \fInum\fR\fR
795 844 .ad
796 845 .sp .6
797 846 .RS 4n
798 847 If configuring the kernel defaults is not sufficient for different tasks, this
799 848 parameter can be used on a per-rule basis to set the IPsec \fBSA\fR lifetimes
800 849 in seconds.
801 850 .RE
802 851
803 852 .sp
804 853 .ne 2
805 854 .na
806 855 \fBp2_pfs \fInum\fR\fR
807 856 .ad
808 857 .sp .6
809 858 .RS 4n
810 859 Use perfect forward secrecy for phase 2 (quick mode). If selected, the oakley
811 860 group specified is used for phase 2 PFS. Acceptable values are:
812 861 .br
813 862 .in +2
814 863 0 (do not use Perfect Forward Secrecy for IPsec SAs)
815 864 .in -2
816 865 .br
817 866 .in +2
818 867 1 (768-bit)
819 868 .in -2
820 869 .br
821 870 .in +2
822 871 2 (1024-bit)
823 872 .in -2
824 873 .br
825 874 .in +2
826 875 5 (1536-bit)
827 876 .in -2
828 877 .br
829 878 .in +2
830 879 14 (2048-bit)
831 880 .in -2
832 881 .br
833 882 .in +2
834 883 15 (3072-bit)
835 884 .in -2
836 885 .br
837 886 .in +2
838 887 16 (4096-bit)
839 888 .in -2
840 889 .RE
841 890
842 891 .sp
843 892 .ne 2
844 893 .na
845 894 \fBp1_xform \fB{\fR \fIparameter-list\fR \fB}\fR\fR
846 895 .ad
847 896 .sp .6
848 897 .RS 4n
849 898 A phase 1 transform specifies a method for protecting an IKE phase 1 exchange.
850 899 An initiator offers up lists of phase 1 transforms, and a receiver is expected
851 900 to only accept such an entry if it matches one in a phase 1 rule. There can be
852 901 several of these, and they are additive. There must be either at least one
853 902 phase 1 transform in a rule or a global default phase 1 transform list. A
854 903 \fBike.config\fR file without a global default phase 1transform list \fBand\fR
855 904 a rule without a phase 1 transform list is an invalid file. Elements within the
856 905 parameter-list; unless specified as optional, must occur exactly once within a
857 906 given transform's parameter-list:
858 907 .sp
859 908 .ne 2
860 909 .na
861 910 \fBoakley_group \fInumber\fR\fR
862 911 .ad
863 912 .sp .6
864 913 .RS 4n
865 914 The Oakley Diffie-Hellman group used for \fBIKE SA\fR key derivation.
866 915 Acceptable values are currently:
867 916 .br
868 917 .in +2
869 918 1 (768-bit)
870 919 .in -2
871 920 .br
872 921 .in +2
873 922 2 (1024-bit)
874 923 .in -2
875 924 .br
876 925 .in +2
877 926 5 (1536-bit)
878 927 .in -2
879 928 .br
880 929 .in +2
881 930 14 (2048-bit)
882 931 .in -2
883 932 .br
884 933 .in +2
885 934 15 (3072-bit)
886 935 .in -2
887 936 .br
888 937 .in +2
889 938 16 (4096-bit)
890 939 .in -2
891 940 .RE
892 941
893 942 .sp
894 943 .ne 2
895 944 .na
896 945 \fBencr_alg {3des, 3des-cbc, blowfish, blowfish-cdc, des, des-cbc, aes,
897 946 aes-cbc}\fR
898 947 .ad
899 948 .sp .6
900 949 .RS 4n
901 950 An encryption algorithm, as in \fBipsecconf\fR(1M). However, of the ciphers
902 951 listed above, only \fBaes\fR and \fBaes-cbc\fR allow optional key-size setting,
903 952 using the "low value-to-high value" syntax. To specify a single AES key size,
904 953 the low value must equal the high value. If no range is specified, all three
905 954 AES key sizes are allowed.
906 955 .RE
907 956
908 957 .sp
909 958 .ne 2
910 959 .na
911 960 \fBauth_alg {md5, sha, sha1}\fR
912 961 .ad
913 962 .sp .6
914 963 .RS 4n
915 964 An authentication algorithm, as specified in \fBipseckey\fR(1M).
916 965 .RE
917 966
918 967 .sp
919 968 .ne 2
920 969 .na
921 970 \fBauth_method {preshared, rsa_sig, rsa_encrypt, dss_sig}\fR
922 971 .ad
923 972 .sp .6
924 973 .RS 4n
925 974 The authentication method used for IKE phase 1.
926 975 .RE
927 976
928 977 .sp
929 978 .ne 2
930 979 .na
931 980 \fBp1_lifetime_secs \fInum\fR\fR
932 981 .ad
933 982 .sp .6
934 983 .RS 4n
935 984 Optional. The lifetime for a phase 1 SA.
936 985 .RE
937 986
938 987 .RE
939 988
940 989 .SH EXAMPLES
941 990 .LP
942 991 \fBExample 1 \fRA Sample \fBike.config\fR File
943 992 .sp
944 993 .LP
945 994 The following is an example of an \fBike.config\fR file:
946 995
947 996 .sp
948 997 .in +2
949 998 .nf
950 999
951 1000 ### BEGINNING OF FILE
952 1001
953 1002 ### First some global parameters...
954 1003
955 1004 ### certificate parameters...
956 1005
957 1006 # Root certificates. I SHOULD use a full Distinguished Name.
958 1007 # I must have this certificate in my local filesystem, see ikecert(1m).
959 1008 cert_root "C=US, O=Sun Microsystems\\, Inc., CN=Sun CA"
960 1009
961 1010 # Explicitly trusted certs that need no signatures, or perhaps
962 1011 # self-signed ones. Like root certificates, use full DNs for them
963 1012 # for now.
964 1013 cert_trust "EMAIL=root@domain.org"
965 1014
966 1015 # Where do I send LDAP requests?
967 1016 ldap_server "ldap1.domain.org,ldap2.domain.org:389"
968 1017
969 1018 ## phase 1 transform defaults...
970 1019
971 1020 p1_lifetime_secs 14400
972 1021 p1_nonce_len 20
973 1022
974 1023 ## Parameters that might also show up in rules.
975 1024
976 1025 p1_xform { auth_method preshared oakley_group 5 auth_alg sha
977 1026 encr_alg 3des }
978 1027 p2_pfs 2
979 1028
980 1029
981 1030
982 1031 ### Now some rules...
983 1032
984 1033 {
985 1034 label "simple inheritor"
986 1035 local_id_type ip
987 1036 local_addr 10.1.1.1
988 1037 remote_addr 10.1.1.2
989 1038 }
990 1039 {
991 1040 label "simple inheritor IPv6"
992 1041 local_id_type ipv6
993 1042 local_addr fe80::a00:20ff:fe7d:6
994 1043 remote_addr fe80::a00:20ff:fefb:3780
995 1044 }
996 1045
997 1046 {
998 1047 # an index-only rule. If I'm a receiver, and all I
999 1048 # have are index-only rules, what do I do about inbound IKE requests?
1000 1049 # Answer: Take them all!
1001 1050
1002 1051 label "default rule"
1003 1052 # Use whatever "host" (e.g. IP address) identity is appropriate
1004 1053 local_id_type ipv4
1005 1054
1006 1055 local_addr 0.0.0.0/0
1007 1056 remote_addr 0.0.0.0/0
1008 1057
1009 1058 p2_pfs 5
1010 1059
1011 1060 # Now I'm going to have the p1_xforms
1012 1061 p1_xform
1013 1062 {auth_method preshared oakley_group 5 auth_alg md5 encr_alg \e
1014 1063 blowfish } p1_xform
1015 1064 {auth_method preshared oakley_group 5 auth_alg md5 encr_alg 3des }
1016 1065
1017 1066 # After said list, another keyword (or a '}') stops xform
1018 1067 # parsing.
1019 1068 }
1020 1069
1021 1070 {
1022 1071 # Let's try something a little more conventional.
1023 1072
1024 1073 label "host to .80 subnet"
1025 1074 local_id_type ip
1026 1075 local_id "10.1.86.51"
1027 1076
1028 1077 remote_id "" # Take any, use remote_addr for access control.
1029 1078
1030 1079 local_addr 10.1.86.51
1031 1080 remote_addr 10.1.80.0/24
1032 1081
1033 1082 p1_xform
1034 1083 { auth_method rsa_sig oakley_group 5 auth_alg md5 encr_alg 3des }
1035 1084 p1_xform
1036 1085 { auth_method rsa_sig oakley_group 5 auth_alg md5 encr_alg \e
1037 1086 blowfish }
1038 1087 p1_xform
1039 1088 { auth_method rsa_sig oakley_group 5 auth_alg sha1 encr_alg 3des }
1040 1089 p1_xform
1041 1090 { auth_method rsa_sig oakley_group 5 auth_alg sha1 encr_alg \e
1042 1091 blowfish }
1043 1092 }
1044 1093
1045 1094 {
1046 1095 # Let's try something a little more conventional, but with ipv6.
1047 1096
1048 1097 label "host to fe80::/10 subnet"
1049 1098 local_id_type ip
1050 1099 local_id "fe80::a00:20ff:fe7d:6"
1051 1100
1052 1101 remote_id "" # Take any, use remote_addr for access control.
1053 1102
1054 1103 local_addr fe80::a00:20ff:fe7d:6
1055 1104 remote_addr fe80::/10
1056 1105
1057 1106 p1_xform
1058 1107 { auth_method rsa_sig oakley_group 5 auth_alg md5 encr_alg 3des }
1059 1108 p1_xform
1060 1109 { auth_method rsa_sig oakley_group 5 auth_alg md5 encr_alg \e
1061 1110 blowfish }
1062 1111 p1_xform
1063 1112 { auth_method rsa_sig oakley_group 5 auth_alg sha1 encr_alg \e
1064 1113 3des }
1065 1114 p1_xform
1066 1115 { auth_method rsa_sig oakley_group 5 auth_alg sha1 encr_alg \e
1067 1116 blowfish }
1068 1117 }
1069 1118
1070 1119 {
1071 1120 # How 'bout something with a different cert type and name?
1072 1121
1073 1122 label "punchin-point"
1074 1123 local_id_type mbox
1075 1124 local_id "ipsec-wizard@domain.org"
1076 1125
1077 1126 remote_id "10.5.5.128"
1078 1127
1079 1128 local_addr 0.0.0.0/0
1080 1129 remote_addr 10.5.5.128
1081 1130
1082 1131 p1_xform
1083 1132 { auth_method rsa_sig oakley_group 5 auth_alg md5 encr_alg \e
1084 1133 blowfish }
1085 1134 }
1086 1135
1087 1136 {
1088 1137 label "receiver side"
1089 1138
1090 1139 remote_id "ipsec-wizard@domain.org"
1091 1140
1092 1141 local_id_type ip
1093 1142 local_id "10.5.5.128"
1094 1143
1095 1144 local_addr 10.5.5.128
1096 1145 remote_addr 0.0.0.0/0
1097 1146
1098 1147 p1_xform
1099 1148 { auth_method rsa_sig oakley_group 5 auth_alg md5 encr_alg blowfish }
1100 1149 # NOTE: Specifying preshared null-and-voids the remote_id/local_id
1101 1150 # fields.
1102 1151 p1_xform
1103 1152 { auth_method preshared oakley_group 5 auth_alg md5 encr_alg \e
1104 1153 blowfish}
1105 1154
1106 1155 }
1107 1156 .fi
1108 1157 .in -2
1109 1158
1110 1159 .SH ATTRIBUTES
1111 1160 .sp
1112 1161 .LP
1113 1162 See \fBattributes\fR(5) for descriptions of the following attributes:
1114 1163 .sp
1115 1164
1116 1165 .sp
1117 1166 .TS
1118 1167 box;
1119 1168 c | c
1120 1169 l | l .
1121 1170 ATTRIBUTE TYPE ATTRIBUTE VALUE
1122 1171 _
1123 1172 Interface Stability Committed
1124 1173 .TE
1125 1174
1126 1175 .SH SEE ALSO
1127 1176 .sp
1128 1177 .LP
1129 1178 \fBcryptoadm\fR(1M), \fBikeadm\fR(1M), \fBin.iked\fR(1M), \fBikecert\fR(1M),
1130 1179 \fBipseckey\fR(1M), \fBipsecalgs\fR(1M), \fBipsecconf\fR(1M), \fBsvccfg\fR(1M),
1131 1180 \fBdlopen\fR(3C), \fBattributes\fR(5), \fBrandom\fR(7D)
1132 1181 .sp
1133 1182 .LP
1134 1183 Harkins, Dan and Carrel, Dave. \fIRFC 2409, Internet Key Exchange (IKE)\fR.
1135 1184 Cisco Systems, November 1998.
1136 1185 .sp
1137 1186 .LP
1138 1187 Maughan, Douglas et. al. \fIRFC 2408, Internet Security Association and Key
1139 1188 Management Protocol (ISAKMP)\fR. National Security Agency, Ft. Meade, MD.
↓ open down ↓ |
531 lines elided |
↑ open up ↑ |
1140 1189 November 1998.
1141 1190 .sp
1142 1191 .LP
1143 1192 Piper, Derrell. \fIRFC 2407, The Internet IP Security Domain of Interpretation
1144 1193 for ISAKMP\fR. Network Alchemy. Santa Cruz, California. November 1998.
1145 1194 .sp
1146 1195 .LP
1147 1196 Kivinen, T. \fIRFC 3526, More Modular Exponential (MODP) Diffie-Hellman Groups
1148 1197 for Internet Key Exchange (IKE)\fR. The Internet Society, Network Working
1149 1198 Group. May 2003.
1199 +.sp
1200 +.LP
1201 +Lepinksi, M. and Kent, S. \fIRFC 5114, Additional Diffie-Hellman Groups for Use
1202 +with IETF Standards\fR. BBN Technologies, January 2008.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX