5794 Add reference to RFC 5903 to ike.config(4)
--- old/usr/src/man/man4/ike.config.4.man.txt
+++ new/usr/src/man/man4/ike.config.4.man.txt
1 1 IKE.CONFIG(4) File Formats IKE.CONFIG(4)
2 2
3 3
4 4
5 5 NAME
6 6 ike.config - configuration file for IKE policy
7 7
8 8 SYNOPSIS
9 9 /etc/inet/ike/config
10 10
11 11
12 12 DESCRIPTION
13 13 The /etc/inet/ike/config file contains rules for matching inbound IKE
14 14 requests. It also contains rules for preparing outbound IKE requests.
15 15
16 16
17 17 You can test the syntactic correctness of an /etc/inet/ike/config file
18 18 by using the -c or -f options of in.iked(1M). You must use the -c option
19 19 to test a config file. You might need to use the -f option if it is not
20 20 in /etc/inet/ike/config.
21 21
22 22 Lexical Components
23 23 On any line, an unquoted # character introduces a comment. The
24 24 remainder of that line is ignored. Additionally, on any line, an
25 25 unquoted // sequence introduces a comment. The remainder of that line
26 26 is ignored.
27 27
28 28
29 29 There are several types of lexical tokens in the ike.config file:
30 30
31 31 num
32 32 A decimal, hex, or octal number representation is as in 'C'.
33 33
34 34
35 35 IPaddr/prefix/range
36 36 An IPv4 or IPv6 address with an optional /NNN suffix, (where NNN is
37 37 a num) that indicates an address (CIDR) prefix (for example,
38 38 10.1.2.0/24). An optional /ADDR suffix (where ADDR is a second IP
39 39 address) indicates an address/mask pair (for example,
40 40 10.1.2.0/255.255.255.0). An optional -ADDR suffix (where ADDR is a
41 41 second IPv4 address) indicates an inclusive range of addresses (for
42 42 example, 10.1.2.0-10.1.2.255). The / or - can be surrounded by an
43 43 arbitrary amount of white space.
44 44
45 45
46 46 XXX | YYY | ZZZ
47 47 Either the words XXX, YYY, or ZZZ, for example, {yes,no}.
48 48
49 49
50 50 p1-id-type
51 51 An IKE phase 1 identity type. IKE phase 1 identity types include:
52 52 dn, DN
53 53 dns, DNS
54 54 fqdn, FQDN
55 55 gn, GN
56 56 ip, IP
57 57 ipv4
58 58 ipv4_prefix
59 59 ipv4_range
60 60 ipv6
61 61 ipv6_prefix
62 62 ipv6_range
63 63 mbox, MBOX
64 64 user_fqdn
65 65
66 66
67 67 "string"
68 68 A quoted string.
69 69
70 70 Examples include:"Label foo", or "C=US, OU=Sun Microsystems\, Inc.,
71 71 N=olemcd@eng.example.com"
72 72
73 73 A backslash (\) is an escape character. If the string needs an
74 74 actual backslash, two must be specified.
75 75
76 76
77 77 cert-sel
78 78 A certificate selector, a string which specifies the identities of
79 79 zero or more certificates. The specifiers can conform to X.509
80 80 naming conventions.
81 81
82 82 A cert-sel can also use various shortcuts to match either subject
83 83 alternative names, the filename or slot of a certificate in
84 84 /etc/inet/ike/publickeys, or even the ISSUER. For example:
85 85
86 86 "SLOT=0"
87 87 "EMAIL=postmaster@domain.org"
88 88 "webmaster@domain.org" # Some just work w/o TYPE=
89 89 "IP=10.0.0.1"
90 90 "10.21.11.11" # Some just work w/o TYPE=
91 91 "DNS=www.domain.org"
92 92 "mailhost.domain.org" # Some just work w/o TYPE=
93 93 "ISSUER=C=US, O=Sun Microsystems\, Inc., CN=Sun CA"
94 94
95 95
96 96 Any cert-sel preceded by the character ! indicates a negative match,
97 97 that is, not matching this specifier. These are the same kind of
98 98 strings used in ikecert(1M).
99 99
100 100
101 101 ldap-list
102 102 A quoted, comma-separated list of LDAP servers and ports.
103 103
104 104 For example, "ldap1.example.com", "ldap1.example.com:389",
105 105 "ldap1.example.com:389,ldap2.example.com".
106 106
107 107 The default port for LDAP is 389.
108 108
109 109
110 110 parameter-list
111 111 A list of parameters.
112 112
113 113
114 114 File Body Entries
115 115 There are four main types of entries:
116 116
117 117 o global parameters
118 118
119 119 o IKE phase 1 transform defaults
120 120
121 121 o IKE rule defaults
122 122
123 123 o IKE rules
124 124
125 125
126 126 The global parameter entries are as follows:
127 127
128 128 cert_root cert-sel
129 129 The X.509 distinguished name of a certificate that is a trusted
130 130 root CA certificate.It must be encoded in a file in the
131 131 /etc/inet/ike/publickeys directory. It must have a CRL in
132 132 /etc/inet/ike/crls. Multiple cert_root parameters aggregate.
133 133
134 134
135 135 cert_trust cert-sel
136 136 Specifies an X.509 distinguished name of a certificate that is
137 137 self-signed, or has otherwise been verified as trustworthy for
138 138 signing IKE exchanges. It must be encoded in a file in
139 139 /etc/inet/ike/publickeys. Multiple cert_trust parameters aggregate.
140 140
141 141
142 142 expire_timer integer
143 143 The number of seconds to let a not-yet-complete IKE Phase I (Main
144 144 Mode) negotiation linger before deleting it. Default value: 300
145 145 seconds.
146 146
147 147
148 148 ignore_crls
149 149 If this keyword is present in the file, in.iked(1M) ignores
150 150 Certificate Revocation Lists (CRLs) for root CAs (as given in
151 151 cert_root)
152 152
153 153
154 154 ldap_server ldap-list
155 155 A list of LDAP servers to query for certificates. The list can be
156 156 additive.
157 157
158 158
159 159 pkcs11_path string
160 160 The string that follows is a name of a shared object (.so) that
161 161 implements the PKCS#11 standard. The name is passed directly into
162 162 dlopen(3C) for linking, with all of the semantics of that library
163 163 call. By default, in.iked(1M) runs the same ISA as the running
164 164 kernel, so a library specified using pkcs11_path and an absolute
165 165 pathname must match the same ISA as the kernel. One can use the
166 166 start/exec SMF property (see svccfg(1M)) to change in.iked's ISA,
167 167 but it is not recommended.
168 168
169 169 If this setting is not present, the default value is set to
170 170 libpkcs11.so. Most cryptographic providers go through the default
171 171 library, and this parameter should only be used if a specialized
172 172 provider of IKE-useful cryptographic services cannot interface with
173 173 the Solaris Cryptographic Framework. See cryptoadm(1M).
174 174
175 175 This option is now deprecated, and may be removed in a future
176 176 release.
177 177
178 178
179 179 retry_limit integer
180 180 The number of retransmits before any IKE negotiation is aborted.
181 181 Default value: 5 times.
182 182
183 183
184 184 retry_timer_init integer or float
185 185 The initial interval (in seconds) between retransmits. This
186 186 interval is doubled until the retry_timer_max value (see below) is
187 187 reached. Default value: 0.5 seconds.
188 188
189 189
190 190 retry_timer_max integer or float
191 191 The maximum interval (in seconds) between retransmits. The doubling
192 192 retransmit interval stops growing at this limit. Default value: 30
193 193 seconds.
194 194
195 195 Note -
196 196
197 197 This value is never reached with the default configuration. The
198 198 longest interval is 8 (0.5 * 2 ^ (5 - 1)) seconds.
199 199
200 200
201 201 proxy string
202 202 The string following this keyword must be a URL for an HTTP proxy,
203 203 for example, http://proxy:8080.
204 204
205 205
206 206 socks string
207 207 The string following this keyword must be a URL for a SOCKS proxy,
208 208 for example, socks://socks-proxy.
209 209
210 210
211 211 use_http
212 212 If this keyword is present in the file, in.iked(1M) uses HTTP to
213 213 retrieve Certificate Revocation Lists (CRLs).
214 214
215 215
216 216
217 217 The following IKE phase 1 transform parameters can be prefigured using
218 218 file-level defaults. Values specified within any given transform
219 219 override these defaults.
220 220
221 221
222 222 The IKE phase 1 transform defaults are as follows:
223 223
224 224 p1_lifetime_secs num
225 225 The proposed default lifetime, in seconds, of an IKE phase 1
226 226 security association (SA).
227 227
228 228
229 229 p1_nonce_len num
230 230 The length in bytes of the phase 1 (quick mode) nonce data. This
231 231 cannot be specified on a per-rule basis.
232 232
233 233
234 234
235 235 The following IKE rule parameters can be prefigured using file-level
236 236 defaults. Values specified within any given rule override these
237 237 defaults, unless a rule cannot.
238 238
239 239 p2_lifetime_secs num
240 240 The proposed default lifetime, in seconds, of an IKE phase 2
241 241 security association (SA). This value is optional. If omitted, a
242 242 default value is used.
243 243
244 244
245 245 p2_softlife_secs num
246 246 The soft lifetime of a phase 2 SA, in seconds. If this value is
247 247 specified, the SA soft expires after the number of seconds
248 248 specified by p2_softlife_secs. This causes in.iked to renegotiate a
249 249 new phase 2 SA before the original SA expires.
250 250
251 251 This value is optional, if omitted soft expiry occurs after 90% of
252 252 the lifetime specified by p2_lifetime_secs. The value specified by
253 253 p2_softlife_secs is ignored if p2_lifetime_secs is not specified.
254 254
255 255 Setting p2_softlife_secs to the same value as p2_lifetime_secs
256 256 disables soft expires.
257 257
258 258
259 259 p2_idletime_secs num
260 260 The idle lifetime of a phase 2 SA, in seconds. If the value is
261 261 specified, the value specifies the lifetime of the SA, if the
262 262 security association is not used before the SA is revalidated.
263 263
264 264
265 265 p2_lifetime_kb num
266 266 The lifetime of an SA can optionally be specified in kilobytes.
267 267 This parameter specifies the default value. If lifetimes are
268 268 specified in both seconds and kilobytes, the SA expires when either
269 269 the seconds or kilobyte threshholds are passed.
270 270
271 271
272 272 p2_softlife_kb num
273 273 This value is the number of kilobytes that can be protected by an
274 274 SA before a soft expire occurs (see p2_softlife_secs, above).
275 275
276 276 This value is optional. If omitted, soft expiry occurs after 90% of
277 277 the lifetime specified by p2_lifetime_kb. The value specified by
278 278 p2_softlife_kb is ignored if p2_lifetime_kb is not specified.
279 279
280 280
281 281 p2_nonce_len num
282 282 The length in bytes of the phase 2 (quick mode) nonce data. This
283 283 cannot be specified on a per-rule basis.
284 284
285 285
286 286 local_id_type p1-id-type
287 287 The local identity for IKE requires a type. This identity type is
288 288 reflected in the IKE exchange. The type can be one of the
289 289 following:
290 290
291 291 o an IP address (for example, 10.1.1.2)
292 292
293 293 o DNS name (for example, test.domain.com)
294 294
295 295 o MBOX RFC 822 name (for example, root@domain.com)
296 296
297 297 o DNX.509 distinguished name (for example, C=US, O=Sun
298 298 Microsystems, Inc., CN=Sun Test cert)
299 299
300 300
301 301 p1_xform '{' parameter-list '}
302 302 A phase 1 transform specifies a method for protecting an IKE phase
303 303 1 exchange. An initiator offers up lists of phase 1 transforms,
304 304 and a receiver is expected to only accept such an entry if it
305 305 matches one in a phase 1 rule. There can be several of these, and
306 306 they are additive. There must be either at least one phase 1
307 307 transform in a rule or a global default phase 1 transform list. In
308 308 a configuration file without a global default phase 1 transform
309 309 list and a rule without a phase, transform list is an invalid file.
310 310 Unless specified as optional, elements in the parameter-list must
311 311 occur exactly once within a given transform's parameter-list:
312 312
313 313 oakley_group number
314 314 The Oakley Diffie-Hellman group used for IKE SA key derivation.
315 315 The group numbers are defined in RFC 2409, Appendix A, RFC
316 316 3526, and RFC 5114, section 3.2. Acceptable values are
317 317 currently:
318 318 1 (MODP 768-bit)
319 319 2 (MODP 1024-bit)
320 320 3 (EC2N 155-bit)
321 321 4 (EC2N 185-bit)
322 322 5 (MODP 1536-bit)
323 323 14 (MODP 2048-bit)
324 324 15 (MODP 3072-bit)
325 325 16 (MODP 4096-bit)
326 326 17 (MODP 6144-bit)
327 327 18 (MODP 8192-bit)
328 328 19 (ECP 256-bit)
329 329 20 (ECP 384-bit)
330 330 21 (ECP 521-bit)
331 331 22 (MODP 1024-bit, with 160-bit Prime Order Subgroup)
332 332 23 (MODP 2048-bit, with 224-bit Prime Order Subgroup)
333 333 24 (MODP 2048-bit, with 256-bit Prime Order Subgroup)
334 334 25 (ECP 192-bit)
335 335 26 (ECP 224-bit)
336 336
337 337
338 338 encr_alg {3des, 3des-cbc, blowfish, blowfish-cdc, des, des-cbc, aes,
339 339 aes-cbc}
340 340 An encryption algorithm, as in ipsecconf(1M). However, of the
341 341 ciphers listed above, only aes and aes-cbc allow optional key-
342 342 size setting, using the "low value-to-high value" syntax. To
343 343 specify a single AES key size, the low value must equal the
344 344 high value. If no range is specified, all three AES key sizes
345 345 are allowed.
346 346
347 347
348 348 auth_alg {md5, sha, sha1, sha256, sha384, sha512}
349 349 An authentication algorithm.
350 350
351 351 Use ipsecalgs(1M) with the -l option to list the IPsec protocols
352 352 and algorithms currently defined on a system. The cryptoadm
353 353 list command diplays a list of installed providers and their
354 354 mechanisms. See cryptoadm(1M).
355 355
356 356
357 357 auth_method {preshared, rsa_sig, rsa_encrypt, dss_sig}
358 358 The authentication method used for IKE phase 1.
359 359
360 360
361 361 p1_lifetime_secs num
362 362 Optional. The lifetime for a phase 1 SA.
363 363
364 364
365 365
366 366 p2_lifetime_secs num
367 367 If configuring the kernel defaults is not sufficient for different
368 368 tasks, this parameter can be used on a per-rule basis to set the
369 369 IPsec SA lifetimes in seconds.
370 370
371 371
372 372 p2_pfs num
373 373 Use perfect forward secrecy for phase 2 (quick mode). If selected,
374 374 the oakley group specified is used for phase 2 PFS. Acceptable
375 375 values are:
376 376 0 (do not use Perfect Forward Secrecy for IPsec SAs)
377 377 1 (768-bit)
378 378 2 (1024-bit)
379 379 5 (1536-bit)
380 380 14 (2048-bit)
381 381 15 (3072-bit)
382 382 16 (4096-bit)
383 383
384 384
385 385
386 386 An IKE rule starts with a right-curly-brace ({), ends with a left-curly-
387 387 brace (}), and has the following parameters in between:
388 388
389 389 label string
390 390 Required parameter. The administrative interface to in.iked looks
391 391 up phase 1 policy rules with the label as the search string. The
392 392 administrative interface also converts the label into an index,
393 393 suitable for an extended ACQUIRE message from PF_KEY - effectively
394 394 tying IPsec policy to IKE policy in the case of a node initiating
395 395 traffic. Only one label parameter is allowed per rule.
396 396
397 397
398 398 local_addr <IPaddr/prefix/range>
399 399 Required parameter. The local address, address prefix, or address
400 400 range for this phase 1 rule. Multiple local_addr parameters
401 401 accumulate within a given rule.
402 402
403 403
404 404 remote_addr <IPaddr/prefix/range>
405 405 Required parameter. The remote address, address prefix, or address
406 406 range for this phase 1 rule. Multiple remote_addr parameters
407 407 accumulate within a given rule.
408 408
409 409
410 410 local_id_type p1-id-type
411 411 Which phase 1 identity type I uses. This is needed because a single
412 412 certificate can contain multiple values for use in IKE phase 1.
413 413 Within a given rule, all phase 1 transforms must either use
414 414 preshared or non-preshared authentication (they cannot be mixed).
415 415 For rules with preshared authentication, the local_id_type
416 416 parameter is optional, and defaults to IP. For rules which use non-
417 417 preshared authentication, the 'local_id_type' parameter is
418 418 required. Multiple 'local_id_type' parameters within a rule are not
419 419 allowed.
420 420
421 421
422 422 local_id cert-sel
423 423 Disallowed for preshared authentication method; required parameter
424 424 for non-preshared authentication method. The local identity string
425 425 or certificate selector. Only one local identity per rule is used,
426 426 the first one stated.
427 427
428 428
429 429 remote_id cert-sel
430 430 Disallowed for preshared authentication method; required parameter
431 431 for non-preshared authentication method. Selector for which remote
432 432 phase 1 identities are allowed by this rule. Multiple remote_id
433 433 parameters accumulate within a given rule. If a single empty string
434 434 ("") is given, then this accepts any remote ID for phase 1. It is
435 435 recommended that certificate trust chains or address enforcement be
436 436 configured strictly to prevent a breakdown in security if this
437 437 value for remote_id is used.
438 438
439 439
440 440 p2_lifetime_secs num
441 441 If configuring the kernel defaults is not sufficient for different
442 442 tasks, this parameter can be used on a per-rule basis to set the
443 443 IPsec SA lifetimes in seconds.
444 444
445 445
446 446 p2_pfs num
447 447 Use perfect forward secrecy for phase 2 (quick mode). If selected,
448 448 the oakley group specified is used for phase 2 PFS. Acceptable
449 449 values are:
450 450 0 (do not use Perfect Forward Secrecy for IPsec SAs)
451 451 1 (768-bit)
452 452 2 (1024-bit)
453 453 5 (1536-bit)
454 454 14 (2048-bit)
455 455 15 (3072-bit)
456 456 16 (4096-bit)
457 457
458 458
459 459 p1_xform { parameter-list }
460 460 A phase 1 transform specifies a method for protecting an IKE phase
461 461 1 exchange. An initiator offers up lists of phase 1 transforms,
462 462 and a receiver is expected to only accept such an entry if it
463 463 matches one in a phase 1 rule. There can be several of these, and
464 464 they are additive. There must be either at least one phase 1
465 465 transform in a rule or a global default phase 1 transform list. A
466 466 ike.config file without a global default phase 1transform list and
467 467 a rule without a phase 1 transform list is an invalid file.
468 468 Elements within the parameter-list; unless specified as optional,
469 469 must occur exactly once within a given transform's parameter-list:
470 470
471 471 oakley_group number
472 472 The Oakley Diffie-Hellman group used for IKE SA key derivation.
473 473 Acceptable values are currently:
474 474 1 (768-bit)
475 475 2 (1024-bit)
476 476 5 (1536-bit)
477 477 14 (2048-bit)
478 478 15 (3072-bit)
479 479 16 (4096-bit)
480 480
481 481
482 482 encr_alg {3des, 3des-cbc, blowfish, blowfish-cdc, des, des-cbc, aes,
483 483 aes-cbc}
484 484 An encryption algorithm, as in ipsecconf(1M). However, of the
485 485 ciphers listed above, only aes and aes-cbc allow optional key-
486 486 size setting, using the "low value-to-high value" syntax. To
487 487 specify a single AES key size, the low value must equal the
488 488 high value. If no range is specified, all three AES key sizes
489 489 are allowed.
490 490
491 491
492 492 auth_alg {md5, sha, sha1}
493 493 An authentication algorithm, as specified in ipseckey(1M).
494 494
495 495
496 496 auth_method {preshared, rsa_sig, rsa_encrypt, dss_sig}
497 497 The authentication method used for IKE phase 1.
498 498
499 499
500 500 p1_lifetime_secs num
501 501 Optional. The lifetime for a phase 1 SA.
502 502
503 503
504 504
505 505 EXAMPLES
506 506 Example 1 A Sample ike.config File
507 507
508 508
509 509 The following is an example of an ike.config file:
510 510
511 511
512 512
513 513 ### BEGINNING OF FILE
514 514
515 515 ### First some global parameters...
516 516
517 517 ### certificate parameters...
518 518
519 519 # Root certificates. I SHOULD use a full Distinguished Name.
520 520 # I must have this certificate in my local filesystem, see ikecert(1m).
521 521 cert_root "C=US, O=Sun Microsystems\, Inc., CN=Sun CA"
522 522
523 523 # Explicitly trusted certs that need no signatures, or perhaps
524 524 # self-signed ones. Like root certificates, use full DNs for them
525 525 # for now.
526 526 cert_trust "EMAIL=root@domain.org"
527 527
528 528 # Where do I send LDAP requests?
529 529 ldap_server "ldap1.domain.org,ldap2.domain.org:389"
530 530
531 531 ## phase 1 transform defaults...
532 532
533 533 p1_lifetime_secs 14400
534 534 p1_nonce_len 20
535 535
536 536 ## Parameters that might also show up in rules.
537 537
538 538 p1_xform { auth_method preshared oakley_group 5 auth_alg sha
539 539 encr_alg 3des }
540 540 p2_pfs 2
541 541
542 542
543 543
544 544 ### Now some rules...
545 545
546 546 {
547 547 label "simple inheritor"
548 548 local_id_type ip
549 549 local_addr 10.1.1.1
550 550 remote_addr 10.1.1.2
551 551 }
552 552 {
553 553 label "simple inheritor IPv6"
554 554 local_id_type ipv6
555 555 local_addr fe80::a00:20ff:fe7d:6
556 556 remote_addr fe80::a00:20ff:fefb:3780
557 557 }
558 558
559 559 {
560 560 # an index-only rule. If I'm a receiver, and all I
561 561 # have are index-only rules, what do I do about inbound IKE requests?
562 562 # Answer: Take them all!
563 563
564 564 label "default rule"
565 565 # Use whatever "host" (e.g. IP address) identity is appropriate
566 566 local_id_type ipv4
567 567
568 568 local_addr 0.0.0.0/0
569 569 remote_addr 0.0.0.0/0
570 570
571 571 p2_pfs 5
572 572
573 573 # Now I'm going to have the p1_xforms
574 574 p1_xform
575 575 {auth_method preshared oakley_group 5 auth_alg md5 encr_alg \
576 576 blowfish } p1_xform
577 577 {auth_method preshared oakley_group 5 auth_alg md5 encr_alg 3des }
578 578
579 579 # After said list, another keyword (or a '}') stops xform
580 580 # parsing.
581 581 }
582 582
583 583 {
584 584 # Let's try something a little more conventional.
585 585
586 586 label "host to .80 subnet"
587 587 local_id_type ip
588 588 local_id "10.1.86.51"
589 589
590 590 remote_id "" # Take any, use remote_addr for access control.
591 591
592 592 local_addr 10.1.86.51
593 593 remote_addr 10.1.80.0/24
594 594
595 595 p1_xform
596 596 { auth_method rsa_sig oakley_group 5 auth_alg md5 encr_alg 3des }
597 597 p1_xform
598 598 { auth_method rsa_sig oakley_group 5 auth_alg md5 encr_alg \
599 599 blowfish }
600 600 p1_xform
601 601 { auth_method rsa_sig oakley_group 5 auth_alg sha1 encr_alg 3des }
602 602 p1_xform
603 603 { auth_method rsa_sig oakley_group 5 auth_alg sha1 encr_alg \
604 604 blowfish }
605 605 }
606 606
607 607 {
608 608 # Let's try something a little more conventional, but with ipv6.
609 609
610 610 label "host to fe80::/10 subnet"
611 611 local_id_type ip
612 612 local_id "fe80::a00:20ff:fe7d:6"
613 613
614 614 remote_id "" # Take any, use remote_addr for access control.
615 615
616 616 local_addr fe80::a00:20ff:fe7d:6
617 617 remote_addr fe80::/10
618 618
619 619 p1_xform
620 620 { auth_method rsa_sig oakley_group 5 auth_alg md5 encr_alg 3des }
621 621 p1_xform
622 622 { auth_method rsa_sig oakley_group 5 auth_alg md5 encr_alg \
623 623 blowfish }
624 624 p1_xform
625 625 { auth_method rsa_sig oakley_group 5 auth_alg sha1 encr_alg \
626 626 3des }
627 627 p1_xform
628 628 { auth_method rsa_sig oakley_group 5 auth_alg sha1 encr_alg \
629 629 blowfish }
630 630 }
631 631
632 632 {
633 633 # How 'bout something with a different cert type and name?
634 634
635 635 label "punchin-point"
636 636 local_id_type mbox
637 637 local_id "ipsec-wizard@domain.org"
638 638
639 639 remote_id "10.5.5.128"
640 640
641 641 local_addr 0.0.0.0/0
642 642 remote_addr 10.5.5.128
643 643
644 644 p1_xform
645 645 { auth_method rsa_sig oakley_group 5 auth_alg md5 encr_alg \
646 646 blowfish }
647 647 }
648 648
649 649 {
650 650 label "receiver side"
651 651
652 652 remote_id "ipsec-wizard@domain.org"
653 653
654 654 local_id_type ip
655 655 local_id "10.5.5.128"
656 656
657 657 local_addr 10.5.5.128
658 658 remote_addr 0.0.0.0/0
659 659
660 660 p1_xform
661 661 { auth_method rsa_sig oakley_group 5 auth_alg md5 encr_alg blowfish }
662 662 # NOTE: Specifying preshared null-and-voids the remote_id/local_id
663 663 # fields.
664 664 p1_xform
665 665 { auth_method preshared oakley_group 5 auth_alg md5 encr_alg \
666 666 blowfish}
667 667
668 668 }
669 669
670 670
671 671 ATTRIBUTES
672 672 See attributes(5) for descriptions of the following attributes:
673 673
674 674
675 675
676 676
677 677 +--------------------+-----------------+
678 678 | ATTRIBUTE TYPE | ATTRIBUTE VALUE |
679 679 +--------------------+-----------------+
680 680 |Interface Stability | Committed |
681 681 +--------------------+-----------------+
682 682
683 683 SEE ALSO
684 684 cryptoadm(1M), ikeadm(1M), in.iked(1M), ikecert(1M), ipseckey(1M),
685 685 ipsecalgs(1M), ipsecconf(1M), svccfg(1M), dlopen(3C), attributes(5),
686 686 random(7D)
687 687
688 688
689 689 Harkins, Dan and Carrel, Dave. RFC 2409, Internet Key Exchange (IKE).
690 690 Cisco Systems, November 1998.
691 691
692 692
693 693 Maughan, Douglas et. al. RFC 2408, Internet Security Association and
694 694 Key Management Protocol (ISAKMP). National Security Agency, Ft. Meade,
695 695 MD. November 1998.
696 696
697 697
698 698 Piper, Derrell. RFC 2407, The Internet IP Security Domain of
699 699 Interpretation for ISAKMP. Network Alchemy. Santa Cruz, California.
700 700 November 1998.
701 701
702 702
703 703 Kivinen, T. RFC 3526, More Modular Exponential (MODP) Diffie-Hellman
704 704 Groups for Internet Key Exchange (IKE). The Internet Society, Network
705 705 Working Group. May 2003.
706 706
707 707
708 708 Lepinksi, M. and Kent, S. RFC 5114, Additional Diffie-Hellman Groups for
709 709 Use with IETF Standards. BBN Technologies, January 2008.
710 710
711 711
712 + Fu, D. and Solinas, J. RFC 5903, Elliptic Curve Groups modulo a Prime
713 + (ECP Groups) for IKE and IKEv2. NSA, June 2010.
712 714
715 +
716 +
713 717 April 27, 2009 IKE.CONFIG(4)
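Review bot: the oakley_group description in the body still reads "The group numbers are defined in RFC 2409, Appendix A, RFC 3526, and RFC 5114, section 3.2" even though the table directly under it lists groups 19 (ECP 256-bit), 20 (ECP 384-bit) and 21 (ECP 521-bit), which are exactly the groups RFC 5903 defines (it obsoletes RFC 4753); RFC 5114 section 3.2 only registers groups 22 through 26, and RFC 2409 and RFC 3526 cover the MODP and EC2N groups. Adding the SEE ALSO entry without touching that sentence leaves no pointer from the group list to the new reference, so extend it to something like "RFC 2409, Appendix A, RFC 3526, RFC 5903, and RFC 5114, section 3.2". Two smaller points in the same region: the new entry abbreviates the affiliation to "NSA" while the RFC 2408 entry above spells out "National Security Agency, Ft. Meade, MD.", so pick one form for both; and since this block of references is being edited anyway, the adjacent "Lepinksi" in the RFC 5114 entry should be "Lepinski". The two added blank "+" lines also leave three empty lines before the footer where the other references are separated by two, and the footer date "April 27, 2009" was not bumped for this change.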