5794 Add reference to RFC 5903 to ike.config(4)
--- old/usr/src/man/man4/ike.config.4
+++ new/usr/src/man/man4/ike.config.4
1 1 '\" te
2 2 .\" Copyright (c) 2009, Sun Microsystems, Inc. All Rights Reserved.
3 3 .\" Copyright (c) 2015, Circonus, Inc. All Rights Reserved.
4 4 .\" The contents of this file are subject to the terms of the Common Development and Distribution License (the "License"). You may not use this file except in compliance with the License. You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing.
5 5 .\" See the License for the specific language governing permissions and limitations under the License. When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE. If applicable, add the following below this CDDL HEADER, with the
6 6 .\" fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner]
7 7 .TH IKE.CONFIG 4 "Apr 27, 2009"
8 8 .SH NAME
9 9 ike.config \- configuration file for IKE policy
10 10 .SH SYNOPSIS
11 11 .LP
12 12 .nf
13 13 \fB/etc/inet/ike/config\fR
14 14 .fi
15 15
16 16 .SH DESCRIPTION
17 17 .LP
18 18 The \fB/etc/inet/ike/config\fR file contains rules for matching inbound IKE
19 19 requests. It also contains rules for preparing outbound \fBIKE\fR requests.
20 20 .sp
21 21 .LP
22 22 You can test the syntactic correctness of an \fB/etc/inet/ike/config\fR file by
23 23 using the \fB-c\fR or \fB-f\fR options of \fBin.iked\fR(1M). You must use the
24 24 \fB-c\fR option to test a \fBconfig\fR file. You might need to use the \fB-f\fR
25 25 option if it is not in \fB/etc/inet/ike/config\fR.
26 26 .SS "Lexical Components"
27 27 .LP
28 28 On any line, an unquoted \fB#\fR character introduces a comment. The remainder
29 29 of that line is ignored. Additionally, on any line, an unquoted \fB//\fR
30 30 sequence introduces a comment. The remainder of that line is ignored.
31 31 .sp
32 32 .LP
33 33 There are several types of lexical tokens in the \fBike.config\fR file:
34 34 .sp
35 35 .ne 2
36 36 .na
37 37 \fB\fInum\fR\fR
38 38 .ad
39 39 .sp .6
40 40 .RS 4n
41 41 A decimal, hex, or octal number representation is as in 'C'.
42 42 .RE
43 43
44 44 .sp
45 45 .ne 2
46 46 .na
47 47 \fB\fIIPaddr\fR/\fIprefix\fR/\fIrange\fR\fR
48 48 .ad
49 49 .sp .6
50 50 .RS 4n
51 51 An IPv4 or IPv6 address with an optional /\fINNN\fR suffix, (where \fINNN\fR is
52 52 a \fInum\fR) that indicates an address (\fBCIDR\fR) prefix (for example,
53 53 \fB10.1.2.0/24\fR). An optional /\fIADDR\fR suffix (where \fIADDR\fR is a
54 54 second IP address) indicates an address/mask pair (for example,
55 55 \fB10.1.2.0/255.255.255.0\fR). An optional -\fIADDR\fR suffix (where \fIADDR\fR
56 56 is a second IPv4 address) indicates an inclusive range of addresses (for
57 57 example, \fB10.1.2.0-10.1.2.255\fR). The \fB/\fR or \fB-\fR can be surrounded
58 58 by an arbitrary amount of white space.
59 59 .RE
60 60
61 61 .sp
62 62 .ne 2
63 63 .na
64 64 \fB\fBXXX\fR | \fBYYY\fR | \fBZZZ\fR\fR
65 65 .ad
66 66 .sp .6
67 67 .RS 4n
68 68 Either the words \fBXX\fRX, \fBYYY\fR, or \fBZZZ\fR, for example, {yes,no}.
69 69 .RE
70 70
71 71 .sp
72 72 .ne 2
73 73 .na
74 74 \fBp1-id-type\fR
75 75 .ad
76 76 .sp .6
77 77 .RS 4n
78 78 An IKE phase 1 identity type. IKE phase 1 identity types include:
79 79 .br
80 80 .in +2
81 81 \fBdn, DN\fR
82 82 .in -2
83 83 .br
84 84 .in +2
85 85 \fBdns, DNS\fR
86 86 .in -2
87 87 .br
88 88 .in +2
89 89 \fBfqdn, FQDN\fR
90 90 .in -2
91 91 .br
92 92 .in +2
93 93 \fBgn, GN\fR
94 94 .in -2
95 95 .br
96 96 .in +2
97 97 \fBip, IP\fR
98 98 .in -2
99 99 .br
100 100 .in +2
101 101 \fBipv4\fR
102 102 .in -2
103 103 .br
104 104 .in +2
105 105 \fBipv4_prefix\fR
106 106 .in -2
107 107 .br
108 108 .in +2
109 109 \fBipv4_range\fR
110 110 .in -2
111 111 .br
112 112 .in +2
113 113 \fBipv6\fR
114 114 .in -2
115 115 .br
116 116 .in +2
117 117 \fBipv6_prefix\fR
118 118 .in -2
119 119 .br
120 120 .in +2
121 121 \fBipv6_range\fR
122 122 .in -2
123 123 .br
124 124 .in +2
125 125 \fBmbox, MBOX\fR
126 126 .in -2
127 127 .br
128 128 .in +2
129 129 \fBuser_fqdn\fR
130 130 .in -2
131 131 .RE
132 132
133 133 .sp
134 134 .ne 2
135 135 .na
136 136 \fB\fB"\fR\fIstring\fR\fB"\fR\fR
137 137 .ad
138 138 .sp .6
139 139 .RS 4n
140 140 A quoted string.
141 141 .sp
142 142 Examples include:\fB"Label foo"\fR, or \fB"C=US, OU=Sun Microsystems\\, Inc.,
143 143 N=olemcd@eng.example.com"\fR
144 144 .sp
145 145 A backslash (\fB\e\fR) is an escape character. If the string needs an actual
146 146 backslash, two must be specified.
147 147 .RE
148 148
149 149 .sp
150 150 .ne 2
151 151 .na
152 152 \fB\fIcert-sel\fR\fR
153 153 .ad
154 154 .sp .6
155 155 .RS 4n
156 156 A certificate selector, a \fIstring\fR which specifies the identities of zero
157 157 or more certificates. The specifiers can conform to \fBX.509\fR naming
158 158 conventions.
159 159 .sp
160 160 A \fIcert-sel\fR can also use various shortcuts to match either subject
161 161 alternative names, the filename or \fBslot\fR of a certificate in
162 162 \fB/etc/inet/ike/publickeys\fR, or even the \fBISSUER\fR. For example:
163 163 .sp
164 164 .in +2
165 165 .nf
166 166 "SLOT=0"
167 167 "EMAIL=postmaster@domain.org"
168 168 "webmaster@domain.org" # Some just work w/o TYPE=
169 169 "IP=10.0.0.1"
170 170 "10.21.11.11" # Some just work w/o TYPE=
171 171 "DNS=www.domain.org"
172 172 "mailhost.domain.org" # Some just work w/o TYPE=
173 173 "ISSUER=C=US, O=Sun Microsystems\\, Inc., CN=Sun CA"
174 174 .fi
175 175 .in -2
176 176 .sp
177 177
178 178 Any \fIcert-sel\fR preceded by the character \fB!\fR indicates a negative
179 179 match, that is, not matching this specifier. These are the same kind of strings
180 180 used in \fBikecert\fR(1M).
181 181 .RE
182 182
183 183 .sp
184 184 .ne 2
185 185 .na
186 186 \fB\fIldap-list\fR\fR
187 187 .ad
188 188 .sp .6
189 189 .RS 4n
190 190 A quoted, comma-separated list of LDAP servers and ports.
191 191 .sp
192 192 For example, \fB"ldap1.example.com"\fR, \fB"ldap1.example.com:389"\fR,
193 193 \fB"ldap1.example.com:389,ldap2.example.com"\fR.
194 194 .sp
195 195 The default port for LDAP is \fB389\fR.
196 196 .RE
197 197
198 198 .sp
199 199 .ne 2
200 200 .na
201 201 \fB\fIparameter-list\fR\fR
202 202 .ad
203 203 .sp .6
204 204 .RS 4n
205 205 A list of parameters.
206 206 .RE
207 207
208 208 .SS "File Body Entries"
209 209 .LP
210 210 There are four main types of entries:
211 211 .RS +4
212 212 .TP
213 213 .ie t \(bu
214 214 .el o
215 215 global parameters
216 216 .RE
217 217 .RS +4
218 218 .TP
219 219 .ie t \(bu
220 220 .el o
221 221 IKE phase 1 transform defaults
222 222 .RE
223 223 .RS +4
224 224 .TP
225 225 .ie t \(bu
226 226 .el o
227 227 IKE rule defaults
228 228 .RE
229 229 .RS +4
230 230 .TP
231 231 .ie t \(bu
232 232 .el o
233 233 IKE rules
234 234 .RE
235 235 .sp
236 236 .LP
237 237 The global parameter entries are as follows:
238 238 .sp
239 239 .ne 2
240 240 .na
241 241 \fBcert_root \fIcert-sel\fR\fR
242 242 .ad
243 243 .sp .6
244 244 .RS 4n
245 245 The X.509 distinguished name of a certificate that is a trusted root CA
246 246 certificate.It must be encoded in a file in the \fB/etc/inet/ike/publickeys\fR
247 247 directory. It must have a CRL in \fB/etc/inet/ike/crl\fRs. Multiple
248 248 \fBcert_root\fR parameters aggregate.
249 249 .RE
250 250
251 251 .sp
252 252 .ne 2
253 253 .na
254 254 \fBcert_trust \fIcert-sel\fR\fR
255 255 .ad
256 256 .sp .6
257 257 .RS 4n
258 258 Specifies an X.509 distinguished name of a certificate that is self-signed, or
259 259 has otherwise been verified as trustworthy for signing IKE exchanges. It must
260 260 be encoded in a file in \fB/etc/inet/ike/publickeys\fR. Multiple
261 261 \fBcert_trust\fR parameters aggregate.
262 262 .RE
263 263
264 264 .sp
265 265 .ne 2
266 266 .na
267 267 \fBexpire_timer \fIinteger\fR\fR
268 268 .ad
269 269 .sp .6
270 270 .RS 4n
271 271 The number of seconds to let a not-yet-complete IKE Phase I (Main Mode)
272 272 negotiation linger before deleting it. Default value: 300 seconds.
273 273 .RE
274 274
275 275 .sp
276 276 .ne 2
277 277 .na
278 278 \fBignore_crls\fR
279 279 .ad
280 280 .sp .6
281 281 .RS 4n
282 282 If this keyword is present in the file, \fBin.iked\fR(1M) ignores Certificate
283 283 Revocation Lists (\fBCRL\fRs) for root \fBCA\fRs (as given in \fBcert_root\fR)
284 284 .RE
285 285
286 286 .sp
287 287 .ne 2
288 288 .na
289 289 \fBldap_server \fIldap-list\fR\fR
290 290 .ad
291 291 .sp .6
292 292 .RS 4n
293 293 A list of LDAP servers to query for certificates. The list can be additive.
294 294 .RE
295 295
296 296 .sp
297 297 .ne 2
298 298 .na
299 299 \fBpkcs11_path \fIstring\fR\fR
300 300 .ad
301 301 .sp .6
302 302 .RS 4n
303 303 The string that follows is a name of a shared object (\fB\&.so\fR) that
304 304 implements the PKCS#11 standard. The name is passed directly into
305 305 \fBdlopen\fR(3C) for linking, with all of the semantics of that library call.
306 306 By default, \fBin.iked\fR(1M) runs the same ISA as the running kernel, so a
307 307 library specified using \fBpkcs11_path\fR and an absolute pathname \fBmust\fR
308 308 match the same ISA as the kernel. One can use the start/exec SMF property (see
309 309 \fBsvccfg\fR(1M)) to change \fBin.iked\fR's ISA, but it is not recommended.
310 310 .sp
311 311 If this setting is not present, the default value is set to \fBlibpkcs11.so\fR.
312 312 Most cryptographic providers go through the default library, and this parameter
313 313 should only be used if a specialized provider of IKE-useful cryptographic
314 314 services cannot interface with the Solaris Cryptographic Framework. See
315 315 \fBcryptoadm\fR(1M).
316 316 .sp
317 317 This option is now deprecated, and may be removed in a future release.
318 318 .RE
319 319
320 320 .sp
321 321 .ne 2
322 322 .na
323 323 \fBretry_limit \fIinteger\fR\fR
324 324 .ad
325 325 .sp .6
326 326 .RS 4n
327 327 The number of retransmits before any IKE negotiation is aborted. Default value:
328 328 5 times.
329 329 .RE
330 330
331 331 .sp
332 332 .ne 2
333 333 .na
334 334 \fBretry_timer_init \fIinteger\fR or \fIfloat\fR\fR
335 335 .ad
336 336 .sp .6
337 337 .RS 4n
338 338 The initial interval (in seconds) between retransmits. This interval is doubled
339 339 until the \fBretry_timer_max\fR value (see below) is reached. Default value:
340 340 0.5 seconds.
341 341 .RE
342 342
343 343 .sp
344 344 .ne 2
345 345 .na
346 346 \fBretry_timer_max \fIinteger\fR or \fIfloat\fR\fR
347 347 .ad
348 348 .sp .6
349 349 .RS 4n
350 350 The maximum interval (in seconds) between retransmits. The doubling retransmit
351 351 interval stops growing at this limit. Default value: 30 seconds.
352 352 .LP
353 353 Note -
354 354 .sp
355 355 .RS 2
356 356 This value is never reached with the default configuration. The longest
357 357 interval is 8 (0.5 * 2 ^ (5 - 1)) seconds.
358 358 .RE
359 359 .RE
360 360
361 361 .sp
362 362 .ne 2
363 363 .na
364 364 \fBproxy \fIstring\fR\fR
365 365 .ad
366 366 .sp .6
367 367 .RS 4n
368 368 The string following this keyword must be a URL for an HTTP proxy, for example,
369 369 \fBhttp://proxy:8080\fR.
370 370 .RE
371 371
372 372 .sp
373 373 .ne 2
374 374 .na
375 375 \fBsocks \fIstring\fR\fR
376 376 .ad
377 377 .sp .6
378 378 .RS 4n
379 379 The string following this keyword must be a URL for a SOCKS proxy, for example,
380 380 \fBsocks://socks-proxy\fR.
381 381 .RE
382 382
383 383 .sp
384 384 .ne 2
385 385 .na
386 386 \fBuse_http\fR
387 387 .ad
388 388 .sp .6
389 389 .RS 4n
390 390 If this keyword is present in the file, \fBin.iked\fR(1M) uses HTTP to retrieve
391 391 Certificate Revocation Lists (\fBCRL\fRs).
392 392 .RE
393 393
394 394 .sp
395 395 .LP
396 396 The following IKE phase 1 transform parameters can be prefigured using
397 397 file-level defaults. Values specified within any given transform override these
398 398 defaults.
399 399 .sp
400 400 .LP
401 401 The IKE phase 1 transform defaults are as follows:
402 402 .sp
403 403 .ne 2
404 404 .na
405 405 \fBp1_lifetime_secs \fInum\fR\fR
406 406 .ad
407 407 .sp .6
408 408 .RS 4n
409 409 The proposed default lifetime, in seconds, of an IKE phase 1 security
410 410 association (\fBSA\fR).
411 411 .RE
412 412
413 413 .sp
414 414 .ne 2
415 415 .na
416 416 \fBp1_nonce_len \fInum\fR\fR
417 417 .ad
418 418 .sp .6
419 419 .RS 4n
420 420 The length in bytes of the phase 1 (quick mode) nonce data. This cannot be
421 421 specified on a per-rule basis.
422 422 .RE
423 423
424 424 .sp
425 425 .LP
426 426 The following IKE rule parameters can be prefigured using file-level defaults.
427 427 Values specified within any given rule override these defaults, unless a rule
428 428 cannot.
429 429 .sp
430 430 .ne 2
431 431 .na
432 432 \fBp2_lifetime_secs \fInum\fR\fR
433 433 .ad
434 434 .sp .6
435 435 .RS 4n
436 436 The proposed default lifetime, in seconds, of an IKE phase 2 security
437 437 association (SA). This value is optional. If omitted, a default value is used.
438 438 .RE
439 439
440 440 .sp
441 441 .ne 2
442 442 .na
443 443 \fBp2_softlife_secs \fInum\fR\fR
444 444 .ad
445 445 .sp .6
446 446 .RS 4n
447 447 The soft lifetime of a phase 2 SA, in seconds. If this value is specified, the
448 448 SA soft expires after the number of seconds specified by
449 449 \fBp2_softlife_secs\fR. This causes \fBin.iked\fR to renegotiate a new phase 2
450 450 SA before the original SA expires.
451 451 .sp
452 452 This value is optional, if omitted soft expiry occurs after 90% of the lifetime
453 453 specified by \fBp2_lifetime_secs\fR. The value specified by
454 454 \fBp2_softlife_secs\fR is ignored if \fBp2_lifetime_secs\fR is not specified.
455 455 .sp
456 456 Setting \fBp2_softlife_secs\fR to the same value as \fBp2_lifetime_secs\fR
457 457 disables soft expires.
458 458 .RE
459 459
460 460 .sp
461 461 .ne 2
462 462 .na
463 463 \fBp2_idletime_secs \fInum\fR\fR
464 464 .ad
465 465 .sp .6
466 466 .RS 4n
467 467 The idle lifetime of a phase 2 SA, in seconds. If the value is specified, the
468 468 value specifies the lifetime of the SA, if the security association is not used
469 469 before the SA is revalidated.
470 470 .RE
471 471
472 472 .sp
473 473 .ne 2
474 474 .na
475 475 \fBp2_lifetime_kb \fInum\fR\fR
476 476 .ad
477 477 .sp .6
478 478 .RS 4n
479 479 The lifetime of an SA can optionally be specified in kilobytes. This parameter
480 480 specifies the default value. If lifetimes are specified in both seconds and
481 481 kilobytes, the SA expires when either the seconds or kilobyte threshholds are
482 482 passed.
483 483 .RE
484 484
485 485 .sp
486 486 .ne 2
487 487 .na
488 488 \fBp2_softlife_kb \fInum\fR\fR
489 489 .ad
490 490 .sp .6
491 491 .RS 4n
492 492 This value is the number of kilobytes that can be protected by an SA before a
493 493 soft expire occurs (see \fBp2_softlife_secs\fR, above).
494 494 .sp
495 495 This value is optional. If omitted, soft expiry occurs after 90% of the
496 496 lifetime specified by \fBp2_lifetime_kb\fR. The value specified by
497 497 \fBp2_softlife_kb\fR is ignored if \fBp2_lifetime_kb\fR is not specified.
498 498 .RE
499 499
500 500 .sp
501 501 .ne 2
502 502 .na
503 503 \fBp2_nonce_len \fInum\fR\fR
504 504 .ad
505 505 .sp .6
506 506 .RS 4n
507 507 The length in bytes of the phase 2 (quick mode) nonce data. This cannot be
508 508 specified on a per-rule basis.
509 509 .RE
510 510
511 511 .sp
512 512 .ne 2
513 513 .na
514 514 \fBlocal_id_type \fIp1-id-type\fR\fR
515 515 .ad
516 516 .sp .6
517 517 .RS 4n
518 518 The local identity for IKE requires a type. This identity type is reflected in
519 519 the IKE exchange. The type can be one of the following:
520 520 .RS +4
521 521 .TP
522 522 .ie t \(bu
523 523 .el o
524 524 an IP address (for example, \fB10.1.1.2\fR)
525 525 .RE
526 526 .RS +4
527 527 .TP
528 528 .ie t \(bu
529 529 .el o
530 530 DNS name (for example, \fBtest.domain.com\fR)
531 531 .RE
532 532 .RS +4
533 533 .TP
534 534 .ie t \(bu
535 535 .el o
536 536 MBOX RFC 822 name (for example, \fBroot@domain.com\fR)
537 537 .RE
538 538 .RS +4
539 539 .TP
540 540 .ie t \(bu
541 541 .el o
542 542 DNX.509 distinguished name (for example, \fBC=US, O=Sun Microsystems\, Inc.,
543 543 CN=Sun Test cert\fR)
544 544 .RE
545 545 .RE
546 546
547 547 .sp
548 548 .ne 2
549 549 .na
550 550 \fBp1_xform '{' parameter-list '}\fR
551 551 .ad
552 552 .sp .6
553 553 .RS 4n
554 554 A phase 1 transform specifies a method for protecting an IKE phase 1 exchange.
555 555 An initiator offers up lists of phase 1 transforms, and a receiver is expected
556 556 to only accept such an entry if it matches one in a phase 1 rule. There can be
557 557 several of these, and they are additive. There must be either at least one
558 558 phase 1 transform in a rule or a global default phase 1 transform list. In a
559 559 configuration file without a global default phase 1 transform list \fBand\fR a
560 560 rule without a phase, transform list is an invalid file. Unless specified as
561 561 optional, elements in the parameter-list must occur exactly once within a given
562 562 transform's parameter-list:
563 563 .sp
564 564 .ne 2
565 565 .na
566 566 \fBoakley_group \fInumber\fR\fR
567 567 .ad
568 568 .sp .6
569 569 .RS 4n
570 570 The Oakley Diffie-Hellman group used for IKE SA key derivation. The group
571 571 numbers are defined in RFC 2409, Appendix A, RFC 3526, and RFC 5114, section
572 572 3.2. Acceptable values are currently:
573 573 .br
574 574 .in +2
575 575 1 (MODP 768-bit)
576 576 .in -2
577 577 .br
578 578 .in +2
579 579 2 (MODP 1024-bit)
580 580 .in -2
581 581 .br
582 582 .in +2
583 583 3 (EC2N 155-bit)
584 584 .in -2
585 585 .br
586 586 .in +2
587 587 4 (EC2N 185-bit)
588 588 .in -2
589 589 .br
590 590 .in +2
591 591 5 (MODP 1536-bit)
592 592 .in -2
593 593 .br
594 594 .in +2
595 595 14 (MODP 2048-bit)
596 596 .in -2
597 597 .br
598 598 .in +2
599 599 15 (MODP 3072-bit)
600 600 .in -2
601 601 .br
602 602 .in +2
603 603 16 (MODP 4096-bit)
604 604 .in -2
605 605 .br
606 606 .in +2
607 607 17 (MODP 6144-bit)
608 608 .in -2
609 609 .br
610 610 .in +2
611 611 18 (MODP 8192-bit)
612 612 .in -2
613 613 .br
614 614 .in +2
615 615 19 (ECP 256-bit)
616 616 .in -2
617 617 .br
618 618 .in +2
619 619 20 (ECP 384-bit)
620 620 .in -2
621 621 .br
622 622 .in +2
623 623 21 (ECP 521-bit)
624 624 .in -2
625 625 .br
626 626 .in +2
627 627 22 (MODP 1024-bit, with 160-bit Prime Order Subgroup)
628 628 .in -2
629 629 .br
630 630 .in +2
631 631 23 (MODP 2048-bit, with 224-bit Prime Order Subgroup)
632 632 .in -2
633 633 .br
634 634 .in +2
635 635 24 (MODP 2048-bit, with 256-bit Prime Order Subgroup)
636 636 .in -2
637 637 .br
638 638 .in +2
639 639 25 (ECP 192-bit)
640 640 .in -2
641 641 .br
642 642 .in +2
643 643 26 (ECP 224-bit)
644 644 .in -2
645 645 .RE
646 646
647 647 .sp
648 648 .ne 2
649 649 .na
650 650 \fBencr_alg {3des, 3des-cbc, blowfish, blowfish-cdc, des, des-cbc, aes,
651 651 aes-cbc}\fR
652 652 .ad
653 653 .sp .6
654 654 .RS 4n
655 655 An encryption algorithm, as in \fBipsecconf\fR(1M). However, of the ciphers
656 656 listed above, only \fBaes\fR and \fBaes-cbc\fR allow optional key-size setting,
657 657 using the "low value-to-high value" syntax. To specify a single AES key size,
658 658 the low value must equal the high value. If no range is specified, all three
659 659 AES key sizes are allowed.
660 660 .RE
661 661
662 662 .sp
663 663 .ne 2
664 664 .na
665 665 \fBauth_alg {md5, sha, sha1, sha256, sha384, sha512}\fR
666 666 .ad
667 667 .sp .6
668 668 .RS 4n
669 669 An authentication algorithm.
670 670 .sp
671 671 Use \fBipsecalgs\fR(1M) with the \fB-l\fR option to list the IPsec protocols
672 672 and algorithms currently defined on a system. The \fBcryptoadm list\fR command
673 673 diplays a list of installed providers and their mechanisms. See
674 674 \fBcryptoadm\fR(1M).
675 675 .RE
676 676
677 677 .sp
678 678 .ne 2
679 679 .na
680 680 \fBauth_method {preshared, rsa_sig, rsa_encrypt, dss_sig}\fR
681 681 .ad
682 682 .sp .6
683 683 .RS 4n
684 684 The authentication method used for IKE phase 1.
685 685 .RE
686 686
687 687 .sp
688 688 .ne 2
689 689 .na
690 690 \fBp1_lifetime_secs \fInum\fR\fR
691 691 .ad
692 692 .sp .6
693 693 .RS 4n
694 694 Optional. The lifetime for a phase 1 SA.
695 695 .RE
696 696
697 697 .RE
698 698
699 699 .sp
700 700 .ne 2
701 701 .na
702 702 \fBp2_lifetime_secs \fInum\fR\fR
703 703 .ad
704 704 .sp .6
705 705 .RS 4n
706 706 If configuring the kernel defaults is not sufficient for different tasks, this
707 707 parameter can be used on a per-rule basis to set the IPsec \fBSA\fR lifetimes
708 708 in seconds.
709 709 .RE
710 710
711 711 .sp
712 712 .ne 2
713 713 .na
714 714 \fBp2_pfs \fInum\fR\fR
715 715 .ad
716 716 .sp .6
717 717 .RS 4n
718 718 Use perfect forward secrecy for phase 2 (quick mode). If selected, the oakley
719 719 group specified is used for phase 2 PFS. Acceptable values are:
720 720 .br
721 721 .in +2
722 722 0 (do not use Perfect Forward Secrecy for IPsec SAs)
723 723 .in -2
724 724 .br
725 725 .in +2
726 726 1 (768-bit)
727 727 .in -2
728 728 .br
729 729 .in +2
730 730 2 (1024-bit)
731 731 .in -2
732 732 .br
733 733 .in +2
734 734 5 (1536-bit)
735 735 .in -2
736 736 .br
737 737 .in +2
738 738 14 (2048-bit)
739 739 .in -2
740 740 .br
741 741 .in +2
742 742 15 (3072-bit)
743 743 .in -2
744 744 .br
745 745 .in +2
746 746 16 (4096-bit)
747 747 .in -2
748 748 .RE
749 749
750 750 .sp
751 751 .LP
752 752 An IKE rule starts with a right-curly-brace (\fB{\fR), ends with a
753 753 left-curly-brace (\fB}\fR), and has the following parameters in between:
754 754 .sp
755 755 .ne 2
756 756 .na
757 757 \fBlabel \fIstring\fR\fR
758 758 .ad
759 759 .sp .6
760 760 .RS 4n
761 761 Required parameter. The administrative interface to \fBin.iked\fR looks up
762 762 phase 1 policy rules with the label as the search string. The administrative
763 763 interface also converts the label into an index, suitable for an extended
764 764 ACQUIRE message from PF_KEY - effectively tying IPsec policy to IKE policy in
765 765 the case of a node initiating traffic. Only one \fBlabel\fR parameter is
766 766 allowed per rule.
767 767 .RE
768 768
769 769 .sp
770 770 .ne 2
771 771 .na
772 772 \fBlocal_addr <\fIIPaddr\fR/\fIprefix\fR/\fIrange\fR>\fR
773 773 .ad
774 774 .sp .6
775 775 .RS 4n
776 776 Required parameter. The local address, address prefix, or address range for
777 777 this phase 1 rule. Multiple \fBlocal_addr\fR parameters accumulate within a
778 778 given rule.
779 779 .RE
780 780
781 781 .sp
782 782 .ne 2
783 783 .na
784 784 \fBremote_addr <\fIIPaddr\fR/\fIprefix\fR/\fIrang\fRe>\fR
785 785 .ad
786 786 .sp .6
787 787 .RS 4n
788 788 Required parameter. The remote address, address prefix, or address range for
789 789 this phase 1 rule. Multiple \fBremote_addr\fR parameters accumulate within a
790 790 given rule.
791 791 .RE
792 792
793 793 .sp
794 794 .ne 2
795 795 .na
796 796 \fBlocal_id_type \fIp1-id-type\fR\fR
797 797 .ad
798 798 .sp .6
799 799 .RS 4n
800 800 Which phase 1 identity type I uses. This is needed because a single certificate
801 801 can contain multiple values for use in IKE phase 1. Within a given rule, all
802 802 phase 1 transforms must either use preshared or non-preshared authentication
803 803 (they cannot be mixed). For rules with preshared authentication, the
804 804 \fBlocal_id_type\fR parameter is optional, and defaults to \fBIP\fR. For rules
805 805 which use non-preshared authentication, the 'local_id_type' parameter is
806 806 required. Multiple 'local_id_type' parameters within a rule are not allowed.
807 807 .RE
808 808
809 809 .sp
810 810 .ne 2
811 811 .na
812 812 \fBlocal_id \fIcert-sel\fR\fR
813 813 .ad
814 814 .sp .6
815 815 .RS 4n
816 816 Disallowed for preshared authentication method; required parameter for
817 817 non-preshared authentication method. The local identity string or certificate
818 818 selector. Only one local identity per rule is used, the first one stated.
819 819 .RE
820 820
821 821 .sp
822 822 .ne 2
823 823 .na
824 824 \fBremote_id \fIcert-sel\fR\fR
825 825 .ad
826 826 .sp .6
827 827 .RS 4n
828 828 Disallowed for preshared authentication method; required parameter for
829 829 non-preshared authentication method. Selector for which remote phase 1
830 830 identities are allowed by this rule. Multiple \fBremote_id\fR parameters
831 831 accumulate within a given rule. If a single empty string (\fB""\fR) is given,
832 832 then this accepts any remote \fBID\fR for phase 1. It is recommended that
833 833 certificate trust chains or address enforcement be configured strictly to
834 834 prevent a breakdown in security if this value for \fBremote_id\fR is used.
835 835 .RE
836 836
837 837 .sp
838 838 .ne 2
839 839 .na
840 840 \fBp2_lifetime_secs \fInum\fR\fR
841 841 .ad
842 842 .sp .6
843 843 .RS 4n
844 844 If configuring the kernel defaults is not sufficient for different tasks, this
845 845 parameter can be used on a per-rule basis to set the IPsec \fBSA\fR lifetimes
846 846 in seconds.
847 847 .RE
848 848
849 849 .sp
850 850 .ne 2
851 851 .na
852 852 \fBp2_pfs \fInum\fR\fR
853 853 .ad
854 854 .sp .6
855 855 .RS 4n
856 856 Use perfect forward secrecy for phase 2 (quick mode). If selected, the oakley
857 857 group specified is used for phase 2 PFS. Acceptable values are:
858 858 .br
859 859 .in +2
860 860 0 (do not use Perfect Forward Secrecy for IPsec SAs)
861 861 .in -2
862 862 .br
863 863 .in +2
864 864 1 (768-bit)
865 865 .in -2
866 866 .br
867 867 .in +2
868 868 2 (1024-bit)
869 869 .in -2
870 870 .br
871 871 .in +2
872 872 5 (1536-bit)
873 873 .in -2
874 874 .br
875 875 .in +2
876 876 14 (2048-bit)
877 877 .in -2
878 878 .br
879 879 .in +2
880 880 15 (3072-bit)
881 881 .in -2
882 882 .br
883 883 .in +2
884 884 16 (4096-bit)
885 885 .in -2
886 886 .RE
887 887
888 888 .sp
889 889 .ne 2
890 890 .na
891 891 \fBp1_xform \fB{\fR \fIparameter-list\fR \fB}\fR\fR
892 892 .ad
893 893 .sp .6
894 894 .RS 4n
895 895 A phase 1 transform specifies a method for protecting an IKE phase 1 exchange.
896 896 An initiator offers up lists of phase 1 transforms, and a receiver is expected
897 897 to only accept such an entry if it matches one in a phase 1 rule. There can be
898 898 several of these, and they are additive. There must be either at least one
899 899 phase 1 transform in a rule or a global default phase 1 transform list. A
900 900 \fBike.config\fR file without a global default phase 1transform list \fBand\fR
901 901 a rule without a phase 1 transform list is an invalid file. Elements within the
902 902 parameter-list; unless specified as optional, must occur exactly once within a
903 903 given transform's parameter-list:
904 904 .sp
905 905 .ne 2
906 906 .na
907 907 \fBoakley_group \fInumber\fR\fR
908 908 .ad
909 909 .sp .6
910 910 .RS 4n
911 911 The Oakley Diffie-Hellman group used for \fBIKE SA\fR key derivation.
912 912 Acceptable values are currently:
913 913 .br
914 914 .in +2
915 915 1 (768-bit)
916 916 .in -2
917 917 .br
918 918 .in +2
919 919 2 (1024-bit)
920 920 .in -2
921 921 .br
922 922 .in +2
923 923 5 (1536-bit)
924 924 .in -2
925 925 .br
926 926 .in +2
927 927 14 (2048-bit)
928 928 .in -2
929 929 .br
930 930 .in +2
931 931 15 (3072-bit)
932 932 .in -2
933 933 .br
934 934 .in +2
935 935 16 (4096-bit)
936 936 .in -2
937 937 .RE
938 938
939 939 .sp
940 940 .ne 2
941 941 .na
942 942 \fBencr_alg {3des, 3des-cbc, blowfish, blowfish-cdc, des, des-cbc, aes,
943 943 aes-cbc}\fR
944 944 .ad
945 945 .sp .6
946 946 .RS 4n
947 947 An encryption algorithm, as in \fBipsecconf\fR(1M). However, of the ciphers
948 948 listed above, only \fBaes\fR and \fBaes-cbc\fR allow optional key-size setting,
949 949 using the "low value-to-high value" syntax. To specify a single AES key size,
950 950 the low value must equal the high value. If no range is specified, all three
951 951 AES key sizes are allowed.
952 952 .RE
953 953
954 954 .sp
955 955 .ne 2
956 956 .na
957 957 \fBauth_alg {md5, sha, sha1}\fR
958 958 .ad
959 959 .sp .6
960 960 .RS 4n
961 961 An authentication algorithm, as specified in \fBipseckey\fR(1M).
962 962 .RE
963 963
964 964 .sp
965 965 .ne 2
966 966 .na
967 967 \fBauth_method {preshared, rsa_sig, rsa_encrypt, dss_sig}\fR
968 968 .ad
969 969 .sp .6
970 970 .RS 4n
971 971 The authentication method used for IKE phase 1.
972 972 .RE
973 973
974 974 .sp
975 975 .ne 2
976 976 .na
977 977 \fBp1_lifetime_secs \fInum\fR\fR
978 978 .ad
979 979 .sp .6
980 980 .RS 4n
981 981 Optional. The lifetime for a phase 1 SA.
982 982 .RE
983 983
984 984 .RE
985 985
986 986 .SH EXAMPLES
987 987 .LP
988 988 \fBExample 1 \fRA Sample \fBike.config\fR File
989 989 .sp
990 990 .LP
991 991 The following is an example of an \fBike.config\fR file:
992 992
993 993 .sp
994 994 .in +2
995 995 .nf
996 996
997 997 ### BEGINNING OF FILE
998 998
999 999 ### First some global parameters...
1000 1000
1001 1001 ### certificate parameters...
1002 1002
1003 1003 # Root certificates. I SHOULD use a full Distinguished Name.
1004 1004 # I must have this certificate in my local filesystem, see ikecert(1m).
1005 1005 cert_root "C=US, O=Sun Microsystems\\, Inc., CN=Sun CA"
1006 1006
1007 1007 # Explicitly trusted certs that need no signatures, or perhaps
1008 1008 # self-signed ones. Like root certificates, use full DNs for them
1009 1009 # for now.
1010 1010 cert_trust "EMAIL=root@domain.org"
1011 1011
1012 1012 # Where do I send LDAP requests?
1013 1013 ldap_server "ldap1.domain.org,ldap2.domain.org:389"
1014 1014
1015 1015 ## phase 1 transform defaults...
1016 1016
1017 1017 p1_lifetime_secs 14400
1018 1018 p1_nonce_len 20
1019 1019
1020 1020 ## Parameters that might also show up in rules.
1021 1021
1022 1022 p1_xform { auth_method preshared oakley_group 5 auth_alg sha
1023 1023 encr_alg 3des }
1024 1024 p2_pfs 2
1025 1025
1026 1026
1027 1027
1028 1028 ### Now some rules...
1029 1029
1030 1030 {
1031 1031 label "simple inheritor"
1032 1032 local_id_type ip
1033 1033 local_addr 10.1.1.1
1034 1034 remote_addr 10.1.1.2
1035 1035 }
1036 1036 {
1037 1037 label "simple inheritor IPv6"
1038 1038 local_id_type ipv6
1039 1039 local_addr fe80::a00:20ff:fe7d:6
1040 1040 remote_addr fe80::a00:20ff:fefb:3780
1041 1041 }
1042 1042
1043 1043 {
1044 1044 # an index-only rule. If I'm a receiver, and all I
1045 1045 # have are index-only rules, what do I do about inbound IKE requests?
1046 1046 # Answer: Take them all!
1047 1047
1048 1048 label "default rule"
1049 1049 # Use whatever "host" (e.g. IP address) identity is appropriate
1050 1050 local_id_type ipv4
1051 1051
1052 1052 local_addr 0.0.0.0/0
1053 1053 remote_addr 0.0.0.0/0
1054 1054
1055 1055 p2_pfs 5
1056 1056
1057 1057 # Now I'm going to have the p1_xforms
1058 1058 p1_xform
1059 1059 {auth_method preshared oakley_group 5 auth_alg md5 encr_alg \e
1060 1060 blowfish } p1_xform
1061 1061 {auth_method preshared oakley_group 5 auth_alg md5 encr_alg 3des }
1062 1062
1063 1063 # After said list, another keyword (or a '}') stops xform
1064 1064 # parsing.
1065 1065 }
1066 1066
1067 1067 {
1068 1068 # Let's try something a little more conventional.
1069 1069
1070 1070 label "host to .80 subnet"
1071 1071 local_id_type ip
1072 1072 local_id "10.1.86.51"
1073 1073
1074 1074 remote_id "" # Take any, use remote_addr for access control.
1075 1075
1076 1076 local_addr 10.1.86.51
1077 1077 remote_addr 10.1.80.0/24
1078 1078
1079 1079 p1_xform
1080 1080 { auth_method rsa_sig oakley_group 5 auth_alg md5 encr_alg 3des }
1081 1081 p1_xform
1082 1082 { auth_method rsa_sig oakley_group 5 auth_alg md5 encr_alg \e
1083 1083 blowfish }
1084 1084 p1_xform
1085 1085 { auth_method rsa_sig oakley_group 5 auth_alg sha1 encr_alg 3des }
1086 1086 p1_xform
1087 1087 { auth_method rsa_sig oakley_group 5 auth_alg sha1 encr_alg \e
1088 1088 blowfish }
1089 1089 }
1090 1090
1091 1091 {
1092 1092 # Let's try something a little more conventional, but with ipv6.
1093 1093
1094 1094 label "host to fe80::/10 subnet"
1095 1095 local_id_type ip
1096 1096 local_id "fe80::a00:20ff:fe7d:6"
1097 1097
1098 1098 remote_id "" # Take any, use remote_addr for access control.
1099 1099
1100 1100 local_addr fe80::a00:20ff:fe7d:6
1101 1101 remote_addr fe80::/10
1102 1102
1103 1103 p1_xform
1104 1104 { auth_method rsa_sig oakley_group 5 auth_alg md5 encr_alg 3des }
1105 1105 p1_xform
1106 1106 { auth_method rsa_sig oakley_group 5 auth_alg md5 encr_alg \e
1107 1107 blowfish }
1108 1108 p1_xform
1109 1109 { auth_method rsa_sig oakley_group 5 auth_alg sha1 encr_alg \e
1110 1110 3des }
1111 1111 p1_xform
1112 1112 { auth_method rsa_sig oakley_group 5 auth_alg sha1 encr_alg \e
1113 1113 blowfish }
1114 1114 }
1115 1115
1116 1116 {
1117 1117 # How 'bout something with a different cert type and name?
1118 1118
1119 1119 label "punchin-point"
1120 1120 local_id_type mbox
1121 1121 local_id "ipsec-wizard@domain.org"
1122 1122
1123 1123 remote_id "10.5.5.128"
1124 1124
1125 1125 local_addr 0.0.0.0/0
1126 1126 remote_addr 10.5.5.128
1127 1127
1128 1128 p1_xform
1129 1129 { auth_method rsa_sig oakley_group 5 auth_alg md5 encr_alg \e
1130 1130 blowfish }
1131 1131 }
1132 1132
1133 1133 {
1134 1134 label "receiver side"
1135 1135
1136 1136 remote_id "ipsec-wizard@domain.org"
1137 1137
1138 1138 local_id_type ip
1139 1139 local_id "10.5.5.128"
1140 1140
1141 1141 local_addr 10.5.5.128
1142 1142 remote_addr 0.0.0.0/0
1143 1143
1144 1144 p1_xform
1145 1145 { auth_method rsa_sig oakley_group 5 auth_alg md5 encr_alg blowfish }
1146 1146 # NOTE: Specifying preshared null-and-voids the remote_id/local_id
1147 1147 # fields.
1148 1148 p1_xform
1149 1149 { auth_method preshared oakley_group 5 auth_alg md5 encr_alg \e
1150 1150 blowfish}
1151 1151
1152 1152 }
1153 1153 .fi
1154 1154 .in -2
1155 1155
1156 1156 .SH ATTRIBUTES
1157 1157 .LP
1158 1158 See \fBattributes\fR(5) for descriptions of the following attributes:
1159 1159 .sp
1160 1160
1161 1161 .sp
1162 1162 .TS
1163 1163 box;
1164 1164 c | c
1165 1165 l | l .
1166 1166 ATTRIBUTE TYPE ATTRIBUTE VALUE
1167 1167 _
1168 1168 Interface Stability Committed
1169 1169 .TE
1170 1170
1171 1171 .SH SEE ALSO
1172 1172 .LP
1173 1173 \fBcryptoadm\fR(1M), \fBikeadm\fR(1M), \fBin.iked\fR(1M), \fBikecert\fR(1M),
1174 1174 \fBipseckey\fR(1M), \fBipsecalgs\fR(1M), \fBipsecconf\fR(1M), \fBsvccfg\fR(1M),
1175 1175 \fBdlopen\fR(3C), \fBattributes\fR(5), \fBrandom\fR(7D)
1176 1176 .sp
1177 1177 .LP
1178 1178 Harkins, Dan and Carrel, Dave. \fIRFC 2409, Internet Key Exchange (IKE)\fR.
1179 1179 Cisco Systems, November 1998.
1180 1180 .sp
1181 1181 .LP
1182 1182 Maughan, Douglas et. al. \fIRFC 2408, Internet Security Association and Key
1183 1183 Management Protocol (ISAKMP)\fR. National Security Agency, Ft. Meade, MD.
1184 1184 November 1998.
1185 1185 .sp
1186 1186 .LP
1187 1187 Piper, Derrell. \fIRFC 2407, The Internet IP Security Domain of Interpretation
1188 1188 for ISAKMP\fR. Network Alchemy. Santa Cruz, California. November 1998.
1189 1189 .sp
1190 1190 .LP
1191 1191 Kivinen, T. \fIRFC 3526, More Modular Exponential (MODP) Diffie-Hellman Groups
1192 1192 for Internet Key Exchange (IKE)\fR. The Internet Society, Network Working
1193 1193 Group. May 2003.
1194 1194 .sp
1195 1195 .LP
1196 1196 Lepinksi, M. and Kent, S. \fIRFC 5114, Additional Diffie-Hellman Groups for Use
1197 1197 with IETF Standards\fR. BBN Technologies, January 2008.
1198 +.sp
1199 +.LP
1200 +Fu, D. and Solinas, J. \fIRFC 5903, Elliptic Curve Groups modulo a Prime (ECP
1201 +Groups) for IKE and IKEv2\fR. NSA, June 2010.
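Review bot: the new RFC 5903 entry in SEE ALSO is not cross-referenced from the text that actually needs it: the first oakley_group description (the sentence "The group numbers are defined in RFC 2409, Appendix A, RFC 3526, and RFC 5114, section 3.2.") lists groups 19 (ECP 256-bit), 20 (ECP 384-bit) and 21 (ECP 521-bit), and those three groups are defined by RFC 5903, not by any of the RFCs that sentence names (RFC 5114 section 3.2 covers only groups 22-26). Suggest extending that sentence to "..., RFC 5114, section 3.2, and RFC 5903." in the same change so the reference list and the body agree. Two drive-bys while you are in this file: the .TH line still carries the 2009 date and should be bumped for a content change, and the adjacent RFC 5114 entry misspells the author's name ("Lepinksi" should be "Lepinski"). Separately, note that the second oakley_group list (under the IKE rules p1_xform) and both p2_pfs lists still stop at group 16, so the ECP groups are documented in one place only; worth a follow-up rather than this change.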