9842 man page typos and spelling
--- old/usr/src/man/man4/ike.config.4.man.txt
+++ new/usr/src/man/man4/ike.config.4.man.txt
1 1 IKE.CONFIG(4) File Formats and Configurations IKE.CONFIG(4)
2 2
3 3
4 4
5 5 NAME
6 6 ike.config - configuration file for IKE policy
7 7
8 8 SYNOPSIS
9 9 /etc/inet/ike/config
10 10
11 11
12 12 DESCRIPTION
13 13 The /etc/inet/ike/config file contains rules for matching inbound IKE
14 14 requests. It also contains rules for preparing outbound IKE requests.
15 15
16 16
17 17 You can test the syntactic correctness of an /etc/inet/ike/config file
18 18 by using the -c or -f options of in.iked(1M). You must use the -c
19 19 option to test a config file. You might need to use the -f option if it
20 20 is not in /etc/inet/ike/config.
21 21
22 22 Lexical Components
23 23 On any line, an unquoted # character introduces a comment. The
24 24 remainder of that line is ignored. Additionally, on any line, an
25 25 unquoted // sequence introduces a comment. The remainder of that line
26 26 is ignored.
27 27
28 28
29 29 There are several types of lexical tokens in the ike.config file:
30 30
31 31 num
32 32
33 33 A decimal, hex, or octal number representation is as in 'C'.
34 34
35 35
36 36 IPaddr/prefix/range
37 37
38 38 An IPv4 or IPv6 address with an optional /NNN suffix, (where NNN is
39 39 a num) that indicates an address (CIDR) prefix (for example,
40 40 10.1.2.0/24). An optional /ADDR suffix (where ADDR is a second IP
41 41 address) indicates an address/mask pair (for example,
42 42 10.1.2.0/255.255.255.0). An optional -ADDR suffix (where ADDR is a
43 43 second IPv4 address) indicates an inclusive range of addresses (for
44 44 example, 10.1.2.0-10.1.2.255). The / or - can be surrounded by an
45 45 arbitrary amount of white space.
46 46
47 47
48 48 XXX | YYY | ZZZ
49 49
50 50 Either the words XXX, YYY, or ZZZ, for example, {yes,no}.
51 51
52 52
53 53 p1-id-type
54 54
55 55 An IKE phase 1 identity type. IKE phase 1 identity types include:
56 56 dn, DN
57 57 dns, DNS
58 58 fqdn, FQDN
59 59 gn, GN
60 60 ip, IP
61 61 ipv4
62 62 ipv4_prefix
63 63 ipv4_range
64 64 ipv6
65 65 ipv6_prefix
66 66 ipv6_range
67 67 mbox, MBOX
68 68 user_fqdn
69 69
70 70
71 71 "string"
72 72
73 73 A quoted string.
74 74
75 75 Examples include:"Label foo", or "C=US, OU=Sun Microsystems\, Inc.,
76 76 N=olemcd@eng.example.com"
77 77
78 78 A backslash (\) is an escape character. If the string needs an
79 79 actual backslash, two must be specified.
80 80
81 81
82 82 cert-sel
83 83
84 84 A certificate selector, a string which specifies the identities of
85 85 zero or more certificates. The specifiers can conform to X.509
86 86 naming conventions.
87 87
88 88 A cert-sel can also use various shortcuts to match either subject
89 89 alternative names, the filename or slot of a certificate in
90 90 /etc/inet/ike/publickeys, or even the ISSUER. For example:
91 91
92 92 "SLOT=0"
93 93 "EMAIL=postmaster@domain.org"
94 94 "webmaster@domain.org" # Some just work w/o TYPE=
95 95 "IP=10.0.0.1"
96 96 "10.21.11.11" # Some just work w/o TYPE=
97 97 "DNS=www.domain.org"
98 98 "mailhost.domain.org" # Some just work w/o TYPE=
99 99 "ISSUER=C=US, O=Sun Microsystems\, Inc., CN=Sun CA"
100 100
101 101
102 102 Any cert-sel preceded by the character ! indicates a negative
103 103 match, that is, not matching this specifier. These are the same
104 104 kind of strings used in ikecert(1M).
105 105
106 106
107 107 ldap-list
108 108
109 109 A quoted, comma-separated list of LDAP servers and ports.
110 110
111 111 For example, "ldap1.example.com", "ldap1.example.com:389",
112 112 "ldap1.example.com:389,ldap2.example.com".
113 113
114 114 The default port for LDAP is 389.
115 115
116 116
117 117 parameter-list
118 118
119 119 A list of parameters.
120 120
121 121
122 122 File Body Entries
123 123 There are four main types of entries:
124 124
125 125 o global parameters
126 126
127 127 o IKE phase 1 transform defaults
128 128
129 129 o IKE rule defaults
130 130
131 131 o IKE rules
132 132
133 133
134 134 The global parameter entries are as follows:
135 135
136 136 cert_root cert-sel
137 137
138 138 The X.509 distinguished name of a certificate that is a trusted
139 139 root CA certificate.It must be encoded in a file in the
140 140 /etc/inet/ike/publickeys directory. It must have a CRL in
141 141 /etc/inet/ike/crls. Multiple cert_root parameters aggregate.
142 142
143 143
144 144 cert_trust cert-sel
145 145
146 146 Specifies an X.509 distinguished name of a certificate that is
147 147 self-signed, or has otherwise been verified as trustworthy for
148 148 signing IKE exchanges. It must be encoded in a file in
149 149 /etc/inet/ike/publickeys. Multiple cert_trust parameters aggregate.
150 150
151 151
152 152 expire_timer integer
153 153
154 154 The number of seconds to let a not-yet-complete IKE Phase I (Main
155 155 Mode) negotiation linger before deleting it. Default value: 300
156 156 seconds.
157 157
158 158
159 159 ignore_crls
160 160
161 161 If this keyword is present in the file, in.iked(1M) ignores
162 162 Certificate Revocation Lists (CRLs) for root CAs (as given in
163 163 cert_root)
164 164
165 165
166 166 ldap_server ldap-list
167 167
168 168 A list of LDAP servers to query for certificates. The list can be
169 169 additive.
170 170
171 171
172 172 pkcs11_path string
173 173
174 174 The string that follows is a name of a shared object (.so) that
175 175 implements the PKCS#11 standard. The name is passed directly into
176 176 dlopen(3C) for linking, with all of the semantics of that library
177 177 call. By default, in.iked(1M) runs the same ISA as the running
178 178 kernel, so a library specified using pkcs11_path and an absolute
179 179 pathname must match the same ISA as the kernel. One can use the
180 180 start/exec SMF property (see svccfg(1M)) to change in.iked's ISA,
181 181 but it is not recommended.
182 182
183 183 If this setting is not present, the default value is set to
184 184 libpkcs11.so. Most cryptographic providers go through the default
185 185 library, and this parameter should only be used if a specialized
186 186 provider of IKE-useful cryptographic services cannot interface with
187 187 the Solaris Cryptographic Framework. See cryptoadm(1M).
188 188
189 189 This option is now deprecated, and may be removed in a future
190 190 release.
191 191
192 192
193 193 retry_limit integer
194 194
195 195 The number of retransmits before any IKE negotiation is aborted.
196 196 Default value: 5 times.
197 197
198 198
199 199 retry_timer_init integer or float
200 200
201 201 The initial interval (in seconds) between retransmits. This
202 202 interval is doubled until the retry_timer_max value (see below) is
203 203 reached. Default value: 0.5 seconds.
204 204
205 205
206 206 retry_timer_max integer or float
207 207
208 208 The maximum interval (in seconds) between retransmits. The doubling
209 209 retransmit interval stops growing at this limit. Default value: 30
210 210 seconds.
211 211
212 212 Note -
213 213
214 214 This value is never reached with the default configuration. The
215 215 longest interval is 8 (0.5 * 2 ^ (5 - 1)) seconds.
216 216
217 217
218 218 proxy string
219 219
220 220 The string following this keyword must be a URL for an HTTP proxy,
221 221 for example, http://proxy:8080.
222 222
223 223
224 224 socks string
225 225
226 226 The string following this keyword must be a URL for a SOCKS proxy,
227 227 for example, socks://socks-proxy.
228 228
229 229
230 230 use_http
231 231
232 232 If this keyword is present in the file, in.iked(1M) uses HTTP to
233 233 retrieve Certificate Revocation Lists (CRLs).
234 234
235 235
236 236
237 237 The following IKE phase 1 transform parameters can be prefigured using
238 238 file-level defaults. Values specified within any given transform
239 239 override these defaults.
240 240
241 241
242 242 The IKE phase 1 transform defaults are as follows:
243 243
244 244 p1_lifetime_secs num
245 245
246 246 The proposed default lifetime, in seconds, of an IKE phase 1
247 247 security association (SA).
248 248
249 249
250 250 p1_nonce_len num
251 251
252 252 The length in bytes of the phase 1 (quick mode) nonce data. This
253 253 cannot be specified on a per-rule basis.
254 254
255 255
256 256
257 257 The following IKE rule parameters can be prefigured using file-level
258 258 defaults. Values specified within any given rule override these
259 259 defaults, unless a rule cannot.
260 260
261 261 p2_lifetime_secs num
262 262
263 263 The proposed default lifetime, in seconds, of an IKE phase 2
264 264 security association (SA). This value is optional. If omitted, a
265 265 default value is used.
266 266
267 267
268 268 p2_softlife_secs num
269 269
270 270 The soft lifetime of a phase 2 SA, in seconds. If this value is
271 271 specified, the SA soft expires after the number of seconds
272 272 specified by p2_softlife_secs. This causes in.iked to renegotiate a
273 273 new phase 2 SA before the original SA expires.
274 274
275 275 This value is optional, if omitted soft expiry occurs after 90% of
276 276 the lifetime specified by p2_lifetime_secs. The value specified by
277 277 p2_softlife_secs is ignored if p2_lifetime_secs is not specified.
278 278
279 279 Setting p2_softlife_secs to the same value as p2_lifetime_secs
280 280 disables soft expires.
281 281
282 282
283 283 p2_idletime_secs num
284 284
285 285 The idle lifetime of a phase 2 SA, in seconds. If the value is
286 286 specified, the value specifies the lifetime of the SA, if the
287 287 security association is not used before the SA is revalidated.
288 288
289 289
290 290 p2_lifetime_kb num
291 291
292 292 The lifetime of an SA can optionally be specified in kilobytes.
293 293 This parameter specifies the default value. If lifetimes are
294 294 specified in both seconds and kilobytes, the SA expires when either
295 - the seconds or kilobyte threshholds are passed.
295 + the seconds or kilobyte thresholds are passed.
296 296
297 297
298 298 p2_softlife_kb num
299 299
300 300 This value is the number of kilobytes that can be protected by an
301 301 SA before a soft expire occurs (see p2_softlife_secs, above).
302 302
303 303 This value is optional. If omitted, soft expiry occurs after 90% of
304 304 the lifetime specified by p2_lifetime_kb. The value specified by
305 305 p2_softlife_kb is ignored if p2_lifetime_kb is not specified.
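Review bot: the spelling fix in the p2_lifetime_kb paragraph ("threshholds" to "thresholds") is correct, but the sentence it sits in is still grammatically unbalanced: "the SA expires when either the seconds or kilobyte thresholds are passed" mixes a singular "either" with a plural subject. Suggest "the SA expires when either threshold is passed." Two more wording problems in this hunk's context would fit a typos-and-spelling commit: the p2_idletime_secs text ("If the value is specified, the value specifies the lifetime of the SA, if the security association is not used before the SA is revalidated") is circular and could read "If specified, it is the lifetime of an SA that is not used before it is revalidated", and the p2_softlife_kb paragraph uses "soft expire" in one sentence and "soft expiry" in the next; pick one term (the p2_softlife_secs paragraph earlier in the file uses both as well).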
306 306
307 307
308 308 p2_nonce_len num
309 309
310 310 The length in bytes of the phase 2 (quick mode) nonce data. This
311 311 cannot be specified on a per-rule basis.
312 312
313 313
314 314 local_id_type p1-id-type
315 315
316 316 The local identity for IKE requires a type. This identity type is
317 317 reflected in the IKE exchange. The type can be one of the
318 318 following:
319 319
320 320 o an IP address (for example, 10.1.1.2)
321 321
322 322 o DNS name (for example, test.domain.com)
323 323
324 324 o MBOX RFC 822 name (for example, root@domain.com)
325 325
326 326 o DNX.509 distinguished name (for example, C=US, O=Sun
327 327 Microsystems Inc., CN=Sun Test cert)
328 328
329 329
330 330 p1_xform '{' parameter-list '}
331 331
332 332 A phase 1 transform specifies a method for protecting an IKE phase
333 333 1 exchange. An initiator offers up lists of phase 1 transforms,
334 334 and a receiver is expected to only accept such an entry if it
335 335 matches one in a phase 1 rule. There can be several of these, and
336 336 they are additive. There must be either at least one phase 1
337 337 transform in a rule or a global default phase 1 transform list. In
338 338 a configuration file without a global default phase 1 transform
339 339 list and a rule without a phase, transform list is an invalid file.
340 340 Unless specified as optional, elements in the parameter-list must
341 341 occur exactly once within a given transform's parameter-list:
342 342
343 343 oakley_group number
344 344
345 345 The Oakley Diffie-Hellman group used for IKE SA key derivation.
346 346 The group numbers are defined in RFC 2409, Appendix A, RFC
347 347 3526, and RFC 5114, section 3.2. Acceptable values are
348 348 currently:
349 349 1 (MODP 768-bit)
350 350 2 (MODP 1024-bit)
351 351 3 (EC2N 155-bit)
352 352 4 (EC2N 185-bit)
353 353 5 (MODP 1536-bit)
354 354 14 (MODP 2048-bit)
355 355 15 (MODP 3072-bit)
356 356 16 (MODP 4096-bit)
357 357 17 (MODP 6144-bit)
358 358 18 (MODP 8192-bit)
359 359 19 (ECP 256-bit)
360 360 20 (ECP 384-bit)
361 361 21 (ECP 521-bit)
362 362 22 (MODP 1024-bit, with 160-bit Prime Order Subgroup)
363 363 23 (MODP 2048-bit, with 224-bit Prime Order Subgroup)
364 364 24 (MODP 2048-bit, with 256-bit Prime Order Subgroup)
365 365 25 (ECP 192-bit)
366 366 26 (ECP 224-bit)
367 367
368 368
369 369 encr_alg {3des, 3des-cbc, blowfish, blowfish-cdc, des, des-cbc,
370 370 aes, aes-cbc}
371 371
372 372 An encryption algorithm, as in ipsecconf(1M). However, of the
373 373 ciphers listed above, only aes and aes-cbc allow optional key-
374 374 size setting, using the "low value-to-high value" syntax. To
375 375 specify a single AES key size, the low value must equal the
376 376 high value. If no range is specified, all three AES key sizes
377 377 are allowed.
378 378
379 379
380 380 auth_alg {md5, sha, sha1, sha256, sha384, sha512}
381 381
382 382 An authentication algorithm.
383 383
384 384 Use ipsecalgs(1M) with the -l option to list the IPsec
385 385 protocols and algorithms currently defined on a system. The
386 - cryptoadm list command diplays a list of installed providers
386 + cryptoadm list command displays a list of installed providers
387 387 and their mechanisms. See cryptoadm(1M).
388 388
389 389
390 390 auth_method {preshared, rsa_sig, rsa_encrypt, dss_sig}
391 391
392 392 The authentication method used for IKE phase 1.
393 393
394 394
395 395 p1_lifetime_secs num
396 396
397 397 Optional. The lifetime for a phase 1 SA.
398 398
399 399
400 400
401 401 p2_lifetime_secs num
402 402
403 403 If configuring the kernel defaults is not sufficient for different
404 404 tasks, this parameter can be used on a per-rule basis to set the
405 405 IPsec SA lifetimes in seconds.
406 406
407 407
408 408 p2_pfs num
409 409
410 410 Use perfect forward secrecy for phase 2 (quick mode). If selected,
411 411 the oakley group specified is used for phase 2 PFS. Acceptable
412 412 values are:
413 413 0 (do not use Perfect Forward Secrecy for IPsec SAs)
414 414 1 (768-bit)
415 415 2 (1024-bit)
416 416 5 (1536-bit)
417 417 14 (2048-bit)
418 418 15 (3072-bit)
419 419 16 (4096-bit)
420 420
421 421
422 422
423 423 An IKE rule starts with a right-curly-brace ({), ends with a left-
424 424 curly-brace (}), and has the following parameters in between:
425 425
426 426 label string
427 427
428 428 Required parameter. The administrative interface to in.iked looks
429 429 up phase 1 policy rules with the label as the search string. The
430 430 administrative interface also converts the label into an index,
431 431 suitable for an extended ACQUIRE message from PF_KEY - effectively
432 432 tying IPsec policy to IKE policy in the case of a node initiating
433 433 traffic. Only one label parameter is allowed per rule.
434 434
435 435
436 436 local_addr <IPaddr/prefix/range>
437 437
438 438 Required parameter. The local address, address prefix, or address
439 439 range for this phase 1 rule. Multiple local_addr parameters
440 440 accumulate within a given rule.
441 441
442 442
443 443 remote_addr <IPaddr/prefix/range>
444 444
445 445 Required parameter. The remote address, address prefix, or address
446 446 range for this phase 1 rule. Multiple remote_addr parameters
447 447 accumulate within a given rule.
448 448
449 449
450 450 local_id_type p1-id-type
451 451
452 452 Which phase 1 identity type I uses. This is needed because a single
453 453 certificate can contain multiple values for use in IKE phase 1.
454 454 Within a given rule, all phase 1 transforms must either use
455 455 preshared or non-preshared authentication (they cannot be mixed).
456 456 For rules with preshared authentication, the local_id_type
457 457 parameter is optional, and defaults to IP. For rules which use non-
458 458 preshared authentication, the 'local_id_type' parameter is
459 459 required. Multiple 'local_id_type' parameters within a rule are not
460 460 allowed.
461 461
462 462
463 463 local_id cert-sel
464 464
465 465 Disallowed for preshared authentication method; required parameter
466 466 for non-preshared authentication method. The local identity string
467 467 or certificate selector. Only one local identity per rule is used,
468 468 the first one stated.
469 469
470 470
471 471 remote_id cert-sel
472 472
473 473 Disallowed for preshared authentication method; required parameter
474 474 for non-preshared authentication method. Selector for which remote
475 475 phase 1 identities are allowed by this rule. Multiple remote_id
476 476 parameters accumulate within a given rule. If a single empty string
477 477 ("") is given, then this accepts any remote ID for phase 1. It is
478 478 recommended that certificate trust chains or address enforcement be
479 479 configured strictly to prevent a breakdown in security if this
480 480 value for remote_id is used.
481 481
482 482
483 483 p2_lifetime_secs num
484 484
485 485 If configuring the kernel defaults is not sufficient for different
486 486 tasks, this parameter can be used on a per-rule basis to set the
487 487 IPsec SA lifetimes in seconds.
488 488
489 489
490 490 p2_pfs num
491 491
492 492 Use perfect forward secrecy for phase 2 (quick mode). If selected,
493 493 the oakley group specified is used for phase 2 PFS. Acceptable
494 494 values are:
495 495 0 (do not use Perfect Forward Secrecy for IPsec SAs)
496 496 1 (768-bit)
497 497 2 (1024-bit)
498 498 5 (1536-bit)
499 499 14 (2048-bit)
500 500 15 (3072-bit)
501 501 16 (4096-bit)
502 502
503 503
504 504 p1_xform { parameter-list }
505 505
506 506 A phase 1 transform specifies a method for protecting an IKE phase
507 507 1 exchange. An initiator offers up lists of phase 1 transforms,
508 508 and a receiver is expected to only accept such an entry if it
509 509 matches one in a phase 1 rule. There can be several of these, and
510 510 they are additive. There must be either at least one phase 1
511 511 transform in a rule or a global default phase 1 transform list. A
512 512 ike.config file without a global default phase 1transform list and
513 513 a rule without a phase 1 transform list is an invalid file.
514 514 Elements within the parameter-list; unless specified as optional,
515 515 must occur exactly once within a given transform's parameter-list:
516 516
517 517 oakley_group number
518 518
519 519 The Oakley Diffie-Hellman group used for IKE SA key derivation.
520 520 Acceptable values are currently:
521 521 1 (768-bit)
522 522 2 (1024-bit)
523 523 5 (1536-bit)
524 524 14 (2048-bit)
525 525 15 (3072-bit)
526 526 16 (4096-bit)
527 527
528 528
529 529 encr_alg {3des, 3des-cbc, blowfish, blowfish-cdc, des, des-cbc,
530 530 aes, aes-cbc}
531 531
532 532 An encryption algorithm, as in ipsecconf(1M). However, of the
533 533 ciphers listed above, only aes and aes-cbc allow optional key-
534 534 size setting, using the "low value-to-high value" syntax. To
535 535 specify a single AES key size, the low value must equal the
536 536 high value. If no range is specified, all three AES key sizes
537 537 are allowed.
538 538
539 539
540 540 auth_alg {md5, sha, sha1}
541 541
542 542 An authentication algorithm, as specified in ipseckey(1M).
543 543
544 544
545 545 auth_method {preshared, rsa_sig, rsa_encrypt, dss_sig}
546 546
547 547 The authentication method used for IKE phase 1.
548 548
549 549
550 550 p1_lifetime_secs num
551 551
552 552 Optional. The lifetime for a phase 1 SA.
553 553
554 554
555 555
556 556 EXAMPLES
557 557 Example 1 A Sample ike.config File
558 558
559 559
560 560 The following is an example of an ike.config file:
561 561
562 562
563 563
564 564 ### BEGINNING OF FILE
565 565
566 566 ### First some global parameters...
567 567
568 568 ### certificate parameters...
569 569
570 570 # Root certificates. I SHOULD use a full Distinguished Name.
571 571 # I must have this certificate in my local filesystem, see ikecert(1m).
572 572 cert_root "C=US, O=Sun Microsystems\, Inc., CN=Sun CA"
573 573
574 574 # Explicitly trusted certs that need no signatures, or perhaps
575 575 # self-signed ones. Like root certificates, use full DNs for them
576 576 # for now.
577 577 cert_trust "EMAIL=root@domain.org"
578 578
579 579 # Where do I send LDAP requests?
580 580 ldap_server "ldap1.domain.org,ldap2.domain.org:389"
581 581
582 582 ## phase 1 transform defaults...
583 583
584 584 p1_lifetime_secs 14400
585 585 p1_nonce_len 20
586 586
587 587 ## Parameters that might also show up in rules.
588 588
589 589 p1_xform { auth_method preshared oakley_group 5 auth_alg sha
590 590 encr_alg 3des }
591 591 p2_pfs 2
592 592
593 593
594 594
595 595 ### Now some rules...
596 596
597 597 {
598 598 label "simple inheritor"
599 599 local_id_type ip
600 600 local_addr 10.1.1.1
601 601 remote_addr 10.1.1.2
602 602 }
603 603 {
604 604 label "simple inheritor IPv6"
605 605 local_id_type ipv6
606 606 local_addr fe80::a00:20ff:fe7d:6
607 607 remote_addr fe80::a00:20ff:fefb:3780
608 608 }
609 609
610 610 {
611 611 # an index-only rule. If I'm a receiver, and all I
612 612 # have are index-only rules, what do I do about inbound IKE requests?
613 613 # Answer: Take them all!
614 614
615 615 label "default rule"
616 616 # Use whatever "host" (e.g. IP address) identity is appropriate
617 617 local_id_type ipv4
618 618
619 619 local_addr 0.0.0.0/0
620 620 remote_addr 0.0.0.0/0
621 621
622 622 p2_pfs 5
623 623
624 624 # Now I'm going to have the p1_xforms
625 625 p1_xform
626 626 {auth_method preshared oakley_group 5 auth_alg md5 encr_alg \
627 627 blowfish } p1_xform
628 628 {auth_method preshared oakley_group 5 auth_alg md5 encr_alg 3des }
629 629
630 630 # After said list, another keyword (or a '}') stops xform
631 631 # parsing.
632 632 }
633 633
634 634 {
635 635 # Let's try something a little more conventional.
636 636
637 637 label "host to .80 subnet"
638 638 local_id_type ip
639 639 local_id "10.1.86.51"
640 640
641 641 remote_id "" # Take any, use remote_addr for access control.
642 642
643 643 local_addr 10.1.86.51
644 644 remote_addr 10.1.80.0/24
645 645
646 646 p1_xform
647 647 { auth_method rsa_sig oakley_group 5 auth_alg md5 encr_alg 3des }
648 648 p1_xform
649 649 { auth_method rsa_sig oakley_group 5 auth_alg md5 encr_alg \
650 650 blowfish }
651 651 p1_xform
652 652 { auth_method rsa_sig oakley_group 5 auth_alg sha1 encr_alg 3des }
653 653 p1_xform
654 654 { auth_method rsa_sig oakley_group 5 auth_alg sha1 encr_alg \
655 655 blowfish }
656 656 }
657 657
658 658 {
659 659 # Let's try something a little more conventional, but with ipv6.
660 660
661 661 label "host to fe80::/10 subnet"
662 662 local_id_type ip
663 663 local_id "fe80::a00:20ff:fe7d:6"
664 664
665 665 remote_id "" # Take any, use remote_addr for access control.
666 666
667 667 local_addr fe80::a00:20ff:fe7d:6
668 668 remote_addr fe80::/10
669 669
670 670 p1_xform
671 671 { auth_method rsa_sig oakley_group 5 auth_alg md5 encr_alg 3des }
672 672 p1_xform
673 673 { auth_method rsa_sig oakley_group 5 auth_alg md5 encr_alg \
674 674 blowfish }
675 675 p1_xform
676 676 { auth_method rsa_sig oakley_group 5 auth_alg sha1 encr_alg \
677 677 3des }
678 678 p1_xform
679 679 { auth_method rsa_sig oakley_group 5 auth_alg sha1 encr_alg \
680 680 blowfish }
681 681 }
682 682
683 683 {
684 684 # How 'bout something with a different cert type and name?
685 685
686 686 label "punchin-point"
687 687 local_id_type mbox
688 688 local_id "ipsec-wizard@domain.org"
689 689
690 690 remote_id "10.5.5.128"
691 691
692 692 local_addr 0.0.0.0/0
693 693 remote_addr 10.5.5.128
694 694
695 695 p1_xform
696 696 { auth_method rsa_sig oakley_group 5 auth_alg md5 encr_alg \
697 697 blowfish }
698 698 }
699 699
700 700 {
701 701 label "receiver side"
702 702
703 703 remote_id "ipsec-wizard@domain.org"
704 704
705 705 local_id_type ip
706 706 local_id "10.5.5.128"
707 707
708 708 local_addr 10.5.5.128
709 709 remote_addr 0.0.0.0/0
710 710
711 711 p1_xform
712 712 { auth_method rsa_sig oakley_group 5 auth_alg md5 encr_alg blowfish }
713 713 # NOTE: Specifying preshared null-and-voids the remote_id/local_id
714 714 # fields.
715 715 p1_xform
716 716 { auth_method preshared oakley_group 5 auth_alg md5 encr_alg \
717 717 blowfish}
718 718
719 719 }
720 720
721 721
722 722 ATTRIBUTES
723 723 See attributes(5) for descriptions of the following attributes:
724 724
725 725
726 726
727 727
728 728 +--------------------+-----------------+
729 729 | ATTRIBUTE TYPE | ATTRIBUTE VALUE |
730 730 +--------------------+-----------------+
731 731 |Interface Stability | Committed |
732 732 +--------------------+-----------------+
733 733
734 734 SEE ALSO
735 735 cryptoadm(1M), ikeadm(1M), in.iked(1M), ikecert(1M), ipseckey(1M),
736 736 ipsecalgs(1M), ipsecconf(1M), svccfg(1M), dlopen(3C), attributes(5),
737 737 random(7D)
738 738
739 739
740 740 Harkins, Dan and Carrel, Dave. RFC 2409, Internet Key Exchange (IKE).
741 741 Cisco Systems, November 1998.
742 742
743 743
744 744 Maughan, Douglas et. al. RFC 2408, Internet Security Association and
745 745 Key Management Protocol (ISAKMP). National Security Agency, Ft. Meade,
746 746 MD. November 1998.
747 747
748 748
749 749 Piper, Derrell. RFC 2407, The Internet IP Security Domain of
750 750 Interpretation for ISAKMP. Network Alchemy. Santa Cruz, California.
751 751 November 1998.
752 752
753 753
754 754 Kivinen, T. RFC 3526, More Modular Exponential (MODP) Diffie-Hellman
755 755 Groups for Internet Key Exchange (IKE). The Internet Society, Network
756 756 Working Group. May 2003.
757 757
758 758
759 759 Lepinksi, M. and Kent, S. RFC 5114, Additional Diffie-Hellman Groups
760 760 for Use with IETF Standards. BBN Technologies, January 2008.
761 761
762 762
763 763 Fu, D. and Solinas, J. RFC 5903, Elliptic Curve Groups modulo a Prime
764 764 (ECP Groups) for IKE and IKEv2. NSA, June 2010.
765 765
766 766
767 767
768 768 April 27, 2009 IKE.CONFIG(4)