FreeBSD Manual Pages
ISAKMPD.CONF(5)		    BSD	File Formats Manual	       ISAKMPD.CONF(5)

NAME
     isakmpd.conf -- configuration file	for isakmpd

DESCRIPTION
     isakmpd.conf is the configuration file for	the isakmpd daemon managing
     security association and key management for the IPsec layer of the	ker-
     nel's networking stack.

     The file is of a well known type of format	called .INI style, named after
     the suffix	used by	an overrated windowing environment for its configura-
     tion files.  This format consists of sections, each beginning with	a line
     looking like:

     [Section name]
     Between the brackets is the name of the section following this section
     header.  Inside a section many tag/value pairs can	be stored, each	one
     looking like:

     Tag=Value
     If	the value needs	more space than	fits on	a single line it's possible to
     continue it on the	next by	ending the first with a	backslash character
     immediately before	the newline character.	This method can	extend a value
     for an arbitrary number of	lines.

     Comments can be put anywhere in the file by using a hash mark (`#').  The
     comment extends to	the end	of the current line.

     Often the right-hand side values consist of other section names.  This
     results in	a tree structure.  Some	values are treated as a	list of	sev-
     eral scalar values.  Such lists always use	a comma	character as the sepa-
     rator.  Some values are formatted like this: X,Y:Z, which is an offer/ac-
     cept syntax, where	X is a value we	offer and Y:Z is a range of accepted
     values, inclusive.

     To	activate changes to isakmpd.conf without restarting isakmpd, send a
     SIGHUP signal to the daemon process.
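The format rules above (section headers, Tag=Value, backslash continuation, hash comments, comma lists and the X,Y:Z offer/accept syntax) as a small parser. This is an added example, not isakmpd's own parser; SAMPLE_CONF is constructed input and the function names are hypothetical.

```python
import re

# Constructed sample in the isakmpd.conf(5) format; not taken from a real host.
SAMPLE_CONF = """\
# comment lines and trailing comments are dropped
[General]
Default-phase-1-lifetime=   3600,60:86400
Default-phase-2-lifetime=   1200,60:86400    # offer 20 min, accept 1 min..1 day
Listen-on=                  10.1.0.2,\\
                            10.1.0.3

[Phase 1]
10.1.0.1=                   ISAKMP-peer-west

[BLF-SHA]
ENCRYPTION_ALGORITHM=       BLOWFISH_CBC
KEY_LENGTH=                 128,96:192
"""


def parse_isakmpd_conf(text):
    """Parse .INI-style text into {section: {tag: value}}.

    Handles [Section] headers, Tag=Value pairs, '#' comments running to the
    end of the line, and a backslash immediately before the newline, which
    joins the next line onto the current value.
    """
    logical, pending = [], ""
    for raw in text.splitlines():
        if raw.endswith("\\"):          # continuation: glue the next line on
            pending += raw[:-1]
            continue
        logical.append(pending + raw)
        pending = ""
    if pending:                         # file ended inside a continuation
        logical.append(pending)

    config, section = {}, None
    for line in logical:
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
            config.setdefault(section, {})
            continue
        if section is None or "=" not in line:
            raise ValueError("malformed line or tag outside a section: %r" % line)
        tag, value = line.split("=", 1)
        config[section][tag.strip()] = value.strip()
    return config


def split_list(value):
    """Lists always use a comma as the separator: 'a, b' -> ['a', 'b']."""
    return [item.strip() for item in value.split(",") if item.strip()]


_OFFER_ACCEPT = re.compile(r"^(\d+)(?:,(\d+):(\d+))?$")


def parse_offer_accept(value):
    """'X,Y:Z' -> (offer X, lowest accepted Y, highest accepted Z), inclusive.

    A bare 'X' offers X and accepts only X.  An offer lying outside its own
    accepted range is a configuration error and is rejected.
    """
    m = _OFFER_ACCEPT.match(value.replace(" ", ""))
    if not m:
        raise ValueError("bad offer/accept value: %r" % value)
    offer = int(m.group(1))
    low = int(m.group(2)) if m.group(2) else offer
    high = int(m.group(3)) if m.group(3) else offer
    if not low <= offer <= high:
        raise ValueError("offer %d outside accepted range %d:%d" % (offer, low, high))
    return offer, low, high


def accepts(value, proposed):
    """True if a peer's proposed number falls inside the accepted range."""
    _, low, high = parse_offer_accept(value)
    return low <= proposed <= high


if __name__ == "__main__":
    for section, tags in parse_isakmpd_conf(SAMPLE_CONF).items():
        print("[%s] %s" % (section, tags))
```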

   Auto-generated parts	of the configuration
     Some predefined section names are recognized by the daemon, avoiding the
     need to fully specify the Main Mode transforms and	Quick Mode suites,
     protocols,	and transforms.

     For Main Mode:
     {DES,BLF,3DES,CAST,AES}-{MD5,SHA}[-GRP{1,2,5,14}][-{DSS,RSA_SIG}]

     For Quick Mode:
     QM-{proto}[-TRP]-{cipher}[-{hash}][-PFS[-{group}]]-SUITE

       where
	 {proto}  is either ESP	or AH
	 {cipher} is either DES, 3DES, CAST, BLF or AES
	 {hash}	  is either MD5, SHA, RIPEMD, SHA2-{256,384,512}
	 {group}  is either GRP1, GRP2,	GRP5 or	GRP14

     For example, 3DES-SHA means: 3DES encryption, SHA hash, and authentication
     by	pre-shared keys.  Similarly, QM-ESP-3DES-SHA-PFS-SUITE means: ESP pro-
     tocol, 3DES encryption, SHA hash, and use Perfect Forward Secrecy.

     Unless explicitly stated with -GRP1, 2, 5 or 14 transforms	and PFS	suites
     use DH group 2.  There are	currently no predefined	ESP+AH Quick Mode
     suites.
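The two naming schemes decoded into the tags they stand for, plus the check that the BUGS section below implies for a Suites= list (all suites in one proposal must agree on PFS and its DH group). This is an added example, not isakmpd code; the GRP5/GRP14 group names and the CAST_CBC/AES_CBC cipher names are assumptions, since the page itself only shows MODP_768, MODP_1024, DES_CBC, 3DES_CBC and BLOWFISH_CBC.

```python
import re

# Assumed mapping from the GRPn suffixes to isakmpd's symbolic group names;
# the page names only MODP_768 and MODP_1024, the rest follow the RFC numbers.
DH_GROUPS = {"1": "MODP_768", "2": "MODP_1024", "5": "MODP_1536", "14": "MODP_2048"}
DEFAULT_GROUP = "2"   # transforms and PFS suites use DH group 2 unless stated

# Main Mode cipher names: DES_CBC, 3DES_CBC and BLOWFISH_CBC appear in the
# EXAMPLES section; CAST_CBC and AES_CBC are assumed by analogy.
CIPHERS = {"DES": "DES_CBC", "3DES": "3DES_CBC", "CAST": "CAST_CBC",
           "BLF": "BLOWFISH_CBC", "AES": "AES_CBC"}
HASHES = {"MD5", "SHA", "RIPEMD", "SHA2-256", "SHA2-384", "SHA2-512"}

_MAIN_MODE = re.compile(
    r"^(?P<cipher>DES|BLF|3DES|CAST|AES)-(?P<hash>MD5|SHA)"
    r"(?:-GRP(?P<group>1|2|5|14))?(?:-(?P<auth>DSS|RSA_SIG))?$")


def expand_main_mode_transform(name):
    """{cipher}-{hash}[-GRP{n}][-{DSS,RSA_SIG}] -> the tags it stands for."""
    m = _MAIN_MODE.match(name)
    if not m:
        raise ValueError("not a predefined Main Mode transform: %r" % name)
    return {
        "ENCRYPTION_ALGORITHM": CIPHERS[m.group("cipher")],
        "HASH_ALGORITHM": m.group("hash"),
        "AUTHENTICATION_METHOD": m.group("auth") or "PRE_SHARED",
        "GROUP_DESCRIPTION": DH_GROUPS[m.group("group") or DEFAULT_GROUP],
    }


def _tokens(name):
    """Split on '-' but keep SHA2-256/384/512 together as one token."""
    parts, out = name.split("-"), []
    while parts:
        tok = parts.pop(0)
        if tok == "SHA2" and parts:
            tok += "-" + parts.pop(0)
        out.append(tok)
    return out


def expand_quick_mode_suite(name):
    """QM-{proto}[-TRP]-{cipher}[-{hash}][-PFS[-{group}]]-SUITE -> parameters.

    ESP suites need a cipher in the cipher slot; AH suites carry only a hash
    (QM-AH-MD5-SUITE), which is also their TRANSFORM_ID, as in [QM-AH-MD5-XF].
    pfs_group is None for a suite without PFS.
    """
    toks = _tokens(name)
    if len(toks) < 3 or toks[0] != "QM" or toks[-1] != "SUITE":
        raise ValueError("not a predefined Quick Mode suite: %r" % name)
    body = toks[1:-1]
    proto = body.pop(0)
    if proto not in ("ESP", "AH"):
        raise ValueError("unknown protocol in %r" % name)
    suite = {"protocol": "IPSEC_" + proto, "mode": "TUNNEL",
             "transform": None, "hash": None, "pfs_group": None}
    if body and body[0] == "TRP":
        suite["mode"] = "TRANSPORT"
        body.pop(0)
    if proto == "ESP":
        if not body or body[0] not in CIPHERS:
            raise ValueError("ESP suite %r needs a cipher" % name)
        suite["transform"] = body.pop(0)
    if body and body[0] in HASHES:
        suite["hash"] = body.pop(0)
    if proto == "AH":
        if suite["hash"] is None:
            raise ValueError("AH suite %r needs a hash" % name)
        suite["transform"] = suite["hash"]
    if body and body[0] == "PFS":
        body.pop(0)
        group = DEFAULT_GROUP
        if body and body[0].startswith("GRP"):
            group = body.pop(0)[3:]
        if group not in DH_GROUPS:
            raise ValueError("unknown DH group in %r" % name)
        suite["pfs_group"] = DH_GROUPS[group]
    if body:
        raise ValueError("unexpected %r in %r" % (body, name))
    return suite


def check_suite_list(names):
    """True if every suite in a Suites= list agrees on PFS (none, or all
    with the same DH group), which is what one quick mode proposal needs."""
    groups = {expand_quick_mode_suite(n)["pfs_group"] for n in names}
    return len(groups) == 1
```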

     The predefinitions	include	some default values for	the special sections
     "General",	"Keynote", "X509-certificates",	and
     "Default-phase-1-configuration".  These default values are presented in
     the example below.

     All autogenerated values can be overridden	by manual entries by using the
     same section and tag names	in the configuration file.  In particular, the
     default phase 1 (Main or Aggressive Mode) and phase 2 (Quick Mode)	life-
     times can be overridden by	these tags under the "General" section:

     [General]
     Default-phase-1-lifetime=	     3600,60:86400
     Default-phase-2-lifetime=	     1200,60:86400

     The Main Mode lifetime currently defaults to one hour (minimum 60 sec-
     onds, maximum 1 day).  The	Quick Mode lifetime defaults to	20 minutes
     (minimum 60 seconds, maximum 1 day).

     Also, the default phase 1 ID can be set by	creating a <Phase1-ID> sec-
     tion, as shown below, and adding this tag under the "General" section:

     [General]
     Default-phase-1-ID=	     Phase1-ID-name

     [Phase1-ID-name]
     ID-type=			     USER_FQDN
     Name=			     foo@bar.com

   Roots
     General	   Generic global configuration	parameters

		   Default-phase-1-ID
				 Optional default phase	1 ID name.

		   Default-phase-1-lifetime
				 The default lifetime for autogenerated	trans-
				 forms (phase 1).  If unspecified, the value
				 3600,60:86400 is used as the default.

		   Default-phase-2-lifetime
				 The default lifetime for autogenerated	suites
				 (phase	2).  If	unspecified, the value
				 1200,60:86400 is used as the default.

		   Default-phase-2-suites
				 A list	of phase 2 suites that will be used
				 when establishing dynamic SAs.	 If left un-
				 specified, QM-ESP-3DES-SHA-PFS-SUITE is used
				 as the	default.

		   Acquire-Only	 If this tag is	defined, isakmpd will not set
				 up flows automatically.  This is useful when
				 flows are configured with ipsecadm(4) or by
				 other programs	like bgpd(8).  Thus isakmpd
				 only takes care of the	SA establishment.

		   Check-interval
				 The interval between watchdog checks of con-
				 nections we want up at	all times.

		   DPD-check-interval
				 The interval between RFC 3706 (Dead Peer De-
				 tection) messages.  The default value is 0
				 (zero), which means DPD is disabled.

		   Exchange-max-time
				 How many seconds should an exchange maximally
				 take to set up	before we give up.

		   Listen-on	 A list	of IP-addresses	OK to listen on.  This
				 list is used as a filter for the set of ad-
				 dresses the interfaces	configured provides.
				 This means that we won't see if an address
				 given here does not exist on this host, and
				 thus no error is given	for that case.

		   Loglevel	 A list	of the form class=level, where both
				 class and level are numbers.  This is similar
				 to the	-D command line	switch of isakmpd.
				 See isakmpd(8)	for details.

		   Logverbose	 If this tag is	defined, whatever the value
				 is, verbose logging is	enabled.  This is sim-
				 ilar to the -v	command	line switch of
				 isakmpd.  See isakmpd(8) for details.

		   NAT-T-Keepalive
				 The number of seconds between NAT-T keepalive
				 messages, sent	by the peer behind NAT to keep
				 the mapping active.  Defaults to 20.

		   Policy-file	 The name of the file that contains keynote(4)
				 policies.  The	default	is
				 "/usr/local/etc/isakmpd/isakmpd.policy".

		   Pubkey-directory
				 The directory in which	isakmpd.conf looks for
				 explicitly trusted public keys.  The default
				 is "/usr/local/etc/isakmpd/pubkeys".  Read
				 isakmpd(8) for	the required naming convention
				 of the	files in here.

		   Renegotiate-on-HUP
				 If this tag is	defined, whatever the value
				 is, isakmpd will renegotiate all current
				 phase 2 SAs when the daemon receives a	SIGHUP
				 signal, or an `R' is sent to the FIFO inter-
				 face (see isakmpd(8)).

		   Retransmits	 How many times	should a message be retrans-
				 mitted	before giving up.

		   Shared-SADB	 If this tag is	defined, whatever the value
				 is, some semantics of isakmpd.conf are
				 changed so that multiple instances can	run on
				 top of	one SADB and set up SAs	with each
				 other.	 Specifically this means replay	pro-
				 tection will not be asked for,	and errors
				 that can occur	when updating an SA with its
				 parameters a 2nd time will be ignored.

		   Use-Keynote	 This tag controls the use of keynote(4) pol-
				 icy checking.	The default value is "yes",
				 which enables the policy checking.  When set
				 to any	other value, policies will not be
				 checked.  This	is useful when policies	for
				 flows and SA establishment are	arranged by
				 other programs	like ipsecadm(8) or bgpd(8).

     Phase 1	   ISAKMP SA negotiation parameter root

		   _IP-address_	 A name	of the ISAKMP peer at the given	IP-ad-
				 dress.

		   Default	 A name	of the default ISAKMP peer.  Incoming
				 phase 1 connections from other	IP-addresses
				 will use this peer name.

				 This name is used as the section name for
				 further information to	be found.  Look	at
				 <ISAKMP-peer> below.

     Phase 2	   IPsec SA negotiation	parameter root

		   Connections	 A list	of directed IPsec "connection" names
				 that should be	brought	up automatically, ei-
				 ther on first use if the system supports it,
				 or at startup of the daemon.  These names are
				 section names where further information can
				 be found.  Look at <IPsec-connection> below.
				 Normally any connections mentioned here are
				 treated as part of the	"Passive-connection"
				 list we present below,	however	there is a
				 flag: "Active-only" that disables this	behav-
				 iour.	This too is mentioned in the <IPsec-
				 connection> section, in the "Flags" tag.

		   Passive-connections
				 A list	of IPsec "connection" names we recog-
				 nize and accept initiations for.  These names
				 are section names where further information
				 can be	found.	Look at	<IPsec-connection> be-
				 low.  Currently only the Local-ID and Remote-
				 ID tags are looked at in those	sections, as
				 they are matched against the IDs given	by the
				 initiator.

     KeyNote

		   Credential-directory
				 A directory containing	directories named af-
				 ter IDs (IP addresses,	"user@domain", or
				 hostnames) that contain files named
				 "credentials" and "private_key".

				 The credentials file contains keynote(4) cre-
				 dentials that are sent	to a remote IKE	daemon
				 when we use the associated ID,	or credentials
				 that we may want to consider when doing an
				 exchange with a remote	IKE daemon that	uses
				 that ID.  Note	that, in the former case, the
				 last credential in the	file MUST contain our
				 public	key in its Licensees field.  More than
				 one credential may exist in the file.	They
				 are separated by whitelines (the format is
				 essentially the same as that of the policy
				 file).	 The credentials are of	the same for-
				 mat as	the policies described in
				 isakmpd.policy(5).  The only difference is
				 that the Authorizer field contains a public
				 key, and the assertion	is signed.  Signed as-
				 sertions can be generated using the
				 keynote(1) utility.

				 The private_key file contains the private RSA
				 key we	use for	authentication.	 If the	direc-
				 tory (and the files) exist, they take prece-
				 dence over X509-based authentication.

     X509-Certificates

		   Accept-self-signed
				 If this tag is	defined, whatever the value
				 is, certificates that do not originate	from a
				 trusted CA but	are self-signed	will be	ac-
				 cepted.

		   Ca-directory	 A directory containing	PEM certificates of
				 certification authorities that	we trust to
				 sign other certificates.  Note	that for a CA
				 to be really trusted, it needs	to be somehow
				 referred to by	policy,	in isakmpd.policy(5).
				 The certificates in this directory are	used
				 for the actual	X.509 authentication and for
				 cross-referencing policies that refer to Dis-
				 tinguished Names (DNs).  Keeping a separate
				 directory (as opposed to integrating policies
				 and X.509 CA certificates) allows for mainte-
				 nance of a list of "well known" CAs without
				 actually having to trust all (or any) of
				 them.

		   Cert-directory
				 A directory containing	PEM certificates that
				 we trust to be	valid.	These certificates are
				 used in preference to those passed in mes-
				 sages and are required	to have	a
				 subjectAltName	extension containing the
				 certificate holder identity; usually IP
				 address, FQDN,	or User	FQDN, as provided by
				 certpatch(8).

		   Private-key	 The private key matching the public key of
				 our certificate (which	should be in the
				 "Cert-directory", and have an appropriate
				 subjectAltName	field).

   Referred-to sections
     _ISAKMP-peer_ Parameters for negotiation with an ISAKMP peer

		   Phase	 The constant 1, as ISAKMP-peers and IPsec-
				 connections really are	handled	by the same
				 code inside isakmpd.

		   Transport	 The name of the transport protocol, defaults
				 to UDP.

		   Port		 In case of UDP, the UDP port number to	send
				 to.  This is optional,	the default value is
				 500 which is the IANA-registered number for
				 ISAKMP.

		   Local-address
				 The Local IP-address to use, if we are	multi-
				 homed,	or have	aliases.

		   Address	 If existent, the IP-address of	the peer.

		   Configuration
				 The name of the ISAKMP-configuration section
				 to use.  Look at <ISAKMP-configuration> be-
				 low.  If unspecified, defaults	to "Default-
				 phase-1-configuration".

		   Authentication
				 If existent, authentication data for this
				 specific peer.	 In the	case of	preshared key,
				 this is the key value itself.

		   ID		 If existent, the name of the section that de-
				 scribes the local client ID that we should
				 present to our	peer.  If not present, it de-
				 faults	to the address of the local interface
				 we are	sending	packets	over to	the remote
				 daemon.  Look at <Phase1-ID> below.

		   Remote-ID	 If existent, the name of the section that de-
				 scribes the remote client ID we expect	the
				 remote	daemon to send us.  If not present, it
				 defaults to the address of the	remote daemon.
				 Look at <Phase1-ID> below.

		   Flags	 A comma-separated list	of flags controlling
				 the further handling of the ISAKMP SA.	 Cur-
				 rently	there are no specific ISAKMP SA	flags
				 defined.

     _Phase1-ID_

		   ID-type	 The ID	type as	given by the RFC specifica-
				 tions.	 For phase 1 this is currently
				 IPV4_ADDR, IPV4_ADDR_SUBNET, IPV6_ADDR,
				 IPV6_ADDR_SUBNET, FQDN, USER_FQDN or KEY_ID.

		   Address	 If the	ID-type	is IPV4_ADDR or	IPV6_ADDR,
				 this tag should exist and be an IP-address.

		   Network	 If the	ID-type	is IPV4_ADDR_SUBNET or
				 IPV6_ADDR_SUBNET this tag should exist	and be
				 a network address.

		   Netmask	 If the	ID-type	is IPV4_ADDR_SUBNET or
				 IPV6_ADDR_SUBNET this tag should exist	and be
				 a network subnet mask.

		   Name		 If the	ID-type	is FQDN, USER_FQDN or KEY_ID,
				 this tag should exist and contain a domain
				 name, user@domain, or other identifying
				 string	respectively.

				 In the	case of	KEY_ID,	note that the IKE pro-
				 tocol allows any octet	sequence to be sent or
				 received under	this payload, potentially in-
				 cluding non-printable ones.  isakmpd(8) can
				 only transmit printable KEY_ID	payloads, but
				 can receive and process arbitrary KEY_ID pay-
				 loads.	 This effectively means	that non-
				 printable KEY_ID remote identities cannot be
				 verified through this means, although it is
				 still possible	to do so through
				 isakmpd.policy(5).

     _ISAKMP-configuration_

		   DOI		 The domain of interpretation as given by the
				 RFCs.	Normally IPSEC.	 If unspecified, de-
				 faults	to IPSEC.

		   EXCHANGE_TYPE
				 The exchange type as given by the RFCs.  For
				 main mode this	is ID_PROT and for aggressive
				 mode it is AGGRESSIVE.

		   Transforms	 A list	of proposed transforms to use for pro-
				 tecting the ISAKMP traffic.  These are	actu-
				 ally names for	sections further describing
				 the transforms.  Look at <ISAKMP-transform>
				 below.

     _ISAKMP-transform_

		   ENCRYPTION_ALGORITHM
				 The encryption	algorithm as the RFCs name it,
				 or ANY	to denote that any encryption algo-
				 rithm proposed	will be	accepted.

		   KEY_LENGTH	 For encryption	algorithms with	variable key
				 length, this is where the offered/accepted
				 keylengths are	described.  The	value is of
				 the offer-accept kind described above.

		   HASH_ALGORITHM
				 The hash algorithm as the RFCs	name it, or
				 ANY.

		   AUTHENTICATION_METHOD
				 The authentication method as the RFCs name
				 it, or	ANY.

		   GROUP_DESCRIPTION
				 The group used	for Diffie-Hellman exponentia-
				 tions,	or ANY.	 The names are symbolic, like
				 MODP_768, MODP_1024, EC_155 and EC_185.

		   PRF		 The algorithm to use for the keyed pseudo-
				 random	function (used for key derivation and
				 authentication	in phase 1), or	ANY.

		   Life		 A list	of lifetime descriptions, or ANY.  In
				 the former case, each element is in itself a
				 name of the section that defines the life-
				 time.	Look at	<Lifetime> below.  If it is
				 set to	ANY, then any type of proposed life-
				 time type and value will be accepted.

     _Lifetime_

		   LIFE_TYPE	 SECONDS or KILOBYTES depending	on the type of
				 the duration.	Notice that this field may NOT
				 be set	to ANY.

		   LIFE_DURATION
				 An offer/accept kind of value,	see above.
				 Can also be set to ANY.

     _IPsec-connection_

		   Phase	 The constant 2, as ISAKMP-peers and IPsec-
				 connections really are	handled	by the same
				 code inside isakmpd.

		   ISAKMP-peer	 The name of the ISAKMP-peer which to talk to
				 in order to set up this connection.  The
				 value is the name of an <ISAKMP-peer> sec-
				 tion.	See above.

		   Configuration
				 The name of the IPsec-configuration section
				 to use.  Look at <IPsec-configuration>	below.

		   Local-ID	 If existent, the name of the section that de-
				 scribes the optional local client ID that we
				 should	present	to our peer.  It is also used
				 when we act as	responders to find out what
				 <IPsec-connection> we are dealing with.  Look
				 at <IPsec-ID> below.

		   Remote-ID	 If existent, the name of the section that de-
				 scribes the optional remote client ID that we
				 should	present	to our peer.  It is also used
				 when we act as	responders to find out what
				 <IPsec-connection> we are dealing with.  Look
				 at <IPsec-ID> below.

		   Flags	 A comma-separated list	of flags controlling
				 the further handling of the IPsec SA.	Cur-
				 rently	only one flag is defined:

				 Active-only   If this flag is given and this
					       <IPsec-connection> is part of
					       the phase 2 connections we au-
					       tomatically keep	up, it will
					       not automatically be used for
					       accepting connections from the
					       peer.

     _IPsec-configuration_

		   DOI		 The domain of interpretation as given by the
				 RFCs.	Normally IPSEC.	 If unspecified, de-
				 faults	to IPSEC.

		   EXCHANGE_TYPE
				 The exchange type as given by the RFCs.  For
				 quick mode this is QUICK_MODE.

		   Suites	 A list	of protection suites (bundles of pro-
				 tocols) usable	for protecting the IP traffic.
				 Each of the list elements is a	name of	an
				 <IPsec-suite> section.	 See below.

     _IPsec-suite_

		   Protocols	 A list	of the protocols included in this pro-
				 tection suite.	 Each of the list elements is
				 a name	of an <IPsec-protocol> section.	 See
				 below.

     _IPsec-protocol_

		   PROTOCOL_ID	 The protocol as given by the RFCs.  Accept-
				 able values today are IPSEC_AH	and IPSEC_ESP.

		   Transforms	 A list	of transforms usable for implementing
				 the protocol.	Each of	the list elements is a
				 name of an <IPsec-transform> section.	See
				 below.

		   ReplayWindow	 The size of the window	used for replay	pro-
				 tection.  This	is normally left alone.	 Look
				 at the	ESP and	AH RFCs	for a better descrip-
				 tion.

     _IPsec-transform_

		   TRANSFORM_ID	 The transform ID as given by the RFCs.

		   ENCAPSULATION_MODE
				 The encapsulation mode	as given by the	RFCs.
				 This means TRANSPORT or TUNNEL.

		   AUTHENTICATION_ALGORITHM
				 The optional authentication algorithm in the
				 case of this being an ESP transform.

		   GROUP_DESCRIPTION
				 An optional (provides PFS if present) Diffie-
				 Hellman group description.  The values	are
				 the same as GROUP_DESCRIPTION's in <ISAKMP-
				 transform> sections shown above.

		   Life		 List of lifetimes, each element is a
				 <Lifetime> section name.

     _IPsec-ID_

		   ID-type	 The ID	type as	given by the RFCs.  For	IPsec
				 this is currently IPV4_ADDR, IPV6_ADDR,
				 IPV4_ADDR_SUBNET or IPV6_ADDR_SUBNET.

		   Address	 If the	ID-type	is IPV4_ADDR or	IPV6_ADDR this
				 tag should exist and be an IP-address.

		   Network	 If the	ID-type	is IPV4_ADDR_SUBNET or
				 IPV6_ADDR_SUBNET this tag should exist	and be
				 a network address.

		   Netmask	 If the	ID-type	is IPV4_ADDR_SUBNET or
				 IPV6_ADDR_SUBNET this tag should exist	and be
				 a network subnet mask.

		   Protocol	 If the	ID-type	is IPV4_ADDR,
				 IPV4_ADDR_SUBNET, IPV6_ADDR or
				 IPV6_ADDR_SUBNET this tag indicates what
				 transport protocol should be transmitted over
				 the SA.  If left unspecified, all transport
				 protocols between the two address (ranges)
				 will be sent (or permitted) over that SA.

		   Port		 If the	ID-type	is IPV4_ADDR,
				 IPV4_ADDR_SUBNET, IPV6_ADDR or
				 IPV6_ADDR_SUBNET this tag indicates what
				 source	or destination port is allowed to be
				 transported over the SA (depending on whether
				 this is a local or remote ID).	 If left un-
				 specified, all	ports of the given transport
				 protocol will be transmitted (or permitted)
				 over the SA.  The Protocol tag	must be	speci-
				 fied in conjunction with this tag.

   Other sections
     _IKECFG-ID_   Parameters to use with IKE mode-config.  One	ID per peer.

		   An IKECFG-ID	is written as [<ID-type>/<name>].  The follow-
		   ing ID types	are supported:

		   IPv4		 [ipv4/A.B.C.D]

		   IPv6		 [ipv6/abcd:abcd::ab:cd]

		   FQDN		 [fqdn/foo.bar.org]

		   UFQDN	 [ufqdn/user@foo.bar.org]

		   ASN1_DN	 [asn1_dn//C=aa/O=cc/...] (Note	the double
				 slashes as the	DN itself starts with a	`/'.)

		   Each	section	specifies what configuration values to return
		   to the peer requesting IKE mode-config.  Currently sup-
		   ported values are:

		   Address	 The peer's network address.

		   Netmask	 The peer's netmask.

		   Nameserver	 The IP	address	of a DNS nameserver.

		   WINS-server	 The IP	address	of a WINS server.

     _Initiator-ID_

		   During phase	1 negotiation isakmpd looks for	a pre-shared
		   key in the <ISAKMP-peer> section.  If no Authentication
		   data	is specified in	that section, and isakmpd is not the
		   initiator, it looks for Authentication data in a section
		   named after the initiator's phase 1 ID.  This allows	mobile
		   users with dynamic IP addresses to have different shared
		   secrets.

		   This	only works for aggressive mode because in main mode
		   the remote initiator	ID would not yet be known.

		   The name of the <Initiator-ID> section depends on the ID
		   type	sent by	the initiator.	Currently this can be:

		   IPv4		 [A.B.C.D]

		   IPv6		 [abcd:abcd::ab:cd]

		   FQDN		 [foo.bar.org]

		   UFQDN	 [user@foo.bar.org]
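The responder-side key selection described under <ISAKMP-peer>, the [Phase 1] Default peer and <Initiator-ID>, as an added example rather than isakmpd code. CONFIG is a constructed, already parsed configuration; the section names, secrets and function names are invented for the example.

```python
# Constructed, already-parsed configuration in the {section: {tag: value}}
# shape of isakmpd.conf; the names and secrets are invented for the example.
CONFIG = {
    "Phase 1": {"10.1.0.1": "ISAKMP-peer-west", "Default": "ISAKMP-peer-any"},
    "ISAKMP-peer-west": {"Phase": "1", "Address": "10.1.0.1",
                         "Authentication": "mekmitasdigoat"},
    # Default peer without its own Authentication tag, negotiating
    # aggressive mode so the initiator's ID can select the key.
    "ISAKMP-peer-any": {"Phase": "1",
                        "Configuration": "Aggressive-phase-1-configuration"},
    "Aggressive-phase-1-configuration": {"EXCHANGE_TYPE": "AGGRESSIVE"},
    "Default-phase-1-configuration": {"EXCHANGE_TYPE": "ID_PROT"},
    # <Initiator-ID> sections are named after the bare phase 1 ID value.
    "roadwarrior.example.org": {"Authentication": "constructed-fqdn-secret"},
    "alice@example.org": {"Authentication": "constructed-ufqdn-secret"},
}

# ID types for which an <Initiator-ID> section name is defined on the page.
INITIATOR_ID_TYPES = ("ipv4", "ipv6", "fqdn", "ufqdn")


def peer_section(config, source_address):
    """Incoming phase 1 negotiations are multiplexed on the source IP;
    an address without its own entry falls back to the [Phase 1] Default."""
    phase1 = config.get("Phase 1", {})
    name = phase1.get(source_address) or phase1.get("Default")
    return config.get(name) if name else None


def lookup_preshared_key(config, source_address, id_type=None, id_name=None):
    """Return the pre-shared key a responder would use for this initiator.

    Order: the Authentication tag of the matching <ISAKMP-peer> section; if
    that is absent and the peer negotiates aggressive mode, the section named
    after the initiator's phase 1 ID.  None means no key is configured.
    """
    peer = peer_section(config, source_address)
    if peer is None:
        return None
    if "Authentication" in peer:
        return peer["Authentication"]
    conf = peer.get("Configuration", "Default-phase-1-configuration")
    exchange = config.get(conf, {}).get("EXCHANGE_TYPE", "ID_PROT")
    if exchange != "AGGRESSIVE":
        # Main mode: the initiator's ID is not yet known when the key is needed.
        return None
    if id_type not in INITIATOR_ID_TYPES or not id_name:
        return None
    return config.get(id_name, {}).get("Authentication")
```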

FILES
     /usr/local/etc/isakmpd/isakmpd.conf  The default isakmpd configuration
					  file.

     /usr/share/ipsec/isakmpd/		  A directory containing some sample
					  isakmpd configuration	files.

EXAMPLES
     An	example	of a configuration file:

     # A configuration sample for the isakmpd ISAKMP/Oakley (aka IKE) daemon.

     [General]
     Listen-on=		     10.1.0.2

     # Incoming	phase 1	negotiations are multiplexed on	the source IP address
     [Phase 1]
     10.1.0.1=		     ISAKMP-peer-west

     # These connections are walked over after config file parsing and told
     # to the application layer	so that	it will	inform us when traffic wants to
     # pass over them.
     # This means we can do on-demand keying.
     [Phase 2]
     Connections=	     IPsec-east-west

     # Default values are commented out.
     [ISAKMP-peer-west]
     Phase=		     1
     #Transport=	     udp
     Local-address=	     10.1.0.2
     Address=		     10.1.0.1
     #Port=		     isakmp
     #Port=		     500
     #Configuration=	     Default-phase-1-configuration
     Authentication=	     mekmitasdigoat
     #Flags=

     [IPsec-east-west]
     Phase=		     2
     ISAKMP-peer=	     ISAKMP-peer-west
     Configuration=	     Default-quick-mode
     Local-ID=		     Net-east
     Remote-ID=		     Net-west
     #Flags=

     [Net-west]
     ID-type=		     IPV4_ADDR_SUBNET
     Network=		     192.168.1.0
     Netmask=		     255.255.255.0

     [Net-east]
     ID-type=		     IPV4_ADDR_SUBNET
     Network=		     192.168.2.0
     Netmask=		     255.255.255.0

     # Quick mode descriptions

     [Default-quick-mode]
     EXCHANGE_TYPE=	     QUICK_MODE
     Suites=		     QM-ESP-3DES-SHA-PFS-SUITE,QM-ESP-AES-SHA-PFS-SUITE

     # Data for	an IKE mode-config peer
     [asn1_dn//C=SE/L=SomeCity/O=SomeCompany/CN=SomePeer.company.com]
     Address=		     192.168.1.123
     Netmask=		     255.255.255.0
     Nameserver=	     192.168.1.10
     WINS-server=	     192.168.1.11

     # pre-shared key based on initiator's phase 1 ID
     [foo.bar.org]
     Authentication=	     mekmitasdigoat

     #
     # #####################################################################
     # All configuration data below this point is not required as the example
     # uses the	predefined Main	Mode transform and Quick Mode suite names.
     # It is included here for completeness.  Note the default values for the
     # [General] and [X509-certificates] sections just below.
     # #####################################################################
     #

     [General]
     Policy-file=	     /usr/local/etc/isakmpd/isakmpd.policy
     Retransmits=	     3
     Exchange-max-time=	     120

     # KeyNote credential storage
     [KeyNote]
     Credential-directory=   /usr/local/etc/isakmpd/keynote/

     # Certificates stored in PEM format
     [X509-certificates]
     CA-directory=	     /usr/local/etc/isakmpd/ca/
     Cert-directory=	     /usr/local/etc/isakmpd/certs/
     CRL-directory=	     /usr/local/etc/isakmpd/crls/
     Private-key=	     /usr/local/etc/isakmpd/private/local.key

     # Default phase 1 description (Main Mode)

     [Default-phase-1-configuration]
     EXCHANGE_TYPE=	     ID_PROT
     Transforms=	     3DES-SHA

     # Main mode transforms
     ######################

     # DES

     [DES-MD5]
     ENCRYPTION_ALGORITHM=   DES_CBC
     HASH_ALGORITHM=	     MD5
     AUTHENTICATION_METHOD=  PRE_SHARED
     GROUP_DESCRIPTION=	     MODP_1024
     Life=		     Default-phase-1-lifetime

     [DES-SHA]
     ENCRYPTION_ALGORITHM=   DES_CBC
     HASH_ALGORITHM=	     SHA
     AUTHENTICATION_METHOD=  PRE_SHARED
     GROUP_DESCRIPTION=	     MODP_1024
     Life=		     Default-phase-1-lifetime

     # 3DES

     [3DES-SHA]
     ENCRYPTION_ALGORITHM=   3DES_CBC
     HASH_ALGORITHM=	     SHA
     AUTHENTICATION_METHOD=  PRE_SHARED
     GROUP_DESCRIPTION=	     MODP_1024
     Life=		     Default-phase-1-lifetime

     # Blowfish

     [BLF-SHA]
     ENCRYPTION_ALGORITHM=   BLOWFISH_CBC
     KEY_LENGTH=	     128,96:192
     HASH_ALGORITHM=	     SHA
     AUTHENTICATION_METHOD=  PRE_SHARED
     GROUP_DESCRIPTION=	     MODP_1024
     Life=		     Default-phase-1-lifetime

     # Blowfish, using DH group	4 (non-default)
     [BLF-SHA-EC185]
     ENCRYPTION_ALGORITHM=   BLOWFISH_CBC
     KEY_LENGTH=	     128,96:192
     HASH_ALGORITHM=	     SHA
     AUTHENTICATION_METHOD=  PRE_SHARED
     GROUP_DESCRIPTION=	     EC2N_185
     Life=		     Default-phase-1-lifetime

     # Quick mode protection suites
     ##############################

     # DES

     [QM-ESP-DES-SUITE]
     Protocols=		     QM-ESP-DES

     [QM-ESP-DES-PFS-SUITE]
     Protocols=		     QM-ESP-DES-PFS

     [QM-ESP-DES-MD5-SUITE]
     Protocols=		     QM-ESP-DES-MD5

     [QM-ESP-DES-MD5-PFS-SUITE]
     Protocols=		     QM-ESP-DES-MD5-PFS

     [QM-ESP-DES-SHA-SUITE]
     Protocols=		     QM-ESP-DES-SHA

     [QM-ESP-DES-SHA-PFS-SUITE]
     Protocols=		     QM-ESP-DES-SHA-PFS

     # 3DES

     [QM-ESP-3DES-SHA-SUITE]
     Protocols=		     QM-ESP-3DES-SHA

     [QM-ESP-3DES-SHA-PFS-SUITE]
     Protocols=		     QM-ESP-3DES-SHA-PFS

     # AES

     [QM-ESP-AES-SHA-SUITE]
     Protocols=		     QM-ESP-AES-SHA

     [QM-ESP-AES-SHA-PFS-SUITE]
     Protocols=		     QM-ESP-AES-SHA-PFS

     # AH

     [QM-AH-MD5-SUITE]
     Protocols=		     QM-AH-MD5

     [QM-AH-MD5-PFS-SUITE]
     Protocols=		     QM-AH-MD5-PFS

     # AH + ESP	(non-default)

     [QM-AH-MD5-ESP-DES-SUITE]
     Protocols=		     QM-AH-MD5,QM-ESP-DES

     [QM-AH-MD5-ESP-DES-MD5-SUITE]
     Protocols=		     QM-AH-MD5,QM-ESP-DES-MD5

     [QM-ESP-DES-MD5-AH-MD5-SUITE]
     Protocols=		     QM-ESP-DES-MD5,QM-AH-MD5

     # Quick mode protocols

     # DES

     [QM-ESP-DES]
     PROTOCOL_ID=	     IPSEC_ESP
     Transforms=	     QM-ESP-DES-XF

     [QM-ESP-DES-MD5]
     PROTOCOL_ID=	     IPSEC_ESP
     Transforms=	     QM-ESP-DES-MD5-XF

     [QM-ESP-DES-MD5-PFS]
     PROTOCOL_ID=	     IPSEC_ESP
     Transforms=	     QM-ESP-DES-MD5-PFS-XF

     [QM-ESP-DES-SHA]
     PROTOCOL_ID=	     IPSEC_ESP
     Transforms=	     QM-ESP-DES-SHA-XF

     # 3DES

     [QM-ESP-3DES-SHA]
     PROTOCOL_ID=	     IPSEC_ESP
     Transforms=	     QM-ESP-3DES-SHA-XF

     [QM-ESP-3DES-SHA-PFS]
     PROTOCOL_ID=	     IPSEC_ESP
     Transforms=	     QM-ESP-3DES-SHA-PFS-XF

     [QM-ESP-3DES-SHA-TRP]
     PROTOCOL_ID=	     IPSEC_ESP
     Transforms=	     QM-ESP-3DES-SHA-TRP-XF

     # AES

     [QM-ESP-AES-SHA]
     PROTOCOL_ID=	     IPSEC_ESP
     Transforms=	     QM-ESP-AES-SHA-XF

     [QM-ESP-AES-SHA-PFS]
     PROTOCOL_ID=	     IPSEC_ESP
     Transforms=	     QM-ESP-AES-SHA-PFS-XF

     [QM-ESP-AES-SHA-TRP]
     PROTOCOL_ID=	     IPSEC_ESP
     Transforms=	     QM-ESP-AES-SHA-TRP-XF

     # AH MD5

     [QM-AH-MD5]
     PROTOCOL_ID=	     IPSEC_AH
     Transforms=	     QM-AH-MD5-XF

     [QM-AH-MD5-PFS]
     PROTOCOL_ID=	     IPSEC_AH
     Transforms=	     QM-AH-MD5-PFS-XF

     # Quick mode transforms

     # ESP DES+MD5

     [QM-ESP-DES-XF]
     TRANSFORM_ID=	     DES
     ENCAPSULATION_MODE=     TUNNEL
     Life=		     Default-phase-2-lifetime

     [QM-ESP-DES-MD5-XF]
     TRANSFORM_ID=	     DES
     ENCAPSULATION_MODE=     TUNNEL
     AUTHENTICATION_ALGORITHM=	     HMAC_MD5
     Life=		     Default-phase-2-lifetime

     [QM-ESP-DES-MD5-PFS-XF]
     TRANSFORM_ID=	     DES
     ENCAPSULATION_MODE=     TUNNEL
     GROUP_DESCRIPTION=	     MODP_1024
     AUTHENTICATION_ALGORITHM=	     HMAC_MD5
     Life=		     Default-phase-2-lifetime

     [QM-ESP-DES-SHA-XF]
     TRANSFORM_ID=	     DES
     ENCAPSULATION_MODE=     TUNNEL
     AUTHENTICATION_ALGORITHM=	     HMAC_SHA
     Life=		     Default-phase-2-lifetime

     # 3DES

     [QM-ESP-3DES-SHA-XF]
     TRANSFORM_ID=	     3DES
     ENCAPSULATION_MODE=     TUNNEL
     AUTHENTICATION_ALGORITHM=	     HMAC_SHA
     Life=		     Default-phase-2-lifetime

     [QM-ESP-3DES-SHA-PFS-XF]
     TRANSFORM_ID=	     3DES
     ENCAPSULATION_MODE=     TUNNEL
     AUTHENTICATION_ALGORITHM=	     HMAC_SHA
     GROUP_DESCRIPTION=	     MODP_1024
     Life=		     Default-phase-2-lifetime

     [QM-ESP-3DES-SHA-TRP-XF]
     TRANSFORM_ID=	     3DES
     ENCAPSULATION_MODE=     TRANSPORT
     AUTHENTICATION_ALGORITHM=	     HMAC_SHA
     Life=		     Default-phase-2-lifetime

     # AES

     [QM-ESP-AES-SHA-XF]
     TRANSFORM_ID=	     AES
     ENCAPSULATION_MODE=     TUNNEL
     AUTHENTICATION_ALGORITHM=	     HMAC_SHA
     Life=		     Default-phase-2-lifetime

     [QM-ESP-AES-SHA-PFS-XF]
     TRANSFORM_ID=	     AES
     ENCAPSULATION_MODE=     TUNNEL
     AUTHENTICATION_ALGORITHM=	     HMAC_SHA
     GROUP_DESCRIPTION=	     MODP_1024
     Life=		     Default-phase-2-lifetime

     [QM-ESP-AES-SHA-TRP-XF]
     TRANSFORM_ID=	     AES
     ENCAPSULATION_MODE=     TRANSPORT
     AUTHENTICATION_ALGORITHM=	     HMAC_SHA
     Life=		     Default-phase-2-lifetime

     # AH

     [QM-AH-MD5-XF]
     TRANSFORM_ID=	     MD5
     ENCAPSULATION_MODE=     TUNNEL
     AUTHENTICATION_ALGORITHM=	     HMAC_MD5
     Life=		     Default-phase-2-lifetime

     [QM-AH-MD5-PFS-XF]
     TRANSFORM_ID=	     MD5
     ENCAPSULATION_MODE=     TUNNEL
     GROUP_DESCRIPTION=	     MODP_1024
     Life=		     Default-phase-2-lifetime

     [Sample-Life-Time]
     LIFE_TYPE=		     SECONDS
     LIFE_DURATION=	     3600,1800:7200

     [Sample-Life-Volume]
     LIFE_TYPE=		     KILOBYTES
     LIFE_DURATION=	     1000,768:1536

SEE ALSO
     keynote(1), ipsec(4), keynote(4), isakmpd.policy(5), isakmpd(8)

BUGS
     The RFCs do not permit differing DH groups	in the same proposal for ag-
     gressive and quick	mode exchanges.	 Mixing	both PFS and non-PFS suites in
     a quick mode proposal is not possible, as PFS implies using a DH group.

BSD				August 07, 2002				   BSD

Want to link to this manual page? Use this URL:
<https://www.freebsd.org/cgi/man.cgi?query=isakmpd.conf&manpath=FreeBSD+12.0-RELEASE+and+Ports>