1.\" $OpenBSD: ipsec.conf.5,v 1.163 2022/02/04 07:59:54 tb Exp $ 2.\" 3.\" Copyright (c) 2004 Mathieu Sauve-Frankel All rights reserved. 4.\" 5.\" Redistribution and use in source and binary forms, with or without 6.\" modification, are permitted provided that the following conditions 7.\" are met: 8.\" 1. Redistributions of source code must retain the above copyright 9.\" notice, this list of conditions and the following disclaimer. 10.\" 2. Redistributions in binary form must reproduce the above copyright 11.\" notice, this list of conditions and the following disclaimer in the 12.\" documentation and/or other materials provided with the distribution. 13.\" 14.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 15.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 16.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 17.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 18.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 19.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 20.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 21.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 22.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 23.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 24.\" 25.Dd $Mdocdate: February 4 2022 $ 26.Dt IPSEC.CONF 5 27.Os 28.Sh NAME 29.Nm ipsec.conf 30.Nd IPsec configuration file 31.Sh DESCRIPTION 32The 33.Nm 34file specifies rules and definitions for IPsec, 35which provides security services for IP datagrams. 36IPsec itself is a pair of protocols: 37Encapsulating Security Payload (ESP), 38which provides integrity and confidentiality; 39and Authentication Header (AH), 40which provides integrity. 41The IPsec protocol itself is described in 42.Xr ipsec 4 . 43.Pp 44In its most basic form, a 45.Em flow 46is established between hosts and/or networks, 47and then Security Associations (SAs) are established, 48which detail how the desired protection will be achieved. 49IPsec uses flows 50to determine whether to apply security services to an IP packet or not. 51.Pp 52Generally speaking 53an automated keying daemon, 54such as 55.Xr isakmpd 8 , 56is used to set up flows and establish SAs, 57by specifying an 58.Sq ike 59line in 60.Nm 61(see 62.Sx AUTOMATIC KEYING , 63below). 64An authentication method, 65such as public key authentication, 66will also have to be set up: 67see the PKI section of 68.Xr isakmpd 8 69for information on the types of authentication available, 70and the procedures for setting them up. 71.Pp 72The keying daemon, 73.Xr isakmpd 8 , 74can be enabled to run at boot time via 75.Dq rcctl enable isakmpd . 76Note that to avoid 77.Xr keynote 4 78policy checking, it will probably need to be run with at least the 79.Fl K 80option via the 81.Dq rcctl set isakmpd flags -K 82command which sets 83.Pp 84.Dl isakmpd_flags=\(dq-K\(dq 85.Pp 86in 87.Xr rc.conf.local 8 . 88The 89.Nm 90configuration itself is loaded at boot time 91if IPsec is enabled by using 92.Dq rcctl enable ipsec , 93which sets 94.Pp 95.Dl ipsec=YES 96.Pp 97in 98.Xr rc.conf.local 8 . 99A utility called 100.Xr ipsecctl 8 101is also available to load 102.Nm 103configurations, and can additionally be used 104to view and modify IPsec flows. 105.Pp 106An alternative method of setting up SAs is also possible using 107manual keying. 108Manual keying is not recommended, 109but can be convenient for quick setups and testing. 110Those procedures are documented within this page. 111.Sh IPSEC.CONF FILE FORMAT 112The current line can be extended over multiple lines using a backslash 113.Pq Sq \e . 114Comments can be put anywhere in the file using a hash mark 115.Pq Sq # , 116and extend to the end of the current line. 117Care should be taken when commenting out multi-line text: 118the comment is effective until the end of the entire block. 119.Pp 120Argument names not beginning with a letter, digit, or underscore 121must be quoted. 122.Pp 123Addresses can be specified in CIDR notation (matching netblocks), 124as symbolic host names, interface names, or interface group names. 125.Pp 126Certain parameters can be expressed as lists, in which case 127.Xr ipsecctl 8 128generates all the necessary combinations. 129For example: 130.Bd -literal -offset indent 131ike esp from {192.168.1.1, 192.168.1.2} to \e 132 {10.0.0.17, 10.0.0.18} peer 192.168.10.1 133.Ed 134.Pp 135Will expand to: 136.Bd -literal -offset indent 137ike esp from 192.168.1.1 to 10.0.0.17 peer 192.168.10.1 138ike esp from 192.168.1.1 to 10.0.0.18 peer 192.168.10.1 139ike esp from 192.168.1.2 to 10.0.0.17 peer 192.168.10.1 140ike esp from 192.168.1.2 to 10.0.0.18 peer 192.168.10.1 141.Ed 142.Pp 143Macros can be defined that will later be expanded in context. 144Macro names must start with a letter, digit, or underscore, 145and may contain any of those characters. 146Macro names may not be reserved words (for example 147.Ic flow , 148.Ic from , 149.Ic esp ) . 150Macros are not expanded inside quotes. 151.Pp 152For example: 153.Bd -literal -offset indent 154remote_gw = "192.168.3.12" 155flow esp from 192.168.7.0/24 to 192.168.8.0/24 peer $remote_gw 156.Ed 157.Pp 158Additional configuration files can be included with the 159.Ic include 160keyword, for example: 161.Bd -literal -offset indent 162include "/etc/macros.conf" 163.Ed 164.Sh AUTOMATIC KEYING 165In this scenario, 166.Nm 167is used to set up flows and SAs automatically using 168.Xr isakmpd 8 169with the ISAKMP/Oakley a.k.a. IKEv1 protocol. 170To configure automatic keying using the IKEv2 protocol, see 171.Xr iked.conf 5 172instead. 173Some examples of setting up automatic keying: 174.Bd -literal -offset 3n 175# Set up a VPN: 176# First between the gateway machines 192.168.3.1 and 192.168.3.2 177# Second between the networks 10.1.1.0/24 and 10.1.2.0/24 178ike esp from 192.168.3.1 to 192.168.3.2 179ike esp from 10.1.1.0/24 to 10.1.2.0/24 peer 192.168.3.2 180.Ed 181.Pp 182The commands are as follows: 183.Bl -tag -width xxxx 184.It Xo 185.Ic ike 186.Op Ar mode 187.Op Ar encap 188.Op Ar tmode 189.Xc 190.Ar mode 191specifies the IKEv1 mode to use: 192one of 193.Ar passive , 194.Ar active , 195or 196.Ar dynamic . 197When 198.Ar passive 199is specified, 200.Xr isakmpd 8 201will not immediately start negotiation of this tunnel, but wait for an incoming 202request from the remote peer. 203When 204.Ar active 205or 206.Ar dynamic 207is specified, negotiation will be started at once. 208The 209.Ar dynamic 210mode will additionally enable Dead Peer Detection (DPD) and use the 211local hostname as the identity of the local peer, if not specified by 212the 213.Ic srcid 214parameter. 215.Ar dynamic 216mode should be used for hosts with dynamic IP addresses like road 217warriors or dialup hosts. 218If omitted, 219.Ar active 220mode will be used. 221.Pp 222.Ar encap 223specifies the encapsulation protocol to be used. 224Possible protocols are 225.Ar esp 226and 227.Ar ah ; 228the default is 229.Ar esp . 230.Pp 231.Ar tmode 232describes the encapsulation mode to be used. 233Possible modes are 234.Ar tunnel 235and 236.Ar transport ; 237the default is 238.Ar tunnel . 239.It Ic proto Ar protocol 240The optional 241.Ic proto 242parameter restricts the flow to a specific IP protocol. 243Common protocols are 244.Xr icmp 4 , 245.Xr tcp 4 , 246and 247.Xr udp 4 . 248For a list of all the protocol name to number mappings used by 249.Xr ipsecctl 8 , 250see the file 251.Pa /etc/protocols . 252.It Xo 253.Ic from Ar src 254.Op Ic port Ar sport 255.Op Pq Ar srcnat 256.Ic to Ar dst 257.Op Ic port Ar dport 258.Xc 259This rule applies for packets with source address 260.Ar src 261and destination address 262.Ar dst . 263The keyword 264.Ar any 265will match any address (i.e. 0.0.0.0/0). 266If the 267.Ar src 268argument specifies a fictional source ID, 269the 270.Ar srcnat 271parameter can be used to specify the actual source address. 272This can be used in outgoing NAT/BINAT scenarios as described below in 273.Sx OUTGOING NETWORK ADDRESS TRANSLATION . 274Host addresses are parsed as type 275.Dq IPV4_ADDR ; 276adding the suffix /32 will change the type to 277.Dq IPV4_ADDR_SUBNET , 278which can improve interoperability with some IKEv1 implementations. 279.Pp 280The optional 281.Ic port 282modifiers restrict the flows to the specified ports. 283They are only valid in conjunction with the 284.Xr tcp 4 285and 286.Xr udp 4 287protocols. 288Ports can be specified by number or by name. 289For a list of all port name to number mappings used by 290.Xr ipsecctl 8 , 291see the file 292.Pa /etc/services . 293.It Ic local Ar localip Ic peer Ar remote 294The 295.Ic local 296parameter specifies the address or FQDN of the local endpoint. 297Unless we are multi-homed or have aliases, 298this parameter is generally not needed. 299This parameter does not affect the set of IP addresses 300.Xr isakmpd 8 301will listen on and send packets from. 302The 303.Em Listen-on 304directive in 305.Xr isakmpd.conf 5 306should additionally be used to ensure that the local endpoint will 307send IKE messages with an appropriate source IP address. 308.Pp 309The 310.Ic peer 311parameter specifies the address or FQDN of the remote endpoint. 312For host-to-host connections where 313.Ar dst 314is identical to 315.Ar remote , 316this option is generally not needed as it will be set to 317.Ar dst 318automatically. 319If it is not specified or if the keyword 320.Ar any 321is given, the default peer is used. 322.It Xo 323.Ar mode 324.Ic auth Ar algorithm 325.Ic enc Ar algorithm 326.Ic group Ar group 327.Ic lifetime Ar time 328.Xc 329These parameters define the mode and cryptographic transforms to be 330used for the phase 1 negotiation. 331During phase 1 332the machines authenticate and set up an encrypted channel. 333.Pp 334The mode can be either 335.Ar main , 336which specifies main mode, or 337.Ar aggressive , 338which specifies aggressive mode. 339Possible values for 340.Ic auth , 341.Ic enc , 342and 343.Ic group 344are described below in 345.Sx CRYPTO TRANSFORMS . 346.Pp 347The 348.Ic lifetime 349parameter specifies the phase 1 lifetime in seconds. 350Two unit specifiers are recognized (ignoring case): 351.Ql m 352and 353.Ql h 354for minutes and hours, respectively. 355.Pp 356If omitted, 357.Xr ipsecctl 8 358will use the default values 359.Ar main , 360.Ar hmac-sha1 , 361.Ar aes , 362.Ar modp3072 , 363and 364.Ar 3600 . 365.It Xo 366.Ic quick auth Ar algorithm 367.Ic enc Ar algorithm 368.Ic group Ar group 369.Ic lifetime Ar time 370.Xc 371These parameters define the cryptographic transforms to be used for 372the phase 2 negotiation. 373During phase 2 374the actual IPsec negotiations happen. 375.Pp 376Possible values for 377.Ic auth , 378.Ic enc , 379and 380.Ic group 381are described below in 382.Sx CRYPTO TRANSFORMS . 383Perfect Forward Secrecy (PFS) is enabled unless 384.Ic group Ar none 385is specified. 386.Pp 387The 388.Ic lifetime 389parameter specifies the phase 2 lifetime in seconds. 390Two unit specifiers are recognized (ignoring case): 391.Ql m 392and 393.Ql h 394for minutes and hours, respectively. 395.Pp 396If omitted, 397.Xr ipsecctl 8 398will use the default values 399.Ar hmac-sha2-256 400and 401.Ar aes ; 402PFS will only be used if the remote side requests it. 403The default phase 2 lifetime value is 404.Ar 1200 . 405.It Ic srcid Ar string Ic dstid Ar string 406.Ic srcid 407defines an ID of type 408.Dq USER_FQDN 409or 410.Dq FQDN 411that will be used by 412.Xr isakmpd 8 413as the identity of the local peer. 414If the argument is an email address (bob@example.com), 415.Xr ipsecctl 8 416will use USER_FQDN as the ID type. 417Anything else is considered to be an FQDN. 418If 419.Ic srcid 420is omitted, 421the default is to use the IP address of the connecting machine. 422.Pp 423.Ic dstid 424is similar to 425.Ic srcid , 426but instead specifies the ID to be used 427by the remote peer. 428.It Ic psk Ar string 429Use a pre-shared key 430.Ar string 431for authentication. 432If this option is not specified, 433public key authentication is used (see 434.Xr isakmpd 8 ) . 435.It Ic tag Ar string 436Add a 437.Xr pf 4 438tag to all packets of phase 2 SAs created for this connection. 439This will allow matching packets for this connection by defining 440rules in 441.Xr pf.conf 5 442using the 443.Cm tagged 444keyword. 445.Pp 446The following variables can be used in tags to include information 447from the remote peer on runtime: 448.Pp 449.Bl -tag -width $domain -compact -offset indent 450.It Ar $id 451The remote phase 1 ID. 452It will be expanded to 453.Ar id-type/id-value , 454e.g.\& 455.Ar fqdn/foo.bar.org . 456.It Ar $domain 457Extract the domain from IDs of type FQDN or UFQDN. 458.El 459.Pp 460For example, if the ID is 461.Ar fqdn/foo.bar.org 462or 463.Ar ufqdn/user@bar.org , 464.Dq ipsec-$domain 465expands to 466.Dq ipsec-bar.org . 467The variable expansion for the 468.Ar tag 469directive occurs only at runtime (not when the file is parsed) 470and must be quoted, or it will be interpreted as a macro. 471.El 472.Sh PACKET FILTERING 473IPsec traffic appears unencrypted on the 474.Xr enc 4 475interface 476and can be filtered accordingly using the 477.Ox 478packet filter, 479.Xr pf 4 . 480The grammar for the packet filter is described in 481.Xr pf.conf 5 . 482.Pp 483The following components are relevant to filtering IPsec traffic: 484.Bl -ohang -offset indent 485.It external interface 486Interface for ISAKMP traffic and encapsulated IPsec traffic. 487.It proto udp port 500 488ISAKMP traffic on the external interface. 489.It proto udp port 4500 490ISAKMP NAT-Traversal traffic on the external interface. 491.It proto ah | esp 492Encapsulated IPsec traffic 493on the external interface. 494.It enc0 495Interface for outgoing traffic before it's been encapsulated, 496and incoming traffic after it's been decapsulated. 497State on this interface should be interface bound; 498see 499.Xr enc 4 500for further information. 501.It proto ipencap 502[tunnel mode only] 503IP-in-IP traffic flowing between gateways 504on the enc0 interface. 505.It tagged ipsec-example.org 506Match traffic of phase 2 SAs using the 507.Ic tag 508keyword. 509.El 510.Pp 511If the filtering rules specify to block everything by default, 512the following rule 513would ensure that IPsec traffic never hits the packet filtering engine, 514and is therefore passed: 515.Bd -literal -offset indent 516set skip on enc0 517.Ed 518.Pp 519In the following example, all traffic is blocked by default. 520IPsec-related traffic from gateways {192.168.3.1, 192.168.3.2} and 521networks {10.0.1.0/24, 10.0.2.0/24} is permitted. 522.Bd -literal -offset indent 523block on sk0 524block on enc0 525 526pass in on sk0 proto udp from 192.168.3.2 to 192.168.3.1 \e 527 port {500, 4500} 528pass out on sk0 proto udp from 192.168.3.1 to 192.168.3.2 \e 529 port {500, 4500} 530 531pass in on sk0 proto esp from 192.168.3.2 to 192.168.3.1 532pass out on sk0 proto esp from 192.168.3.1 to 192.168.3.2 533 534pass in on enc0 proto ipencap from 192.168.3.2 to 192.168.3.1 \e 535 keep state (if-bound) 536pass out on enc0 proto ipencap from 192.168.3.1 to 192.168.3.2 \e 537 keep state (if-bound) 538pass in on enc0 from 10.0.2.0/24 to 10.0.1.0/24 \e 539 keep state (if-bound) 540pass out on enc0 from 10.0.1.0/24 to 10.0.2.0/24 \e 541 keep state (if-bound) 542.Ed 543.Pp 544.Xr pf 4 545has the ability to filter IPsec-related packets 546based on an arbitrary 547.Em tag 548specified within a ruleset. 549The tag is used as an internal marker 550which can be used to identify the packets later on. 551This could be helpful, 552for example, 553in scenarios where users are connecting in from differing IP addresses, 554or to support queue-based bandwidth control, 555since the enc0 interface does not support it. 556.Pp 557The following 558.Xr pf.conf 5 559fragment uses queues for all IPsec traffic with special 560handling for developers and employees: 561.Bd -literal -offset indent 562queue std on sk0 bandwidth 100M 563queue deflt parent std bandwidth 10M default 564queue developers parent std bandwidth 75M 565queue employees parent std bandwidth 5M 566queue ipsec parent std bandwidth 10M 567 568pass out on sk0 proto esp set queue ipsec 569 570pass out on sk0 tagged ipsec-developers.bar.org set queue developers 571pass out on sk0 tagged ipsec-employees.bar.org set queue employees 572.Ed 573.Pp 574The tags will be assigned by the following 575.Nm 576example: 577.Bd -literal -offset indent 578ike esp from 10.1.1.0/24 to 10.1.2.0/24 peer 192.168.3.2 \e 579 tag "ipsec-$domain" 580.Ed 581.Sh OUTGOING NETWORK ADDRESS TRANSLATION 582In some network topologies it is desirable to perform NAT on traffic leaving 583through the VPN tunnel. 584In order to achieve that, 585the 586.Ar src 587argument is used to negotiate the desired network ID with the peer 588and the 589.Ar srcnat 590parameter defines the true local subnet, 591so that a correct SA can be installed on the local side. 592.Pp 593For example, 594if the local subnet is 192.168.1.0/24 and all the traffic 595for a specific VPN peer should appear as coming from 10.10.10.1, 596the following configuration is used: 597.Bd -literal -offset indent 598ike esp from 10.10.10.1 (192.168.1.0/24) to 192.168.2.0/24 \e 599 peer 10.10.20.1 600.Ed 601.Pp 602Naturally, 603a relevant NAT rule is required in 604.Xr pf.conf 5 . 605For the example above, 606this would be: 607.Bd -literal -offset indent 608match out on enc0 from 192.168.1.0/24 to 192.168.2.0/24 \e 609 nat-to 10.10.10.1 610.Ed 611.Pp 612From the peer's point of view, 613the local end of the VPN tunnel is declared to be 10.10.10.1 614and all the traffic arrives with that source address. 615.Sh CRYPTO TRANSFORMS 616It is very important that keys are not guessable. 617One practical way of generating keys is to use 618.Xr openssl 1 . 619The following generates a 160-bit (20-byte) key: 620.Bd -literal -offset indent 621$ openssl rand -hex 20 622.Ed 623.Pp 624The following authentication types are permitted with the 625.Ic auth 626keyword: 627.Bl -column "Authentication" "Key Length" "Description" -offset indent 628.It Em "Authentication" Ta Em "Key Length" Ta "" 629.It Li hmac-md5 Ta "128 bits" Ta "" 630.It Li hmac-ripemd160 Ta "160 bits" Ta "[phase 2 only]" 631.It Li hmac-sha1 Ta "160 bits" Ta "" 632.It Li hmac-sha2-256 Ta "256 bits" Ta "" 633.It Li hmac-sha2-384 Ta "384 bits" Ta "" 634.It Li hmac-sha2-512 Ta "512 bits" Ta "" 635.El 636.Pp 637The following cipher types are permitted with the 638.Ic enc 639keyword: 640.Bl -column "chacha20-poly1305" "128-256 bits" "Description" -offset indent 641.It Em "Cipher" Ta Em "Key Length" Ta "" 642.It Li 3des Ta "168 bits" Ta "" 643.It Li aes Ta "128-256 bits" Ta "" 644.It Li aes-128 Ta "128 bits" Ta "" 645.It Li aes-192 Ta "192 bits" Ta "" 646.It Li aes-256 Ta "256 bits" Ta "" 647.It Li aesctr Ta "160 bits" Ta "[phase 2 only, IKE only]" 648.It Li aes-128-ctr Ta "160 bits" Ta "[phase 2 only, IKE only]" 649.It Li aes-192-ctr Ta "224 bits" Ta "[phase 2 only, IKE only]" 650.It Li aes-256-ctr Ta "288 bits" Ta "[phase 2 only, IKE only]" 651.It Li aes-128-gcm Ta "160 bits" Ta "[phase 2 only, IKE only]" 652.It Li aes-192-gcm Ta "224 bits" Ta "[phase 2 only, IKE only]" 653.It Li aes-256-gcm Ta "288 bits" Ta "[phase 2 only, IKE only]" 654.It Li blowfish Ta "160 bits" Ta "" 655.It Li cast128 Ta "128 bits" Ta "" 656.It Li chacha20-poly1305 Ta "288 bits" Ta "" 657.El 658.Pp 659The following cipher types provide only authentication, not encryption: 660.Bl -column "chacha20-poly1305" "128-256 bits" "Description" -offset indent 661.It Li aes-128-gmac Ta "160 bits" Ta "[phase 2 only, IKE only]" 662.It Li aes-192-gmac Ta "224 bits" Ta "[phase 2 only, IKE only]" 663.It Li aes-256-gmac Ta "288 bits" Ta "[phase 2 only, IKE only]" 664.It Li null Ta "(none)" Ta "[phase 2 only]" 665.El 666.Pp 667Transforms followed by 668.Bq IKE only 669can only be used with the 670.Ic ike 671keyword; transforms with 672.Bq phase 2 only 673can only be used with the 674.Ic quick 675keyword. 676.Pp 6773DES requires 24 bytes to form its 168-bit key. 678This is because the most significant bit of each byte is used for parity. 679.Pp 680The keysize of AES-CTR can be 128, 192, or 256 bits. 681However as well as the key, a 32-bit nonce has to be supplied. 682Thus 160, 224, or 288 bits of key material, respectively, have to be supplied. 683The same applies to AES-GCM, AES-GMAC and ChaCha20-Poly1305, 684however in the latter case the keysize is 256 bits. 685.Pp 686Using AES-GMAC or NULL with ESP will only provide authentication. 687This is useful in setups where AH cannot be used, e.g. when NAT is involved. 688.Pp 689The following group types are permitted with the 690.Ic group 691keyword: 692.Bl -column "modp1024" "Size" "Description" -offset indent 693.It Em Group Ta Em Size Ta "" 694.It Li modp768 Ta 768 Ta "[DH group 1]" 695.It Li modp1024 Ta 1024 Ta "[DH group 2]" 696.It Li modp1536 Ta 1536 Ta "[DH group 5]" 697.It Li modp2048 Ta 2048 Ta "[DH group 14]" 698.It Li modp3072 Ta 3072 Ta "[DH group 15]" 699.It Li modp4096 Ta 4096 Ta "[DH group 16]" 700.It Li modp6144 Ta 6144 Ta "[DH group 17]" 701.It Li modp8192 Ta 8192 Ta "[DH group 18]" 702.It Li ecp256 Ta 256 Ta "[DH group 19]" 703.It Li ecp384 Ta 384 Ta "[DH group 20]" 704.It Li ecp521 Ta 512 Ta "[DH group 21]" 705.It Li ecp192 Ta 192 Ta "[DH group 25]" 706.It Li ecp224 Ta 224 Ta "[DH group 26]" 707.It Li bp224 Ta 224 Ta "[DH group 27]" 708.It Li bp256 Ta 256 Ta "[DH group 28]" 709.It Li bp384 Ta 384 Ta "[DH group 29]" 710.It Li bp512 Ta 512 Ta "[DH group 30]" 711.It Li none Ta 0 Ta "[phase 2 only]" 712.El 713.Sh MANUAL FLOWS 714In this scenario, 715.Nm 716is used to set up flows manually. 717IPsec uses flows 718to determine whether to apply security services to an IP packet or not. 719Some examples of setting up flows: 720.Bd -literal -offset 3n 721# Set up two flows: 722# First between the machines 192.168.3.14 and 192.168.3.100 723# Second between the networks 192.168.7.0/24 and 192.168.8.0/24 724flow esp from 192.168.3.14 to 192.168.3.100 725flow esp from 192.168.7.0/24 to 192.168.8.0/24 peer 192.168.3.12 726.Ed 727.Pp 728The following types of flow are available: 729.Bl -tag -width xxxx 730.It Ic flow esp 731ESP can provide the following properties: 732authentication, integrity, replay protection, and confidentiality of the data. 733If no flow type is specified, 734this is the default. 735.It Ic flow ah 736AH provides authentication, integrity, and replay protection, but not 737confidentiality. 738.It Ic flow ipip 739IPIP does not provide authentication, integrity, replay protection, or 740confidentiality. 741However, it does allow tunnelling of IP traffic over IP, without setting up 742.Xr gif 4 743interfaces. 744.El 745.Pp 746The commands are as follows: 747.Bl -tag -width xxxx 748.It Ic in No or Ic out 749This rule applies to incoming or outgoing packets. 750If neither 751.Ic in 752nor 753.Ic out 754are specified, 755.Xr ipsecctl 8 756will assume the direction 757.Ic out 758for this rule and will construct a proper 759.Ic in 760rule. 761Thus packets in both directions will be matched. 762.It Ic proto Ar protocol 763The optional 764.Ic proto 765parameter restricts the flow to a specific IP protocol. 766Common protocols are 767.Xr icmp 4 , 768.Xr tcp 4 , 769and 770.Xr udp 4 . 771For a list of all the protocol name to number mappings used by 772.Xr ipsecctl 8 , 773see the file 774.Pa /etc/protocols . 775.It Xo 776.Ic from Ar src 777.Op Ic port Ar sport 778.Ic to Ar dst 779.Op Ic port Ar dport 780.Xc 781This rule applies for packets with source address 782.Ar src 783and destination address 784.Ar dst . 785The keyword 786.Ar any 787will match any address (i.e. 0.0.0.0/0). 788The optional 789.Ic port 790modifiers restrict the flows to the specified ports. 791They are only valid in conjunction with the 792.Xr tcp 4 793and 794.Xr udp 4 795protocols. 796Ports can be specified by number or by name. 797For a list of all port name to number mappings used by 798.Xr ipsecctl 8 , 799see the file 800.Pa /etc/services . 801.It Ic local Ar localip 802The 803.Ic local 804parameter specifies the address or FQDN of the local endpoint of this 805flow and can be usually left out. 806.It Ic peer Ar remote 807The 808.Ic peer 809parameter specifies the address or FQDN of the remote endpoint of this 810flow. 811For host-to-host connections where 812.Ar dst 813is identical to 814.Ar remote , 815the 816.Ic peer 817specification can be left out as it will be set to 818.Ar dst 819automatically. 820Only if the keyword 821.Ar any 822is given is a flow without peer created. 823.It Ic type Ar modifier 824This optional parameter sets up special flows using modifiers. 825By default, 826.Xr ipsecctl 8 827will automatically set up normal flows with the corresponding type. 828.Ar modifier 829may be one of the following: 830.Pp 831.Bl -tag -width "acquireXX" -offset indent -compact 832.It acquire 833Use IPsec and establish SAs dynamically. 834Unencrypted traffic is permitted until it is protected by IPsec. 835.It bypass 836Matching packets are not processed by IPsec. 837.It deny 838Matching packets are dropped. 839.It dontacq 840Use IPsec. 841If no SAs are available, 842does not trigger 843.Xr isakmpd 8 . 844.It require 845Use IPsec and establish SAs dynamically. 846Unencrypted traffic is not permitted until it is protected by IPsec. 847.It use 848Use IPsec. 849Unencrypted traffic is permitted. 850Does not trigger 851.Xr isakmpd 8 . 852.El 853.El 854.Sh MANUAL SECURITY ASSOCIATIONS (SAs) 855In this scenario, 856.Nm 857is used to set up SAs manually. 858The security parameters for a flow 859are stored in the Security Association Database (SADB). 860An example of setting up an SA: 861.Bd -literal -offset 3n 862# Set up an IPsec SA for flows between 192.168.3.14 and 192.168.3.12 863esp from 192.168.3.14 to 192.168.3.12 spi 0xdeadbeef:0xbeefdead \e 864 authkey file "auth14:auth12" enckey file "enc14:enc12" 865.Ed 866.Pp 867Parameters specify the peers, Security Parameter Index (SPI), 868cryptographic transforms, and key material to be used. 869The following rules enter SAs in the SADB: 870.Pp 871.Bl -tag -width "tcpmd5XX" -offset indent -compact 872.It Ic esp 873Enter an ESP SA. 874.It Ic ah 875Enter an AH SA. 876.It Ic ipcomp 877Enter an IPCOMP SA. 878.It Ic ipip 879Enter an IPIP pseudo SA. 880.It Ic tcpmd5 881Enter a TCP MD5 SA. 882.El 883.Pp 884The commands are as follows: 885.Bl -tag -width xxxx 886.It Ar mode 887For ESP and AH 888.\".Ic ipcomp 889the encapsulation mode can be specified. 890Possible modes are 891.Ar tunnel 892and 893.Ar transport . 894When left out, 895.Ar tunnel 896is chosen. 897For details on modes see 898.Xr ipsec 4 . 899.It Ic from Ar src Ic to Ar dst 900This SA is for a 901.Ar flow 902between the peers 903.Ar src 904and 905.Ar dst . 906.It Ic spi Ar number 907The SPI identifies a specific SA. 908.Ar number 909is a 32-bit value and needs to be unique. 910.It Ic udpencap Op Ic port Ar dport 911For NAT-Traversal encapsulate the IPsec traffic in UDP. 912The port number of the peer can be set to 913.Ar dport . 914.It Ic auth Ar algorithm 915For ESP and AH 916an authentication algorithm can be specified. 917Possible values 918are described above in 919.Sx CRYPTO TRANSFORMS . 920.Pp 921If no algorithm is specified, 922.Xr ipsecctl 8 923will choose 924.Ar hmac-sha2-256 925by default. 926.It Ic enc Ar algorithm 927For ESP 928an encryption algorithm can be specified. 929Possible values 930are described above in 931.Sx CRYPTO TRANSFORMS . 932.Pp 933If no algorithm is specified, 934.Xr ipsecctl 8 935will choose 936.Ar aes 937by default. 938.It Ic authkey Ar keyspec 939.Ar keyspec 940defines the authentication key to be used. 941It is either a hexadecimal string or a path to a file containing the key. 942The filename may be given as either an absolute path to the file 943or a relative pathname, 944and is specified as follows: 945.Bd -literal -offset indent 946authkey file "filename" 947.Ed 948.It Ic enckey Ar keyspec 949The encryption key is defined similarly to 950.Ic authkey . 951.It Ic bundle Ar identifier 952Several SAs can be attached to a single flow. 953The cryptographic transforms are applied in order. 954The type of the first SA has to match the type of the flow. 955All SAs with identical 956.Ar src , dst , 957and 958.Ar identifier 959are grouped together. 960.It Xo 961.Ic tcpmd5 962.Ic from Ar src 963.Ic to Ar dst 964.Ic spi Ar number 965.Ic authkey Ar keyspec 966.Xc 967TCP MD5 signatures are generally used between BGP daemons, such as 968.Xr bgpd 8 . 969Since 970.Xr bgpd 8 971itself already provides this functionality, 972this option is generally not needed. 973More information on TCP MD5 signatures can be found in 974.Xr tcp 4 , 975.Xr bgpd.conf 5 , 976and RFC 2385. 977.Pp 978This rule applies for packets with source address 979.Ar src 980and destination address 981.Ar dst . 982The parameter 983.Ic spi 984is a 32-bit value defining the Security Parameter Index (SPI) for this SA. 985The encryption key is defined similarly to 986.Ic authkey . 987.El 988.Pp 989Since an SA is directional, a second SA is normally configured in the 990reverse direction. 991This is done by adding a second, colon-separated, value to 992.Ic spi , 993.Ic authkey , 994and 995.Ic enckey . 996.Sh FILES 997.Bl -tag -width /etc/examples/ipsec.conf -compact 998.It Pa /etc/ipsec.conf 999.It Pa /etc/examples/ipsec.conf 1000.El 1001.Sh SEE ALSO 1002.Xr openssl 1 , 1003.Xr enc 4 , 1004.Xr ipcomp 4 , 1005.Xr ipsec 4 , 1006.Xr tcp 4 , 1007.Xr pf.conf 5 , 1008.Xr ipsecctl 8 , 1009.Xr isakmpd 8 1010.Sh HISTORY 1011The 1012.Nm 1013file format first appeared in 1014.Ox 3.8 . 1015