1.\" $OpenBSD: isakmpd.policy.5,v 1.41 2007/05/31 19:19:45 jmc Exp $ 2.\" $EOM: isakmpd.policy.5,v 1.24 2000/11/23 12:55:25 niklas Exp $ 3.\" 4.\" Copyright (c) 1999-2001, Angelos D. Keromytis. All rights reserved. 5.\" 6.\" Redistribution and use in source and binary forms, with or without 7.\" modification, are permitted provided that the following conditions 8.\" are met: 9.\" 1. Redistributions of source code must retain the above copyright 10.\" notice, this list of conditions and the following disclaimer. 11.\" 2. Redistributions in binary form must reproduce the above copyright 12.\" notice, this list of conditions and the following disclaimer in the 13.\" documentation and/or other materials provided with the distribution. 14.\" 15.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 16.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 17.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 18.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 19.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 20.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 21.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 22.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 23.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 24.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 25.\" 26.\" 27.\" Manual page, using -mandoc macros 28.\" 29.Dd $Mdocdate: May 31 2007 $ 30.Dt ISAKMPD.POLICY 5 31.Os 32.Sh NAME 33.Nm isakmpd.policy 34.Nd policy configuration file for isakmpd 35.Sh DESCRIPTION 36.Nm 37is the policy configuration file for the 38.Xr isakmpd 8 39daemon, managing security association and key management for the 40.Xr ipsec 4 41layer of the kernel's networking stack. 42.Pp 43The 44.Xr isakmpd 8 45daemon (also known as IKE, for Internet Key Exchange) is used when two 46systems need to automatically set up a pair of Security Associations 47(SAs) for secure communication using IPsec. 48IKE operates in two stages: 49.Pp 50In the first stage (Main or Identity Protection Mode), the two IKE 51daemons establish a secure link between themselves, fully 52authenticating each other and establishing key material for 53encrypting/authenticating future communications between them. 54This step is typically only performed once for every pair of IKE daemons. 55.Pp 56In the second stage (also called Quick Mode), the two IKE daemons 57create the pair of SAs for the parties that wish to communicate using 58IPsec. 59These parties may be the hosts the IKE daemons run on, a host 60and a network behind a firewall, or two networks behind their 61respective firewalls. 62At this stage, the exact parameters of the SAs 63(e.g., algorithms to use, encapsulation mode, lifetime) and the 64identities of the communicating parties (hosts, networks, etc.) are 65specified. 66The reason for the existence of Quick Mode is to allow for fast 67SA setup, once the more heavy-weight Main Mode has been completed. 68Generally, Quick Mode uses the key material derived from Main Mode to 69provide keys to the IPsec transforms to be used. 70.Pp 71Alternatively, a new 72Diffie-Hellman computation may be performed, which significantly slows 73down the exchange, but at the same time provides Perfect Forward 74Secrecy (PFS). 75Briefly, this means that even should an attacker 76manage to break long-term keys used in other sessions (or, 77specifically, if an attacker breaks the Diffie-Hellman exchange 78performed during Main Mode), they will not be able to decrypt this 79traffic. 80Normally, no PFS is provided (the key material used by the 81IPsec SAs established as a result of this exchange will be derived 82from the key material of the Main Mode exchange), allowing for a 83faster Quick Mode exchange (no public key computations). 84.Pp 85IKE proposals are "suggestions" by the initiator of an exchange to the 86responder as to what protocols and attributes should be used on a 87class of packets. 88For example, a given exchange may ask for ESP with 893DES and MD5 and AH with SHA1 (applied successively on the same 90packet), or just ESP with Blowfish and RIPEMD-160. 91The responder 92examines the proposals and determines which of them are acceptable, 93according to policy and any credentials. 94.Pp 95The following paragraphs assume some knowledge of the contents of the 96.Xr keynote 4 97and 98.Xr keynote 5 99man pages. 100.Pp 101In the KeyNote policy model for IPsec, no distinction is currently 102made based on the ordering of AH and ESP in the packet. 103Should this 104change in the future, an appropriate attribute (see below) will be 105added. 106.Pp 107The goal of security policy for IKE is thus to determine, based on 108local policy (provided in the 109.Nm 110file), credentials provided during the IKE exchanges (or obtained 111through other means), the SA attributes proposed during the exchange, 112and perhaps other (side-channel) information, whether a pair of SAs 113should be installed in the system (in fact, whether both the IPsec SAs 114and the flows should be installed). 115For each proposal suggested by or 116to the remote IKE daemon, the KeyNote system is consulted as to 117whether the proposal is acceptable based on local policy (contained in 118.Nm , 119in the form of policy assertions) and remote credentials (e.g., 120KeyNote credentials or X509 certificates provided by the remote IKE 121daemon). 122.Pp 123.Nm 124is simply a flat 125.Xr ascii 7 126file containing KeyNote policy assertions, separated by blank lines 127(note that KeyNote assertions may not contain blank lines). 128.Nm 129is read when 130.Xr isakmpd 8 131is first started, and every time it receives a 132.Dv SIGHUP 133signal. 134The new policies read will be used for all new Phase 2 (IPsec) 135SAs established from that point on (even if the associated Phase 1 SA 136was already established when the new policies were loaded). 137The policy change will not affect already established Phase 2 SAs. 138.Pp 139For more details on KeyNote assertion format, please see 140.Xr keynote 5 . 141Briefly, KeyNote policy assertions used in IKE have the following 142characteristics: 143.Bl -bullet 144.It 145The Authorizer field is typically "POLICY" (but see the examples 146below, for use of policy delegation). 147.It 148The Licensees field can be an expression of passphrases used for 149authentication of the Main Mode exchanges, and/or public keys 150(typically, X509 certificates), and/or X509 distinguished names. 151.It 152The Conditions field contains an expression of attributes from the 153IPsec policy action set (see below as well as the keynote syntax man 154page for more details). 155.It 156The ordered return-values set for IPsec policy is "false, true". 157.El 158.Pp 159For an explanation of these fields and their semantics, see 160.Xr keynote 5 . 161.Pp 162For example, the following policy assertion: 163.Bd -literal 164 Authorizer: "POLICY" 165 Licensees: "passphrase:foobar" || "x509-base64:abcd==" || 166 "passphrase-md5-hex:3858f62230ac3c915f300c664312c63f" || 167 "passphrase-sha1-hex:8843d7f92416211de9ebb963ff4ce28125932878" 168 Conditions: app_domain == "IPsec policy" && esp_present == "yes" 169 && esp_enc_alg != "null" -> "true"; 170.Ed 171.Pp 172says that any proposal from a remote host that authenticates using the 173passphrase "foobar" or the public key contained in the X509 174certificate encoded as "abcd==" will be accepted, as long as it 175contains ESP with a non-null algorithm (i.e., the packet will be 176encrypted). 177The last two authorizers are the MD5 and SHA1 hashes respectively of 178the passphrase "foobar". 179This form may be used instead of the "passphrase:..." one to protect 180the passphrase as included in the policy file (or as distributed in a 181signed credential). 182.Pp 183The following policy assertion: 184.Bd -literal 185 Authorizer: "POLICY" 186 Licensees: "DN:/CN=CA Certificate" 187 Conditions: app_domain == "IPsec policy" && esp_present == "yes" 188 && esp_enc_alg != "null" -> "true"; 189.Ed 190.Pp 191is similar to the previous one, but instead of including a complete 192X509 credential in the Licensees field, only the X509 certificate's 193Subject Canonical Name needs to be specified (note that the "DN:" 194prefix is necessary). 195.Pp 196KeyNote credentials have the same format as policy assertions, with 197one difference: the Authorizer field always contains a public key, and 198the assertion is signed (and thus its integrity can be 199cryptographically verified). 200Credentials are used to build chains of delegation of authority. 201They can be exchanged during an IKE exchange, 202or can be retrieved through some out-of-band mechanism (no such 203mechanism is currently supported in this implementation however). 204See 205.Xr isakmpd.conf 5 206on how to specify what credentials to send in an IKE exchange. 207.Pp 208Passphrases that appear in the Licensees field are encoded as the 209string "passphrase:", followed by the passphrase itself 210(case-sensitive). 211Alternatively (and preferably), they may be encoded using the 212"passphrase-md5-hex:" or "passphrase-sha1-hex:" prefixes, followed 213by the 214.Xr md5 1 215or 216.Xr sha1 1 217hash of the passphrase itself, encoded as a hexadecimal string (using 218lower-case letters only). 219.Pp 220When X509-based authentication is performed in Main Mode, any X509 221certificates received from the remote IKE daemon are converted to very 222simple KeyNote credentials. 223The conversion is straightforward: the 224issuer of the X509 certificate becomes the Authorizer of the KeyNote 225credential, the subject becomes the only Licensees entry, while the 226Conditions field simply asserts that the credential is only valid for 227"IPsec policy" use (see the app_domain action attribute below). 228.Pp 229Similarly, any X509 CA certificates present in the directory pointed 230to by the appropriate 231.Xr isakmpd.conf 5 232entry are converted to such pseudo-credentials. 233This allows one to 234write KeyNote policies that delegate specific authority to CAs (and 235the keys those CAs certify, recursively). 236.Pp 237For more details on KeyNote assertion format, see 238.Xr keynote 5 . 239.Pp 240Information about the proposals, the identity of the remote IKE 241daemon, the packet classes to be protected, etc. are encoded in what 242is called an action set. 243The action set is composed of name-value 244attributes, similar in some ways to shell environment variables. 245These values are initialized by 246.Xr isakmpd 8 247before each query to the KeyNote system, and can be tested against in 248the Conditions field of assertions. 249See 250.Xr keynote 4 251and 252.Xr keynote 5 253for more details on the format and semantics of the Conditions field. 254.Pp 255Note that assertions and credentials can make references to 256non-existent attributes without catastrophic failures (access may be 257denied, depending on the overall structure, but will not be 258accidentally granted). 259One reason for credentials referencing 260non-existent attributes is that they were defined within a specific 261implementation or network only. 262.Pp 263In the following attribute set, IPv4 addresses are encoded as ASCII 264strings in the usual dotted-quad format. 265However, all quads are three digits long. 266For example, the IPv4 address 10.128.1.12 would be encoded as 010.128.001.012. 267Similarly, IPv6 addresses are encoded in the standard x:x:x:x:x:x:x:x 268format, where the 'x's are the hexadecimal values of the eight 16-bit 269pieces of the address. 270All 'x's are four digits long. 271For example, the address 1080:0:12:0:8:800:200C:417A 272would be encoded as 1080:0000:0012:0000:0008:0800:200C:417A. 273.Pp 274The following attributes are currently defined: 275.Bl -tag -width -indent 276.It ah_auth_alg 277One of 278.Va hmac-md5 , 279.Va hmac-sha , 280.Va des-mac , 281.Va kpdk , 282.Va hmac-sha2-256 , 283.Va hmac-sha2-384 , 284.Va hmac-sha2-512 , 285or 286.Va hmac-ripemd . 287based on the authentication method specified in the AH proposal. 288.It ah_ecn, esp_ecn, comp_ecn 289Set to 290.Va yes 291or 292.Va no , 293based on whether ECN was requested for the IPsec tunnel. 294.It ah_encapsulation, esp_encapsulation, comp_encapsulation 295Set to 296.Va tunnel 297or 298.Va transport , 299based on the AH, ESP, and compression proposal. 300.It ah_group_desc, esp_group_desc, comp_group_desc 301The Diffie-Hellman group identifier from the AH, ESP, and compression 302proposal, used for PFS during Quick Mode (see the pfs attribute 303above). 304If more than one of these attributes are set to a value other 305than zero, they should have the same value (in valid IKE proposals). 306Valid values are 1 (768-bit MODP), 2 (1024-bit MODP), 3 (155-bit EC), 3074 (185-bit EC), and 5 (1536-bit MODP). 308.It ah_hash_alg 309One of 310.Va md5 , 311.Va sha , 312.Va ripemd , 313.Va sha2-256 , 314.Va sha2-384 , 315.Va sha2-512 , 316or 317.Va des , 318based on the hash algorithm specified in the AH proposal. 319This attribute describes the generic transform to be used in the AH 320authentication. 321.It ah_key_length, esp_key_length 322The number of key bits to be used by the authentication and encryption 323algorithms respectively (for variable key-size algorithms). 324.It ah_key_rounds, esp_key length 325The number of rounds of the authentication and encryption algorithms 326respectively (for variable round algorithms). 327.It ah_life_kbytes, esp_life_kbytes, comp_life_kbytes 328Set to the lifetime of the AH, ESP, and compression proposal, in 329kbytes of traffic. 330If no lifetime was proposed for the corresponding 331protocol (e.g., there was no proposal for AH), the corresponding 332attribute will be set to zero. 333.It ah_life_seconds, esp_life_seconds, comp_life_seconds 334Set to the lifetime of the AH, ESP, and compression proposal, in 335seconds. 336If no lifetime was proposed for the corresponding protocol 337(e.g., there was no proposal for AH), the corresponding attribute will 338be set to zero. 339.It ah_present, esp_present, comp_present 340Set to 341.Va yes 342if an AH, ESP, or compression proposal was received respectively, 343.Va no 344otherwise. 345.It app_domain 346Always set to 347.Va IPsec policy . 348.It comp_alg 349One of 350.Va oui , 351.Va deflate , 352.Va lzs , 353or 354.Va v42bis , 355based on the compression algorithm specified in the compression 356proposal. 357.It comp_dict_size 358Specifies the log2 maximum size of the dictionary, according to the 359compression proposal. 360.It comp_private_alg 361Set to an integer specifying the private algorithm in use, according 362to the compression proposal. 363.It doi 364Always set to 365.Va ipsec . 366.It esp_auth_alg 367One of 368.Va hmac-md5 , 369.Va hmac-sha , 370.Va des-mac , 371.Va kpdk , 372.Va hmac-sha2-256 , 373.Va hmac-sha2-384 , 374.Va hmac-sha2-512 , 375or 376.Va hmac-ripemd 377based on the authentication method specified in the ESP proposal. 378.It esp_enc_alg 379One of 380.Va des , 381.Va des-iv64 , 382.Va 3des , 383.Va rc4 , 384.Va idea , 385.Va cast , 386.Va blowfish , 387.Va 3idea , 388.Va des-iv32 , 389.Va rc4 , 390.Va null , 391or 392.Va aes , 393based on the encryption algorithm specified in the ESP proposal. 394.It GMTTimeOfDay 395Set to the UTC date/time, in YYYYMMDDHHmmSS format. 396.It initiator 397Set to 398.Va yes 399if the local daemon is initiating the Phase 2 SA, 400.Va no 401otherwise. 402.It local_negotiation_address 403Set to the IPv4 or IPv6 address of the local interface used by the local IKE 404daemon for this exchange. 405.It LocalTimeOfDay 406Set to the local date/time, in YYYYMMDDHHmmSS format. 407.It pfs 408Set to 409.Va yes 410if a Diffie-Hellman exchange will be performed during this Quick Mode, 411.Va no 412otherwise. 413.It phase_1 414Set to 415.Va aggressive 416if aggressive mode was used to establish the Phase 1 SA, or 417.Va main 418if main mode was used instead. 419.It phase1_group_desc 420The Diffie-Hellman group identifier used in IKE Phase 1. 421Takes the same values as 422.Va ah_group_desc . 423.It remote_filter, local_filter, remote_id 424When the corresponding filter_type specifies an address range or 425subnet, these are set to the upper and lower part of the address 426space separated by a dash ('-') character (if the type specifies a 427single address, they are set to that address). 428.Pp 429For FQDN and User FQDN types, these are set to the respective string. 430For Key ID, these are set to the hexadecimal representation of the 431associated byte string (lower-case letters used) if the Key ID payload 432contains non-printable characters. 433Otherwise, they are set to the respective string. 434.Pp 435For ASN1 DN, these are set to the text encoding of the Distinguished 436Name in the payload sent or received. 437The format is the same as that used in the Licensees field. 438.It remote_filter_addr_lower, local_filter_addr_lower, remote_id_addr_lower 439When the corresponding filter_type is 440.Va IPv4 address 441or 442.Va IPv6 address , 443these contain the respective address. 444For 445.Va IPv4 range 446or 447.Va IPv6 range , 448these contain the lower end of the address range. 449For 450.Va IPv4 subnet 451or 452.Va IPv6 subnet , 453these contain the lowest address in the specified subnet. 454.It remote_filter_addr_upper, local_filter_addr_upper, remote_id_addr_upper 455When the corresponding filter_type is 456.Va IPv4 address 457or 458.Va IPv6 address , 459these contain the respective address. 460For 461.Va IPv4 range 462or 463.Va IPv6 range , 464they contain the upper end of the address range. 465For 466.Va IPv4 subnet 467or 468.Va IPv6 subnet , 469they contain the highest address in the specified subnet. 470.It remote_filter_port, local_filter_port, remote_id_port 471Set to the transport protocol port. 472.It remote_filter_proto, local_filter_proto, remote_id_proto 473Set to 474.Va etherip , 475.Va tcp , 476.Va udp , 477or the transport protocol number, depending on the transport protocol set 478in the IDci, IDcr, and Main Mode peer ID respectively. 479.It remote_filter_type, local_filter_type, remote_id_type 480Set to 481.Va IPv4 address , 482.Va IPv4 range , 483.Va IPv4 subnet , 484.Va IPv6 address , 485.Va IPv6 range , 486.Va IPv6 subnet , 487.Va FQDN , 488.Va User FQDN , 489.Va ASN1 DN , 490.Va ASN1 GN , 491or 492.Va Key ID , 493based on the Quick Mode Initiator ID, Quick Mode Responder ID, and 494Main Mode peer ID respectively. 495.It remote_negotiation_address 496Set to the IPv4 or IPv6 address of the remote IKE daemon. 497.El 498.Sh FILES 499.Bl -tag -width /etc/isakmpd/isakmpd.policy 500.It Pa /etc/isakmpd/isakmpd.policy 501The default 502.Xr isakmpd 8 503policy configuration file. 504.El 505.Sh EXAMPLES 506.Bd -literal 507 Authorizer: "POLICY" 508 Comment: This bare-bones assertion accepts everything 509 510 511 512 Authorizer: "POLICY" 513 Licensees: "passphrase-md5-hex:10838982612aff543e2e62a67c786550" 514 Comment: This policy accepts anyone using shared-secret 515 authentication using the password mekmitasdigoat, 516 and does ESP with some form of encryption (not null). 517 Conditions: app_domain == "IPsec policy" && 518 esp_present == "yes" && 519 esp_enc_alg != "null" -> "true"; 520 521 522 523 Authorizer: "POLICY" 524 Licensees: "subpolicy1" || "subpolicy2" 525 Comment: Delegate to two other sub-policies, so we 526 can manage our policy better. Since these subpolicies 527 are not "owned" by a key (and are thus unsigned), they 528 have to be in isakmpd.policy. 529 Conditions: app_domain == "IPsec policy"; 530 531 532 533 KeyNote-Version: 2 534 Licensees: "passphrase-md5-hex:9c42a1346e333a770904b2a2b37fa7d3" 535 Conditions: esp_present == "yes" -> "true"; 536 Authorizer: "subpolicy1" 537 538 539 540 Conditions: ah_present == "yes" -> 541 { 542 ah_auth_alg == "md5" -> "true"; 543 ah_auth_alg == "sha" && 544 esp_present == "no" -> "true"; 545 }; 546 Licensees: "passphrase:otherpassword" || 547 "passphrase-sha1-hex:f5ed6e4abd30c36a89409b5da7ecb542c9fbf00f" 548 Authorizer: "subpolicy2" 549 550 551 552 keynote-version: 2 553 comment: this is an example of a policy delegating to a CN. 554 authorizer: "POLICY" 555 licensees: "DN:/CN=CA Certificate/emailAddress=ca@foo.bar.com" 556 557 558 559 keynote-version: 2 560 comment: This is an example of a policy delegating to a key. 561 authorizer: "POLICY" 562 licensees: "x509-base64:MIICGDCCAYGgAwIBAgIBADANBgkqhkiG9w0BAQQ\\ 563 FADBSMQswCQYDVQQGEwJHQjEOMAwGA1UEChMFQmVuQ28xETAPBg\\ 564 NVBAMTCEJlbkNvIENBMSAwHgYJKoZIhvcNAQkBFhFiZW5AYWxnc\\ 565 m91cC5jby51azAeFw05OTEwMTEyMjQ5MzhaFw05OTExMTAyMjQ5\\ 566 MzhaMFIxCzAJBgNVBAYTAkdCMQ4wDAYDVQQKEwVCZW5DbzERMA8\\ 567 GA1UEAxMIQmVuQ28gQ0ExIDAeBgkqhkiG9w0BCQEWEWJlbkBhbG\\ 568 dyb3VwLmNvLnVrMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBg\\ 569 QCxyAte2HEVouXg1Yu+vDihbnjDRn+6k00Rv6cZqbwA3BQ30mC/\\ 570 3TFJ09VGXCaM0UKfpnxIpkBYLmOA3FWkKI0RvPU7E1AhKkhC1Ds\\ 571 PSBFjYHrB15T5lYzgfwKJCIxTDzZDx2iobUgPa0FRNGVUjpQ4/k\\ 572 MJ2BF4Wh7zY3X08rMzsQIDAQABMA0GCSqGSIb3DQEBBAUAA4GBA\\ 573 DWJ5pbTcE7iKHWLQTMYiz8i9jGi5+Eo1yr1Bab90tgaGQV0zrRH\\ 574 jDHgAAy1h8WSXuyQrXfgbx2rnWFPhx9CfmuAXn7sZmQE3mnUqeP\\ 575 ZL2dW87jdBGqtoUdNcoz5zKBkC943yasNui/O01MiqgadTThTJH\\ 576 d1Pn17LbJC1ZVRNjR5" 577 conditions: app_domain == "IPsec policy" && doi == "ipsec" && 578 pfs == "yes" && esp_present == "yes" && ah_present == "no" && 579 (esp_enc_alg == "3des" || esp_enc_alg == "aes") -> "true"; 580 581 582 583 keynote-version: 2 584 comment: This is an example of a credential, the signature does 585 not really verify (although the keys are real). 586 licensees: "x509-base64:MIICGDCCAYGgAwIBAgIBADANBgkqhkiG9w0BAQQ\\ 587 FADBSMQswCQYDVQQGEwJHQjEOMAwGA1UEChMFQmVuQ28xETAPBg\\ 588 NVBAMTCEJlbkNvIENBMSAwHgYJKoZIhvcNAQkBFhFiZW5AYWxnc\\ 589 m91cC5jby51azAeFw05OTEwMTEyMzA2MjJaFw05OTExMTAyMzA2\\ 590 MjJaMFIxCzAJBgNVBAYTAkdCMQ4wDAYDVQQKEwVCZW5DbzERMA8\\ 591 GA1UEAxMIQmVuQ28gQ0ExIDAeBgkqhkiG9w0BCQEWEWJlbkBhbG\\ 592 dyb3VwLmNvLnVrMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBg\\ 593 QDaCs+JAB6YRKAVkoi1NkOpE1V3syApjBj0Ahjq5HqYAACo1JhM\\ 594 +QsPwuSWCNhBT51HX6G6UzfY3mOUz/vou6MJ/wor8EdeTX4nucx\\ 595 NSz/r6XI262aXezAp+GdBviuJZx3Q67ON/IWYrB4QtvihI4bMn5\\ 596 E55nF6TKtUMJTdATvs/wIDAQABMA0GCSqGSIb3DQEBBAUAA4GBA\\ 597 MaQOSkaiR8id0h6Zo0VSB4HpBnjpWqz1jNG8N4RPN0W8muRA2b9\\ 598 85GNP1bkC3fK1ZPpFTB0A76lLn11CfhAf/gV1iz3ELlUHo5J8nx\\ 599 Pu6XfsGJm3HsXJOuvOog8Aean4ODo4KInuAsnbLzpGl0d+Jqa5u\\ 600 TZUxsyg4QOBwYEU92H" 601 authorizer: "x509-base64:MIICGDCCAYGgAwIBAgIBADANBgkqhkiG9w0BAQQ\\ 602 FADBSMQswCQYDVQQGEwJHQjEOMAwGA1UEChMFQmVuQ28xETAPBg\\ 603 NVBAMTCEJlbkNvIENBMSAwHgYJKoZIhvcNAQkBFhFiZW5AYWxnc\\ 604 m91cC5jby51azAeFw05OTEwMTEyMjQ5MzhaFw05OTExMTAyMjQ5\\ 605 MzhaMFIxCzAJBgNVBAYTAkdCMQ4wDAYDVQQKEwVCZW5DbzERMA8\\ 606 GA1UEAxMIQmVuQ28gQ0ExIDAeBgkqhkiG9w0BCQEWEWJlbkBhbG\\ 607 dyb3VwLmNvLnVrMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBg\\ 608 QCxyAte2HEVouXg1Yu+vDihbnjDRn+6k00Rv6cZqbwA3BQ30mC/\\ 609 3TFJ09VGXCaM0UKfpnxIpkBYLmOA3FWkKI0RvPU7E1AhKkhC1Ds\\ 610 PSBFjYHrB15T5lYzgfwKJCIxTDzZDx2iobUgPa0FRNGVUjpQ4/k\\ 611 MJ2BF4Wh7zY3X08rMzsQIDAQABMA0GCSqGSIb3DQEBBAUAA4GBA\\ 612 DWJ5pbTcE7iKHWLQTMYiz8i9jGi5+Eo1yr1Bab90tgaGQV0zrRH\\ 613 jDHgAAy1h8WSXuyQrXfgbx2rnWFPhx9CfmuAXn7sZmQE3mnUqeP\\ 614 ZL2dW87jdBGqtoUdNcoz5zKBkC943yasNui/O01MiqgadTThTJH\\ 615 d1Pn17LbJC1ZVRNjR5" 616conditions: app_domain == "IPsec policy" && doi == "ipsec" && 617 pfs == "yes" && esp_present == "yes" && ah_present == "no" && 618 (esp_enc_alg == "3des" || esp_enc_alg == "aes") -> "true"; 619Signature: "sig-x509-sha1-base64:ql+vrUxv14DcBOQHR2jsbXayq6T\\ 620 mmtMiUB745a8rjwSrQwh+KIVDlUrghPnqhSIkWSDi9oWWMbfg\\ 621 mkdudZ0wjgeTLMI2NI4GibMMsToakOKMex/0q4cpdpln3DKcQ\\ 622 IcjzRv4khDws69FT3QfELjcpShvbLrXmh1Z00OFmxjyqDw=" 623.Ed 624.Sh SEE ALSO 625.Xr ipsec 4 , 626.Xr keynote 4 , 627.Xr keynote 5 , 628.Xr isakmpd 8 629.Sh BUGS 630A more sane way of expressing IPv6 address ranges is needed. 631