1.\" $OpenBSD: iked.conf.5,v 1.85 2021/04/11 23:27:06 tobhe Exp $ 2.\" 3.\" Copyright (c) 2010 - 2014 Reyk Floeter <reyk@openbsd.org> 4.\" Copyright (c) 2004 Mathieu Sauve-Frankel All rights reserved. 5.\" 6.\" Permission to use, copy, modify, and distribute this software for any 7.\" purpose with or without fee is hereby granted, provided that the above 8.\" copyright notice and this permission notice appear in all copies. 9.\" 10.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 11.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 12.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 13.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 14.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 15.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 16.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 17.\" 18.Dd $Mdocdate: April 11 2021 $ 19.Dt IKED.CONF 5 20.Os 21.Sh NAME 22.Nm iked.conf 23.Nd IKEv2 configuration file 24.Sh DESCRIPTION 25.Nm 26is the configuration file for 27.Xr iked 8 , 28the Internet Key Exchange version 2 (IKEv2) daemon for IPsec. 29IPsec itself is a pair of protocols: 30Encapsulating Security Payload (ESP), 31which provides integrity and confidentiality; 32and Authentication Header (AH), 33which provides integrity. 34The IPsec protocol itself is described in 35.Xr ipsec 4 . 36.Pp 37In its most basic form, a flow is established between hosts and/or 38networks, and then Security Associations (SA) are established, 39which detail how the desired protection will be achieved. 40IPsec uses flows to determine whether to apply security services to an 41IP packet or not. 42.Xr iked 8 43is used to set up flows and establish SAs automatically, 44by specifying 45.Sq ikev2 46policies in 47.Nm 48(see 49.Sx AUTOMATIC KEYING POLICIES , 50below). 51.Pp 52Alternative methods of setting up flows and SAs are also possible 53using manual keying or automatic keying using the older ISAKMP/Oakley 54a.k.a. IKEv1 protocol. 55Manual keying is not recommended, but can be convenient for quick 56setups and testing. 57See 58.Xr ipsec.conf 5 59and 60.Xr isakmpd 8 61for more information about manual keying and ISAKMP support. 62.Sh IKED.CONF FILE FORMAT 63.Nm 64is divided into three main sections: 65.Bl -tag -width xxxx 66.It Sy Macros 67User-defined macros may be defined and used later, simplifying the 68configuration file. 69.It Sy Global Configuration 70Global settings for 71.Xr iked 8 . 72.It Sy Automatic Keying Policies 73Policies to set up IPsec flows and SAs automatically. 74.El 75.Pp 76Lines beginning with 77.Sq # 78and empty lines are regarded as comments, 79and ignored. 80Lines may be split using the 81.Sq \e 82character. 83.Pp 84Argument names not beginning with a letter, digit, or underscore 85must be quoted. 86.Pp 87Addresses can be specified in CIDR notation (matching netblocks), 88as symbolic host names, interface names, or interface group names. 89.Pp 90Additional configuration files can be included with the 91.Ic include 92keyword, for example: 93.Bd -literal -offset indent 94include "/etc/macros.conf" 95.Ed 96.Sh MACROS 97Macros can be defined that will later be expanded in context. 98Macro names must start with a letter, digit, or underscore, 99and may contain any of those characters. 100Macro names may not be reserved words (for example 101.Ic flow , 102.Ic from , 103.Ic esp ) . 104Macros are not expanded inside quotes. 105.Pp 106For example: 107.Bd -literal -offset indent 108remote_gw = "192.168.3.12" 109ikev2 esp from 192.168.7.0/24 to 192.168.8.0/24 peer $remote_gw 110.Ed 111.Sh GLOBAL CONFIGURATION 112Here are the settings that can be set globally: 113.Bl -tag -width xxxx 114.It Ic set active 115Set 116.Xr iked 8 117to global active mode. 118In active mode the per-policy 119.Ar mode 120setting is respected. 121.Xr iked 8 122will initiate policies set to 123.Ar active 124and wait for incoming requests for policies set to 125.Ar passive . 126This is the default. 127.It Ic set passive 128Set 129.Xr iked 8 130to global passive mode. 131In passive mode no packets are sent to peers and no connections are 132initiated by 133.Xr iked 8 , 134even for 135.Ar active 136policies. 137This option is used for setups using 138.Xr sasyncd 8 139and 140.Xr carp 4 141to provide redundancy. 142.Xr iked 8 143will run in passive mode until sasyncd has determined that the host 144is the master and can switch to active mode. 145.It Ic set couple 146Load the negotiated security associations (SAs) and flows into the kernel. 147This is the default. 148.It Ic set decouple 149Don't load the negotiated SAs and flows from the kernel. 150This mode is only useful for testing and debugging. 151.It Ic set dpd_check_interval Ar time 152Specify the liveness check interval, in seconds. 153Setting 154.Ar time 155to 0 disables DPD. 156The default value is 60 seconds. 157.It Ic set enforcesingleikesa 158Allow only a single active IKE SA for each 159.Ic dstid . 160When a new SA with the same 161.Ic dstid 162is established, it replaces the old SA. 163.It Ic set noenforcesingleikesa 164Don't limit the number of IKE SAs per 165.Ic dstid . 166This is the default. 167.It Ic set fragmentation 168Enable IKEv2 Message Fragmentation (RFC 7383) support. 169This allows IKEv2 to operate in environments that might block IP fragments. 170.It Ic set nofragmentation 171Disables IKEv2 Message Fragmentation support. 172This is the default. 173.It Ic set mobike 174Enable MOBIKE (RFC 4555) support. 175This is the default. 176MOBIKE allows the peer IP address to be changed for IKE and IPsec SAs. 177Currently 178.Xr iked 8 179only supports MOBIKE when acting as a responder. 180.It Ic set nomobike 181Disables MOBIKE support. 182.It Ic set cert_partial_chain 183Allow partial certificate chain if at least one certificate is a trusted CA from 184.Pa /etc/iked/ca/ . 185.It Ic set ocsp Ar URL Op Ic tolerate Ar time Op Ic maxage Ar time 186Enable OCSP and set the fallback URL of the OCSP responder. 187This fallback will be used if the trusted CA from 188.Pa /etc/iked/ca/ 189does not have an OCSP-URL extension. 190Please note that the matching responder certificates 191have to be placed in 192.Pa /etc/iked/ocsp/responder.crt . 193.Pp 194The optional 195.Ic tolerate 196parameter specifies how much the OCSP response attribute 197.Sq thisUpdate 198may be in the future and how much 199.Sq nextUpdate 200may be in the past, with respect to the local time. 201The optional 202.Ic maxage 203parameter specifies how much 204.Sq thisUpdate 205may be in the past. 206If 207.Ic tolerate 208is set to 0 then the times are not verified at all. 209This is the default setting. 210.It Ic user Ar name password 211.Xr iked 8 212supports user-based authentication by tunneling the Extensible 213Authentication Protocol (EAP) over IKEv2. 214In its most basic form, the users will be authenticated against a 215local, integrated password database that is configured with the 216.Ic user 217lines in 218.Nm 219and the 220.Ar name 221and 222.Ar password 223arguments. 224Note that the password has to be specified in plain text which is 225required to support different challenge-based EAP methods like 226EAP-MD5 or EAP-MSCHAPv2. 227.El 228.Sh AUTOMATIC KEYING POLICIES 229This section is used to configure policies that will be used by 230.Xr iked 8 231to set up flows and SAs automatically. 232Some examples of setting up automatic keying: 233.Bd -literal -offset 3n 234# Set up a VPN: 235# First between the gateway machines 192.168.3.1 and 192.168.3.2 236# Second between the networks 10.1.1.0/24 and 10.1.2.0/24 237ikev2 esp from 192.168.3.1 to 192.168.3.2 238ikev2 esp from 10.1.1.0/24 to 10.1.2.0/24 peer 192.168.3.2 239.Ed 240.Pp 241For incoming connections from remote peers, the policies are evaluated 242in sequential order, from first to last. 243The last matching policy decides what action is taken; if no policy matches 244the connection, the default action is to ignore the connection attempt or 245to use the 246.Ar default 247policy, if set. 248Please also see the 249.Sx EXAMPLES 250section for a detailed example of the policy evaluation. 251.Pp 252The first time an IKEv2 connection matches a policy, an IKE SA is 253created; for subsequent packets the connection is identified by the 254IKEv2 parameters that are stored in the SA without evaluating any 255policies. 256After the connection is closed or times out, the IKE SA is 257automatically removed. 258.Pp 259The commands are as follows: 260.Bl -tag -width xxxx -compact 261.It Xo 262.Ic ikev2 263.Op Ar name 264.Xc 265The mandatory 266.Ic ikev2 267keyword will identify an IKEv2 automatic keying policy. 268.Ar name 269is an optional arbitrary string identifying the policy. 270The name should only occur once in 271.Nm 272or any included files. 273If omitted, 274a name will be generated automatically for the policy. 275.Pp 276.It Op Ar eval 277The 278.Ar eval 279option modifies the policy evaluation for this policy. 280It can be one of 281.Ar quick , 282.Ar skip 283or 284.Ar default . 285If a new incoming connection matches a policy with the 286.Ar quick 287option set, that policy is considered the last matching policy, 288and evaluation of subsequent policies is skipped. 289The 290.Ar skip 291option will disable evaluation of this policy for incoming connections. 292The 293.Ar default 294option sets the default policy and should only be specified once. 295.Pp 296.It Op Ar mode 297.Ar mode 298specifies the IKEv2 mode to use: 299one of 300.Ar passive 301or 302.Ar active . 303When 304.Ar passive 305is specified, 306.Xr iked 8 307will not immediately start negotiation of this tunnel, but wait for an incoming 308request from the remote peer. 309When 310.Ar active 311is specified, negotiation will be started at once. 312If omitted, 313.Ar passive 314mode will be used. 315.Pp 316.It Op Ar ipcomp 317The keyword 318.Ar ipcomp 319specifies that 320.Xr ipcomp 4 , 321the IP Payload Compression protocol, is negotiated in addition to encapsulation. 322The optional compression is applied before packets are encapsulated. 323IPcomp must be enabled in the kernel: 324.Pp 325.Dl # sysctl net.inet.ipcomp.enable=1 326.Pp 327.It Op Ar tmode 328.Ar tmode 329describes the encapsulation mode to be used. 330Possible modes are 331.Ar tunnel 332and 333.Ar transport ; 334the default is 335.Ar tunnel . 336.Pp 337.It Op Ar encap 338.Ar encap 339specifies the encapsulation protocol to be used. 340Possible protocols are 341.Ar esp 342and 343.Ar ah ; 344the default is 345.Ar esp . 346.Pp 347.It Op Ar af 348This policy only applies to endpoints of the specified address family 349which can be either 350.Ar inet 351or 352.Ar inet6 . 353Note that this only matters for IKEv2 endpoints and does not 354restrict the traffic selectors to negotiate flows with different 355address families, e.g. IPv6 flows negotiated by IPv4 endpoints. 356.Pp 357.It Ic proto Ar protocol 358The optional 359.Ic proto 360parameter restricts the flow to a specific IP protocol. 361Common protocols are 362.Xr icmp 4 , 363.Xr tcp 4 , 364and 365.Xr udp 4 . 366For a list of all the protocol name to number mappings used by 367.Xr iked 8 , 368see the file 369.Pa /etc/protocols . 370.Pp 371.It Ic rdomain Ar number 372Specify a different routing domain for unencrypted traffic. 373The resulting IPsec SAs will match outgoing packets in the specified 374.Ic rdomain Ar number 375and move the encrypted packets to the rdomain the 376.Xr iked 8 377instance is running in. 378Vice versa, incoming 379.Xr ipsec 4 380traffic is moved to 381.Ic rdomain Ar number 382after decryption. 383.Pp 384.It Xo 385.Ic from Ar src 386.Op Ic port Ar sport 387.Op Pq Ar srcnat 388.Ic to Ar dst 389.Op Ic port Ar dport 390.Xc 391Specify one or more traffic selectors for this policy which will be 392used to negotiate the IPsec flows between the IKEv2 peers. 393During the negotiation, the peers may decide to narrow a flow to a 394subset of the configured traffic selector networks to match the 395policies on each side. 396.Pp 397Each traffic selector will apply for packets with source address 398.Ar src 399and destination address 400.Ar dst . 401If the 402.Ar src 403argument specifies a fictional source ID, 404the 405.Ar srcnat 406parameter can be used to specify the actual source address. 407This can be used in outgoing NAT/BINAT scenarios as described below. 408The keyword 409.Ar any 410will match any address (i.e. 0.0.0.0/0 and ::/0). 411If the 412.Ic config address 413option is specified, the 414.Ar dynamic 415keyword can be used to create flows from or to the dynamically 416assigned address. 417.Pp 418The optional 419.Ic port 420modifiers restrict the traffic selectors to the specified ports. 421They are only valid in conjunction with the 422.Xr tcp 4 423and 424.Xr udp 4 425protocols. 426Ports can be specified by number or by name. 427For a list of all port name to number mappings used by 428.Xr ipsecctl 8 , 429see the file 430.Pa /etc/services . 431.Pp 432.It Ic local Ar localip Ic peer Ar remote 433The 434.Ic local 435parameter specifies the address or FQDN of the local endpoint. 436Unless the gateway is multi-homed or uses address aliases, 437this option is generally not needed. 438.Pp 439The 440.Ic peer 441parameter specifies the address or FQDN of the remote endpoint. 442For host-to-host connections where 443.Ar dst 444is identical to 445.Ar remote , 446this option is generally not needed as it will be set to 447.Ar dst 448automatically. 449If it is not specified or if the keyword 450.Ar any 451is given, the default peer is used. 452.Pp 453.It Xo 454.Ic ikesa 455.Ic auth Ar algorithm 456.Ic enc Ar algorithm 457.Ic prf Ar algorithm 458.Ic group Ar group 459.Xc 460These parameters define the mode and cryptographic transforms to be 461used for the IKE SA negotiation, also known as phase 1. 462The IKE SA will be used to authenticate the machines and to set up an 463encrypted channel for the IKEv2 protocol. 464.Pp 465Possible values for 466.Ic auth , 467.Ic enc , 468.Ic prf , 469.Ic group , 470and the default proposals are described below in 471.Sx CRYPTO TRANSFORMS . 472If omitted, 473.Xr iked 8 474will use the default proposals for the IKEv2 protocol. 475.Pp 476The keyword 477.Ic ikesa 478can be used multiple times as a delimiter between IKE SA proposals. 479The order of the proposals depend on the order in the configuration. 480The keywords 481.Ic auth , 482.Ic enc , 483.Ic prf 484and 485.Ic group 486can be used multiple times within a single proposal to configure 487multiple crypto transforms. 488.Pp 489.It Xo 490.Ic childsa 491.Ic auth Ar algorithm 492.Ic enc Ar algorithm 493.Ic group Ar group 494.Ic esn 495.Xc 496These parameters define the cryptographic transforms to be used for 497the Child SA negotiation, also known as phase 2. 498Each Child SA will be used to negotiate the actual IPsec SAs. 499The initial Child SA is always negotiated with the initial IKEv2 key 500exchange; additional Child SAs may be negotiated with additional 501Child SA key exchanges for an established IKE SA. 502.Pp 503Possible values for 504.Ic auth , 505.Ic enc , 506.Ic group , 507.Ic esn , 508and the default proposals are described below in 509.Sx CRYPTO TRANSFORMS . 510If omitted, 511.Xr iked 8 512will use the default proposals for the ESP or AH protocol. 513.Pp 514The 515.Ic group 516option will only be used to enable Perfect Forward Secrecy (PFS) 517for additional Child SAs exchanges that are not part of the initial 518key exchange. 519.Pp 520The keyword 521.Ic childsa 522can be used multiple times as a delimiter between Child SA proposals. 523The order of the proposals depend on the order in the configuration. 524The keywords 525.Ic auth , 526.Ic enc 527and 528.Ic group 529can be used multiple times within a single proposal to configure 530multiple crypto transforms. 531.Pp 532.It Ic srcid Ar string Ic dstid Ar string 533.Ic srcid 534defines an ID of type 535.Dq FQDN , 536.Dq ASN1_DN , 537.Dq IPV4 , 538.Dq IPV6 , 539or 540.Dq UFQDN 541that will be used by 542.Xr iked 8 543as the identity of the local peer. 544If the argument is an email address (reyk@example.com), 545.Xr iked 8 546will use UFQDN as the ID type. 547The ASN1_DN type will be used if the string starts with a slash 548.Sq / 549(/C=DE/../CN=10.0.0.1/emailAddress=reyk@example.com). 550If the argument is an IPv4 address or a compressed IPv6 address, 551the ID types IPV4 or IPV6 will be used. 552Anything else is considered to be an FQDN. 553.Pp 554If 555.Ic srcid 556is omitted, 557the default is to use the hostname of the local machine, 558see 559.Xr hostname 1 560to set or print the hostname. 561.Pp 562.Ic dstid 563is similar to 564.Ic srcid , 565but instead specifies the ID to be used 566by the remote peer. 567.Pp 568.It Ic ikelifetime Ar time 569The optional 570.Ic ikelifetime 571parameter defines the IKE SA expiration timeout by the 572.Ar time 573SA was created. 574A zero value disables active IKE SA rekeying. 575This is the default. 576.Pp 577The accepted format of the 578.Ar time 579specification is described below. 580.Pp 581.It Ic lifetime Ar time Op Ic bytes Ar bytes 582The optional 583.Ic lifetime 584parameter defines the Child SA expiration timeout by the 585.Ar time 586SA was in use and by the number of 587.Ar bytes 588that were processed using the SA. 589Default values are 3 hours and 512 megabytes which means that SA will be 590rekeyed before reaching the time limit or 512 megabytes of data 591will pass through. 592Zero values disable rekeying. 593.Pp 594Several unit specifiers are recognized (ignoring case): 595.Ql m 596and 597.Ql h 598for minutes and hours, and 599.Ql K , 600.Ql M 601and 602.Ql G 603for kilo-, mega- and gigabytes accordingly. 604.Pp 605Please note that rekeying must happen at least several times a day as 606IPsec security heavily depends on frequent key renewals. 607.Pp 608.It Op Ar ikeauth 609Specify a method to be used to authenticate the remote peer. 610.Xr iked 8 611will automatically determine a method based on public keys or certificates 612configured for the peer. 613.Ar ikeauth 614can be used to override this behaviour. 615Non-psk modes will require setting up certificates and RSA or ECDSA public 616keys; see 617.Xr iked 8 618for more information. 619.Pp 620.Bl -tag -width $domain -compact -offset indent 621.It Ic eap Ar type 622Use EAP to authenticate the initiator. 623The only supported EAP 624.Ar type 625is currently 626.Ar MSCHAP-V2 . 627The responder will use RSA public key authentication. 628.It Ic ecdsa256 629Use ECDSA with a 256-bit elliptic curve key and SHA2-256 for authentication. 630.It Ic ecdsa384 631Use ECDSA with a 384-bit elliptic curve key and SHA2-384 for authentication. 632.It Ic ecdsa521 633Use ECDSA with a 521-bit elliptic curve key and SHA2-512 for authentication. 634.It Ic psk Ar string 635Use a pre-shared key 636.Ar string 637or hex value (starting with 0x) for authentication. 638.It Ic rfc7427 639Only use RFC 7427 signatures for authentication. 640RFC 7427 signatures currently only support SHA2-256 as the hash. 641.It Ic rsa 642Use RSA public key authentication with SHA1 as the hash. 643.El 644.Pp 645The default is to allow any signature authentication. 646.Pp 647.It Cm config Ar option address 648.It Cm request Ar option address 649Request or serve one or more optional configuration payloads (CP). 650The configuration 651.Ar option 652can be one of the following with the expected address format: 653.Pp 654.Bl -tag -width Ds -compact -offset indent 655.It Ic address Ar address 656Assign a static address on the internal network. 657.It Ic address Ar address/prefix 658Assign a dynamic address on the internal network. 659The address will be assigned from an address pool with the size specified by 660.Ar prefix . 661.It Ic netmask Ar netmask 662The IPv4 netmask of the internal network. 663.It Ic name-server Ar address 664The DNS server address within the internal network. 665.It Ic netbios-server Ar address 666The NetBIOS name server (WINS) within the internal network. 667This option is provided for compatibility with legacy clients. 668.It Ic dhcp-server Ar address 669The address of an internal DHCP server for further configuration. 670.It Ic protected-subnet Ar address/prefix 671The address of an additional IPv4 or IPv6 subnet reachable over the 672gateway. 673This option is used to notify the peer of a subnet behind the gateway (that 674might require a second SA). 675Networks specified in this SA's "from" or "to" options do not need to be 676included. 677.It Ic access-server Ar address 678The address of an internal remote access server. 679.El 680.Pp 681.It Ic iface Ar interface 682Configure requested addresses and routes on the specified 683.Ar interface . 684.Pp 685.It Ic tag Ar string 686Add a 687.Xr pf 4 688tag to all packets of IPsec SAs created for this connection. 689This will allow matching packets for this connection by defining 690rules in 691.Xr pf.conf 5 692using the 693.Cm tagged 694keyword. 695.Pp 696The following variables can be used in tags to include information 697from the remote peer on runtime: 698.Pp 699.Bl -tag -width $domain -compact -offset indent 700.It Ar $id 701The 702.Ic dstid 703that was proposed by the remote peer to identify itself. 704It will be expanded to 705.Ar id-value , 706e.g.\& 707.Ar FQDN/foo.example.com . 708To limit the size of the derived tag, 709.Xr iked 8 710will extract the common name 711.Sq CN= 712from ASN1_DN IDs, for example 713.Ar ASN1_ID//C=DE/../CN=10.1.1.1/.. 714will be expanded to 715.Ar 10.1.1.1 . 716.It Ar $eapid 717For a connection using EAP, the identity (username) used by the remote peer. 718.It Ar $domain 719Extract the domain from IDs of type FQDN, UFQDN or ASN1_DN. 720.It Ar $name 721The name of the IKEv2 policy that was configured in 722.Nm 723or automatically generated by 724.Xr iked 8 . 725.El 726.Pp 727For example, if the ID is 728.Ar FQDN/foo.example.com 729or 730.Ar UFQDN/user@example.com , 731.Dq ipsec-$domain 732expands to 733.Dq ipsec-example.com . 734The variable expansion for the 735.Ar tag 736directive occurs only at runtime (not when the file is parsed) 737and must be quoted, or it will be interpreted as a macro. 738.Pp 739.It Ic tap Ar interface 740Send the decapsulated IPsec traffic to the specified 741.Xr enc 4 742.Ar interface 743instead of 744.Ar enc0 745for filtering and monitoring. 746The traffic will be blocked if the specified 747.Ar interface 748does not exist. 749.El 750.Sh PACKET FILTERING 751IPsec traffic appears unencrypted on the 752.Xr enc 4 753interface 754and can be filtered accordingly using the 755.Ox 756packet filter, 757.Xr pf 4 . 758The grammar for the packet filter is described in 759.Xr pf.conf 5 . 760.Pp 761The following components are relevant to filtering IPsec traffic: 762.Bl -ohang -offset indent 763.It external interface 764Interface for IKE traffic and encapsulated IPsec traffic. 765.It proto udp port 500 766IKE traffic on the external interface. 767.It proto udp port 4500 768IKE NAT-Traversal traffic on the external interface. 769.It proto ah | esp 770Encapsulated IPsec traffic 771on the external interface. 772.It enc0 773Default interface for outgoing traffic before it's been encapsulated, 774and incoming traffic after it's been decapsulated. 775State on this interface should be interface bound; 776see 777.Xr enc 4 778for further information. 779.It proto ipencap 780[tunnel mode only] 781IP-in-IP traffic flowing between gateways 782on the enc0 interface. 783.It tagged ipsec-example.org 784Match traffic of IPsec SAs using the 785.Ic tag 786keyword. 787.El 788.Pp 789If the filtering rules specify to block everything by default, 790the following rule 791would ensure that IPsec traffic never hits the packet filtering engine, 792and is therefore passed: 793.Bd -literal -offset indent 794set skip on enc0 795.Ed 796.Pp 797In the following example, all traffic is blocked by default. 798IPsec-related traffic from gateways {192.168.3.1, 192.168.3.2} and 799networks {10.0.1.0/24, 10.0.2.0/24} is permitted. 800.Bd -literal -offset indent 801block on ix0 802block on enc0 803 804pass in on ix0 proto udp from 192.168.3.2 to 192.168.3.1 \e 805 port {500, 4500} 806pass out on ix0 proto udp from 192.168.3.1 to 192.168.3.2 \e 807 port {500, 4500} 808 809pass in on ix0 proto esp from 192.168.3.2 to 192.168.3.1 810pass out on ix0 proto esp from 192.168.3.1 to 192.168.3.2 811 812pass in on enc0 proto ipencap from 192.168.3.2 to 192.168.3.1 \e 813 keep state (if-bound) 814pass out on enc0 proto ipencap from 192.168.3.1 to 192.168.3.2 \e 815 keep state (if-bound) 816pass in on enc0 from 10.0.2.0/24 to 10.0.1.0/24 \e 817 keep state (if-bound) 818pass out on enc0 from 10.0.1.0/24 to 10.0.2.0/24 \e 819 keep state (if-bound) 820.Ed 821.Pp 822.Xr pf 4 823has the ability to filter IPsec-related packets 824based on an arbitrary 825.Em tag 826specified within a ruleset. 827The tag is used as an internal marker 828which can be used to identify the packets later on. 829This could be helpful, 830for example, 831in scenarios where users are connecting in from differing IP addresses, 832or to support queue-based bandwidth control, 833since the enc0 interface does not support it. 834.Pp 835The following 836.Xr pf.conf 5 837fragment uses queues for all IPsec traffic with special 838handling for developers and employees: 839.Bd -literal -offset indent 840queue std on ix0 bandwidth 100M 841queue deflt parent std bandwidth 10M default 842queue developers parent std bandwidth 75M 843queue employees parent std bandwidth 5M 844queue ipsec parent std bandwidth 10M 845 846pass out on ix0 proto esp set queue ipsec 847 848pass out on ix0 tagged ipsec-developers.example.com \e 849 set queue developers 850pass out on ix0 tagged ipsec-employees.example.com \e 851 set queue employees 852.Ed 853.Pp 854The following example assigns the tags in the 855.Nm 856configuration and also sets an alternative 857.Xr enc 4 858device: 859.Bd -literal -offset indent 860ikev2 esp from 10.1.1.0/24 to 10.1.2.0/24 peer 192.168.3.2 \e 861 tag "ipsec-$domain" tap "enc1" 862.Ed 863.Sh OUTGOING NETWORK ADDRESS TRANSLATION 864In some network topologies it is desirable to perform NAT on traffic leaving 865through the VPN tunnel. 866In order to achieve that, 867the 868.Ar src 869argument is used to negotiate the desired network ID with the peer 870and the 871.Ar srcnat 872parameter defines the true local subnet, 873so that a correct SA can be installed on the local side. 874.Pp 875For example, 876if the local subnet is 192.168.1.0/24 and all the traffic 877for a specific VPN peer should appear as coming from 10.10.10.1, 878the following configuration is used: 879.Bd -literal -offset indent 880ikev2 esp from 10.10.10.1 (192.168.1.0/24) to 192.168.2.0/24 \e 881 peer 10.10.20.1 882.Ed 883.Pp 884Naturally, 885a relevant NAT rule is required in 886.Xr pf.conf 5 . 887For the example above, 888this would be: 889.Bd -literal -offset indent 890match out on enc0 from 192.168.1.0/24 to 192.168.2.0/24 \e 891 nat-to 10.10.10.1 892.Ed 893.Pp 894From the peer's point of view, 895the local end of the VPN tunnel is declared to be 10.10.10.1 896and all the traffic arrives with that source address. 897.Sh CRYPTO TRANSFORMS 898The following authentication types are permitted with the 899.Ic auth 900keyword: 901.Bl -column "Authentication" "Key Length" "Truncated Length" "Default" -offset indent 902.It Em "Authentication" Ta Em "Key Length" Ta Em "Truncated Length" Ta Em "Default" 903.It Li hmac-md5 Ta "128 bits" Ta "96 bits" Ta "" 904.It Li hmac-sha1 Ta "160 bits" Ta "96 bits" Ta "x" 905.It Li hmac-sha2-256 Ta "256 bits" Ta "128 bits" Ta "x" 906.It Li hmac-sha2-384 Ta "384 bits" Ta "192 bits" Ta "x" 907.It Li hmac-sha2-512 Ta "512 bits" Ta "256 bits" Ta "x" 908.El 909.Pp 910The following pseudo-random function types are permitted with the 911.Ic prf 912keyword: 913.Bl -column "hmac-sha2-512" "Key Length" "Default" "[IKE only]" -offset indent 914.It Em "PRF" Ta Em "Key Length" Ta Em "Default" Ta "" 915.It Li hmac-md5 Ta "128 bits" Ta "" Ta "[IKE only]" 916.It Li hmac-sha1 Ta "160 bits" Ta "x" Ta "[IKE only]" 917.It Li hmac-sha2-256 Ta "256 bits" Ta "x" Ta "[IKE only]" 918.It Li hmac-sha2-384 Ta "384 bits" Ta "x" Ta "[IKE only]" 919.It Li hmac-sha2-512 Ta "512 bits" Ta "x" Ta "[IKE only]" 920.El 921.Pp 922The following cipher types are permitted with the 923.Ic enc 924keyword: 925.Bl -column "chacha20-poly1305" "Key Length" "Default" "[ESP only]" -offset indent 926.It Em "Cipher" Ta Em "Key Length" Ta Em "Default" Ta "" 927.It Li 3des Ta "168 bits" Ta "x" Ta "" 928.It Li aes-128 Ta "128 bits" Ta "x" Ta "" 929.It Li aes-192 Ta "192 bits" Ta "x" Ta "" 930.It Li aes-256 Ta "256 bits" Ta "x" Ta "" 931.It Li aes-128-ctr Ta "160 bits" Ta "" Ta "[ESP only]" 932.It Li aes-192-ctr Ta "224 bits" Ta "" Ta "[ESP only]" 933.It Li aes-256-ctr Ta "288 bits" Ta "" Ta "[ESP only]" 934.It Li aes-128-gcm Ta "160 bits" Ta "x" Ta "" 935.It Li aes-192-gcm Ta "224 bits" Ta "" Ta "[ESP only]" 936.It Li aes-256-gcm Ta "288 bits" Ta "x" Ta "" 937.It Li aes-128-gcm-12 Ta "160 bits" Ta "" Ta "[IKE only]" 938.It Li aes-256-gcm-12 Ta "288 bits" Ta "" Ta "[IKE only]" 939.It Li blowfish Ta "160 bits" Ta "" Ta "[ESP only]" 940.It Li cast Ta "128 bits" Ta "" Ta "[ESP only]" 941.It Li chacha20-poly1305 Ta "288 bits" Ta "" Ta "[ESP only]" 942.El 943.Pp 944The following cipher types provide only authentication, 945not encryption: 946.Bl -column "chacha20-poly1305" "Key Length" "Default" "[ESP only]" -offset indent 947.It Li aes-128-gmac Ta "160 bits" Ta "" Ta "[ESP only]" 948.It Li aes-192-gmac Ta "224 bits" Ta "" Ta "[ESP only]" 949.It Li aes-256-gmac Ta "288 bits" Ta "" Ta "[ESP only]" 950.It Li null Ta "" Ta "" Ta "[ESP only]" 951.El 952.Pp 953The Extended Sequence Numbers option can be enabled or disabled with the 954.Ic esn 955or 956.Ic noesn 957keywords: 958.Bl -column "noesn" "Default" "[ESP only]" -offset indent 959.It Em ESN Ta Em "Default" Ta Em "" 960.It Li esn Ta "x" Ta "[ESP only]" 961.It Li noesn Ta "x" Ta "[ESP only]" 962.El 963.Pp 964Transforms followed by 965.Bq IKE only 966can only be used with the 967.Ic ikesa 968keyword, transforms with 969.Bq ESP only 970can only be used with the 971.Ic childsa 972keyword. 973.Pp 9743DES requires 24 bytes to form its 168-bit key. 975This is because the most significant bit of each byte is used for parity. 976.Pp 977The keysize of AES-CTR is actually 128-bit. 978However as well as the key, a 32-bit nonce has to be supplied. 979Thus 160 bits of key material have to be supplied. 980The same applies to AES-GCM, AES-GMAC and Chacha20-Poly1305, 981however in the latter case the keysize is 256 bit. 982.Pp 983Using AES-GMAC or NULL with ESP will only provide authentication. 984This is useful in setups where AH cannot be used, e.g. when NAT is involved. 985.Pp 986The following group types are permitted with the 987.Ic group 988keyword: 989.Bl -column "brainpool224" "Group" "Size" "Curve25519" "Default" -offset indent 990.It Em Name Ta Em Group Ta Em Size Ta Em Type Ta Em Default 991.It Li modp768 Ta grp1 Ta 768 Ta "MODP" Ta "" Ta "[insecure]" 992.It Li modp1024 Ta grp2 Ta 1024 Ta "MODP" Ta "x" Ta "[weak]" 993.It Li modp1536 Ta grp5 Ta 1536 Ta "MODP" Ta "x" Ta "[weak]" 994.It Li modp2048 Ta grp14 Ta 2048 Ta "MODP" Ta "x" 995.It Li modp3072 Ta grp15 Ta 3072 Ta "MODP" Ta "x" 996.It Li modp4096 Ta grp16 Ta 4096 Ta "MODP" Ta "x" 997.It Li modp6144 Ta grp17 Ta 6144 Ta "MODP" Ta "" 998.It Li modp8192 Ta grp18 Ta 8192 Ta "MODP" Ta "" 999.It Li ecp256 Ta grp19 Ta 256 Ta "ECP" Ta "x" 1000.It Li ecp384 Ta grp20 Ta 384 Ta "ECP" Ta "x" 1001.It Li ecp521 Ta grp21 Ta 521 Ta "ECP" Ta "x" 1002.It Li ecp192 Ta grp25 Ta 192 Ta "ECP" Ta "" 1003.It Li ecp224 Ta grp26 Ta 224 Ta "ECP" Ta "" 1004.It Li brainpool224 Ta grp27 Ta 224 Ta "ECP" Ta "" 1005.It Li brainpool256 Ta grp28 Ta 256 Ta "ECP" Ta "" 1006.It Li brainpool384 Ta grp29 Ta 384 Ta "ECP" Ta "" 1007.It Li brainpool512 Ta grp30 Ta 512 Ta "ECP" Ta "" 1008.It Li curve25519 Ta grp31 Ta 256 Ta "Curve25519" Ta "x" 1009.El 1010.Pp 1011The currently supported group types are either 1012MODP (exponentiation groups modulo a prime), 1013ECP (elliptic curve groups modulo a prime), 1014or Curve25519. 1015Please note that MODP groups of less than 2048 bits are considered 1016as weak or insecure (see RFC 8247 section 2.4) and only provided for 1017backwards compatibility. 1018.Sh FILES 1019.Bl -tag -width /etc/examples/iked.conf -compact 1020.It Pa /etc/iked.conf 1021.It Pa /etc/examples/iked.conf 1022.El 1023.Sh EXAMPLES 1024The first example is intended for a server with clients connecting to 1025.Xr iked 8 1026as an IPsec gateway, or IKEv2 responder, using mutual public key 1027authentication and additional challenge-based EAP-MSCHAPv2 password 1028authentication: 1029.Bd -literal -offset indent 1030user "test" "password123" 1031 1032ikev2 "win7" esp \e 1033 from dynamic to 172.16.2.0/24 \e 1034 peer 10.0.0.0/8 local 192.168.56.0/24 \e 1035 eap "mschap-v2" \e 1036 config address 172.16.2.1 \e 1037 tag "$name-$id" 1038.Ed 1039.Pp 1040The next example allows peers to authenticate using a pre-shared key 1041.Sq foobar : 1042.Bd -literal -offset indent 1043ikev2 "big test" \e 1044 esp proto tcp \e 1045 from 10.0.0.0/8 port 23 to 20.0.0.0/8 port 40 \e 1046 from 192.168.1.1 to 192.168.2.2 \e 1047 peer any local any \e 1048 ikesa \e 1049 enc 3des auth hmac-sha2-256 \e 1050 group ecp256 group modp1024 \e 1051 ikesa \e 1052 enc 3des auth hmac-sha1 \e 1053 group ecp256 group modp1024 \e 1054 childsa enc aes-128 auth hmac-sha2-256 \e 1055 childsa enc aes-128 auth hmac-sha1 \e 1056 srcid host.example.com \e 1057 dstid 192.168.0.254 \e 1058 psk "foobar" 1059.Ed 1060.Pp 1061The following example illustrates the last matching policy 1062evaluation for incoming connections on an IKEv2 gateway. 1063The peer 192.168.1.34 will always match the first policy because of the 1064.Ar quick 1065keyword; 1066connections from the peers 192.168.1.3 and 192.168.1.2 will be matched 1067by one of the last two policies; 1068any other connections from 192.168.1.0/24 will be matched by the 1069.Sq subnet 1070policy; 1071and any other connection will be matched by the 1072.Sq catch all 1073policy. 1074.Bd -literal -offset indent 1075ikev2 quick esp from 10.10.10.0/24 to 10.20.20.0/24 \e 1076 peer 192.168.1.34 1077ikev2 "catch all" esp from 10.0.1.0/24 to 10.0.2.0/24 \e 1078 peer any 1079ikev2 "subnet" esp from 10.0.3.0/24 to 10.0.4.0/24 \e 1080 peer 192.168.1.0/24 1081ikev2 esp from 10.0.5.0/30 to 10.0.5.4/30 peer 192.168.1.2 1082ikev2 esp from 10.0.5.8/30 to 10.0.5.12/30 peer 192.168.1.3 1083.Ed 1084.Pp 1085This example encrypts a 1086.Xr gre 4 1087tunnel from local machine A (2001:db8::aa:1) to peer D (2001:db8::dd:4) based on 1088FQDN-based public key authentication; 1089.Ar transport 1090mode avoids double encapsulation: 1091.Bd -literal -offset indent 1092ikev2 transport \e 1093 proto gre \e 1094 from 2001:db8::aa:1 to 2001:db8::dd:4 \e 1095 peer D.example.com 1096.Ed 1097.Sh SEE ALSO 1098.Xr enc 4 , 1099.Xr ipsec 4 , 1100.Xr ipsec.conf 5 , 1101.Xr pf.conf 5 , 1102.Xr ikectl 8 , 1103.Xr iked 8 1104.Sh HISTORY 1105The 1106.Nm 1107file format first appeared in 1108.Ox 4.8 . 1109.Sh AUTHORS 1110The 1111.Xr iked 8 1112program was written by 1113.An Reyk Floeter Aq Mt reyk@openbsd.org . 1114