1.\" $OpenBSD: iked.conf.5,v 1.72 2020/07/21 12:33:02 kn Exp $ 2.\" 3.\" Copyright (c) 2010 - 2014 Reyk Floeter <reyk@openbsd.org> 4.\" Copyright (c) 2004 Mathieu Sauve-Frankel All rights reserved. 5.\" 6.\" Permission to use, copy, modify, and distribute this software for any 7.\" purpose with or without fee is hereby granted, provided that the above 8.\" copyright notice and this permission notice appear in all copies. 9.\" 10.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 11.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 12.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 13.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 14.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 15.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 16.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 17.\" 18.Dd $Mdocdate: July 21 2020 $ 19.Dt IKED.CONF 5 20.Os 21.Sh NAME 22.Nm iked.conf 23.Nd IKEv2 configuration file 24.Sh DESCRIPTION 25.Nm 26is the configuration file for 27.Xr iked 8 , 28the Internet Key Exchange version 2 (IKEv2) daemon for IPsec. 29IPsec itself is a pair of protocols: 30Encapsulating Security Payload (ESP), 31which provides integrity and confidentiality; 32and Authentication Header (AH), 33which provides integrity. 34The IPsec protocol itself is described in 35.Xr ipsec 4 . 36.Pp 37In its most basic form, a flow is established between hosts and/or 38networks, and then Security Associations (SA) are established, 39which detail how the desired protection will be achieved. 40IPsec uses flows to determine whether to apply security services to an 41IP packet or not. 42.Xr iked 8 43is used to set up flows and establish SAs automatically, 44by specifying 45.Sq ikev2 46policies in 47.Nm 48(see 49.Sx AUTOMATIC KEYING POLICIES , 50below). 51.Pp 52Alternative methods of setting up flows and SAs are also possible 53using manual keying or automatic keying using the older ISAKMP/Oakley 54a.k.a. IKEv1 protocol. 55Manual keying is not recommended, but can be convenient for quick 56setups and testing. 57See 58.Xr ipsec.conf 5 59and 60.Xr isakmpd 8 61for more information about manual keying and ISAKMP support. 62.Sh IKED.CONF FILE FORMAT 63.Nm 64is divided into three main sections: 65.Bl -tag -width xxxx 66.It Sy Macros 67User-defined macros may be defined and used later, simplifying the 68configuration file. 69.It Sy Global Configuration 70Global settings for 71.Xr iked 8 . 72.It Sy Automatic Keying Policies 73Policies to set up IPsec flows and SAs automatically. 74.El 75.Pp 76Lines beginning with 77.Sq # 78and empty lines are regarded as comments, 79and ignored. 80Lines may be split using the 81.Sq \e 82character. 83.Pp 84Argument names not beginning with a letter, digit, or underscore 85must be quoted. 86.Pp 87Addresses can be specified in CIDR notation (matching netblocks), 88as symbolic host names, interface names, or interface group names. 89.Pp 90Additional configuration files can be included with the 91.Ic include 92keyword, for example: 93.Bd -literal -offset indent 94include "/etc/macros.conf" 95.Ed 96.Sh MACROS 97Macros can be defined that will later be expanded in context. 98Macro names must start with a letter, digit, or underscore, 99and may contain any of those characters. 100Macro names may not be reserved words (for example 101.Ic flow , 102.Ic from , 103.Ic esp ) . 104Macros are not expanded inside quotes. 105.Pp 106For example: 107.Bd -literal -offset indent 108remote_gw = "192.168.3.12" 109ikev2 esp from 192.168.7.0/24 to 192.168.8.0/24 peer $remote_gw 110.Ed 111.Sh GLOBAL CONFIGURATION 112Here are the settings that can be set globally: 113.Bl -tag -width xxxx 114.It Ic set active 115Set 116.Xr iked 8 117to global active mode. 118In active mode the per-policy 119.Ar mode 120setting is respected. 121.Xr iked 8 122will initiate policies set to 123.Ar active 124and wait for incoming requests for policies set to 125.Ar passive . 126This is the default. 127.It Ic set passive 128Set 129.Xr iked 8 130to global passive mode. 131In passive mode no packets are sent to peers and no connections are 132initiated by 133.Xr iked 8 , 134even for 135.Ar active 136policies. 137This option is used for setups using 138.Xr sasyncd 8 139and 140.Xr carp 4 141to provide redundancy. 142.Xr iked 8 143will run in passive mode until sasyncd has determined that the host 144is the master and can switch to active mode. 145.It Ic set couple 146Load the negotiated security associations (SAs) and flows into the kernel. 147This is the default. 148.It Ic set decouple 149Don't load the negotiated SAs and flows from the kernel. 150This mode is only useful for testing and debugging. 151.It Ic set fragmentation 152Enable IKEv2 Message Fragmentation (RFC 7383) support. 153This allows IKEv2 to operate in environments that might block IP fragments. 154.It Ic set nofragmentation 155Disables IKEv2 Message Fragmentation support. 156This is the default. 157.It Ic set mobike 158Enable MOBIKE (RFC 4555) support. 159This is the default. 160MOBIKE allows the peer IP address to be changed for IKE and IPsec SAs. 161Currently 162.Xr iked 8 163only supports MOBIKE when acting as a responder. 164.It Ic set nomobike 165Disables MOBIKE support. 166.It Ic set ocsp Ar URL 167Enable OCSP and set the URL of the OCSP responder. 168Please note that the matching responder and issuer certificates 169have to be placed in 170.Pa /etc/iked/ocsp/responder.crt 171and 172.Pa /etc/iked/ocsp/issuer.crt . 173.It Ic user Ar name password 174.Xr iked 8 175supports user-based authentication by tunneling the Extensible 176Authentication Protocol (EAP) over IKEv2. 177In its most basic form, the users will be authenticated against a 178local, integrated password database that is configured with the 179.Ic user 180lines in 181.Nm 182and the 183.Ar name 184and 185.Ar password 186arguments. 187Note that the password has to be specified in plain text which is 188required to support different challenge-based EAP methods like 189EAP-MD5 or EAP-MSCHAPv2. 190.El 191.Sh AUTOMATIC KEYING POLICIES 192This section is used to configure policies that will be used by 193.Xr iked 8 194to set up flows and SAs automatically. 195Some examples of setting up automatic keying: 196.Bd -literal -offset 3n 197# Set up a VPN: 198# First between the gateway machines 192.168.3.1 and 192.168.3.2 199# Second between the networks 10.1.1.0/24 and 10.1.2.0/24 200ikev2 esp from 192.168.3.1 to 192.168.3.2 201ikev2 esp from 10.1.1.0/24 to 10.1.2.0/24 peer 192.168.3.2 202.Ed 203.Pp 204For incoming connections from remote peers, the policies are evaluated 205in sequential order, from first to last. 206The last matching policy decides what action is taken; if no policy matches 207the connection, the default action is to ignore the connection attempt or 208to use the 209.Ar default 210policy, if set. 211Please also see the 212.Sx EXAMPLES 213section for a detailed example of the policy evaluation. 214.Pp 215The first time an IKEv2 connection matches a policy, an IKE SA is 216created; for subsequent packets the connection is identified by the 217IKEv2 parameters that are stored in the SA without evaluating any 218policies. 219After the connection is closed or times out, the IKE SA is 220automatically removed. 221.Pp 222The commands are as follows: 223.Bl -tag -width xxxx 224.It Xo 225.Ic ikev2 226.Op Ar name 227.Xc 228The mandatory 229.Ic ikev2 230keyword will identify an IKEv2 automatic keying policy. 231.Ar name 232is an optional arbitrary string identifying the policy. 233The name should only occur once in 234.Nm 235or any included files. 236If omitted, 237a name will be generated automatically for the policy. 238.It Op Ar eval 239The 240.Ar eval 241option modifies the policy evaluation for this policy. 242It can be one of 243.Ar quick , 244.Ar skip 245or 246.Ar default . 247If a new incoming connection matches a policy with the 248.Ar quick 249option set, that policy is considered the last matching policy, 250and evaluation of subsequent policies is skipped. 251The 252.Ar skip 253option will disable evaluation of this policy for incoming connections. 254The 255.Ar default 256option sets the default policy and should only be specified once. 257.It Op Ar mode 258.Ar mode 259specifies the IKEv2 mode to use: 260one of 261.Ar passive 262or 263.Ar active . 264When 265.Ar passive 266is specified, 267.Xr iked 8 268will not immediately start negotiation of this tunnel, but wait for an incoming 269request from the remote peer. 270When 271.Ar active 272is specified, negotiation will be started at once. 273If omitted, 274.Ar passive 275mode will be used. 276.It Op Ar ipcomp 277The keyword 278.Ar ipcomp 279specifies that 280.Xr ipcomp 4 , 281the IP Payload Compression protocol, is negotiated in addition to encapsulation. 282The optional compression is applied before packets are encapsulated. 283IPcomp must be enabled in the kernel: 284.Pp 285.Dl # sysctl net.inet.ipcomp.enable=1 286.It Op Ar tmode 287.Ar tmode 288describes the encapsulation mode to be used. 289Possible modes are 290.Ar tunnel 291and 292.Ar transport ; 293the default is 294.Ar tunnel . 295.It Op Ar encap 296.Ar encap 297specifies the encapsulation protocol to be used. 298Possible protocols are 299.Ar esp 300and 301.Ar ah ; 302the default is 303.Ar esp . 304.It Op Ar af 305This policy only applies to endpoints of the specified address family 306which can be either 307.Ar inet 308or 309.Ar inet6 . 310Note that this only matters for IKEv2 endpoints and does not 311restrict the traffic selectors to negotiate flows with different 312address families, e.g. IPv6 flows negotiated by IPv4 endpoints. 313.It Ic proto Ar protocol 314The optional 315.Ic proto 316parameter restricts the flow to a specific IP protocol. 317Common protocols are 318.Xr icmp 4 , 319.Xr tcp 4 , 320and 321.Xr udp 4 . 322For a list of all the protocol name to number mappings used by 323.Xr iked 8 , 324see the file 325.Pa /etc/protocols . 326.It Ic rdomain Ar number 327Specify a different routing domain for unencrypted traffic. 328The resulting IPsec SAs will match outgoing packets in the specified 329.Ic rdomain Ar number 330and move the encrypted packets to the rdomain the 331.Xr iked 8 332instance is running in. 333Vice versa, incoming 334.Xr ipsec 4 335traffic is moved to 336.Ic rdomain Ar number 337after decryption. 338.It Xo 339.Ic from Ar src 340.Op Ic port Ar sport 341.Op Pq Ar srcnat 342.Ic to Ar dst 343.Op Ic port Ar dport 344.Xc 345Specify one or more traffic selectors for this policy which will be 346used to negotiate the IPsec flows between the IKEv2 peers. 347During the negotiation, the peers may decide to narrow a flow to a 348subset of the configured traffic selector networks to match the 349policies on each side. 350.Pp 351Each traffic selector will apply for packets with source address 352.Ar src 353and destination address 354.Ar dst . 355The keyword 356.Ar any 357will match any address (i.e. 0.0.0.0/0). 358If the 359.Ar src 360argument specifies a fictional source ID, 361the 362.Ar srcnat 363parameter can be used to specify the actual source address. 364This can be used in outgoing NAT/BINAT scenarios as described below. 365.Pp 366The optional 367.Ic port 368modifiers restrict the traffic selectors to the specified ports. 369They are only valid in conjunction with the 370.Xr tcp 4 371and 372.Xr udp 4 373protocols. 374Ports can be specified by number or by name. 375For a list of all port name to number mappings used by 376.Xr ipsecctl 8 , 377see the file 378.Pa /etc/services . 379.It Ic local Ar localip Ic peer Ar remote 380The 381.Ic local 382parameter specifies the address or FQDN of the local endpoint. 383Unless the gateway is multi-homed or uses address aliases, 384this option is generally not needed. 385.Pp 386The 387.Ic peer 388parameter specifies the address or FQDN of the remote endpoint. 389For host-to-host connections where 390.Ar dst 391is identical to 392.Ar remote , 393this option is generally not needed as it will be set to 394.Ar dst 395automatically. 396If it is not specified or if the keyword 397.Ar any 398is given, the default peer is used. 399.It Xo 400.Ic ikesa 401.Ic auth Ar algorithm 402.Ic enc Ar algorithm 403.Ic prf Ar algorithm 404.Ic group Ar group 405.Xc 406These parameters define the mode and cryptographic transforms to be 407used for the IKE SA negotiation, also known as phase 1. 408The IKE SA will be used to authenticate the machines and to set up an 409encrypted channel for the IKEv2 protocol. 410.Pp 411Possible values for 412.Ic auth , 413.Ic enc , 414.Ic prf , 415.Ic group , 416and the default proposals are described below in 417.Sx CRYPTO TRANSFORMS . 418If omitted, 419.Xr iked 8 420will use the default proposals for the IKEv2 protocol. 421.Pp 422The keyword 423.Ic ikesa 424can be used multiple times as a delimiter between IKE SA proposals. 425The order of the proposals depend on the order in the configuration. 426The keywords 427.Ic auth , 428.Ic enc , 429.Ic prf 430and 431.Ic group 432can be used multiple times within a single proposal to configure 433multiple crypto transforms. 434.It Xo 435.Ic childsa 436.Ic auth Ar algorithm 437.Ic enc Ar algorithm 438.Ic group Ar group 439.Ic esn 440.Xc 441These parameters define the cryptographic transforms to be used for 442the Child SA negotiation, also known as phase 2. 443Each Child SA will be used to negotiate the actual IPsec SAs. 444The initial Child SA is always negotiated with the initial IKEv2 key 445exchange; additional Child SAs may be negotiated with additional 446Child SA key exchanges for an established IKE SA. 447.Pp 448Possible values for 449.Ic auth , 450.Ic enc , 451.Ic group , 452.Ic esn , 453and the default proposals are described below in 454.Sx CRYPTO TRANSFORMS . 455If omitted, 456.Xr iked 8 457will use the default proposals for the ESP or AH protocol. 458.Pp 459The 460.Ic group 461option will only be used to enable Perfect Forward Secrecy (PFS) 462for additional Child SAs exchanges that are not part of the initial 463key exchange. 464.Pp 465The keyword 466.Ic childsa 467can be used multiple times as a delimiter between Child SA proposals. 468The order of the proposals depend on the order in the configuration. 469The keywords 470.Ic auth , 471.Ic enc 472and 473.Ic group 474can be used multiple times within a single proposal to configure 475multiple crypto transforms. 476.It Ic srcid Ar string Ic dstid Ar string 477.Ic srcid 478defines an ID of type 479.Dq FQDN , 480.Dq ASN1_DN , 481.Dq IPV4 , 482.Dq IPV6 , 483or 484.Dq UFQDN 485that will be used by 486.Xr iked 8 487as the identity of the local peer. 488If the argument is an email address (reyk@example.com), 489.Xr iked 8 490will use UFQDN as the ID type. 491The ASN1_DN type will be used if the string starts with a slash 492.Sq / 493(/C=DE/../CN=10.0.0.1/emailAddress=reyk@example.com). 494If the argument is an IPv4 address or a compressed IPv6 address, 495the ID types IPV4 or IPV6 will be used. 496Anything else is considered to be an FQDN. 497.Pp 498If 499.Ic srcid 500is omitted, 501the default is to use the hostname of the local machine, 502see 503.Xr hostname 1 504to set or print the hostname. 505.Pp 506.Ic dstid 507is similar to 508.Ic srcid , 509but instead specifies the ID to be used 510by the remote peer. 511.It Ic ikelifetime Ar time 512The optional 513.Ic ikelifetime 514parameter defines the IKE SA expiration timeout by the 515.Ar time 516SA was created. 517A zero value disables active IKE SA rekeying. 518This is the default. 519.Pp 520The accepted format of the 521.Ar time 522specification is described below. 523.It Ic lifetime Ar time Op Ic bytes Ar bytes 524The optional 525.Ic lifetime 526parameter defines the Child SA expiration timeout by the 527.Ar time 528SA was in use and by the number of 529.Ar bytes 530that were processed using the SA. 531Default values are 3 hours and 512 megabytes which means that SA will be 532rekeyed before reaching the time limit or 512 megabytes of data 533will pass through. 534Zero values disable rekeying. 535.Pp 536Several unit specifiers are recognized (ignoring case): 537.Ql m 538and 539.Ql h 540for minutes and hours, and 541.Ql K , 542.Ql M 543and 544.Ql G 545for kilo-, mega- and gigabytes accordingly. 546.Pp 547Please note that rekeying must happen at least several times a day as 548IPsec security heavily depends on frequent key renewals. 549.It Op Ar ikeauth 550Specify a method to be used to authenticate the remote peer. 551.Xr iked 8 552will automatically determine a method based on public keys or certificates 553configured for the peer. 554.Ar ikeauth 555can be used to override this behaviour. 556Non-psk modes will require setting up certificates and RSA or ECDSA public 557keys; see 558.Xr iked 8 559for more information. 560.Pp 561.Bl -tag -width $domain -compact -offset indent 562.It Ic eap Ar type 563Use EAP to authenticate the initiator. 564The only supported EAP 565.Ar type 566is currently 567.Ar MSCHAP-V2 . 568The responder will use RSA public key authentication. 569.It Ic ecdsa256 570Use ECDSA with a 256-bit elliptic curve key and SHA2-256 for authentication. 571.It Ic ecdsa384 572Use ECDSA with a 384-bit elliptic curve key and SHA2-384 for authentication. 573.It Ic ecdsa521 574Use ECDSA with a 521-bit elliptic curve key and SHA2-512 for authentication. 575.It Ic psk Ar string 576Use a pre-shared key 577.Ar string 578or hex value (starting with 0x) for authentication. 579.It Ic rfc7427 580Only use RFC 7427 signatures for authentication. 581RFC 7427 signatures currently only support SHA2-256 as the hash. 582.It Ic rsa 583Use RSA public key authentication with SHA1 as the hash. 584.El 585.Pp 586The default is to allow any signature authentication. 587.It Ic config Ar option address 588Send one or more optional configuration payloads (CP) to the peer. 589The configuration 590.Ar option 591can be one of the following with the expected address format: 592.Pp 593.Bl -tag -width Ds -compact -offset indent 594.It Ic address Ar address 595Assign a static address on the internal network. 596.It Ic address Ar address/prefix 597Assign a dynamic address on the internal network. 598The address will be assigned from an address pool with the size specified by 599.Ar prefix . 600.It Ic netmask Ar netmask 601The IPv4 netmask of the internal network. 602.It Ic name-server Ar address 603The DNS server address within the internal network. 604.It Ic netbios-server Ar address 605The NetBIOS name server (WINS) within the internal network. 606This option is provided for compatibility with legacy clients. 607.It Ic dhcp-server Ar address 608The address of an internal DHCP server for further configuration. 609.It Ic protected-subnet Ar address/prefix 610The address of an additional IPv4 or IPv6 subnet reachable over the 611gateway. 612This option is used to notify the peer of a subnet behind the gateway (that 613might require a second SA). 614Networks specified in this SA's "from" or "to" options do not need to be 615included. 616.It Ic access-server Ar address 617The address of an internal remote access server. 618.El 619.It Ic tag Ar string 620Add a 621.Xr pf 4 622tag to all packets of IPsec SAs created for this connection. 623This will allow matching packets for this connection by defining 624rules in 625.Xr pf.conf 5 626using the 627.Cm tagged 628keyword. 629.Pp 630The following variables can be used in tags to include information 631from the remote peer on runtime: 632.Pp 633.Bl -tag -width $domain -compact -offset indent 634.It Ar $id 635The 636.Ic dstid 637that was proposed by the remote peer to identify itself. 638It will be expanded to 639.Ar id-value , 640e.g.\& 641.Ar FQDN/foo.example.com . 642To limit the size of the derived tag, 643.Xr iked 8 644will extract the common name 645.Sq CN= 646from ASN1_DN IDs, for example 647.Ar ASN1_ID//C=DE/../CN=10.1.1.1/.. 648will be expanded to 649.Ar 10.1.1.1 . 650.It Ar $eapid 651For a connection using EAP, the identity (username) used by the remote peer. 652.It Ar $domain 653Extract the domain from IDs of type FQDN, UFQDN or ASN1_DN. 654.It Ar $name 655The name of the IKEv2 policy that was configured in 656.Nm 657or automatically generated by 658.Xr iked 8 . 659.El 660.Pp 661For example, if the ID is 662.Ar FQDN/foo.example.com 663or 664.Ar UFQDN/user@example.com , 665.Dq ipsec-$domain 666expands to 667.Dq ipsec-example.com . 668The variable expansion for the 669.Ar tag 670directive occurs only at runtime (not when the file is parsed) 671and must be quoted, or it will be interpreted as a macro. 672.It Ic tap Ar interface 673Send the decapsulated IPsec traffic to the specified 674.Xr enc 4 675.Ar interface 676instead of 677.Ar enc0 678for filtering and monitoring. 679The traffic will be blocked if the specified 680.Ar interface 681does not exist. 682.El 683.Sh PACKET FILTERING 684IPsec traffic appears unencrypted on the 685.Xr enc 4 686interface 687and can be filtered accordingly using the 688.Ox 689packet filter, 690.Xr pf 4 . 691The grammar for the packet filter is described in 692.Xr pf.conf 5 . 693.Pp 694The following components are relevant to filtering IPsec traffic: 695.Bl -ohang -offset indent 696.It external interface 697Interface for IKE traffic and encapsulated IPsec traffic. 698.It proto udp port 500 699IKE traffic on the external interface. 700.It proto udp port 4500 701IKE NAT-Traversal traffic on the external interface. 702.It proto ah | esp 703Encapsulated IPsec traffic 704on the external interface. 705.It enc0 706Default interface for outgoing traffic before it's been encapsulated, 707and incoming traffic after it's been decapsulated. 708State on this interface should be interface bound; 709see 710.Xr enc 4 711for further information. 712.It proto ipencap 713[tunnel mode only] 714IP-in-IP traffic flowing between gateways 715on the enc0 interface. 716.It tagged ipsec-example.org 717Match traffic of IPsec SAs using the 718.Ic tag 719keyword. 720.El 721.Pp 722If the filtering rules specify to block everything by default, 723the following rule 724would ensure that IPsec traffic never hits the packet filtering engine, 725and is therefore passed: 726.Bd -literal -offset indent 727set skip on enc0 728.Ed 729.Pp 730In the following example, all traffic is blocked by default. 731IPsec-related traffic from gateways {192.168.3.1, 192.168.3.2} and 732networks {10.0.1.0/24, 10.0.2.0/24} is permitted. 733.Bd -literal -offset indent 734block on ix0 735block on enc0 736 737pass in on ix0 proto udp from 192.168.3.2 to 192.168.3.1 \e 738 port {500, 4500} 739pass out on ix0 proto udp from 192.168.3.1 to 192.168.3.2 \e 740 port {500, 4500} 741 742pass in on ix0 proto esp from 192.168.3.2 to 192.168.3.1 743pass out on ix0 proto esp from 192.168.3.1 to 192.168.3.2 744 745pass in on enc0 proto ipencap from 192.168.3.2 to 192.168.3.1 \e 746 keep state (if-bound) 747pass out on enc0 proto ipencap from 192.168.3.1 to 192.168.3.2 \e 748 keep state (if-bound) 749pass in on enc0 from 10.0.2.0/24 to 10.0.1.0/24 \e 750 keep state (if-bound) 751pass out on enc0 from 10.0.1.0/24 to 10.0.2.0/24 \e 752 keep state (if-bound) 753.Ed 754.Pp 755.Xr pf 4 756has the ability to filter IPsec-related packets 757based on an arbitrary 758.Em tag 759specified within a ruleset. 760The tag is used as an internal marker 761which can be used to identify the packets later on. 762This could be helpful, 763for example, 764in scenarios where users are connecting in from differing IP addresses, 765or to support queue-based bandwidth control, 766since the enc0 interface does not support it. 767.Pp 768The following 769.Xr pf.conf 5 770fragment uses queues for all IPsec traffic with special 771handling for developers and employees: 772.Bd -literal -offset indent 773queue std on ix0 bandwidth 100M 774queue deflt parent std bandwidth 10M default 775queue developers parent std bandwidth 75M 776queue employees parent std bandwidth 5M 777queue ipsec parent std bandwidth 10M 778 779pass out on ix0 proto esp set queue ipsec 780 781pass out on ix0 tagged ipsec-developers.example.com \e 782 set queue developers 783pass out on ix0 tagged ipsec-employees.example.com \e 784 set queue employees 785.Ed 786.Pp 787The following example assigns the tags in the 788.Nm 789configuration and also sets an alternative 790.Xr enc 4 791device: 792.Bd -literal -offset indent 793ikev2 esp from 10.1.1.0/24 to 10.1.2.0/24 peer 192.168.3.2 \e 794 tag "ipsec-$domain" tap "enc1" 795.Ed 796.Sh OUTGOING NETWORK ADDRESS TRANSLATION 797In some network topologies it is desirable to perform NAT on traffic leaving 798through the VPN tunnel. 799In order to achieve that, 800the 801.Ar src 802argument is used to negotiate the desired network ID with the peer 803and the 804.Ar srcnat 805parameter defines the true local subnet, 806so that a correct SA can be installed on the local side. 807.Pp 808For example, 809if the local subnet is 192.168.1.0/24 and all the traffic 810for a specific VPN peer should appear as coming from 10.10.10.1, 811the following configuration is used: 812.Bd -literal -offset indent 813ikev2 esp from 10.10.10.1 (192.168.1.0/24) to 192.168.2.0/24 \e 814 peer 10.10.20.1 815.Ed 816.Pp 817Naturally, 818a relevant NAT rule is required in 819.Xr pf.conf 5 . 820For the example above, 821this would be: 822.Bd -literal -offset indent 823match out on enc0 from 192.168.1.0/24 to 192.168.2.0/24 \e 824 nat-to 10.10.10.1 825.Ed 826.Pp 827From the peer's point of view, 828the local end of the VPN tunnel is declared to be 10.10.10.1 829and all the traffic arrives with that source address. 830.Sh CRYPTO TRANSFORMS 831The following authentication types are permitted with the 832.Ic auth 833keyword: 834.Bl -column "Authentication" "Key Length" "Truncated Length" "Default" -offset indent 835.It Em "Authentication" Ta Em "Key Length" Ta Em "Truncated Length" Ta Em "Default" 836.It Li hmac-md5 Ta "128 bits" Ta "96 bits" Ta "" 837.It Li hmac-sha1 Ta "160 bits" Ta "96 bits" Ta "x" 838.It Li hmac-sha2-256 Ta "256 bits" Ta "128 bits" Ta "x" 839.It Li hmac-sha2-384 Ta "384 bits" Ta "192 bits" Ta "" 840.It Li hmac-sha2-512 Ta "512 bits" Ta "256 bits" Ta "" 841.El 842.Pp 843The following pseudo-random function types are permitted with the 844.Ic prf 845keyword: 846.Bl -column "hmac-sha2-512" "Key Length" "Default" "[IKE only]" -offset indent 847.It Em "PRF" Ta Em "Key Length" Ta Em "Default" Ta "" 848.It Li hmac-md5 Ta "128 bits" Ta "" Ta "[IKE only]" 849.It Li hmac-sha1 Ta "160 bits" Ta "x" Ta "[IKE only]" 850.It Li hmac-sha2-256 Ta "256 bits" Ta "x" Ta "[IKE only]" 851.It Li hmac-sha2-384 Ta "384 bits" Ta "" Ta "[IKE only]" 852.It Li hmac-sha2-512 Ta "512 bits" Ta "" Ta "[IKE only]" 853.El 854.Pp 855The following cipher types are permitted with the 856.Ic enc 857keyword: 858.Bl -column "chacha20-poly1305" "Key Length" "Default" "[ESP only]" -offset indent 859.It Em "Cipher" Ta Em "Key Length" Ta Em "Default" Ta "" 860.It Li 3des Ta "168 bits" Ta "x" Ta "" 861.It Li aes-128 Ta "128 bits" Ta "x" Ta "" 862.It Li aes-192 Ta "192 bits" Ta "x" Ta "" 863.It Li aes-256 Ta "256 bits" Ta "x" Ta "" 864.It Li aes-128-ctr Ta "160 bits" Ta "" Ta "[ESP only]" 865.It Li aes-192-ctr Ta "224 bits" Ta "" Ta "[ESP only]" 866.It Li aes-256-ctr Ta "288 bits" Ta "" Ta "[ESP only]" 867.It Li aes-128-gcm Ta "160 bits" Ta "x" Ta "" 868.It Li aes-192-gcm Ta "224 bits" Ta "" Ta "[ESP only]" 869.It Li aes-256-gcm Ta "288 bits" Ta "x" Ta "" 870.It Li aes-128-gcm-12 Ta "160 bits" Ta "" Ta "[IKE only]" 871.It Li aes-256-gcm-12 Ta "288 bits" Ta "" Ta "[IKE only]" 872.It Li blowfish Ta "160 bits" Ta "" Ta "[ESP only]" 873.It Li cast Ta "128 bits" Ta "" Ta "[ESP only]" 874.It Li chacha20-poly1305 Ta "288 bits" Ta "" Ta "[ESP only]" 875.El 876.Pp 877The following cipher types provide only authentication, 878not encryption: 879.Bl -column "chacha20-poly1305" "Key Length" "Default" "[ESP only]" -offset indent 880.It Li aes-128-gmac Ta "160 bits" Ta "" Ta "[ESP only]" 881.It Li aes-192-gmac Ta "224 bits" Ta "" Ta "[ESP only]" 882.It Li aes-256-gmac Ta "288 bits" Ta "" Ta "[ESP only]" 883.It Li null Ta "" Ta "" Ta "[ESP only]" 884.El 885.Pp 886The Extended Sequence Numbers option can be enabled or disabled with the 887.Ic esn 888or 889.Ic noesn 890keywords: 891.Bl -column "noesn" "Default" "[ESP only]" -offset indent 892.It Em ESN Ta Em "Default" Ta Em "" 893.It Li esn Ta "x" Ta "[ESP only]" 894.It Li noesn Ta "x" Ta "[ESP only]" 895.El 896.Pp 897Transforms followed by 898.Bq IKE only 899can only be used with the 900.Ic ikesa 901keyword, transforms with 902.Bq ESP only 903can only be used with the 904.Ic childsa 905keyword. 906.Pp 9073DES requires 24 bytes to form its 168-bit key. 908This is because the most significant bit of each byte is used for parity. 909.Pp 910The keysize of AES-CTR is actually 128-bit. 911However as well as the key, a 32-bit nonce has to be supplied. 912Thus 160 bits of key material have to be supplied. 913The same applies to AES-GCM, AES-GMAC and Chacha20-Poly1305, 914however in the latter case the keysize is 256 bit. 915.Pp 916Using AES-GMAC or NULL with ESP will only provide authentication. 917This is useful in setups where AH cannot be used, e.g. when NAT is involved. 918.Pp 919The following group types are permitted with the 920.Ic group 921keyword: 922.Bl -column "brainpool224" "Group" "Size" "Curve25519" "Default" -offset indent 923.It Em Name Ta Em Group Ta Em Size Ta Em Type Ta Em Default 924.It Li modp768 Ta grp1 Ta 768 Ta "MODP" Ta "" Ta "[insecure]" 925.It Li modp1024 Ta grp2 Ta 1024 Ta "MODP" Ta "x" Ta "[weak]" 926.It Li modp1536 Ta grp5 Ta 1536 Ta "MODP" Ta "x" Ta "[weak]" 927.It Li modp2048 Ta grp14 Ta 2048 Ta "MODP" Ta "x" 928.It Li modp3072 Ta grp15 Ta 3072 Ta "MODP" Ta "x" 929.It Li modp4096 Ta grp16 Ta 4096 Ta "MODP" Ta "x" 930.It Li modp6144 Ta grp17 Ta 6144 Ta "MODP" Ta "" 931.It Li modp8192 Ta grp18 Ta 8192 Ta "MODP" Ta "" 932.It Li ecp256 Ta grp19 Ta 256 Ta "ECP" Ta "x" 933.It Li ecp384 Ta grp20 Ta 384 Ta "ECP" Ta "x" 934.It Li ecp521 Ta grp21 Ta 521 Ta "ECP" Ta "x" 935.It Li ecp192 Ta grp25 Ta 192 Ta "ECP" Ta "" 936.It Li ecp224 Ta grp26 Ta 224 Ta "ECP" Ta "" 937.It Li brainpool224 Ta grp27 Ta 224 Ta "ECP" Ta "" 938.It Li brainpool256 Ta grp28 Ta 256 Ta "ECP" Ta "" 939.It Li brainpool384 Ta grp29 Ta 384 Ta "ECP" Ta "" 940.It Li brainpool512 Ta grp30 Ta 512 Ta "ECP" Ta "" 941.It Li curve25519 Ta grp31 Ta 256 Ta "Curve25519" Ta "x" 942.El 943.Pp 944The currently supported group types are either 945MODP (exponentiation groups modulo a prime), 946ECP (elliptic curve groups modulo a prime), 947or Curve25519. 948Please note that MODP groups of less than 2048 bits are considered 949as weak or insecure (see RFC 8247 section 2.4) and only provided for 950backwards compatibility. 951.Sh FILES 952.Bl -tag -width /etc/examples/iked.conf -compact 953.It Pa /etc/iked.conf 954.It Pa /etc/examples/iked.conf 955.El 956.Sh EXAMPLES 957The first example is intended for a server with clients connecting to 958.Xr iked 8 959as an IPsec gateway, or IKEv2 responder, using mutual public key 960authentication and additional challenge-based EAP-MSCHAPv2 password 961authentication: 962.Bd -literal -offset indent 963user "test" "password123" 964 965ikev2 "win7" esp \e 966 from 0.0.0.0/0 to 172.16.2.0/24 \e 967 peer 10.0.0.0/8 local 192.168.56.0/24 \e 968 eap "mschap-v2" \e 969 config address 172.16.2.1 \e 970 tag "$name-$id" 971.Ed 972.Pp 973The next example allows peers to authenticate using a pre-shared key 974.Sq foobar : 975.Bd -literal -offset indent 976ikev2 "big test" \e 977 esp proto tcp \e 978 from 10.0.0.0/8 port 23 to 20.0.0.0/8 port 40 \e 979 from 192.168.1.1 to 192.168.2.2 \e 980 peer any local any \e 981 ikesa \e 982 enc 3des auth hmac-sha2-256 \e 983 group ecp256 group modp1024 \e 984 ikesa \e 985 enc 3des auth hmac-sha1 \e 986 group ecp256 group modp1024 \e 987 childsa enc aes-128 auth hmac-sha2-256 \e 988 childsa enc aes-128 auth hmac-sha1 \e 989 srcid host.example.com \e 990 dstid 192.168.0.254 \e 991 psk "foobar" 992.Ed 993.Pp 994The following example illustrates the last matching policy 995evaluation for incoming connections on an IKEv2 gateway. 996The peer 192.168.1.34 will always match the first policy because of the 997.Ar quick 998keyword; 999connections from the peers 192.168.1.3 and 192.168.1.2 will be matched 1000by one of the last two policies; 1001any other connections from 192.168.1.0/24 will be matched by the 1002.Sq subnet 1003policy; 1004and any other connection will be matched by the 1005.Sq catch all 1006policy. 1007.Bd -literal -offset indent 1008ikev2 quick esp from 10.10.10.0/24 to 10.20.20.0/24 \e 1009 peer 192.168.1.34 1010ikev2 "catch all" esp from 10.0.1.0/24 to 10.0.2.0/24 \e 1011 peer any 1012ikev2 "subnet" esp from 10.0.3.0/24 to 10.0.4.0/24 \e 1013 peer 192.168.1.0/24 1014ikev2 esp from 10.0.5.0/30 to 10.0.5.4/30 peer 192.168.1.2 1015ikev2 esp from 10.0.5.8/30 to 10.0.5.12/30 peer 192.168.1.3 1016.Ed 1017.Pp 1018This example encrypts a 1019.Xr gre 4 1020tunnel from local machine A (2001:db8::aa:1) to peer D (2001:db8::dd:4) based on 1021FQDN-based public key authentication; 1022.Ar transport 1023mode avoids double encapsulation: 1024.Bd -literal -offset indent 1025ikev2 transport \e 1026 proto gre \e 1027 from 2001:db8::aa:1 to 2001:db8::dd:4 \e 1028 peer D.example.com 1029.Ed 1030.Sh SEE ALSO 1031.Xr enc 4 , 1032.Xr ipsec 4 , 1033.Xr ipsec.conf 5 , 1034.Xr pf.conf 5 , 1035.Xr ikectl 8 , 1036.Xr iked 8 1037.Sh HISTORY 1038The 1039.Nm 1040file format first appeared in 1041.Ox 4.8 . 1042.Sh AUTHORS 1043The 1044.Xr iked 8 1045program was written by 1046.An Reyk Floeter Aq Mt reyk@openbsd.org . 1047