1.\" $OpenBSD: iked.conf.5,v 1.77 2020/08/26 14:49:48 tobhe Exp $ 2.\" 3.\" Copyright (c) 2010 - 2014 Reyk Floeter <reyk@openbsd.org> 4.\" Copyright (c) 2004 Mathieu Sauve-Frankel All rights reserved. 5.\" 6.\" Permission to use, copy, modify, and distribute this software for any 7.\" purpose with or without fee is hereby granted, provided that the above 8.\" copyright notice and this permission notice appear in all copies. 9.\" 10.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 11.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 12.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 13.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 14.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 15.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 16.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 17.\" 18.Dd $Mdocdate: August 26 2020 $ 19.Dt IKED.CONF 5 20.Os 21.Sh NAME 22.Nm iked.conf 23.Nd IKEv2 configuration file 24.Sh DESCRIPTION 25.Nm 26is the configuration file for 27.Xr iked 8 , 28the Internet Key Exchange version 2 (IKEv2) daemon for IPsec. 29IPsec itself is a pair of protocols: 30Encapsulating Security Payload (ESP), 31which provides integrity and confidentiality; 32and Authentication Header (AH), 33which provides integrity. 34The IPsec protocol itself is described in 35.Xr ipsec 4 . 36.Pp 37In its most basic form, a flow is established between hosts and/or 38networks, and then Security Associations (SA) are established, 39which detail how the desired protection will be achieved. 40IPsec uses flows to determine whether to apply security services to an 41IP packet or not. 42.Xr iked 8 43is used to set up flows and establish SAs automatically, 44by specifying 45.Sq ikev2 46policies in 47.Nm 48(see 49.Sx AUTOMATIC KEYING POLICIES , 50below). 51.Pp 52Alternative methods of setting up flows and SAs are also possible 53using manual keying or automatic keying using the older ISAKMP/Oakley 54a.k.a. IKEv1 protocol. 55Manual keying is not recommended, but can be convenient for quick 56setups and testing. 57See 58.Xr ipsec.conf 5 59and 60.Xr isakmpd 8 61for more information about manual keying and ISAKMP support. 62.Sh IKED.CONF FILE FORMAT 63.Nm 64is divided into three main sections: 65.Bl -tag -width xxxx 66.It Sy Macros 67User-defined macros may be defined and used later, simplifying the 68configuration file. 69.It Sy Global Configuration 70Global settings for 71.Xr iked 8 . 72.It Sy Automatic Keying Policies 73Policies to set up IPsec flows and SAs automatically. 74.El 75.Pp 76Lines beginning with 77.Sq # 78and empty lines are regarded as comments, 79and ignored. 80Lines may be split using the 81.Sq \e 82character. 83.Pp 84Argument names not beginning with a letter, digit, or underscore 85must be quoted. 86.Pp 87Addresses can be specified in CIDR notation (matching netblocks), 88as symbolic host names, interface names, or interface group names. 89.Pp 90Additional configuration files can be included with the 91.Ic include 92keyword, for example: 93.Bd -literal -offset indent 94include "/etc/macros.conf" 95.Ed 96.Sh MACROS 97Macros can be defined that will later be expanded in context. 98Macro names must start with a letter, digit, or underscore, 99and may contain any of those characters. 100Macro names may not be reserved words (for example 101.Ic flow , 102.Ic from , 103.Ic esp ) . 104Macros are not expanded inside quotes. 105.Pp 106For example: 107.Bd -literal -offset indent 108remote_gw = "192.168.3.12" 109ikev2 esp from 192.168.7.0/24 to 192.168.8.0/24 peer $remote_gw 110.Ed 111.Sh GLOBAL CONFIGURATION 112Here are the settings that can be set globally: 113.Bl -tag -width xxxx 114.It Ic set active 115Set 116.Xr iked 8 117to global active mode. 118In active mode the per-policy 119.Ar mode 120setting is respected. 121.Xr iked 8 122will initiate policies set to 123.Ar active 124and wait for incoming requests for policies set to 125.Ar passive . 126This is the default. 127.It Ic set passive 128Set 129.Xr iked 8 130to global passive mode. 131In passive mode no packets are sent to peers and no connections are 132initiated by 133.Xr iked 8 , 134even for 135.Ar active 136policies. 137This option is used for setups using 138.Xr sasyncd 8 139and 140.Xr carp 4 141to provide redundancy. 142.Xr iked 8 143will run in passive mode until sasyncd has determined that the host 144is the master and can switch to active mode. 145.It Ic set couple 146Load the negotiated security associations (SAs) and flows into the kernel. 147This is the default. 148.It Ic set decouple 149Don't load the negotiated SAs and flows from the kernel. 150This mode is only useful for testing and debugging. 151.It Ic set dpd_check_interval Ar time 152Specify the liveness check interval, in seconds. 153Setting 154.Ar time 155to 0 disables DPD. 156The default value is 60 seconds. 157.It Ic set enforcesingleikesa 158Allow only a single active IKE SA for each 159.Ic dstid . 160When a new SA with the same 161.Ic dstid 162is established, it replaces the old SA. 163.It Ic set noenforcesingleikesa 164Don't limit the number of IKE SAs per 165.Ic dstid . 166This is the default. 167.It Ic set fragmentation 168Enable IKEv2 Message Fragmentation (RFC 7383) support. 169This allows IKEv2 to operate in environments that might block IP fragments. 170.It Ic set nofragmentation 171Disables IKEv2 Message Fragmentation support. 172This is the default. 173.It Ic set mobike 174Enable MOBIKE (RFC 4555) support. 175This is the default. 176MOBIKE allows the peer IP address to be changed for IKE and IPsec SAs. 177Currently 178.Xr iked 8 179only supports MOBIKE when acting as a responder. 180.It Ic set nomobike 181Disables MOBIKE support. 182.It Ic set ocsp Ar URL Op Ic tolerate Ar time Op Ic maxage Ar time 183Enable OCSP and set the fallback URL of the OCSP responder. 184This fallback will be used if the trusted CA from 185.Pa /etc/iked/ca/ 186does not have an OCSP-URL extension. 187Please note that the matching responder certificates 188have to be placed in 189.Pa /etc/iked/ocsp/responder.crt . 190.Pp 191The optional 192.Ic tolerate 193parameter specifies how much the OCSP reponse attribute 194.Sq thisUpdate 195may be in the future and how much 196.Sq nextUpdate 197may be in the past, with respect to the local time. 198The optional 199.Ic maxage 200parameter specifies how much 201.Sq thisUpdate 202may be in the past. 203If 204.Ic tolerate 205is set to 0 then the times are not verified at all. 206This is the default setting. 207.It Ic user Ar name password 208.Xr iked 8 209supports user-based authentication by tunneling the Extensible 210Authentication Protocol (EAP) over IKEv2. 211In its most basic form, the users will be authenticated against a 212local, integrated password database that is configured with the 213.Ic user 214lines in 215.Nm 216and the 217.Ar name 218and 219.Ar password 220arguments. 221Note that the password has to be specified in plain text which is 222required to support different challenge-based EAP methods like 223EAP-MD5 or EAP-MSCHAPv2. 224.El 225.Sh AUTOMATIC KEYING POLICIES 226This section is used to configure policies that will be used by 227.Xr iked 8 228to set up flows and SAs automatically. 229Some examples of setting up automatic keying: 230.Bd -literal -offset 3n 231# Set up a VPN: 232# First between the gateway machines 192.168.3.1 and 192.168.3.2 233# Second between the networks 10.1.1.0/24 and 10.1.2.0/24 234ikev2 esp from 192.168.3.1 to 192.168.3.2 235ikev2 esp from 10.1.1.0/24 to 10.1.2.0/24 peer 192.168.3.2 236.Ed 237.Pp 238For incoming connections from remote peers, the policies are evaluated 239in sequential order, from first to last. 240The last matching policy decides what action is taken; if no policy matches 241the connection, the default action is to ignore the connection attempt or 242to use the 243.Ar default 244policy, if set. 245Please also see the 246.Sx EXAMPLES 247section for a detailed example of the policy evaluation. 248.Pp 249The first time an IKEv2 connection matches a policy, an IKE SA is 250created; for subsequent packets the connection is identified by the 251IKEv2 parameters that are stored in the SA without evaluating any 252policies. 253After the connection is closed or times out, the IKE SA is 254automatically removed. 255.Pp 256The commands are as follows: 257.Bl -tag -width xxxx 258.It Xo 259.Ic ikev2 260.Op Ar name 261.Xc 262The mandatory 263.Ic ikev2 264keyword will identify an IKEv2 automatic keying policy. 265.Ar name 266is an optional arbitrary string identifying the policy. 267The name should only occur once in 268.Nm 269or any included files. 270If omitted, 271a name will be generated automatically for the policy. 272.It Op Ar eval 273The 274.Ar eval 275option modifies the policy evaluation for this policy. 276It can be one of 277.Ar quick , 278.Ar skip 279or 280.Ar default . 281If a new incoming connection matches a policy with the 282.Ar quick 283option set, that policy is considered the last matching policy, 284and evaluation of subsequent policies is skipped. 285The 286.Ar skip 287option will disable evaluation of this policy for incoming connections. 288The 289.Ar default 290option sets the default policy and should only be specified once. 291.It Op Ar mode 292.Ar mode 293specifies the IKEv2 mode to use: 294one of 295.Ar passive 296or 297.Ar active . 298When 299.Ar passive 300is specified, 301.Xr iked 8 302will not immediately start negotiation of this tunnel, but wait for an incoming 303request from the remote peer. 304When 305.Ar active 306is specified, negotiation will be started at once. 307If omitted, 308.Ar passive 309mode will be used. 310.It Op Ar ipcomp 311The keyword 312.Ar ipcomp 313specifies that 314.Xr ipcomp 4 , 315the IP Payload Compression protocol, is negotiated in addition to encapsulation. 316The optional compression is applied before packets are encapsulated. 317IPcomp must be enabled in the kernel: 318.Pp 319.Dl # sysctl net.inet.ipcomp.enable=1 320.It Op Ar tmode 321.Ar tmode 322describes the encapsulation mode to be used. 323Possible modes are 324.Ar tunnel 325and 326.Ar transport ; 327the default is 328.Ar tunnel . 329.It Op Ar encap 330.Ar encap 331specifies the encapsulation protocol to be used. 332Possible protocols are 333.Ar esp 334and 335.Ar ah ; 336the default is 337.Ar esp . 338.It Op Ar af 339This policy only applies to endpoints of the specified address family 340which can be either 341.Ar inet 342or 343.Ar inet6 . 344Note that this only matters for IKEv2 endpoints and does not 345restrict the traffic selectors to negotiate flows with different 346address families, e.g. IPv6 flows negotiated by IPv4 endpoints. 347.It Ic proto Ar protocol 348The optional 349.Ic proto 350parameter restricts the flow to a specific IP protocol. 351Common protocols are 352.Xr icmp 4 , 353.Xr tcp 4 , 354and 355.Xr udp 4 . 356For a list of all the protocol name to number mappings used by 357.Xr iked 8 , 358see the file 359.Pa /etc/protocols . 360.It Ic rdomain Ar number 361Specify a different routing domain for unencrypted traffic. 362The resulting IPsec SAs will match outgoing packets in the specified 363.Ic rdomain Ar number 364and move the encrypted packets to the rdomain the 365.Xr iked 8 366instance is running in. 367Vice versa, incoming 368.Xr ipsec 4 369traffic is moved to 370.Ic rdomain Ar number 371after decryption. 372.It Xo 373.Ic from Ar src 374.Op Ic port Ar sport 375.Op Pq Ar srcnat 376.Ic to Ar dst 377.Op Ic port Ar dport 378.Xc 379Specify one or more traffic selectors for this policy which will be 380used to negotiate the IPsec flows between the IKEv2 peers. 381During the negotiation, the peers may decide to narrow a flow to a 382subset of the configured traffic selector networks to match the 383policies on each side. 384.Pp 385Each traffic selector will apply for packets with source address 386.Ar src 387and destination address 388.Ar dst . 389The keyword 390.Ar any 391will match any address (i.e. 0.0.0.0/0). 392If the 393.Ar src 394argument specifies a fictional source ID, 395the 396.Ar srcnat 397parameter can be used to specify the actual source address. 398This can be used in outgoing NAT/BINAT scenarios as described below. 399.Pp 400The optional 401.Ic port 402modifiers restrict the traffic selectors to the specified ports. 403They are only valid in conjunction with the 404.Xr tcp 4 405and 406.Xr udp 4 407protocols. 408Ports can be specified by number or by name. 409For a list of all port name to number mappings used by 410.Xr ipsecctl 8 , 411see the file 412.Pa /etc/services . 413.It Ic local Ar localip Ic peer Ar remote 414The 415.Ic local 416parameter specifies the address or FQDN of the local endpoint. 417Unless the gateway is multi-homed or uses address aliases, 418this option is generally not needed. 419.Pp 420The 421.Ic peer 422parameter specifies the address or FQDN of the remote endpoint. 423For host-to-host connections where 424.Ar dst 425is identical to 426.Ar remote , 427this option is generally not needed as it will be set to 428.Ar dst 429automatically. 430If it is not specified or if the keyword 431.Ar any 432is given, the default peer is used. 433.It Xo 434.Ic ikesa 435.Ic auth Ar algorithm 436.Ic enc Ar algorithm 437.Ic prf Ar algorithm 438.Ic group Ar group 439.Xc 440These parameters define the mode and cryptographic transforms to be 441used for the IKE SA negotiation, also known as phase 1. 442The IKE SA will be used to authenticate the machines and to set up an 443encrypted channel for the IKEv2 protocol. 444.Pp 445Possible values for 446.Ic auth , 447.Ic enc , 448.Ic prf , 449.Ic group , 450and the default proposals are described below in 451.Sx CRYPTO TRANSFORMS . 452If omitted, 453.Xr iked 8 454will use the default proposals for the IKEv2 protocol. 455.Pp 456The keyword 457.Ic ikesa 458can be used multiple times as a delimiter between IKE SA proposals. 459The order of the proposals depend on the order in the configuration. 460The keywords 461.Ic auth , 462.Ic enc , 463.Ic prf 464and 465.Ic group 466can be used multiple times within a single proposal to configure 467multiple crypto transforms. 468.It Xo 469.Ic childsa 470.Ic auth Ar algorithm 471.Ic enc Ar algorithm 472.Ic group Ar group 473.Ic esn 474.Xc 475These parameters define the cryptographic transforms to be used for 476the Child SA negotiation, also known as phase 2. 477Each Child SA will be used to negotiate the actual IPsec SAs. 478The initial Child SA is always negotiated with the initial IKEv2 key 479exchange; additional Child SAs may be negotiated with additional 480Child SA key exchanges for an established IKE SA. 481.Pp 482Possible values for 483.Ic auth , 484.Ic enc , 485.Ic group , 486.Ic esn , 487and the default proposals are described below in 488.Sx CRYPTO TRANSFORMS . 489If omitted, 490.Xr iked 8 491will use the default proposals for the ESP or AH protocol. 492.Pp 493The 494.Ic group 495option will only be used to enable Perfect Forward Secrecy (PFS) 496for additional Child SAs exchanges that are not part of the initial 497key exchange. 498.Pp 499The keyword 500.Ic childsa 501can be used multiple times as a delimiter between Child SA proposals. 502The order of the proposals depend on the order in the configuration. 503The keywords 504.Ic auth , 505.Ic enc 506and 507.Ic group 508can be used multiple times within a single proposal to configure 509multiple crypto transforms. 510.It Ic srcid Ar string Ic dstid Ar string 511.Ic srcid 512defines an ID of type 513.Dq FQDN , 514.Dq ASN1_DN , 515.Dq IPV4 , 516.Dq IPV6 , 517or 518.Dq UFQDN 519that will be used by 520.Xr iked 8 521as the identity of the local peer. 522If the argument is an email address (reyk@example.com), 523.Xr iked 8 524will use UFQDN as the ID type. 525The ASN1_DN type will be used if the string starts with a slash 526.Sq / 527(/C=DE/../CN=10.0.0.1/emailAddress=reyk@example.com). 528If the argument is an IPv4 address or a compressed IPv6 address, 529the ID types IPV4 or IPV6 will be used. 530Anything else is considered to be an FQDN. 531.Pp 532If 533.Ic srcid 534is omitted, 535the default is to use the hostname of the local machine, 536see 537.Xr hostname 1 538to set or print the hostname. 539.Pp 540.Ic dstid 541is similar to 542.Ic srcid , 543but instead specifies the ID to be used 544by the remote peer. 545.It Ic ikelifetime Ar time 546The optional 547.Ic ikelifetime 548parameter defines the IKE SA expiration timeout by the 549.Ar time 550SA was created. 551A zero value disables active IKE SA rekeying. 552This is the default. 553.Pp 554The accepted format of the 555.Ar time 556specification is described below. 557.It Ic lifetime Ar time Op Ic bytes Ar bytes 558The optional 559.Ic lifetime 560parameter defines the Child SA expiration timeout by the 561.Ar time 562SA was in use and by the number of 563.Ar bytes 564that were processed using the SA. 565Default values are 3 hours and 512 megabytes which means that SA will be 566rekeyed before reaching the time limit or 512 megabytes of data 567will pass through. 568Zero values disable rekeying. 569.Pp 570Several unit specifiers are recognized (ignoring case): 571.Ql m 572and 573.Ql h 574for minutes and hours, and 575.Ql K , 576.Ql M 577and 578.Ql G 579for kilo-, mega- and gigabytes accordingly. 580.Pp 581Please note that rekeying must happen at least several times a day as 582IPsec security heavily depends on frequent key renewals. 583.It Op Ar ikeauth 584Specify a method to be used to authenticate the remote peer. 585.Xr iked 8 586will automatically determine a method based on public keys or certificates 587configured for the peer. 588.Ar ikeauth 589can be used to override this behaviour. 590Non-psk modes will require setting up certificates and RSA or ECDSA public 591keys; see 592.Xr iked 8 593for more information. 594.Pp 595.Bl -tag -width $domain -compact -offset indent 596.It Ic eap Ar type 597Use EAP to authenticate the initiator. 598The only supported EAP 599.Ar type 600is currently 601.Ar MSCHAP-V2 . 602The responder will use RSA public key authentication. 603.It Ic ecdsa256 604Use ECDSA with a 256-bit elliptic curve key and SHA2-256 for authentication. 605.It Ic ecdsa384 606Use ECDSA with a 384-bit elliptic curve key and SHA2-384 for authentication. 607.It Ic ecdsa521 608Use ECDSA with a 521-bit elliptic curve key and SHA2-512 for authentication. 609.It Ic psk Ar string 610Use a pre-shared key 611.Ar string 612or hex value (starting with 0x) for authentication. 613.It Ic rfc7427 614Only use RFC 7427 signatures for authentication. 615RFC 7427 signatures currently only support SHA2-256 as the hash. 616.It Ic rsa 617Use RSA public key authentication with SHA1 as the hash. 618.El 619.Pp 620The default is to allow any signature authentication. 621.It Ic config Ar option address 622Send one or more optional configuration payloads (CP) to the peer. 623The configuration 624.Ar option 625can be one of the following with the expected address format: 626.Pp 627.Bl -tag -width Ds -compact -offset indent 628.It Ic address Ar address 629Assign a static address on the internal network. 630.It Ic address Ar address/prefix 631Assign a dynamic address on the internal network. 632The address will be assigned from an address pool with the size specified by 633.Ar prefix . 634.It Ic netmask Ar netmask 635The IPv4 netmask of the internal network. 636.It Ic name-server Ar address 637The DNS server address within the internal network. 638.It Ic netbios-server Ar address 639The NetBIOS name server (WINS) within the internal network. 640This option is provided for compatibility with legacy clients. 641.It Ic dhcp-server Ar address 642The address of an internal DHCP server for further configuration. 643.It Ic protected-subnet Ar address/prefix 644The address of an additional IPv4 or IPv6 subnet reachable over the 645gateway. 646This option is used to notify the peer of a subnet behind the gateway (that 647might require a second SA). 648Networks specified in this SA's "from" or "to" options do not need to be 649included. 650.It Ic access-server Ar address 651The address of an internal remote access server. 652.El 653.It Ic tag Ar string 654Add a 655.Xr pf 4 656tag to all packets of IPsec SAs created for this connection. 657This will allow matching packets for this connection by defining 658rules in 659.Xr pf.conf 5 660using the 661.Cm tagged 662keyword. 663.Pp 664The following variables can be used in tags to include information 665from the remote peer on runtime: 666.Pp 667.Bl -tag -width $domain -compact -offset indent 668.It Ar $id 669The 670.Ic dstid 671that was proposed by the remote peer to identify itself. 672It will be expanded to 673.Ar id-value , 674e.g.\& 675.Ar FQDN/foo.example.com . 676To limit the size of the derived tag, 677.Xr iked 8 678will extract the common name 679.Sq CN= 680from ASN1_DN IDs, for example 681.Ar ASN1_ID//C=DE/../CN=10.1.1.1/.. 682will be expanded to 683.Ar 10.1.1.1 . 684.It Ar $eapid 685For a connection using EAP, the identity (username) used by the remote peer. 686.It Ar $domain 687Extract the domain from IDs of type FQDN, UFQDN or ASN1_DN. 688.It Ar $name 689The name of the IKEv2 policy that was configured in 690.Nm 691or automatically generated by 692.Xr iked 8 . 693.El 694.Pp 695For example, if the ID is 696.Ar FQDN/foo.example.com 697or 698.Ar UFQDN/user@example.com , 699.Dq ipsec-$domain 700expands to 701.Dq ipsec-example.com . 702The variable expansion for the 703.Ar tag 704directive occurs only at runtime (not when the file is parsed) 705and must be quoted, or it will be interpreted as a macro. 706.It Ic tap Ar interface 707Send the decapsulated IPsec traffic to the specified 708.Xr enc 4 709.Ar interface 710instead of 711.Ar enc0 712for filtering and monitoring. 713The traffic will be blocked if the specified 714.Ar interface 715does not exist. 716.El 717.Sh PACKET FILTERING 718IPsec traffic appears unencrypted on the 719.Xr enc 4 720interface 721and can be filtered accordingly using the 722.Ox 723packet filter, 724.Xr pf 4 . 725The grammar for the packet filter is described in 726.Xr pf.conf 5 . 727.Pp 728The following components are relevant to filtering IPsec traffic: 729.Bl -ohang -offset indent 730.It external interface 731Interface for IKE traffic and encapsulated IPsec traffic. 732.It proto udp port 500 733IKE traffic on the external interface. 734.It proto udp port 4500 735IKE NAT-Traversal traffic on the external interface. 736.It proto ah | esp 737Encapsulated IPsec traffic 738on the external interface. 739.It enc0 740Default interface for outgoing traffic before it's been encapsulated, 741and incoming traffic after it's been decapsulated. 742State on this interface should be interface bound; 743see 744.Xr enc 4 745for further information. 746.It proto ipencap 747[tunnel mode only] 748IP-in-IP traffic flowing between gateways 749on the enc0 interface. 750.It tagged ipsec-example.org 751Match traffic of IPsec SAs using the 752.Ic tag 753keyword. 754.El 755.Pp 756If the filtering rules specify to block everything by default, 757the following rule 758would ensure that IPsec traffic never hits the packet filtering engine, 759and is therefore passed: 760.Bd -literal -offset indent 761set skip on enc0 762.Ed 763.Pp 764In the following example, all traffic is blocked by default. 765IPsec-related traffic from gateways {192.168.3.1, 192.168.3.2} and 766networks {10.0.1.0/24, 10.0.2.0/24} is permitted. 767.Bd -literal -offset indent 768block on ix0 769block on enc0 770 771pass in on ix0 proto udp from 192.168.3.2 to 192.168.3.1 \e 772 port {500, 4500} 773pass out on ix0 proto udp from 192.168.3.1 to 192.168.3.2 \e 774 port {500, 4500} 775 776pass in on ix0 proto esp from 192.168.3.2 to 192.168.3.1 777pass out on ix0 proto esp from 192.168.3.1 to 192.168.3.2 778 779pass in on enc0 proto ipencap from 192.168.3.2 to 192.168.3.1 \e 780 keep state (if-bound) 781pass out on enc0 proto ipencap from 192.168.3.1 to 192.168.3.2 \e 782 keep state (if-bound) 783pass in on enc0 from 10.0.2.0/24 to 10.0.1.0/24 \e 784 keep state (if-bound) 785pass out on enc0 from 10.0.1.0/24 to 10.0.2.0/24 \e 786 keep state (if-bound) 787.Ed 788.Pp 789.Xr pf 4 790has the ability to filter IPsec-related packets 791based on an arbitrary 792.Em tag 793specified within a ruleset. 794The tag is used as an internal marker 795which can be used to identify the packets later on. 796This could be helpful, 797for example, 798in scenarios where users are connecting in from differing IP addresses, 799or to support queue-based bandwidth control, 800since the enc0 interface does not support it. 801.Pp 802The following 803.Xr pf.conf 5 804fragment uses queues for all IPsec traffic with special 805handling for developers and employees: 806.Bd -literal -offset indent 807queue std on ix0 bandwidth 100M 808queue deflt parent std bandwidth 10M default 809queue developers parent std bandwidth 75M 810queue employees parent std bandwidth 5M 811queue ipsec parent std bandwidth 10M 812 813pass out on ix0 proto esp set queue ipsec 814 815pass out on ix0 tagged ipsec-developers.example.com \e 816 set queue developers 817pass out on ix0 tagged ipsec-employees.example.com \e 818 set queue employees 819.Ed 820.Pp 821The following example assigns the tags in the 822.Nm 823configuration and also sets an alternative 824.Xr enc 4 825device: 826.Bd -literal -offset indent 827ikev2 esp from 10.1.1.0/24 to 10.1.2.0/24 peer 192.168.3.2 \e 828 tag "ipsec-$domain" tap "enc1" 829.Ed 830.Sh OUTGOING NETWORK ADDRESS TRANSLATION 831In some network topologies it is desirable to perform NAT on traffic leaving 832through the VPN tunnel. 833In order to achieve that, 834the 835.Ar src 836argument is used to negotiate the desired network ID with the peer 837and the 838.Ar srcnat 839parameter defines the true local subnet, 840so that a correct SA can be installed on the local side. 841.Pp 842For example, 843if the local subnet is 192.168.1.0/24 and all the traffic 844for a specific VPN peer should appear as coming from 10.10.10.1, 845the following configuration is used: 846.Bd -literal -offset indent 847ikev2 esp from 10.10.10.1 (192.168.1.0/24) to 192.168.2.0/24 \e 848 peer 10.10.20.1 849.Ed 850.Pp 851Naturally, 852a relevant NAT rule is required in 853.Xr pf.conf 5 . 854For the example above, 855this would be: 856.Bd -literal -offset indent 857match out on enc0 from 192.168.1.0/24 to 192.168.2.0/24 \e 858 nat-to 10.10.10.1 859.Ed 860.Pp 861From the peer's point of view, 862the local end of the VPN tunnel is declared to be 10.10.10.1 863and all the traffic arrives with that source address. 864.Sh CRYPTO TRANSFORMS 865The following authentication types are permitted with the 866.Ic auth 867keyword: 868.Bl -column "Authentication" "Key Length" "Truncated Length" "Default" -offset indent 869.It Em "Authentication" Ta Em "Key Length" Ta Em "Truncated Length" Ta Em "Default" 870.It Li hmac-md5 Ta "128 bits" Ta "96 bits" Ta "" 871.It Li hmac-sha1 Ta "160 bits" Ta "96 bits" Ta "x" 872.It Li hmac-sha2-256 Ta "256 bits" Ta "128 bits" Ta "x" 873.It Li hmac-sha2-384 Ta "384 bits" Ta "192 bits" Ta "" 874.It Li hmac-sha2-512 Ta "512 bits" Ta "256 bits" Ta "" 875.El 876.Pp 877The following pseudo-random function types are permitted with the 878.Ic prf 879keyword: 880.Bl -column "hmac-sha2-512" "Key Length" "Default" "[IKE only]" -offset indent 881.It Em "PRF" Ta Em "Key Length" Ta Em "Default" Ta "" 882.It Li hmac-md5 Ta "128 bits" Ta "" Ta "[IKE only]" 883.It Li hmac-sha1 Ta "160 bits" Ta "x" Ta "[IKE only]" 884.It Li hmac-sha2-256 Ta "256 bits" Ta "x" Ta "[IKE only]" 885.It Li hmac-sha2-384 Ta "384 bits" Ta "" Ta "[IKE only]" 886.It Li hmac-sha2-512 Ta "512 bits" Ta "" Ta "[IKE only]" 887.El 888.Pp 889The following cipher types are permitted with the 890.Ic enc 891keyword: 892.Bl -column "chacha20-poly1305" "Key Length" "Default" "[ESP only]" -offset indent 893.It Em "Cipher" Ta Em "Key Length" Ta Em "Default" Ta "" 894.It Li 3des Ta "168 bits" Ta "x" Ta "" 895.It Li aes-128 Ta "128 bits" Ta "x" Ta "" 896.It Li aes-192 Ta "192 bits" Ta "x" Ta "" 897.It Li aes-256 Ta "256 bits" Ta "x" Ta "" 898.It Li aes-128-ctr Ta "160 bits" Ta "" Ta "[ESP only]" 899.It Li aes-192-ctr Ta "224 bits" Ta "" Ta "[ESP only]" 900.It Li aes-256-ctr Ta "288 bits" Ta "" Ta "[ESP only]" 901.It Li aes-128-gcm Ta "160 bits" Ta "x" Ta "" 902.It Li aes-192-gcm Ta "224 bits" Ta "" Ta "[ESP only]" 903.It Li aes-256-gcm Ta "288 bits" Ta "x" Ta "" 904.It Li aes-128-gcm-12 Ta "160 bits" Ta "" Ta "[IKE only]" 905.It Li aes-256-gcm-12 Ta "288 bits" Ta "" Ta "[IKE only]" 906.It Li blowfish Ta "160 bits" Ta "" Ta "[ESP only]" 907.It Li cast Ta "128 bits" Ta "" Ta "[ESP only]" 908.It Li chacha20-poly1305 Ta "288 bits" Ta "" Ta "[ESP only]" 909.El 910.Pp 911The following cipher types provide only authentication, 912not encryption: 913.Bl -column "chacha20-poly1305" "Key Length" "Default" "[ESP only]" -offset indent 914.It Li aes-128-gmac Ta "160 bits" Ta "" Ta "[ESP only]" 915.It Li aes-192-gmac Ta "224 bits" Ta "" Ta "[ESP only]" 916.It Li aes-256-gmac Ta "288 bits" Ta "" Ta "[ESP only]" 917.It Li null Ta "" Ta "" Ta "[ESP only]" 918.El 919.Pp 920The Extended Sequence Numbers option can be enabled or disabled with the 921.Ic esn 922or 923.Ic noesn 924keywords: 925.Bl -column "noesn" "Default" "[ESP only]" -offset indent 926.It Em ESN Ta Em "Default" Ta Em "" 927.It Li esn Ta "x" Ta "[ESP only]" 928.It Li noesn Ta "x" Ta "[ESP only]" 929.El 930.Pp 931Transforms followed by 932.Bq IKE only 933can only be used with the 934.Ic ikesa 935keyword, transforms with 936.Bq ESP only 937can only be used with the 938.Ic childsa 939keyword. 940.Pp 9413DES requires 24 bytes to form its 168-bit key. 942This is because the most significant bit of each byte is used for parity. 943.Pp 944The keysize of AES-CTR is actually 128-bit. 945However as well as the key, a 32-bit nonce has to be supplied. 946Thus 160 bits of key material have to be supplied. 947The same applies to AES-GCM, AES-GMAC and Chacha20-Poly1305, 948however in the latter case the keysize is 256 bit. 949.Pp 950Using AES-GMAC or NULL with ESP will only provide authentication. 951This is useful in setups where AH cannot be used, e.g. when NAT is involved. 952.Pp 953The following group types are permitted with the 954.Ic group 955keyword: 956.Bl -column "brainpool224" "Group" "Size" "Curve25519" "Default" -offset indent 957.It Em Name Ta Em Group Ta Em Size Ta Em Type Ta Em Default 958.It Li modp768 Ta grp1 Ta 768 Ta "MODP" Ta "" Ta "[insecure]" 959.It Li modp1024 Ta grp2 Ta 1024 Ta "MODP" Ta "x" Ta "[weak]" 960.It Li modp1536 Ta grp5 Ta 1536 Ta "MODP" Ta "x" Ta "[weak]" 961.It Li modp2048 Ta grp14 Ta 2048 Ta "MODP" Ta "x" 962.It Li modp3072 Ta grp15 Ta 3072 Ta "MODP" Ta "x" 963.It Li modp4096 Ta grp16 Ta 4096 Ta "MODP" Ta "x" 964.It Li modp6144 Ta grp17 Ta 6144 Ta "MODP" Ta "" 965.It Li modp8192 Ta grp18 Ta 8192 Ta "MODP" Ta "" 966.It Li ecp256 Ta grp19 Ta 256 Ta "ECP" Ta "x" 967.It Li ecp384 Ta grp20 Ta 384 Ta "ECP" Ta "x" 968.It Li ecp521 Ta grp21 Ta 521 Ta "ECP" Ta "x" 969.It Li ecp192 Ta grp25 Ta 192 Ta "ECP" Ta "" 970.It Li ecp224 Ta grp26 Ta 224 Ta "ECP" Ta "" 971.It Li brainpool224 Ta grp27 Ta 224 Ta "ECP" Ta "" 972.It Li brainpool256 Ta grp28 Ta 256 Ta "ECP" Ta "" 973.It Li brainpool384 Ta grp29 Ta 384 Ta "ECP" Ta "" 974.It Li brainpool512 Ta grp30 Ta 512 Ta "ECP" Ta "" 975.It Li curve25519 Ta grp31 Ta 256 Ta "Curve25519" Ta "x" 976.El 977.Pp 978The currently supported group types are either 979MODP (exponentiation groups modulo a prime), 980ECP (elliptic curve groups modulo a prime), 981or Curve25519. 982Please note that MODP groups of less than 2048 bits are considered 983as weak or insecure (see RFC 8247 section 2.4) and only provided for 984backwards compatibility. 985.Sh FILES 986.Bl -tag -width /etc/examples/iked.conf -compact 987.It Pa /etc/iked.conf 988.It Pa /etc/examples/iked.conf 989.El 990.Sh EXAMPLES 991The first example is intended for a server with clients connecting to 992.Xr iked 8 993as an IPsec gateway, or IKEv2 responder, using mutual public key 994authentication and additional challenge-based EAP-MSCHAPv2 password 995authentication: 996.Bd -literal -offset indent 997user "test" "password123" 998 999ikev2 "win7" esp \e 1000 from 0.0.0.0/0 to 172.16.2.0/24 \e 1001 peer 10.0.0.0/8 local 192.168.56.0/24 \e 1002 eap "mschap-v2" \e 1003 config address 172.16.2.1 \e 1004 tag "$name-$id" 1005.Ed 1006.Pp 1007The next example allows peers to authenticate using a pre-shared key 1008.Sq foobar : 1009.Bd -literal -offset indent 1010ikev2 "big test" \e 1011 esp proto tcp \e 1012 from 10.0.0.0/8 port 23 to 20.0.0.0/8 port 40 \e 1013 from 192.168.1.1 to 192.168.2.2 \e 1014 peer any local any \e 1015 ikesa \e 1016 enc 3des auth hmac-sha2-256 \e 1017 group ecp256 group modp1024 \e 1018 ikesa \e 1019 enc 3des auth hmac-sha1 \e 1020 group ecp256 group modp1024 \e 1021 childsa enc aes-128 auth hmac-sha2-256 \e 1022 childsa enc aes-128 auth hmac-sha1 \e 1023 srcid host.example.com \e 1024 dstid 192.168.0.254 \e 1025 psk "foobar" 1026.Ed 1027.Pp 1028The following example illustrates the last matching policy 1029evaluation for incoming connections on an IKEv2 gateway. 1030The peer 192.168.1.34 will always match the first policy because of the 1031.Ar quick 1032keyword; 1033connections from the peers 192.168.1.3 and 192.168.1.2 will be matched 1034by one of the last two policies; 1035any other connections from 192.168.1.0/24 will be matched by the 1036.Sq subnet 1037policy; 1038and any other connection will be matched by the 1039.Sq catch all 1040policy. 1041.Bd -literal -offset indent 1042ikev2 quick esp from 10.10.10.0/24 to 10.20.20.0/24 \e 1043 peer 192.168.1.34 1044ikev2 "catch all" esp from 10.0.1.0/24 to 10.0.2.0/24 \e 1045 peer any 1046ikev2 "subnet" esp from 10.0.3.0/24 to 10.0.4.0/24 \e 1047 peer 192.168.1.0/24 1048ikev2 esp from 10.0.5.0/30 to 10.0.5.4/30 peer 192.168.1.2 1049ikev2 esp from 10.0.5.8/30 to 10.0.5.12/30 peer 192.168.1.3 1050.Ed 1051.Pp 1052This example encrypts a 1053.Xr gre 4 1054tunnel from local machine A (2001:db8::aa:1) to peer D (2001:db8::dd:4) based on 1055FQDN-based public key authentication; 1056.Ar transport 1057mode avoids double encapsulation: 1058.Bd -literal -offset indent 1059ikev2 transport \e 1060 proto gre \e 1061 from 2001:db8::aa:1 to 2001:db8::dd:4 \e 1062 peer D.example.com 1063.Ed 1064.Sh SEE ALSO 1065.Xr enc 4 , 1066.Xr ipsec 4 , 1067.Xr ipsec.conf 5 , 1068.Xr pf.conf 5 , 1069.Xr ikectl 8 , 1070.Xr iked 8 1071.Sh HISTORY 1072The 1073.Nm 1074file format first appeared in 1075.Ox 4.8 . 1076.Sh AUTHORS 1077The 1078.Xr iked 8 1079program was written by 1080.An Reyk Floeter Aq Mt reyk@openbsd.org . 1081