1.\" $OpenBSD: iked.conf.5,v 1.62 2020/02/16 11:28:28 kn Exp $ 2.\" 3.\" Copyright (c) 2010 - 2014 Reyk Floeter <reyk@openbsd.org> 4.\" Copyright (c) 2004 Mathieu Sauve-Frankel All rights reserved. 5.\" 6.\" Permission to use, copy, modify, and distribute this software for any 7.\" purpose with or without fee is hereby granted, provided that the above 8.\" copyright notice and this permission notice appear in all copies. 9.\" 10.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 11.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 12.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 13.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 14.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 15.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 16.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 17.\" 18.Dd $Mdocdate: February 16 2020 $ 19.Dt IKED.CONF 5 20.Os 21.Sh NAME 22.Nm iked.conf 23.Nd IKEv2 configuration file 24.Sh DESCRIPTION 25.Nm 26is the configuration file for 27.Xr iked 8 , 28the Internet Key Exchange version 2 (IKEv2) daemon for IPsec. 29IPsec itself is a pair of protocols: 30Encapsulating Security Payload (ESP), 31which provides integrity and confidentiality; 32and Authentication Header (AH), 33which provides integrity. 34The IPsec protocol itself is described in 35.Xr ipsec 4 . 36.Pp 37In its most basic form, a flow is established between hosts and/or 38networks, and then Security Associations (SA) are established, 39which detail how the desired protection will be achieved. 40IPsec uses flows to determine whether to apply security services to an 41IP packet or not. 42.Xr iked 8 43is used to set up flows and establish SAs automatically, 44by specifying 45.Sq ikev2 46policies in 47.Nm 48(see 49.Sx AUTOMATIC KEYING POLICIES , 50below). 51.Pp 52Alternative methods of setting up flows and SAs are also possible 53using manual keying or automatic keying using the older ISAKMP/Oakley 54a.k.a. IKEv1 protocol. 55Manual keying is not recommended, but can be convenient for quick 56setups and testing. 57See 58.Xr ipsec.conf 5 59and 60.Xr isakmpd 8 61for more information about manual keying and ISAKMP support. 62.Sh IKED.CONF FILE FORMAT 63.Nm 64is divided into three main sections: 65.Bl -tag -width xxxx 66.It Sy Macros 67User-defined macros may be defined and used later, simplifying the 68configuration file. 69.It Sy Global Configuration 70Global settings for 71.Xr iked 8 . 72.It Sy Automatic Keying Policies 73Policies to set up IPsec flows and SAs automatically. 74.El 75.Pp 76Lines beginning with 77.Sq # 78and empty lines are regarded as comments, 79and ignored. 80Lines may be split using the 81.Sq \e 82character. 83.Pp 84Argument names not beginning with a letter, digit, or underscore 85must be quoted. 86.Pp 87Addresses can be specified in CIDR notation (matching netblocks), 88as symbolic host names, interface names, or interface group names. 89.Pp 90Additional configuration files can be included with the 91.Ic include 92keyword, for example: 93.Bd -literal -offset indent 94include "/etc/macros.conf" 95.Ed 96.Sh MACROS 97Macros can be defined that will later be expanded in context. 98Macro names must start with a letter, digit, or underscore, 99and may contain any of those characters. 100Macro names may not be reserved words (for example 101.Ic flow , 102.Ic from , 103.Ic esp ) . 104Macros are not expanded inside quotes. 105.Pp 106For example: 107.Bd -literal -offset indent 108remote_gw = "192.168.3.12" 109ikev2 esp from 192.168.7.0/24 to 192.168.8.0/24 peer $remote_gw 110.Ed 111.Sh GLOBAL CONFIGURATION 112Here are the settings that can be set globally: 113.Bl -tag -width xxxx 114.It Ic set active 115Set 116.Xr iked 8 117to active mode. 118This is the default. 119.It Ic set passive 120Set 121.Xr iked 8 122to passive mode. 123In passive mode no packets are sent to peers and no connections are 124initiated by 125.Xr iked 8 . 126This option is used for setups using 127.Xr sasyncd 8 128and 129.Xr carp 4 130to provide redundancy. 131iked will run in passive mode until sasyncd has determined that the host 132is the master and can switch to active mode. 133.It Ic set couple 134Load the negotiated security associations (SAs) and flows into the kernel. 135This is the default. 136.It Ic set decouple 137Don't load the negotiated SAs and flows from the kernel. 138This mode is only useful for testing and debugging. 139.It Ic set fragmentation 140Enable IKEv2 Message Fragmentation (RFC 7383) support. 141This allows IKEv2 to operate in environments that might block IP fragments. 142.It Ic set nofragmentation 143Disables IKEv2 Message Fragmentation support. 144This is the default. 145.It Ic set mobike 146Enable MOBIKE (RFC 4555) support. 147This is the default. 148MOBIKE allows the peer IP address to be changed for IKE and IPsec SAs. 149Currently 150.Xr iked 8 151only supports MOBIKE when acting as a responder. 152.It Ic set nomobike 153Disables MOBIKE support. 154.It Ic set ocsp Ar URL 155Enable OCSP and set the URL of the OCSP responder. 156Please note that the matching responder and issuer certificates 157have to be placed in 158.Pa /etc/iked/ocsp/responder.crt 159and 160.Pa /etc/iked/ocsp/issuer.crt . 161.It Ic user Ar name Ar password 162.Xr iked 8 163supports user-based authentication by tunneling the Extensible 164Authentication Protocol (EAP) over IKEv2. 165In its most basic form, the users will be authenticated against a 166local, integrated password database that is configured with the 167.Ic user 168lines in 169.Nm 170and the 171.Ar name 172and 173.Ar password 174arguments. 175Note that the password has to be specified in plain text which is 176required to support different challenge-based EAP methods like 177EAP-MD5 or EAP-MSCHAPv2. 178.El 179.Sh AUTOMATIC KEYING POLICIES 180This section is used to configure policies that will be used by 181.Xr iked 8 182to set up flows and SAs automatically. 183Some examples of setting up automatic keying: 184.Bd -literal -offset 3n 185# Set up a VPN: 186# First between the gateway machines 192.168.3.1 and 192.168.3.2 187# Second between the networks 10.1.1.0/24 and 10.1.2.0/24 188ikev2 esp from 192.168.3.1 to 192.168.3.2 189ikev2 esp from 10.1.1.0/24 to 10.1.2.0/24 peer 192.168.3.2 190.Ed 191.Pp 192For incoming connections from remote peers, the policies are evaluated 193in sequential order, from first to last. 194The last matching policy decides what action is taken; if no policy matches 195the connection, the default action is to ignore the connection attempt or 196to use the 197.Ar default 198policy, if set. 199Please also see the 200.Sx EXAMPLES 201section for a detailed example of the policy evaluation. 202.Pp 203The first time an IKEv2 connection matches a policy, an IKE SA is 204created; for subsequent packets the connection is identified by the 205IKEv2 parameters that are stored in the SA without evaluating any 206policies. 207After the connection is closed or times out, the IKE SA is 208automatically removed. 209.Pp 210The commands are as follows: 211.Bl -tag -width xxxx 212.It Xo 213.Ic ikev2 214.Op Ar name 215.Xc 216The mandatory 217.Ic ikev2 218keyword will identify an IKEv2 automatic keying policy. 219.Ar name 220is an optional arbitrary string identifying the policy. 221The name should only occur once in 222.Nm 223or any included files. 224If omitted, 225a name will be generated automatically for the policy. 226.It Op Ar eval 227The 228.Ar eval 229option modifies the policy evaluation for this policy. 230It can be one of 231.Ar quick , 232.Ar skip 233or 234.Ar default . 235If a new incoming connection matches a policy with the 236.Ar quick 237option set, that policy is considered the last matching policy, 238and evaluation of subsequent policies is skipped. 239The 240.Ar skip 241option will disable evaluation of this policy for incoming connections. 242The 243.Ar default 244option sets the default policy and should only be specified once. 245.It Op Ar mode 246.Ar mode 247specifies the IKEv2 mode to use: 248one of 249.Ar passive 250or 251.Ar active . 252When 253.Ar passive 254is specified, 255.Xr iked 8 256will not immediately start negotiation of this tunnel, but wait for an incoming 257request from the remote peer. 258When 259.Ar active 260is specified, negotiation will be started at once. 261If omitted, 262.Ar passive 263mode will be used. 264.It Op Ar ipcomp 265The keyword 266.Ar ipcomp 267specifies that 268.Xr ipcomp 4 , 269the IP Payload Compression protocol, is negotiated in addition to encapsulation. 270The optional compression is applied before packets are encapsulated. 271IPcomp must be enabled in the kernel: 272.Pp 273.Dl # sysctl net.inet.ipcomp.enable=1 274.It Op Ar encap 275.Ar encap 276specifies the encapsulation protocol to be used. 277Possible protocols are 278.Ar esp 279and 280.Ar ah ; 281the default is 282.Ar esp . 283.\" .It Op Ar tmode 284.\" .Ar tmode 285.\" describes the encapsulation mode to be used. 286.\" Possible modes are 287.\" .Ar tunnel 288.\" and 289.\" .Ar transport ; 290.\" the default is 291.\" .Ar tunnel . 292.It Op Ar af 293This policy only applies to endpoints of the specified address family 294which can be either 295.Ar inet 296or 297.Ar inet6 . 298Note that this only matters for IKEv2 endpoints and does not 299restrict the traffic selectors to negotiate flows with different 300address families, e.g. IPv6 flows negotiated by IPv4 endpoints. 301.It Ic proto Ar protocol 302The optional 303.Ic proto 304parameter restricts the flow to a specific IP protocol. 305Common protocols are 306.Xr icmp 4 , 307.Xr tcp 4 , 308and 309.Xr udp 4 . 310For a list of all the protocol name to number mappings used by 311.Xr iked 8 , 312see the file 313.Pa /etc/protocols . 314.It Xo 315.Ic from Ar src 316.Op Ic port Ar sport 317.Op Pq Ar srcnat 318.Ic to Ar dst 319.Op Ic port Ar dport 320.Xc 321Specify one or more traffic selectors for this policy which will be 322used to negotiate the IPsec flows between the IKEv2 peers. 323During the negotiation, the peers may decide to narrow a flow to a 324subset of the configured traffic selector networks to match the 325policies on each side. 326.Pp 327Each traffic selector will apply for packets with source address 328.Ar src 329and destination address 330.Ar dst . 331The keyword 332.Ar any 333will match any address (i.e. 0.0.0.0/0). 334If the 335.Ar src 336argument specifies a fictional source ID, 337the 338.Ar srcnat 339parameter can be used to specify the actual source address. 340This can be used in outgoing NAT/BINAT scenarios as described below. 341.Pp 342The optional 343.Ic port 344modifiers restrict the traffic selectors to the specified ports. 345They are only valid in conjunction with the 346.Xr tcp 4 347and 348.Xr udp 4 349protocols. 350Ports can be specified by number or by name. 351For a list of all port name to number mappings used by 352.Xr ipsecctl 8 , 353see the file 354.Pa /etc/services . 355.It Ic local Ar localip Ic peer Ar remote 356The 357.Ic local 358parameter specifies the address or FQDN of the local endpoint. 359Unless the gateway is multi-homed or uses address aliases, 360this option is generally not needed. 361.Pp 362The 363.Ic peer 364parameter specifies the address or FQDN of the remote endpoint. 365For host-to-host connections where 366.Ar dst 367is identical to 368.Ar remote , 369this option is generally not needed as it will be set to 370.Ar dst 371automatically. 372If it is not specified or if the keyword 373.Ar any 374is given, the default peer is used. 375.It Xo 376.Ic ikesa 377.Ic auth Ar algorithm 378.Ic enc Ar algorithm 379.Ic prf Ar algorithm 380.Ic group Ar group 381.Xc 382These parameters define the mode and cryptographic transforms to be 383used for the IKE SA negotiation, also known as phase 1. 384The IKE SA will be used to authenticate the machines and to set up an 385encrypted channel for the IKEv2 protocol. 386.Pp 387Possible values for 388.Ic auth , 389.Ic enc , 390.Ic prf , 391.Ic group , 392and the default proposals are described below in 393.Sx CRYPTO TRANSFORMS . 394If omitted, 395.Xr iked 8 396will use the default proposals for the IKEv2 protocol. 397.Pp 398The keyword 399.Ic ikesa 400can be used multiple times as a delimiter between IKE SA proposals. 401The order of the proposals depend on the order in the configuration. 402The keywords 403.Ic auth , 404.Ic enc , 405.Ic prf 406and 407.Ic group 408can be used multiple times within a single proposal to configure 409multiple crypto transforms. 410.It Xo 411.Ic childsa 412.Ic auth Ar algorithm 413.Ic enc Ar algorithm 414.Ic group Ar group 415.Ic esn 416.Xc 417These parameters define the cryptographic transforms to be used for 418the Child SA negotiation, also known as phase 2. 419Each Child SA will be used to negotiate the actual IPsec SAs. 420The initial Child SA is always negotiated with the initial IKEv2 key 421exchange; additional Child SAs may be negotiated with additional 422Child SA key exchanges for an established IKE SA. 423.Pp 424Possible values for 425.Ic auth , 426.Ic enc , 427.Ic group , 428.Ic esn , 429and the default proposals are described below in 430.Sx CRYPTO TRANSFORMS . 431If omitted, 432.Xr iked 8 433will use the default proposals for the ESP or AH protocol. 434.Pp 435The 436.Ic group 437option will only be used to enable Perfect Forward Secrecy (PFS) 438for additional Child SAs exchanges that are not part of the initial 439key exchange. 440.Pp 441The keyword 442.Ic childsa 443can be used multiple times as a delimiter between Child SA proposals. 444The order of the proposals depend on the order in the configuration. 445The keywords 446.Ic auth , 447.Ic enc 448and 449.Ic group 450can be used multiple times within a single proposal to configure 451multiple crypto transforms. 452.It Ic srcid Ar string Ic dstid Ar string 453.Ic srcid 454defines an ID of type 455.Dq FQDN , 456.Dq ASN1_DN , 457.Dq IPV4 , 458.Dq IPV6 , 459or 460.Dq UFQDN 461that will be used by 462.Xr iked 8 463as the identity of the local peer. 464If the argument is an email address (reyk@example.com), 465.Xr iked 8 466will use UFQDN as the ID type. 467The ASN1_DN type will be used if the string starts with a slash 468.Sq / 469(/C=DE/../CN=10.0.0.1/emailAddress=reyk@example.com). 470If the argument is an IPv4 address or a compressed IPv6 address, 471the ID types IPV4 or IPV6 will be used. 472Anything else is considered to be an FQDN. 473.Pp 474If 475.Ic srcid 476is omitted, 477the default is to use the hostname of the local machine, 478see 479.Xr hostname 1 480to set or print the hostname. 481.Pp 482.Ic dstid 483is similar to 484.Ic srcid , 485but instead specifies the ID to be used 486by the remote peer. 487.It Ic ikelifetime Ar time 488The optional 489.Ic ikelifetime 490parameter defines the IKE SA expiration timeout by the 491.Ar time 492SA was created. 493A zero value disables active IKE SA rekeying. 494This is the default. 495.Pp 496The accepted format of the 497.Ar time 498specification is described below. 499.It Ic lifetime Ar time Op Ic bytes Ar bytes 500The optional 501.Ic lifetime 502parameter defines the Child SA expiration timeout by the 503.Ar time 504SA was in use and by the number of 505.Ar bytes 506that were processed using the SA. 507Default values are 3 hours and 512 megabytes which means that SA will be 508rekeyed before reaching the time limit or 512 megabytes of data 509will pass through. 510Zero values disable rekeying. 511.Pp 512Several unit specifiers are recognized (ignoring case): 513.Ql m 514and 515.Ql h 516for minutes and hours, and 517.Ql K , 518.Ql M 519and 520.Ql G 521for kilo-, mega- and gigabytes accordingly. 522.Pp 523Please note that rekeying must happen at least several times a day as 524IPsec security heavily depends on frequent key renewals. 525.It Op Ar ikeauth 526Specify a method to be used to authenticate the remote peer. 527.Xr iked 8 528will automatically determine a method based on public keys or certificates 529configured for the peer. 530.Ar ikeauth 531can be used to override this behaviour. 532Non-psk modes will require setting up certificates and RSA or ECDSA public 533keys; see 534.Xr iked 8 535for more information. 536.Pp 537.Bl -tag -width $domain -compact -offset indent 538.It Ic eap Ar type 539Use EAP to authenticate the initiator. 540The only supported EAP 541.Ar type 542is currently 543.Ar MSCHAP-V2 . 544The responder will use RSA public key authentication. 545.It Ic ecdsa256 546Use ECDSA with a 256-bit elliptic curve key and SHA2-256 for authentication. 547.It Ic ecdsa384 548Use ECDSA with a 384-bit elliptic curve key and SHA2-384 for authentication. 549.It Ic ecdsa521 550Use ECDSA with a 521-bit elliptic curve key and SHA2-512 for authentication. 551.It Ic psk Ar string 552Use a pre-shared key 553.Ar string 554or hex value (starting with 0x) for authentication. 555.It Ic rfc7427 556Only use RFC 7427 signatures for authentication. 557RFC 7427 signatures currently only support SHA2-256 as the hash. 558.It Ic rsa 559Use RSA public key authentication with SHA1 as the hash. 560.El 561.Pp 562The default is to allow any signature authentication. 563.It Ic config Ar option address 564Send one or more optional configuration payloads (CP) to the peer. 565The configuration 566.Ar option 567can be one of the following with the expected address format: 568.Pp 569.Bl -tag -width Ds -compact -offset indent 570.It Ic address Ar address 571Assign a static address on the internal network. 572.It Ic address Ar address/prefix 573Assign a dynamic address on the internal network. 574The address will be assigned from an address pool with the size specified by 575.Ar prefix . 576.It Ic netmask Ar netmask 577The IPv4 netmask of the internal network. 578.It Ic name-server Ar address 579The DNS server address within the internal network. 580.It Ic netbios-server Ar address 581The NetBIOS name server (WINS) within the internal network. 582This option is provided for compatibility with legacy clients. 583.It Ic dhcp-server Ar address 584The address of an internal DHCP server for further configuration. 585.It Ic protected-subnet Ar address/prefix 586The address of an additional IPv4 or IPv6 subnet reachable over the 587gateway. 588This option is used to notify the peer of a subnet behind the gateway (that 589might require a second SA). 590Networks specified in this SA's "from" or "to" options do not need to be 591included. 592.It Ic access-server Ar address 593The address of an internal remote access server. 594.El 595.It Ic tag Ar string 596Add a 597.Xr pf 4 598tag to all packets of IPsec SAs created for this connection. 599This will allow matching packets for this connection by defining 600rules in 601.Xr pf.conf 5 602using the 603.Cm tagged 604keyword. 605.Pp 606The following variables can be used in tags to include information 607from the remote peer on runtime: 608.Pp 609.Bl -tag -width $domain -compact -offset indent 610.It Ar $id 611The 612.Ic dstid 613that was proposed by the remote peer to identify itself. 614It will be expanded to 615.Ar id-value , 616e.g.\& 617.Ar FQDN/foo.example.com . 618To limit the size of the derived tag, 619.Xr iked 8 620will extract the common name 621.Sq CN= 622from ASN1_DN IDs, for example 623.Ar ASN1_ID//C=DE/../CN=10.1.1.1/.. 624will be expanded to 625.Ar 10.1.1.1 . 626.It Ar $eapid 627For a connection using EAP, the identity (username) used by the remote peer. 628.It Ar $domain 629Extract the domain from IDs of type FQDN, UFQDN or ASN1_DN. 630.It Ar $name 631The name of the IKEv2 policy that was configured in 632.Nm 633or automatically generated by 634.Xr iked 8 . 635.El 636.Pp 637For example, if the ID is 638.Ar FQDN/foo.example.com 639or 640.Ar UFQDN/user@example.com , 641.Dq ipsec-$domain 642expands to 643.Dq ipsec-example.com . 644The variable expansion for the 645.Ar tag 646directive occurs only at runtime (not when the file is parsed) 647and must be quoted, or it will be interpreted as a macro. 648.It Ic tap Ar interface 649Send the decapsulated IPsec traffic to the specified 650.Xr enc 4 651.Ar interface 652instead of 653.Ar enc0 654for filtering and monitoring. 655The traffic will be blocked if the specified 656.Ar interface 657does not exist. 658.El 659.Sh PACKET FILTERING 660IPsec traffic appears unencrypted on the 661.Xr enc 4 662interface 663and can be filtered accordingly using the 664.Ox 665packet filter, 666.Xr pf 4 . 667The grammar for the packet filter is described in 668.Xr pf.conf 5 . 669.Pp 670The following components are relevant to filtering IPsec traffic: 671.Bl -ohang -offset indent 672.It external interface 673Interface for IKE traffic and encapsulated IPsec traffic. 674.It proto udp port 500 675IKE traffic on the external interface. 676.It proto udp port 4500 677IKE NAT-Traversal traffic on the external interface. 678.It proto ah | esp 679Encapsulated IPsec traffic 680on the external interface. 681.It enc0 682Default interface for outgoing traffic before it's been encapsulated, 683and incoming traffic after it's been decapsulated. 684State on this interface should be interface bound; 685see 686.Xr enc 4 687for further information. 688.It proto ipencap 689[tunnel mode only] 690IP-in-IP traffic flowing between gateways 691on the enc0 interface. 692.It tagged ipsec-example.org 693Match traffic of IPsec SAs using the 694.Ic tag 695keyword. 696.El 697.Pp 698If the filtering rules specify to block everything by default, 699the following rule 700would ensure that IPsec traffic never hits the packet filtering engine, 701and is therefore passed: 702.Bd -literal -offset indent 703set skip on enc0 704.Ed 705.Pp 706In the following example, all traffic is blocked by default. 707IPsec-related traffic from gateways {192.168.3.1, 192.168.3.2} and 708networks {10.0.1.0/24, 10.0.2.0/24} is permitted. 709.Bd -literal -offset indent 710block on ix0 711block on enc0 712 713pass in on ix0 proto udp from 192.168.3.2 to 192.168.3.1 \e 714 port {500, 4500} 715pass out on ix0 proto udp from 192.168.3.1 to 192.168.3.2 \e 716 port {500, 4500} 717 718pass in on ix0 proto esp from 192.168.3.2 to 192.168.3.1 719pass out on ix0 proto esp from 192.168.3.1 to 192.168.3.2 720 721pass in on enc0 proto ipencap from 192.168.3.2 to 192.168.3.1 \e 722 keep state (if-bound) 723pass out on enc0 proto ipencap from 192.168.3.1 to 192.168.3.2 \e 724 keep state (if-bound) 725pass in on enc0 from 10.0.2.0/24 to 10.0.1.0/24 \e 726 keep state (if-bound) 727pass out on enc0 from 10.0.1.0/24 to 10.0.2.0/24 \e 728 keep state (if-bound) 729.Ed 730.Pp 731.Xr pf 4 732has the ability to filter IPsec-related packets 733based on an arbitrary 734.Em tag 735specified within a ruleset. 736The tag is used as an internal marker 737which can be used to identify the packets later on. 738This could be helpful, 739for example, 740in scenarios where users are connecting in from differing IP addresses, 741or to support queue-based bandwidth control, 742since the enc0 interface does not support it. 743.Pp 744The following 745.Xr pf.conf 5 746fragment uses queues for all IPsec traffic with special 747handling for developers and employees: 748.Bd -literal -offset indent 749queue std on ix0 bandwidth 100M 750queue deflt parent std bandwidth 10M default 751queue developers parent std bandwidth 75M 752queue employees parent std bandwidth 5M 753queue ipsec parent std bandwidth 10M 754 755pass out on ix0 proto esp set queue ipsec 756 757pass out on ix0 tagged ipsec-developers.example.com \e 758 set queue developers 759pass out on ix0 tagged ipsec-employees.example.com \e 760 set queue employees 761.Ed 762.Pp 763The following example assigns the tags in the 764.Nm 765configuration and also sets an alternative 766.Xr enc 4 767device: 768.Bd -literal -offset indent 769ikev2 esp from 10.1.1.0/24 to 10.1.2.0/24 peer 192.168.3.2 \e 770 tag "ipsec-$domain" tap "enc1" 771.Ed 772.Sh OUTGOING NETWORK ADDRESS TRANSLATION 773In some network topologies it is desirable to perform NAT on traffic leaving 774through the VPN tunnel. 775In order to achieve that, 776the 777.Ar src 778argument is used to negotiate the desired network ID with the peer 779and the 780.Ar srcnat 781parameter defines the true local subnet, 782so that a correct SA can be installed on the local side. 783.Pp 784For example, 785if the local subnet is 192.168.1.0/24 and all the traffic 786for a specific VPN peer should appear as coming from 10.10.10.1, 787the following configuration is used: 788.Bd -literal -offset indent 789ikev2 esp from 10.10.10.1 (192.168.1.0/24) to 192.168.2.0/24 \e 790 peer 10.10.20.1 791.Ed 792.Pp 793Naturally, 794a relevant NAT rule is required in 795.Xr pf.conf 5 . 796For the example above, 797this would be: 798.Bd -literal -offset indent 799match out on enc0 from 192.168.1.0/24 to 192.168.2.0/24 \e 800 nat-to 10.10.10.1 801.Ed 802.Pp 803From the peer's point of view, 804the local end of the VPN tunnel is declared to be 10.10.10.1 805and all the traffic arrives with that source address. 806.Sh CRYPTO TRANSFORMS 807The following authentication types are permitted with the 808.Ic auth 809keyword: 810.Bl -column "Authentication" "Key Length" "Truncated Length" -offset indent 811.It Em "Authentication" Ta Em "Key Length" Ta Em "Truncated Length" 812.It Li hmac-md5 Ta "128 bits" Ta "96 bits" 813.It Li hmac-sha1 Ta "160 bits" Ta "96 bits" 814.It Li hmac-sha2-256 Ta "256 bits" Ta "128 bits" 815.It Li hmac-sha2-384 Ta "384 bits" Ta "192 bits" 816.It Li hmac-sha2-512 Ta "512 bits" Ta "256 bits" 817.El 818.Pp 819The following pseudo-random function types are permitted with the 820.Ic prf 821keyword: 822.Bl -column "hmac-sha2-512" "Key Length" "[IKE only]" -offset indent 823.It Em "PRF" Ta Em "Key Length" Ta "" 824.It Li hmac-md5 Ta "128 bits" Ta "[IKE only]" 825.It Li hmac-sha1 Ta "160 bits" Ta "[IKE only]" 826.It Li hmac-sha2-256 Ta "256 bits" Ta "[IKE only]" 827.It Li hmac-sha2-384 Ta "384 bits" Ta "[IKE only]" 828.It Li hmac-sha2-512 Ta "512 bits" Ta "[IKE only]" 829.El 830.Pp 831The following cipher types are permitted with the 832.Ic enc 833keyword: 834.Bl -column "chacha20-poly1305" "Key Length" "[ESP only]" -offset indent 835.It Em "Cipher" Ta Em "Key Length" Ta "" 836.It Li 3des Ta "168 bits" Ta "" 837.It Li aes-128 Ta "128 bits" Ta "" 838.It Li aes-192 Ta "192 bits" Ta "" 839.It Li aes-256 Ta "256 bits" Ta "" 840.It Li aes-128-ctr Ta "160 bits" Ta "[ESP only]" 841.It Li aes-192-ctr Ta "224 bits" Ta "[ESP only]" 842.It Li aes-256-ctr Ta "288 bits" Ta "[ESP only]" 843.It Li aes-128-gcm Ta "160 bits" Ta "[ESP only]" 844.It Li aes-192-gcm Ta "224 bits" Ta "[ESP only]" 845.It Li aes-256-gcm Ta "288 bits" Ta "[ESP only]" 846.It Li blowfish Ta "160 bits" Ta "[ESP only]" 847.It Li cast Ta "128 bits" Ta "[ESP only]" 848.It Li chacha20-poly1305 Ta "288 bits" Ta "[ESP only]" 849.El 850.Pp 851The following cipher types provide only authentication, 852not encryption: 853.Bl -column "chacha20-poly1305" "Key Length" "[ESP only]" -offset indent 854.It Li aes-128-gmac Ta "160 bits" Ta "[ESP only]" 855.It Li aes-192-gmac Ta "224 bits" Ta "[ESP only]" 856.It Li aes-256-gmac Ta "288 bits" Ta "[ESP only]" 857.It Li null Ta "" Ta "[ESP only]" 858.El 859.Pp 860The Extended Sequence Numbers option can be enabled or disabled with the 861.Ic esn 862or 863.Ic noesn 864keywords: 865.Bl -column "noesn" "[ESP only]" -offset indent 866.It Em ESN Ta "" 867.It Li esn Ta "[ESP only]" 868.It Li noesn Ta "[ESP only]" 869.El 870.Pp 871Transforms followed by 872.Bq IKE only 873can only be used with the 874.Ic ikesa 875keyword, transforms with 876.Bq ESP only 877can only be used with the 878.Ic childsa 879keyword. 880.Pp 8813DES requires 24 bytes to form its 168-bit key. 882This is because the most significant bit of each byte is used for parity. 883.Pp 884The keysize of AES-CTR is actually 128-bit. 885However as well as the key, a 32-bit nonce has to be supplied. 886Thus 160 bits of key material have to be supplied. 887The same applies to AES-GCM, AES-GMAC and Chacha20-Poly1305, 888however in the latter case the keysize is 256 bit. 889.Pp 890Using AES-GMAC or NULL with ESP will only provide authentication. 891This is useful in setups where AH cannot be used, e.g. when NAT is involved. 892.Pp 893The following group types are permitted with the 894.Ic group 895keyword: 896.Bl -column "modp1024-160" "Group" "Size" "Type" -offset indent 897.It Em Name Ta Em Group Ta Em Size Ta Em Type 898.It Li modp768 Ta grp1 Ta 768 Ta "MODP" 899.It Li modp1024 Ta grp2 Ta 1024 Ta "MODP" 900.It Li ec2n155 Ta grp3 Ta 155 Ta "EC2N [insecure]" 901.It Li ec2n185 Ta grp4 Ta 185 Ta "EC2N [insecure]" 902.It Li modp1536 Ta grp5 Ta 1536 Ta "MODP" 903.It Li modp2048 Ta grp14 Ta 2048 Ta "MODP" 904.It Li modp3072 Ta grp15 Ta 3072 Ta "MODP" 905.It Li modp4096 Ta grp16 Ta 4096 Ta "MODP" 906.It Li modp6144 Ta grp17 Ta 6144 Ta "MODP" 907.It Li modp8192 Ta grp18 Ta 8192 Ta "MODP" 908.It Li ecp256 Ta grp19 Ta 256 Ta "ECP" 909.It Li ecp384 Ta grp20 Ta 384 Ta "ECP" 910.It Li ecp521 Ta grp21 Ta 521 Ta "ECP" 911.It Li ecp192 Ta grp25 Ta 192 Ta "ECP" 912.It Li ecp224 Ta grp26 Ta 224 Ta "ECP" 913.It Li brainpool224 Ta grp27 Ta 224 Ta "ECP, brainpoolP224r1" 914.It Li brainpool256 Ta grp28 Ta 256 Ta "ECP, brainpoolP256r1" 915.It Li brainpool384 Ta grp29 Ta 384 Ta "ECP, brainpoolP384r1" 916.It Li brainpool512 Ta grp30 Ta 512 Ta "ECP, brainpoolP512r1" 917.It Li curve25519 Ta - Ta 256 Ta "Curve25519" 918.El 919.Pp 920The currently supported group types are either 921MODP (exponentiation groups modulo a prime), 922EC2N (elliptic curve groups over GF[2^N]), 923ECP (elliptic curve groups modulo a prime), 924or Curve25519. 925Please note that the EC2N groups are considered as insecure and only 926provided for backwards compatibility. 927.Sh FILES 928.Bl -tag -width /etc/examples/iked.conf -compact 929.It Pa /etc/iked.conf 930.It Pa /etc/examples/iked.conf 931.El 932.Sh EXAMPLES 933The first example is intended for a server with clients connecting to 934.Xr iked 8 935as an IPsec gateway, or IKEv2 responder, using mutual public key 936authentication and additional challenge-based EAP-MSCHAPv2 password 937authentication: 938.Bd -literal -offset indent 939user "test" "password123" 940 941ikev2 "win7" esp \e 942 from 0.0.0.0/0 to 172.16.2.0/24 \e 943 peer 10.0.0.0/8 local 192.168.56.0/24 \e 944 eap "mschap-v2" \e 945 config address 172.16.2.1 \e 946 tag "$name-$id" 947.Ed 948.Pp 949The next example allows peers to authenticate using a pre-shared key 950.Sq foobar : 951.Bd -literal -offset indent 952ikev2 "big test" \e 953 esp proto tcp \e 954 from 10.0.0.0/8 port 23 to 20.0.0.0/8 port 40 \e 955 from 192.168.1.1 to 192.168.2.2 \e 956 peer any local any \e 957 ikesa \e 958 enc 3des auth hmac-sha2-256 \e 959 group ecp256 group modp1024 \e 960 ikesa \e 961 enc 3des auth hmac-sha1 \e 962 group ecp256 group modp1024 \e 963 childsa enc aes-128 auth hmac-sha2-256 \e 964 childsa enc aes-128 auth hmac-sha1 \e 965 srcid host.example.com \e 966 dstid 192.168.0.254 \e 967 psk "foobar" 968.Ed 969.Pp 970The following example illustrates the last matching policy 971evaluation for incoming connections on an IKEv2 gateway. 972The peer 192.168.1.34 will always match the first policy because of the 973.Ar quick 974keyword; 975connections from the peers 192.168.1.3 and 192.168.1.2 will be matched 976by one of the last two policies; 977any other connections from 192.168.1.0/24 will be matched by the 978.Sq subnet 979policy; 980and any other connection will be matched by the 981.Sq catch all 982policy. 983.Bd -literal -offset indent 984ikev2 quick esp from 10.10.10.0/24 to 10.20.20.0/24 \e 985 peer 192.168.1.34 986ikev2 "catch all" esp from 10.0.1.0/24 to 10.0.2.0/24 \e 987 peer any 988ikev2 "subnet" esp from 10.0.3.0/24 to 10.0.4.0/24 \e 989 peer 192.168.1.0/24 990ikev2 esp from 10.0.5.0/30 to 10.0.5.4/30 peer 192.168.1.2 991ikev2 esp from 10.0.5.8/30 to 10.0.5.12/30 peer 192.168.1.3 992.Ed 993.Sh SEE ALSO 994.Xr enc 4 , 995.Xr ipsec 4 , 996.Xr ipsec.conf 5 , 997.Xr pf.conf 5 , 998.Xr ikectl 8 , 999.Xr iked 8 1000.Sh HISTORY 1001The 1002.Nm 1003file format first appeared in 1004.Ox 4.8 . 1005.Sh AUTHORS 1006The 1007.Xr iked 8 1008program was written by 1009.An Reyk Floeter Aq Mt reyk@openbsd.org . 1010