1.\" $OpenBSD: iked.conf.5,v 1.73 2020/08/18 21:02:49 tobhe Exp $ 2.\" 3.\" Copyright (c) 2010 - 2014 Reyk Floeter <reyk@openbsd.org> 4.\" Copyright (c) 2004 Mathieu Sauve-Frankel All rights reserved. 5.\" 6.\" Permission to use, copy, modify, and distribute this software for any 7.\" purpose with or without fee is hereby granted, provided that the above 8.\" copyright notice and this permission notice appear in all copies. 9.\" 10.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 11.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 12.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 13.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 14.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 15.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 16.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 17.\" 18.Dd $Mdocdate: August 18 2020 $ 19.Dt IKED.CONF 5 20.Os 21.Sh NAME 22.Nm iked.conf 23.Nd IKEv2 configuration file 24.Sh DESCRIPTION 25.Nm 26is the configuration file for 27.Xr iked 8 , 28the Internet Key Exchange version 2 (IKEv2) daemon for IPsec. 29IPsec itself is a pair of protocols: 30Encapsulating Security Payload (ESP), 31which provides integrity and confidentiality; 32and Authentication Header (AH), 33which provides integrity. 34The IPsec protocol itself is described in 35.Xr ipsec 4 . 36.Pp 37In its most basic form, a flow is established between hosts and/or 38networks, and then Security Associations (SA) are established, 39which detail how the desired protection will be achieved. 40IPsec uses flows to determine whether to apply security services to an 41IP packet or not. 42.Xr iked 8 43is used to set up flows and establish SAs automatically, 44by specifying 45.Sq ikev2 46policies in 47.Nm 48(see 49.Sx AUTOMATIC KEYING POLICIES , 50below). 51.Pp 52Alternative methods of setting up flows and SAs are also possible 53using manual keying or automatic keying using the older ISAKMP/Oakley 54a.k.a. IKEv1 protocol. 55Manual keying is not recommended, but can be convenient for quick 56setups and testing. 57See 58.Xr ipsec.conf 5 59and 60.Xr isakmpd 8 61for more information about manual keying and ISAKMP support. 62.Sh IKED.CONF FILE FORMAT 63.Nm 64is divided into three main sections: 65.Bl -tag -width xxxx 66.It Sy Macros 67User-defined macros may be defined and used later, simplifying the 68configuration file. 69.It Sy Global Configuration 70Global settings for 71.Xr iked 8 . 72.It Sy Automatic Keying Policies 73Policies to set up IPsec flows and SAs automatically. 74.El 75.Pp 76Lines beginning with 77.Sq # 78and empty lines are regarded as comments, 79and ignored. 80Lines may be split using the 81.Sq \e 82character. 83.Pp 84Argument names not beginning with a letter, digit, or underscore 85must be quoted. 86.Pp 87Addresses can be specified in CIDR notation (matching netblocks), 88as symbolic host names, interface names, or interface group names. 89.Pp 90Additional configuration files can be included with the 91.Ic include 92keyword, for example: 93.Bd -literal -offset indent 94include "/etc/macros.conf" 95.Ed 96.Sh MACROS 97Macros can be defined that will later be expanded in context. 98Macro names must start with a letter, digit, or underscore, 99and may contain any of those characters. 100Macro names may not be reserved words (for example 101.Ic flow , 102.Ic from , 103.Ic esp ) . 104Macros are not expanded inside quotes. 105.Pp 106For example: 107.Bd -literal -offset indent 108remote_gw = "192.168.3.12" 109ikev2 esp from 192.168.7.0/24 to 192.168.8.0/24 peer $remote_gw 110.Ed 111.Sh GLOBAL CONFIGURATION 112Here are the settings that can be set globally: 113.Bl -tag -width xxxx 114.It Ic set active 115Set 116.Xr iked 8 117to global active mode. 118In active mode the per-policy 119.Ar mode 120setting is respected. 121.Xr iked 8 122will initiate policies set to 123.Ar active 124and wait for incoming requests for policies set to 125.Ar passive . 126This is the default. 127.It Ic set passive 128Set 129.Xr iked 8 130to global passive mode. 131In passive mode no packets are sent to peers and no connections are 132initiated by 133.Xr iked 8 , 134even for 135.Ar active 136policies. 137This option is used for setups using 138.Xr sasyncd 8 139and 140.Xr carp 4 141to provide redundancy. 142.Xr iked 8 143will run in passive mode until sasyncd has determined that the host 144is the master and can switch to active mode. 145.It Ic set couple 146Load the negotiated security associations (SAs) and flows into the kernel. 147This is the default. 148.It Ic set decouple 149Don't load the negotiated SAs and flows from the kernel. 150This mode is only useful for testing and debugging. 151.It Ic set fragmentation 152Enable IKEv2 Message Fragmentation (RFC 7383) support. 153This allows IKEv2 to operate in environments that might block IP fragments. 154.It Ic set nofragmentation 155Disables IKEv2 Message Fragmentation support. 156This is the default. 157.It Ic set mobike 158Enable MOBIKE (RFC 4555) support. 159This is the default. 160MOBIKE allows the peer IP address to be changed for IKE and IPsec SAs. 161Currently 162.Xr iked 8 163only supports MOBIKE when acting as a responder. 164.It Ic set nomobike 165Disables MOBIKE support. 166.It Ic set ocsp Ar URL Op Ic tolerate Ar time Op Ic maxage Ar time 167Enable OCSP and set the URL of the OCSP responder. 168Please note that the matching responder and issuer certificates 169have to be placed in 170.Pa /etc/iked/ocsp/responder.crt 171and 172.Pa /etc/iked/ocsp/issuer.crt . 173.Pp 174The optional 175.Ic tolerate 176parameter specifies how much the OCSP reponse attribute 177.Sq thisUpdate 178may be in the future and how much 179.Sq nextUpdate 180may be in the past, with respect to the local time. 181The optional 182.Ic maxage 183parameter specifies how much 184.Sq thisUpdate 185may be in the past. 186If 187.Ic tolerate 188is set to 0 then the times are not verified at all. 189This is the default setting. 190.It Ic user Ar name password 191.Xr iked 8 192supports user-based authentication by tunneling the Extensible 193Authentication Protocol (EAP) over IKEv2. 194In its most basic form, the users will be authenticated against a 195local, integrated password database that is configured with the 196.Ic user 197lines in 198.Nm 199and the 200.Ar name 201and 202.Ar password 203arguments. 204Note that the password has to be specified in plain text which is 205required to support different challenge-based EAP methods like 206EAP-MD5 or EAP-MSCHAPv2. 207.El 208.Sh AUTOMATIC KEYING POLICIES 209This section is used to configure policies that will be used by 210.Xr iked 8 211to set up flows and SAs automatically. 212Some examples of setting up automatic keying: 213.Bd -literal -offset 3n 214# Set up a VPN: 215# First between the gateway machines 192.168.3.1 and 192.168.3.2 216# Second between the networks 10.1.1.0/24 and 10.1.2.0/24 217ikev2 esp from 192.168.3.1 to 192.168.3.2 218ikev2 esp from 10.1.1.0/24 to 10.1.2.0/24 peer 192.168.3.2 219.Ed 220.Pp 221For incoming connections from remote peers, the policies are evaluated 222in sequential order, from first to last. 223The last matching policy decides what action is taken; if no policy matches 224the connection, the default action is to ignore the connection attempt or 225to use the 226.Ar default 227policy, if set. 228Please also see the 229.Sx EXAMPLES 230section for a detailed example of the policy evaluation. 231.Pp 232The first time an IKEv2 connection matches a policy, an IKE SA is 233created; for subsequent packets the connection is identified by the 234IKEv2 parameters that are stored in the SA without evaluating any 235policies. 236After the connection is closed or times out, the IKE SA is 237automatically removed. 238.Pp 239The commands are as follows: 240.Bl -tag -width xxxx 241.It Xo 242.Ic ikev2 243.Op Ar name 244.Xc 245The mandatory 246.Ic ikev2 247keyword will identify an IKEv2 automatic keying policy. 248.Ar name 249is an optional arbitrary string identifying the policy. 250The name should only occur once in 251.Nm 252or any included files. 253If omitted, 254a name will be generated automatically for the policy. 255.It Op Ar eval 256The 257.Ar eval 258option modifies the policy evaluation for this policy. 259It can be one of 260.Ar quick , 261.Ar skip 262or 263.Ar default . 264If a new incoming connection matches a policy with the 265.Ar quick 266option set, that policy is considered the last matching policy, 267and evaluation of subsequent policies is skipped. 268The 269.Ar skip 270option will disable evaluation of this policy for incoming connections. 271The 272.Ar default 273option sets the default policy and should only be specified once. 274.It Op Ar mode 275.Ar mode 276specifies the IKEv2 mode to use: 277one of 278.Ar passive 279or 280.Ar active . 281When 282.Ar passive 283is specified, 284.Xr iked 8 285will not immediately start negotiation of this tunnel, but wait for an incoming 286request from the remote peer. 287When 288.Ar active 289is specified, negotiation will be started at once. 290If omitted, 291.Ar passive 292mode will be used. 293.It Op Ar ipcomp 294The keyword 295.Ar ipcomp 296specifies that 297.Xr ipcomp 4 , 298the IP Payload Compression protocol, is negotiated in addition to encapsulation. 299The optional compression is applied before packets are encapsulated. 300IPcomp must be enabled in the kernel: 301.Pp 302.Dl # sysctl net.inet.ipcomp.enable=1 303.It Op Ar tmode 304.Ar tmode 305describes the encapsulation mode to be used. 306Possible modes are 307.Ar tunnel 308and 309.Ar transport ; 310the default is 311.Ar tunnel . 312.It Op Ar encap 313.Ar encap 314specifies the encapsulation protocol to be used. 315Possible protocols are 316.Ar esp 317and 318.Ar ah ; 319the default is 320.Ar esp . 321.It Op Ar af 322This policy only applies to endpoints of the specified address family 323which can be either 324.Ar inet 325or 326.Ar inet6 . 327Note that this only matters for IKEv2 endpoints and does not 328restrict the traffic selectors to negotiate flows with different 329address families, e.g. IPv6 flows negotiated by IPv4 endpoints. 330.It Ic proto Ar protocol 331The optional 332.Ic proto 333parameter restricts the flow to a specific IP protocol. 334Common protocols are 335.Xr icmp 4 , 336.Xr tcp 4 , 337and 338.Xr udp 4 . 339For a list of all the protocol name to number mappings used by 340.Xr iked 8 , 341see the file 342.Pa /etc/protocols . 343.It Ic rdomain Ar number 344Specify a different routing domain for unencrypted traffic. 345The resulting IPsec SAs will match outgoing packets in the specified 346.Ic rdomain Ar number 347and move the encrypted packets to the rdomain the 348.Xr iked 8 349instance is running in. 350Vice versa, incoming 351.Xr ipsec 4 352traffic is moved to 353.Ic rdomain Ar number 354after decryption. 355.It Xo 356.Ic from Ar src 357.Op Ic port Ar sport 358.Op Pq Ar srcnat 359.Ic to Ar dst 360.Op Ic port Ar dport 361.Xc 362Specify one or more traffic selectors for this policy which will be 363used to negotiate the IPsec flows between the IKEv2 peers. 364During the negotiation, the peers may decide to narrow a flow to a 365subset of the configured traffic selector networks to match the 366policies on each side. 367.Pp 368Each traffic selector will apply for packets with source address 369.Ar src 370and destination address 371.Ar dst . 372The keyword 373.Ar any 374will match any address (i.e. 0.0.0.0/0). 375If the 376.Ar src 377argument specifies a fictional source ID, 378the 379.Ar srcnat 380parameter can be used to specify the actual source address. 381This can be used in outgoing NAT/BINAT scenarios as described below. 382.Pp 383The optional 384.Ic port 385modifiers restrict the traffic selectors to the specified ports. 386They are only valid in conjunction with the 387.Xr tcp 4 388and 389.Xr udp 4 390protocols. 391Ports can be specified by number or by name. 392For a list of all port name to number mappings used by 393.Xr ipsecctl 8 , 394see the file 395.Pa /etc/services . 396.It Ic local Ar localip Ic peer Ar remote 397The 398.Ic local 399parameter specifies the address or FQDN of the local endpoint. 400Unless the gateway is multi-homed or uses address aliases, 401this option is generally not needed. 402.Pp 403The 404.Ic peer 405parameter specifies the address or FQDN of the remote endpoint. 406For host-to-host connections where 407.Ar dst 408is identical to 409.Ar remote , 410this option is generally not needed as it will be set to 411.Ar dst 412automatically. 413If it is not specified or if the keyword 414.Ar any 415is given, the default peer is used. 416.It Xo 417.Ic ikesa 418.Ic auth Ar algorithm 419.Ic enc Ar algorithm 420.Ic prf Ar algorithm 421.Ic group Ar group 422.Xc 423These parameters define the mode and cryptographic transforms to be 424used for the IKE SA negotiation, also known as phase 1. 425The IKE SA will be used to authenticate the machines and to set up an 426encrypted channel for the IKEv2 protocol. 427.Pp 428Possible values for 429.Ic auth , 430.Ic enc , 431.Ic prf , 432.Ic group , 433and the default proposals are described below in 434.Sx CRYPTO TRANSFORMS . 435If omitted, 436.Xr iked 8 437will use the default proposals for the IKEv2 protocol. 438.Pp 439The keyword 440.Ic ikesa 441can be used multiple times as a delimiter between IKE SA proposals. 442The order of the proposals depend on the order in the configuration. 443The keywords 444.Ic auth , 445.Ic enc , 446.Ic prf 447and 448.Ic group 449can be used multiple times within a single proposal to configure 450multiple crypto transforms. 451.It Xo 452.Ic childsa 453.Ic auth Ar algorithm 454.Ic enc Ar algorithm 455.Ic group Ar group 456.Ic esn 457.Xc 458These parameters define the cryptographic transforms to be used for 459the Child SA negotiation, also known as phase 2. 460Each Child SA will be used to negotiate the actual IPsec SAs. 461The initial Child SA is always negotiated with the initial IKEv2 key 462exchange; additional Child SAs may be negotiated with additional 463Child SA key exchanges for an established IKE SA. 464.Pp 465Possible values for 466.Ic auth , 467.Ic enc , 468.Ic group , 469.Ic esn , 470and the default proposals are described below in 471.Sx CRYPTO TRANSFORMS . 472If omitted, 473.Xr iked 8 474will use the default proposals for the ESP or AH protocol. 475.Pp 476The 477.Ic group 478option will only be used to enable Perfect Forward Secrecy (PFS) 479for additional Child SAs exchanges that are not part of the initial 480key exchange. 481.Pp 482The keyword 483.Ic childsa 484can be used multiple times as a delimiter between Child SA proposals. 485The order of the proposals depend on the order in the configuration. 486The keywords 487.Ic auth , 488.Ic enc 489and 490.Ic group 491can be used multiple times within a single proposal to configure 492multiple crypto transforms. 493.It Ic srcid Ar string Ic dstid Ar string 494.Ic srcid 495defines an ID of type 496.Dq FQDN , 497.Dq ASN1_DN , 498.Dq IPV4 , 499.Dq IPV6 , 500or 501.Dq UFQDN 502that will be used by 503.Xr iked 8 504as the identity of the local peer. 505If the argument is an email address (reyk@example.com), 506.Xr iked 8 507will use UFQDN as the ID type. 508The ASN1_DN type will be used if the string starts with a slash 509.Sq / 510(/C=DE/../CN=10.0.0.1/emailAddress=reyk@example.com). 511If the argument is an IPv4 address or a compressed IPv6 address, 512the ID types IPV4 or IPV6 will be used. 513Anything else is considered to be an FQDN. 514.Pp 515If 516.Ic srcid 517is omitted, 518the default is to use the hostname of the local machine, 519see 520.Xr hostname 1 521to set or print the hostname. 522.Pp 523.Ic dstid 524is similar to 525.Ic srcid , 526but instead specifies the ID to be used 527by the remote peer. 528.It Ic ikelifetime Ar time 529The optional 530.Ic ikelifetime 531parameter defines the IKE SA expiration timeout by the 532.Ar time 533SA was created. 534A zero value disables active IKE SA rekeying. 535This is the default. 536.Pp 537The accepted format of the 538.Ar time 539specification is described below. 540.It Ic lifetime Ar time Op Ic bytes Ar bytes 541The optional 542.Ic lifetime 543parameter defines the Child SA expiration timeout by the 544.Ar time 545SA was in use and by the number of 546.Ar bytes 547that were processed using the SA. 548Default values are 3 hours and 512 megabytes which means that SA will be 549rekeyed before reaching the time limit or 512 megabytes of data 550will pass through. 551Zero values disable rekeying. 552.Pp 553Several unit specifiers are recognized (ignoring case): 554.Ql m 555and 556.Ql h 557for minutes and hours, and 558.Ql K , 559.Ql M 560and 561.Ql G 562for kilo-, mega- and gigabytes accordingly. 563.Pp 564Please note that rekeying must happen at least several times a day as 565IPsec security heavily depends on frequent key renewals. 566.It Op Ar ikeauth 567Specify a method to be used to authenticate the remote peer. 568.Xr iked 8 569will automatically determine a method based on public keys or certificates 570configured for the peer. 571.Ar ikeauth 572can be used to override this behaviour. 573Non-psk modes will require setting up certificates and RSA or ECDSA public 574keys; see 575.Xr iked 8 576for more information. 577.Pp 578.Bl -tag -width $domain -compact -offset indent 579.It Ic eap Ar type 580Use EAP to authenticate the initiator. 581The only supported EAP 582.Ar type 583is currently 584.Ar MSCHAP-V2 . 585The responder will use RSA public key authentication. 586.It Ic ecdsa256 587Use ECDSA with a 256-bit elliptic curve key and SHA2-256 for authentication. 588.It Ic ecdsa384 589Use ECDSA with a 384-bit elliptic curve key and SHA2-384 for authentication. 590.It Ic ecdsa521 591Use ECDSA with a 521-bit elliptic curve key and SHA2-512 for authentication. 592.It Ic psk Ar string 593Use a pre-shared key 594.Ar string 595or hex value (starting with 0x) for authentication. 596.It Ic rfc7427 597Only use RFC 7427 signatures for authentication. 598RFC 7427 signatures currently only support SHA2-256 as the hash. 599.It Ic rsa 600Use RSA public key authentication with SHA1 as the hash. 601.El 602.Pp 603The default is to allow any signature authentication. 604.It Ic config Ar option address 605Send one or more optional configuration payloads (CP) to the peer. 606The configuration 607.Ar option 608can be one of the following with the expected address format: 609.Pp 610.Bl -tag -width Ds -compact -offset indent 611.It Ic address Ar address 612Assign a static address on the internal network. 613.It Ic address Ar address/prefix 614Assign a dynamic address on the internal network. 615The address will be assigned from an address pool with the size specified by 616.Ar prefix . 617.It Ic netmask Ar netmask 618The IPv4 netmask of the internal network. 619.It Ic name-server Ar address 620The DNS server address within the internal network. 621.It Ic netbios-server Ar address 622The NetBIOS name server (WINS) within the internal network. 623This option is provided for compatibility with legacy clients. 624.It Ic dhcp-server Ar address 625The address of an internal DHCP server for further configuration. 626.It Ic protected-subnet Ar address/prefix 627The address of an additional IPv4 or IPv6 subnet reachable over the 628gateway. 629This option is used to notify the peer of a subnet behind the gateway (that 630might require a second SA). 631Networks specified in this SA's "from" or "to" options do not need to be 632included. 633.It Ic access-server Ar address 634The address of an internal remote access server. 635.El 636.It Ic tag Ar string 637Add a 638.Xr pf 4 639tag to all packets of IPsec SAs created for this connection. 640This will allow matching packets for this connection by defining 641rules in 642.Xr pf.conf 5 643using the 644.Cm tagged 645keyword. 646.Pp 647The following variables can be used in tags to include information 648from the remote peer on runtime: 649.Pp 650.Bl -tag -width $domain -compact -offset indent 651.It Ar $id 652The 653.Ic dstid 654that was proposed by the remote peer to identify itself. 655It will be expanded to 656.Ar id-value , 657e.g.\& 658.Ar FQDN/foo.example.com . 659To limit the size of the derived tag, 660.Xr iked 8 661will extract the common name 662.Sq CN= 663from ASN1_DN IDs, for example 664.Ar ASN1_ID//C=DE/../CN=10.1.1.1/.. 665will be expanded to 666.Ar 10.1.1.1 . 667.It Ar $eapid 668For a connection using EAP, the identity (username) used by the remote peer. 669.It Ar $domain 670Extract the domain from IDs of type FQDN, UFQDN or ASN1_DN. 671.It Ar $name 672The name of the IKEv2 policy that was configured in 673.Nm 674or automatically generated by 675.Xr iked 8 . 676.El 677.Pp 678For example, if the ID is 679.Ar FQDN/foo.example.com 680or 681.Ar UFQDN/user@example.com , 682.Dq ipsec-$domain 683expands to 684.Dq ipsec-example.com . 685The variable expansion for the 686.Ar tag 687directive occurs only at runtime (not when the file is parsed) 688and must be quoted, or it will be interpreted as a macro. 689.It Ic tap Ar interface 690Send the decapsulated IPsec traffic to the specified 691.Xr enc 4 692.Ar interface 693instead of 694.Ar enc0 695for filtering and monitoring. 696The traffic will be blocked if the specified 697.Ar interface 698does not exist. 699.El 700.Sh PACKET FILTERING 701IPsec traffic appears unencrypted on the 702.Xr enc 4 703interface 704and can be filtered accordingly using the 705.Ox 706packet filter, 707.Xr pf 4 . 708The grammar for the packet filter is described in 709.Xr pf.conf 5 . 710.Pp 711The following components are relevant to filtering IPsec traffic: 712.Bl -ohang -offset indent 713.It external interface 714Interface for IKE traffic and encapsulated IPsec traffic. 715.It proto udp port 500 716IKE traffic on the external interface. 717.It proto udp port 4500 718IKE NAT-Traversal traffic on the external interface. 719.It proto ah | esp 720Encapsulated IPsec traffic 721on the external interface. 722.It enc0 723Default interface for outgoing traffic before it's been encapsulated, 724and incoming traffic after it's been decapsulated. 725State on this interface should be interface bound; 726see 727.Xr enc 4 728for further information. 729.It proto ipencap 730[tunnel mode only] 731IP-in-IP traffic flowing between gateways 732on the enc0 interface. 733.It tagged ipsec-example.org 734Match traffic of IPsec SAs using the 735.Ic tag 736keyword. 737.El 738.Pp 739If the filtering rules specify to block everything by default, 740the following rule 741would ensure that IPsec traffic never hits the packet filtering engine, 742and is therefore passed: 743.Bd -literal -offset indent 744set skip on enc0 745.Ed 746.Pp 747In the following example, all traffic is blocked by default. 748IPsec-related traffic from gateways {192.168.3.1, 192.168.3.2} and 749networks {10.0.1.0/24, 10.0.2.0/24} is permitted. 750.Bd -literal -offset indent 751block on ix0 752block on enc0 753 754pass in on ix0 proto udp from 192.168.3.2 to 192.168.3.1 \e 755 port {500, 4500} 756pass out on ix0 proto udp from 192.168.3.1 to 192.168.3.2 \e 757 port {500, 4500} 758 759pass in on ix0 proto esp from 192.168.3.2 to 192.168.3.1 760pass out on ix0 proto esp from 192.168.3.1 to 192.168.3.2 761 762pass in on enc0 proto ipencap from 192.168.3.2 to 192.168.3.1 \e 763 keep state (if-bound) 764pass out on enc0 proto ipencap from 192.168.3.1 to 192.168.3.2 \e 765 keep state (if-bound) 766pass in on enc0 from 10.0.2.0/24 to 10.0.1.0/24 \e 767 keep state (if-bound) 768pass out on enc0 from 10.0.1.0/24 to 10.0.2.0/24 \e 769 keep state (if-bound) 770.Ed 771.Pp 772.Xr pf 4 773has the ability to filter IPsec-related packets 774based on an arbitrary 775.Em tag 776specified within a ruleset. 777The tag is used as an internal marker 778which can be used to identify the packets later on. 779This could be helpful, 780for example, 781in scenarios where users are connecting in from differing IP addresses, 782or to support queue-based bandwidth control, 783since the enc0 interface does not support it. 784.Pp 785The following 786.Xr pf.conf 5 787fragment uses queues for all IPsec traffic with special 788handling for developers and employees: 789.Bd -literal -offset indent 790queue std on ix0 bandwidth 100M 791queue deflt parent std bandwidth 10M default 792queue developers parent std bandwidth 75M 793queue employees parent std bandwidth 5M 794queue ipsec parent std bandwidth 10M 795 796pass out on ix0 proto esp set queue ipsec 797 798pass out on ix0 tagged ipsec-developers.example.com \e 799 set queue developers 800pass out on ix0 tagged ipsec-employees.example.com \e 801 set queue employees 802.Ed 803.Pp 804The following example assigns the tags in the 805.Nm 806configuration and also sets an alternative 807.Xr enc 4 808device: 809.Bd -literal -offset indent 810ikev2 esp from 10.1.1.0/24 to 10.1.2.0/24 peer 192.168.3.2 \e 811 tag "ipsec-$domain" tap "enc1" 812.Ed 813.Sh OUTGOING NETWORK ADDRESS TRANSLATION 814In some network topologies it is desirable to perform NAT on traffic leaving 815through the VPN tunnel. 816In order to achieve that, 817the 818.Ar src 819argument is used to negotiate the desired network ID with the peer 820and the 821.Ar srcnat 822parameter defines the true local subnet, 823so that a correct SA can be installed on the local side. 824.Pp 825For example, 826if the local subnet is 192.168.1.0/24 and all the traffic 827for a specific VPN peer should appear as coming from 10.10.10.1, 828the following configuration is used: 829.Bd -literal -offset indent 830ikev2 esp from 10.10.10.1 (192.168.1.0/24) to 192.168.2.0/24 \e 831 peer 10.10.20.1 832.Ed 833.Pp 834Naturally, 835a relevant NAT rule is required in 836.Xr pf.conf 5 . 837For the example above, 838this would be: 839.Bd -literal -offset indent 840match out on enc0 from 192.168.1.0/24 to 192.168.2.0/24 \e 841 nat-to 10.10.10.1 842.Ed 843.Pp 844From the peer's point of view, 845the local end of the VPN tunnel is declared to be 10.10.10.1 846and all the traffic arrives with that source address. 847.Sh CRYPTO TRANSFORMS 848The following authentication types are permitted with the 849.Ic auth 850keyword: 851.Bl -column "Authentication" "Key Length" "Truncated Length" "Default" -offset indent 852.It Em "Authentication" Ta Em "Key Length" Ta Em "Truncated Length" Ta Em "Default" 853.It Li hmac-md5 Ta "128 bits" Ta "96 bits" Ta "" 854.It Li hmac-sha1 Ta "160 bits" Ta "96 bits" Ta "x" 855.It Li hmac-sha2-256 Ta "256 bits" Ta "128 bits" Ta "x" 856.It Li hmac-sha2-384 Ta "384 bits" Ta "192 bits" Ta "" 857.It Li hmac-sha2-512 Ta "512 bits" Ta "256 bits" Ta "" 858.El 859.Pp 860The following pseudo-random function types are permitted with the 861.Ic prf 862keyword: 863.Bl -column "hmac-sha2-512" "Key Length" "Default" "[IKE only]" -offset indent 864.It Em "PRF" Ta Em "Key Length" Ta Em "Default" Ta "" 865.It Li hmac-md5 Ta "128 bits" Ta "" Ta "[IKE only]" 866.It Li hmac-sha1 Ta "160 bits" Ta "x" Ta "[IKE only]" 867.It Li hmac-sha2-256 Ta "256 bits" Ta "x" Ta "[IKE only]" 868.It Li hmac-sha2-384 Ta "384 bits" Ta "" Ta "[IKE only]" 869.It Li hmac-sha2-512 Ta "512 bits" Ta "" Ta "[IKE only]" 870.El 871.Pp 872The following cipher types are permitted with the 873.Ic enc 874keyword: 875.Bl -column "chacha20-poly1305" "Key Length" "Default" "[ESP only]" -offset indent 876.It Em "Cipher" Ta Em "Key Length" Ta Em "Default" Ta "" 877.It Li 3des Ta "168 bits" Ta "x" Ta "" 878.It Li aes-128 Ta "128 bits" Ta "x" Ta "" 879.It Li aes-192 Ta "192 bits" Ta "x" Ta "" 880.It Li aes-256 Ta "256 bits" Ta "x" Ta "" 881.It Li aes-128-ctr Ta "160 bits" Ta "" Ta "[ESP only]" 882.It Li aes-192-ctr Ta "224 bits" Ta "" Ta "[ESP only]" 883.It Li aes-256-ctr Ta "288 bits" Ta "" Ta "[ESP only]" 884.It Li aes-128-gcm Ta "160 bits" Ta "x" Ta "" 885.It Li aes-192-gcm Ta "224 bits" Ta "" Ta "[ESP only]" 886.It Li aes-256-gcm Ta "288 bits" Ta "x" Ta "" 887.It Li aes-128-gcm-12 Ta "160 bits" Ta "" Ta "[IKE only]" 888.It Li aes-256-gcm-12 Ta "288 bits" Ta "" Ta "[IKE only]" 889.It Li blowfish Ta "160 bits" Ta "" Ta "[ESP only]" 890.It Li cast Ta "128 bits" Ta "" Ta "[ESP only]" 891.It Li chacha20-poly1305 Ta "288 bits" Ta "" Ta "[ESP only]" 892.El 893.Pp 894The following cipher types provide only authentication, 895not encryption: 896.Bl -column "chacha20-poly1305" "Key Length" "Default" "[ESP only]" -offset indent 897.It Li aes-128-gmac Ta "160 bits" Ta "" Ta "[ESP only]" 898.It Li aes-192-gmac Ta "224 bits" Ta "" Ta "[ESP only]" 899.It Li aes-256-gmac Ta "288 bits" Ta "" Ta "[ESP only]" 900.It Li null Ta "" Ta "" Ta "[ESP only]" 901.El 902.Pp 903The Extended Sequence Numbers option can be enabled or disabled with the 904.Ic esn 905or 906.Ic noesn 907keywords: 908.Bl -column "noesn" "Default" "[ESP only]" -offset indent 909.It Em ESN Ta Em "Default" Ta Em "" 910.It Li esn Ta "x" Ta "[ESP only]" 911.It Li noesn Ta "x" Ta "[ESP only]" 912.El 913.Pp 914Transforms followed by 915.Bq IKE only 916can only be used with the 917.Ic ikesa 918keyword, transforms with 919.Bq ESP only 920can only be used with the 921.Ic childsa 922keyword. 923.Pp 9243DES requires 24 bytes to form its 168-bit key. 925This is because the most significant bit of each byte is used for parity. 926.Pp 927The keysize of AES-CTR is actually 128-bit. 928However as well as the key, a 32-bit nonce has to be supplied. 929Thus 160 bits of key material have to be supplied. 930The same applies to AES-GCM, AES-GMAC and Chacha20-Poly1305, 931however in the latter case the keysize is 256 bit. 932.Pp 933Using AES-GMAC or NULL with ESP will only provide authentication. 934This is useful in setups where AH cannot be used, e.g. when NAT is involved. 935.Pp 936The following group types are permitted with the 937.Ic group 938keyword: 939.Bl -column "brainpool224" "Group" "Size" "Curve25519" "Default" -offset indent 940.It Em Name Ta Em Group Ta Em Size Ta Em Type Ta Em Default 941.It Li modp768 Ta grp1 Ta 768 Ta "MODP" Ta "" Ta "[insecure]" 942.It Li modp1024 Ta grp2 Ta 1024 Ta "MODP" Ta "x" Ta "[weak]" 943.It Li modp1536 Ta grp5 Ta 1536 Ta "MODP" Ta "x" Ta "[weak]" 944.It Li modp2048 Ta grp14 Ta 2048 Ta "MODP" Ta "x" 945.It Li modp3072 Ta grp15 Ta 3072 Ta "MODP" Ta "x" 946.It Li modp4096 Ta grp16 Ta 4096 Ta "MODP" Ta "x" 947.It Li modp6144 Ta grp17 Ta 6144 Ta "MODP" Ta "" 948.It Li modp8192 Ta grp18 Ta 8192 Ta "MODP" Ta "" 949.It Li ecp256 Ta grp19 Ta 256 Ta "ECP" Ta "x" 950.It Li ecp384 Ta grp20 Ta 384 Ta "ECP" Ta "x" 951.It Li ecp521 Ta grp21 Ta 521 Ta "ECP" Ta "x" 952.It Li ecp192 Ta grp25 Ta 192 Ta "ECP" Ta "" 953.It Li ecp224 Ta grp26 Ta 224 Ta "ECP" Ta "" 954.It Li brainpool224 Ta grp27 Ta 224 Ta "ECP" Ta "" 955.It Li brainpool256 Ta grp28 Ta 256 Ta "ECP" Ta "" 956.It Li brainpool384 Ta grp29 Ta 384 Ta "ECP" Ta "" 957.It Li brainpool512 Ta grp30 Ta 512 Ta "ECP" Ta "" 958.It Li curve25519 Ta grp31 Ta 256 Ta "Curve25519" Ta "x" 959.El 960.Pp 961The currently supported group types are either 962MODP (exponentiation groups modulo a prime), 963ECP (elliptic curve groups modulo a prime), 964or Curve25519. 965Please note that MODP groups of less than 2048 bits are considered 966as weak or insecure (see RFC 8247 section 2.4) and only provided for 967backwards compatibility. 968.Sh FILES 969.Bl -tag -width /etc/examples/iked.conf -compact 970.It Pa /etc/iked.conf 971.It Pa /etc/examples/iked.conf 972.El 973.Sh EXAMPLES 974The first example is intended for a server with clients connecting to 975.Xr iked 8 976as an IPsec gateway, or IKEv2 responder, using mutual public key 977authentication and additional challenge-based EAP-MSCHAPv2 password 978authentication: 979.Bd -literal -offset indent 980user "test" "password123" 981 982ikev2 "win7" esp \e 983 from 0.0.0.0/0 to 172.16.2.0/24 \e 984 peer 10.0.0.0/8 local 192.168.56.0/24 \e 985 eap "mschap-v2" \e 986 config address 172.16.2.1 \e 987 tag "$name-$id" 988.Ed 989.Pp 990The next example allows peers to authenticate using a pre-shared key 991.Sq foobar : 992.Bd -literal -offset indent 993ikev2 "big test" \e 994 esp proto tcp \e 995 from 10.0.0.0/8 port 23 to 20.0.0.0/8 port 40 \e 996 from 192.168.1.1 to 192.168.2.2 \e 997 peer any local any \e 998 ikesa \e 999 enc 3des auth hmac-sha2-256 \e 1000 group ecp256 group modp1024 \e 1001 ikesa \e 1002 enc 3des auth hmac-sha1 \e 1003 group ecp256 group modp1024 \e 1004 childsa enc aes-128 auth hmac-sha2-256 \e 1005 childsa enc aes-128 auth hmac-sha1 \e 1006 srcid host.example.com \e 1007 dstid 192.168.0.254 \e 1008 psk "foobar" 1009.Ed 1010.Pp 1011The following example illustrates the last matching policy 1012evaluation for incoming connections on an IKEv2 gateway. 1013The peer 192.168.1.34 will always match the first policy because of the 1014.Ar quick 1015keyword; 1016connections from the peers 192.168.1.3 and 192.168.1.2 will be matched 1017by one of the last two policies; 1018any other connections from 192.168.1.0/24 will be matched by the 1019.Sq subnet 1020policy; 1021and any other connection will be matched by the 1022.Sq catch all 1023policy. 1024.Bd -literal -offset indent 1025ikev2 quick esp from 10.10.10.0/24 to 10.20.20.0/24 \e 1026 peer 192.168.1.34 1027ikev2 "catch all" esp from 10.0.1.0/24 to 10.0.2.0/24 \e 1028 peer any 1029ikev2 "subnet" esp from 10.0.3.0/24 to 10.0.4.0/24 \e 1030 peer 192.168.1.0/24 1031ikev2 esp from 10.0.5.0/30 to 10.0.5.4/30 peer 192.168.1.2 1032ikev2 esp from 10.0.5.8/30 to 10.0.5.12/30 peer 192.168.1.3 1033.Ed 1034.Pp 1035This example encrypts a 1036.Xr gre 4 1037tunnel from local machine A (2001:db8::aa:1) to peer D (2001:db8::dd:4) based on 1038FQDN-based public key authentication; 1039.Ar transport 1040mode avoids double encapsulation: 1041.Bd -literal -offset indent 1042ikev2 transport \e 1043 proto gre \e 1044 from 2001:db8::aa:1 to 2001:db8::dd:4 \e 1045 peer D.example.com 1046.Ed 1047.Sh SEE ALSO 1048.Xr enc 4 , 1049.Xr ipsec 4 , 1050.Xr ipsec.conf 5 , 1051.Xr pf.conf 5 , 1052.Xr ikectl 8 , 1053.Xr iked 8 1054.Sh HISTORY 1055The 1056.Nm 1057file format first appeared in 1058.Ox 4.8 . 1059.Sh AUTHORS 1060The 1061.Xr iked 8 1062program was written by 1063.An Reyk Floeter Aq Mt reyk@openbsd.org . 1064