xref: /openbsd/sbin/isakmpd/isakmpd.conf.5 (revision c5fe6c4e)

.\" $OpenBSD: isakmpd.conf.5,v 1.7 1999/02/26 03:45:09 niklas Exp $
.\" $EOM: isakmpd.conf.5,v 1.11 1999/02/25 11:09:39 niklas Exp $
.\"
.\" Copyright (c) 1998 Niklas Hallqvist.  All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\" 3. All advertising materials mentioning features or use of this software
.\"    must display the following acknowledgement:
.\"	This product includes software developed by Ericsson Radio Systems.
.\" 4. The name of the author may not be used to endorse or promote products
.\"    derived from this software without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.\" This code was written under funding by Ericsson Radio Systems.
.\"
.\" Manual page, using -mandoc macros
.\"
.Dd October 10, 1998
.Dt ISAKMPD.CONF 5
.Os
.Sh NAME
.Nm isakmpd.conf
.Nd configuration file for isakmpd
.Sh DESCRIPTION
.Nm
is the configuration file for the
.Nm isakmpd
daemon managing security association and key management for the
IPSEC layer of the kernel's networking stack.
.Pp
The file is of a well known type of format called .INI style, named after
the suffix used by an overrated windowing environment for its configuration
files.  This format consists of sections, each beginning with a line looking
like:
.Bd -literal
[Section name]
.Ed
Between the brackets is the name of the section following this section header.
Inside a section many tag/value pairs can be stored, each one looking like:
.Bd -literal
Tag=Value
.Ed
If the value needs more space than fits on a single line it's possible to
continue it on the next by ending the first with a backspace character
immediately before the newline character.  This method can extend a value for
an arbitrary amount of lines.
.Pp
Comments can be put anywhere in the file by using a hash mark
.Pq Sq \&# .
Then the comment goes on to the end of the line.
.Pp
Often the right-hand side values consist of other section names.
This results in a tree structure.
Some values are treated as a list of several scalar values, such lists always
use comma as the separator.  Some values are formated like this: X,Y:Z, which
is an offer/accept syntax, where X is a value we offer and Y:Z is a range of
accepted values, inclusive.
.Pp
.Ss Roots
.Bl -hang -width 12n
.It Em General
Generic global configuration parameters
.Bl -tag -width 12n
.It Em Retransmits
How many times should a message be retransmitted before giving up.
.It Em Exchange-max-time
How many seconds should an exchange maximally take to setup
before we give up.
.It Em Listen-on
A list of IP-addresses OK to listen on.  This list is used as
a filter for the set of addresses the interfaces configured
provides.  This means that we won't see if an address given
here does not exist on this host, thus no error is given for
that case.
.El
.It Em Phase 1
ISAKMP SA negotiation parameter root
.Bl -tag -width 12n
.It Em <IP-address>
A name of the ISAKMP peer at the given IP-address.  This name
is used as the section name for further information to be
found.  Look at <ISAKMP-peer> below.
.El
.It Em Phase 2
IPsec SA negotiation parameter root
.Bl -tag -width 12n
.It Em Connections
A list of directed IPSec "connection" names.  This name
is used as the section name for further information to be
found.  Look at <IPSec-connection> below.
.El
.El
.Ss Referred-to sections
.Bl -hang -width 12n
.It Em <ISAKMP-peer>
Parameters for negotiation with an ISAKMP peer
.Bl -tag -width 12n
.It Em Phase
The constant
.Li 1 ,
as ISAKMP-peers and IPSec-connections
really are handled by the same code inside isakmpd.
.It Em Transport
The name of the transport protocol, normally
.Li udp .
.It Em Address
The IP-address of the peer.
.It Em Port
In case of UDP, the UDP port number to send to.  This is optional, the
default value is 500 which is the IANA-registered number for ISAKMP.
.It Em Configuration
The name of the ISAKMP-configuration section to use.  Look at
<ISAKMP-configuration> below.
.It Em Authentication
Authentication data for this specific peer.  In the case of
preshared key, this is the key value itself.
.El
.It Em <ISAKMP-configuration>
.Bl -tag -width 12n
.It Em DOI
The domain of interpretation as given by the RFCs.  Normally
.Li IPSEC .
.It Em EXCHANGE_TYPE
The exchange type as given by the RFCs.  For main mode this is
.Li ID_PROT .
.It Em Transforms
A list of proposed transforms to use for protecting the
ISAKMP traffic.  These are actually names for sections
further describing the transforms.  Look at <ISAKMP-transform>
below.
.El
.It Em <ISAKMP-transform>
.Bl -tag -width 12n
.It Em ENCRYPTION_ALGORITHM
The encryption algorithm as the RFCs name it.
.It Em KEY_LENGTH
For encryption algorithms with variable key length, this is
where the offered/accepted keylengths are described.  The
value is of the offer-accept kind described above.
.It Em HASH_ALGORITHM
The hash algorithm as the RFCs name it.
.It Em AUTHENTICATION_METHOD
The authentication method as the RFCs name it.
.It Em GROUP_DESCRIPTION
The group used for Diffie-Hellman exponentiations.  The
name are symbolic, like
.Li MODP_768 , MODP_1024 , EC_155
and
.Li EC_185 .
.It Em Life
A list of lifetime descriptions.  Each element is in itself
a name of the section that defines the lifetime.  Look at
<Lifetime> below.
.El
.It Em <Lifetime>
.Bl -tag -width 12n
.It Em LIFE_TYPE
.Li SECONDS
or
.Li BYTES
depending on the type of the duration.
.It Em LIFE_DURATION
An offer/accept kind of value, see above.
.El
.It Em <IPSec-connection>
.Bl -tag -width 12n
.It Em Phase
The constant
.Li 2 ,
as ISAKMP-peers and IPSec-connections
really are handled by the same code inside isakmpd.
.It Em ISAKMP-peer
The name of the ISAKMP-peer which to talk to in order to
set up this connection.  The value is the name of an
<ISAKMP-peer> section.  See above.
.It Em Configuration
The name of the IPSec-configuration section to use.  Look at
<IPSec-configuration> below.
.It Em Local-ID
If existent, the name of the section that describes the
optional local client ID that we should present to our peer.
Look at <IPSec-ID> below.
.It Em Remote-ID
If existent, the name of the section that describes the
optional remote client ID that we should present to our peer.
Look at <IPSec-ID> below.
.El
.It Em <IPSec-configuration>
.Bl -tag -width 12n
.It Em DOI
The domain of interpretation as given by the RFCs.  Normally
.Li IPSEC .
.It Em EXCHANGE_TYPE
The exchange type as given by the RFCs.  For quick mode this is
.Li QUICK_MODE .
.It Em Suites
A list of protection suites (bundles of protocols) useable for
protecting the IP traffic.  Each of the list elements is a
name of	an <IPSec-suite> section.  See below.
.El
.It Em <IPSec-suite>
.Bl -tag -width 12n
.It Em Protocols
A list of the protocols included in this protection suite.
Each of the list elements is a name of an <IPSec-protocol>
section.  See below.
.El
.It Em <IPSec-protocol>
.Bl -tag -width 12n
.It Em PROTOCOL_ID
The protocol as given by the RFCs.  Acceptable values today
are
.Li IPSEC_AH
and
.Li IPSEC_ESP .
.It Em Transforms
A list of transforms useable for implementing the protocol.
Each of the list elements is a name of an <IPSec-transform>
section.  See below.
.It Em ReplayWindow
The size of the window used for replay protection.  Normally this is should
not be touched, unless you do local IPSec setups, i.e. both the sender and
receiver are on the same box.  Then replay protection has to be turned off
which is done by setting this parameter to -1.  Look at the
.Nm ESP
and
.Nm AH
RFCs for a better description.
.El
.It Em <IPSec-transform>
.Bl -tag -width 12n
.It Em TRANSFORM_ID
The transform ID as given by the RFCs.
.It Em ENCAPSULATION_MODE
The encapsulation mode as given by the RFCs.  This means
TRANSPORT or TUNNEL.
.It Em AUTHENTICATION_ALGORITHM
The optional authentication algorithm in the case of this
being an ESP transform.
.It Em GROUP_DESCRIPTION
An optional (provides PFS if present) Diffie-Hellman group
description.  The values are the same as GROUP_DESCRIPTION's
in <ISAKMP-transform> sections shown above.
.It Em Life
List of lifetimes, each element is a <Lifetime> section name.
.El
.It Em <IPSec-ID>
.Bl -tag -width 12n
.It Em ID-type
The ID type as given by the RFCs.  For IPSec this is currently
.Li IPV4_ADDR
or
.Li IPV4_ADDR_SUBNET .
.It Em Address
If the ID-type is
.Li IPV4_ADDR ,
this tag should exist and be an IP-address.
.It Em Network
If the ID-type is
.Li IPV4_ADDR_SUBNET
this tag should exist and
be a network address.
.It Em Netmask
If the ID-type is
.Li IPV4_ADDR_SUBNET
this tag should exist and
be a network subnet mask.
.El
.El
.Sh EXAMPLE
An example of a configuration file:
.Pp
.Bd -literal
# A configuration sample for the isakmpd ISAKMP/Oakley (aka IKE) daemon.

[General]
Retransmits=		3
Exchange-max-time=	120
Listen-on=		10.1.0.2

# Incoming phase 1 negotiations are multiplexed on the source IP address
[Phase 1]
10.1.0.1=		ISAKMP-peer-west

# These connections are walked over after config file parsing and told
# to the application layer so that it will inform us when traffic wants to
# pass over them.  This means we can do on-demand keying.
[Phase 2]
Connections=		IPsec-east-west

[ISAKMP-peer-west]
Phase=			1
Transport=		udp
# XXX Not yet implemented
#Local-address=		10.1.0.2
Address=		10.1.0.1
# Default values for "Port" commented out
#Port=			isakmp
#Port=			500
Configuration=		Default-main-mode
Authentication=		mekmitasdigoat

[IPsec-east-west]
Phase=			2
ISAKMP-peer=		ISAKMP-peer-west
Configuration=		Default-quick-mode
Local-ID=		Net-east
Remote-ID=		Net-west

[Net-west]
ID-type=		IPV4_ADDR_SUBNET
Network=		192.168.1.0
Netmask=		255.255.255.0

[Net-east]
ID-type=		IPV4_ADDR_SUBNET
Network=		192.168.2.0
Netmask=		255.255.255.0

# Main mode descriptions

[Default-main-mode]
DOI=			IPSEC
EXCHANGE_TYPE=		ID_PROT
Transforms=		3DES-SHA

# Main mode transforms
######################

# DES

[DES-MD5]
ENCRYPTION_ALGORITHM=	DES_CBC
HASH_ALGORITHM=		MD5
AUTHENTICATION_METHOD=	PRE_SHARED
GROUP_DESCRIPTION=	MODP_768
Life=			LIFE_600_SECS,LIFE_1000_KB

[DES-MD5-NO-VOL-LIFE]
ENCRYPTION_ALGORITHM=	DES_CBC
HASH_ALGORITHM=		MD5
AUTHENTICATION_METHOD=	PRE_SHARED
GROUP_DESCRIPTION=	MODP_768
Life=			LIFE_600_SECS

[DES-SHA]
ENCRYPTION_ALGORITHM=	DES_CBC
HASH_ALGORITHM=		SHA
AUTHENTICATION_METHOD=	PRE_SHARED
GROUP_DESCRIPTION=	MODP_768
Life=			LIFE_600_SECS,LIFE_1000_KB

# 3DES

[3DES-SHA]
ENCRYPTION_ALGORITHM=	3DES_CBC
HASH_ALGORITHM=		SHA
AUTHENTICATION_METHOD=	PRE_SHARED
GROUP_DESCRIPTION=	MODP_1024
Life=			LIFE_600_SECS,LIFE_1000_KB

# Blowfish

[BLF-SHA-M1024]
ENCRYPTION_ALGORITHM=	BLOWFISH_CBC
KEY_LENGTH=		128,96:192
HASH_ALGORITHM=		SHA
AUTHENTICATION_METHOD=	PRE_SHARED
GROUP_DESCRIPTION=	MODP_1024
Life=			LIFE_600_SECS,LIFE_1000_KB

[BLF-SHA-EC155]
ENCRYPTION_ALGORITHM=	BLOWFISH_CBC
KEY_LENGTH=		128,96:192
HASH_ALGORITHM=		SHA
AUTHENTICATION_METHOD=	PRE_SHARED
GROUP_DESCRIPTION=	EC2N_155
Life=			LIFE_600_SECS,LIFE_1000_KB

[BLF-MD5-EC155]
ENCRYPTION_ALGORITHM=	BLOWFISH_CBC
KEY_LENGTH=		128,96:192
HASH_ALGORITHM=		MD5
AUTHENTICATION_METHOD=	PRE_SHARED
GROUP_DESCRIPTION=	EC2N_155
Life=			LIFE_600_SECS,LIFE_1000_KB

[BLF-SHA-EC185]
ENCRYPTION_ALGORITHM=	BLOWFISH_CBC
KEY_LENGTH=		128,96:192
HASH_ALGORITHM=		SHA
AUTHENTICATION_METHOD=	PRE_SHARED
GROUP_DESCRIPTION=	EC2N_185
Life=			LIFE_600_SECS,LIFE_1000_KB

# Quick mode description
########################

[Default-quick-mode]
DOI=			IPSEC
EXCHANGE_TYPE=		QUICK_MODE
Suites=			QM-ESP-3DES-SHA-PFS-SUITE,QM-ESP-DES-MD5-SUITE

# Quick mode protection suites
##############################

# DES

[QM-ESP-DES-SUITE]
Protocols=		QM-ESP-DES

[QM-ESP-DES-PFS-SUITE]
Protocols=		QM-ESP-DES-PFS

[QM-ESP-DES-MD5-SUITE]
Protocols=		QM-ESP-DES-MD5

[QM-ESP-DES-MD5-PFS-SUITE]
Protocols=		QM-ESP-DES-MD5-PFS

[QM-ESP-DES-SHA-SUITE]
Protocols=		QM-ESP-DES-SHA

[QM-ESP-DES-SHA-PFS-SUITE]
Protocols=		QM-ESP-DES-SHA-PFS

# 3DES

[QM-ESP-3DES-SHA-SUITE]
Protocols=		QM-ESP-3DES-SHA

[QM-ESP-3DES-SHA-PFS-SUITE]
Protocols=		QM-ESP-3DES-SHA-PFS

# AH

[QM-AH-MD5-SUITE]
Protocols=		QM-AH-MD5

[QM-AH-MD5-PFS-SUITE]
Protocols=		QM-AH-MD5-PFS

# AH + ESP

[QM-AH-MD5-ESP-DES-SUITE]
Protocols=		QM-AH-MD5,QM-ESP-DES

[QM-AH-MD5-ESP-DES-MD5-SUITE]
Protocols=		QM-AH-MD5,QM-ESP-DES-MD5

[QM-ESP-DES-MD5-AH-MD5-SUITE]
Protocols=		QM-ESP-DES-MD5,QM-AH-MD5

# Quick mode protocols

# DES

[QM-ESP-DES]
PROTOCOL_ID=		IPSEC_ESP
Transforms=		QM-ESP-DES-XF

[QM-ESP-DES-MD5]
PROTOCOL_ID=		IPSEC_ESP
Transforms=		QM-ESP-DES-MD5-XF

[QM-ESP-DES-MD5-PFS]
PROTOCOL_ID=		IPSEC_ESP
Transforms=		QM-ESP-DES-MD5-PFS-XF

[QM-ESP-DES-SHA]
PROTOCOL_ID=		IPSEC_ESP
Transforms=		QM-ESP-DES-SHA-XF

# 3DES

[QM-ESP-3DES-SHA]
PROTOCOL_ID=		IPSEC_ESP
Transforms=		QM-ESP-3DES-SHA-XF

[QM-ESP-3DES-SHA-PFS]
PROTOCOL_ID=		IPSEC_ESP
Transforms=		QM-ESP-3DES-SHA-PFS-XF

[QM-ESP-3DES-SHA-TRP]
PROTOCOL_ID=		IPSEC_ESP
Transforms=		QM-ESP-3DES-SHA-TRP-XF

# AH MD5

[QM-AH-MD5]
PROTOCOL_ID=		IPSEC_AH
Transforms=		QM-AH-MD5-XF

[QM-AH-MD5-PFS]
PROTOCOL_ID=		IPSEC_AH
Transforms=		QM-AH-MD5-PFS-XF

# Quick mode transforms

# ESP DES+MD5

[QM-ESP-DES-XF]
TRANSFORM_ID=		DES
ENCAPSULATION_MODE=	TUNNEL
Life=			LIFE_600_SECS

[QM-ESP-DES-MD5-XF]
TRANSFORM_ID=		DES
ENCAPSULATION_MODE=	TUNNEL
AUTHENTICATION_ALGORITHM=	HMAC_MD5
Life=			LIFE_600_SECS

[QM-ESP-DES-MD5-PFS-XF]
TRANSFORM_ID=		DES
ENCAPSULATION_MODE=	TUNNEL
GROUP_DESCRIPTION=	MODP_768
AUTHENTICATION_ALGORITHM=	HMAC_MD5
Life=			LIFE_600_SECS

[QM-ESP-DES-SHA-XF]
TRANSFORM_ID=		DES
ENCAPSULATION_MODE=	TUNNEL
AUTHENTICATION_ALGORITHM=	HMAC_SHA
Life=			LIFE_600_SECS

# 3DES

[QM-ESP-3DES-SHA-XF]
TRANSFORM_ID=		3DES
ENCAPSULATION_MODE=	TUNNEL
AUTHENTICATION_ALGORITHM=	HMAC_SHA
Life=			LIFE_600_SECS

[QM-ESP-3DES-SHA-PFS-XF]
TRANSFORM_ID=		3DES
ENCAPSULATION_MODE=	TUNNEL
AUTHENTICATION_ALGORITHM=	HMAC_SHA
GROUP_DESCRIPTION=	MODP_1024
Life=			LIFE_600_SECS

[QM-ESP-3DES-SHA-TRP-XF]
TRANSFORM_ID=		3DES
ENCAPSULATION_MODE=	TRANSPORT
AUTHENTICATION_ALGORITHM=	HMAC_SHA
Life=			LIFE_600_SECS

# AH

[QM-AH-MD5-XF]
TRANSFORM_ID=		MD5
ENCAPSULATION_MODE=	TUNNEL
AUTHENTICATION_ALGORITHM=	HMAC_MD5
Life=			LIFE_600_SECS

[QM-AH-MD5-PFS-XF]
TRANSFORM_ID=		MD5
ENCAPSULATION_MODE=	TUNNEL
GROUP_DESCRIPTION=	MODP_768
Life=			LIFE_600_SECS

[LIFE_600_SECS]
LIFE_TYPE=		SECONDS
LIFE_DURATION=		600,450:720

[LIFE_3600_SECS]
LIFE_TYPE=		SECONDS
LIFE_DURATION=		3600,1800:7200

[LIFE_1000_KB]
LIFE_TYPE=		KILOBYTES
LIFE_DURATION=		1000,768:1536

[LIFE_32_MB]
LIFE_TYPE=		KILOBYTES
LIFE_DURATION=		32768,16384:65536

[LIFE_4.5_GB]
LIFE_TYPE=		KILOBYTES
LIFE_DURATION=		4608000,4096000:8192000

[RSA_SIG]
CERT=			/etc/isakmpd_cert
PRIVKEY=		/etc/isakmpd_key
PUBKEY=			/etc/isakmpd_key.pub
.Ed
.Pp
.Sh SEE ALSO
.Xr isakmpd 8 ,
.Xr ipsec 4 .