unixdev.net


Switch to SpeakEasy.net DSL

The Modular Manual Browser

Home Page
Manual: (OpenBSD-3.6)
Page:
Section:
Apropos / Subsearch:
optional field

ISAKMPD.CONF(5)           OpenBSD Programmer's Manual          ISAKMPD.CONF(5)

NAME
     isakmpd.conf - configuration file for isakmpd

DESCRIPTION
     isakmpd.conf is the configuration file for the isakmpd daemon managing
     security association and key management for the IPsec layer of the ker-
     nel's networking stack.

     The file is of a well known type of format called .INI style, named after
     the suffix used by an overrated windowing environment for its configura-
     tion files.  This format consists of sections, each beginning with a line
     looking like:

     [Section name]
     Between the brackets is the name of the section following this section
     header.  Inside a section many tag/value pairs can be stored, each one
     looking like:

     Tag=Value
     If the value needs more space than fits on a single line it's possible to
     continue it on the next by ending the first with a backslash character
     immediately before the newline character.  This method can extend a value
     for an arbitrary number of lines.

     Comments can be put anywhere in the file by using a hash mark (`#').  The
     comment extends to the end of the current line.

     Often the right-hand side values consist of other section names.  This
     results in a tree structure.  Some values are treated as a list of sever-
     al scalar values.  Such lists always use a comma character as the separa-
     tor.  Some values are formatted like this: X,Y:Z, which is an offer/ac-
     cept syntax, where X is a value we offer and Y:Z is a range of accepted
     values, inclusive.

     To activate changes to isakmpd.conf without restarting isakmpd, send a
     SIGHUP signal to the daemon process.

   Auto-generated parts of the configuration

     Some predefined section names are recognized by the daemon, avoiding the
     need to fully specify the Main Mode transforms and Quick Mode suites,
     protocols, and transforms.

     For Main Mode:
     {DES,BLF,3DES,CAST,AES}-{MD5,SHA}[-GRP{1,2,5,14}][-{DSS,RSA_SIG}]

     For Quick Mode:
     QM-{proto}[-TRP]-{cipher}[-{hash}][-PFS[-{group}]]-SUITE

       where
         {proto}  is either ESP or AH
         {cipher} is either DES, 3DES, CAST, BLF or AES
         {hash}   is either MD5, SHA, RIPEMD, SHA2-{256,384,512}
         {group}  is either GRP1, GRP2, GRP5 or GRP14

     For example, 3DES-SHA means: 3DES encryption, SHA hash, and authorization
     by pre-shared keys.  Similarly, QM-ESP-3DES-SHA-PFS-SUITE means: ESP pro-
     tocol, 3DES encryption, SHA hash, and use Perfect Forward Secrecy.

     Unless explicitly stated with -GRP1, 2, 5 or 14 transforms and PFS suites
     use DH group 2.  There are currently no predefined ESP+AH Quick Mode
     suites.

     The predefinitions include some default values for the special sections
     "General", "Keynote", "X509-certificates", and "Default-phase-1-configu-
     ration".  These default values are presented in the example below.

     All autogenerated values can be overridden by manual entries by using the
     same section and tag names in the configuration file.  In particular, the
     default phase 1 (Main or Aggressive Mode) and phase 2 (Quick Mode) life-
     times can be overridden by these tags under the "General" section;

     [General]
     Default-phase-1-lifetime=       3600,60:86400
     Default-phase-2-lifetime=       1200,60:86400

     The Main Mode lifetime currently defaults to one hour (minimum 60 sec-
     onds, maximum 1 day).  The Quick Mode lifetime defaults to 20 minutes
     (minimum 60 seconds, maximum 1 day).

     Also, the default phase 1 ID can be set by creating a <Phase1-ID> sec-
     tion, as shown below, and adding this tag under the "General" section;

     [General]
     Default-phase-1-ID=             Phase1-ID-name

     [Phase1-ID-name]
     ID-type=                        USER_FQDN
     Name=                           fooATbar.com

   Roots

     General       Generic global configuration parameters

                   Default-phase-1-ID
                                 Optional default phase 1 ID name.

                   Default-phase-1-lifetime
                                 The default lifetime for autogenerated trans-
                                 forms (phase 1).  If unspecified, the value
                                 3600,60:86400 is used as the default.

                   Default-phase-2-lifetime
                                 The default lifetime for autogenerated suites
                                 (phase 2).  If unspecified, the value
                                 1200,60:86400 is used as the default.

                   Default-phase-2-suites
                                 A list of phase 2 suites that will be used
                                 when establishing dynamic SAs.  If left un-
                                 specified, QM-ESP-3DES-SHA-PFS-SUITE is used
                                 as the default.

                   Acquire-Only  If this tag is defined, isakmpd will not set
                                 up flows automatically.  This is useful when
                                 flows are configured with ipsecadm(4) or by
                                 other programs like bgpd(8).  Thus isakmpd
                                 only takes care of the SA establishment.

                   Check-interval
                                 The interval between watchdog checks of con-
                                 nections we want up at all times.

                   DPD-check-interval
                                 The interval between RFC 3706 (Dead Peer De-
                                 tection) messages.  The default value is 0
                                 (zero), which means DPD is disabled.

                   Exchange-max-time
                                 How many seconds should an exchange maximally
                                 take to set up before we give up.

                   Listen-on     A list of IP-addresses OK to listen on.  This
                                 list is used as a filter for the set of ad-
                                 dresses the interfaces configured provides.
                                 This means that we won't see if an address
                                 given here does not exist on this host, and
                                 thus no error is given for that case.

                   Loglevel      A list of the form class=level, where both
                                 class and level are numbers.  This is similar
                                 to the -D command line switch of isakmpd.
                                 See isakmpd(8) for details.

                   Logverbose    If this tag is defined, whatever the value
                                 is, verbose logging is enabled.  This is sim-
                                 ilar to the -v command line switch of
                                 isakmpd.  See isakmpd(8) for details.

                   NAT-T-Keepalive
                                 The number of seconds between NAT-T keepalive
                                 messages, sent by the peer behind NAT to keep
                                 the mapping active.  Defaults to 20.

                   Policy-file   The name of the file that contains keynote(4)
                                 policies.  The default is "/etc/isakm-
                                 pd/isakmpd.policy".

                   Pubkey-directory
                                 The directory in which isakmpd.conf looks for
                                 explicitly trusted public keys.  The default
                                 is "/etc/isakmpd/pubkeys".  Read isakmpd(8)
                                 for the required naming convention of the
                                 files in here.

                   Renegotiate-on-HUP
                                 If this tag is defined, whatever the value
                                 is, isakmpd will renegotiate all current
                                 phase 2 SAs when the daemon receives a SIGHUP
                                 signal, or an `R' is sent to the FIFO inter-
                                 face (see isakmpd(8)).

                   Retransmits   How many times should a message be retrans-
                                 mitted before giving up.

                   Shared-SADB   If this tag is defined, whatever the value
                                 is, some semantics of isakmpd.conf are
                                 changed so that multiple instances can run on
                                 top of one SADB and set up SAs with each oth-
                                 er.  Specifically this means replay protec-
                                 tion will not be asked for, and errors that
                                 can occur when updating an SA with its param-
                                 eters a 2nd time will be ignored.

                   Use-Keynote   This tag controls the use of keynote(4) poli-
                                 cy checking.  The default value is "yes",
                                 which enables the policy checking.  When set
                                 to any other value, policies will not be
                                 checked.  This is useful when policies for
                                 flows and SA establishment are arranged by
                                 other programs like ipsecadm(8) or bgpd(8).

     Phase 1       ISAKMP SA negotiation parameter root

                   &lt;IP-address&gt;  A name of the ISAKMP peer at the given IP-ad-
                                 dress.

                   Default       A name of the default ISAKMP peer.  Incoming
                                 phase 1 connections from other IP-addresses
                                 will use this peer name.

                                 This name is used as the section name for
                                 further information to be found.  Look at
                                 <ISAKMP-peer> below.

     Phase 2       IPsec SA negotiation parameter root

                   Connections   A list of directed IPsec "connection" names
                                 that should be brought up automatically, ei-
                                 ther on first use if the system supports it,
                                 or at startup of the daemon.  These names are
                                 section names where further information can
                                 be found.  Look at <IPsec-connection> below.
                                 Normally any connections mentioned here are
                                 treated as part of the "Passive-connection"
                                 list we present below, however there is a
                                 flag: "Active-only" that disables this be-
                                 haviour.  This too is mentioned in the
                                 <IPsec-connection> section, in the "Flags"
                                 tag.

                   Passive-connections
                                 A list of IPsec "connection" names we recog-
                                 nize and accept initiations for.  These names
                                 are section names where further information
                                 can be found.  Look at <IPsec-connection> be-
                                 low.  Currently only the Local-ID and Remote-
                                 ID tags are looked at in those sections, as
                                 they are matched against the IDs given by the
                                 initiator.

     KeyNote

                   Credential-directory
                                 A directory containing directories named af-
                                 ter IDs (IP addresses, ``user@domain'', or
                                 hostnames) that contain files named
                                 ``credentials'' and ``private_key''.

                                 The credentials file contains keynote(4) cre-
                                 dentials that are sent to a remote IKE daemon
                                 when we use the associated ID, or credentials
                                 that we may want to consider when doing an
                                 exchange with a remote IKE daemon that uses
                                 that ID.  Note that, in the former case, the
                                 last credential in the file MUST contain our
                                 public key in its Licensees field.  More than
                                 one credentials may exist in the file.  They
                                 are separated by whitelines (the format is
                                 essentially the same as that of the policy
                                 file).  The credentials are of the same for-
                                 mat as the policies described in
                                 isakmpd.policy(5).  The only difference is
                                 that the Authorizer field contains a public
                                 key, and the assertion is signed.  Signed as-
                                 sertions can be generated using the
                                 keynote(1) utility.

                                 The private_key file contains the private RSA
                                 key we use for authentication.  If the direc-
                                 tory (and the files) exist, they take prece-
                                 dence over X509-based authentication.

     X509-Certificates

                   Accept-self-signed
                                 If this tag is defined, whatever the value
                                 is, certificates that do not originate from a
                                 trusted CA but are self-signed will be ac-
                                 cepted.

                   Ca-directory  A directory containing PEM certificates of
                                 certification authorities that we trust to
                                 sign other certificates.  Note that for a CA
                                 to be really trusted, it needs to be somehow
                                 referred to by policy, in isakmpd.policy(5).
                                 The certificates in this directory are used
                                 for the actual X.509 authentication and for
                                 cross-referencing policies that refer to Dis-
                                 tinguished Names (DNs).  Keeping a separate
                                 directory (as opposed to integrating policies
                                 and X.509 CA certificates) allows for mainte-
                                 nance of a list of "well known" CAs without
                                 actually having to trust all (or any) of
                                 them.

                   Cert-directory
                                 A directory containing PEM certificates that
                                 we trust to be valid.  These certificates are
                                 used in preference to those passed in mes-
                                 sages and are required to have a subjectAlt-
                                 Name extension containing the certificate
                                 holder identity; usually IP address, FQDN, or
                                 User FQDN, as provided by certpatch(8).

                   Private-key   The private key matching the public key of
                                 our certificate (which should be in the
                                 "Cert-directory", and have an appropriate
                                 subjectAltName field).

   Referred-to sections

     &lt;ISAKMP-peer&gt; Parameters for negotiation with an ISAKMP peer

                   Phase         The constant 1, as ISAKMP-peers and IPsec-
                                 connections really are handled by the same
                                 code inside isakmpd.

                   Transport     The name of the transport protocol, defaults
                                 to UDP.

                   Port          In case of UDP, the UDP port number to send
                                 to.  This is optional, the default value is
                                 500 which is the IANA-registered number for
                                 ISAKMP.

                   Local-address
                                 The Local IP-address to use, if we are multi-
                                 homed, or have aliases.

                   Address       If existent, the IP-address of the peer.

                   Configuration
                                 The name of the ISAKMP-configuration section
                                 to use.  Look at <ISAKMP-configuration> be-
                                 low.  If unspecified, defaults to "Default-
                                 phase-1-configuration".

                   Authentication
                                 If existent, authentication data for this
                                 specific peer.  In the case of preshared key,
                                 this is the key value itself.

                   ID            If existent, the name of the section that de-
                                 scribes the local client ID that we should
                                 present to our peer.  If not present, it de-
                                 faults to the address of the local interface
                                 we are sending packets over to the remote
                                 daemon.  Look at <Phase1-ID> below.

                   Remote-ID     If existent, the name of the section that de-
                                 scribes the remote client ID we expect the
                                 remote daemon to send us.  If not present, it
                                 defaults to the address of the remote daemon.
                                 Look at <Phase1-ID> below.

                   Flags         A comma-separated list of flags controlling
                                 the further handling of the ISAKMP SA.  Cur-
                                 rently there are no specific ISAKMP SA flags
                                 defined.

     &lt;Phase1-ID&gt;

                   ID-type       The ID type as given by the RFC specifica-
                                 tions.  For phase 1 this is currently
                                 IPV4_ADDR, IPV4_ADDR_SUBNET, IPV6_ADDR,
                                 IPV6_ADDR_SUBNET, FQDN, USER_FQDN or KEY_ID.

                   Address       If the ID-type is IPV4_ADDR or IPV6_ADDR,
                                 this tag should exist and be an IP-address.

                   Network       If the ID-type is IPV4_ADDR_SUBNET or
                                 IPV6_ADDR_SUBNET this tag should exist and be
                                 a network address.

                   Netmask       If the ID-type is IPV4_ADDR_SUBNET or
                                 IPV6_ADDR_SUBNET this tag should exist and be
                                 a network subnet mask.

                   Name          If the ID-type is FQDN, USER_FQDN or KEY_ID,
                                 this tag should exist and contain a domain
                                 name, user@domain, or other identifying
                                 string respectively.

                                 In the case of KEY_ID, note that the IKE pro-
                                 tocol allows any octet sequence to be sent or
                                 received under this payload, potentially in-
                                 cluding non-printable ones.  isakmpd(8) can
                                 only transmit printable KEY_ID payloads, but
                                 can receive and process arbitrary KEY_ID pay-
                                 loads.  This effectively means that non-
                                 printable KEY_ID remote identities cannot be
                                 verified through this means, although it is
                                 still possible to do so through
                                 isakmpd.policy(5).

     &lt;ISAKMP-configuration&gt;

                   DOI           The domain of interpretation as given by the
                                 RFCs.  Normally IPSEC.  If unspecified, de-
                                 faults to IPSEC.

                   EXCHANGE_TYPE
                                 The exchange type as given by the RFCs.  For
                                 main mode this is ID_PROT and for aggressive
                                 mode it is AGGRESSIVE.

                   Transforms    A list of proposed transforms to use for pro-
                                 tecting the ISAKMP traffic.  These are actu-
                                 ally names for sections further describing
                                 the transforms.  Look at <ISAKMP-transform>
                                 below.

     &lt;ISAKMP-transform&gt;

                   ENCRYPTION_ALGORITHM
                                 The encryption algorithm as the RFCs name it,
                                 or ANY to denote that any encryption algo-
                                 rithm proposed will be accepted.

                   KEY_LENGTH    For encryption algorithms with variable key
                                 length, this is where the offered/accepted
                                 keylengths are described.  The value is of
                                 the offer-accept kind described above.

                   HASH_ALGORITHM
                                 The hash algorithm as the RFCs name it, or
                                 ANY.

                   AUTHENTICATION_METHOD
                                 The authentication method as the RFCs name
                                 it, or ANY.

                   GROUP_DESCRIPTION
                                 The group used for Diffie-Hellman exponentia-
                                 tions, or ANY.  The names are symbolic, like
                                 MODP_768, MODP_1024, EC_155 and EC_185.

                   PRF           The algorithm to use for the keyed pseudo-
                                 random function (used for key derivation and
                                 authentication in phase 1), or ANY.

                   Life          A list of lifetime descriptions, or ANY.  In
                                 the former case, each element is in itself a
                                 name of the section that defines the life-
                                 time.  Look at <Lifetime> below.  If it is
                                 set to ANY, then any type of proposed life-
                                 time type and value will be accepted.

     &lt;Lifetime&gt;

                   LIFE_TYPE     SECONDS or KILOBYTES depending on the type of
                                 the duration.  Notice that this field may NOT
                                 be set to ANY.

                   LIFE_DURATION
                                 An offer/accept kind of value, see above.
                                 Can also be set to ANY.

     &lt;IPsec-connection&gt;

                   Phase         The constant 2, as ISAKMP-peers and IPsec-
                                 connections really are handled by the same
                                 code inside isakmpd.

                   ISAKMP-peer   The name of the ISAKMP-peer which to talk to
                                 in order to set up this connection.  The val-
                                 ue is the name of an <ISAKMP-peer> section.
                                 See above.

                   Configuration
                                 The name of the IPsec-configuration section
                                 to use.  Look at <IPsec-configuration> below.

                   Local-ID      If existent, the name of the section that de-
                                 scribes the optional local client ID that we
                                 should present to our peer.  It is also used
                                 when we act as responders to find out what
                                 <IPsec-connection> we are dealing with.  Look
                                 at <IPsec-ID> below.

                   Remote-ID     If existent, the name of the section that de-
                                 scribes the optional remote client ID that we
                                 should present to our peer.  It is also used
                                 when we act as responders to find out what
                                 <IPsec-connection> we are dealing with.  Look
                                 at <IPsec-ID> below.

                   Flags         A comma-separated list of flags controlling
                                 the further handling of the IPsec SA.  Cur-
                                 rently only one flag is defined:

                                 Active-only   If this flag is given and this
                                               <IPsec-connection> is part of
                                               the phase 2 connections we au-
                                               tomatically keep up, it will
                                               not automatically be used for
                                               accepting connections from the
                                               peer.

     &lt;IPsec-configuration&gt;

                   DOI           The domain of interpretation as given by the
                                 RFCs.  Normally IPSEC.  If unspecified, de-
                                 faults to IPSEC.

                   EXCHANGE_TYPE
                                 The exchange type as given by the RFCs.  For
                                 quick mode this is QUICK_MODE.

                   Suites        A list of protection suites (bundles of pro-
                                 tocols) usable for protecting the IP traffic.
                                 Each of the list elements is a name of an
                                 <IPsec-suite> section.  See below.

     &lt;IPsec-suite&gt;

                   Protocols     A list of the protocols included in this pro-
                                 tection suite.  Each of the list elements is
                                 a name of an <IPsec-protocol> section.  See
                                 below.

     &lt;IPsec-protocol&gt;

                   PROTOCOL_ID   The protocol as given by the RFCs.  Accept-
                                 able values today are IPSEC_AH and IPSEC_ESP.

                   Transforms    A list of transforms usable for implementing
                                 the protocol.  Each of the list elements is a
                                 name of an <IPsec-transform> section.  See
                                 below.

                   ReplayWindow  The size of the window used for replay pro-
                                 tection.  This is normally left alone.  Look
                                 at the ESP and AH RFCs for a better descrip-
                                 tion.

     &lt;IPsec-transform&gt;

                   TRANSFORM_ID  The transform ID as given by the RFCs.

                   ENCAPSULATION_MODE
                                 The encapsulation mode as given by the RFCs.
                                 This means TRANSPORT or TUNNEL.

                   AUTHENTICATION_ALGORITHM
                                 The optional authentication algorithm in the
                                 case of this being an ESP transform.

                   GROUP_DESCRIPTION
                                 An optional (provides PFS if present) Diffie-
                                 Hellman group description.  The values are
                                 the same as GROUP_DESCRIPTION's in <ISAKMP-
                                 transform> sections shown above.

                   Life          List of lifetimes, each element is a <Life-
                                 time> section name.

     &lt;IPsec-ID&gt;

                   ID-type       The ID type as given by the RFCs.  For IPsec
                                 this is currently IPV4_ADDR, IPV6_ADDR,
                                 IPV4_ADDR_SUBNET or IPV6_ADDR_SUBNET.

                   Address       If the ID-type is IPV4_ADDR or IPV6_ADDR this
                                 tag should exist and be an IP-address.

                   Network       If the ID-type is IPV4_ADDR_SUBNET or
                                 IPV6_ADDR_SUBNET this tag should exist and be
                                 a network address.

                   Netmask       If the ID-type is IPV4_ADDR_SUBNET or
                                 IPV6_ADDR_SUBNET this tag should exist and be
                                 a network subnet mask.

                   Protocol      If the ID-type is IPV4_ADDR,
                                 IPV4_ADDR_SUBNET, IPV6_ADDR or
                                 IPV6_ADDR_SUBNET this tag indicates what
                                 transport protocol should be transmitted over
                                 the SA.  If left unspecified, all transport
                                 protocols between the two address (ranges)
                                 will be sent (or permitted) over that SA.

                   Port          If the ID-type is IPV4_ADDR,
                                 IPV4_ADDR_SUBNET, IPV6_ADDR or
                                 IPV6_ADDR_SUBNET this tag indicates what
                                 source or destination port is allowed to be
                                 transported over the SA (depending on whether
                                 this is a local or remote ID).  If left un-
                                 specified, all ports of the given transport
                                 protocol will be transmitted (or permitted)
                                 over the SA.  The Protocol tag must be speci-
                                 fied in conjunction with this tag.

   Other sections

     &lt;IKECFG-ID&gt;   Parameters to use with IKE mode-config.  One ID per peer.

                   An IKECFG-ID is written as [<ID-type>/<name>].  The follow-
                   ing ID types are supported:

                   IPv4          [ipv4/A.B.C.D]

                   IPv6          [ipv6/abcd:abcd::ab:cd]

                   FQDN          [fqdn/foo.bar.org]

                   UFQDN         [ufqdn/userATfoo.org]

                   ASN1_DN       [asn1_dn//C=aa/O=cc/...] (Note the double
                                 slashes as the DN itself starts with a `/'.)

                   Each section specifies what configuration values to return
                   to the peer requesting IKE mode-config.  Currently support-
                   ed values are:

                   Address       The peer's network address.

                   Netmask       The peer's netmask.

                   Nameserver    The IP address of a DNS nameserver.

                   WINS-server   The IP address of a WINS server.

     &lt;Initiator-ID&gt;

                   During phase 1 negotiation isakmpd looks for a pre-shared
                   key in the <ISAKMP-peer> section.  If no Authentication da-
                   ta is specified in that section, and isakmpd is not the
                   initiator, it looks for Authentication data in a section
                   named after the initiator's phase 1 ID.  This allows mobile
                   users with dynamic IP addresses to have different shared
                   secrets.

                   This only works for aggressive mode because in main mode
                   the remote initiator ID would not yet be known.

                   The name of the <Initiator-ID> section depends on the ID
                   type sent by the initiator.  Currently this can be:

                   IPv4          [A.B.C.D]

                   IPv6          [abcd:abcd::ab:cd]

                   FQDN          [foo.bar.org]

                   UFQDN         [userATfoo.org]

FILES
     /etc/isakmpd/isakmpd.conf  The default isakmpd configuration file.

     /usr/share/ipsec/isakmpd/  A directory containing some sample isakmpd
                                configuration files.

EXAMPLES
     An example of a configuration file:

     # A configuration sample for the isakmpd ISAKMP/Oakley (aka IKE) daemon.

     [General]
     Listen-on=              10.1.0.2

     # Incoming phase 1 negotiations are multiplexed on the source IP address
     [Phase 1]
     10.1.0.1=               ISAKMP-peer-west

     # These connections are walked over after config file parsing and told
     # to the application layer so that it will inform us when traffic wants to
     # pass over them.
     This means we can do on-demand keying.
     [Phase 2]
     Connections=            IPsec-east-west

     # Default values are commented out.
     [ISAKMP-peer-west]
     Phase=                  1
     #Transport=             udp
     Local-address=          10.1.0.2
     Address=                10.1.0.1
     #Port=                  isakmp
     #Port=                  500
     #Configuration=         Default-phase-1-configuration
     Authentication=         mekmitasdigoat
     #Flags=

     [IPsec-east-west]
     Phase=                  2
     ISAKMP-peer=            ISAKMP-peer-west
     Configuration=          Default-quick-mode
     Local-ID=               Net-east
     Remote-ID=              Net-west
     #Flags=

     [Net-west]
     ID-type=                IPV4_ADDR_SUBNET
     Network=                192.168.1.0
     Netmask=                255.255.255.0

     [Net-east]
     ID-type=                IPV4_ADDR_SUBNET
     Network=                192.168.2.0
     Netmask=                255.255.255.0

     # Quick mode descriptions

     [Default-quick-mode]
     EXCHANGE_TYPE=          QUICK_MODE
     Suites=                 QM-ESP-3DES-SHA-PFS-SUITE,QM-ESP-AES-SHA-PFS-SUITE

     # Data for an IKE mode-config peer
     [asn1_dn//C=SE/L=SomeCity/O=SomeCompany/CN=SomePeer.company.com]
     Address=                192.168.1.123
     Netmask=                255.255.255.0
     Nameserver=             192.168.1.10
     WINS-server=            192.168.1.11

     # pre-shared key based on initiator's phase 1 ID
     [foo.bar.org]
     Authentication=         mekmitasdigoat

     #
     # #####################################################################
     # All configuration data below this point is not required as the example
     # uses the predefined Main Mode transform and Quick Mode suite names.
     # It is included here for completeness.  Note the default values for the
     # [General] and [X509-certificates] sections just below.
     # #####################################################################
     #

     [General]
     Policy-file=            /etc/isakmpd/isakmpd.policy
     Retransmits=            3
     Exchange-max-time=      120

     # KeyNote credential storage
     [KeyNote]
     Credential-directory=   /etc/isakmpd/keynote/

     # Certificates stored in PEM format
     [X509-certificates]
     CA-directory=           /etc/isakmpd/ca/
     Cert-directory=         /etc/isakmpd/certs/
     CRL-directory=          /etc/isakmpd/crls/
     Private-key=            /etc/isakmpd/private/local.key

     # Default phase 1 description (Main Mode)

     [Default-phase-1-configuration]
     EXCHANGE_TYPE=          ID_PROT
     Transforms=             3DES-SHA

     # Main mode transforms
     ######################

     # DES

     [DES-MD5]
     ENCRYPTION_ALGORITHM=   DES_CBC
     HASH_ALGORITHM=         MD5
     AUTHENTICATION_METHOD=  PRE_SHARED
     GROUP_DESCRIPTION=      MODP_1024
     Life=                   Default-phase-1-lifetime

     [DES-SHA]
     ENCRYPTION_ALGORITHM=   DES_CBC
     HASH_ALGORITHM=         SHA
     AUTHENTICATION_METHOD=  PRE_SHARED
     GROUP_DESCRIPTION=      MODP_1024
     Life=                   Default-phase-1-lifetime

     # 3DES

     [3DES-SHA]
     ENCRYPTION_ALGORITHM=   3DES_CBC
     HASH_ALGORITHM=         SHA
     AUTHENTICATION_METHOD=  PRE_SHARED
     GROUP_DESCRIPTION=      MODP_1024
     Life=                   Default-phase-1-lifetime

     # Blowfish

     [BLF-SHA]
     ENCRYPTION_ALGORITHM=   BLOWFISH_CBC
     KEY_LENGTH=             128,96:192
     HASH_ALGORITHM=         SHA
     AUTHENTICATION_METHOD=  PRE_SHARED
     GROUP_DESCRIPTION=      MODP_1024
     Life=                   Default-phase-1-lifetime

     # Blowfish, using DH group 4 (non-default)
     [BLF-SHA-EC185]
     ENCRYPTION_ALGORITHM=   BLOWFISH_CBC
     KEY_LENGTH=             128,96:192
     HASH_ALGORITHM=         SHA
     AUTHENTICATION_METHOD=  PRE_SHARED
     GROUP_DESCRIPTION=      EC2N_185
     Life=                   Default-phase-1-lifetime

     # Quick mode protection suites
     ##############################

     # DES

     [QM-ESP-DES-SUITE]
     Protocols=              QM-ESP-DES

     [QM-ESP-DES-PFS-SUITE]
     Protocols=              QM-ESP-DES-PFS

     [QM-ESP-DES-MD5-SUITE]
     Protocols=              QM-ESP-DES-MD5

     [QM-ESP-DES-MD5-PFS-SUITE]
     Protocols=              QM-ESP-DES-MD5-PFS

     [QM-ESP-DES-SHA-SUITE]
     Protocols=              QM-ESP-DES-SHA

     [QM-ESP-DES-SHA-PFS-SUITE]
     Protocols=              QM-ESP-DES-SHA-PFS

     # 3DES

     [QM-ESP-3DES-SHA-SUITE]
     Protocols=              QM-ESP-3DES-SHA

     [QM-ESP-3DES-SHA-PFS-SUITE]
     Protocols=              QM-ESP-3DES-SHA-PFS

     # AES

     [QM-ESP-AES-SHA-SUITE]
     Protocols=              QM-ESP-AES-SHA

     [QM-ESP-AES-SHA-PFS-SUITE]
     Protocols=              QM-ESP-AES-SHA-PFS

     # AH

     [QM-AH-MD5-SUITE]
     Protocols=              QM-AH-MD5

     [QM-AH-MD5-PFS-SUITE]
     Protocols=              QM-AH-MD5-PFS

     # AH + ESP (non-default)

     [QM-AH-MD5-ESP-DES-SUITE]
     Protocols=              QM-AH-MD5,QM-ESP-DES

     [QM-AH-MD5-ESP-DES-MD5-SUITE]
     Protocols=              QM-AH-MD5,QM-ESP-DES-MD5

     [QM-ESP-DES-MD5-AH-MD5-SUITE]
     Protocols=              QM-ESP-DES-MD5,QM-AH-MD5

     # Quick mode protocols

     # DES

     [QM-ESP-DES]
     PROTOCOL_ID=            IPSEC_ESP
     Transforms=             QM-ESP-DES-XF

     [QM-ESP-DES-MD5]
     PROTOCOL_ID=            IPSEC_ESP
     Transforms=             QM-ESP-DES-MD5-XF

     [QM-ESP-DES-MD5-PFS]
     PROTOCOL_ID=            IPSEC_ESP
     Transforms=             QM-ESP-DES-MD5-PFS-XF

     [QM-ESP-DES-SHA]
     PROTOCOL_ID=            IPSEC_ESP
     Transforms=             QM-ESP-DES-SHA-XF

     # 3DES

     [QM-ESP-3DES-SHA]
     PROTOCOL_ID=            IPSEC_ESP
     Transforms=             QM-ESP-3DES-SHA-XF

     [QM-ESP-3DES-SHA-PFS]
     PROTOCOL_ID=            IPSEC_ESP
     Transforms=             QM-ESP-3DES-SHA-PFS-XF

     [QM-ESP-3DES-SHA-TRP]
     PROTOCOL_ID=            IPSEC_ESP
     Transforms=             QM-ESP-3DES-SHA-TRP-XF

     # AES

     [QM-ESP-AES-SHA]
     PROTOCOL_ID=            IPSEC_ESP
     Transforms=             QM-ESP-AES-SHA-XF

     [QM-ESP-AES-SHA-PFS]
     PROTOCOL_ID=            IPSEC_ESP
     Transforms=             QM-ESP-AES-SHA-PFS-XF

     [QM-ESP-AES-SHA-TRP]
     PROTOCOL_ID=            IPSEC_ESP
     Transforms=             QM-ESP-AES-SHA-TRP-XF

     # AH MD5

     [QM-AH-MD5]
     PROTOCOL_ID=            IPSEC_AH
     Transforms=             QM-AH-MD5-XF

     [QM-AH-MD5-PFS]
     PROTOCOL_ID=            IPSEC_AH
     Transforms=             QM-AH-MD5-PFS-XF

     # Quick mode transforms

     # ESP DES+MD5

     [QM-ESP-DES-XF]
     TRANSFORM_ID=           DES
     ENCAPSULATION_MODE=     TUNNEL
     Life=                   Default-phase-2-lifetime

     [QM-ESP-DES-MD5-XF]
     TRANSFORM_ID=           DES
     ENCAPSULATION_MODE=     TUNNEL
     AUTHENTICATION_ALGORITHM=       HMAC_MD5
     Life=                   Default-phase-2-lifetime

     [QM-ESP-DES-MD5-PFS-XF]
     TRANSFORM_ID=           DES
     ENCAPSULATION_MODE=     TUNNEL
     GROUP_DESCRIPTION=      MODP_1024
     AUTHENTICATION_ALGORITHM=       HMAC_MD5
     Life=                   Default-phase-2-lifetime

     [QM-ESP-DES-SHA-XF]
     TRANSFORM_ID=           DES
     ENCAPSULATION_MODE=     TUNNEL
     AUTHENTICATION_ALGORITHM=       HMAC_SHA
     Life=                   Default-phase-2-lifetime

     # 3DES

     [QM-ESP-3DES-SHA-XF]
     TRANSFORM_ID=           3DES
     ENCAPSULATION_MODE=     TUNNEL
     AUTHENTICATION_ALGORITHM=       HMAC_SHA
     Life=                   Default-phase-2-lifetime

     [QM-ESP-3DES-SHA-PFS-XF]
     TRANSFORM_ID=           3DES
     ENCAPSULATION_MODE=     TUNNEL
     AUTHENTICATION_ALGORITHM=       HMAC_SHA
     GROUP_DESCRIPTION=      MODP_1024
     Life=                   Default-phase-2-lifetime

     [QM-ESP-3DES-SHA-TRP-XF]
     TRANSFORM_ID=           3DES
     ENCAPSULATION_MODE=     TRANSPORT
     AUTHENTICATION_ALGORITHM=       HMAC_SHA
     Life=                   Default-phase-2-lifetime

     # AES

     [QM-ESP-AES-SHA-XF]
     TRANSFORM_ID=           AES
     ENCAPSULATION_MODE=     TUNNEL
     AUTHENTICATION_ALGORITHM=       HMAC_SHA
     Life=                   Default-phase-2-lifetime

     [QM-ESP-AES-SHA-PFS-XF]
     TRANSFORM_ID=           AES
     ENCAPSULATION_MODE=     TUNNEL
     AUTHENTICATION_ALGORITHM=       HMAC_SHA
     GROUP_DESCRIPTION=      MODP_1024
     Life=                   Default-phase-2-lifetime

     [QM-ESP-AES-SHA-TRP-XF]
     TRANSFORM_ID=           AES
     ENCAPSULATION_MODE=     TRANSPORT
     AUTHENTICATION_ALGORITHM=       HMAC_SHA
     Life=                   Default-phase-2-lifetime

     # AH

     [QM-AH-MD5-XF]
     TRANSFORM_ID=           MD5
     ENCAPSULATION_MODE=     TUNNEL
     AUTHENTICATION_ALGORITHM=       HMAC_MD5
     Life=                   Default-phase-2-lifetime

     [QM-AH-MD5-PFS-XF]
     TRANSFORM_ID=           MD5
     ENCAPSULATION_MODE=     TUNNEL
     GROUP_DESCRIPTION=      MODP_1024
     Life=                   Default-phase-2-lifetime

     [Sample-Life-Time]
     LIFE_TYPE=              SECONDS
     LIFE_DURATION=          3600,1800:7200

     [Sample-Life-Volume]
     LIFE_TYPE=              KILOBYTES
     LIFE_DURATION=          1000,768:1536

SEE ALSO
     keynote(1), ipsec(4), keynote(4), isakmpd.policy(5), isakmpd(8)

BUGS
     The RFCs do not permit differing DH groups in the same proposal for ag-
     gressive and quick mode exchanges.  Mixing both PFS and non-PFS suites in
     a quick mode proposal is not possible, as PFS implies using a DH group.

OpenBSD 3.6                     August 07, 2002                             16