diff options
author | Niklas Hallqvist <niklas@cvs.openbsd.org> | 1999-02-26 03:55:13 +0000 |
---|---|---|
committer | Niklas Hallqvist <niklas@cvs.openbsd.org> | 1999-02-26 03:55:13 +0000 |
commit | 6fb311198906dd9cea4c3ad9a1d3379dcdfdcb75 (patch) | |
tree | 4af54d7c59683aadc45ce4c0276cec29ecb34ae2 | |
parent | 45f0339c447ce5f8b19eafb87980abace251a45b (diff) |
Merge from the Ericsson repository
| revision 1.3
| date: 1999/02/25 10:21:35; author: niklas; state: Exp; lines: +19 -19
| Replay window changes was done at the wrong level
| ----------------------------
| revision 1.2
| date: 1999/02/25 09:30:31; author: niklas; state: Exp; lines: +21 -1
| Replay protection window configurable
| ----------------------------
| revision 1.1
| date: 1999/02/14 00:49:53; author: niklas; state: Exp;
| An example of a two-node VPN setup
| =============================================================================
-rw-r--r-- | sbin/isakmpd/samples/VPN-east.conf | 333 |
1 files changed, 333 insertions, 0 deletions
diff --git a/sbin/isakmpd/samples/VPN-east.conf b/sbin/isakmpd/samples/VPN-east.conf new file mode 100644 index 00000000000..e671106ac4e --- /dev/null +++ b/sbin/isakmpd/samples/VPN-east.conf @@ -0,0 +1,333 @@ +# $Id: VPN-east.conf,v 1.1 1999/02/26 03:55:12 niklas Exp $ + +# A configuration sample for the isakmpd ISAKMP/Oakley (aka IKE) daemon. + +[General] +Retransmits= 3 +Exchange-max-time= 120 +Listen-on= 10.1.0.2 + +# Incoming phase 1 negotiations are multiplexed on the source IP address +[Phase 1] +10.1.0.1= ISAKMP-peer-west + +# These connections are walked over after config file parsing and told +# to the application layer so that it will inform us when traffic wants to +# pass over them. This means we can do on-demand keying. +[Phase 2] +Connections= IPsec-east-west + +[ISAKMP-peer-west] +Phase= 1 +Transport= udp +# XXX Not yet implemented +#Local-address= 10.1.0.2 +Address= 10.1.0.1 +# Default values for "Port" commented out +#Port= isakmp +#Port= 500 +Configuration= Default-main-mode +Authentication= mekmitasdigoat + +[IPsec-east-west] +Phase= 2 +ISAKMP-peer= ISAKMP-peer-west +Configuration= Default-quick-mode +Local-ID= Net-east +Remote-ID= Net-west +# XXX Not yet implemented +#Attributes= ondemand,teardown + +[Net-west] +ID-type= IPV4_ADDR_SUBNET +Network= 192.168.1.0 +Netmask= 255.255.255.0 + +[Net-east] +ID-type= IPV4_ADDR_SUBNET +Network= 192.168.2.0 +Netmask= 255.255.255.0 + +# Main mode descriptions + +[Default-main-mode] +DOI= IPSEC +EXCHANGE_TYPE= ID_PROT +Transforms= 3DES-SHA + +# Main mode transforms +###################### + +# DES + +[DES-MD5] +ENCRYPTION_ALGORITHM= DES_CBC +HASH_ALGORITHM= MD5 +AUTHENTICATION_METHOD= PRE_SHARED +GROUP_DESCRIPTION= MODP_768 +Life= LIFE_600_SECS,LIFE_1000_KB + +[DES-MD5-NO-VOL-LIFE] +ENCRYPTION_ALGORITHM= DES_CBC +HASH_ALGORITHM= MD5 +AUTHENTICATION_METHOD= PRE_SHARED +GROUP_DESCRIPTION= MODP_768 +Life= LIFE_600_SECS + +[DES-SHA] +ENCRYPTION_ALGORITHM= DES_CBC +HASH_ALGORITHM= SHA +AUTHENTICATION_METHOD= PRE_SHARED +GROUP_DESCRIPTION= MODP_768 +Life= LIFE_600_SECS,LIFE_1000_KB + +# 3DES + +[3DES-SHA] +ENCRYPTION_ALGORITHM= 3DES_CBC +HASH_ALGORITHM= SHA +AUTHENTICATION_METHOD= PRE_SHARED +GROUP_DESCRIPTION= MODP_1024 +Life= LIFE_600_SECS,LIFE_1000_KB + +# Blowfish + +[BLF-SHA-M1024] +ENCRYPTION_ALGORITHM= BLOWFISH_CBC +KEY_LENGTH= 128,96:192 +HASH_ALGORITHM= SHA +AUTHENTICATION_METHOD= PRE_SHARED +GROUP_DESCRIPTION= MODP_1024 +Life= LIFE_600_SECS,LIFE_1000_KB + +[BLF-SHA-EC155] +ENCRYPTION_ALGORITHM= BLOWFISH_CBC +KEY_LENGTH= 128,96:192 +HASH_ALGORITHM= SHA +AUTHENTICATION_METHOD= PRE_SHARED +GROUP_DESCRIPTION= EC2N_155 +Life= LIFE_600_SECS,LIFE_1000_KB + +[BLF-MD5-EC155] +ENCRYPTION_ALGORITHM= BLOWFISH_CBC +KEY_LENGTH= 128,96:192 +HASH_ALGORITHM= MD5 +AUTHENTICATION_METHOD= PRE_SHARED +GROUP_DESCRIPTION= EC2N_155 +Life= LIFE_600_SECS,LIFE_1000_KB + +[BLF-SHA-EC185] +ENCRYPTION_ALGORITHM= BLOWFISH_CBC +KEY_LENGTH= 128,96:192 +HASH_ALGORITHM= SHA +AUTHENTICATION_METHOD= PRE_SHARED +GROUP_DESCRIPTION= EC2N_185 +Life= LIFE_600_SECS,LIFE_1000_KB + +# Quick mode description +######################## + +[Default-quick-mode] +DOI= IPSEC +EXCHANGE_TYPE= QUICK_MODE +Suites= QM-ESP-3DES-SHA-PFS-SUITE,QM-ESP-DES-MD5-SUITE + +# Quick mode protection suites +############################## + +# DES + +[QM-ESP-DES-SUITE] +Protocols= QM-ESP-DES + +[QM-ESP-DES-PFS-SUITE] +Protocols= QM-ESP-DES-PFS + +[QM-ESP-DES-MD5-SUITE] +Protocols= QM-ESP-DES-MD5 + +[QM-ESP-DES-MD5-PFS-SUITE] +Protocols= QM-ESP-DES-MD5-PFS + +[QM-ESP-DES-SHA-SUITE] +Protocols= QM-ESP-DES-SHA + +[QM-ESP-DES-SHA-PFS-SUITE] +Protocols= QM-ESP-DES-SHA-PFS + +# 3DES + +[QM-ESP-3DES-SHA-SUITE] +Protocols= QM-ESP-3DES-SHA + +[QM-ESP-3DES-SHA-PFS-SUITE] +Protocols= QM-ESP-3DES-SHA-PFS + +# AH + +[QM-AH-MD5-SUITE] +Protocols= QM-AH-MD5 + +[QM-AH-MD5-PFS-SUITE] +Protocols= QM-AH-MD5-PFS + +# AH + ESP + +[QM-AH-MD5-ESP-DES-SUITE] +Protocols= QM-AH-MD5,QM-ESP-DES + +[QM-AH-MD5-ESP-DES-MD5-SUITE] +Protocols= QM-AH-MD5,QM-ESP-DES-MD5 + +[QM-ESP-DES-MD5-AH-MD5-SUITE] +Protocols= QM-ESP-DES-MD5,QM-AH-MD5 + +# Quick mode protocols + +# DES + +[QM-ESP-DES] +PROTOCOL_ID= IPSEC_ESP +Transforms= QM-ESP-DES-XF +# Needed in single-host VPN setups as we only have one SADB +ReplayWindow= -1 + +[QM-ESP-DES-MD5] +PROTOCOL_ID= IPSEC_ESP +Transforms= QM-ESP-DES-MD5-XF +# Needed in single-host VPN setups as we only have one SADB +ReplayWindow= -1 + +[QM-ESP-DES-MD5-PFS] +PROTOCOL_ID= IPSEC_ESP +Transforms= QM-ESP-DES-MD5-PFS-XF +# Needed in single-host VPN setups as we only have one SADB +ReplayWindow= -1 + +[QM-ESP-DES-SHA] +PROTOCOL_ID= IPSEC_ESP +Transforms= QM-ESP-DES-SHA-XF +# Needed in single-host VPN setups as we only have one SADB +ReplayWindow= -1 + +# 3DES + +[QM-ESP-3DES-SHA] +PROTOCOL_ID= IPSEC_ESP +Transforms= QM-ESP-3DES-SHA-XF +# Needed in single-host VPN setups as we only have one SADB +ReplayWindow= -1 + +[QM-ESP-3DES-SHA-PFS] +PROTOCOL_ID= IPSEC_ESP +Transforms= QM-ESP-3DES-SHA-PFS-XF +# Needed in single-host VPN setups as we only have one SADB +ReplayWindow= -1 + +[QM-ESP-3DES-SHA-TRP] +PROTOCOL_ID= IPSEC_ESP +Transforms= QM-ESP-3DES-SHA-TRP-XF +# Needed in single-host VPN setups as we only have one SADB +ReplayWindow= -1 + +# AH MD5 + +[QM-AH-MD5] +PROTOCOL_ID= IPSEC_AH +Transforms= QM-AH-MD5-XF +# Needed in single-host VPN setups as we only have one SADB +ReplayWindow= -1 + +[QM-AH-MD5-PFS] +PROTOCOL_ID= IPSEC_AH +Transforms= QM-AH-MD5-PFS-XF +# Needed in single-host VPN setups as we only have one SADB +ReplayWindow= -1 + +# Quick mode transforms + +# ESP DES+MD5 + +[QM-ESP-DES-XF] +TRANSFORM_ID= DES +ENCAPSULATION_MODE= TUNNEL +Life= LIFE_600_SECS + +[QM-ESP-DES-MD5-XF] +TRANSFORM_ID= DES +ENCAPSULATION_MODE= TUNNEL +AUTHENTICATION_ALGORITHM= HMAC_MD5 +Life= LIFE_600_SECS + +[QM-ESP-DES-MD5-PFS-XF] +TRANSFORM_ID= DES +ENCAPSULATION_MODE= TUNNEL +GROUP_DESCRIPTION= MODP_768 +AUTHENTICATION_ALGORITHM= HMAC_MD5 +Life= LIFE_600_SECS + +[QM-ESP-DES-SHA-XF] +TRANSFORM_ID= DES +ENCAPSULATION_MODE= TUNNEL +AUTHENTICATION_ALGORITHM= HMAC_SHA +Life= LIFE_600_SECS + +# 3DES + +[QM-ESP-3DES-SHA-XF] +TRANSFORM_ID= 3DES +ENCAPSULATION_MODE= TUNNEL +AUTHENTICATION_ALGORITHM= HMAC_SHA +Life= LIFE_600_SECS + +[QM-ESP-3DES-SHA-PFS-XF] +TRANSFORM_ID= 3DES +ENCAPSULATION_MODE= TUNNEL +AUTHENTICATION_ALGORITHM= HMAC_SHA +GROUP_DESCRIPTION= MODP_1024 +Life= LIFE_600_SECS + +[QM-ESP-3DES-SHA-TRP-XF] +TRANSFORM_ID= 3DES +ENCAPSULATION_MODE= TRANSPORT +AUTHENTICATION_ALGORITHM= HMAC_SHA +Life= LIFE_600_SECS + +# AH + +[QM-AH-MD5-XF] +TRANSFORM_ID= MD5 +ENCAPSULATION_MODE= TUNNEL +AUTHENTICATION_ALGORITHM= HMAC_MD5 +Life= LIFE_600_SECS + +[QM-AH-MD5-PFS-XF] +TRANSFORM_ID= MD5 +ENCAPSULATION_MODE= TUNNEL +GROUP_DESCRIPTION= MODP_768 +Life= LIFE_600_SECS + +[LIFE_600_SECS] +LIFE_TYPE= SECONDS +LIFE_DURATION= 600,450:720 + +[LIFE_3600_SECS] +LIFE_TYPE= SECONDS +LIFE_DURATION= 3600,1800:7200 + +[LIFE_1000_KB] +LIFE_TYPE= KILOBYTES +LIFE_DURATION= 1000,768:1536 + +[LIFE_32_MB] +LIFE_TYPE= KILOBYTES +LIFE_DURATION= 32768,16384:65536 + +[LIFE_4.5_GB] +LIFE_TYPE= KILOBYTES +LIFE_DURATION= 4608000,4096000:8192000 + +[RSA_SIG] +CERT= /etc/isakmpd_cert +PRIVKEY= /etc/isakmpd_key +PUBKEY= /etc/isakmpd_key.pub |