authorNiklas Hallqvist <niklas@cvs.openbsd.org>1999-02-26 03:55:13 +0000
committerNiklas Hallqvist <niklas@cvs.openbsd.org>1999-02-26 03:55:13 +0000
commit6fb311198906dd9cea4c3ad9a1d3379dcdfdcb75 (patch)
tree4af54d7c59683aadc45ce4c0276cec29ecb34ae2
parent45f0339c447ce5f8b19eafb87980abace251a45b (diff)
Merge from the Ericsson repository
| revision 1.3 | date: 1999/02/25 10:21:35; author: niklas; state: Exp; lines: +19 -19 | Replay window changes were done at the wrong level | ---------------------------- | revision 1.2 | date: 1999/02/25 09:30:31; author: niklas; state: Exp; lines: +21 -1 | Replay protection window configurable | ---------------------------- | revision 1.1 | date: 1999/02/14 00:49:53; author: niklas; state: Exp; | An example of a two-node VPN setup | =============================================================================
-rw-r--r--sbin/isakmpd/samples/VPN-east.conf333
1 files changed, 333 insertions, 0 deletions
diff --git a/sbin/isakmpd/samples/VPN-east.conf b/sbin/isakmpd/samples/VPN-east.conf
new file mode 100644
index 00000000000..e671106ac4e
--- /dev/null
+++ b/sbin/isakmpd/samples/VPN-east.conf
@@ -0,0 +1,333 @@
+# $Id: VPN-east.conf,v 1.1 1999/02/26 03:55:12 niklas Exp $
+
+# A configuration sample for the isakmpd ISAKMP/Oakley (aka IKE) daemon.
+
+[General]
+Retransmits= 3
+Exchange-max-time= 120
+Listen-on= 10.1.0.2
+
+# Incoming phase 1 negotiations are multiplexed on the source IP address
+[Phase 1]
+10.1.0.1= ISAKMP-peer-west
+
+# These connections are walked over after config file parsing and told
+# to the application layer so that it will inform us when traffic wants to
+# pass over them. This means we can do on-demand keying.
+[Phase 2]
+Connections= IPsec-east-west
+
+[ISAKMP-peer-west]
+Phase= 1
+Transport= udp
+# XXX Not yet implemented
+#Local-address= 10.1.0.2
+Address= 10.1.0.1
+# Default values for "Port" commented out
+#Port= isakmp
+#Port= 500
+Configuration= Default-main-mode
+Authentication= mekmitasdigoat
+
+[IPsec-east-west]
+Phase= 2
+ISAKMP-peer= ISAKMP-peer-west
+Configuration= Default-quick-mode
+Local-ID= Net-east
+Remote-ID= Net-west
+# XXX Not yet implemented
+#Attributes= ondemand,teardown
+
+[Net-west]
+ID-type= IPV4_ADDR_SUBNET
+Network= 192.168.1.0
+Netmask= 255.255.255.0
+
+[Net-east]
+ID-type= IPV4_ADDR_SUBNET
+Network= 192.168.2.0
+Netmask= 255.255.255.0
+
+# Main mode descriptions
+
+[Default-main-mode]
+DOI= IPSEC
+EXCHANGE_TYPE= ID_PROT
+Transforms= 3DES-SHA
+
+# Main mode transforms
+######################
+
+# DES
+
+[DES-MD5]
+ENCRYPTION_ALGORITHM= DES_CBC
+HASH_ALGORITHM= MD5
+AUTHENTICATION_METHOD= PRE_SHARED
+GROUP_DESCRIPTION= MODP_768
+Life= LIFE_600_SECS,LIFE_1000_KB
+
+[DES-MD5-NO-VOL-LIFE]
+ENCRYPTION_ALGORITHM= DES_CBC
+HASH_ALGORITHM= MD5
+AUTHENTICATION_METHOD= PRE_SHARED
+GROUP_DESCRIPTION= MODP_768
+Life= LIFE_600_SECS
+
+[DES-SHA]
+ENCRYPTION_ALGORITHM= DES_CBC
+HASH_ALGORITHM= SHA
+AUTHENTICATION_METHOD= PRE_SHARED
+GROUP_DESCRIPTION= MODP_768
+Life= LIFE_600_SECS,LIFE_1000_KB
+
+# 3DES
+
+[3DES-SHA]
+ENCRYPTION_ALGORITHM= 3DES_CBC
+HASH_ALGORITHM= SHA
+AUTHENTICATION_METHOD= PRE_SHARED
+GROUP_DESCRIPTION= MODP_1024
+Life= LIFE_600_SECS,LIFE_1000_KB
+
+# Blowfish
+
+[BLF-SHA-M1024]
+ENCRYPTION_ALGORITHM= BLOWFISH_CBC
+KEY_LENGTH= 128,96:192
+HASH_ALGORITHM= SHA
+AUTHENTICATION_METHOD= PRE_SHARED
+GROUP_DESCRIPTION= MODP_1024
+Life= LIFE_600_SECS,LIFE_1000_KB
+
+[BLF-SHA-EC155]
+ENCRYPTION_ALGORITHM= BLOWFISH_CBC
+KEY_LENGTH= 128,96:192
+HASH_ALGORITHM= SHA
+AUTHENTICATION_METHOD= PRE_SHARED
+GROUP_DESCRIPTION= EC2N_155
+Life= LIFE_600_SECS,LIFE_1000_KB
+
+[BLF-MD5-EC155]
+ENCRYPTION_ALGORITHM= BLOWFISH_CBC
+KEY_LENGTH= 128,96:192
+HASH_ALGORITHM= MD5
+AUTHENTICATION_METHOD= PRE_SHARED
+GROUP_DESCRIPTION= EC2N_155
+Life= LIFE_600_SECS,LIFE_1000_KB
+
+[BLF-SHA-EC185]
+ENCRYPTION_ALGORITHM= BLOWFISH_CBC
+KEY_LENGTH= 128,96:192
+HASH_ALGORITHM= SHA
+AUTHENTICATION_METHOD= PRE_SHARED
+GROUP_DESCRIPTION= EC2N_185
+Life= LIFE_600_SECS,LIFE_1000_KB
+
+# Quick mode description
+########################
+
+[Default-quick-mode]
+DOI= IPSEC
+EXCHANGE_TYPE= QUICK_MODE
+Suites= QM-ESP-3DES-SHA-PFS-SUITE,QM-ESP-DES-MD5-SUITE
+
+# Quick mode protection suites
+##############################
+
+# DES
+
+[QM-ESP-DES-SUITE]
+Protocols= QM-ESP-DES
+
+[QM-ESP-DES-PFS-SUITE]
+Protocols= QM-ESP-DES-PFS
+
+[QM-ESP-DES-MD5-SUITE]
+Protocols= QM-ESP-DES-MD5
+
+[QM-ESP-DES-MD5-PFS-SUITE]
+Protocols= QM-ESP-DES-MD5-PFS
+
+[QM-ESP-DES-SHA-SUITE]
+Protocols= QM-ESP-DES-SHA
+
+[QM-ESP-DES-SHA-PFS-SUITE]
+Protocols= QM-ESP-DES-SHA-PFS
+
+# 3DES
+
+[QM-ESP-3DES-SHA-SUITE]
+Protocols= QM-ESP-3DES-SHA
+
+[QM-ESP-3DES-SHA-PFS-SUITE]
+Protocols= QM-ESP-3DES-SHA-PFS
+
+# AH
+
+[QM-AH-MD5-SUITE]
+Protocols= QM-AH-MD5
+
+[QM-AH-MD5-PFS-SUITE]
+Protocols= QM-AH-MD5-PFS
+
+# AH + ESP
+
+[QM-AH-MD5-ESP-DES-SUITE]
+Protocols= QM-AH-MD5,QM-ESP-DES
+
+[QM-AH-MD5-ESP-DES-MD5-SUITE]
+Protocols= QM-AH-MD5,QM-ESP-DES-MD5
+
+[QM-ESP-DES-MD5-AH-MD5-SUITE]
+Protocols= QM-ESP-DES-MD5,QM-AH-MD5
+
+# Quick mode protocols
+
+# DES
+
+[QM-ESP-DES]
+PROTOCOL_ID= IPSEC_ESP
+Transforms= QM-ESP-DES-XF
+# Needed in single-host VPN setups as we only have one SADB
+ReplayWindow= -1
+
+[QM-ESP-DES-MD5]
+PROTOCOL_ID= IPSEC_ESP
+Transforms= QM-ESP-DES-MD5-XF
+# Needed in single-host VPN setups as we only have one SADB
+ReplayWindow= -1
+
+[QM-ESP-DES-MD5-PFS]
+PROTOCOL_ID= IPSEC_ESP
+Transforms= QM-ESP-DES-MD5-PFS-XF
+# Needed in single-host VPN setups as we only have one SADB
+ReplayWindow= -1
+
+[QM-ESP-DES-SHA]
+PROTOCOL_ID= IPSEC_ESP
+Transforms= QM-ESP-DES-SHA-XF
+# Needed in single-host VPN setups as we only have one SADB
+ReplayWindow= -1
+
+# 3DES
+
+[QM-ESP-3DES-SHA]
+PROTOCOL_ID= IPSEC_ESP
+Transforms= QM-ESP-3DES-SHA-XF
+# Needed in single-host VPN setups as we only have one SADB
+ReplayWindow= -1
+
+[QM-ESP-3DES-SHA-PFS]
+PROTOCOL_ID= IPSEC_ESP
+Transforms= QM-ESP-3DES-SHA-PFS-XF
+# Needed in single-host VPN setups as we only have one SADB
+ReplayWindow= -1
+
+[QM-ESP-3DES-SHA-TRP]
+PROTOCOL_ID= IPSEC_ESP
+Transforms= QM-ESP-3DES-SHA-TRP-XF
+# Needed in single-host VPN setups as we only have one SADB
+ReplayWindow= -1
+
+# AH MD5
+
+[QM-AH-MD5]
+PROTOCOL_ID= IPSEC_AH
+Transforms= QM-AH-MD5-XF
+# Needed in single-host VPN setups as we only have one SADB
+ReplayWindow= -1
+
+[QM-AH-MD5-PFS]
+PROTOCOL_ID= IPSEC_AH
+Transforms= QM-AH-MD5-PFS-XF
+# Needed in single-host VPN setups as we only have one SADB
+ReplayWindow= -1
+
+# Quick mode transforms
+
+# ESP DES+MD5
+
+[QM-ESP-DES-XF]
+TRANSFORM_ID= DES
+ENCAPSULATION_MODE= TUNNEL
+Life= LIFE_600_SECS
+
+[QM-ESP-DES-MD5-XF]
+TRANSFORM_ID= DES
+ENCAPSULATION_MODE= TUNNEL
+AUTHENTICATION_ALGORITHM= HMAC_MD5
+Life= LIFE_600_SECS
+
+[QM-ESP-DES-MD5-PFS-XF]
+TRANSFORM_ID= DES
+ENCAPSULATION_MODE= TUNNEL
+GROUP_DESCRIPTION= MODP_768
+AUTHENTICATION_ALGORITHM= HMAC_MD5
+Life= LIFE_600_SECS
+
+[QM-ESP-DES-SHA-XF]
+TRANSFORM_ID= DES
+ENCAPSULATION_MODE= TUNNEL
+AUTHENTICATION_ALGORITHM= HMAC_SHA
+Life= LIFE_600_SECS
+
+# 3DES
+
+[QM-ESP-3DES-SHA-XF]
+TRANSFORM_ID= 3DES
+ENCAPSULATION_MODE= TUNNEL
+AUTHENTICATION_ALGORITHM= HMAC_SHA
+Life= LIFE_600_SECS
+
+[QM-ESP-3DES-SHA-PFS-XF]
+TRANSFORM_ID= 3DES
+ENCAPSULATION_MODE= TUNNEL
+AUTHENTICATION_ALGORITHM= HMAC_SHA
+GROUP_DESCRIPTION= MODP_1024
+Life= LIFE_600_SECS
+
+[QM-ESP-3DES-SHA-TRP-XF]
+TRANSFORM_ID= 3DES
+ENCAPSULATION_MODE= TRANSPORT
+AUTHENTICATION_ALGORITHM= HMAC_SHA
+Life= LIFE_600_SECS
+
+# AH
+
+[QM-AH-MD5-XF]
+TRANSFORM_ID= MD5
+ENCAPSULATION_MODE= TUNNEL
+AUTHENTICATION_ALGORITHM= HMAC_MD5
+Life= LIFE_600_SECS
+
+[QM-AH-MD5-PFS-XF]
+TRANSFORM_ID= MD5
+ENCAPSULATION_MODE= TUNNEL
+GROUP_DESCRIPTION= MODP_768
+Life= LIFE_600_SECS
+
+[LIFE_600_SECS]
+LIFE_TYPE= SECONDS
+LIFE_DURATION= 600,450:720
+
+[LIFE_3600_SECS]
+LIFE_TYPE= SECONDS
+LIFE_DURATION= 3600,1800:7200
+
+[LIFE_1000_KB]
+LIFE_TYPE= KILOBYTES
+LIFE_DURATION= 1000,768:1536
+
+[LIFE_32_MB]
+LIFE_TYPE= KILOBYTES
+LIFE_DURATION= 32768,16384:65536
+
+[LIFE_4.5_GB]
+LIFE_TYPE= KILOBYTES
+LIFE_DURATION= 4608000,4096000:8192000
+
+[RSA_SIG]
+CERT= /etc/isakmpd_cert
+PRIVKEY= /etc/isakmpd_key
+PUBKEY= /etc/isakmpd_key.pub
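Review bot: Every quick-mode protocol section (`[QM-ESP-DES]` through `[QM-AH-MD5-PFS]`) sets `ReplayWindow= -1` under the comment "Needed in single-host VPN setups as we only have one SADB", yet this file is the east half of a two-node sample, so anyone copying it gets IPsec anti-replay turned off (presumably what -1 means, given the comment) on a deployment where the single-host caveat does not apply. I would leave the key commented out in the sample and make the trade-off explicit: `# ReplayWindow= -1 disables anti-replay; only needed when both SA ends share one host` / `#ReplayWindow= -1`. The pre-shared secret `Authentication= mekmitasdigoat` in `[ISAKMP-peer-west]` also deserves a line saying it is a placeholder that must be replaced and that the real file should not be world-readable, since the diffstat shows this one checked in as `-rw-r--r--`. Finally, `[Default-quick-mode]` offers `QM-ESP-DES-MD5-SUITE` as the fallback suite, which is single DES without PFS while phase 1 only proposes 3DES; if the fallback is deliberate for interop, a one-line comment saying so would stop it being copied as a default.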