authorHakan Olsson <ho@cvs.openbsd.org>2005-05-28 18:38:31 +0000
committerHakan Olsson <ho@cvs.openbsd.org>2005-05-28 18:38:31 +0000
commit3bf54f8a8e16b90ad64f277f9a6d1ad079a43ad1 (patch)
treeac46f676b1eea00d8d38f3cbd54f37382fb2fefa
parentf1a528ab352f5d519df309fc8c48e1791fc2baa4 (diff)
Clean up sample configurations a bit; more AES, less MD5, remove fields we
no longer require etc. Also add a 9-line "default" config sample.
-rw-r--r--sbin/isakmpd/samples/VPN-3way-template.conf31
-rw-r--r--sbin/isakmpd/samples/VPN-default.conf17
-rw-r--r--sbin/isakmpd/samples/VPN-east.conf10
-rw-r--r--sbin/isakmpd/samples/VPN-west.conf8
-rw-r--r--sbin/isakmpd/samples/policy3
-rw-r--r--sbin/isakmpd/samples/singlehost-east.conf6
-rw-r--r--sbin/isakmpd/samples/singlehost-west.conf6
7 files changed, 29 insertions, 52 deletions
diff --git a/sbin/isakmpd/samples/VPN-3way-template.conf b/sbin/isakmpd/samples/VPN-3way-template.conf
index b64c80110e1..1af58b56683 100644
--- a/sbin/isakmpd/samples/VPN-3way-template.conf
+++ b/sbin/isakmpd/samples/VPN-3way-template.conf
@@ -1,5 +1,4 @@
-# $OpenBSD: VPN-3way-template.conf,v 1.11 2004/02/11 08:55:22 jmc Exp $
-# $EOM: VPN-3way-template.conf,v 1.8 2000/10/09 22:08:30 angelos Exp $
+# $OpenBSD: VPN-3way-template.conf,v 1.12 2005/05/28 18:38:30 ho Exp $
#
# A configuration sample for the isakmpd ISAKMP/Oakley (aka IKE) daemon.
#
@@ -33,24 +32,20 @@
Connections= IPsec-Conn-XXX-YYY,IPsec-Conn-XXX-ZZZ
# ISAKMP Phase 1 peer sections
-##############################
[ISAKMP-peer-node-YYY]
Phase= 1
-Transport= udp
Address= 192.168.YYY.nnn
Configuration= Default-main-mode
Authentication= yoursharedsecretwithYYY
[ISAKMP-peer-node-ZZZ]
Phase= 1
-Transport= udp
Address= 192.168.ZZZ.nnn
Configuration= Default-main-mode
Authentication= yoursharedsecretwithZZZ
# IPsec Phase 2 sections
-########################
[IPsec-Conn-XXX-YYY]
Phase= 2
@@ -67,7 +62,6 @@ Local-ID= MyNet-XXX
Remote-ID= OtherNet-ZZZ
# Client ID sections
-####################
[MyNet-XXX]
ID-type= IPV4_ADDR_SUBNET
@@ -84,33 +78,14 @@ ID-type= IPV4_ADDR_SUBNET
Network= 192.168.ZZZ.0
Netmask= 255.255.255.0
-#
-# There is no more node-specific configuration below this point.
-#
-
-# Main mode descriptions
+# Main mode description
[Default-main-mode]
-DOI= IPSEC
-EXCHANGE_TYPE= ID_PROT
-Transforms= 3DES-SHA,3DES-MD5
-
-[Blowfish-main-mode]
-DOI= IPSEC
EXCHANGE_TYPE= ID_PROT
-Transforms= BLF-SHA-M1024
+Transforms= AES-SHA,3DES-SHA
# Quick mode description
-########################
[Default-quick-mode]
-DOI= IPSEC
EXCHANGE_TYPE= QUICK_MODE
Suites= QM-ESP-AES-SHA-PFS-SUITE
-
-[Blowfish-quick-mode]
-DOI= IPSEC
-EXCHANGE_TYPE= QUICK_MODE
-Suites= QM-ESP-BLF-SHA-PFS-SUITE
-#Suites= QM-ESP-BLF-SHA-SUITE
-
diff --git a/sbin/isakmpd/samples/VPN-default.conf b/sbin/isakmpd/samples/VPN-default.conf
new file mode 100644
index 00000000000..49b08225022
--- /dev/null
+++ b/sbin/isakmpd/samples/VPN-default.conf
@@ -0,0 +1,17 @@
+# $OpenBSD: VPN-default.conf,v 1.1 2005/05/28 18:38:30 ho Exp $
+#
+# This isakmpd configuration accepts incoming negotiations from any IKE
+# peer, such as roaming laptops. The validity of the negotiated SAs can
+# be checked using isakmpd.policy.
+
+[Phase 1]
+Default= any
+
+[any]
+Phase= 1
+Configuration= Default-main-mode
+Authentication= mekmitasdigoat
+
+[Default-main-mode]
+EXCHANGE_TYPE= ID_PROT
+Transforms= AES-SHA,3DES-SHA
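Review bot: `Authentication= mekmitasdigoat` on the new `[any]` peer is the same published sample passphrase used by the other sample files and by `Licensees: "passphrase:mekmitasdigoat"` in samples/policy, and here it is combined with `Default= any`, so a copy of this file deployed unchanged accepts a Phase 1 negotiation from any peer that presents that well-known string. The header comment should state this explicitly, e.g. `# Replace the Authentication value with a site-specific pre-shared key before use; it must match the passphrase in isakmpd.policy.` The file also defines no Phase 2 / quick-mode section; if that is intended for a responder-only setup where the policy file does the checking, a one-line comment saying so would save the reader a lookup.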
diff --git a/sbin/isakmpd/samples/VPN-east.conf b/sbin/isakmpd/samples/VPN-east.conf
index 04d0bb90dfc..335e22cb4e5 100644
--- a/sbin/isakmpd/samples/VPN-east.conf
+++ b/sbin/isakmpd/samples/VPN-east.conf
@@ -1,6 +1,5 @@
-# $OpenBSD: VPN-east.conf,v 1.13 2003/03/16 08:13:02 matthieu Exp $
-# $EOM: VPN-east.conf,v 1.12 2000/10/09 22:08:30 angelos Exp $
-
+# $OpenBSD: VPN-east.conf,v 1.14 2005/05/28 18:38:30 ho Exp $
+#
# A configuration sample for the isakmpd ISAKMP/Oakley (aka IKE) daemon.
#
# The network topology of the example net is like this:
@@ -17,7 +16,6 @@ Connections= IPsec-east-west
[ISAKMP-peer-west]
Phase= 1
-Transport= udp
Address= 10.1.0.11
Configuration= Default-main-mode
Authentication= mekmitasdigoat
@@ -40,11 +38,9 @@ Network= 192.168.12.0
Netmask= 255.255.255.0
[Default-main-mode]
-DOI= IPSEC
EXCHANGE_TYPE= ID_PROT
-Transforms= 3DES-SHA
+Transforms= AES-SHA,3DES-SHA
[Default-quick-mode]
-DOI= IPSEC
EXCHANGE_TYPE= QUICK_MODE
Suites= QM-ESP-AES-SHA-PFS-SUITE
diff --git a/sbin/isakmpd/samples/VPN-west.conf b/sbin/isakmpd/samples/VPN-west.conf
index 5b3a8f64694..5ab6b69ea41 100644
--- a/sbin/isakmpd/samples/VPN-west.conf
+++ b/sbin/isakmpd/samples/VPN-west.conf
@@ -1,6 +1,5 @@
-# $OpenBSD: VPN-west.conf,v 1.14 2003/03/16 08:13:02 matthieu Exp $
-# $EOM: VPN-west.conf,v 1.13 2000/10/09 22:08:30 angelos Exp $
-
+# $OpenBSD: VPN-west.conf,v 1.15 2005/05/28 18:38:30 ho Exp $
+#
# A configuration sample for the isakmpd ISAKMP/Oakley (aka IKE) daemon.
#
# The network topology of the example net is like this:
@@ -17,7 +16,6 @@ Connections= IPsec-west-east
[ISAKMP-peer-east]
Phase= 1
-Transport= udp
Address= 10.1.0.12
Configuration= Default-main-mode
Authentication= mekmitasdigoat
@@ -42,7 +40,7 @@ Netmask= 255.255.255.0
[Default-main-mode]
DOI= IPSEC
EXCHANGE_TYPE= ID_PROT
-Transforms= 3DES-SHA
+Transforms= AES-SHA,3DES-SHA
[Default-quick-mode]
DOI= IPSEC
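Review bot: `DOI= IPSEC` is still present in this hunk's `[Default-main-mode]` and `[Default-quick-mode]` sections, while the same commit removes it from VPN-east.conf, singlehost-east.conf and singlehost-west.conf as a field no longer required. The east and west samples are meant to be mirror images of each other, so the two `DOI= IPSEC` lines here should be dropped as well to keep them interchangeable. The `[Default-quick-mode]` section continues past the end of the hunk.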
diff --git a/sbin/isakmpd/samples/policy b/sbin/isakmpd/samples/policy
index 0e194aa9c9c..bfb68b7230c 100644
--- a/sbin/isakmpd/samples/policy
+++ b/sbin/isakmpd/samples/policy
@@ -1,7 +1,6 @@
KeyNote-Version: 2
Comment: This policy accepts ESP SAs from a remote that uses the right password
- $OpenBSD: policy,v 1.6 2001/06/20 16:36:19 angelos Exp $
- $EOM: policy,v 1.6 2000/10/09 22:08:30 angelos Exp $
+ $OpenBSD: policy,v 1.7 2005/05/28 18:38:30 ho Exp $
Authorizer: "POLICY"
Licensees: "passphrase:mekmitasdigoat"
Conditions: app_domain == "IPsec policy" &&
diff --git a/sbin/isakmpd/samples/singlehost-east.conf b/sbin/isakmpd/samples/singlehost-east.conf
index f0afc46f047..7d6fb9aa436 100644
--- a/sbin/isakmpd/samples/singlehost-east.conf
+++ b/sbin/isakmpd/samples/singlehost-east.conf
@@ -1,4 +1,4 @@
-# $OpenBSD: singlehost-east.conf,v 1.10 2000/11/23 12:56:25 niklas Exp $
+# $OpenBSD: singlehost-east.conf,v 1.11 2005/05/28 18:38:30 ho Exp $
# $EOM: singlehost-east.conf,v 1.10 2000/11/23 12:24:43 niklas Exp $
# A configuration sample for the isakmpd ISAKMP/Oakley (aka IKE) daemon.
@@ -17,7 +17,6 @@ Connections= IPsec-east-west
[ISAKMP-peer-west]
Phase= 1
-Transport= udp
Local-address= 10.1.0.12
Address= 10.1.0.11
Configuration= Default-main-mode
@@ -25,7 +24,6 @@ Authentication= mekmitasdigoat
[ISAKMP-peer-west-aggressive]
Phase= 1
-Transport= udp
Local-address= 10.1.0.12
Address= 10.1.0.11
Configuration= Default-aggressive-mode
@@ -49,12 +47,10 @@ Network= 192.168.12.0
Netmask= 255.255.255.0
[Default-main-mode]
-DOI= IPSEC
EXCHANGE_TYPE= ID_PROT
Transforms= 3DES-SHA
[Default-aggressive-mode]
-DOI= IPSEC
EXCHANGE_TYPE= AGGRESSIVE
Transforms= 3DES-SHA-RSA
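Review bot: `Transforms= 3DES-SHA` and `Transforms= 3DES-SHA-RSA` are left unchanged in this hunk although the commit message says "more AES" and VPN-east.conf and VPN-west.conf now propose `Transforms= AES-SHA,3DES-SHA`, so the singlehost samples keep offering 3DES-only main mode. The main-mode line should become `Transforms= AES-SHA,3DES-SHA` to match the other samples, and the aggressive-mode line should list an AES-with-RSA-signature transform ahead of `3DES-SHA-RSA` if one is defined for this isakmpd version (the exact name cannot be confirmed from this diff). The same applies to the matching hunk in singlehost-west.conf.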
diff --git a/sbin/isakmpd/samples/singlehost-west.conf b/sbin/isakmpd/samples/singlehost-west.conf
index 40538a3b2f7..b534fde0673 100644
--- a/sbin/isakmpd/samples/singlehost-west.conf
+++ b/sbin/isakmpd/samples/singlehost-west.conf
@@ -1,4 +1,4 @@
-# $OpenBSD: singlehost-west.conf,v 1.11 2003/08/20 14:43:36 ho Exp $
+# $OpenBSD: singlehost-west.conf,v 1.12 2005/05/28 18:38:30 ho Exp $
# $EOM: singlehost-west.conf,v 1.10 2000/11/23 12:24:43 niklas Exp $
# A configuration sample for the isakmpd ISAKMP/Oakley (aka IKE) daemon.
@@ -17,7 +17,6 @@ Connections= IPsec-west-east
[ISAKMP-peer-east]
Phase= 1
-Transport= udp
Local-address= 10.1.0.11
Address= 10.1.0.12
Configuration= Default-main-mode
@@ -25,7 +24,6 @@ Authentication= mekmitasdigoat
[ISAKMP-peer-east-aggressive]
Phase= 1
-Transport= udp
Local-address= 10.1.0.11
Address= 10.1.0.12
Configuration= Default-aggressive-mode
@@ -49,12 +47,10 @@ Network= 192.168.12.0
Netmask= 255.255.255.0
[Default-main-mode]
-DOI= IPSEC
EXCHANGE_TYPE= ID_PROT
Transforms= 3DES-SHA
[Default-aggressive-mode]
-DOI= IPSEC
EXCHANGE_TYPE= AGGRESSIVE
Transforms= 3DES-SHA-RSA