Merge with EOM 1.42

author: ho
Add initial text on auto-generated parts of the configuration.
Reorder example somewhat.

author: niklas
Doc fixes from OpenBSD

1 files changed, 66 insertions, 13 deletions

diff --git a/sbin/isakmpd/isakmpd.conf.5 b/sbin/isakmpd/isakmpd.conf.5
index 3f83c1db988..acf92fc1ac3 100644
--- a/sbin/isakmpd/isakmpd.conf.5
+++ b/sbin/isakmpd/isakmpd.conf.5
@@ -1,5 +1,5 @@
-.\" $OpenBSD: isakmpd.conf.5,v 1.36 2000/04/12 21:47:59 aaron Exp $
-.\" $EOM: isakmpd.conf.5,v 1.40 2000/04/07 22:17:11 niklas Exp $
+.\" $OpenBSD: isakmpd.conf.5,v 1.37 2000/05/02 14:36:18 niklas Exp $
+.\" $EOM: isakmpd.conf.5,v 1.42 2000/05/02 00:23:27 ho Exp $
 .\"
 .\" Copyright (c) 1998, 1999, 2000 Niklas Hallqvist.  All rights reserved.
 .\"
@@ -74,6 +74,49 @@ Some values are formatted like this: X,Y:Z, which
 is an offer/accept syntax, where X is a value we offer and Y:Z is a range of
 accepted values, inclusive.
 .Pp
+.Ss Auto-generated parts of the configuration
+.Pp
+Some predefined section names are recognized by the daemon, voiding the need
+to fully specify the Main Mode transforms and Quick Mode suites, protocols 
+and transforms.
+.Pp
+For Main Mode:
+.Bd -filled -offset indent -compact
+.Ar {DES,BLF,3DES,CAST}-{MD5,SHA}[-{DSS,RSA_SIG}]
+.Ed
+.Pp
+For Quick Mode:
+.Bd -filled -offset indent -compact
+.Ar QM-{ESP,AH}[-TRP]-{DES,3DES,CAST,BLF}[-{MD5,SHA}][-PFS]-SUITE
+.Ed
+.Pp
+Example 1: 3DES-SHA means; 3DES encryption, SHA hash, and authorization by 
+pre-shared keys.
+Example 2: QM-ESP-3DES-SHA-PFS-SUITE means; ESP protocol, 3DES encryption, 
+SHA hash, and use Perfect Forward Security.
+.Pp
+There are two predefined lifetimes used. The Main Mode lifetime,
+named LIFE_MAIN_MODE, currently 
+defaults to one hour (minimum 60 seconds, maximum 1 day). The Quick Mode 
+lifetime,
+LIFE_QUICK_MODE,
+defaults to 20 minutes (minimum 60 seconds, maximum 1 day).
+.Pp
+In addition, the predefinitions include some default values for the special
+sections "General", and "X509-certificates".  These values are presented in
+the example below.
+.Pp
+Note that using the predefined section names imply some minor limitations.
+There are currently no predefined ESP+AH Quick Mode suites, and the 
+Diffie-Hellman group description for Main Mode (and Quick Mode with PFS) is
+set to DH group 1 (MODP_768) when using MD5 hash, and DH group 2 (MODP_1024) 
+when using SHA hash.
+.Pp
+All autogenerated values can be overridden by manual entries by using the 
+same section and tag names in the configuration file.
+.\"XXX Following empty .Ss works around a nroff bug, we want the new line."
+.Ss
+.Pp
 .Ss Roots
 .Bl -hang -width 12n
 .It Em General
@@ -432,9 +475,6 @@ An example of a configuration file:
 # A configuration sample for the isakmpd ISAKMP/Oakley (aka IKE) daemon.
 
 [General]
-Policy-File=		/etc/isakmpd/isakmpd.policy
-Retransmits=		5
-Exchange-max-time=	120
 Listen-on=		10.1.0.2
 
 # Incoming phase 1 negotiations are multiplexed on the source IP address
@@ -484,6 +524,27 @@ DOI=			IPSEC
 EXCHANGE_TYPE=		ID_PROT
 Transforms=		3DES-SHA
 
+# Quick mode descriptions
+
+[Default-quick-mode]
+DOI=			IPSEC
+EXCHANGE_TYPE=		QUICK_MODE
+Suites=			QM-ESP-3DES-SHA-PFS-SUITE,QM-ESP-DES-MD5-SUITE
+
+#
+# #####################################################################
+# All configration data below this point is not required as the example
+# uses the predefined Main Mode transform and Quick Mode suite names.
+# It is included here for completeness. Note the default values for the
+# [General] and [X509-certificates] sections just below.
+# #####################################################################
+#
+
+[General]
+Policy-File=		/etc/isakmpd/isakmpd.policy
+Retransmits=		3
+Exchange-max-time=	120
+
 # Certificates stored in PEM format
 [X509-certificates]
 CA-directory=           /etc/isakmpd/ca/
@@ -559,14 +620,6 @@ AUTHENTICATION_METHOD=	PRE_SHARED
 GROUP_DESCRIPTION=	EC2N_185
 Life=			LIFE_600_SECS,LIFE_1000_KB
 
-# Quick mode description
-########################
-
-[Default-quick-mode]
-DOI=			IPSEC
-EXCHANGE_TYPE=		QUICK_MODE
-Suites=			QM-ESP-3DES-SHA-PFS-SUITE,QM-ESP-DES-MD5-SUITE
-
 # Quick mode protection suites
 ##############################