authorNiklas Hallqvist <niklas@cvs.openbsd.org>2000-06-08 20:51:01 +0000
committerNiklas Hallqvist <niklas@cvs.openbsd.org>2000-06-08 20:51:01 +0000
commiteb31dec4e684d462f5d477bf3be79a796ba14ed7 (patch)
treebca38679b18ba80ebf24634b33b3b7d3cc001f1e
parent5d8339299003ff3347a061eb14e83b1196403f4e (diff)
Merge with EOM 1.45
author: angelos Some more text. author: angelos Allow exchange of KeyNote credentials over IKE. Multiple credentials may be passed in a single CERT payload. KeyNote is used if a directory named as the local ID we use in an exchange exists in the KeyNote directory (default: /etc/isakmpd/keynote/). Note that asymmetric credentials are possible (use KeyNote in one direction and X509 in the other); such authentication is envisioned to be the most common: the clients will use KeyNote credentials to authenticate and authorize with a server, whilst the server will just provide an X509 certificate proving its binding to the IP address or ID. Totally asymmetric authentication (e.g., shared key in one direction, RSA in the other) is not supported by the IKE protocol. author: ho Update re DOI:IPSEC and default p1/p2 lifetimes.
-rw-r--r--sbin/isakmpd/isakmpd.conf.555
1 files changed, 50 insertions, 5 deletions
diff --git a/sbin/isakmpd/isakmpd.conf.5 b/sbin/isakmpd/isakmpd.conf.5
index acf92fc1ac3..a402bb1c8ea 100644
--- a/sbin/isakmpd/isakmpd.conf.5
+++ b/sbin/isakmpd/isakmpd.conf.5
@@ -1,5 +1,5 @@
-.\" $OpenBSD: isakmpd.conf.5,v 1.37 2000/05/02 14:36:18 niklas Exp $
-.\" $EOM: isakmpd.conf.5,v 1.42 2000/05/02 00:23:27 ho Exp $
+.\" $OpenBSD: isakmpd.conf.5,v 1.38 2000/06/08 20:51:00 niklas Exp $
+.\" $EOM: isakmpd.conf.5,v 1.45 2000/05/26 21:49:07 angelos Exp $
.\"
.\" Copyright (c) 1998, 1999, 2000 Niklas Hallqvist. All rights reserved.
.\"
@@ -114,6 +114,16 @@ when using SHA hash.
.Pp
All autogenerated values can be overridden by manual entries by using the
same section and tag names in the configuration file.
+.Pp
+In particular, the default phase 1 (Main or Aggressive Mode) and phase 2
+(Quick Mode) lifetimes can be overridden by these tags under the "General"
+section;
+.Pp
+.Bd -literal
+[General]
+Default-phase-1-lifetime= 3600,60:86400
+Default-phase-2-lifetime= 1200,60:86400
+.Ed
.\"XXX Following empty .Ss works around a nroff bug, we want the new line."
.Ss
.Pp
@@ -180,6 +190,34 @@ Currently only the Local-ID and Remote-ID tags
are looked at in those sections, as they are matched against the IDs given
by the initiator.
.El
+.It Em KeyNote
+.Bl -tag -width 12n
+.It Em Credential-directory
+A directory containing directories named after IDs (IP
+addresses, ``user@domain'', or hostnames) that contain files named
+``credentials'' and ``private_key''.
+.Pp
+The credentials file contains
+.Xr keynote 4
+credentials that are sent to a remote IKE daemon when we use the
+associated ID, or credentials that we may want to consider when doing
+an exchange with a remote IKE daemon that uses that ID. Note that, in
+the former case, the last credential in the file MUST contain our
+public key in its Licensees field. More than one credentials may exist
+in the file. They are separated by whitelines (the format is
+essentially the same as that of the policy file). The credentials are
+of the same format as the policies described in
+.Xr isakmpd.policy 5 .
+The only difference is that the Authorizer field contains a public
+key, and the assertion is signed. Signed assertions can be generated
+using the
+.Xr keynote 1
+utility.
+.Pp
+The private_key file contains the private RSA key we use for
+authentication. If the directory (and the files) exist, they take
+precedence over X509-based authentication.
+.El
.It Em X509-Certificates
.Bl -tag -width 12n
.It Em Ca-directory
@@ -287,6 +325,8 @@ string respectively.
The domain of interpretation as given by the RFCs.
Normally
.Li IPSEC .
+If unspecified, defaults to
+.Li IPSEC .
.It Em EXCHANGE_TYPE
The exchange type as given by the RFCs.
For main mode this is
@@ -385,7 +425,9 @@ accepting connections from the peer.
.It Em DOI
The domain of interpretation as given by the RFCs.
Normally
-.Li IPSEC .
+.Li IPSEC .
+If unspecified, defaults to
+.Li IPSEC .
.It Em EXCHANGE_TYPE
The exchange type as given by the RFCs.
For quick mode this is
@@ -520,14 +562,12 @@ Netmask= 255.255.255.0
# Main mode descriptions
[Default-main-mode]
-DOI= IPSEC
EXCHANGE_TYPE= ID_PROT
Transforms= 3DES-SHA
# Quick mode descriptions
[Default-quick-mode]
-DOI= IPSEC
EXCHANGE_TYPE= QUICK_MODE
Suites= QM-ESP-3DES-SHA-PFS-SUITE,QM-ESP-DES-MD5-SUITE
@@ -545,6 +585,10 @@ Policy-File= /etc/isakmpd/isakmpd.policy
Retransmits= 3
Exchange-max-time= 120
+# KeyNote credential storage
+[KeyNote]
+Credential-directory= /etc/isakmpd/keynote/
+
# Certificates stored in PEM format
[X509-certificates]
CA-directory= /etc/isakmpd/ca/
@@ -799,6 +843,7 @@ LIFE_DURATION= 4608000,4096000:8192000
.Ed
.Sh SEE ALSO
.Xr ipsec 4 ,
+.Xr keynote 1 ,
.Xr keynote 4 ,
.Xr isakmpd.policy 5 ,
.Xr isakmpd 8