| Field | Value | Date |
|---|---|---|
| author | Angelos D. Keromytis <angelos@cvs.openbsd.org> | 1999-10-16 20:07:19 +0000 |
| committer | Angelos D. Keromytis <angelos@cvs.openbsd.org> | 1999-10-16 20:07:19 +0000 |
| commit | 84d7f782b5dabac2437d2c8b3007d636f8808afe | |
| tree | f6338cf4aa2ff1b9eabf8e91898b97d4be9927d2 | |
| parent | 3b8f2dc374ed13f8de79e01b62150a23d53d246f | |
Manpage describing policy.
| Mode | File | Lines changed |
|---|---|---|
| -rw-r--r-- | sbin/isakmpd/Makefile | 4 |
| -rw-r--r-- | sbin/isakmpd/isakmpd.policy.5 | 509 |

2 files changed, 511 insertions, 2 deletions
diff --git a/sbin/isakmpd/Makefile b/sbin/isakmpd/Makefile index 356f3f5a5af..bfa32efc27d 100644 --- a/sbin/isakmpd/Makefile +++ b/sbin/isakmpd/Makefile @@ -1,4 +1,4 @@ -# $OpenBSD: Makefile,v 1.20 1999/08/26 22:29:19 niklas Exp $ +# $OpenBSD: Makefile,v 1.21 1999/10/16 20:07:18 angelos Exp $ # $EOM: Makefile,v 1.58 1999/08/26 11:21:48 niklas Exp $ # @@ -66,7 +66,7 @@ GENERATED= exchange_num.h ipsec_fld.h ipsec_num.h isakmp_fld.h \ CLEANFILES= exchange_num.c exchange_num.h ipsec_num.c ipsec_num.h \ isakmp_num.c isakmp_num.h ipsec_fld.c ipsec_fld.h \ isakmp_fld.c isakmp_fld.h -MAN= isakmpd.8 isakmpd.conf.5 +MAN= isakmpd.8 isakmpd.conf.5 isakmp.policy.5 CFLAGS+= -Wall -DNEED_SYSDEP_APP \ -I${.CURDIR} -I${.CURDIR}/sysdep/${OS} -I. diff --git a/sbin/isakmpd/isakmpd.policy.5 b/sbin/isakmpd/isakmpd.policy.5 new file mode 100644 index 00000000000..f10e308a252 --- /dev/null +++ b/sbin/isakmpd/isakmpd.policy.5 
@@ -0,0 +1,509 @@ +.\" $Id: isakmpd.policy.5,v 1.1 1999/10/16 20:07:18 angelos Exp $ +.\" $OpenBSD: isakmpd.policy.5,v 1.1 1999/10/16 20:07:18 angelos Exp $ +.\" +.\" Copyright (c) 1999, Angelos D. Keromytis. All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" 3. All advertising materials mentioning features or use of this software +.\" must display the following acknowledgement: +.\" This product includes software developed by Ericsson Radio Systems. +.\" 4. The name of the author may not be used to endorse or promote products +.\" derived from this software without specific prior written permission. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR +.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES +.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. +.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, +.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT +.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, +.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY +.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF +.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+.\" +.\" +.\" Manual page, using -mandoc macros +.\" +.Dd October 10, 1998 +.Dt isakmpd.policy 5 +.Os +.Sh NAME +.Nm isakmpd.policy +.Nd policy configuration file for isakmpd +.Sh DESCRIPTION +.Nm +is the policy configuration file for the +.Nm isakmpd +daemon managing security association and key management for the +.Xr ipsec 4 +layer of the kernel's networking stack. +.Pp +The +.Xr isakmpd 1 +daemon (also known as IKE, for Internet Key Exchange) is used when two +systems need to automatically setup a pair of Security Associations +(SAs) for securely communicating using IPsec. IKE operates in two +stages: +.Pp +In the first stage (Main or Identity Protection Mode), the two IKE +daemons establish a secure link between themselves, fully +authenticating each other and establishing key material for +encrypting/authenticating future communications between them. This +step is typically only performed once for every pair of IKE daemons. +.Pp +In the second stage (also called Quick Mode), the two IKE daemon +create the pair of SAs for the parties that wish to communicate using +IPsec. These parties may be the hosts the IKE daemons run on, a host +and a network behind a firewall, or two networks behind their +respective firewalls. At this stage, the exact parameters of the SAs +(e.g., algorithms to use, encapsulation mode, lifetime) and the +identities of the communicating parties (hosts, networks, etc.) are +specified. The reason of existance of Quick Mode is to allow for fast +SA setup, once the more heavy-weight Main Mode has been completed. +Generally, Quick Mode uses the key material derived from Main Mode to +provide keys to the IPsec transforms to be used. Alternatively, a new +Diffie-Hellman computation may be performed (significantly slowing +down the exchange, but at the same time providing Perfect Forward +Secrecy (PFS)). 
Briefly, this means that even should an attacker +manage to break long-term keys used in other sessions (or, +specifically, if an attacker breaks the Diffie-Hellman exchange +performed during Main Mode), they will not be able to decrypt this +traffic. Normally, no PFS is provided (the key material used by the +IPsec SAs established as a result of this exchange will be derived +from the key material of the Main Mode exchange), allowing for a +faster Quick Mode exchange (no public key computations). +.Pp +IKE proposals are "suggestions" by the initiator of an exchange to the +responder as to what protocols and attributes should be used on a +class of packets. For example, a given exchange may ask for ESP with +3DES and MD5 and AH with SHA1 (applied successively on the same +packet), or just ESP with Blowfish and RIPEMD-160. The responder +examines the proposals and determines which of them are acceptable, +according to policy and any credentials. +.Pp +The following paragraphs assume some knowledge of the contents of +.Xr keynote 4 +and +.Xr keynote 5 +man pages. +.Pp +In the KeyNote policy model for IPsec, no distinction is currently +made based on the ordering of AH and ESP in the packet. Should this +change in the future, an appropriate attribute (see below) will be +added. +.Pp +The goal of security policy for IKE is thus to determine, based on +local policy (provided in the +.Nm isakmpd.policy +file), credentials provided during the IKE exchanges (or obtained +through other means), the SA attributes proposed during the exchange, +and perhaps other (side-channel) information, whether a pair of SAs +should be installed in the system (in fact, whether both the IPsec SAs +and the flows should be installed). 
For each proposal suggested by or +to the remote IKE daemon, the KeyNote system is consulted as to +whether the proposal is acceptable based on local policy (contained in +.Nm isakmpd.policy , +in the form of policy assertions) and remote credentials (e.g., +KeyNote credentials or X509 certificates provided by the remote IKE +daemon). +.Pp +.Nm isakmpd.policy +is simply a flat +.Xr ascii 7 +file containing KeyNote policy assertions, separated by blank lines +(note that KeyNote assertions may not contain blank lines). +.Pp +For more details on KeyNote assertion format, please see +.Xr keynote 5 . +Briefly, KeyNote policy assertions used in IKE have the following +characteristics: + +.nf +* The Authorizer field is typically "POLICY" (but see the examples + below, for use of policy delegation). + +* The Licensees field can be an expression of passphrases used for + authentication of the Main Mode exchanges and/or public keys + (typically, X509 certificates). + +* The Conditions field contains an expression of attributes from the + IPsec policy action set (see below as well as the keynote syntax man + page for more details). + +* The ordered return-values set for IPsec policy is "false, true". +.fi + +For an explanation of these fields and their semantics, see +.Xr keynote 5 . + +For example, the following policy assertion: +.Bd -literal + Authorizer: "POLICY" + Licensees: "passphrase:foobar" || "x509-base64:abcd==" + Conditions: app_domain == "IPsec policy" && esp_present == "yes" + && esp_enc_alg != "null" -> "true"; +.Ed + +says that any proposal from a remote host that authenticates using the +passphrase "foobar" or the public key contained in the X509 +certificate encoded as "abcd==" will be accepted, as long as it +contains ESP with a non-null algorithm (i.e., the packet will be +encrypted). 
+.Pp +KeyNote credentials have the same format as policy assertions, with +one difference: the Authorizer field always contains a public key, and +the assertion is signed (and thus its integrity can be +cryptographically verified). Credentials are used to build chains of +delegation of authority. They can be exchanged during an IKE exchange, +or can be retrieved through some out-of-band mechanism (no such +mechanism is currently supported in this implementation however). +.Pp +Passphrases that appear in the Licensees field are encoded as the +string "passphrase:", followed by the passphrase itself +(case-sensitive). +.Pp +When X509-based authentication is performed in Main Mode, any X509 +certificates received from the remote IKE daemon are converted to very +simple KeyNote credentials. The conversion is straightforward: the +issuer of the X509 certificate becomes the Authorizer of the KeyNote +credential, the subject becomes the only Licensees entry, while the +Conditions field simply asserts that the credential is only valid for +"IPsec policy" use (see the app_domain action attribute below). +.Pp +Similarly, any X509 CA certificates present in the directory pointed +to by the appropriate +.Xr isakmpd.conf 5 +entry, are converted to such pseudo-credentials. This allows one to +write KeyNote policies that delegate specific authority to CAs (and +the keys those CAs certify, recursively). +.Pp +For more details on KeyNote assertion format, see +.Xr keynote 5 . +.Pp +Information about the proposals, the identity of the remote IKE +daemon, the packet classes to be protected, etc. are encoded in what +is called an action set. The action set is composed of name-value +attribute, similar in some way to a shell environment variables. These +values are initialized by +.Nm isakmpd +before each query to the KeyNote system, and can be tested against in +the Conditions field of assertions. 
See +.Xr keynote 4 +and +.Xr keynote 5 +for more details on the format and semantics of the Conditions field. +.Pp +Note that assertions and credentials can make reference to +non-existant attributes without catastrophic failures (access may be +denied, depending on the overall structure, but will not be +accidentally granted). One reason for credentials referencing +non-existant attributes is that they were defined within a specific +implementation or network only. +.Pp +In the following attribute set, IPv4 addresses are encoded as ASCII +strings in the usual dotted-quad format. However, all quads are +three digits long. For example, the IPv4 address +.Va 10.128.1.12 +would be encoded as +.Va 010.128.001.012 . +Similarly, IPv6 addresses are encoded in the standard x:x:x:x:x:x:x:x +format, where the 'x's are the hexadecimal values of the eight 16-bit +pieces of the address. All 'x's are four digits long. For example, the +address +.Va 1080:0:12:0:8:800:200C:417A +would be encoded as +.Va 1080:0000:0012:0000:0008:0800:200C:417A . +.Pp +The following attributes are currently defined: +.Bl -tag -width -indent +.It app_domain +Always set to +.Va IPsec policy . +.It doi +Always set to +.Va ipsec . +.It pfs +Set to +.Va yes +if a Diffie-Hellman exchange will be performed during this Quick Mode, +.Va no +otherwise. +.It ah_present, esp_present, comp_present +Set to +.Va yes +if an AH, ESP, or compression proposal was received respectively, +.Va no +otherwise. +.It ah_hash_alg +One of +.Va md5 , +.Va sha , +or +.Va des , +based on the hash algorithm specified in the AH proposal. This +attribute describes the generic transform to be used in the AH +authentication. +.It esp_enc_alg +One of +.Va des , +.Va des-iv64 , +.Va 3des , +.Va rc4 , +.Va idea , +.Va cast , +.Va blowfish , +.Va 3idea , +.Va des-iv32 , +.Va rc4 , +or +.Va null , +based on the encryption algorithm specified in the ESP proposal. 
+.It comp_alg +One of +.Va oui , +.Va deflate , +.Va lzs , +or +.Va v42bis , +based on the compression algorithm specified in the compression +proposal. +.It ah_auth_alg +One of +.Va hmac-md5 , +.Va hmac-sha , +.Va des-mac , +or +.Va kpdk , +based on the authentication method specified in the AH proposal. +.It esp_auth_alg +One of +.Va hmac-md5 , +.Va hmac-sha , +.Va des-mac , +or +.Va kpdk , +based on the authentication method specified in the ESP proposal. +.It ah_life_seconds, esp_life_seconds, comp_life_seconds +Set to the lifetime of the AH, ESP, and compression proposal, in +seconds. If no lifetime was proposed for the corresponding protocol +(e.g., there was no proposal for AH), the corresponding attribute will +be set to zero. +.It ah_life_kbytes, esp_life_kbytes, comp_life_kbytes +Set to the lifetime of the AH, ESP, and compression proposal, in +kbytes of traffic. If no lifetime was proposed for the corresponding +protocol (e.g., there was no proposal for AH), the corresponding +attribute will be set to zero. +.It ah_encapsulation, esp_encapsulation, comp_encapsulation +Set to +.Va tunnel +or +.Va transport , +based on the AH, ESP, and compression proposal. +.It comp_dict_size +Specifies the log2 maximum size of the dictionary, according to the +compression proposal. +.It comp_private_alg +Set to an integer specifying the private algorithm in use, according +to the compression proposal. +.It ah_key_length, esp_key_length +The number of key bits to be used by the authentication and encryption +algorithms respectively (for variable key-size algorithms). +.It ah_key_rounds, esp_key length +The number of rounds of the authentication and encryption algorithms +respectively (for variable round algorithms). +.It ah_group_desc, esp_group_desc, comp_group_desc +The Diffie-Hellman group identifier from the AH, ESP, and compression +proposal, used for PFS during Quick Mode (see the pfs attribute +above). 
If more than one of these attributes are set to a value other +than zero, they should have the same value (in valid IKE proposals). +.It remote_filter_type, local_filter_type, remote_id_type +Set to +.Va IPv4 address , +.Va IPv4 range , +.Va IPv4 subnet , +.Va IPv6 address , +.Va IPv6 range , +.Va IPv6 subnet , +.Va FQDN , +.Va User FQDN , +.Va ASN1 DN , +.Va ASN1 GN , +or +.Va Key ID , +based on the Quick Mode Initiator ID, Quick Mode Responder ID, and +Main Mode peer ID respectively. +.It remote_filter_addr_upper, local_filter_addr_upper, remote_id_addr_upper +When the corresponding filter_type is +.Va IPv4 address +or +.Va IPv6 address , +these contain the respective address. For +.Va IPv4 range +or +.Va IPv6 range , +they contain the upper end of the address range. For +.Va IPv4 subnet +or +.Va IPv6 subnet , +they contain the highest address in the specified subnet. +.It remote_filter_addr_lower, local_filter_addr_lower, remote_id_addr_lower +When the corresponding filter_type is +.Va IPv4 address +or +.Va IPv6 address , +these contain the respective address. For +.Va IPv4 range +or +.Va IPv6 range , +these contain the lower end of the address range. For +.Va IPv4 subnet +or +.Va IPv6 subnet , +these contain the lowest address in the specified subnet. +.It remote_filter, local_filter, remote_id_filter +When the corresponding filter_type specifies an address (or range, or +subnet), theseares set to the upper and lower part of the address +space separated by a dash ('-') character (if the type specifies a +single address, both parts are set to the same address). For FQDN and +User FQDN types, these are set to the respective string. +.It remote_filter_port, local_filter_port, remote_id_port +Set to the transport protocol port. +.It remote_filter_proto, local_filter_proto, remote_id_proto +Set to +.Va tcp , +.Va udp , +or nothing, depending on the transport protocol set in the IDci, IDcr, +and Main Mode peer ID respectively. 
+.It remote_ike_address +Set to the IPv4 address of the remote IKE daemon. +.It local_ike_address +Set to the IPv4 address of the local interface used by the local IKE +daemon for this exchange. +.It GMTTimeOfDay +Set to the UTC date/time, in YYYYMMDDHHmmSS format. +.It LocalTimeOfDay +Set to the local date/time, in YYYYMMDDHHmmSS format. +.El +.Sh EXAMPLES +.Bd -literal + Authorizer: "POLICY" + Comment: This bare-bones assertion accepts everything + + Authorizer: "POLICY" + Licensees: "passphrase:mekmitasisgoat" + Comment: This policy accepts anyone using shared-secret + authentication using the password mekmitasisgoat, + and does ESP with some form of encryption (not null). + Conditions: app_domain == "IPsec policy" && + esp_present == "yes" && + esp_enc_alg != "null" -> "true"; + + Authorizer: "POLICY" + Licensees: "subpolicy1" || "subpolicy2" + Comment: Delegate to two other sub-policies, so we + can manage our policy better. Since these subpolicies + are not "owned" by a key (and are thus unsigned), they + have to be in isakmpd.policy. + Conditions: app_domain == "IPsec policy"; + + KeyNote-Version: 2 + Licensees: "passphrase:somepassword" + Conditions: esp_present == "yes" -> "true"; + Authorizer: "subpolicy1" + + Conditions: ah_present == "yes" -> + { + ah_auth_alg == "md5" -> "true"; + ah_auth_alg == "sha" && + esp_present == "no" -> "true"; + }; + Licensees: "passphrase:otherpassword" || "passphrase:thirdpassword" + Authorizer: "subpolicy2" + + keynote-version: 2 + comment: This is an example of a policy delegating to a key. 
+ authorizer: "POLICY" + licensees: "x509-base64:MIICGDCCAYGgAwIBAgIBADANBgkqhkiG9w0BAQQ\\ + FADBSMQswCQYDVQQGEwJHQjEOMAwGA1UEChMFQmVuQ28xETAPBg\\ + NVBAMTCEJlbkNvIENBMSAwHgYJKoZIhvcNAQkBFhFiZW5AYWxnc\\ + m91cC5jby51azAeFw05OTEwMTEyMjQ5MzhaFw05OTExMTAyMjQ5\\ + MzhaMFIxCzAJBgNVBAYTAkdCMQ4wDAYDVQQKEwVCZW5DbzERMA8\\ + GA1UEAxMIQmVuQ28gQ0ExIDAeBgkqhkiG9w0BCQEWEWJlbkBhbG\\ + dyb3VwLmNvLnVrMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBg\\ + QCxyAte2HEVouXg1Yu+vDihbnjDRn+6k00Rv6cZqbwA3BQ30mC/\\ + 3TFJ09VGXCaM0UKfpnxIpkBYLmOA3FWkKI0RvPU7E1AhKkhC1Ds\\ + PSBFjYHrB15T5lYzgfwKJCIxTDzZDx2iobUgPa0FRNGVUjpQ4/k\\ + MJ2BF4Wh7zY3X08rMzsQIDAQABMA0GCSqGSIb3DQEBBAUAA4GBA\\ + DWJ5pbTcE7iKHWLQTMYiz8i9jGi5+Eo1yr1Bab90tgaGQV0zrRH\\ + jDHgAAy1h8WSXuyQrXfgbx2rnWFPhx9CfmuAXn7sZmQE3mnUqeP\\ + ZL2dW87jdBGqtoUdNcoz5zKBkC943yasNui/O01MiqgadTThTJH\\ + d1Pn17LbJC1ZVRNjR5" + conditions: app_domain == "IPsec policy" && doi == "ipsec" && + pfs == "yes" && esp_present == "yes" && ah_present == "no" && + (esp_enc_alg == "3des" || esp_enc_alg == "idea") -> "true"; + + keynote-version: 2 + comment: This is an example of a credential, the signature does + not really verify (although the keys are real). 
+ licensees: "x509-base64:MIICGDCCAYGgAwIBAgIBADANBgkqhkiG9w0BAQQ\\ + FADBSMQswCQYDVQQGEwJHQjEOMAwGA1UEChMFQmVuQ28xETAPBg\\ + NVBAMTCEJlbkNvIENBMSAwHgYJKoZIhvcNAQkBFhFiZW5AYWxnc\\ + m91cC5jby51azAeFw05OTEwMTEyMzA2MjJaFw05OTExMTAyMzA2\\ + MjJaMFIxCzAJBgNVBAYTAkdCMQ4wDAYDVQQKEwVCZW5DbzERMA8\\ + GA1UEAxMIQmVuQ28gQ0ExIDAeBgkqhkiG9w0BCQEWEWJlbkBhbG\\ + dyb3VwLmNvLnVrMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBg\\ + QDaCs+JAB6YRKAVkoi1NkOpE1V3syApjBj0Ahjq5HqYAACo1JhM\\ + +QsPwuSWCNhBT51HX6G6UzfY3mOUz/vou6MJ/wor8EdeTX4nucx\\ + NSz/r6XI262aXezAp+GdBviuJZx3Q67ON/IWYrB4QtvihI4bMn5\\ + E55nF6TKtUMJTdATvs/wIDAQABMA0GCSqGSIb3DQEBBAUAA4GBA\\ + MaQOSkaiR8id0h6Zo0VSB4HpBnjpWqz1jNG8N4RPN0W8muRA2b9\\ + 85GNP1bkC3fK1ZPpFTB0A76lLn11CfhAf/gV1iz3ELlUHo5J8nx\\ + Pu6XfsGJm3HsXJOuvOog8Aean4ODo4KInuAsnbLzpGl0d+Jqa5u\\ + TZUxsyg4QOBwYEU92H" + authorizer: "x509-base64:MIICGDCCAYGgAwIBAgIBADANBgkqhkiG9w0BAQQ\\ + FADBSMQswCQYDVQQGEwJHQjEOMAwGA1UEChMFQmVuQ28xETAPBg\\ + NVBAMTCEJlbkNvIENBMSAwHgYJKoZIhvcNAQkBFhFiZW5AYWxnc\\ + m91cC5jby51azAeFw05OTEwMTEyMjQ5MzhaFw05OTExMTAyMjQ5\\ + MzhaMFIxCzAJBgNVBAYTAkdCMQ4wDAYDVQQKEwVCZW5DbzERMA8\\ + GA1UEAxMIQmVuQ28gQ0ExIDAeBgkqhkiG9w0BCQEWEWJlbkBhbG\\ + dyb3VwLmNvLnVrMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBg\\ + QCxyAte2HEVouXg1Yu+vDihbnjDRn+6k00Rv6cZqbwA3BQ30mC/\\ + 3TFJ09VGXCaM0UKfpnxIpkBYLmOA3FWkKI0RvPU7E1AhKkhC1Ds\\ + PSBFjYHrB15T5lYzgfwKJCIxTDzZDx2iobUgPa0FRNGVUjpQ4/k\\ + MJ2BF4Wh7zY3X08rMzsQIDAQABMA0GCSqGSIb3DQEBBAUAA4GBA\\ + DWJ5pbTcE7iKHWLQTMYiz8i9jGi5+Eo1yr1Bab90tgaGQV0zrRH\\ + jDHgAAy1h8WSXuyQrXfgbx2rnWFPhx9CfmuAXn7sZmQE3mnUqeP\\ + ZL2dW87jdBGqtoUdNcoz5zKBkC943yasNui/O01MiqgadTThTJH\\ + d1Pn17LbJC1ZVRNjR5" +conditions: app_domain == "IPsec policy" && doi == "ipsec" && + pfs == "yes" && esp_present == "yes" && ah_present == "no" && + (esp_enc_alg == "3des" || esp_enc_alg == "idea") -> "true"; +Signature: "sig-x509-sha1-base64:ql+vrUxv14DcBOQHR2jsbXayq6T\\ + mmtMiUB745a8rjwSrQwh+KIVDlUrghPnqhSIkWSDi9oWWMbfg\\ + mkdudZ0wjgeTLMI2NI4GibMMsToakOKMex/0q4cpdpln3DKcQ\\ + 
IcjzRv4khDws69FT3QfELjcpShvbLrXmh1Z00OFmxjyqDw=" + +.Ed +.Sh SEE ALSO +.Xr ipsec 4 , +.Xr keynote 4 , +.Xr keynote 5 , +.Xr isakmpd 8 +.Sh BUGS +remote_filter, local_filter, and remote_id are only set for IPv4 +addresses (single, range, or subnet), FQDN, and User FQDN. + +The \*_addr_upper and \*_addr_lower attributes are not currently set +for IPv6 addresses (single, range, or subnet). + +No KeyNote credentials can be exchanged during an IKE negotiation yet. + +GMTTimeOfDay, LocalTimeOfDay, and pfs attributes are not supported in +OpenBSD 2.6 |
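Review bot: the MAN= line in the Makefile hunk lists isakmp.policy.5, but the file this commit adds is sbin/isakmpd/isakmpd.policy.5 (and its .Dt line names isakmpd.policy), so the manual page will not be found at install time; the line should read "MAN= isakmpd.8 isakmpd.conf.5 isakmpd.policy.5".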
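Review bot: in the isakmpd.policy.5 hunk, the attribute reference has two entries a policy author cannot use as written: ".It ah_key_rounds, esp_key length" drops the underscore (it should read esp_key_rounds, matching the ah_key_length, esp_key_length entry just above it), and the esp_enc_alg value list names ".Va rc4" twice where every other list names each value once. Two consistency points in the same hunk: the DESCRIPTION says credentials "can be exchanged during an IKE exchange", while BUGS states that no KeyNote credentials can be exchanged during an IKE negotiation yet, so the DESCRIPTION sentence should carry the same caveat; and ".Xr isakmpd 1" in DESCRIPTION disagrees with ".Xr isakmpd 8" in SEE ALSO and with the isakmpd.8 entry in the Makefile. Smaller points: ".Dd October 10, 1998" predates the $Id$ date 1999/10/16 on the same page; in BUGS, "\*_addr_upper" and "\*_addr_lower" will be interpreted by roff as an interpolation of a string named "_", so the wildcard should be written as a literal asterisk (e.g. "\(**_addr_upper"); BUGS refers to "remote_id" where the attribute defined above is remote_id_filter; copyright clause 3 credits Ericsson Radio Systems in a file whose copyright line names the author; and the spellings "existance", "non-existant", "theseares" and the phrase "the two IKE daemon create" need correcting.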