author | Hakan Olsson <ho@cvs.openbsd.org> | 2002-03-01 15:25:18 +0000 |
---|---|---|
committer | Hakan Olsson <ho@cvs.openbsd.org> | 2002-03-01 15:25:18 +0000 |
commit | adefe4994f6b1a914c194242a429593aa1c7e4d3 (patch) | |
tree | b9c968f96c49274c398f238d299100962b2fcd51 | |
parent | 82616195878703555f94ce6b14f0a64f4c933741 (diff) |
Update to reflect recent changes in DH group handling. Remove BUGS
section.
-rw-r--r-- | sbin/isakmpd/isakmpd.conf.5 | 53 |
1 files changed, 23 insertions, 30 deletions
diff --git a/sbin/isakmpd/isakmpd.conf.5 b/sbin/isakmpd/isakmpd.conf.5 index 67b7b69151c..12f4730b126 100644 --- a/sbin/isakmpd/isakmpd.conf.5 +++ b/sbin/isakmpd/isakmpd.conf.5 @@ -1,4 +1,4 @@ -.\" $OpenBSD: isakmpd.conf.5,v 1.62 2001/12/21 11:41:50 mpech Exp $ +.\" $OpenBSD: isakmpd.conf.5,v 1.63 2002/03/01 15:25:17 ho Exp $ .\" $EOM: isakmpd.conf.5,v 1.57 2000/12/21 14:43:17 ho Exp $ .\" .\" Copyright (c) 1998, 1999, 2000 Niklas Hallqvist. All rights reserved. @@ -88,12 +88,19 @@ and transforms. .Pp For Main Mode: .Bd -filled -compact -.Ar {DES,BLF,3DES,CAST}-{MD5,SHA}[-{DSS,RSA_SIG}] +.Ar {DES,BLF,3DES,CAST}-{MD5,SHA}[-GRP{1,2,5}][-{DSS,RSA_SIG}] .Ed .Pp For Quick Mode: .Bd -filled -compact -.Ar QM-{ESP,AH}[-TRP]-{DES,3DES,CAST,BLF,AES}[-{MD5,SHA,RIPEMD}][-PFS]-SUITE +.Ar QM-{proto}[-TRP]-{cipher}[-{hash}][-PFS[-{group}]]-SUITE +.Ed +.Bd -literal + where + {proto} is either ESP or AH + {cipher} is either DES, 3DES, CAST, BLF or AES + {hash} is either MD5, SHA or RIPEMD + {group} is either GRP1, GRP2 or GRP5 .Ed .Pp Example 1: 3DES-SHA means; 3DES encryption, SHA hash, and authorization by 
@@ -101,25 +108,16 @@ pre-shared keys. Example 2: QM-ESP-3DES-SHA-PFS-SUITE means; ESP protocol, 3DES encryption, SHA hash, and use Perfect Forward Security. .Pp -There are two predefined lifetimes used. -The Main Mode lifetime, named LIFE_MAIN_MODE, currently -defaults to one hour (minimum 60 seconds, maximum 1 day). -The Quick Mode lifetime, LIFE_QUICK_MODE, -defaults to 20 minutes (minimum 60 seconds, maximum 1 day). .Pp -In addition, the predefinitions include some default values for the special -sections "General", and "X509-certificates". -These values are presented in the example below. +Unless explicitly stated with -GRP1, 2 or 5, transforms and PFS suites +use DH group 2. There are currently no predefined ESP+AH Quick Mode suites. .Pp -Note that using the predefined section names imply some minor limitations. -There are currently no predefined ESP+AH Quick Mode suites, and the -Diffie-Hellman group description for Main Mode (and Quick Mode with PFS) is -set to DH group 1 (MODP_768) when using MD5 hash, and DH group 2 (MODP_1024) -when using SHA hash. +The predefinitions include some default values for the special +sections "General", and "X509-certificates". These default values are +presented in the example below. .Pp All autogenerated values can be overridden by manual entries by using the -same section and tag names in the configuration file. -.Pp +same section and tag names in the configuration file. In particular, the default phase 1 (Main or Aggressive Mode) and phase 2 (Quick Mode) lifetimes can be overridden by these tags under the "General" section; @@ -129,6 +127,10 @@ section; Default-phase-1-lifetime= 3600,60:86400 Default-phase-2-lifetime= 1200,60:86400 .Ed +.Pp +The Main Mode lifetime currently defaults to one hour (minimum 60 +seconds, maximum 1 day). The Quick Mode lifetime defaults to 20 +minutes (minimum 60 seconds, maximum 1 day). .\"XXX Following empty .Ss works around a nroff bug, we want the new line." .Ss .Pp 
@@ -708,7 +710,7 @@ Private-key= /etc/isakmpd/private/local.key ENCRYPTION_ALGORITHM= DES_CBC HASH_ALGORITHM= MD5 AUTHENTICATION_METHOD= PRE_SHARED -GROUP_DESCRIPTION= MODP_768 +GROUP_DESCRIPTION= MODP_1024 Life= Default-phase-1-lifetime [DES-SHA] @@ -880,7 +882,7 @@ Life= Default-phase-2-lifetime [QM-ESP-DES-MD5-PFS-XF] TRANSFORM_ID= DES ENCAPSULATION_MODE= TUNNEL -GROUP_DESCRIPTION= MODP_768 +GROUP_DESCRIPTION= MODP_1024 AUTHENTICATION_ALGORITHM= HMAC_MD5 Life= Default-phase-2-lifetime @@ -943,7 +945,7 @@ Life= Default-phase-2-lifetime [QM-AH-MD5-PFS-XF] TRANSFORM_ID= MD5 ENCAPSULATION_MODE= TUNNEL -GROUP_DESCRIPTION= MODP_768 +GROUP_DESCRIPTION= MODP_1024 Life= Default-phase-2-lifetime [Sample-Life-Time] @@ -971,12 +973,3 @@ configuration files. .Xr keynote 4 , .Xr isakmpd.policy 5 , .Xr isakmpd 8 -.Sh BUGS -The RFCs does not permit differing DH groups in the same proposal for -aggressive and quick mode exchanges. -As the predefined suites currently uses DH group 1 for MD5 suites and -DH group 2 for SHA suites, combining a MD5 and a SHA suite in a proposal -will cause the exchange to fail. -.Pp -The current recommended workaround is to either use MD5- or SHA-only -suites, or to specify the suites manually. |
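Review bot: in the hunk at @@ -88,12 +88,19 @@, the unchanged context line for Example 2 still reads "use Perfect Forward Security"; the property is Perfect Forward Secrecy (PFS), so it is worth correcting while this paragraph is being edited. The new `.Bd -literal` "where" legend explains {proto}, {cipher}, {hash} and {group} but not the optional -TRP and -SUITE tokens that appear in the same pattern; a line for each (or a pointer to where they are described) would keep the legend complete. Example 2 (QM-ESP-3DES-SHA-PFS-SUITE) now implicitly uses GRP2 for PFS, and saying so in the example would help, since the default is only stated in a later paragraph.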
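Review bot: in the hunk at @@ -101,25 +108,16 @@, deleting the "There are two predefined lifetimes used" and "In addition, the predefinitions include" paragraphs leaves two consecutive `.Pp` macros immediately before the new "Unless explicitly stated with -GRP1, 2 or 5" sentence; drop one so the rendered page does not get a doubled paragraph break (mandoc warns about Pp after Pp). "-GRP1, 2 or 5" also reads ambiguously; spelling it out as "-GRP1, -GRP2 or -GRP5" matches the syntax given above. Finally, the `.Pp` between "same section and tag names in the configuration file." and "In particular, the default phase 1 ..." is removed, merging two paragraphs; if that is intended, fine, otherwise keep the break.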
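Review bot: in the hunk at @@ -129,6 +127,10 @@, the new sentence says "The Main Mode lifetime" although the paragraph just above introduces the tag as the default phase 1 (Main or Aggressive Mode) lifetime; "The phase 1 lifetime" would match the Default-phase-1-lifetime tag it describes. The values do agree with the example: 3600,60:86400 is one hour with a 60 second minimum and a 1 day maximum, and 1200,60:86400 is 20 minutes with the same bounds.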
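Review bot: in the hunk at @@ -708,7 +710,7 @@, changing the sample phase 1 MD5 transform from MODP_768 to MODP_1024 is consistent with the new statement that transforms default to DH group 2, and the same change in the two Quick Mode PFS transforms further down means the MD5 and SHA samples now agree. Since MODP_768 (group 1) remains selectable through the new -GRP1 suffix, consider adding one sample transform with -GRP1 or -GRP5 so readers can see how the suffix maps to a GROUP_DESCRIPTION value.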
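Review bot: in the hunk at @@ -971,12 +973,3 @@, removing the BUGS section is justified now that MD5 and SHA suites share DH group 2, but the constraint it described (the RFCs do not permit differing DH groups within one proposal) still applies when a user combines, say, a -GRP1 suite with a -GRP2 suite in one proposal using the new suffix syntax. Consider keeping a one-sentence caveat next to the -GRP description so that failure mode stays documented instead of dropping the whole section.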