authorNiklas Hallqvist <niklas@cvs.openbsd.org>1998-12-21 01:02:36 +0000
committerNiklas Hallqvist <niklas@cvs.openbsd.org>1998-12-21 01:02:36 +0000
commit0368e31221f66d22f0612fca6754934ebcf3ee14 (patch)
tree671d0efb5cb97395e2f2042ee3547f8143734f10 /sbin/isakmpd/isakmpd.conf.5
parent335a494f8e3c20ed5a4514d5ea7c3df4aaaa3518 (diff)
Last month's worth of work on isakmpd, lots done
Diffstat (limited to 'sbin/isakmpd/isakmpd.conf.5')
-rw-r--r--sbin/isakmpd/isakmpd.conf.5396
1 files changed, 352 insertions, 44 deletions
diff --git a/sbin/isakmpd/isakmpd.conf.5 b/sbin/isakmpd/isakmpd.conf.5
index 0b02d3e5e8b..c53c9b3efa2 100644
--- a/sbin/isakmpd/isakmpd.conf.5
+++ b/sbin/isakmpd/isakmpd.conf.5
@@ -1,5 +1,5 @@
-.\" $OpenBSD: isakmpd.conf.5,v 1.5 1998/11/28 19:56:32 aaron Exp $
-.\" $EOM: isakmpd.conf.5,v 1.5 1998/11/20 23:45:05 niklas Exp $
+.\" $OpenBSD: isakmpd.conf.5,v 1.6 1998/12/21 01:02:25 niklas Exp $
+.\" $EOM: isakmpd.conf.5,v 1.9 1998/12/21 00:30:02 niklas Exp $
.\"
.\" Copyright (c) 1998 Niklas Hallqvist. All rights reserved.
.\"
@@ -73,99 +73,408 @@ An example of a configuration file:
# A configuration sample for the isakmpd ISAKMP/Oakley (aka IKE) daemon.
[General]
-Retransmits= 5
+Retransmits= 3
+Exchange-max-time= 120
-[Main mode]
-Offered-transforms= BLF-SHA-M1024,DES-MD5
-#Accepted-transforms= BLF-SHA-M1024,BLF-SHA-EC185,BLF-SHA-EC155,DES-MD5
-Accepted-transforms= BLF-SHA-EC185,BLF-SHA-EC155,DES-MD5
+# XXX This double mapping seems rather stupid, but...
+[Phase 1]
+10.1.0.1= ISAKMP-peer-1
+10.1.0.2= ISAKMP-peer-2
+Default= Default-ISAKMP-peer
+
+[ISAKMP-peer-1]
+Phase= 1
+Transport= udp
+# XXX Not yet implemented
+#Local-address= 10.1.0.2
+Address= 10.1.0.1
+# Default values for "Port" commented out
+#Port= isakmp
+#Port= 500
+Configuration= Default-incoming-main-mode
+Authentication= mekmitasdigoat
+
+[Very-strong-test]
+Phase= 1
+Transport= udp
+Address= 10.1.0.1
+Configuration= Very-strong-main-mode
+Authentication= mekmitasdigoat
+
+[Strong-test]
+Phase= 1
+Transport= udp
+Address= 10.1.0.1
+Configuration= Strong-main-mode
+Authentication= mekmitasdigoat
+
+[Default-test]
+Phase= 1
+Transport= udp
+Address= 10.1.0.1
+Configuration= Default-main-mode
+Authentication= mekmitasdigoat
+
+[Weak-test]
+Phase= 1
+Transport= udp
+Address= 10.1.0.1
+Configuration= Weak-main-mode
+Authentication= mekmitasdigoat
+
+[ISAKMP-peer-2]
+Phase= 1
+Transport= udp
+# XXX Not yet implemented
+#Local-address= 10.1.0.1
+Address= 10.1.0.2
+# Default values for "Port" commented out
+#Port= isakmp
+#Port= 500
+Configuration= Default-incoming-main-mode
+Authentication= mekmitasdigoat
+
+[ISAKMP-orust.di.eom.crt.se]
+Phase= 1
+Transport= udp
+# XXX Not yet implemented
+#Local-address= 194.198.196.150
+Address= 193.12.107.84
+# Default values for "Port" commented out
+#Port= isakmp
+#Port= 500
+Configuration= Strong-main-mode
+Authentication= mekmitasdigoat
+
+[Default-ISAKMP-peer]
+Phase= 1
+# XXX Not yet implemented
+#Local-address= 10.1.0.2
+Configuration= Default-incoming-main-mode
+Authentication= mekmitasdigoat
+
+[IPsec-2-1]
+Phase= 2
+ISAKMP-peer= ISAKMP-peer-1
+Configuration= Default-quick-mode
+Local-ID= Net-2
+Remote-ID= Net-1
+
+[IPsec-1-2]
+Phase= 2
+ISAKMP-peer= ISAKMP-peer-2
+Configuration= Default-quick-mode
+Local-ID= Net-1
+Remote-ID= Net-2
+
+[IPsec-moby-1]
+Phase= 2
+ISAKMP-peer= ISAKMP-peer-1
+Configuration= Default-quick-mode
+Local-ID= moby.appli.se
+Remote-ID= Net-1
+
+[IPsec-moby-2]
+Phase= 2
+ISAKMP-peer= ISAKMP-orust.di.eom.crt.se
+Configuration= Default-quick-mode
+Local-ID= moby.appli.se
+Remote-ID= Net-2
+
+[Net-1]
+ID-type= IPV4_ADDR_SUBNET
+Network= 192.168.1.0
+Netmask= 255.255.255.0
+
+[Net-2]
+ID-type= IPV4_ADDR_SUBNET
+Network= 192.168.2.0
+Netmask= 255.255.255.0
+
+[moby.appli.se]
+ID-type= IPV4_ADDR
+Address= 194.198.196.216
+
+# Main mode descriptions
+
+[Default-incoming-main-mode]
+DOI= IPSEC
+EXCHANGE_TYPE= ID_PROT
+Transforms= BLF-SHA-EC185,BLF-MD5-EC155,3DES-SHA,DES-MD5
+
+[Very-strong-main-mode]
+DOI= IPSEC
+EXCHANGE_TYPE= ID_PROT
+Transforms= BLF-SHA-EC185
+
+[Strong-main-mode]
+DOI= IPSEC
+EXCHANGE_TYPE= ID_PROT
+Transforms= BLF-MD5-EC155
+
+[Default-main-mode]
+DOI= IPSEC
+EXCHANGE_TYPE= ID_PROT
+Transforms= 3DES-SHA
+
+[Weak-main-mode]
+DOI= IPSEC
+EXCHANGE_TYPE= ID_PROT
+Transforms= DES-MD5
+
+# Main mode transforms
+######################
+
+# DES
[DES-MD5]
ENCRYPTION_ALGORITHM= DES_CBC
HASH_ALGORITHM= MD5
AUTHENTICATION_METHOD= PRE_SHARED
GROUP_DESCRIPTION= MODP_768
+Life= LIFE_600_SECS,LIFE_1000_KB
+
+[DES-MD5-NO-VOL-LIFE]
+ENCRYPTION_ALGORITHM= DES_CBC
+HASH_ALGORITHM= MD5
+AUTHENTICATION_METHOD= PRE_SHARED
+GROUP_DESCRIPTION= MODP_768
Life= LIFE_600_SECS
+[DES-SHA]
+ENCRYPTION_ALGORITHM= DES_CBC
+HASH_ALGORITHM= SHA
+AUTHENTICATION_METHOD= PRE_SHARED
+GROUP_DESCRIPTION= MODP_768
+Life= LIFE_600_SECS,LIFE_1000_KB
+
+# 3DES
+
+[3DES-SHA]
+ENCRYPTION_ALGORITHM= 3DES_CBC
+HASH_ALGORITHM= SHA
+AUTHENTICATION_METHOD= PRE_SHARED
+GROUP_DESCRIPTION= MODP_1024
+Life= LIFE_600_SECS,LIFE_1000_KB
+
+# Blowfish
+
[BLF-SHA-M1024]
ENCRYPTION_ALGORITHM= BLOWFISH_CBC
-KEY_LENGTH= 128,64:196
+KEY_LENGTH= 128,96:192
HASH_ALGORITHM= SHA
AUTHENTICATION_METHOD= PRE_SHARED
GROUP_DESCRIPTION= MODP_1024
-Life= LIFE_600_SECS
+Life= LIFE_600_SECS,LIFE_1000_KB
[BLF-SHA-EC155]
ENCRYPTION_ALGORITHM= BLOWFISH_CBC
-KEY_LENGTH= 128,64:196
+KEY_LENGTH= 128,96:192
HASH_ALGORITHM= SHA
AUTHENTICATION_METHOD= PRE_SHARED
GROUP_DESCRIPTION= EC2N_155
-Life= LIFE_600_SECS
+Life= LIFE_600_SECS,LIFE_1000_KB
+
+[BLF-MD5-EC155]
+ENCRYPTION_ALGORITHM= BLOWFISH_CBC
+KEY_LENGTH= 128,96:192
+HASH_ALGORITHM= MD5
+AUTHENTICATION_METHOD= PRE_SHARED
+GROUP_DESCRIPTION= EC2N_155
+Life= LIFE_600_SECS,LIFE_1000_KB
[BLF-SHA-EC185]
ENCRYPTION_ALGORITHM= BLOWFISH_CBC
-KEY_LENGTH= 128,64:196
+KEY_LENGTH= 128,96:192
HASH_ALGORITHM= SHA
AUTHENTICATION_METHOD= PRE_SHARED
GROUP_DESCRIPTION= EC2N_185
-Life= LIFE_600_SECS
+Life= LIFE_600_SECS,LIFE_1000_KB
+
+# Quick mode description
+########################
+
+[Default-quick-mode]
+DOI= IPSEC
+EXCHANGE_TYPE= QUICK_MODE
+Suites= QM-ESP-3DES-SHA-PFS-SUITE,QM-ESP-DES-MD5-SUITE
-[Quick mode]
-#Offered-suites= QM-ESP-DES-SUITE,\
-# QM-ESP-DES-MD5-SUITE,QM-AH-MD5-ESP-DES-SUITE
-Offered-suites= QM-ESP-DES-SUITE
-# XXX Not yet supported.
-#Accepted-suites= QM-ESP-DES-MD5-SUITE,QM-AH-MD5-ESP-DES-SUITE
+# Quick mode protection suites
+##############################
+
+# DES
[QM-ESP-DES-SUITE]
Protocols= QM-ESP-DES
+[QM-ESP-DES-PFS-SUITE]
+Protocols= QM-ESP-DES-PFS
+
[QM-ESP-DES-MD5-SUITE]
Protocols= QM-ESP-DES-MD5
+[QM-ESP-DES-MD5-PFS-SUITE]
+Protocols= QM-ESP-DES-MD5-PFS
+
+[QM-ESP-DES-SHA-SUITE]
+Protocols= QM-ESP-DES-SHA
+
+[QM-ESP-DES-SHA-PFS-SUITE]
+Protocols= QM-ESP-DES-SHA-PFS
+
+# 3DES
+
+[QM-ESP-3DES-SHA-SUITE]
+Protocols= QM-ESP-3DES-SHA
+
+[QM-ESP-3DES-SHA-PFS-SUITE]
+Protocols= QM-ESP-3DES-SHA-PFS
+
+# AH
+
+[QM-AH-MD5-SUITE]
+Protocols= QM-AH-MD5
+
+[QM-AH-MD5-PFS-SUITE]
+Protocols= QM-AH-MD5-PFS
+
+# AH + ESP
+
+[QM-AH-MD5-ESP-DES-SUITE]
+Protocols= QM-AH-MD5,QM-ESP-DES
+
+[QM-AH-MD5-ESP-DES-MD5-SUITE]
+Protocols= QM-AH-MD5,QM-ESP-DES-MD5
+
+[QM-ESP-DES-MD5-AH-MD5-SUITE]
+Protocols= QM-ESP-DES-MD5,QM-AH-MD5
+
+# Quick mode protocols
+
+# DES
+
+[QM-ESP-DES]
+PROTOCOL_ID= IPSEC_ESP
+Transforms= QM-ESP-DES-XF
+
[QM-ESP-DES-MD5]
PROTOCOL_ID= IPSEC_ESP
Transforms= QM-ESP-DES-MD5-XF
+[QM-ESP-DES-MD5-PFS]
+PROTOCOL_ID= IPSEC_ESP
+Transforms= QM-ESP-DES-MD5-PFS-XF
+
+[QM-ESP-DES-SHA]
+PROTOCOL_ID= IPSEC_ESP
+Transforms= QM-ESP-DES-SHA-XF
+
+# 3DES
+
+[QM-ESP-3DES-SHA]
+PROTOCOL_ID= IPSEC_ESP
+Transforms= QM-ESP-3DES-SHA-XF
+
+[QM-ESP-3DES-SHA-PFS]
+PROTOCOL_ID= IPSEC_ESP
+Transforms= QM-ESP-3DES-SHA-PFS-XF
+
+[QM-ESP-3DES-SHA-TRP]
+PROTOCOL_ID= IPSEC_ESP
+Transforms= QM-ESP-3DES-SHA-TRP-XF
+
+# AH MD5
+
+[QM-AH-MD5]
+PROTOCOL_ID= IPSEC_AH
+Transforms= QM-AH-MD5-XF
+
+[QM-AH-MD5-PFS]
+PROTOCOL_ID= IPSEC_AH
+Transforms= QM-AH-MD5-PFS-XF
+
+# Quick mode transforms
+
+# ESP DES+MD5
+
+[QM-ESP-DES-XF]
+TRANSFORM_ID= DES
+ENCAPSULATION_MODE= TUNNEL
+Life= LIFE_600_SECS
+
[QM-ESP-DES-MD5-XF]
TRANSFORM_ID= DES
ENCAPSULATION_MODE= TUNNEL
AUTHENTICATION_ALGORITHM= HMAC_MD5
-Life= LIFE_600_SECS,LIFE_32_MB
+Life= LIFE_600_SECS
-[LIFE_600_SECS]
-SA_LIFE_TYPE= SECONDS
-SA_LIFE_DURATION= 600
+[QM-ESP-DES-MD5-PFS-XF]
+TRANSFORM_ID= DES
+ENCAPSULATION_MODE= TUNNEL
+GROUP_DESCRIPTION= MODP_768
+AUTHENTICATION_ALGORITHM= HMAC_MD5
+Life= LIFE_600_SECS
-[LIFE_32_MB]
-SA_LIFE_TYPE= KILOBYTES
-SA_LIFE_DURATION= 32768
+[QM-ESP-DES-SHA-XF]
+TRANSFORM_ID= DES
+ENCAPSULATION_MODE= TUNNEL
+AUTHENTICATION_ALGORITHM= HMAC_SHA
+Life= LIFE_600_SECS
-[QM-AH-MD5-ESP-DES-SUITE]
-Protocols= QM-AH-MD5,QM-ESP-DES
+# 3DES
-[QM-AH-MD5]
-PROTOCOL_ID= IPSEC_AH
-Transforms= QM-AH-MD5-XF
+[QM-ESP-3DES-SHA-XF]
+TRANSFORM_ID= 3DES
+ENCAPSULATION_MODE= TUNNEL
+AUTHENTICATION_ALGORITHM= HMAC_SHA
+Life= LIFE_600_SECS
+
+[QM-ESP-3DES-SHA-PFS-XF]
+TRANSFORM_ID= 3DES
+ENCAPSULATION_MODE= TUNNEL
+AUTHENTICATION_ALGORITHM= HMAC_SHA
+GROUP_DESCRIPTION= MODP_1024
+Life= LIFE_600_SECS
+
+[QM-ESP-3DES-SHA-TRP-XF]
+TRANSFORM_ID= 3DES
+ENCAPSULATION_MODE= TRANSPORT
+AUTHENTICATION_ALGORITHM= HMAC_SHA
+Life= LIFE_600_SECS
+
+# AH
[QM-AH-MD5-XF]
TRANSFORM_ID= MD5
ENCAPSULATION_MODE= TUNNEL
+AUTHENTICATION_ALGORITHM= HMAC_MD5
+Life= LIFE_600_SECS
-[QM-ESP-DES]
-PROTOCOL_ID= IPSEC_ESP
-Transforms= QM-ESP-DES-XF
-
-[QM-ESP-DES-XF]
-TRANSFORM_ID= DES
+[QM-AH-MD5-PFS-XF]
+TRANSFORM_ID= MD5
ENCAPSULATION_MODE= TUNNEL
-Life= LIFE_600_SECS,LIFE_32_MB
+GROUP_DESCRIPTION= MODP_768
+Life= LIFE_600_SECS
+
+[LIFE_600_SECS]
+LIFE_TYPE= SECONDS
+LIFE_DURATION= 600,450:720
+
+[LIFE_3600_SECS]
+LIFE_TYPE= SECONDS
+LIFE_DURATION= 3600,1800:7200
-[PRE_SHARED]
-127.0.0.1= my_key_to_myself
-# A general pre-shared key used for everyone.
-Default= mekmitasdigoat
+[LIFE_1000_KB]
+LIFE_TYPE= KILOBYTES
+LIFE_DURATION= 1000,768:1536
+
+[LIFE_32_MB]
+LIFE_TYPE= KILOBYTES
+LIFE_DURATION= 32768,16384:65536
+
+[LIFE_4.5_GB]
+LIFE_TYPE= KILOBYTES
+LIFE_DURATION= 4608000,4096000:8192000
[RSA_SIG]
CERT= /etc/isakmpd_cert
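Review bot: Every Phase 1 peer section in the new example, including `[Default-ISAKMP-peer]` which `Default=` under `[Phase 1]` appears to select for addresses not listed there, carries the same literal `Authentication= mekmitasdigoat`, and nothing in the sample marks it as a placeholder. Since this man page example is what an administrator will copy, a deployment that keeps it would let any initiator knowing the published key complete main mode against the default entry. I would add above the first `Authentication=` line `# Example key only: replace with a long, random, per-peer secret before this file is used`, and comment `[Default-incoming-main-mode]` to say that its `DES-MD5` entry (single DES, MD5, MODP_768) is the weakest transform a remote peer can choose and presumably belongs only in `[Weak-main-mode]` for interoperability tests. The `[RSA_SIG]` section at the end of this hunk continues past it.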
@@ -174,5 +483,4 @@ PUBKEY= /etc/isakmpd_key.pub
.Ed
.Pp
.Sh SEE ALSO
-.Xr isakmpd 8
-
+.Xr isakmpd 8 .