diff options
author | Hakan Olsson <ho@cvs.openbsd.org> | 2003-01-09 13:12:43 +0000 |
---|---|---|
committer | Hakan Olsson <ho@cvs.openbsd.org> | 2003-01-09 13:12:43 +0000 |
commit | 9b1f2d47d30d06332a345726f034ff6344c6b43c (patch) | |
tree | 9ca2823645ffdcdefdb67bbdf292660c144b15e8 /sbin/isakmpd | |
parent | 9f1a0fb32b50d9626651d71e3a63c117dcc0fb4f (diff) |
Document the various "default" settings. Some style and alphabetical
reordering.
Diffstat (limited to 'sbin/isakmpd')
-rw-r--r-- | sbin/isakmpd/isakmpd.conf.5 | 82 |
1 files changed, 44 insertions, 38 deletions
diff --git a/sbin/isakmpd/isakmpd.conf.5 b/sbin/isakmpd/isakmpd.conf.5 index 7a6ec9561b7..7641481cefe 100644 --- a/sbin/isakmpd/isakmpd.conf.5 +++ b/sbin/isakmpd/isakmpd.conf.5 @@ -1,4 +1,4 @@ -.\" $OpenBSD: isakmpd.conf.5,v 1.70 2002/11/27 14:36:20 ho Exp $ +.\" $OpenBSD: isakmpd.conf.5,v 1.71 2003/01/09 13:12:42 ho Exp $ .\" $EOM: isakmpd.conf.5,v 1.57 2000/12/21 14:43:17 ho Exp $ .\" .\" Copyright (c) 1998, 1999, 2000 Niklas Hallqvist. All rights reserved. @@ -114,7 +114,7 @@ use DH group 2. There are currently no predefined ESP+AH Quick Mode suites. .Pp The predefinitions include some default values for the special sections "General", "Keynote", "X509-certificates", and -"Default-Phase-1-Configuration". +"Default-phase-1-configuration". These default values are presented in the example below. .Pp All autogenerated values can be overridden by manual entries by using the @@ -135,7 +135,7 @@ minutes (minimum 60 seconds, maximum 1 day). .\"XXX Following empty .Ss works around a nroff bug, we want the new line." .Ss .Pp -Also, the default Phase 1 ID can be set by creating a <Phase1-ID> +Also, the default phase 1 ID can be set by creating a <Phase1-ID> section, as shown below, and adding this tag under the "General" section; .Pp @@ -155,38 +155,34 @@ Name= foo@bar.com .It Em General Generic global configuration parameters .Bl -tag -width 12n -.It Em Policy-file -The name of the file that contains -.Xr KeyNote 4 -policies. -The default is "/etc/isakmpd/isakmpd.policy". -.It Em Default-Phase-2-Suites -A list of Phase 2 suites that will be used when establishing dynamic +.It Em Default-phase-1-ID +Optional default phase 1 ID name. +.It Em Default-phase-1-lifetime +The default lifetime for autogenerated transforms (phase 1). +If unspecified, the value 3600,60:86400 is used as the default. +.It Em Default-phase-2-lifetime +The default lifetime for autogenerated suites (phase 2). +If unspecified, the value 1200,60:86400 is used as the default. +.It Em Default-phase-2-suites +A list of phase 2 suites that will be used when establishing dynamic SAs. If left unspecified, QM-ESP-3DES-SHA-PFS-SUITE is used as the default. -.It Em Retransmits -How many times should a message be retransmitted before giving up. .It Em Check-interval The interval between watchdog checks of connections we want up at all times. .It Em Exchange-max-time -How many seconds should an exchange maximally take to setup -before we give up. +How many seconds should an exchange maximally take to setup before we +give up. .It Em Listen-on A list of IP-addresses OK to listen on. -This list is used as -a filter for the set of addresses the interfaces configured -provides. -This means that we won't see if an address given -here does not exist on this host, and thus no error is given for -that case. -.It Em Shared-SADB -If this tag is defined, whatever the value is, some semantics of -.Nm -are changed so that multiple instances can run on top of one SADB -and setup SAs with eachother. -Specifically this means replay -protection will not be asked for, and errors that can occur when -updating an SA with its parameters a 2nd time will be ignored. +This list is used as a filter for the set of addresses the interfaces +configured provides. +This means that we won't see if an address given here does not exist +on this host, and thus no error is given for that case. +.It Em Policy-file +The name of the file that contains +.Xr KeyNote 4 +policies. +The default is "/etc/isakmpd/isakmpd.policy". .It Em Pubkey-directory The directory in which .Nm @@ -195,6 +191,16 @@ The default is "/etc/isakmpd/pubkeys". Read .Xr isakmpd 8 for the required naming convention of the files in here. +.It Em Retransmits +How many times should a message be retransmitted before giving up. +.It Em Shared-SADB +If this tag is defined, whatever the value is, some semantics of +.Nm +are changed so that multiple instances can run on top of one SADB +and setup SAs with eachother. +Specifically this means replay +protection will not be asked for, and errors that can occur when +updating an SA with its parameters a 2nd time will be ignored. .El .It Em Phase 1 ISAKMP SA negotiation parameter root @@ -203,7 +209,7 @@ ISAKMP SA negotiation parameter root A name of the ISAKMP peer at the given IP-address. .It Em Default A name of the default ISAKMP peer. -Incoming Phase 1 connections from other IP-addresses will use this peer name. +Incoming phase 1 connections from other IP-addresses will use this peer name. .It "" This name is used as the section name for further information to be found. Look at <ISAKMP-peer> below. @@ -261,6 +267,10 @@ authentication. .El .It Em X509-Certificates .Bl -tag -width 12n +.It Em Accept-self-signed +If this tag is defined, whatever the value is, certificates that +do not originate from a trusted CA but are self-signed will be +accepted. .It Em Ca-directory A directory containing PEM certificates of certification authorities that we trust to sign other certificates. @@ -277,10 +287,6 @@ and X.509 CA certificates) allows for maintenance of a list of A directory containing PEM certificates that we trust to be valid. These certificates are used in preference to those passed in messages and are required to have a SubjectAltName extension. -.It Em Accept-self-signed -If this tag is defined, whatever the value is, certificates that -do not originate from a trusted CA but are self-signed will be -accepted. .It Em Private-key The private key matching the public key of our certificate (which should be in the "Cert-directory", and have a subjectAltName matching our ID, so far @@ -315,7 +321,7 @@ If existent, the IP-address of the peer. .It Em Configuration The name of the ISAKMP-configuration section to use. Look at <ISAKMP-configuration> below. -If unspecified, defaults to "Default-Phase-1-Configuration". +If unspecified, defaults to "Default-phase-1-configuration". .It Em Authentication If existent, authentication data for this specific peer. In the case of preshared key, this is the key value itself. @@ -340,7 +346,7 @@ Currently there are no specific ISAKMP SA flags defined. .Bl -tag -width 12n .It Em ID-type The ID type as given by the RFC specifications. -For Phase 1 this is currently +For phase 1 this is currently .Li IPV4_ADDR , .Li IPV4_ADDR_SUBNET , .Li IPV6_ADDR , @@ -437,7 +443,7 @@ and .Li EC_185 . .It Em PRF The algorithm to use for the keyed pseudo-random function (used for key -derivation and authentication in Phase 1), or ANY. +derivation and authentication in phase 1), or ANY. .It Em Life A list of lifetime descriptions, or ANY. In the former case, each @@ -679,7 +685,7 @@ Local-address= 10.1.0.2 Address= 10.1.0.1 #Port= isakmp #Port= 500 -#Configuration= Default-Phase-1-Configuration +#Configuration= Default-phase-1-configuration Authentication= mekmitasdigoat #Flags= @@ -741,7 +747,7 @@ Private-key= /etc/isakmpd/private/local.key # Default phase 1 description (Main Mode) -[Default-Phase-1-Configuration] +[Default-phase-1-configuration] EXCHANGE_TYPE= ID_PROT Transforms= 3DES-SHA |