path: root/sbin/isakmpd
author: Hakan Olsson <ho@cvs.openbsd.org> 2003-01-09 13:12:43 +0000
committer: Hakan Olsson <ho@cvs.openbsd.org> 2003-01-09 13:12:43 +0000
commit: 9b1f2d47d30d06332a345726f034ff6344c6b43c (patch)
tree: 9ca2823645ffdcdefdb67bbdf292660c144b15e8 /sbin/isakmpd
parent: 9f1a0fb32b50d9626651d71e3a63c117dcc0fb4f (diff)
Document the various "default" settings. Some style and alphabetical
reordering.
Diffstat (limited to 'sbin/isakmpd')
-rw-r--r-- sbin/isakmpd/isakmpd.conf.5 82
1 files changed, 44 insertions, 38 deletions
diff --git a/sbin/isakmpd/isakmpd.conf.5 b/sbin/isakmpd/isakmpd.conf.5
index 7a6ec9561b7..7641481cefe 100644
--- a/sbin/isakmpd/isakmpd.conf.5
+++ b/sbin/isakmpd/isakmpd.conf.5
@@ -1,4 +1,4 @@
-.\" $OpenBSD: isakmpd.conf.5,v 1.70 2002/11/27 14:36:20 ho Exp $
+.\" $OpenBSD: isakmpd.conf.5,v 1.71 2003/01/09 13:12:42 ho Exp $
.\" $EOM: isakmpd.conf.5,v 1.57 2000/12/21 14:43:17 ho Exp $
.\"
.\" Copyright (c) 1998, 1999, 2000 Niklas Hallqvist. All rights reserved.
@@ -114,7 +114,7 @@ use DH group 2. There are currently no predefined ESP+AH Quick Mode suites.
.Pp
The predefinitions include some default values for the special
sections "General", "Keynote", "X509-certificates", and
-"Default-Phase-1-Configuration".
+"Default-phase-1-configuration".
These default values are presented in the example below.
.Pp
All autogenerated values can be overridden by manual entries by using the
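Review bot: the rename only changes the case of "Default-Phase-1-Configuration", but existing isakmpd.conf files may still spell the section the old way; unless the config parser compares section names case-insensitively, the renamed default (which this commit also applies to the example further down) will silently stop matching those files. Either confirm the lookup is case-insensitive or add a sentence saying the old spelling continues to work.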
@@ -135,7 +135,7 @@ minutes (minimum 60 seconds, maximum 1 day).
.\"XXX Following empty .Ss works around a nroff bug, we want the new line."
.Ss
.Pp
-Also, the default Phase 1 ID can be set by creating a <Phase1-ID>
+Also, the default phase 1 ID can be set by creating a <Phase1-ID>
section, as shown below, and adding this tag under the "General"
section;
.Pp
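Review bot: style nit: "Phase 1" is lowercased here while the placeholder "<Phase1-ID>" and the new General tag "Default-phase-1-ID" keep mixed case; pick one convention. The sentence also refers to "this tag" without naming it, so saying "Default-phase-1-ID" here would make the cross-reference to the General section concrete.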
@@ -155,38 +155,34 @@ Name= foo@bar.com
.It Em General
Generic global configuration parameters
.Bl -tag -width 12n
-.It Em Policy-file
-The name of the file that contains
-.Xr KeyNote 4
-policies.
-The default is "/etc/isakmpd/isakmpd.policy".
-.It Em Default-Phase-2-Suites
-A list of Phase 2 suites that will be used when establishing dynamic
+.It Em Default-phase-1-ID
+Optional default phase 1 ID name.
+.It Em Default-phase-1-lifetime
+The default lifetime for autogenerated transforms (phase 1).
+If unspecified, the value 3600,60:86400 is used as the default.
+.It Em Default-phase-2-lifetime
+The default lifetime for autogenerated suites (phase 2).
+If unspecified, the value 1200,60:86400 is used as the default.
+.It Em Default-phase-2-suites
+A list of phase 2 suites that will be used when establishing dynamic
SAs.
If left unspecified, QM-ESP-3DES-SHA-PFS-SUITE is used as the default.
-.It Em Retransmits
-How many times should a message be retransmitted before giving up.
.It Em Check-interval
The interval between watchdog checks of connections we want up at all times.
.It Em Exchange-max-time
-How many seconds should an exchange maximally take to setup
-before we give up.
+How many seconds should an exchange maximally take to setup before we
+give up.
.It Em Listen-on
A list of IP-addresses OK to listen on.
-This list is used as
-a filter for the set of addresses the interfaces configured
-provides.
-This means that we won't see if an address given
-here does not exist on this host, and thus no error is given for
-that case.
-.It Em Shared-SADB
-If this tag is defined, whatever the value is, some semantics of
-.Nm
-are changed so that multiple instances can run on top of one SADB
-and setup SAs with eachother.
-Specifically this means replay
-protection will not be asked for, and errors that can occur when
-updating an SA with its parameters a 2nd time will be ignored.
+This list is used as a filter for the set of addresses the interfaces
+configured provides.
+This means that we won't see if an address given here does not exist
+on this host, and thus no error is given for that case.
+.It Em Policy-file
+The name of the file that contains
+.Xr KeyNote 4
+policies.
+The default is "/etc/isakmpd/isakmpd.policy".
.It Em Pubkey-directory
The directory in which
.Nm
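Review bot: the new Default-phase-1-lifetime and Default-phase-2-lifetime entries give the defaults as bare "3600,60:86400" and "1200,60:86400" without saying what the fields mean; a pointer to where lifetime descriptions are explained (the "Life" tag later in the page) would let a reader decode the seconds and the range. Check-interval and Exchange-max-time still state no default, although documenting the defaults is the stated purpose of this commit. Minor: in the reflowed Exchange-max-time text, "take to setup before we give up" should read "take to set up".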
@@ -195,6 +191,16 @@ The default is "/etc/isakmpd/pubkeys".
Read
.Xr isakmpd 8
for the required naming convention of the files in here.
+.It Em Retransmits
+How many times should a message be retransmitted before giving up.
+.It Em Shared-SADB
+If this tag is defined, whatever the value is, some semantics of
+.Nm
+are changed so that multiple instances can run on top of one SADB
+and setup SAs with eachother.
+Specifically this means replay
+protection will not be asked for, and errors that can occur when
+updating an SA with its parameters a 2nd time will be ignored.
.El
.It Em Phase 1
ISAKMP SA negotiation parameter root
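Review bot: since Retransmits and Shared-SADB are being moved anyway, the moved text could be tidied in the same change: "setup SAs with eachother" should read "set up SAs with each other", and "a 2nd time" reads better as "a second time". Retransmits also still lacks a documented default, unlike the Default-* tags added above.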
@@ -203,7 +209,7 @@ ISAKMP SA negotiation parameter root
A name of the ISAKMP peer at the given IP-address.
.It Em Default
A name of the default ISAKMP peer.
-Incoming Phase 1 connections from other IP-addresses will use this peer name.
+Incoming phase 1 connections from other IP-addresses will use this peer name.
.It ""
This name is used as the section name for further information to be found.
Look at <ISAKMP-peer> below.
@@ -261,6 +267,10 @@ authentication.
.El
.It Em X509-Certificates
.Bl -tag -width 12n
+.It Em Accept-self-signed
+If this tag is defined, whatever the value is, certificates that
+do not originate from a trusted CA but are self-signed will be
+accepted.
.It Em Ca-directory
A directory containing PEM certificates of certification authorities
that we trust to sign other certificates.
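Review bot: Accept-self-signed now heads the X509-Certificates list, but its description still only says that self-signed certificates "will be accepted". Since setting it means a peer certificate no longer needs to chain to a CA in Ca-directory, a sentence on what still constrains such a peer (for example the KeyNote policy named by Policy-file) would help readers weigh the risk before enabling it.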
@@ -277,10 +287,6 @@ and X.509 CA certificates) allows for maintenance of a list of
A directory containing PEM certificates that we trust to be valid.
These certificates are used in preference to those passed in messages and
are required to have a SubjectAltName extension.
-.It Em Accept-self-signed
-If this tag is defined, whatever the value is, certificates that
-do not originate from a trusted CA but are self-signed will be
-accepted.
.It Em Private-key
The private key matching the public key of our certificate (which should be
in the "Cert-directory", and have a subjectAltName matching our ID, so far
@@ -315,7 +321,7 @@ If existent, the IP-address of the peer.
.It Em Configuration
The name of the ISAKMP-configuration section to use.
Look at <ISAKMP-configuration> below.
-If unspecified, defaults to "Default-Phase-1-Configuration".
+If unspecified, defaults to "Default-phase-1-configuration".
.It Em Authentication
If existent, authentication data for this specific peer.
In the case of preshared key, this is the key value itself.
@@ -340,7 +346,7 @@ Currently there are no specific ISAKMP SA flags defined.
.Bl -tag -width 12n
.It Em ID-type
The ID type as given by the RFC specifications.
-For Phase 1 this is currently
+For phase 1 this is currently
.Li IPV4_ADDR ,
.Li IPV4_ADDR_SUBNET ,
.Li IPV6_ADDR ,
@@ -437,7 +443,7 @@ and
.Li EC_185 .
.It Em PRF
The algorithm to use for the keyed pseudo-random function (used for key
-derivation and authentication in Phase 1), or ANY.
+derivation and authentication in phase 1), or ANY.
.It Em Life
A list of lifetime descriptions, or ANY.
In the former case, each
@@ -679,7 +685,7 @@ Local-address= 10.1.0.2
Address= 10.1.0.1
#Port= isakmp
#Port= 500
-#Configuration= Default-Phase-1-Configuration
+#Configuration= Default-phase-1-configuration
Authentication= mekmitasdigoat
#Flags=
@@ -741,7 +747,7 @@ Private-key= /etc/isakmpd/private/local.key
# Default phase 1 description (Main Mode)
-[Default-Phase-1-Configuration]
+[Default-phase-1-configuration]
EXCHANGE_TYPE= ID_PROT
Transforms= 3DES-SHA