-rw-r--r-- | sbin/isakmpd/isakmpd.conf.5 | 55 |
1 files changed, 50 insertions, 5 deletions
diff --git a/sbin/isakmpd/isakmpd.conf.5 b/sbin/isakmpd/isakmpd.conf.5
index acf92fc1ac3..a402bb1c8ea 100644
--- a/sbin/isakmpd/isakmpd.conf.5
+++ b/sbin/isakmpd/isakmpd.conf.5
@@ -1,5 +1,5 @@
-.\" $OpenBSD: isakmpd.conf.5,v 1.37 2000/05/02 14:36:18 niklas Exp $
-.\" $EOM: isakmpd.conf.5,v 1.42 2000/05/02 00:23:27 ho Exp $
+.\" $OpenBSD: isakmpd.conf.5,v 1.38 2000/06/08 20:51:00 niklas Exp $
+.\" $EOM: isakmpd.conf.5,v 1.45 2000/05/26 21:49:07 angelos Exp $
 .\"
 .\" Copyright (c) 1998, 1999, 2000 Niklas Hallqvist. All rights reserved.
 .\"
@@ -114,6 +114,16 @@ when using SHA hash.
 .Pp
 All autogenerated values can be overridden by manual entries by using the same section and tag names in the configuration file.
+.Pp
+In particular, the default phase 1 (Main or Aggressive Mode) and phase 2
+(Quick Mode) lifetimes can be overridden by these tags under the "General"
+section;
+.Pp
+.Bd -literal
+[General]
+Default-phase-1-lifetime= 3600,60:86400
+Default-phase-2-lifetime= 1200,60:86400
+.Ed
 .\"XXX Following empty .Ss works around a nroff bug, we want the new line."
 .Ss
 .Pp
@@ -180,6 +190,34 @@ Currently only the Local-ID and Remote-ID tags are looked at in those sections, as they are matched against the IDs given by the initiator.
 .El
+.It Em KeyNote
+.Bl -tag -width 12n
+.It Em Credential-directory
+A directory containing directories named after IDs (IP
+addresses, ``user@domain'', or hostnames) that contain files named
+``credentials'' and ``private_key''.
+.Pp
+The credentials file contains
+.Xr keynote 4
+credentials that are sent to a remote IKE daemon when we use the
+associated ID, or credentials that we may want to consider when doing
+an exchange with a remote IKE daemon that uses that ID. Note that, in
+the former case, the last credential in the file MUST contain our
+public key in its Licensees field. More than one credentials may exist
+in the file. They are separated by whitelines (the format is
+essentially the same as that of the policy file). The credentials are
+of the same format as the policies described in
+.Xr isakmpd.policy 5 .
+The only difference is that the Authorizer field contains a public
+key, and the assertion is signed. Signed assertions can be generated
+using the
+.Xr keynote 1
+utility.
+.Pp
+The private_key file contains the private RSA key we use for
+authentication. If the directory (and the files) exist, they take
+precedence over X509-based authentication.
+.El
 .It Em X509-Certificates
 .Bl -tag -width 12n
 .It Em Ca-directory
@@ -287,6 +325,8 @@ string respectively.
 The domain of interpretation as given by the RFCs. Normally
 .Li IPSEC .
+If unspecified, defaults to
+.Li IPSEC .
 .It Em EXCHANGE_TYPE
 The exchange type as given by the RFCs. For main mode this is
@@ -385,7 +425,9 @@ accepting connections from the peer.
 .It Em DOI
 The domain of interpretation as given by the RFCs. Normally
-.Li IPSEC .
+.Li IPSEC .
+If unspecified, defaults to
+.Li IPSEC .
 .It Em EXCHANGE_TYPE
 The exchange type as given by the RFCs. For quick mode this is
@@ -520,14 +562,12 @@ Netmask= 255.255.255.0
 # Main mode descriptions
 [Default-main-mode]
-DOI= IPSEC
 EXCHANGE_TYPE= ID_PROT
 Transforms= 3DES-SHA
 # Quick mode descriptions
 [Default-quick-mode]
-DOI= IPSEC
 EXCHANGE_TYPE= QUICK_MODE
 Suites= QM-ESP-3DES-SHA-PFS-SUITE,QM-ESP-DES-MD5-SUITE
@@ -545,6 +585,10 @@ Policy-File= /etc/isakmpd/isakmpd.policy
 Retransmits= 3
 Exchange-max-time= 120
+# KeyNote credential storage
+[KeyNote]
+Credential-directory= /etc/isakmpd/keynote/
+
 # Certificates stored in PEM format
 [X509-certificates]
 CA-directory= /etc/isakmpd/ca/
@@ -799,6 +843,7 @@ LIFE_DURATION= 4608000,4096000:8192000
 .Ed
 .Sh SEE ALSO
 .Xr ipsec 4 ,
+.Xr keynote 1 ,
 .Xr keynote 4 ,
 .Xr isakmpd.policy 5 ,
 .Xr isakmpd 8 |