-rw-r--r-- | sbin/isakmpd/samples/VPN-3way-template.conf | 367 |
1 files changed, 367 insertions, 0 deletions
diff --git a/sbin/isakmpd/samples/VPN-3way-template.conf b/sbin/isakmpd/samples/VPN-3way-template.conf
new file mode 100644
index 00000000000..0785f0714cf
--- /dev/null
+++ b/sbin/isakmpd/samples/VPN-3way-template.conf
@@ -0,0 +1,367 @@
+# $Id: VPN-3way-template.conf,v 1.1 1999/07/07 22:06:05 niklas Exp $
+#
+# A configuration sample for the isakmpd ISAKMP/Oakley (aka IKE) daemon.
+#
+# This is a template file of a VPN setup beteween three nodes in
+# a fully meshed 'three-way' configuration. Suggested use is to copy
+# this file to all three nodes and then edit them accordingly.
+#
+# These nodes are initially called XXX, YYY and ZZZ.
+#
+# In pseudographics: XXX --- YYY
+# \ /
+# ZZZ
+#
+# In cases where IP/network adresses should be defined values like
+# 192.168.XXX.nnn have been used.
+#
+
+# Incoming phase 1 negotiations are multiplexed on the source IP
+# address. In the three-way VPN, we have two possible peers.
+
+[Phase 1]
+192.168.YYY.nnn= ISAKMP-peer-node-YYY
+192.168.ZZZ.nnn= ISAKMP-peer-node-ZZZ
+
+# These connections are walked over after config file parsing and
+# told to the application layer so that it will inform us when
+# traffic wants to pass over them. This means we can do on-demand
+# keying. In the three-way VPN, each node knows two connections.
+
+[Phase 2]
+Connections= IPSec-Conn-XXX-YYY,IPSec-Conn-XXX-ZZZ
+
+# ISAKMP Phase 1 peer sections
+##############################
+
+[ISAKMP-peer-node-YYY]
+Phase= 1
+Transport= udp
+Address= 192.168.YYY.nnn
+Configuration= Default-main-mode
+Authentication= yoursharedsecretwithYYY
+
+[ISAKMP-peer-node-ZZZ]
+Phase= 1
+Transport= udp
+Address= 192.168.ZZZ.nnn
+Configuration= Default-main-mode
+Authentication= yoursharedsecretwithZZZ
+
+# IPSec Phase 2 sections
+########################
+
+[IPSec-Conn-XXX-YYY]
+Phase= 2
+ISAKMP-peer= ISAKMP-peer-node-YYY
+Configuration= Default-quick-mode
+Local-ID= MyNet-XXX
+Remote-ID= OtherNet-YYY
+
+[IPSec-Conn-XXX-ZZZ]
+Phase= 2
+ISAKMP-peer= ISAKMP-peer-node-ZZZ
+Configuration= Default-quick-mode
+Local-ID= MyNet-XXX
+Remote-ID= OtherNet-ZZZ
+
+# Client ID sections
+####################
+
+[MyNet-XXX]
+ID-type= IPV4_ADDR_SUBNET
+Network= 192.168.XXX.0
+Netmask= 255.255.255.0
+
+[OtherNet-YYY]
+ID-type= IPV4_ADDR_SUBNET
+Network= 192.168.YYY.0
+Netmask= 255.255.255.0
+
+[OtherNet-ZZZ]
+ID-type= IPV4_ADDR_SUBNET
+Network= 192.168.ZZZ.0
+Netmask= 255.255.255.0
+
+#
+# There is no more node-specific configuration below this point.
+#
+
+# Miscellaneous configuration parameters
+[General]
+Retransmits= 3
+Exchange-max-time= 120
+
+# Main mode descriptions
+
+[Default-main-mode]
+DOI= IPSEC
+EXCHANGE_TYPE= ID_PROT
+Transforms= 3DES-SHA
+
+# Quick mode description
+########################
+
+[Default-quick-mode]
+DOI= IPSEC
+EXCHANGE_TYPE= QUICK_MODE
+Suites= QM-ESP-3DES-SHA-PFS-SUITE
+
+# Main mode transforms
+######################
+
+# DES
+
+[DES-MD5]
+ENCRYPTION_ALGORITHM= DES_CBC
+HASH_ALGORITHM= MD5
+AUTHENTICATION_METHOD= PRE_SHARED
+GROUP_DESCRIPTION= MODP_768
+Life= LIFE_600_SECS,LIFE_1000_KB
+
+[DES-MD5-NO-VOL-LIFE]
+ENCRYPTION_ALGORITHM= DES_CBC
+HASH_ALGORITHM= MD5
+AUTHENTICATION_METHOD= PRE_SHARED
+GROUP_DESCRIPTION= MODP_768
+Life= LIFE_600_SECS
+
+[DES-SHA]
+ENCRYPTION_ALGORITHM= DES_CBC
+HASH_ALGORITHM= SHA
+AUTHENTICATION_METHOD= PRE_SHARED
+GROUP_DESCRIPTION= MODP_768
+Life= LIFE_600_SECS,LIFE_1000_KB
+
+# 3DES
+
+[3DES-SHA]
+ENCRYPTION_ALGORITHM= 3DES_CBC
+HASH_ALGORITHM= SHA
+AUTHENTICATION_METHOD= PRE_SHARED
+GROUP_DESCRIPTION= MODP_1024
+Life= LIFE_600_SECS,LIFE_1000_KB
+
+# Blowfish
+
+[BLF-SHA-M1024]
+ENCRYPTION_ALGORITHM= BLOWFISH_CBC
+KEY_LENGTH= 128,96:192
+HASH_ALGORITHM= SHA
+AUTHENTICATION_METHOD= PRE_SHARED
+GROUP_DESCRIPTION= MODP_1024
+Life= LIFE_600_SECS,LIFE_1000_KB
+
+[BLF-SHA-EC155]
+ENCRYPTION_ALGORITHM= BLOWFISH_CBC
+KEY_LENGTH= 128,96:192
+HASH_ALGORITHM= SHA
+AUTHENTICATION_METHOD= PRE_SHARED
+GROUP_DESCRIPTION= EC2N_155
+Life= LIFE_600_SECS,LIFE_1000_KB
+
+[BLF-MD5-EC155]
+ENCRYPTION_ALGORITHM= BLOWFISH_CBC
+KEY_LENGTH= 128,96:192
+HASH_ALGORITHM= MD5
+AUTHENTICATION_METHOD= PRE_SHARED
+GROUP_DESCRIPTION= EC2N_155
+Life= LIFE_600_SECS,LIFE_1000_KB
+
+[BLF-SHA-EC185]
+ENCRYPTION_ALGORITHM= BLOWFISH_CBC
+KEY_LENGTH= 128,96:192
+HASH_ALGORITHM= SHA
+AUTHENTICATION_METHOD= PRE_SHARED
+GROUP_DESCRIPTION= EC2N_185
+Life= LIFE_600_SECS,LIFE_1000_KB
+
+# Quick mode protection suites
+##############################
+
+# DES
+
+[QM-ESP-DES-SUITE]
+Protocols= QM-ESP-DES
+
+[QM-ESP-DES-PFS-SUITE]
+Protocols= QM-ESP-DES-PFS
+
+[QM-ESP-DES-MD5-SUITE]
+Protocols= QM-ESP-DES-MD5
+
+[QM-ESP-DES-MD5-PFS-SUITE]
+Protocols= QM-ESP-DES-MD5-PFS
+
+[QM-ESP-DES-SHA-SUITE]
+Protocols= QM-ESP-DES-SHA
+
+[QM-ESP-DES-SHA-PFS-SUITE]
+Protocols= QM-ESP-DES-SHA-PFS
+
+# 3DES
+
+[QM-ESP-3DES-SHA-SUITE]
+Protocols= QM-ESP-3DES-SHA
+
+[QM-ESP-3DES-SHA-PFS-SUITE]
+Protocols= QM-ESP-3DES-SHA-PFS
+
+# AH
+
+[QM-AH-MD5-SUITE]
+Protocols= QM-AH-MD5
+
+[QM-AH-MD5-PFS-SUITE]
+Protocols= QM-AH-MD5-PFS
+
+# AH + ESP
+
+[QM-AH-MD5-ESP-DES-SUITE]
+Protocols= QM-AH-MD5,QM-ESP-DES
+
+[QM-AH-MD5-ESP-DES-MD5-SUITE]
+Protocols= QM-AH-MD5,QM-ESP-DES-MD5
+
+[QM-ESP-DES-MD5-AH-MD5-SUITE]
+Protocols= QM-ESP-DES-MD5,QM-AH-MD5
+
+# Quick mode protocols
+
+# DES
+
+[QM-ESP-DES]
+PROTOCOL_ID= IPSEC_ESP
+Transforms= QM-ESP-DES-XF
+
+[QM-ESP-DES-MD5]
+PROTOCOL_ID= IPSEC_ESP
+Transforms= QM-ESP-DES-MD5-XF
+
+[QM-ESP-DES-MD5-PFS]
+PROTOCOL_ID= IPSEC_ESP
+Transforms= QM-ESP-DES-MD5-PFS-XF
+
+[QM-ESP-DES-SHA]
+PROTOCOL_ID= IPSEC_ESP
+Transforms= QM-ESP-DES-SHA-XF
+
+# 3DES
+
+[QM-ESP-3DES-SHA]
+PROTOCOL_ID= IPSEC_ESP
+Transforms= QM-ESP-3DES-SHA-XF
+
+[QM-ESP-3DES-SHA-PFS]
+PROTOCOL_ID= IPSEC_ESP
+Transforms= QM-ESP-3DES-SHA-PFS-XF
+
+[QM-ESP-3DES-SHA-TRP]
+PROTOCOL_ID= IPSEC_ESP
+Transforms= QM-ESP-3DES-SHA-TRP-XF
+
+# AH MD5
+
+[QM-AH-MD5]
+PROTOCOL_ID= IPSEC_AH
+Transforms= QM-AH-MD5-XF
+
+[QM-AH-MD5-PFS]
+PROTOCOL_ID= IPSEC_AH
+Transforms= QM-AH-MD5-PFS-XF
+
+# Quick mode transforms
+
+# ESP DES+MD5
+
+[QM-ESP-DES-XF]
+TRANSFORM_ID= DES
+ENCAPSULATION_MODE= TUNNEL
+Life= LIFE_600_SECS
+
+[QM-ESP-DES-MD5-XF]
+TRANSFORM_ID= DES
+ENCAPSULATION_MODE= TUNNEL
+AUTHENTICATION_ALGORITHM= HMAC_MD5
+Life= LIFE_600_SECS
+
+[QM-ESP-DES-MD5-PFS-XF]
+TRANSFORM_ID= DES
+ENCAPSULATION_MODE= TUNNEL
+GROUP_DESCRIPTION= MODP_768
+AUTHENTICATION_ALGORITHM= HMAC_MD5
+Life= LIFE_600_SECS
+
+[QM-ESP-DES-SHA-XF]
+TRANSFORM_ID= DES
+ENCAPSULATION_MODE= TUNNEL
+AUTHENTICATION_ALGORITHM= HMAC_SHA
+Life= LIFE_600_SECS
+
+# 3DES
+
+[QM-ESP-3DES-SHA-XF]
+TRANSFORM_ID= 3DES
+ENCAPSULATION_MODE= TUNNEL
+AUTHENTICATION_ALGORITHM= HMAC_SHA
+Life= LIFE_200_SECS
+
+[QM-ESP-3DES-SHA-PFS-XF]
+TRANSFORM_ID= 3DES
+ENCAPSULATION_MODE= TUNNEL
+AUTHENTICATION_ALGORITHM= HMAC_SHA
+GROUP_DESCRIPTION= MODP_1024
+Life= LIFE_200_SECS
+
+[QM-ESP-3DES-SHA-TRP-XF]
+TRANSFORM_ID= 3DES
+ENCAPSULATION_MODE= TRANSPORT
+AUTHENTICATION_ALGORITHM= HMAC_SHA
+Life= LIFE_200_SECS
+
+# AH
+
+[QM-AH-MD5-XF]
+TRANSFORM_ID= MD5
+ENCAPSULATION_MODE= TUNNEL
+AUTHENTICATION_ALGORITHM= HMAC_MD5
+Life= LIFE_600_SECS
+
+[QM-AH-MD5-PFS-XF]
+TRANSFORM_ID= MD5
+ENCAPSULATION_MODE= TUNNEL
+GROUP_DESCRIPTION= MODP_768
+Life= LIFE_600_SECS
+
+[LIFE_200_SECS]
+LIFE_TYPE= SECONDS
+LIFE_DURATION= 200,150:320
+
+[LIFE_600_SECS]
+LIFE_TYPE= SECONDS
+LIFE_DURATION= 600,450:720
+
+[LIFE_3600_SECS]
+LIFE_TYPE= SECONDS
+LIFE_DURATION= 3600,1800:7200
+
+[LIFE_6_HOURS]
+LIFE_TYPE= SECONDS
+LIFE_DURATION= 21600,16200:32400
+
+[LIFE_1000_KB]
+LIFE_TYPE= KILOBYTES
+LIFE_DURATION= 1000,768:1536
+
+[LIFE_32_MB]
+LIFE_TYPE= KILOBYTES
+LIFE_DURATION= 32768,16384:65536
+
+[LIFE_4.5_GB]
+LIFE_TYPE= KILOBYTES
+LIFE_DURATION= 4608000,4096000:8192000
+
+[RSA_SIG]
+CERT= /etc/isakmpd_cert
+PRIVKEY= /etc/isakmpd_key
+PUBKEY= /etc/isakmpd_key.pub
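Review bot: `[QM-AH-MD5-PFS-XF]` is the only AH transform in the hunk without an `AUTHENTICATION_ALGORITHM= HMAC_MD5` line; its non-PFS sibling `[QM-AH-MD5-XF]` has it, and an AH transform whose whole purpose is integrity protection should not differ from its sibling only by a missing authenticator, so the line should be added unless isakmpd is known to infer it from `TRANSFORM_ID= MD5`. The two `Authentication= yoursharedsecretwith...` lines in the Phase 1 peer sections hold the pre-shared keys in cleartext, and since the header tells users to copy this file to all three nodes, a comment next to them such as `# Replace with a long random secret, unique per peer pair; keep this file mode 0600 (root only)` would stop the placeholders from being deployed as-is. Note also that the selected defaults (`3DES-SHA` with `MODP_1024`, `QM-ESP-3DES-SHA-PFS-SUITE`) are the strongest ones defined here, while the remaining `DES`/`MD5`/`MODP_768` sections are only templates that nothing in this file references; a one-line comment stating that they are weaker alternatives not to be selected without reason would help an operator editing the `Transforms=`/`Suites=` lines. The `[RSA_SIG]` section is likewise unreferenced by any `AUTHENTICATION_METHOD` in this file, which is worth a comment so readers don't assume certificate authentication is active.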