Diffstat (limited to 'sbin/isakmpd/isakmpd.conf.5'):
 sbin/isakmpd/isakmpd.conf.5 | 258 +++++++++++++++++-----------------
 1 file changed, 129 insertions(+), 129 deletions(-)
diff --git a/sbin/isakmpd/isakmpd.conf.5 b/sbin/isakmpd/isakmpd.conf.5
index c04badd3e2c..76379a5f893 100644
--- a/sbin/isakmpd/isakmpd.conf.5
+++ b/sbin/isakmpd/isakmpd.conf.5
@@ -1,4 +1,4 @@
-.\" $OpenBSD: isakmpd.conf.5,v 1.101 2005/05/05 09:00:50 jmc Exp $
+.\" $OpenBSD: isakmpd.conf.5,v 1.102 2005/05/05 09:20:27 jmc Exp $
.\" $EOM: isakmpd.conf.5,v 1.57 2000/12/21 14:43:17 ho Exp $
.\"
.\" Copyright (c) 1998, 1999, 2000 Niklas Hallqvist. All rights reserved.
@@ -37,7 +37,7 @@
.Sh DESCRIPTION
.Nm
is the configuration file for the
-.Xr isakmpad 8
+.Xr isakmpd 8
daemon, managing security association and key management for the
IPsec layer of the kernel's networking stack.
.Pp
@@ -187,18 +187,6 @@ Name= foo@bar.com
.It Sy General
Generic global configuration parameters
.Bl -tag -width Ds
-.It Em Default-phase-1-ID
-Optional default phase 1 ID name.
-.It Em Default-phase-1-lifetime
-The default lifetime for autogenerated transforms (phase 1).
-If unspecified, the value 3600,60:86400 is used as the default.
-.It Em Default-phase-2-lifetime
-The default lifetime for autogenerated suites (phase 2).
-If unspecified, the value 1200,60:86400 is used as the default.
-.It Em Default-phase-2-suites
-A list of phase 2 suites that will be used when establishing dynamic
-SAs.
-If left unspecified, QM-ESP-3DES-SHA-PFS-SUITE is used as the default.
.It Em Acquire-Only
If this tag is defined,
.Xr isakmpd 8
@@ -214,6 +202,18 @@ only takes care of the SA establishment.
The interval between watchdog checks of connections we want up at all
times, in seconds.
The default value is 60 seconds.
+.It Em Default-phase-1-ID
+Optional default phase 1 ID name.
+.It Em Default-phase-1-lifetime
+The default lifetime for autogenerated transforms (phase 1).
+If unspecified, the value 3600,60:86400 is used as the default.
+.It Em Default-phase-2-lifetime
+The default lifetime for autogenerated suites (phase 2).
+If unspecified, the value 1200,60:86400 is used as the default.
+.It Em Default-phase-2-suites
+A list of phase 2 suites that will be used when establishing dynamic
+SAs.
+If left unspecified, QM-ESP-3DES-SHA-PFS-SUITE is used as the default.
.It Em DPD-check-interval
The interval between RFC 3706 (Dead Peer Detection) messages, in seconds.
The default value is 0 (zero), which means DPD is disabled.
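Review bot: the sort order applied in this hunk is case-insensitive (Default-phase-* is placed before DPD-check-interval, and in the earlier hunk Acquire-Only before Check-interval); the commit message should state that rule so later additions to the General section follow it instead of ASCII order, where DPD would sort first. A documentation nit on the moved text: the defaults `3600,60:86400` and `1200,60:86400` use the offer/accept value syntax that the ISAKMP-transform and Lifetime entries later refer to as "the offer-accept kind described above"; a short pointer to that format here would help a reader who meets these values first.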
@@ -299,8 +299,6 @@ or
.It Sy Phase 1
ISAKMP SA negotiation parameter root
.Bl -tag -width Ds
-.It Aq Em IP-address
-A name of the ISAKMP peer at the given IP address.
.It Em Default
A name of the default ISAKMP peer.
Incoming phase 1 connections from other IP addresses will use this peer name.
@@ -308,6 +306,8 @@ This name is used as the section name for further information to be found.
Look at
.Aq Sy ISAKMP-peer
below.
+.It Aq Em IP-address
+A name of the ISAKMP peer at the given IP address.
.El
.It Sy Phase 2
IPsec SA negotiation parameter root
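Review bot: with `<IP-address>` now sorted after `Default`, the Default entry's "Incoming phase 1 connections from other IP addresses will use this peer name" refers to per-address entries the reader has not yet seen. Suggest "from IP addresses that have no entry of their own in this section" so the sentence stands on its own regardless of ordering.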
@@ -405,31 +405,21 @@ in the "Cert-directory", and have an appropriate subjectAltName field).
.It Aq Sy ISAKMP-peer
Parameters for negotiation with an ISAKMP peer
.Bl -tag -width Ds
-.It Em Phase
-The constant
-.Sq 1 ,
-as ISAKMP-peers and IPsec-connections
-really are handled by the same code inside
-.Xr isakmpd 8 .
-.It Em Transport
-The name of the transport protocol; defaults to UDP.
-.It Em Port
-For UDP, the UDP port number to send to.
-This is optional;
-the default value is 500 which is the IANA-registered number for ISAKMP.
-.It Em Local-address
-The Local IP address to use, if we are multi-homed, or have aliases.
.It Em Address
If existent, the IP address of the peer.
+.It Em Authentication
+If existent, authentication data for this specific peer.
+In the case of a pre-shared key, this is the key value itself.
.It Em Configuration
The name of the ISAKMP-configuration section to use.
Look at
.Aq Sy ISAKMP-configuration
below.
If unspecified, defaults to "Default-phase-1-configuration".
-.It Em Authentication
-If existent, authentication data for this specific peer.
-In the case of a pre-shared key, this is the key value itself.
+.It Em Flags
+A comma-separated list of flags controlling the further
+handling of the ISAKMP SA.
+Currently there are no specific ISAKMP SA flags defined.
.It Em ID
If existent, the name of the section that describes the
local client ID that we should present to our peer.
@@ -439,6 +429,18 @@ over to the remote daemon.
Look at
.Aq Sy Phase1-ID
below.
+.It Em Local-address
+The Local IP address to use, if we are multi-homed, or have aliases.
+.It Em Phase
+The constant
+.Sq 1 ,
+as ISAKMP-peers and IPsec-connections
+really are handled by the same code inside
+.Xr isakmpd 8 .
+.It Em Port
+For UDP, the UDP port number to send to.
+This is optional;
+the default value is 500 which is the IANA-registered number for ISAKMP.
.It Em Remote-ID
If existent, the name of the section that describes the remote client
ID we expect the remote daemon to send us.
@@ -446,13 +448,17 @@ If not present, it defaults to the address of the remote daemon.
Look at
.Aq Sy Phase1-ID
below.
-.It Em Flags
-A comma-separated list of flags controlling the further
-handling of the ISAKMP SA.
-Currently there are no specific ISAKMP SA flags defined.
+.It Em Transport
+The name of the transport protocol; defaults to UDP.
.El
.It Aq Sy Phase1-ID
.Bl -tag -width Ds
+.It Em Address
+If the ID-type is
+.Li IPV4_ADDR
+or
+.Li IPV6_ADDR ,
+this tag should exist and be an IP address.
.It Em ID-type
The ID type as given by the RFC specifications.
For phase 1 this is currently
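Review bot: in the Phase1-ID list, `Address` now precedes `ID-type` even though its text is a conditional on it ("If the ID-type is IPV4_ADDR or IPV6_ADDR, this tag should exist"); the same applies to Netmask and Network once they are re-added after Name. Either keep ID-type first as the entry the others depend on, or add "see ID-type below" to the first conditional entry so the forward reference is explicit. The same situation arises in the IPsec-ID section later in the patch.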
@@ -464,26 +470,6 @@ For phase 1 this is currently
.Li USER_FQDN ,
or
.Li KEY_ID .
-.It Em Address
-If the ID-type is
-.Li IPV4_ADDR
-or
-.Li IPV6_ADDR ,
-this tag should exist and be an IP address.
-.It Em Network
-If the ID-type is
-.Li IPV4_ADDR_SUBNET
-or
-.Li IPV6_ADDR_SUBNET ,
-this tag should exist and
-be a network address.
-.It Em Netmask
-If the ID-type is
-.Li IPV4_ADDR_SUBNET
-or
-.Li IPV6_ADDR_SUBNET ,
-this tag should exist and
-be a network subnet mask.
.It Em Name
If the ID-type is
.Li FQDN ,
@@ -509,6 +495,20 @@ This effectively means that non-printable
remote identities cannot be verified through this means, although it
is still possible to do so through
.Xr isakmpd.policy 5 .
+.It Em Netmask
+If the ID-type is
+.Li IPV4_ADDR_SUBNET
+or
+.Li IPV6_ADDR_SUBNET ,
+this tag should exist and
+be a network subnet mask.
+.It Em Network
+If the ID-type is
+.Li IPV4_ADDR_SUBNET
+or
+.Li IPV6_ADDR_SUBNET ,
+this tag should exist and
+be a network address.
.El
.It Aq Sy ISAKMP-configuration
.Bl -tag -width Ds
@@ -535,26 +535,23 @@ below.
.El
.It Aq Sy ISAKMP-transform
.Bl -tag -width Ds
+.It Em AUTHENTICATION_METHOD
+The authentication method as the RFCs name it, or ANY.
.It Em ENCRYPTION_ALGORITHM
The encryption algorithm as the RFCs name it, or ANY to denote that any
encryption algorithm proposed will be accepted.
-.It Em KEY_LENGTH
-For encryption algorithms with variable key length, this is
-where the offered/accepted keylengths are described.
-The value is of the offer-accept kind described above.
-.It Em HASH_ALGORITHM
-The hash algorithm as the RFCs name it, or ANY.
-.It Em AUTHENTICATION_METHOD
-The authentication method as the RFCs name it, or ANY.
.It Em GROUP_DESCRIPTION
The group used for Diffie-Hellman exponentiations, or ANY.
The names are symbolic, like
.Li MODP_768 , MODP_1024 , EC_155 ,
and
.Li EC_185 .
-.It Em PRF
-The algorithm to use for the keyed pseudo-random function (used for key
-derivation and authentication in phase 1), or ANY.
+.It Em HASH_ALGORITHM
+The hash algorithm as the RFCs name it, or ANY.
+.It Em KEY_LENGTH
+For encryption algorithms with variable key length, this is
+where the offered/accepted keylengths are described.
+The value is of the offer-accept kind described above.
.It Em Life
A list of lifetime descriptions, or ANY.
In the former case, each
@@ -564,27 +561,41 @@ Look at
below.
If it is set to ANY, then any type of
proposed lifetime type and value will be accepted.
+.It Em PRF
+The algorithm to use for the keyed pseudo-random function (used for key
+derivation and authentication in phase 1), or ANY.
.El
.It Aq Sy Lifetime
.Bl -tag -width Ds
+.It Em LIFE_DURATION
+An offer/accept kind of value; see above.
+Can also be set to ANY.
.It Em LIFE_TYPE
.Li SECONDS
or
.Li KILOBYTES
depending on the type of the duration.
Notice that this field may NOT be set to ANY.
-.It Em LIFE_DURATION
-An offer/accept kind of value; see above.
-Can also be set to ANY.
.El
.It Aq Sy IPsec-connection
.Bl -tag -width Ds
-.It Em Phase
-The constant
-.Sq 2 ,
-as ISAKMP-peers and IPsec-connections
-really are handled by the same code inside
-.Xr isakmpd 8 .
+.It Em Configuration
+The name of the IPsec-configuration section to use.
+Look at
+.Aq Sy IPsec-configuration
+below.
+.It Em Flags
+A comma-separated list of flags controlling the further
+handling of the IPsec SA.
+Currently only one flag is defined:
+.Bl -tag -width 12n
+.It Em Active-only
+If this flag is given and this
+.Aq Sy IPsec-connection
+is part of the phase 2
+connections we automatically keep up, it will not automatically be used for
+accepting connections from the peer.
+.El
.It Em ISAKMP-peer
The name of the ISAKMP-peer which to talk to in order to
set up this connection.
@@ -592,11 +603,6 @@ The value is the name of an
.Aq Sy ISAKMP-peer
section.
See above.
-.It Em Configuration
-The name of the IPsec-configuration section to use.
-Look at
-.Aq Sy IPsec-configuration
-below.
.It Em Local-ID
If existent, the name of the section that describes the
optional local client ID that we should present to our peer.
@@ -606,6 +612,12 @@ we are dealing with.
Look at
.Aq Sy IPsec-ID
below.
+.It Em Phase
+The constant
+.Sq 2 ,
+as ISAKMP-peers and IPsec-connections
+really are handled by the same code inside
+.Xr isakmpd 8 .
.It Em Remote-ID
If existent, the name of the section that describes the
optional remote client ID that we should present to our peer.
@@ -615,18 +627,6 @@ we are dealing with.
Look at
.Aq Sy IPsec-ID
below.
-.It Em Flags
-A comma-separated list of flags controlling the further
-handling of the IPsec SA.
-Currently only one flag is defined:
-.Bl -tag -width 12n
-.It Em Active-only
-If this flag is given and this
-.Aq Sy IPsec-connection
-is part of the phase 2
-connections we automatically keep up, it will not automatically be used for
-accepting connections from the peer.
-.El
.El
.It Aq Sy IPsec-configuration
.Bl -tag -width Ds
@@ -665,27 +665,25 @@ Acceptable values are currently
.Li IPSEC_AH
and
.Li IPSEC_ESP .
+.It Em ReplayWindow
+The size of the window used for replay protection.
+This is normally left alone.
+Look at the ESP and AH RFCs for a better description.
.It Em Transforms
A list of transforms usable for implementing the protocol.
Each of the list elements is a name of an
.Aq Sy IPsec-transform
section.
See below.
-.It Em ReplayWindow
-The size of the window used for replay protection.
-This is normally left alone.
-Look at the ESP and AH RFCs for a better description.
.El
.It Aq Sy IPsec-transform
.Bl -tag -width Ds
-.It Em TRANSFORM_ID
-The transform ID as given by the RFCs.
-.It Em ENCAPSULATION_MODE
-The encapsulation mode as given by the RFCs.
-This means TRANSPORT or TUNNEL.
.It Em AUTHENTICATION_ALGORITHM
The optional authentication algorithm in the case of this
being an ESP transform.
+.It Em ENCAPSULATION_MODE
+The encapsulation mode as given by the RFCs.
+This means TRANSPORT or TUNNEL.
.It Em GROUP_DESCRIPTION
An optional (provides PFS if present) Diffie-Hellman group
description.
@@ -696,17 +694,11 @@ sections shown above.
List of lifetimes, each element is a
.Aq Sy Lifetime
section name.
+.It Em TRANSFORM_ID
+The transform ID as given by the RFCs.
.El
.It Aq Sy IPsec-ID
.Bl -tag -width Ds
-.It Em ID-type
-The ID type as given by the RFCs.
-For IPsec this is currently
-.Li IPV4_ADDR ,
-.Li IPV6_ADDR ,
-.Li IPV4_ADDR_SUBNET ,
-or
-.Li IPV6_ADDR_SUBNET .
.It Em Address
If the ID-type is
.Li IPV4_ADDR
@@ -726,17 +718,14 @@ If the address on the interface changes
.Xr isakmpd 8
will not track the change.
The configuration must be reloaded to learn the new address.
-.It Em Network
-If the ID-type is
-.Li IPV4_ADDR_SUBNET
+.It Em ID-type
+The ID type as given by the RFCs.
+For IPsec this is currently
+.Li IPV4_ADDR ,
+.Li IPV6_ADDR ,
+.Li IPV4_ADDR_SUBNET ,
or
-.Li IPV6_ADDR_SUBNET ,
-this tag should exist and be a network address, an interface, or the
-.Em default
-keyword.
-When an interface is specified, the network is selected as with the
-.Em Address
-tag.
+.Li IPV6_ADDR_SUBNET .
.It Em Netmask
If the ID-type is
.Li IPV4_ADDR_SUBNET
@@ -749,17 +738,17 @@ When an interface is specified, the netmask is the mask associated with the
The
.Em default
keyword uses the interface associated with the default route.
-.It Em Protocol
+.It Em Network
If the ID-type is
-.Li IPV4_ADDR ,
-.Li IPV4_ADDR_SUBNET ,
-.Li IPV6_ADDR ,
+.Li IPV4_ADDR_SUBNET
or
.Li IPV6_ADDR_SUBNET ,
-this tag indicates what transport protocol should be transmitted over
-the SA.
-If left unspecified, all transport protocols between the two address
-(ranges) will be sent (or permitted) over that SA.
+this tag should exist and be a network address, an interface, or the
+.Em default
+keyword.
+When an interface is specified, the network is selected as with the
+.Em Address
+tag.
.It Em Port
If the ID-type is
.Li IPV4_ADDR ,
@@ -775,6 +764,17 @@ will be transmitted (or permitted) over the SA.
The
.Em Protocol
tag must be specified in conjunction with this tag.
+.It Em Protocol
+If the ID-type is
+.Li IPV4_ADDR ,
+.Li IPV4_ADDR_SUBNET ,
+.Li IPV6_ADDR ,
+or
+.Li IPV6_ADDR_SUBNET ,
+this tag indicates what transport protocol should be transmitted over
+the SA.
+If left unspecified, all transport protocols between the two address
+(ranges) will be sent (or permitted) over that SA.
.El
.El
.Sh OTHER SECTIONS
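Review bot: the Port entry states "The Protocol tag must be specified in conjunction with this tag" and, after this move, Protocol is the entry immediately following it; suggest "the Protocol tag (below)" so the dependency points the reader to the definition. Minor wording in the moved Protocol text: "all transport protocols between the two address (ranges)" reads better as "between the two addresses (or address ranges)".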