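# $OpenBSD: isakmpd.conf.sample,v 1.5 1998/11/20 23:42:29 niklas Exp $
# $EOM: isakmpd.conf.sample,v 1.17 1998/11/20 23:34:57 niklas Exp $

# A configuration sample for the isakmpd ISAKMP/Oakley (aka IKE) daemon.
#
# Layout: one directive per line, '#' starts a full-line comment.
# [Main mode] and [Quick mode] list names; each name is a section defined
# further down in this file.
#
# NOTE(review): this is a sample, not a deployment baseline.  Every
# transform below relies on DES and/or MD5, small key-exchange groups, and
# pre-shared keys that are printed in the file itself.  Before use, replace
# the keys and trim the offered/accepted lists to the strongest algorithms
# that both the peer and the installed isakmpd version support.
# This file holds secrets ([PRE_SHARED]); keep it readable by root only.

[General]
# Retransmission setting for the daemon.
Retransmits= 5

[Main mode]
# Phase 1 transforms, each name referring to a section below.
# NOTE(review): DES-MD5 is in both lists, so a negotiation can end on the
# weakest transform in this file.  Remove it outside of interop testing.
Offered-transforms= BLF-SHA-M1024,DES-MD5
#Accepted-transforms= BLF-SHA-M1024,BLF-SHA-EC185,BLF-SHA-EC155,DES-MD5
# NOTE(review): the active line accepts less than the commented one;
# BLF-SHA-M1024 is offered above but not accepted here.  Confirm intent.
Accepted-transforms= BLF-SHA-EC185,BLF-SHA-EC155,DES-MD5

# Phase 1 transform: single DES, MD5, 768-bit MODP group.
# NOTE(review): single DES has a 56-bit key, within reach of exhaustive
# search; MD5 is collision-broken; a 768-bit MODP group is far below current
# strength guidance.  Legacy interop only.
[DES-MD5]
ENCRYPTION_ALGORITHM= DES_CBC
HASH_ALGORITHM= MD5
AUTHENTICATION_METHOD= PRE_SHARED
GROUP_DESCRIPTION= MODP_768
Life= LIFE_600_SECS

# Phase 1 transform: Blowfish, SHA, 1024-bit MODP group.
# KEY_LENGTH is presumably "offered,accepted-min:accepted-max" in bits.
# NOTE(review): 196 is not a multiple of 8; possibly meant 192.  Confirm
# against isakmpd.conf(5) for the installed version.
[BLF-SHA-M1024]
ENCRYPTION_ALGORITHM= BLOWFISH_CBC
KEY_LENGTH= 128,64:196
HASH_ALGORITHM= SHA
AUTHENTICATION_METHOD= PRE_SHARED
GROUP_DESCRIPTION= MODP_1024
Life= LIFE_600_SECS

# Phase 1 transform: as BLF-SHA-M1024 but with the EC2N_155 group.
# NOTE(review): EC2N_155 and EC2N_185 are small binary-field elliptic-curve
# groups; treat both as legacy.
[BLF-SHA-EC155]
ENCRYPTION_ALGORITHM= BLOWFISH_CBC
KEY_LENGTH= 128,64:196
HASH_ALGORITHM= SHA
AUTHENTICATION_METHOD= PRE_SHARED
GROUP_DESCRIPTION= EC2N_155
Life= LIFE_600_SECS

# Phase 1 transform: as BLF-SHA-M1024 but with the EC2N_185 group.
[BLF-SHA-EC185]
ENCRYPTION_ALGORITHM= BLOWFISH_CBC
KEY_LENGTH= 128,64:196
HASH_ALGORITHM= SHA
AUTHENTICATION_METHOD= PRE_SHARED
GROUP_DESCRIPTION= EC2N_185
Life= LIFE_600_SECS

[Quick mode]
# Phase 2 suites, each name referring to a section below.
#Offered-suites= QM-ESP-DES-SUITE,\
#  QM-ESP-DES-MD5-SUITE,QM-AH-MD5-ESP-DES-SUITE
# NOTE(review): the only suite offered is ESP with DES and no
# AUTHENTICATION_ALGORITHM (see [QM-ESP-DES-XF]).  Encryption without
# integrity protection lets ciphertext be modified in transit undetected;
# the two suites in the commented-out line add HMAC-MD5 or AH.
Offered-suites= QM-ESP-DES-SUITE
# XXX Not yet supported.
#Accepted-suites= QM-ESP-DES-MD5-SUITE,QM-AH-MD5-ESP-DES-SUITE

# Suite: ESP with DES, no authentication.
[QM-ESP-DES-SUITE]
Protocols= QM-ESP-DES

# Suite: ESP with DES and HMAC-MD5.
[QM-ESP-DES-MD5-SUITE]
Protocols= QM-ESP-DES-MD5

[QM-ESP-DES-MD5]
PROTOCOL_ID= IPSEC_ESP
Transforms= QM-ESP-DES-MD5-XF

[QM-ESP-DES-MD5-XF]
TRANSFORM_ID= DES
ENCAPSULATION_MODE= TUNNEL
AUTHENTICATION_ALGORITHM= HMAC_MD5
Life= LIFE_600_SECS,LIFE_32_MB

# SA lifetime: 600 seconds.
[LIFE_600_SECS]
SA_LIFE_TYPE= SECONDS
SA_LIFE_DURATION= 600

# SA lifetime: 32768 kilobytes (32 MB) of traffic.
[LIFE_32_MB]
SA_LIFE_TYPE= KILOBYTES
SA_LIFE_DURATION= 32768

# Suite: AH with MD5 combined with ESP with DES.
[QM-AH-MD5-ESP-DES-SUITE]
Protocols= QM-AH-MD5,QM-ESP-DES

[QM-AH-MD5]
PROTOCOL_ID= IPSEC_AH
Transforms= QM-AH-MD5-XF

# No Life= entry is given for this transform.
[QM-AH-MD5-XF]
TRANSFORM_ID= MD5
ENCAPSULATION_MODE= TUNNEL

[QM-ESP-DES]
PROTOCOL_ID= IPSEC_ESP
Transforms= QM-ESP-DES-XF

# ESP transform with DES and no AUTHENTICATION_ALGORITHM (encryption only).
[QM-ESP-DES-XF]
TRANSFORM_ID= DES
ENCAPSULATION_MODE= TUNNEL
Life= LIFE_600_SECS,LIFE_32_MB

# Pre-shared keys, one entry per peer address.
# NOTE(review): both values below are the published sample keys and must be
# replaced with long random secrets, unique per peer, before deployment.
[PRE_SHARED]
127.0.0.1= my_key_to_myself
# A general pre-shared key used for everyone.
# NOTE(review): a shared Default key means any peer that knows it can
# authenticate as any address without its own entry.  Prefer per-peer
# entries and drop Default where the peer set is known.
Default= mekmitasdigoat

# Key and certificate paths for RSA signature authentication.
# No transform in this file selects it; every AUTHENTICATION_METHOD above is
# PRE_SHARED.
# NOTE(review): the PRIVKEY file should be owned by root and not readable by
# other users.
[RSA_SIG]
CERT= /etc/isakmpd_cert
PRIVKEY= /etc/isakmpd_key
PUBKEY= /etc/isakmpd_key.pub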