# $OpenBSD: isakmpd.conf.sample,v 1.7 1999/02/26 03:45:30 niklas Exp $ # $EOM: isakmpd.conf.sample,v 1.26 1999/02/24 15:48:51 niklas Exp $ # A configuration sample for the isakmpd ISAKMP/Oakley (aka IKE) daemon. [General] Retransmits= 3 Exchange-max-time= 120 #Listen-on= 10.1.0.2 # Incoming phase 1 negotiations are multiplexed on the source IP address [Phase 1] 10.1.0.1= ISAKMP-peer-1 10.1.0.2= ISAKMP-peer-2 Default= Default-ISAKMP-peer # These connections are walked over after config file parsing and told # to the application layer so that it will inform us when traffic wants to # pass over them. This means we can do on-demand keying. [Phase 2] Connections= IPsec-1-2 [ISAKMP-peer-1] Phase= 1 Transport= udp # XXX Not yet implemented #Local-address= 10.1.0.2 Address= 10.1.0.1 # Default values for "Port" commented out #Port= isakmp #Port= 500 Configuration= Default-incoming-main-mode Authentication= mekmitasdigoat [Very-strong-test] Phase= 1 Transport= udp Address= 10.1.0.1 Configuration= Very-strong-main-mode Authentication= mekmitasdigoat [Strong-test] Phase= 1 Transport= udp Address= 10.1.0.1 Configuration= Strong-main-mode Authentication= mekmitasdigoat [Default-test] Phase= 1 Transport= udp Address= 10.1.0.1 Configuration= Default-main-mode Authentication= mekmitasdigoat [Weak-test] Phase= 1 Transport= udp Address= 10.1.0.1 Configuration= Weak-main-mode Authentication= mekmitasdigoat [ISAKMP-peer-2] Phase= 1 Transport= udp # XXX Not yet implemented #Local-address= 10.1.0.1 Address= 10.1.0.2 # Default values for "Port" commented out #Port= isakmp #Port= 500 Configuration= Default-incoming-main-mode Authentication= mekmitasdigoat [ISAKMP-orust.di.eom.crt.se] Phase= 1 Transport= udp # XXX Not yet implemented #Local-address= 194.198.196.150 Address= 193.12.107.84 # Default values for "Port" commented out #Port= isakmp #Port= 500 Configuration= Strong-main-mode Authentication= mekmitasdigoat [Default-ISAKMP-peer] Phase= 1 # XXX Not yet implemented #Local-address= 10.1.0.2 Configuration= Default-incoming-main-mode Authentication= mekmitasdigoat [IPsec-2-1] Phase= 2 ISAKMP-peer= ISAKMP-peer-1 Configuration= Default-quick-mode Local-ID= Net-2 Remote-ID= Net-1 [IPsec-1-2] Phase= 2 ISAKMP-peer= ISAKMP-peer-2 Configuration= Default-quick-mode Local-ID= Net-1 Remote-ID= Net-2 [IPsec-moby-1] Phase= 2 ISAKMP-peer= ISAKMP-peer-1 Configuration= Default-quick-mode Local-ID= moby.appli.se Remote-ID= Net-1 [IPsec-moby-2] Phase= 2 ISAKMP-peer= ISAKMP-orust.di.eom.crt.se Configuration= Default-quick-mode Local-ID= moby.appli.se Remote-ID= Net-2 [Net-1] ID-type= IPV4_ADDR_SUBNET Network= 192.168.1.0 Netmask= 255.255.255.0 [Net-2] ID-type= IPV4_ADDR_SUBNET Network= 192.168.2.0 Netmask= 255.255.255.0 [moby.appli.se] ID-type= IPV4_ADDR Address= 194.198.196.216 # Main mode descriptions [Default-incoming-main-mode] DOI= IPSEC EXCHANGE_TYPE= ID_PROT Transforms= BLF-SHA-EC185,BLF-MD5-EC155,3DES-SHA,DES-MD5 [Very-strong-main-mode] DOI= IPSEC EXCHANGE_TYPE= ID_PROT Transforms= BLF-SHA-EC185 [Strong-main-mode] DOI= IPSEC EXCHANGE_TYPE= ID_PROT Transforms= BLF-MD5-EC155 [Default-main-mode] DOI= IPSEC EXCHANGE_TYPE= ID_PROT Transforms= 3DES-SHA [Weak-main-mode] DOI= IPSEC EXCHANGE_TYPE= ID_PROT Transforms= DES-MD5 # Main mode transforms ###################### # DES [DES-MD5] ENCRYPTION_ALGORITHM= DES_CBC HASH_ALGORITHM= MD5 AUTHENTICATION_METHOD= PRE_SHARED GROUP_DESCRIPTION= MODP_768 Life= LIFE_600_SECS,LIFE_1000_KB [DES-MD5-NO-VOL-LIFE] ENCRYPTION_ALGORITHM= DES_CBC HASH_ALGORITHM= MD5 AUTHENTICATION_METHOD= PRE_SHARED GROUP_DESCRIPTION= MODP_768 Life= LIFE_600_SECS [DES-SHA] ENCRYPTION_ALGORITHM= DES_CBC HASH_ALGORITHM= SHA AUTHENTICATION_METHOD= PRE_SHARED GROUP_DESCRIPTION= MODP_768 Life= LIFE_600_SECS,LIFE_1000_KB # 3DES [3DES-SHA] ENCRYPTION_ALGORITHM= 3DES_CBC HASH_ALGORITHM= SHA AUTHENTICATION_METHOD= PRE_SHARED GROUP_DESCRIPTION= MODP_1024 Life= LIFE_600_SECS,LIFE_1000_KB # Blowfish [BLF-SHA-M1024] ENCRYPTION_ALGORITHM= BLOWFISH_CBC KEY_LENGTH= 128,96:192 HASH_ALGORITHM= SHA AUTHENTICATION_METHOD= PRE_SHARED GROUP_DESCRIPTION= MODP_1024 Life= LIFE_600_SECS,LIFE_1000_KB [BLF-SHA-EC155] ENCRYPTION_ALGORITHM= BLOWFISH_CBC KEY_LENGTH= 128,96:192 HASH_ALGORITHM= SHA AUTHENTICATION_METHOD= PRE_SHARED GROUP_DESCRIPTION= EC2N_155 Life= LIFE_600_SECS,LIFE_1000_KB [BLF-MD5-EC155] ENCRYPTION_ALGORITHM= BLOWFISH_CBC KEY_LENGTH= 128,96:192 HASH_ALGORITHM= MD5 AUTHENTICATION_METHOD= PRE_SHARED GROUP_DESCRIPTION= EC2N_155 Life= LIFE_600_SECS,LIFE_1000_KB [BLF-SHA-EC185] ENCRYPTION_ALGORITHM= BLOWFISH_CBC KEY_LENGTH= 128,96:192 HASH_ALGORITHM= SHA AUTHENTICATION_METHOD= PRE_SHARED GROUP_DESCRIPTION= EC2N_185 Life= LIFE_600_SECS,LIFE_1000_KB # Quick mode description ######################## [Default-quick-mode] DOI= IPSEC EXCHANGE_TYPE= QUICK_MODE Suites= QM-ESP-3DES-SHA-PFS-SUITE,QM-ESP-DES-MD5-SUITE # Quick mode protection suites ############################## # DES [QM-ESP-DES-SUITE] Protocols= QM-ESP-DES [QM-ESP-DES-PFS-SUITE] Protocols= QM-ESP-DES-PFS [QM-ESP-DES-MD5-SUITE] Protocols= QM-ESP-DES-MD5 [QM-ESP-DES-MD5-PFS-SUITE] Protocols= QM-ESP-DES-MD5-PFS [QM-ESP-DES-SHA-SUITE] Protocols= QM-ESP-DES-SHA [QM-ESP-DES-SHA-PFS-SUITE] Protocols= QM-ESP-DES-SHA-PFS # 3DES [QM-ESP-3DES-SHA-SUITE] Protocols= QM-ESP-3DES-SHA [QM-ESP-3DES-SHA-PFS-SUITE] Protocols= QM-ESP-3DES-SHA-PFS # AH [QM-AH-MD5-SUITE] Protocols= QM-AH-MD5 [QM-AH-MD5-PFS-SUITE] Protocols= QM-AH-MD5-PFS # AH + ESP [QM-AH-MD5-ESP-DES-SUITE] Protocols= QM-AH-MD5,QM-ESP-DES [QM-AH-MD5-ESP-DES-MD5-SUITE] Protocols= QM-AH-MD5,QM-ESP-DES-MD5 [QM-ESP-DES-MD5-AH-MD5-SUITE] Protocols= QM-ESP-DES-MD5,QM-AH-MD5 # Quick mode protocols # DES [QM-ESP-DES] PROTOCOL_ID= IPSEC_ESP Transforms= QM-ESP-DES-XF [QM-ESP-DES-MD5] PROTOCOL_ID= IPSEC_ESP Transforms= QM-ESP-DES-MD5-XF [QM-ESP-DES-MD5-PFS] PROTOCOL_ID= IPSEC_ESP Transforms= QM-ESP-DES-MD5-PFS-XF [QM-ESP-DES-SHA] PROTOCOL_ID= IPSEC_ESP Transforms= QM-ESP-DES-SHA-XF # 3DES [QM-ESP-3DES-SHA] PROTOCOL_ID= IPSEC_ESP Transforms= QM-ESP-3DES-SHA-XF [QM-ESP-3DES-SHA-PFS] PROTOCOL_ID= IPSEC_ESP Transforms= QM-ESP-3DES-SHA-PFS-XF [QM-ESP-3DES-SHA-TRP] PROTOCOL_ID= IPSEC_ESP Transforms= QM-ESP-3DES-SHA-TRP-XF # AH MD5 [QM-AH-MD5] PROTOCOL_ID= IPSEC_AH Transforms= QM-AH-MD5-XF [QM-AH-MD5-PFS] PROTOCOL_ID= IPSEC_AH Transforms= QM-AH-MD5-PFS-XF # Quick mode transforms # ESP DES+MD5 [QM-ESP-DES-XF] TRANSFORM_ID= DES ENCAPSULATION_MODE= TUNNEL Life= LIFE_600_SECS [QM-ESP-DES-MD5-XF] TRANSFORM_ID= DES ENCAPSULATION_MODE= TUNNEL AUTHENTICATION_ALGORITHM= HMAC_MD5 Life= LIFE_600_SECS [QM-ESP-DES-MD5-PFS-XF] TRANSFORM_ID= DES ENCAPSULATION_MODE= TUNNEL GROUP_DESCRIPTION= MODP_768 AUTHENTICATION_ALGORITHM= HMAC_MD5 Life= LIFE_600_SECS [QM-ESP-DES-SHA-XF] TRANSFORM_ID= DES ENCAPSULATION_MODE= TUNNEL AUTHENTICATION_ALGORITHM= HMAC_SHA Life= LIFE_600_SECS # 3DES [QM-ESP-3DES-SHA-XF] TRANSFORM_ID= 3DES ENCAPSULATION_MODE= TUNNEL AUTHENTICATION_ALGORITHM= HMAC_SHA Life= LIFE_600_SECS [QM-ESP-3DES-SHA-PFS-XF] TRANSFORM_ID= 3DES ENCAPSULATION_MODE= TUNNEL AUTHENTICATION_ALGORITHM= HMAC_SHA GROUP_DESCRIPTION= MODP_1024 Life= LIFE_600_SECS [QM-ESP-3DES-SHA-TRP-XF] TRANSFORM_ID= 3DES ENCAPSULATION_MODE= TRANSPORT AUTHENTICATION_ALGORITHM= HMAC_SHA Life= LIFE_600_SECS # AH [QM-AH-MD5-XF] TRANSFORM_ID= MD5 ENCAPSULATION_MODE= TUNNEL AUTHENTICATION_ALGORITHM= HMAC_MD5 Life= LIFE_600_SECS [QM-AH-MD5-PFS-XF] TRANSFORM_ID= MD5 ENCAPSULATION_MODE= TUNNEL GROUP_DESCRIPTION= MODP_768 Life= LIFE_600_SECS [LIFE_600_SECS] LIFE_TYPE= SECONDS LIFE_DURATION= 600,450:720 [LIFE_3600_SECS] LIFE_TYPE= SECONDS LIFE_DURATION= 3600,1800:7200 [LIFE_1000_KB] LIFE_TYPE= KILOBYTES LIFE_DURATION= 1000,768:1536 [LIFE_32_MB] LIFE_TYPE= KILOBYTES LIFE_DURATION= 32768,16384:65536 [LIFE_4.5_GB] LIFE_TYPE= KILOBYTES LIFE_DURATION= 4608000,4096000:8192000 [RSA_SIG] CERT= /etc/isakmpd_cert PRIVKEY= /etc/isakmpd_key PUBKEY= /etc/isakmpd_key.pub