# $OpenBSD: VPN-3way-template.conf,v 1.4 1999/08/05 22:41:22 niklas Exp $
# $EOM: VPN-3way-template.conf,v 1.4 1999/07/18 09:25:34 niklas Exp $
#
# A configuration sample for the isakmpd ISAKMP/Oakley (aka IKE) daemon.
#
# This is a template file of a VPN setup between three nodes in
# a fully meshed 'three-way' configuration.  Suggested use is to copy
# this file to all three nodes and then edit them accordingly.
#
# These nodes are initially called XXX, YYY and ZZZ.
#
# In pseudographics:	XXX --- YYY
#			 \   /
#			  ZZZ
#
# In cases where IP/network addresses should be defined values like
# 192.168.XXX.nnn have been used.
#
# Editing checklist for each node (every placeholder must be replaced):
#   - XXX is the local node; YYY and ZZZ are its two remote peers.
#   - 192.168.YYY.nnn and 192.168.ZZZ.nnn are the peers' IKE endpoints;
#     they are used both as the [Phase 1] lookup key and as "Address=".
#   - The two "Authentication=" pre-shared secrets in the peer sections
#     are kept in clear text in this file: generate a distinct random
#     secret per peer pair and keep the file readable by root only.
#   - Everything after "no more node-specific configuration" is common
#     to all three nodes and can be copied verbatim.

# Incoming phase 1 negotiations are multiplexed on the source IP
# address.  In the three-way VPN, we have two possible peers.
# The key is the peer's source address, the value the name of the
# ISAKMP peer section that describes it.
[Phase 1]
192.168.YYY.nnn=	ISAKMP-peer-node-YYY
192.168.ZZZ.nnn=	ISAKMP-peer-node-ZZZ

# These connections are walked over after config file parsing and
# told to the application layer so that it will inform us when
# traffic wants to pass over them.  This means we can do on-demand
# keying.  In the three-way VPN, each node knows two connections.
[Phase 2]
Connections=		IPSec-Conn-XXX-YYY,IPSec-Conn-XXX-ZZZ

# ISAKMP Phase 1 peer sections
##############################

# One section per remote peer.  "Address=" is the same address that
# selects this section in [Phase 1] above.  "Authentication=" is the
# pre-shared secret for this peer pair, stored in clear text: replace
# the placeholder with a long random value, use the same value in the
# matching peer section on the other node, and do not reuse it for the
# second peer.
[ISAKMP-peer-node-YYY]
Phase=			1
Transport=		udp
Address=		192.168.YYY.nnn
Configuration=		Default-main-mode
Authentication=		yoursharedsecretwithYYY

[ISAKMP-peer-node-ZZZ]
Phase=			1
Transport=		udp
Address=		192.168.ZZZ.nnn
Configuration=		Default-main-mode
Authentication=		yoursharedsecretwithZZZ

# IPSec Phase 2 sections
########################

# Each connection ties a phase 1 peer to a pair of client IDs: Local-ID
# names the network behind this node, Remote-ID the network behind the
# peer.  On the other node the same connection is written with the two
# IDs swapped.
[IPSec-Conn-XXX-YYY]
Phase=			2
ISAKMP-peer=		ISAKMP-peer-node-YYY
Configuration=		Default-quick-mode
Local-ID=		MyNet-XXX
Remote-ID=		OtherNet-YYY

[IPSec-Conn-XXX-ZZZ]
Phase=			2
ISAKMP-peer=		ISAKMP-peer-node-ZZZ
Configuration=		Default-quick-mode
Local-ID=		MyNet-XXX
Remote-ID=		OtherNet-ZZZ

# Client ID sections
####################

# Every site is described as an IPv4 subnet; the template assumes a
# 255.255.255.0 network at each site.  Change Network and Netmask
# together if a site is sized differently.
[MyNet-XXX]
ID-type=		IPV4_ADDR_SUBNET
Network=		192.168.XXX.0
Netmask=		255.255.255.0

[OtherNet-YYY]
ID-type=		IPV4_ADDR_SUBNET
Network=		192.168.YYY.0
Netmask=		255.255.255.0

[OtherNet-ZZZ]
ID-type=		IPV4_ADDR_SUBNET
Network=		192.168.ZZZ.0
Netmask=		255.255.255.0

#
# There is no more node-specific configuration below this point.
#
# Miscellaneous configuration parameters
# Retransmits is the number of times a message is resent before the
# exchange is given up; Exchange-max-time is the overall limit on an
# exchange (presumably seconds -- confirm against isakmpd.conf(5)).
[General]
Retransmits=		3
Exchange-max-time=	120

# Main mode descriptions
# Only the 3DES-SHA transform is offered to peers.  The other main mode
# transforms defined further down are alternatives and stay unused
# unless they are added to the Transforms list here.
[Default-main-mode]
DOI=			IPSEC
EXCHANGE_TYPE=		ID_PROT
Transforms=		3DES-SHA

# Quick mode description
########################
# The chosen suite is the PFS variant: its ESP transform carries a
# GROUP_DESCRIPTION, so every quick mode exchange does a fresh
# Diffie-Hellman instead of deriving keys from the phase 1 secret alone.
[Default-quick-mode]
DOI=			IPSEC
EXCHANGE_TYPE=		QUICK_MODE
Suites=			QM-ESP-3DES-SHA-PFS-SUITE

# Main mode transforms
######################
# All main mode transforms in this file authenticate with PRE_SHARED,
# i.e. the "Authentication=" secrets in the peer sections above.
# "Life=" may list several lifetime sections; the ones here are
# defined near the end of the file.

# DES
# NOTE(review): single DES, MD5 and the 768-bit MODP group are weak by
# current standards.  They are not referenced by Default-main-mode and
# are kept only as interoperability alternatives.
[DES-MD5]
ENCRYPTION_ALGORITHM=	DES_CBC
HASH_ALGORITHM=		MD5
AUTHENTICATION_METHOD=	PRE_SHARED
GROUP_DESCRIPTION=	MODP_768
Life=			LIFE_600_SECS,LIFE_1000_KB

# Same as DES-MD5 but with a time-based lifetime only (no kilobyte limit).
[DES-MD5-NO-VOL-LIFE]
ENCRYPTION_ALGORITHM=	DES_CBC
HASH_ALGORITHM=		MD5
AUTHENTICATION_METHOD=	PRE_SHARED
GROUP_DESCRIPTION=	MODP_768
Life=			LIFE_600_SECS

[DES-SHA]
ENCRYPTION_ALGORITHM=	DES_CBC
HASH_ALGORITHM=		SHA
AUTHENTICATION_METHOD=	PRE_SHARED
GROUP_DESCRIPTION=	MODP_768
Life=			LIFE_600_SECS,LIFE_1000_KB

# 3DES
# This is the only transform Default-main-mode offers.
[3DES-SHA]
ENCRYPTION_ALGORITHM=	3DES_CBC
HASH_ALGORITHM=		SHA
AUTHENTICATION_METHOD=	PRE_SHARED
GROUP_DESCRIPTION=	MODP_1024
Life=			LIFE_600_SECS,LIFE_1000_KB

# Blowfish
# KEY_LENGTH follows the same "offered,min:max" shape as LIFE_DURATION
# at the end of the file: 128 bits offered, 96 to 192 accepted
# (presumably -- confirm against isakmpd.conf(5)).
[BLF-SHA-M1024]
ENCRYPTION_ALGORITHM=	BLOWFISH_CBC
KEY_LENGTH=		128,96:192
HASH_ALGORITHM=		SHA
AUTHENTICATION_METHOD=	PRE_SHARED
GROUP_DESCRIPTION=	MODP_1024
Life=			LIFE_600_SECS,LIFE_1000_KB

# The EC2N_* variants use elliptic-curve groups instead of MODP groups.
[BLF-SHA-EC155]
ENCRYPTION_ALGORITHM=	BLOWFISH_CBC
KEY_LENGTH=		128,96:192
HASH_ALGORITHM=		SHA
AUTHENTICATION_METHOD=	PRE_SHARED
GROUP_DESCRIPTION=	EC2N_155
Life=			LIFE_600_SECS,LIFE_1000_KB

[BLF-MD5-EC155]
ENCRYPTION_ALGORITHM=	BLOWFISH_CBC
KEY_LENGTH=		128,96:192
HASH_ALGORITHM=		MD5
AUTHENTICATION_METHOD=	PRE_SHARED
GROUP_DESCRIPTION=	EC2N_155
Life=			LIFE_600_SECS,LIFE_1000_KB

[BLF-SHA-EC185]
ENCRYPTION_ALGORITHM=	BLOWFISH_CBC
KEY_LENGTH=		128,96:192
HASH_ALGORITHM=		SHA
AUTHENTICATION_METHOD=	PRE_SHARED
GROUP_DESCRIPTION=	EC2N_185
Life=			LIFE_600_SECS,LIFE_1000_KB

# Quick mode protection suites
##############################
# A suite is a comma-separated list of the quick mode protocol
# sections (defined below) that are negotiated together.

# DES
[QM-ESP-DES-SUITE]
Protocols=		QM-ESP-DES

# NOTE(review): no [QM-ESP-DES-PFS] protocol section exists anywhere in
# this file, so this suite cannot be negotiated as written.  It is not
# referenced by Default-quick-mode; either define the protocol and its
# transform or drop the suite.
[QM-ESP-DES-PFS-SUITE]
Protocols=		QM-ESP-DES-PFS

[QM-ESP-DES-MD5-SUITE]
Protocols=		QM-ESP-DES-MD5
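[QM-ESP-DES-MD5-PFS-SUITE]
Protocols=		QM-ESP-DES-MD5-PFS

[QM-ESP-DES-SHA-SUITE]
Protocols=		QM-ESP-DES-SHA

# NOTE(review): no [QM-ESP-DES-SHA-PFS] protocol section exists anywhere
# in this file, so this suite cannot be negotiated as written.  It is
# not referenced by Default-quick-mode; either define the protocol and
# its transform or drop the suite.
[QM-ESP-DES-SHA-PFS-SUITE]
Protocols=		QM-ESP-DES-SHA-PFS

# 3DES
[QM-ESP-3DES-SHA-SUITE]
Protocols=		QM-ESP-3DES-SHA

# The suite selected by Default-quick-mode.
[QM-ESP-3DES-SHA-PFS-SUITE]
Protocols=		QM-ESP-3DES-SHA-PFS

# AH
[QM-AH-MD5-SUITE]
Protocols=		QM-AH-MD5

[QM-AH-MD5-PFS-SUITE]
Protocols=		QM-AH-MD5-PFS

# AH + ESP
# Bundles: both protocols are negotiated in one quick mode exchange.
[QM-AH-MD5-ESP-DES-SUITE]
Protocols=		QM-AH-MD5,QM-ESP-DES

[QM-AH-MD5-ESP-DES-MD5-SUITE]
Protocols=		QM-AH-MD5,QM-ESP-DES-MD5

[QM-ESP-DES-MD5-AH-MD5-SUITE]
Protocols=		QM-ESP-DES-MD5,QM-AH-MD5

# Quick mode protocols
# Each protocol names one IPsec protocol (ESP or AH) and the transform
# section(s) offered for it.

# DES
[QM-ESP-DES]
PROTOCOL_ID=		IPSEC_ESP
Transforms=		QM-ESP-DES-XF

[QM-ESP-DES-MD5]
PROTOCOL_ID=		IPSEC_ESP
Transforms=		QM-ESP-DES-MD5-XF

[QM-ESP-DES-MD5-PFS]
PROTOCOL_ID=		IPSEC_ESP
Transforms=		QM-ESP-DES-MD5-PFS-XF

[QM-ESP-DES-SHA]
PROTOCOL_ID=		IPSEC_ESP
Transforms=		QM-ESP-DES-SHA-XF

# 3DES
[QM-ESP-3DES-SHA]
PROTOCOL_ID=		IPSEC_ESP
Transforms=		QM-ESP-3DES-SHA-XF

[QM-ESP-3DES-SHA-PFS]
PROTOCOL_ID=		IPSEC_ESP
Transforms=		QM-ESP-3DES-SHA-PFS-XF

# Transport mode variant; no suite in this file references it.
[QM-ESP-3DES-SHA-TRP]
PROTOCOL_ID=		IPSEC_ESP
Transforms=		QM-ESP-3DES-SHA-TRP-XF

# AH MD5
[QM-AH-MD5]
PROTOCOL_ID=		IPSEC_AH
Transforms=		QM-AH-MD5-XF

[QM-AH-MD5-PFS]
PROTOCOL_ID=		IPSEC_AH
Transforms=		QM-AH-MD5-PFS-XF

# Quick mode transforms
# A GROUP_DESCRIPTION in a quick mode transform requests PFS (a fresh
# Diffie-Hellman per quick mode exchange); transforms without one key
# the SA from the phase 1 secret.

# ESP DES+MD5
# NOTE(review): QM-ESP-DES-XF offers no AUTHENTICATION_ALGORITHM, so an
# SA built from it has encryption only and no integrity check.  It is
# not referenced by Default-quick-mode.
[QM-ESP-DES-XF]
TRANSFORM_ID=		DES
ENCAPSULATION_MODE=	TUNNEL
Life=			LIFE_600_SECS

[QM-ESP-DES-MD5-XF]
TRANSFORM_ID=		DES
ENCAPSULATION_MODE=	TUNNEL
AUTHENTICATION_ALGORITHM=	HMAC_MD5
Life=			LIFE_600_SECS

[QM-ESP-DES-MD5-PFS-XF]
TRANSFORM_ID=		DES
ENCAPSULATION_MODE=	TUNNEL
GROUP_DESCRIPTION=	MODP_768
AUTHENTICATION_ALGORITHM=	HMAC_MD5
Life=			LIFE_600_SECS

[QM-ESP-DES-SHA-XF]
TRANSFORM_ID=		DES
ENCAPSULATION_MODE=	TUNNEL
AUTHENTICATION_ALGORITHM=	HMAC_SHA
Life=			LIFE_600_SECS

# 3DES
# The 3DES transforms rekey more often (LIFE_200_SECS) than the DES ones.
[QM-ESP-3DES-SHA-XF]
TRANSFORM_ID=		3DES
ENCAPSULATION_MODE=	TUNNEL
AUTHENTICATION_ALGORITHM=	HMAC_SHA
Life=			LIFE_200_SECS

# The transform actually used by Default-quick-mode (via
# QM-ESP-3DES-SHA-PFS-SUITE / QM-ESP-3DES-SHA-PFS).
[QM-ESP-3DES-SHA-PFS-XF]
TRANSFORM_ID=		3DES
ENCAPSULATION_MODE=	TUNNEL
AUTHENTICATION_ALGORITHM=	HMAC_SHA
GROUP_DESCRIPTION=	MODP_1024
Life=			LIFE_200_SECS

[QM-ESP-3DES-SHA-TRP-XF]
TRANSFORM_ID=		3DES
ENCAPSULATION_MODE=	TRANSPORT
AUTHENTICATION_ALGORITHM=	HMAC_SHA
Life=			LIFE_200_SECS

# AH
[QM-AH-MD5-XF]
TRANSFORM_ID=		MD5
ENCAPSULATION_MODE=	TUNNEL
AUTHENTICATION_ALGORITHM=	HMAC_MD5
Life=			LIFE_600_SECS

# Same as QM-AH-MD5-XF plus PFS.  The AUTHENTICATION_ALGORITHM attribute
# was missing here while its non-PFS sibling carried it; AH has no other
# way to state the integrity algorithm, so it is given explicitly.
[QM-AH-MD5-PFS-XF]
TRANSFORM_ID=		MD5
ENCAPSULATION_MODE=	TUNNEL
GROUP_DESCRIPTION=	MODP_768
AUTHENTICATION_ALGORITHM=	HMAC_MD5
Life=			LIFE_600_SECS

# Lifetimes
# LIFE_DURATION is "offered,min:max": the value proposed to the peer and
# the range accepted from it.  SECONDS lifetimes are time based,
# KILOBYTES lifetimes are traffic-volume based.
[LIFE_200_SECS]
LIFE_TYPE=		SECONDS
LIFE_DURATION=		200,150:320

[LIFE_600_SECS]
LIFE_TYPE=		SECONDS
LIFE_DURATION=		600,450:720

[LIFE_3600_SECS]
LIFE_TYPE=		SECONDS
LIFE_DURATION=		3600,1800:7200

[LIFE_6_HOURS]
LIFE_TYPE=		SECONDS
LIFE_DURATION=		21600,16200:32400

[LIFE_1000_KB]
LIFE_TYPE=		KILOBYTES
LIFE_DURATION=		1000,768:1536

[LIFE_32_MB]
LIFE_TYPE=		KILOBYTES
LIFE_DURATION=		32768,16384:65536

[LIFE_4.5_GB]
LIFE_TYPE=		KILOBYTES
LIFE_DURATION=		4608000,4096000:8192000

# Certificates stored in PEM format
# Not exercised by this template, since every main mode transform above
# authenticates with PRE_SHARED; it only matters if AUTHENTICATION_METHOD
# is switched to certificate based.  Keep the private key file readable
# by root only.  Accept-self-signed stays disabled: enabling it would
# appear to let peers present certificates not issued by a CA under
# CA-directory, which removes the point of CA validation.
[X509-certificates]
CA-directory=		/etc/isakmpd/ca/
Cert-directory=		/etc/isakmpd/certs/
#Accept-self-signed=	defined
Private-key=		/etc/isakmpd/private/local.key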