# $OpenBSD: singlehost-west.conf,v 1.4 1999/07/18 09:33:33 niklas Exp $ # $EOM: singlehost-west.conf,v 1.4 1999/07/18 09:25:35 niklas Exp $ # A configuration sample for the isakmpd ISAKMP/Oakley (aka IKE) daemon. [General] Retransmits= 5 Exchange-max-time= 120 Listen-on= 10.1.0.1 Shared-SADB= Defined # Incoming phase 1 negotiations are multiplexed on the source IP address [Phase 1] 10.1.0.2= ISAKMP-peer-east Default= ISAKMP-peer-east-aggressive # These connections are walked over after config file parsing and told # to the application layer so that it will inform us when traffic wants to # pass over them. This means we can do on-demand keying. [Phase 2] Connections= IPsec-west-east [ISAKMP-peer-east] Phase= 1 Transport= udp Local-address= 10.1.0.1 Address= 10.1.0.2 # Default values for "Port" commented out #Port= isakmp #Port= 500 Configuration= Default-main-mode Identification= IPV4_ADDR/10.1.0.1 Authentication= mekmitasdigoat Flags= Stayalive [ISAKMP-peer-east-aggressive] Phase= 1 Transport= udp Local-address= 10.1.0.1 Address= 10.1.0.2 # Default values for "Port" commented out #Port= isakmp #Port= 500 Configuration= Default-aggressive-mode Identification= FQDN/diego.niklas.hallqvist.se Authentication= mekmitasdigoat Flags= Stayalive [IPsec-west-east] Phase= 2 ISAKMP-peer= ISAKMP-peer-east Configuration= Default-quick-mode Local-ID= Net-west Remote-ID= Net-east Flags= Stayalive [Net-west] ID-type= IPV4_ADDR_SUBNET Network= 192.168.1.0 Netmask= 255.255.255.0 [Net-east] ID-type= IPV4_ADDR_SUBNET Network= 192.168.2.0 Netmask= 255.255.255.0 # Phase 1 descriptions [Default-main-mode] DOI= IPSEC EXCHANGE_TYPE= ID_PROT Transforms= 3DES-SHA [Default-aggressive-mode] DOI= IPSEC EXCHANGE_TYPE= AGGRESSIVE Transforms= 3DES-SHA-RSA # Main mode transforms ###################### # DES [DES-MD5] ENCRYPTION_ALGORITHM= DES_CBC HASH_ALGORITHM= MD5 AUTHENTICATION_METHOD= PRE_SHARED GROUP_DESCRIPTION= MODP_768 Life= LIFE_600_SECS,LIFE_1000_KB [DES-MD5-NO-VOL-LIFE] ENCRYPTION_ALGORITHM= DES_CBC HASH_ALGORITHM= MD5 AUTHENTICATION_METHOD= PRE_SHARED GROUP_DESCRIPTION= MODP_768 Life= LIFE_600_SECS [DES-SHA] ENCRYPTION_ALGORITHM= DES_CBC HASH_ALGORITHM= SHA AUTHENTICATION_METHOD= PRE_SHARED GROUP_DESCRIPTION= MODP_768 Life= LIFE_600_SECS,LIFE_1000_KB # 3DES [3DES-SHA] ENCRYPTION_ALGORITHM= 3DES_CBC HASH_ALGORITHM= SHA AUTHENTICATION_METHOD= PRE_SHARED GROUP_DESCRIPTION= MODP_1024 Life= LIFE_180_SECS [3DES-SHA-RSA] ENCRYPTION_ALGORITHM= 3DES_CBC HASH_ALGORITHM= SHA AUTHENTICATION_METHOD= RSA_SIG GROUP_DESCRIPTION= MODP_1024 Life= LIFE_180_SECS # Blowfish [BLF-SHA-M1024] ENCRYPTION_ALGORITHM= BLOWFISH_CBC KEY_LENGTH= 128,96:192 HASH_ALGORITHM= SHA AUTHENTICATION_METHOD= PRE_SHARED GROUP_DESCRIPTION= MODP_1024 Life= LIFE_600_SECS,LIFE_1000_KB [BLF-SHA-EC155] ENCRYPTION_ALGORITHM= BLOWFISH_CBC KEY_LENGTH= 128,96:192 HASH_ALGORITHM= SHA AUTHENTICATION_METHOD= PRE_SHARED GROUP_DESCRIPTION= EC2N_155 Life= LIFE_600_SECS,LIFE_1000_KB [BLF-MD5-EC155] ENCRYPTION_ALGORITHM= BLOWFISH_CBC KEY_LENGTH= 128,96:192 HASH_ALGORITHM= MD5 AUTHENTICATION_METHOD= PRE_SHARED GROUP_DESCRIPTION= EC2N_155 Life= LIFE_600_SECS,LIFE_1000_KB [BLF-SHA-EC185] ENCRYPTION_ALGORITHM= BLOWFISH_CBC KEY_LENGTH= 128,96:192 HASH_ALGORITHM= SHA AUTHENTICATION_METHOD= PRE_SHARED GROUP_DESCRIPTION= EC2N_185 Life= LIFE_600_SECS,LIFE_1000_KB # Quick mode description ######################## [Default-quick-mode] DOI= IPSEC EXCHANGE_TYPE= QUICK_MODE Suites= QM-ESP-3DES-SHA-PFS-SUITE,QM-ESP-DES-MD5-PFS-SUITE # Quick mode protection suites ############################## # DES [QM-ESP-DES-SUITE] Protocols= QM-ESP-DES [QM-ESP-DES-PFS-SUITE] Protocols= QM-ESP-DES-PFS [QM-ESP-DES-MD5-SUITE] Protocols= QM-ESP-DES-MD5 [QM-ESP-DES-MD5-PFS-SUITE] Protocols= QM-ESP-DES-MD5-PFS [QM-ESP-DES-SHA-SUITE] Protocols= QM-ESP-DES-SHA [QM-ESP-DES-SHA-PFS-SUITE] Protocols= QM-ESP-DES-SHA-PFS # 3DES [QM-ESP-3DES-SHA-SUITE] Protocols= QM-ESP-3DES-SHA [QM-ESP-3DES-SHA-PFS-SUITE] Protocols= QM-ESP-3DES-SHA-PFS # AH [QM-AH-MD5-SUITE] Protocols= QM-AH-MD5 [QM-AH-MD5-PFS-SUITE] Protocols= QM-AH-MD5-PFS # AH + ESP [QM-AH-MD5-ESP-DES-SUITE] Protocols= QM-AH-MD5,QM-ESP-DES [QM-AH-MD5-ESP-DES-MD5-SUITE] Protocols= QM-AH-MD5,QM-ESP-DES-MD5 [QM-ESP-DES-MD5-AH-MD5-SUITE] Protocols= QM-ESP-DES-MD5,QM-AH-MD5 # Quick mode protocols # DES [QM-ESP-DES] PROTOCOL_ID= IPSEC_ESP Transforms= QM-ESP-DES-XF [QM-ESP-DES-MD5] PROTOCOL_ID= IPSEC_ESP Transforms= QM-ESP-DES-MD5-XF [QM-ESP-DES-MD5-PFS] PROTOCOL_ID= IPSEC_ESP Transforms= QM-ESP-DES-MD5-PFS-XF [QM-ESP-DES-SHA] PROTOCOL_ID= IPSEC_ESP Transforms= QM-ESP-DES-SHA-XF # 3DES [QM-ESP-3DES-SHA] PROTOCOL_ID= IPSEC_ESP Transforms= QM-ESP-3DES-SHA-XF [QM-ESP-3DES-SHA-PFS] PROTOCOL_ID= IPSEC_ESP Transforms= QM-ESP-3DES-SHA-PFS-XF [QM-ESP-3DES-SHA-TRP] PROTOCOL_ID= IPSEC_ESP Transforms= QM-ESP-3DES-SHA-TRP-XF # AH MD5 [QM-AH-MD5] PROTOCOL_ID= IPSEC_AH Transforms= QM-AH-MD5-XF [QM-AH-MD5-PFS] PROTOCOL_ID= IPSEC_AH Transforms= QM-AH-MD5-PFS-XF # Quick mode transforms # ESP DES+MD5 [QM-ESP-DES-XF] TRANSFORM_ID= DES ENCAPSULATION_MODE= TUNNEL Life= LIFE_600_SECS [QM-ESP-DES-MD5-XF] TRANSFORM_ID= DES ENCAPSULATION_MODE= TUNNEL AUTHENTICATION_ALGORITHM= HMAC_MD5 Life= LIFE_600_SECS [QM-ESP-DES-MD5-PFS-XF] TRANSFORM_ID= DES ENCAPSULATION_MODE= TUNNEL GROUP_DESCRIPTION= MODP_1024 AUTHENTICATION_ALGORITHM= HMAC_MD5 Life= LIFE_600_SECS [QM-ESP-DES-SHA-XF] TRANSFORM_ID= DES ENCAPSULATION_MODE= TUNNEL AUTHENTICATION_ALGORITHM= HMAC_SHA Life= LIFE_600_SECS # 3DES [QM-ESP-3DES-SHA-XF] TRANSFORM_ID= 3DES ENCAPSULATION_MODE= TUNNEL AUTHENTICATION_ALGORITHM= HMAC_SHA Life= LIFE_60_SECS [QM-ESP-3DES-SHA-PFS-XF] TRANSFORM_ID= 3DES ENCAPSULATION_MODE= TUNNEL AUTHENTICATION_ALGORITHM= HMAC_SHA GROUP_DESCRIPTION= MODP_1024 Life= LIFE_60_SECS [QM-ESP-3DES-SHA-TRP-XF] TRANSFORM_ID= 3DES ENCAPSULATION_MODE= TRANSPORT AUTHENTICATION_ALGORITHM= HMAC_SHA Life= LIFE_60_SECS # AH [QM-AH-MD5-XF] TRANSFORM_ID= MD5 ENCAPSULATION_MODE= TUNNEL AUTHENTICATION_ALGORITHM= HMAC_MD5 Life= LIFE_600_SECS [QM-AH-MD5-PFS-XF] TRANSFORM_ID= MD5 ENCAPSULATION_MODE= TUNNEL GROUP_DESCRIPTION= MODP_768 Life= LIFE_600_SECS [LIFE_60_SECS] LIFE_TYPE= SECONDS LIFE_DURATION= 60,45:120 [LIFE_180_SECS] LIFE_TYPE= SECONDS LIFE_DURATION= 180,120:240 [LIFE_600_SECS] LIFE_TYPE= SECONDS LIFE_DURATION= 600,450:720 [LIFE_3600_SECS] LIFE_TYPE= SECONDS LIFE_DURATION= 3600,1800:7200 [LIFE_1000_KB] LIFE_TYPE= KILOBYTES LIFE_DURATION= 1000,768:1536 [LIFE_32_MB] LIFE_TYPE= KILOBYTES LIFE_DURATION= 32768,16384:65536 [LIFE_4.5_GB] LIFE_TYPE= KILOBYTES LIFE_DURATION= 4608000,4096000:8192000 # Certificates stored in PEM format [X509-certificates] CA-directory= /etc/isakmpd/ca/ Cert-directory= /etc/isakmpd/certs/ #Accept-self-signed= defined Private-key= /etc/isakmpd/private/local.key