summaryrefslogtreecommitdiff
path: root/sbin/isakmpd/isakmpd.policy.5
blob: a65cf5e63753f4c4839ac1bffce7ad6b311eca7c (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
.\" $OpenBSD: isakmpd.policy.5,v 1.26 2002/06/15 19:27:06 angelos Exp $
.\" $EOM: isakmpd.policy.5,v 1.24 2000/11/23 12:55:25 niklas Exp $
.\"
.\" Copyright (c) 1999-2001, Angelos D. Keromytis.  All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\" 3. All advertising materials mentioning features or use of this software
.\"    must display the following acknowledgement:
.\"	This product includes software developed by Ericsson Radio Systems.
.\" 4. The name of the author may not be used to endorse or promote products
.\"    derived from this software without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.\"
.\" Manual page, using -mandoc macros
.\"
.Dd October 10, 1998
.Dt ISAKMPD.POLICY 5
.Os
.Sh NAME
.Nm isakmpd.policy
.Nd policy configuration file for isakmpd
.Sh DESCRIPTION
.Nm
is the policy configuration file for the
.Nm isakmpd
daemon managing security association and key management for the
.Xr ipsec 4
layer of the kernel's networking stack.
.Pp
The
.Xr isakmpd 1
daemon (also known as IKE, for Internet Key Exchange) is used when two
systems need to automatically setup a pair of Security Associations
(SAs) for securely communicating using IPsec.
IKE operates in two stages:
.Pp
In the first stage (Main or Identity Protection Mode), the two IKE
daemons establish a secure link between themselves, fully
authenticating each other and establishing key material for
encrypting/authenticating future communications between them.
This step is typically only performed once for every pair of IKE daemons.
.Pp
In the second stage (also called Quick Mode), the two IKE daemon
create the pair of SAs for the parties that wish to communicate using
IPsec.
These parties may be the hosts the IKE daemons run on, a host
and a network behind a firewall, or two networks behind their
respective firewalls.
At this stage, the exact parameters of the SAs
(e.g., algorithms to use, encapsulation mode, lifetime) and the
identities of the communicating parties (hosts, networks, etc.) are
specified.
The reason of existance of Quick Mode is to allow for fast
SA setup, once the more heavy-weight Main Mode has been completed.
Generally, Quick Mode uses the key material derived from Main Mode to
provide keys to the IPsec transforms to be used.
Alternatively, a new
Diffie-Hellman computation may be performed (significantly slowing
down the exchange, but at the same time providing Perfect Forward
Secrecy (PFS)).
Briefly, this means that even should an attacker
manage to break long-term keys used in other sessions (or,
specifically, if an attacker breaks the Diffie-Hellman exchange
performed during Main Mode), they will not be able to decrypt this
traffic.
Normally, no PFS is provided (the key material used by the
IPsec SAs established as a result of this exchange will be derived
from the key material of the Main Mode exchange), allowing for a
faster Quick Mode exchange (no public key computations).
.Pp
IKE proposals are "suggestions" by the initiator of an exchange to the
responder as to what protocols and attributes should be used on a
class of packets.
For example, a given exchange may ask for ESP with
3DES and MD5 and AH with SHA1 (applied successively on the same
packet), or just ESP with Blowfish and RIPEMD-160.
The responder
examines the proposals and determines which of them are acceptable,
according to policy and any credentials.
.Pp
The following paragraphs assume some knowledge of the contents of
.Xr keynote 4
and
.Xr keynote 5
man pages.
.Pp
In the KeyNote policy model for IPsec, no distinction is currently
made based on the ordering of AH and ESP in the packet.
Should this
change in the future, an appropriate attribute (see below) will be
added.
.Pp
The goal of security policy for IKE is thus to determine, based on
local policy (provided in the
.Nm isakmpd.policy
file), credentials provided during the IKE exchanges (or obtained
through other means), the SA attributes proposed during the exchange,
and perhaps other (side-channel) information, whether a pair of SAs
should be installed in the system (in fact, whether both the IPsec SAs
and the flows should be installed).
For each proposal suggested by or
to the remote IKE daemon, the KeyNote system is consulted as to
whether the proposal is acceptable based on local policy (contained in
.Nm isakmpd.policy ,
in the form of policy assertions) and remote credentials (e.g.,
KeyNote credentials or X509 certificates provided by the remote IKE
daemon).
.Pp
.Nm isakmpd.policy
is simply a flat
.Xr ascii 7
file containing KeyNote policy assertions, separated by blank lines
(note that KeyNote assertions may not contain blank lines).
.Nm isakmpd.policy
is read when
.Xr isakmpd 8
is first started, and every time it receives a
.Dv SIGHUP
signal.
The new policies read will be used for all new Phase 2 (IPsec)
SAs established from that point on (even if the associated Phase 1 SA
was already established when the new policies were loaded).
The policy change will not affect already established Phase 2 SAs.
.Pp
For more details on KeyNote assertion format, please see
.Xr keynote 5 .
Briefly, KeyNote policy assertions used in IKE have the following
characteristics:
.Pp
.nf
* The Authorizer field is typically "POLICY" (but see the examples
  below, for use of policy delegation).

* The Licensees field can be an expression of passphrases used for
  authentication of the Main Mode exchanges, and/or public keys
  (typically, X509 certificates), and/or X509 distinguished names.

* The Conditions field contains an expression of attributes from the
  IPsec policy action set (see below as well as the keynote syntax man
  page for more details).

* The ordered return-values set for IPsec policy is "false, true".
.fi
.Pp
For an explanation of these fields and their semantics, see
.Xr keynote 5 .
.Pp
For example, the following policy assertion:
.Bd -literal
    Authorizer: "POLICY"
    Licensees: "passphrase:foobar" || "x509-base64:abcd==" ||
      "passphrase-md5-hex:3858f62230ac3c915f300c664312c63f" ||
      "passphrase-sha1-hex:8843d7f92416211de9ebb963ff4ce28125932878"
    Conditions: app_domain == "IPsec policy" && esp_present == "yes"
		&& esp_enc_alg != "null" -> "true";
.Ed
.Pp
says that any proposal from a remote host that authenticates using the
passphrase "foobar" or the public key contained in the X509
certificate encoded as "abcd==" will be accepted, as long as it
contains ESP with a non-null algorithm (i.e., the packet will be
encrypted).
The last two authorizers are the MD5 and SHA1 hashes respectively of
the passphrase "foobar".
This form may be used instead of the "passphrase:..." one to protect
the passphrase as included in the policy file (or as distributed in a
signed credential).
.Pp
The following policy assertion:
.Bd -literal
    Authorizer: "POLICY"
    Licensees: "DN:/CN=CA Certificate"
    Conditions: app_domain == "IPsec policy" && esp_present == "yes"
		&& esp_enc_alg != "null" -> "true";
.Ed
.Pp
is similar to the previous one, but instead of including a complete
X509 credential in the Licensees field, only the X509 certificate's
Subject Canonical Name need to be specified (note that the "DN:"
prefix is necessary).
.Pp
KeyNote credentials have the same format as policy assertions, with
one difference: the Authorizer field always contains a public key, and
the assertion is signed (and thus its integrity can be
cryptographically verified).
Credentials are used to build chains of delegation of authority.
They can be exchanged during an IKE exchange,
or can be retrieved through some out-of-band mechanism (no such
mechanism is currently supported in this implementation however).
See
.Xr isakmpd.conf 5
on how to specify what credentials to send in an IKE exchange.
.Pp
Passphrases that appear in the Licensees field are encoded as the
string "passphrase:", followed by the passphrase itself
(case-sensitive).
Alternately (and preferably), they may be encoded using the
"passphrase-md5-hex:" or "passphrase-sha1-hex:" prefixes, followed
by the
.Xr md5 1
or
.Xr sha1 1
hash of the passphrase itself, encoded as a hexadecimal string (using
lower-case letters only).
.Pp
When X509-based authentication is performed in Main Mode, any X509
certificates received from the remote IKE daemon are converted to very
simple KeyNote credentials.
The conversion is straightforward: the
issuer of the X509 certificate becomes the Authorizer of the KeyNote
credential, the subject becomes the only Licensees entry, while the
Conditions field simply asserts that the credential is only valid for
"IPsec policy" use (see the app_domain action attribute below).
.Pp
Similarly, any X509 CA certificates present in the directory pointed
to by the appropriate
.Xr isakmpd.conf 5
entry, are converted to such pseudo-credentials.
This allows one to
write KeyNote policies that delegate specific authority to CAs (and
the keys those CAs certify, recursively).
.Pp
For more details on KeyNote assertion format, see
.Xr keynote 5 .
.Pp
Information about the proposals, the identity of the remote IKE
daemon, the packet classes to be protected, etc. are encoded in what
is called an action set.
The action set is composed of name-value
attribute, similar in some way to a shell environment variables.
These values are initialized by
.Nm isakmpd
before each query to the KeyNote system, and can be tested against in
the Conditions field of assertions.
See
.Xr keynote 4
and
.Xr keynote 5
for more details on the format and semantics of the Conditions field.
.Pp
Note that assertions and credentials can make reference to
non-existant attributes without catastrophic failures (access may be
denied, depending on the overall structure, but will not be
accidentally granted).
One reason for credentials referencing
non-existant attributes is that they were defined within a specific
implementation or network only.
.Pp
In the following attribute set, IPv4 addresses are encoded as ASCII
strings in the usual dotted-quad format.
However, all quads are three digits long.
For example, the IPv4 address
.Va 10.128.1.12
would be encoded as
.Va 010.128.001.012 .
Similarly, IPv6 addresses are encoded in the standard x:x:x:x:x:x:x:x
format, where the 'x's are the hexadecimal values of the eight 16-bit
pieces of the address.
All 'x's are four digits long.
For example, the address
.Va 1080:0:12:0:8:800:200C:417A
would be encoded as
.Va 1080:0000:0012:0000:0008:0800:200C:417A .
.Pp
The following attributes are currently defined:
.Bl -tag -width -indent
.It app_domain
Always set to
.Va IPsec policy .
.It doi
Always set to
.Va ipsec .
.It initiator
Set to
.Va yes
if the local daemon is initiating the Phase 2 SA,
.Va no
otherwise.
.It phase_1
Set to
.Va aggressive
if aggressive mode was used to establish the Phase 1 SA, or
.Va main
if main mode was used instead.
.It pfs
Set to
.Va yes
if a Diffie-Hellman exchange will be performed during this Quick Mode,
.Va no
otherwise.
.It ah_present, esp_present, comp_present
Set to
.Va yes
if an AH, ESP, or compression proposal was received respectively,
.Va no
otherwise.
.It ah_hash_alg
One of
.Va md5 ,
.Va sha ,
.Va ripemd ,
or
.Va des ,
based on the hash algorithm specified in the AH proposal.
This attribute describes the generic transform to be used in the AH
authentication.
.It esp_enc_alg
One of
.Va des ,
.Va des-iv64 ,
.Va 3des ,
.Va rc4 ,
.Va idea ,
.Va cast ,
.Va blowfish ,
.Va 3idea ,
.Va des-iv32 ,
.Va rc4 ,
.Va null ,
or
.Va aes ,
based on the encryption algorithm specified in the ESP proposal.
.It comp_alg
One of
.Va oui ,
.Va deflate ,
.Va lzs ,
or
.Va v42bis ,
based on the compression algorithm specified in the compression
proposal.
.It ah_auth_alg
One of
.Va hmac-md5 ,
.Va hmac-sha ,
.Va des-mac ,
.Va kpdk ,
or
.Va hmac-ripemd .
based on the authentication method specified in the AH proposal.
.It esp_auth_alg
One of
.Va hmac-md5 ,
.Va hmac-sha ,
.Va des-mac ,
.Va kpdk ,
or
.Va hmac-ripemd
based on the authentication method specified in the ESP proposal.
.It ah_life_seconds, esp_life_seconds, comp_life_seconds
Set to the lifetime of the AH, ESP, and compression proposal, in
seconds.
If no lifetime was proposed for the corresponding protocol
(e.g., there was no proposal for AH), the corresponding attribute will
be set to zero.
.It ah_life_kbytes, esp_life_kbytes, comp_life_kbytes
Set to the lifetime of the AH, ESP, and compression proposal, in
kbytes of traffic.
If no lifetime was proposed for the corresponding
protocol (e.g., there was no proposal for AH), the corresponding
attribute will be set to zero.
.It ah_encapsulation, esp_encapsulation, comp_encapsulation
Set to
.Va tunnel
or
.Va transport ,
based on the AH, ESP, and compression proposal.
.It ah_ecn, esp_ecn, comp_ecn
Set to
.Va yes
or
.Va no ,
based on whether ECN was requested for the IPsec tunnel.
.It comp_dict_size
Specifies the log2 maximum size of the dictionary, according to the
compression proposal.
.It comp_private_alg
Set to an integer specifying the private algorithm in use, according
to the compression proposal.
.It ah_key_length, esp_key_length
The number of key bits to be used by the authentication and encryption
algorithms respectively (for variable key-size algorithms).
.It ah_key_rounds, esp_key length
The number of rounds of the authentication and encryption algorithms
respectively (for variable round algorithms).
.It ah_group_desc, esp_group_desc, comp_group_desc
The Diffie-Hellman group identifier from the AH, ESP, and compression
proposal, used for PFS during Quick Mode (see the pfs attribute
above).
If more than one of these attributes are set to a value other
than zero, they should have the same value (in valid IKE proposals).
Valid values are 1 (768-bit MODP), 2 (1024-bit MODP), 3 (155-bit EC),
4 (185-bit EC), and 5 (1536-bit MODP).
.It phase1_group_desc
The Diffie-Hellman group identifier used in IKE Phase 1.
Takes the same values as
.Va ah_group_desc .
.It remote_filter_type, local_filter_type, remote_id_type
Set to
.Va IPv4 address ,
.Va IPv4 range ,
.Va IPv4 subnet ,
.Va IPv6 address ,
.Va IPv6 range ,
.Va IPv6 subnet ,
.Va FQDN ,
.Va User FQDN ,
.Va ASN1 DN ,
.Va ASN1 GN ,
or
.Va Key ID ,
based on the Quick Mode Initiator ID, Quick Mode Responder ID, and
Main Mode peer ID respectively.
.It remote_filter_addr_upper, local_filter_addr_upper, remote_id_addr_upper
When the corresponding filter_type is
.Va IPv4 address
or
.Va IPv6 address ,
these contain the respective address.
For
.Va IPv4 range
or
.Va IPv6 range ,
they contain the upper end of the address range.
For
.Va IPv4 subnet
or
.Va IPv6 subnet ,
they contain the highest address in the specified subnet.
.It remote_filter_addr_lower, local_filter_addr_lower, remote_id_addr_lower
When the corresponding filter_type is
.Va IPv4 address
or
.Va IPv6 address ,
these contain the respective address.
For
.Va IPv4 range
or
.Va IPv6 range ,
these contain the lower end of the address range.
For
.Va IPv4 subnet
or
.Va IPv6 subnet ,
these contain the lowest address in the specified subnet.
.It remote_filter, local_filter, remote_id
When the corresponding filter_type specifies an address range or
subnet, these are set to the upper and lower part of the address
space separated by a dash ('-') character (if the type specifies a
single address, they are set to that address).
.Pp
For FQDN and User FQDN types, these are set to the respective string.
For Key ID, these are set to the hexadecimal representation of the
associated byte string (lower-case letters used) if the Key ID payload
contains non-printable characters.
Otherwise, they are set to the respective string.
.Pp
For ASN1 DN, these are set to the text encoding of the Distinguished
Name in the payload sent or received.
The format is the same as that used in the Licensees field.
.It remote_filter_port, local_filter_port, remote_id_port
Set to the transport protocol port.
.It remote_filter_proto, local_filter_proto, remote_id_proto
Set to
.Va etherip ,
.Va tcp ,
.Va udp ,
or the transport protocol number, depending on the transport protocol set
in the IDci, IDcr, and Main Mode peer ID respectively.
.It remote_negotiation_address
Set to the IPv4 or IPv6 address of the remote IKE daemon.
.It local_negotiation_address
Set to the IPv4 or IPv6 address of the local interface used by the local IKE
daemon for this exchange.
.It GMTTimeOfDay
Set to the UTC date/time, in YYYYMMDDHHmmSS format.
.It LocalTimeOfDay
Set to the local date/time, in YYYYMMDDHHmmSS format.
.El
.Sh EXAMPLES
.Bd -literal
    Authorizer: "POLICY"
    Comment: This bare-bones assertion accepts everything



    Authorizer: "POLICY"
    Licensees: "passphrase-md5-hex:10838982612aff543e2e62a67c786550"
    Comment: This policy accepts anyone using shared-secret
	     authentication using the password mekmitasisgoat,
	     and does ESP with some form of encryption (not null).
    Conditions: app_domain == "IPsec policy" &&
                esp_present == "yes" &&
                esp_enc_alg != "null" -> "true";



    Authorizer: "POLICY"
    Licensees: "subpolicy1" || "subpolicy2"
    Comment: Delegate to two other sub-policies, so we
             can manage our policy better. Since these subpolicies
             are not "owned" by a key (and are thus unsigned), they
	     have to be in isakmpd.policy.
    Conditions: app_domain == "IPsec policy";



    KeyNote-Version: 2
    Licensees: "passphrase-md5-hex:9c42a1346e333a770904b2a2b37fa7d3"
    Conditions: esp_present == "yes" -> "true";
    Authorizer: "subpolicy1"



    Conditions: ah_present == "yes" ->
                   {
                       ah_auth_alg == "md5" -> "true";
                       ah_auth_alg == "sha" &&
                       esp_present == "no" -> "true";
                   };
    Licensees: "passphrase:otherpassword" ||
       "passphrase-sha1-hex:f5ed6e4abd30c36a89409b5da7ecb542c9fbf00f"
    Authorizer: "subpolicy2"



    keynote-version: 2
    comment: this is an example of a policy delegating to a CN.
    authorizer: "POLICY"
    licensees: "DN:/CN=CA Certificate/Email=ca@foo.bar.com"



    keynote-version: 2
    comment: This is an example of a policy delegating to a key.
    authorizer: "POLICY"
    licensees: "x509-base64:MIICGDCCAYGgAwIBAgIBADANBgkqhkiG9w0BAQQ\\
		FADBSMQswCQYDVQQGEwJHQjEOMAwGA1UEChMFQmVuQ28xETAPBg\\
		NVBAMTCEJlbkNvIENBMSAwHgYJKoZIhvcNAQkBFhFiZW5AYWxnc\\
		m91cC5jby51azAeFw05OTEwMTEyMjQ5MzhaFw05OTExMTAyMjQ5\\
		MzhaMFIxCzAJBgNVBAYTAkdCMQ4wDAYDVQQKEwVCZW5DbzERMA8\\
		GA1UEAxMIQmVuQ28gQ0ExIDAeBgkqhkiG9w0BCQEWEWJlbkBhbG\\
		dyb3VwLmNvLnVrMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBg\\
		QCxyAte2HEVouXg1Yu+vDihbnjDRn+6k00Rv6cZqbwA3BQ30mC/\\
		3TFJ09VGXCaM0UKfpnxIpkBYLmOA3FWkKI0RvPU7E1AhKkhC1Ds\\
		PSBFjYHrB15T5lYzgfwKJCIxTDzZDx2iobUgPa0FRNGVUjpQ4/k\\
		MJ2BF4Wh7zY3X08rMzsQIDAQABMA0GCSqGSIb3DQEBBAUAA4GBA\\
		DWJ5pbTcE7iKHWLQTMYiz8i9jGi5+Eo1yr1Bab90tgaGQV0zrRH\\
		jDHgAAy1h8WSXuyQrXfgbx2rnWFPhx9CfmuAXn7sZmQE3mnUqeP\\
		ZL2dW87jdBGqtoUdNcoz5zKBkC943yasNui/O01MiqgadTThTJH\\
		d1Pn17LbJC1ZVRNjR5"
    conditions: app_domain == "IPsec policy" && doi == "ipsec" &&
            pfs == "yes" && esp_present == "yes" && ah_present == "no" &&
            (esp_enc_alg == "3des" || esp_enc_alg == "aes") -> "true";



    keynote-version: 2
    comment: This is an example of a credential, the signature does
	     not really verify (although the keys are real).
    licensees: "x509-base64:MIICGDCCAYGgAwIBAgIBADANBgkqhkiG9w0BAQQ\\
		FADBSMQswCQYDVQQGEwJHQjEOMAwGA1UEChMFQmVuQ28xETAPBg\\
		NVBAMTCEJlbkNvIENBMSAwHgYJKoZIhvcNAQkBFhFiZW5AYWxnc\\
		m91cC5jby51azAeFw05OTEwMTEyMzA2MjJaFw05OTExMTAyMzA2\\
		MjJaMFIxCzAJBgNVBAYTAkdCMQ4wDAYDVQQKEwVCZW5DbzERMA8\\
		GA1UEAxMIQmVuQ28gQ0ExIDAeBgkqhkiG9w0BCQEWEWJlbkBhbG\\
		dyb3VwLmNvLnVrMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBg\\
		QDaCs+JAB6YRKAVkoi1NkOpE1V3syApjBj0Ahjq5HqYAACo1JhM\\
		+QsPwuSWCNhBT51HX6G6UzfY3mOUz/vou6MJ/wor8EdeTX4nucx\\
		NSz/r6XI262aXezAp+GdBviuJZx3Q67ON/IWYrB4QtvihI4bMn5\\
		E55nF6TKtUMJTdATvs/wIDAQABMA0GCSqGSIb3DQEBBAUAA4GBA\\
		MaQOSkaiR8id0h6Zo0VSB4HpBnjpWqz1jNG8N4RPN0W8muRA2b9\\
		85GNP1bkC3fK1ZPpFTB0A76lLn11CfhAf/gV1iz3ELlUHo5J8nx\\
		Pu6XfsGJm3HsXJOuvOog8Aean4ODo4KInuAsnbLzpGl0d+Jqa5u\\
		TZUxsyg4QOBwYEU92H"
    authorizer: "x509-base64:MIICGDCCAYGgAwIBAgIBADANBgkqhkiG9w0BAQQ\\
		 FADBSMQswCQYDVQQGEwJHQjEOMAwGA1UEChMFQmVuQ28xETAPBg\\
		 NVBAMTCEJlbkNvIENBMSAwHgYJKoZIhvcNAQkBFhFiZW5AYWxnc\\
		 m91cC5jby51azAeFw05OTEwMTEyMjQ5MzhaFw05OTExMTAyMjQ5\\
		 MzhaMFIxCzAJBgNVBAYTAkdCMQ4wDAYDVQQKEwVCZW5DbzERMA8\\
		 GA1UEAxMIQmVuQ28gQ0ExIDAeBgkqhkiG9w0BCQEWEWJlbkBhbG\\
		 dyb3VwLmNvLnVrMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBg\\
		 QCxyAte2HEVouXg1Yu+vDihbnjDRn+6k00Rv6cZqbwA3BQ30mC/\\
		 3TFJ09VGXCaM0UKfpnxIpkBYLmOA3FWkKI0RvPU7E1AhKkhC1Ds\\
		 PSBFjYHrB15T5lYzgfwKJCIxTDzZDx2iobUgPa0FRNGVUjpQ4/k\\
		 MJ2BF4Wh7zY3X08rMzsQIDAQABMA0GCSqGSIb3DQEBBAUAA4GBA\\
		 DWJ5pbTcE7iKHWLQTMYiz8i9jGi5+Eo1yr1Bab90tgaGQV0zrRH\\
		 jDHgAAy1h8WSXuyQrXfgbx2rnWFPhx9CfmuAXn7sZmQE3mnUqeP\\
		 ZL2dW87jdBGqtoUdNcoz5zKBkC943yasNui/O01MiqgadTThTJH\\
		 d1Pn17LbJC1ZVRNjR5"
conditions: app_domain == "IPsec policy" && doi == "ipsec" &&
	    pfs == "yes" && esp_present == "yes" && ah_present == "no" &&
            (esp_enc_alg == "3des" || esp_enc_alg == "aes") -> "true";
Signature: "sig-x509-sha1-base64:ql+vrUxv14DcBOQHR2jsbXayq6T\\
            mmtMiUB745a8rjwSrQwh+KIVDlUrghPnqhSIkWSDi9oWWMbfg\\
            mkdudZ0wjgeTLMI2NI4GibMMsToakOKMex/0q4cpdpln3DKcQ\\
            IcjzRv4khDws69FT3QfELjcpShvbLrXmh1Z00OFmxjyqDw="
.Ed
.Sh BUGS
A more sane way of expressing IPv6 address ranges is needed.
.Sh FILES
.Bl -tag -width /etc/isakmpd/isakmpd.policy
.It Pa /etc/isakmpd/isakmpd.policy
The default
.Nm isakmpd
policy configuration file.
.It Pa /usr/share/ipsec/isakmpd/policy
A sample
.Nm isakmpd
policy configuration file.
.El
.Sh SEE ALSO
.Xr ipsec 4 ,
.Xr keynote 4 ,
.Xr keynote 5 ,
.Xr isakmpd 8