IKED(8)                   BSD System Manager's Manual                  IKED(8)

NAME
     iked.conf — Internet Key Exchange Daemon Configuration File

DESCRIPTION
     The iked.conf file is used to configure iked(8) ( Internet Key Exchange
     Daemon ). The parameters supplied are used to negotiate ISAKMP ( phase1 )
     and IPsec ( phase2 ) SAs for IPsec capable hosts.

     The configuration parameters are expressed as a series of sections
     containing a number of statements. Sections begin with a keyword
     optionally followed by a parameter list. All statements for a section are
     enclosed using the ‘{’ and ‘}’ characters. Statements begin with a keyword
     optionally followed by a parameter list and are terminated with the ‘;’
     character. Lines that begin with the ‘#’ character are treated as
     comments.

     This document denotes keywords and user supplied parameters using
     distinct fonts. Optional parameters are enclosed using the ‘[’ and ‘]’
     characters. Multiple keywords that may be valid for a single parameter
     are enclosed using the ‘(’ and ‘)’ characters and separated using the
     ‘|’ character.

     The defined parameter types are as follows ...

     number   A decimal number
     label    A string consisting of alphanumeric characters
     quoted   A quoted string enclosed in ‘"’ characters
     address  An IP address expressed as x.x.x.x
     network  An IP network and prefix length expressed as x.x.x.x/y

   Daemon Section
     daemon { statements }
          Specifies the general configuration for iked(8) operation. This
          includes parameters related to the basic network configuration, log
          file and debug output. Only one daemon section should be defined.

          socket (ike | natt) [address] number;
               An address and port number that should be used for ike or natt
               communications. If the address parameter is omitted, the daemon
               will attempt to bind to any address for the given port number.
               If no socket statements are specified, the daemon will attempt
               to bind to all interfaces for both ike and natt using the
               default port numbers ( 500 & 4500 respectively ). Note, the natt
               keyword can only be specified if the daemon was compiled with
               natt support.
          retry_count number;
               The number of times an exchange packet should be resent to a
               peer. The default value for this parameter is 2.
          retry_delay number;
               The number of seconds to wait between packet resend attempts.
               The default value for this parameter is 10.
          log_file quoted;
               The path and file name that should be used for log output.
          log_level (none | error | info | debug | loud | decode);
               The log output detail level. The default value for this
               parameter is none.
          pcap_decrypt quoted;
               The path and file name that should be used to dump decrypted
               ike packets in pcap format. If no pcap_decrypt statement is
               specified, this feature is disabled.
          pcap_encrypt quoted;
               The path and file name that should be used to dump encrypted
               ike packets in pcap format. If no pcap_encrypt statement is
               specified, this feature is disabled.
          dhcp_file quoted;
               The path and file name that should be used to store a dhcp mac
               address seed value for dhcp over ipsec negotiation. If no file
               is present, the file will be created.

   Network Group Section
     netgroup label { statements }
          Specifies a group of networks that can be referred to by the
          assigned label. Multiple netgroup sections may be defined.

          network;
               A network to be associated with this network group.

   XAuth LDAP Section
     xauth_ldap { statements }
          Specifies the LDAP configuration to be used when the xauth_source is
          set to ldap for a given peer section. Only one xauth_ldap section
          should be defined. Note, an xauth_ldap section can only be defined
          if the daemon was compiled with LDAP support.

          version number;
               The LDAP protocol version to be used ( 2 or 3 ). The default
               value for this parameter is 3.
          url quoted;
               The LDAP server url. For example, a url may look like
               "ldap://ldap.shrew.net:389".
          base quoted;
               The base dn to be used for LDAP searches. For example, a base
               dn may look like "ou=users,dc=shrew,dc=net".
          subtree (enable | disable);
               The search scope to be used for LDAP searches. If enabled,
               searches will be performed using the subtree search scope. If
               disabled, searches will be performed using the one level search
               scope. The default value for this parameter is disable.
          bind_dn quoted;
               The dn to bind as before performing LDAP searches. If this
               parameter is omitted, searches will be performed using
               anonymous binds.
          bind_pw quoted;
               The password to use when a bind_dn is specified.
          attr_user quoted;
               The attribute used to specify a user name in the LDAP
               directory. For example, if a user dn is
               "cn=user,dc=shrew,dc=net" then the attribute would be "cn". The
               default value for this parameter is "cn".
          attr_group quoted;
               The attribute used to specify a group name in the LDAP
               directory. For example, if a group dn is
               "cn=group,dc=shrew,dc=net" then the attribute would be "cn".
               The default value for this parameter is "cn".
          attr_member quoted;
               The attribute used to specify a group member in the LDAP
               directory. The default value for this parameter is "member".

   XConf Local Section
     xconf_local { statements }
          Specifies the Configuration Exchange settings to be used when the
          xconf_source is set to local for a given peer section. Only one
          xconf_local section should be defined.

          network4 network [number];
               The network that will be used to define a local address pool.
               An optional number can be specified to restrict the pool to a
               specific size. An address from this pool along with the network
               mask are passed to a peer when requested.
          dnss4 address;
               The dns server address to be passed to a peer when requested.
          nbns4 address;
               The netbios name server address to be passed to a peer when
               requested.
          dns_suffix quoted;
               The dns suffix to be passed to a peer when requested.
          dns_list quoted quoted ...;
               A list of split dns suffixes to be passed to a peer when
               requested. A peer can use this list to selectively forward dns
               requests to the dnss4 server when a query matches one of the
               supplied split dns suffixes.
          banner quoted;
               The path to a file that contains a login banner to be passed to
               a peer when requested.
          pfs_group number;
               The pfs group number to be passed to a peer when requested.

   Peer Section
     peer address [number] { statements }
          Specifies the parameters used to communicate with a given peer by
          address and optional port number. If the port value is omitted, the
          default isakmp port number will be used ( 500 ). If an address of
          0.0.0.0 is used, the peer section can be used for any remote host.
          Multiple peer sections may be defined.

          contact (initiator | responder | both);
               Specifies the contact type when establishing phase1
               negotiations with a peer. If initiator is used, the daemon will
               initiate contact but deny contact initiated by the peer. If
               responder is used, the daemon will allow contact initiated by
               the peer but will not initiate contact. If both is specified,
               the daemon will initiate contact and allow the peer to initiate
               contact.
          exchange (main | aggressive);
               Specifies the exchange type to be used for phase1 negotiations
               with a peer. The default value for this parameter is main.
          natt_mode (disable | enable | force [draft | rfc]);
               Specifies the NAT Traversal mode to be used for phase1
               negotiations with a peer. If disable is used, natt negotiations
               will not be attempted. If enable is used, the daemon will
               attempt to negotiate and use NAT Traversal when appropriate. If
               force is used, the daemon will use NAT Traversal even if the
               peer does not negotiate support for this feature. When force is
               used, the draft or rfc modifiers can optionally be specified to
               select the required method, with rfc being the default if
               omitted. The default value for this parameter is disable.
          natt_port number;
               Specifies the NAT Traversal port number to be used for phase1
               negotiations with a peer when acting as an initiator. The
               default value for this parameter is 4500.
          natt_rate number;
               Specifies the number of seconds between sending NAT Traversal
               keep-alive messages. The default value for this parameter is
               15.
          dpd_mode (disable | enable | force);
               Specifies the Dead Peer Detection mode to be used with a peer.
               If disable is used, DPD negotiations will not be attempted. If
               enable is used, the daemon will attempt to negotiate and use
               DPD when appropriate. If force is used, the daemon will use DPD
               even if the peer does not negotiate support for this feature.
               The default value for this parameter is disable.
          dpd_delay number;
               Specifies the number of seconds between sending DPD
               are-you-there messages. The default value for this parameter
               is 15.
          dpd_retry number;
               Specifies the number of times a DPD are-you-there message will
               be retransmitted when no response is received. The default
               value for this parameter is 5.
          frag_ike_mode (disable | enable | force);
               Specifies the IKE Fragmentation mode to be used with a peer. If
               disable is used, IKE Fragmentation negotiations will not be
               attempted. If enable is used, the daemon will attempt to
               negotiate and use IKE Fragmentation when appropriate. If force
               is used, the daemon will use IKE Fragmentation even if the peer
               does not negotiate support for this feature. The default value
               for this parameter is disable.
          frag_ike_size number;
               Specifies the maximum number of bytes for an IKE Fragment. The
               default value for this parameter is 520.
          frag_esp_mode (disable | enable);
               Specifies the ESP Fragmentation mode to be used with a peer. If
               disable is used, the daemon will create IPsec SAs without the
               ESP Fragmentation option. If enable is used, the daemon will
               create IPsec SAs with the ESP Fragmentation option. The default
               value for this parameter is disable. Note, ESP Fragmentation is
               only valid for IPsec SAs using NAT Traversal. The operating
               system must also have support for this feature. ( NetBSD Only )
          frag_esp_size number;
               Specifies the maximum number of bytes for an ESP Fragment. The
               default value for this parameter is 520.
          peerid (local | remote) type ...;
               Specifies either the local identity to be sent to a peer or the
               remote identity to be compared with the value received from a
               peer during phase1 negotiations. The valid identity types are
               as follows ...
               address [address];
                    An IP Address. If the address value is omitted, the
                    network address used during phase1 negotiations is used.
               fqdn quoted;
                    A Fully Qualified Domain Name string.
               ufqdn quoted;
                    A User Fully Qualified Domain Name string.
               asn1dn [quoted];
                    An ASN.1 Distinguished Name string. If the quoted value is
                    omitted, the daemon will acquire the DN from the subject
                    field contained within the certificate.
          authdata type ...;
               Specifies the authentication data to use during phase1
               negotiations. The valid authentication data types are as
               follows ...
               psk quoted;
                    A Pre Shared Secret.
               ca quoted [quoted];
                    A path to an OpenSSL PEM or PKCS12 file that contains the
                    Remote Certificate Authority. In the case where a PKCS12
                    file is encrypted, the second quoted parameter specifies
                    the file password.
               cert quoted [quoted];
                    A path to an OpenSSL PEM or PKCS12 file that contains the
                    Local Public Certificate. In the case where a PKCS12 file
                    is encrypted, the second quoted parameter specifies the
                    file password.
               pkey quoted [quoted];
                    A path to an OpenSSL PEM or PKCS12 file that contains the
                    Local Private Key. In the case where a PKCS12 file is
                    encrypted, the second quoted parameter specifies the
                    password.
          life_check level;
               Specifies the behavior when validating peer lifetime proposal
               values. The default level is claim. The valid levels are as
               follows ...
               obey    A responder will always use the initiator's value.
               strict  A responder will use the initiator's value if it is
                       shorter than the responder's. A responder will reject
                       the proposal if the initiator's value is greater than
                       the responder's.
               claim   A responder will use the initiator's value if it is
                       shorter than the responder's. A responder will use its
                       own value if it is shorter than the initiator's. In the
                       second case, the responder will send a
                       RESPONDER-LIFETIME notification to the initiator when
                       responding to phase2 proposals.
               exact   A responder will reject the proposal if the initiator's
                       value is not equal to the responder's.
          xauth_source (local | ldap) [quoted];
               Specifies the Extended Authentication source to be used for
               user authentication post phase1 negotiations. The optional
               quoted value specifies a group name that can be used to
               restrict access to only users that are valid members of the
               group. If local is used, the peer supplied credentials will be
               compared to the local account database. If ldap is used, the
               peer supplied credentials will be compared to an LDAP account
               database. The LDAP source configuration is defined in the
               xauth_ldap section. The default value for this parameter is
               local.
          xconf_source local [(push | pull)];
               Specifies the Configuration Exchange source to be used when
               responding to peer configuration requests. If local is used,
               the daemon will supply configuration information defined in
               the xconf_local section. The default value for this parameter
               is local.
          plcy_mode (disable | config | compat);
               Specifies the policy generation mode. When disable is used, no
               policy generation is performed. When config mode is used,
               policy generation is performed during Configuration Exchange.
               This allows the daemon to generate policies using the peer's
               private tunnel address. When compat mode is used, policy
               generation is performed post phase1 negotiations. This allows
               the daemon to interoperate with peers that do not support
               Configuration Exchanges.
          plcy_list { statements }
               Specifies a list of network groups and parameters that can be
               used to perform policy generation. If no plcy_list is defined
               but plcy_mode is set to config or compat, the daemon operates
               as if a single include statement was used that specified a
               netmap defining all networks.
               (include | exclude) label [quoted];
                    Specifies a netgroup by label for use with policy
                    generation. When include is used, the daemon will generate
                    appropriate IPsec policies and pass all netgroup defined
                    networks during the Configuration Exchange if requested. A
                    peer would use this configuration information to
                    selectively tunnel all traffic destined for any one of
                    these networks. If exclude is used, the daemon will
                    generate appropriate discard policies and pass all
                    netgroup defined networks during the Configuration
                    Exchange if requested. A peer would use this configuration
                    information to selectively bypass IPsec processing for all
                    traffic destined to any one of these networks. The
                    optional quoted string specifies a group name that can be
                    used to restrict processing of this netgroup to only users
                    that are valid members of the group. If XAuth is not
                    performed, statements that define a group name are
                    skipped.
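The include/exclude semantics above are easiest to see by expanding a plcy_list into concrete policies and then asking which policy a given destination hits. The code below is an added example, not iked's policy generator: the netgroup and plcy_list values are constructed for the example, and the longest-prefix resolution in policy_for is an assumption on my part (the page describes an excluded host inside an included network but does not spell out the lookup order).

```python
import ipaddress

# Constructed data mirroring the shape of the netgroup and plcy_list sections
# documented above (values are mine, not the page's third example).
NETGROUPS = {
    "allow":   ["10.1.1.0/24", "10.3.3.0/24"],
    "deny":    ["10.1.1.15/32"],
    "protect": ["10.4.4.0/24"],
}
PLCY_LIST = [                 # (include|exclude, netgroup label, group or None)
    ("include", "allow", None),
    ("exclude", "deny", None),
    ("include", "protect", "netadmin"),
]


def generate_policies(netgroups, plcy_list, xauth_groups=None):
    """Expand a plcy_list into (network, action) policies.

    xauth_groups is the set of groups the XAuth user belongs to, or None when
    XAuth was not performed; entries carrying a group name are skipped in that
    case, as the page describes.
    """
    action_for = {"include": "ipsec", "exclude": "discard"}
    policies = []
    for action, label, group in plcy_list:
        if group is not None and (xauth_groups is None or group not in xauth_groups):
            continue
        for net in netgroups[label]:
            policies.append((ipaddress.ip_network(net), action_for[action]))
    return policies


def policy_for(policies, destination):
    """Action for a destination address, or None when no policy covers it.

    Assumes the most specific (longest prefix) policy wins, so that an
    'exclude' of a single host inside an 'include' network takes effect.
    """
    addr = ipaddress.ip_address(destination)
    best = None
    for net, action in policies:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, action)
    return best[1] if best else None
```

With the constructed data, a user in only the "remote" group gets three policies and no route to 10.4.4.0/24; adding "netadmin" to the user's groups produces the fourth policy; passing `xauth_groups=None` (no XAuth performed) also yields three, because the group-restricted entry is skipped rather than granted.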
          proposal type { statements }
               Specifies a proposal to be used during SA negotiations with a
               peer. The valid proposal types are as follows ...

               isakmp  An ISAKMP proposal supports the following ...
                       auth type;
                            Define the authentication mechanism for the ISAKMP
                            proposal. The accepted types are hybrid_xauth_rsa,
                            mutual_xauth_rsa, mutual_xauth_psk, mutual_rsa and
                            mutual_psk.
                       ciph type [number];
                            Define the cipher algorithm for this proposal. The
                            optional number specifies the key length for
                            algorithms that support it. The accepted types are
                            aes, blowfish, 3des, cast and des.
                       hash type;
                            Define the hash algorithm for this proposal. The
                            accepted types are md5 and sha1.
                       dhgr number;
                            Define the DH group for this proposal. The accepted
                            values are 1, 2, 5, 14, 15, 16, 17 and 18.

               ah      An AH proposal supports the following ...
                       hash type;
                            Define the hash algorithm for this proposal. The
                            accepted types are md5 and sha1.
                       dhgr number;
                            Define the DH group for this proposal. The accepted
                            values are 1, 2, 5, 14, 15, 16, 17 and 18.

               esp     An ESP proposal supports the following ...
                       ciph type [number];
                            Define the cipher algorithm for this proposal. The
                            optional number specifies the key length for
                            algorithms that support it. The accepted types are
                            aes, blowfish, 3des, cast and des.
                       hmac type;
                            Define the message authentication algorithm for
                            this proposal. The accepted types are md5 and
                            sha1.
                       dhgr number;
                            Define the DH group for this proposal. The accepted
                            values are 1, 2, 5, 14, 15, 16, 17 and 18.

               ipcomp  An IPCOMP proposal supports the following ...
                       comp type;
                            Define the compression algorithm for this proposal.
                            The accepted types are deflate and lzs.

               All proposal types support the following ...

               life_sec number;
                    Define the lifetime in seconds for this proposal.
               life_kbs number;
                    Define the lifetime in kilobytes for this proposal.
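Two things on this page are worth having in runnable form: the section/statement grammar from the DESCRIPTION (brace-delimited sections, ';'-terminated statements, '#' comments, quoted strings) and the proposal vocabulary just listed, whose accepted algorithm set still includes values a reviewer should not let through unexamined. The block below is an added example written for this page, not Shrew Soft code: it is a parser for the documented grammar plus a check that walks every peer's proposals and reports des, md5 and DH groups 1 and 2. The sample configuration text, the WEAK table and all function names are mine.

```python
import re
from dataclasses import dataclass, field

# Tokenizer for the grammar above: whitespace and '#' comments are dropped,
# a quoted string becomes one token without its quotes, '{' '}' ';' are
# structural, and anything else is a bare word (keyword, label, number ...).
_TOKEN = re.compile(
    r'(?P<ws>\s+)|(?P<comment>#[^\n]*)|(?P<quoted>"(?:[^"\\]|\\.)*")'
    r'|(?P<punct>[{};])|(?P<word>[^\s{};"#]+)')

@dataclass
class Statement:          # keyword [params ...] ;
    keyword: str
    params: list

@dataclass
class Section:            # keyword [params ...] { statements }
    keyword: str
    params: list
    body: list = field(default_factory=list)

def tokenize(text):
    pos, out = 0, []
    while pos < len(text):
        m = _TOKEN.match(text, pos)
        if m is None:
            raise ValueError(f"unexpected input at offset {pos}")
        pos = m.end()
        if m.lastgroup == "quoted":
            out.append(("quoted", m.group()[1:-1]))
        elif m.lastgroup in ("punct", "word"):
            out.append((m.lastgroup, m.group()))
    return out

def parse(text):
    """Parse iked.conf text into a list of top-level Statement/Section nodes."""
    body, _ = _parse_body(tokenize(text), 0, top=True)
    return body

def _parse_body(toks, pos, top=False):
    body, words = [], []
    while pos < len(toks):
        kind, val = toks[pos]
        pos += 1
        if kind != "punct":
            words.append(val)
        elif val == ";":
            if not words:
                raise ValueError("empty statement")
            body.append(Statement(words[0], words[1:]))
            words = []
        elif val == "{":
            if not words:
                raise ValueError("section without a keyword")
            sec = Section(words[0], words[1:])
            sec.body, pos = _parse_body(toks, pos)   # nested sections recurse
            body.append(sec)
            words = []
        else:                                        # '}'
            if top or words:
                raise ValueError("unbalanced '}' or statement missing ';'")
            return body, pos
    if not top or words:
        raise ValueError("missing '}' or trailing tokens without ';'")
    return body, pos

# Accepted by the grammar but worth flagging in review: DES has a 56-bit key,
# MD5 is collision-broken, and DH groups 1 and 2 are 768- and 1024-bit MODP.
WEAK = {"ciph": {"des"}, "hash": {"md5"}, "hmac": {"md5"}, "dhgr": {"1", "2"}}

def weak_proposal_settings(tree):
    """Return (peer address, proposal type, statement) for each weak setting."""
    findings = []
    for peer in tree:
        if not (isinstance(peer, Section) and peer.keyword == "peer"):
            continue
        for prop in peer.body:
            if not (isinstance(prop, Section) and prop.keyword == "proposal"):
                continue
            for st in prop.body:
                if st.params and st.params[0] in WEAK.get(st.keyword, ()):
                    findings.append((peer.params[0], prop.params[0],
                                     f"{st.keyword} {st.params[0]}"))
    return findings

# Constructed sample in the syntax documented above (not taken from the page).
SAMPLE = '''
# gateway accepting any peer
daemon { socket ike 500; log_file "/var/log/iked.log"; }
peer 0.0.0.0
{
    contact responder;
    authdata psk "secret; with # punctuation";   # quoted text is opaque
    proposal isakmp { auth mutual_psk; ciph aes 256; hash md5; dhgr 2; }
    proposal esp { ciph aes 256; hmac sha1; dhgr 14; life_sec 3600; }
}
'''
```

Running `weak_proposal_settings(parse(SAMPLE))` reports the isakmp proposal's `hash md5` and `dhgr 2` and nothing for the esp proposal. The tokenizer treats the contents of a quoted string as opaque, so a ';' or '#' inside a pre-shared secret does not terminate the statement or start a comment; an unterminated section raises rather than silently accepting a truncated file.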
EXAMPLES
     This section contains a few iked configuration examples.

     The first example shows a configuration that only defines the parameters
     required to support client connectivity mode with NATT and debug options
     enabled.

     daemon
     {
          socket ike 500;
          socket natt 4500;

          log_level debug;
          log_file "/var/log/iked.log";

          pcap_decrypt "/var/log/ike-decrypt.pcap";
          pcap_encrypt "/var/log/ike-encrypt.pcap";

          retry_delay 10;
          retry_count 2;
     }

     The second example shows a configuration that supports simple peer to
     peer negotiations using mutual preshared key authentication.

     daemon
     {
          socket ike 500;

          log_level debug;
          log_file "/var/log/iked.log";
     }

     peer 1.2.3.4
     {
          exchange main;

          peerid local address;
          peerid remote address;

          authdata psk "sharedsecret";

          life_check claim;

          proposal isakmp
          {
               auth mutual_psk;
               life_sec 28800;
               life_kbs 0;
          }

          proposal esp
          {
               life_sec 3800;
               life_kbs 0;
          }
     }

     The third example shows a configuration that supports client gateway
     negotiations using mutual preshared key authentication with xauth, nat
     traversal, dead peer detection, ike fragmentation and policy generation.
     The daemon would allow xauth users that are members of the "remote" group
     to connect to the gateway. Policies would be generated to allow a peer
     access to the 10.1.1.0/24 and 1.3.3.0/24 networks with the exception of
     1.1.1.15/32, which would be accessed directly ( not via IPsec ). Peers
     that use an xauth user account that is a member of the "netadmin" group
     would have additional policies generated to allow access to the
     10.4.4.0/24 network.

     daemon
     {
          socket ike 500;
          socket natt 4500;

          log_level debug;
          log_file "/var/log/iked.log";

          pcap_decrypt "/var/log/ike-decrypt.pcap";
          pcap_encrypt "/var/log/ike-encrypt.pcap";
     }

     netgroup allow
     {
          10.1.1.0/24;
          10.3.3.0/24;
     }

     netgroup deny
     {
          1.1.1.15/32;
     }

     netgroup protect
     {
          10.4.4.0/24;
     }

     xconf_local
     {
          network4 10.2.1.0/24;
          dnss4 10.1.1.1;
          nbns4 10.1.1.1;
          dns_suffix "foo.com";
          dns_list "foo.com" "bar.com";
          banner "/usr/local/etc/iked.motd";
          pfs_group 2;
     }

     peer 0.0.0.0
     {
          contact responder;
          exchange main;

          natt_mode enable;
          dpd_mode enable;
          frag_ike_mode enable;

          peerid local address;
          peerid remote address;

          authdata psk "sharedsecret";

          life_check claim;

          xauth_source local "remote";
          xconf_source local;

          plcy_mode config;
          plcy_list
          {
               include allow;
               exclude deny;
               include protect "netadmin";
          }

          proposal isakmp
          {
               auth mutual_xauth_psk;
               ciph 3des;
               hash md5;
               dhgr 2;
               life_sec 28800;
               life_kbs 0;
          }

          proposal esp
          {
               life_sec 3800;
               life_kbs 0;
          }
     }

SEE ALSO
     ipsec(4), iked(8), setkey(8)

AUTHORS
     The iked.conf parser was written by Matthew Grooms ( mgrooms@shrew.net )
     as part of the Shrew Soft ( http://www.shrew.net ) family of IPsec
     products.

BSD                            February 2, 2007                            BSD