IKED(8)                   BSD System Manager's Manual                  IKED(8)


NAME

     iked.conf — Internet Key Exchange Daemon Configuration File


DESCRIPTION

     The iked.conf file is used to configure iked(8) ( Internet Key Exchange
     Daemon ). The parameters supplied are used to negotiate ISAKMP ( phase1 )
     and IPsec ( phase2 ) SAs for IPsec capable hosts.


SYNTAX

     The configuration parameters are expressed as a series of sections con‐
     taining a number of statements. Sections begin with a keyword optionally
     followed by a parameter list. All statements for a section are enclosed
     using the ‘{’ and ‘}’ characters. Statements begin with a keyword
     optionally followed by a parameter list and are terminated with the ‘;’
     character. Lines that begin with the ‘#’ character are treated as com‐
     ments.

     This document denotes keywords in bold and user supplied parameters in
     italics. Optional parameters are enclosed using the ‘[’ and ‘]’
     characters. Multiple keywords that may be valid for a single parameter
     are enclosed using the ‘(’ and ‘)’ characters and separated using the
     ‘|’ character.

     The defined parameter types are as follows ...

     number    A decimal number
     label     A string comprised of alphanumeric characters
     quoted    A quoted string enclosed in ‘"’ characters
     address   An IP address expressed as x.x.x.x
     network   An IP network and prefix length expressed as x.x.x.x/y

   Daemon Section
     daemon { statements }
             Specifies the general configuration for iked(8) operation. This
             includes parameters related to the basic network configuration,
             log file and debug output. Only one daemon section should be
             defined.

             socket (ike | natt) [address] number;
                     An address and port number that should be used for ike or
                     natt communications.  If the address parameter is omit‐
                     ted, the daemon will attempt to bind to any address for
                     the given port number. If no socket statements are speci‐
                     fied, the daemon will attempt to bind to all interfaces
                     for both ike and natt using the default port numbers (
                     500 & 4500 respectively ). Note, the natt keyword can
                     only be specified if the daemon was compiled with natt
                     support.
             retry_count number;
                     The number of times an exchange packet should be resent
                     to a peer. The default value for this parameter is 2.
             retry_delay number;
                     The number of seconds to wait between packet resend
                     attempts. The default value for this parameter is 10.
             log_file quoted;
                     The path and file name that should be used for log out‐
                     put.
             log_level (none | error | info | debug | loud | decode);
                     The log output detail level. The default value for this
                     parameter is none.
             pcap_decrypt quoted;
                     The path and file name that should be used to dump
                     decrypted ike packets in pcap format. If no pcap_decrypt
                     statement is specified, this feature is disabled. Note,
                     a decrypted dump exposes peer identities and any XAuth
                     credentials exchanged, so the file should be protected
                     from unprivileged users.
             pcap_encrypt quoted;
                     The path and file name that should be used to dump
                     encrypted ike packets in pcap format. If no pcap_encrypt
                     statement is specified, this feature is disabled.
             dhcp_file quoted;
                     The path and file name that should be used to store a
                     dhcp mac address seed value for dhcp over ipsec negotia‐
                     tion. If no file is present, the file will be created.

   Network Group Section
     netgroup label { statements }
             Specifies a group of networks that can be referred to by the
             assigned label.  Multiple netgroup sections may be defined.

             network;
                     A network to be associated with this network group.

   XAuth LDAP Section
     xauth_ldap { statements }
             Specifies the LDAP configuration to be used when the
             xauth_source is set to ldap for a given peer section. Only one
             xauth_ldap section should be defined. Note, an xauth_ldap section
             can only be defined if the daemon was compiled with LDAP support.

             version number;
                     The LDAP protocol version to be used ( 2 or 3 ). The
                     default value for this parameter is 3.
             url quoted;
                     The LDAP server url. For example, a url may look like
                     "ldap://ldap.shrew.net:389".
             base quoted;
                     The base dn to be used for LDAP searches. For example, a
                     base dn may look like "ou=users,dc=shrew,dc=net".
             subtree (enable | disable);
                     The search scope to be used for LDAP searches. If
                     enabled, searches will be performed using the subtree
                     search scope. If disabled, searches will be performed
                     using the one level search scope. The default value for
                     this parameter is disable.
             bind_dn quoted;
                     The dn to bind as before performing LDAP searches. If
                     this parameter is omitted, searches will be performed
                     using anonymous binds.
             bind_pw quoted;
                     The password to use when a bind_dn is specified. Note,
                     the password is stored in clear text, so iked.conf should
                     not be readable by unprivileged users.
             attr_user quoted;
                     The attribute used to specify a user name in the LDAP
                     directory.  For example, if a user dn is
                     "cn=user,dc=shrew,dc=net" then the attribute would be
                     "cn".  The default value for this parameter is "cn".
             attr_group quoted;
                     The attribute used to specify a group name in the LDAP
                     directory.  For example, if a group dn is
                     "cn=group,dc=shrew,dc=net" then the attribute would be
                     "cn".  The default value for this parameter is "cn".
             attr_member quoted;
                     The attribute used to specify a group member in the LDAP
                     directory. The default value for this parameter is "mem‐
                     ber".

   XConf Local Section
     xconf_local { statements }
             Specifies the Configuration Exchange settings to be used when the
             xconf_source is set to local for a given peer section. Only one
             xconf_local section should be defined.

             network4 network [number];
                     The network that will be used to define a local address
                     pool. An optional number can be specified to restrict the
                     pool to a specific size. An address from this pool along
                     with the network mask are passed to a peer when
                     requested.
             dnss4 address;
                     The dns server address to be passed to a peer when
                     requested.
             nbns4 address;
                     The netbios name server address to be passed to a peer
                     when requested.
             dns_suffix quoted;
                     The dns suffix to be passed to a peer when requested.
             dns_list quoted quoted ...;
                     A list of split dns suffixes to be passed to a peer when
                     requested. A peer can use this list to selectively forward
                     dns requests to the dnss4 server when a query matches one
                     of the supplied split dns suffixes.
             banner quoted;
                     The path to a file that contains a login banner to be
                     passed to a peer when requested.
             pfs_group number;
                     The pfs group number to be passed to a peer when
                     requested.

   Peer Section
     peer address [number] { statements }
             Specifies the parameters used to communicate with a given peer by
             address and optional port number. If the port value is omitted,
             the default isakmp port number will be used ( 500 ). If an
             address of 0.0.0.0 is used, the peer section can be used for any
             remote host. Multiple peer sections may be defined.

             contact (initiator | responder | both);
                     Specifies the contact type when establishing phase1 nego‐
                     tiations with a peer. If initiator is used, the daemon
                     will initiate contact but deny contact initiated by the
                     peer. If responder is used, the daemon will allow contact
                     initiated by the peer but will not initiate contact. If
                     both is specified, the daemon will initiate contact and
                     allow the peer to initiate contact.
             exchange (main | aggressive);
                     Specifies the exchange type to be used for phase1 negoti‐
                     ations with a peer.  The default value for this parameter
                     is main.
             natt_mode (disable | enable | force [draft | rfc]);
                     Specifies the NAT Traversal mode to be used for phase1
                     negotiations with a peer. If disable is used, natt nego‐
                     tiations will not be attempted. If enable is used, the
                     daemon will attempt to negotiate and use NAT Traversal
                     when appropriate. If force is used, the daemon will use
                     NAT Traversal even if the peer does not negotiate support
                     for this feature. When force is used, the draft or rfc
                     modifiers can optionally be specified to select the
                     required method with rfc being the default if omitted.
                     The default value for this parameter is disable.
             natt_port number;
                     Specifies the NAT Traversal port number to be used for
                     phase1 negotiations with a peer when acting as an initia‐
                     tor. The default value for this parameter is 4500.
             natt_rate number;
                     Specifies the number of seconds between sending NAT Tra‐
                     versal keep-alive messages. The default value for this
                     parameter is 15.
             dpd_mode (disable | enable | force);
                     Specifies the Dead Peer Detection mode to be used with a
                     peer. If disable is used, DPD negotiations will not be
                     attempted. If enable is used, the daemon will attempt to
                     negotiate and use DPD when appropriate. If force is used,
                     the daemon will use DPD even if the peer does not negoti‐
                     ate support for this feature. The default value for this
                     parameter is disable.
             dpd_delay number;
                     Specifies the number of seconds between sending DPD are-
                     you-there messages. The default value for this parameter
                     is 15.
             dpd_retry number;
                     Specifies the number of times a DPD are-you-there message
                     will be retransmitted when no response is received. The
                     default value for this parameter is 5.
             frag_ike_mode (disable | enable | force);
                     Specifies the IKE Fragmentation mode to be used with a
                     peer. If disable is used, IKE Fragmentation negotiations
                     will not be attempted. If enable is used, the daemon will
                     attempt to negotiate and use IKE Fragmentation when
                     appropriate. If force is used, the daemon will use IKE
                     Fragmentation even if the peer does not negotiate support
                     for this feature. The default value for this parameter is
                     disable.
             frag_ike_size number;
                     Specifies the maximum number of bytes for an IKE Frag‐
                     ment. The default value for this parameter is 520.
             frag_esp_mode (disable | enable);
                     Specifies the ESP Fragmentation mode to be used with a
                     peer. If disable is used, the daemon will create IPsec
                     SAs without the ESP Fragmentation option.  If enable is
                     used, the daemon will create IPsec SAs with the ESP Frag‐
                     mentation option.  The default value for this parameter
                     is disable.  Note, ESP Fragmentation is only valid for
                     IPsec SAs using NAT Traversal. The operating system must
                     also have support for this feature. ( NetBSD Only )
             frag_esp_size number;
                     Specifies the maximum number of bytes for an ESP Frag‐
                     ment. The default value for this parameter is 520.
             peerid (local | remote) type ...;
                     Specifies either the local identity to be sent to a peer
                     or the remote identity to be compared with the value
                     received from a peer during phase1 negotiations. The
                     valid identity types are as follows ...
                     address [address];
                             An IP Address. If the address value is omitted,
                             the network address used during phase1 negotia‐
                             tions is used.
                     fqdn quoted;
                             A Fully Qualified Domain Name string.
                     ufqdn quoted;
                             A User Fully Qualified Domain Name string.
                     asn1dn [quoted];
                             An ASN.1 Distinguished Name string. If the quoted
                             value is omitted, the daemon will acquire the DN
                             from the subject field contained within the cer‐
                             tificate.
             authdata type ...;
                     Specifies the authentication data to use during phase1
                     negotiations. The valid authentication data types are as
                     follows ...
                     psk quoted;
                             A Pre Shared Secret.
                     ca quoted [quoted];
                             A path to an OpenSSL PEM or PKCS12 file that con‐
                             tains the Remote Certificate Authority. In the
                             case where a PKCS12 file is encrypted, the second
                             quoted parameter specifies the file password.
                     cert quoted [quoted];
                             A path to an OpenSSL PEM or PKCS12 file that con‐
                             tains the Local Public Certificate. In the case
                             where a PKCS12 file is encrypted, the second
                             quoted parameter specifies the file password.
                     pkey quoted [quoted];
                             A path to an OpenSSL PEM or PKCS12 file that con‐
                             tains the Local Private Key. In the case where a
                             PKCS12 file is encrypted, the second quoted param‐
                             eter specifies the password.
             life_check level;
                     Specifies the behavior when validating peer lifetime pro‐
                     posal values. The default level is claim.  The valid lev‐
                     els are as follows ...
                     obey    A responder will always use the initiators value.
                     strict  A responder will use the initiators value if it
                             is shorter than the responders.  A responder will
                             reject the proposal if the initiators value is
                             greater than the responders.
                     claim   A responder will use the initiators value if it
                             is shorter than the responders.  A responder will
                             use its own value if it is shorter than the ini‐
                             tiators. In the second case, the responder will
                             send a RESPONDER-LIFETIME notification to the
                             initiator when responding to phase2 proposals.
                     exact   A responder will reject the proposal if the ini‐
                             tiators value is not equal to the responders.
             xauth_source (local | ldap) [quoted];
                     Specifies the Extended Authentication source to be used
                     for user authentication post phase1 negotiations. The
                     optional quoted value specifies a group name that can be
                     used to restrict access to only users that are valid mem‐
                     bers of the group. If local is used, the peer supplied
                     credentials will be compared to the local account data‐
                     base. If ldap is used, the peer supplied credentials will
                     be compared to an LDAP account database. The LDAP source
                     configuration is defined in the xauth_ldap section. The
                     default value for this parameter is local.
             xconf_source local [(push | pull)];
                     Specifies the Configuration Exchange source to be used
                     when responding to peer configuration requests. If local
                     is used, the daemon will supply configuration information
                     defined in the xconf_local section. The default value for
                     this parameter is local.
             plcy_mode (disable | config | compat);
                     Specifies the policy generation mode. When disable is
                     used, no policy generation is performed. When config mode
                     is used, policy generation is performed during Configura‐
                     tion Exchange.  This allows the daemon to generate
                     policies using the peer's private tunnel address. When
                     compat mode is used, policy generation is performed post
                     phase1 negotiations. This allows the daemon to interoper‐
                     ate with peers that do not support Configuration
                     Exchanges.
             plcy_list { statements }
                     Specifies a list of network groups and parameters that
                     can be used to perform policy generation. If no plcy_list
                     is defined but plcy_mode is set to config or compat, the
                     daemon operates as if a single include statement was used
                     that specified a netgroup defining all networks.
                     (include | exclude) label [quoted];
                             Specifies a netgroup by label for use with policy
                             generation. When include is used, the daemon will
                             generate appropriate IPsec policies and pass all
                             netgroup defined networks during the Configura‐
                             tion Exchange if requested. A peer would use this
                             configuration information to selectively tunnel
                             all traffic destined for any one of these net‐
                             works. If exclude is used, the daemon will gener‐
                             ate appropriate discard policies and pass all
                             netgroup defined networks during the Configura‐
                             tion Exchange if requested. A peer would use this
                             configuration information to selectively bypass
                             IPsec processing for all traffic destined to any
                             one of these networks. The optional quoted string
                             specifies a group name that can be used to
                             restrict processing of this netgroup to only
                             users that are valid members of the group. If
                             XAuth is not performed, statements that define a
                             group name are skipped.
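     The policy generation rules above, worked through as an added Python
     example that is not part of this manual page or of iked itself. The
     netgroups and plcy_list mirror the third configuration in EXAMPLES, the
     set of group names passed in stands for the outcome of XAuth (None when
     no XAuth was performed), and the 'ipsec' and 'discard' action labels are
     this example's own names for the IPsec and discard policies the text
     describes.

```python
import ipaddress

# Constructed netgroups and plcy_list for this example; they mirror the
# manual's third example and are not iked's own data structures.
NETGROUPS = {
    'allow':   ['10.1.1.0/24', '10.3.3.0/24'],
    'deny':    ['1.1.1.15/32'],
    'protect': ['10.4.4.0/24'],
}
# (include|exclude, netgroup label, optional group name)
PLCY_LIST = [
    ('include', 'allow', None),
    ('exclude', 'deny', None),
    ('include', 'protect', 'netadmin'),
]

def generate_policies(plcy_list, netgroups, xauth_groups=None):
    """Return the [(network, action)] list generated for one peer.

    xauth_groups is the set of groups the XAuth user belongs to, or None
    when no XAuth was performed.  'include' entries yield 'ipsec' policies
    and 'exclude' entries yield 'discard' policies; an entry that names a
    group is skipped unless XAuth was performed and the user is a member.
    An empty plcy_list behaves like a single include of all networks, as
    the manual describes for plcy_mode config and compat.
    """
    if not plcy_list:
        return [('0.0.0.0/0', 'ipsec')]
    policies = []
    for action, label, group in plcy_list:
        if group is not None and (xauth_groups is None or group not in xauth_groups):
            continue                        # group-restricted entry, not a member
        if action not in ('include', 'exclude'):
            raise ValueError('unknown plcy_list action %r' % action)
        for net in netgroups[label]:        # KeyError for an undefined label
            # ip_network() validates the x.x.x.x/y form and normalises it
            policies.append((str(ipaddress.ip_network(net)),
                             'ipsec' if action == 'include' else 'discard'))
    return policies

if __name__ == '__main__':
    for groups in (None, {'remote'}, {'remote', 'netadmin'}):
        print(groups, generate_policies(PLCY_LIST, NETGROUPS, groups))
```

     Running it shows that a user who is only in "remote" gets the two
     allow networks and the discard entry, while a "netadmin" member also
     gets 10.4.4.0/24; without XAuth the group-restricted entry is skipped.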
             proposal type { statements }
                     Specifies a proposal to be used during SA negotiations
                     with a peer. The valid proposal types are as follows ...

                     isakmp  An ISAKMP proposal supports the following ...
                             auth type;
                                     Define the authentication mechanism for
                                     the ISAKMP proposal. The accepted types
                                     are hybrid_xauth_rsa, mutual_xauth_rsa,
                                     mutual_xauth_psk, mutual_rsa and
                                     mutual_psk.
                             ciph type [number];
                                     Define the cipher algorithm for this pro‐
                                     posal. The optional number specifies the
                                     keylength for algorithms that support it.
                                     The accepted types are aes, blowfish,
                                     3des, cast and des.
                             hash type;
                                     Define the hash algorithm for this pro‐
                                     posal. The accepted types are md5 and
                                     sha1.
                             dhgr number;
                                     Define the DH group for this proposal.
                                     The accepted values are 1, 2, 5, 14, 15,
                                     16, 17 and 18.

                     ah      An AH proposal supports the following ...
                             hash type;
                                     Define the hash algorithm for this pro‐
                                     posal. The accepted types are md5 and
                                     sha1.
                             dhgr number;
                                     Define the DH group for this proposal.
                                     The accepted values are 1, 2, 5, 14, 15,
                                     16, 17 and 18.

                     esp     An ESP proposal supports the following ...
                             ciph type [number];
                                     Define the cipher algorithm for this pro‐
                                     posal. The optional number specifies the
                                     keylength for algorithms that support it.
                                     The accepted types are aes, blowfish,
                                     3des, cast and des.
                             hmac type;
                                     Define the message authentication algo‐
                                     rithm for this proposal. The accepted
                                     types are md5 and sha1.
                             dhgr number;
                                     Define the DH group for this proposal.
                                     The accepted values are 1, 2, 5, 14, 15,
                                     16, 17 and 18.

                     ipcomp  An IPCOMP proposal supports the following ...
                             comp type;
                                     Define the compression algorithm for this
                                     proposal. The accepted types are deflate
                                     and lzs.

                     All proposal types support the following ...

                     life_sec number;
                             Define the lifetime in seconds for this proposal.
                     life_kbs number;
                             Define the lifetime in kilobytes for this pro‐
                             posal.

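     An added example, not code from this manual page or from iked: a small
     Python parser for the section and statement grammar given in SYNTAX,
     followed by an audit of the proposal statements described above. The
     configuration text inside it is constructed for the example, and the
     thresholds it applies (DES, MD5, the 64-bit block ciphers and DH groups
     below 14 reported as weak, aggressive mode combined with a pre-shared
     key reported as exposing the PSK hash) are this example's own choices;
     iked enforces none of them.

```python
import re
from collections import namedtuple

# Token classes from SYNTAX: '#' comments, '"'-quoted strings, the '{' '}'
# ';' punctuation, and bare words (labels, numbers, addresses, networks).
_TOKEN = re.compile(r'#[^\n]*|"([^"]*)"|[{};]|[^\s{};"#]+')

def tokenize(text):
    for m in _TOKEN.finditer(text):
        tok = m.group(0)
        if tok.startswith('#'):                      # comment: dropped
            continue
        if m.group(1) is not None:                   # quoted: quotes stripped
            yield ('quoted', m.group(1))
        else:
            yield ('punct' if tok in '{};' else 'word', tok)

# A statement (body is None) or a section (body is a list of Nodes).
Node = namedtuple('Node', 'key args body', defaults=(None,))

def parse(text):
    """Parse iked.conf text into top-level Nodes, enforcing the '{' '}' and
    ';' structure from SYNTAX.  Sections may nest (plcy_list, proposal)."""
    tokens, pos = list(tokenize(text)), 0

    def block():
        nonlocal pos
        items = []
        while pos < len(tokens) and tokens[pos] != ('punct', '}'):
            words = []
            while pos < len(tokens) and tokens[pos][0] != 'punct':
                words.append(tokens[pos][1])
                pos += 1
            if pos == len(tokens) or tokens[pos][1] == '}':
                raise SyntaxError('statement not terminated with ";"')
            tok, pos = tokens[pos][1], pos + 1
            if not words:
                raise SyntaxError('keyword expected before "%s"' % tok)
            if tok == ';':
                items.append(Node(words[0], words[1:]))
                continue
            items.append(Node(words[0], words[1:], block()))   # '{': section
            if pos == len(tokens):
                raise SyntaxError('section not closed with "}"')
            pos += 1                                           # consume '}'
        return items

    items = block()
    if pos != len(tokens):
        raise SyntaxError('unmatched "}"')
    return items

# Thresholds chosen for this example; iked itself enforces none of them.
WEAK_CIPHERS = {'des': '56-bit key', '3des': '64-bit block (Sweet32)',
                'blowfish': '64-bit block', 'cast': '64-bit block'}

def audit_peer(peer):
    """Findings for one parsed 'peer' section."""
    findings = []
    exchange = next((s.args[0] for s in peer.body if s.key == 'exchange' and s.args), 'main')
    for prop in peer.body:
        if prop.key != 'proposal' or prop.body is None or not prop.args:
            continue
        ptype = prop.args[0]
        for st in prop.body:
            arg = st.args[0] if st.args else None
            if st.key == 'ciph' and arg in WEAK_CIPHERS:
                findings.append('%s: ciph %s (%s)' % (ptype, arg, WEAK_CIPHERS[arg]))
            elif st.key in ('hash', 'hmac') and arg == 'md5':
                findings.append('%s: %s md5 is deprecated' % (ptype, st.key))
            elif st.key == 'dhgr' and arg is not None and int(arg) < 14:
                findings.append('%s: dhgr %s is 1536-bit MODP or smaller' % (ptype, arg))
            elif st.key == 'auth' and exchange == 'aggressive' and arg and arg.endswith('_psk'):
                findings.append('%s: aggressive mode with %s exposes the PSK hash '
                                'to offline guessing' % (ptype, arg))
    return findings

def audit(text):
    """Map each peer address to its findings."""
    return {p.args[0]: audit_peer(p) for p in parse(text)
            if p.key == 'peer' and p.body is not None and p.args}

# Constructed sample (not from the manual page): a weak peer beside its
# hardened counterpart.
CONF = """
peer 192.0.2.1
{
    exchange aggressive;
    authdata psk "shared secret";
    proposal isakmp { auth mutual_psk; ciph des; hash md5; dhgr 1; life_sec 28800; }
    proposal esp { ciph des; hmac md5; dhgr 1; }
}
# hardened: main mode, AES-256, SHA-1 integrity, 2048-bit DH group 14
peer 192.0.2.2
{
    exchange main;
    authdata psk "shared secret";
    proposal isakmp { auth mutual_psk; ciph aes 256; hash sha1; dhgr 14; life_sec 28800; }
    proposal esp { ciph aes 256; hmac sha1; dhgr 14; }
}
"""
```

     audit(CONF) reports seven findings for 192.0.2.1 and none for
     192.0.2.2; parse() raises SyntaxError for a statement without ‘;’ or a
     section without its closing ‘}’, the two structural rules SYNTAX states.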

EXAMPLES

     This section contains a few iked configuration examples.

     The first example shows a configuration that only defines the parameters
     required to support client connectivity mode with NATT and debug options
     enabled.

     daemon
     {
         socket ike 500;
         socket natt 4500;

         log_level debug;
         log_file "/var/log/iked.log";

         pcap_decrypt "/var/log/ike-decrypt.pcap";
         pcap_encrypt "/var/log/ike-encrypt.pcap";

         retry_delay 10;
         retry_count 2;
     }

     The second example shows a configuration that supports simple peer to
     peer negotiations using mutual preshared key authentication.

     daemon
     {
         socket ike 500;

         log_level debug;
         log_file "/var/log/iked.log";
     }

     peer 1.2.3.4
     {
         exchange main;

         peerid local address;
         peerid remote address;

         authdata psk "sharedsecret";

         life_check claim;

         proposal isakmp
         {
             auth mutual_psk;
             life_sec 28800;
             life_kbs 0;
         }

         proposal esp
         {
             life_sec 3800;
             life_kbs 0;
         }
     }

     The third example shows a configuration that supports client gateway
     negotiations using mutual preshared key authentication with xauth, nat
     traversal, dead peer detection, ike fragmentation and policy generation.
     The daemon would allow xauth users that are members of the "remote" group
     to connect to the gateway. Policies would be generated to allow a peer
     access to the 10.1.1.0/24 and 10.3.3.0/24 networks, while 1.1.1.15/32
     would be accessed directly ( not via IPsec ). Peers that use an xauth
     user account that is a member of the "netadmin" group would have
     additional policies generated to allow access to the 10.4.4.0/24 network.

     daemon
     {
         socket ike 500;
         socket natt 4500;

         log_level debug;
         log_file "/var/log/iked.log";

         pcap_decrypt "/var/log/ike-decrypt.pcap";
         pcap_encrypt "/var/log/ike-encrypt.pcap";
     }

     netgroup allow
     {
         10.1.1.0/24;
         10.3.3.0/24;
     }

     netgroup deny
     {
         1.1.1.15/32;
     }

     netgroup protect
     {
         10.4.4.0/24;
     }

     xconf_local
     {
         network4 10.2.1.0/24;
         dnss4 10.1.1.1;
         nbns4 10.1.1.1;
         dns_suffix "foo.com";
         dns_list "foo.com" "bar.com";
         banner "/usr/local/etc/iked.motd";
         pfs_group 2;
     }

     peer 0.0.0.0
     {
         contact responder;
         exchange main;

         natt_mode enable;
         dpd_mode enable;
         frag_ike_mode enable;

         peerid local address;
         peerid remote address;

         authdata psk "sharedsecret";

         life_check claim;

         xauth_source local "remote";
         xconf_source local;

         plcy_mode config;
         plcy_list
         {
             include allow;
             exclude deny;
             include protect "netadmin";
         }

         proposal isakmp
         {
             auth mutual_xauth_psk;
             ciph 3des;
             hash md5;
             dhgr 2;
             life_sec 28800;
             life_kbs 0;
         }

         proposal esp
         {
             life_sec 3800;
             life_kbs 0;
         }
     }


SEE ALSO

     ipsec(4), iked(8), setkey(8)


HISTORY

     The iked.conf parser was written by Matthew Grooms ( mgrooms@shrew.net )
     as part of the Shrew Soft ( http://www.shrew.net ) family of IPsec prod‐
     ucts.

BSD                             February 2, 2007                            BSD