1IKED.CONF(5) BSD File Formats Manual IKED.CONF(5)
2
4 iked.conf — IKEv2 configuration file
5
7 iked.conf is the configuration file for iked(8), the Internet Key Ex‐
8 change version 2 (IKEv2) daemon for IPsec. IPsec itself is a pair of
9 protocols: Encapsulating Security Payload (ESP), which provides integrity
10 and confidentiality; and Authentication Header (AH), which provides in‐
11 tegrity. The IPsec protocol itself is described in ipsec(4).
12
13 In its most basic form, a flow is established between hosts and/or net‐
14 works, and then Security Associations (SA) are established, which detail
15 how the desired protection will be achieved. IPsec uses flows to deter‐
16 mine whether to apply security services to an IP packet or not. iked(8)
17 is used to set up flows and establish SAs automatically, by specifying
18 ‘ikev2’ policies in iked.conf (see AUTOMATIC KEYING POLICIES, below).
19
20 Alternative methods of setting up flows and SAs are also possible using
21 manual keying or automatic keying using the older ISAKMP/Oakley a.k.a.
22 IKEv1 protocol. Manual keying is not recommended, but can be convenient
23 for quick setups and testing. See ipsec.conf(5) and isakmpd(8) for more
24 information about manual keying and ISAKMP support.
25
27 iked.conf is divided into three main sections:
28
29 Macros
30 User-defined macros may be defined and used later, simplifying the
31 configuration file.
32
33 Global Configuration
34 Global settings for iked(8).
35
36 Automatic Keying Policies
37 Policies to set up IPsec flows and SAs automatically.
38
39 Lines beginning with ‘#’ and empty lines are regarded as comments, and
40 ignored. Lines may be split using the ‘\’ character.
41
42 Argument names not beginning with a letter, digit, or underscore must be
43 quoted.
44
45 Addresses can be specified in CIDR notation (matching netblocks), as sym‐
46 bolic host names, interface names, or interface group names.
47
48 Additional configuration files can be included with the include keyword,
49 for example:
50
51 include "/etc/macros.conf"
52
54 Macros can be defined that will later be expanded in context. Macro
55 names must start with a letter, digit, or underscore, and may contain any
56 of those characters. Macro names may not be reserved words (for example
57 flow, from, esp). Macros are not expanded inside quotes.
58
59 For example:
60
61 remote_gw = "192.168.3.12"
62 ikev2 esp from 192.168.7.0/24 to 192.168.8.0/24 peer $remote_gw
63
65 Here are the settings that can be set globally:
66
67 set active
68 Set iked(8) to global active mode. In active mode the per-policy
69 mode setting is respected. iked(8) will initiate policies set to
70 active and wait for incoming requests for policies set to passive.
71 This is the default.
72
73 set passive
74 Set iked(8) to global passive mode. In passive mode no packets are
75 sent to peers and no connections are initiated by iked(8), even for
76 active policies. This option is used for setups using sasyncd(8)
77 and carp(4) to provide redundancy. iked(8) will run in passive
78 mode until sasyncd has determined that the host is the master and
79 can switch to active mode.
80
81 set couple
82 Load the negotiated security associations (SAs) and flows into the
83 kernel. This is the default.
84
85 set decouple
86 Don't load the negotiated SAs and flows from the kernel. This mode
87 is only useful for testing and debugging.
88
89 set dpd_check_interval time
90 Specify the liveness check interval, in seconds. Setting time to 0
91 disables DPD. The default value is 60 seconds.
92
93 set enforcesingleikesa
94 Allow only a single active IKE SA for each dstid. When a new SA
95 with the same dstid is established, it replaces the old SA.
96
97 set noenforcesingleikesa
98 Don't limit the number of IKE SAs per dstid. This is the default.
99
100 set fragmentation
101 Enable IKEv2 Message Fragmentation (RFC 7383) support. This allows
102 IKEv2 to operate in environments that might block IP fragments.
103
104 set nofragmentation
105 Disables IKEv2 Message Fragmentation support. This is the default.
106
107 set mobike
108 Enable MOBIKE (RFC 4555) support. This is the default. MOBIKE al‐
109 lows the peer IP address to be changed for IKE and IPsec SAs. Cur‐
110 rently iked(8) only supports MOBIKE when acting as a responder.
111
112 set nomobike
113 Disables MOBIKE support.
114
115 set cert_partial_chain
116 Allow partial certificate chain if at least one certificate is a
117 trusted CA from /etc/iked/ca/.
118
119 set ocsp URL [tolerate time [maxage time]]
120 Enable OCSP and set the fallback URL of the OCSP responder. This
121 fallback will be used if the trusted CA from /etc/iked/ca/ does not
122 have an OCSP-URL extension. Please note that the matching respon‐
123 der certificates have to be placed in /etc/iked/ocsp/responder.crt.
124
125 The optional tolerate parameter specifies how much the OCSP re‐
126 sponse attribute ‘thisUpdate’ may be in the future and how much
127 ‘nextUpdate’ may be in the past, with respect to the local time.
128 The optional maxage parameter specifies how much ‘thisUpdate’ may
129 be in the past. If tolerate is set to 0 then the times are not
130 verified at all. This is the default setting.
131
132 user name password
133 iked(8) supports user-based authentication by tunneling the Exten‐
134 sible Authentication Protocol (EAP) over IKEv2. In its most basic
135 form, the users will be authenticated against a local, integrated
136 password database that is configured with the user lines in
137 iked.conf and the name and password arguments. Note that the pass‐
138 word has to be specified in plain text which is required to support
139 different challenge-based EAP methods like EAP-MD5 or EAP-MSCHAPv2.
140
142 This section is used to configure policies that will be used by iked(8)
143 to set up flows and SAs automatically. Some examples of setting up auto‐
144 matic keying:
145
146 # Set up a VPN:
147 # First between the gateway machines 192.168.3.1 and 192.168.3.2
148 # Second between the networks 10.1.1.0/24 and 10.1.2.0/24
149 ikev2 esp from 192.168.3.1 to 192.168.3.2
150 ikev2 esp from 10.1.1.0/24 to 10.1.2.0/24 peer 192.168.3.2
151
152 For incoming connections from remote peers, the policies are evaluated in
153 sequential order, from first to last. The last matching policy decides
154 what action is taken; if no policy matches the connection, the default
155 action is to ignore the connection attempt or to use the default policy,
156 if set. Please also see the EXAMPLES section for a detailed example of
157 the policy evaluation.
158
159 The first time an IKEv2 connection matches a policy, an IKE SA is cre‐
160 ated; for subsequent packets the connection is identified by the IKEv2
161 parameters that are stored in the SA without evaluating any policies.
162 After the connection is closed or times out, the IKE SA is automatically
163 removed.
164
165 The commands are as follows:
166 ikev2 [name]
167 The mandatory ikev2 keyword will identify an IKEv2 automatic keying
168 policy. name is an optional arbitrary string identifying the pol‐
169 icy. The name should only occur once in iked.conf or any included
170 files. If omitted, a name will be generated automatically for the
171 policy.
172
173 [eval]
174 The eval option modifies the policy evaluation for this policy. It
175 can be one of quick, skip or default. If a new incoming connection
176 matches a policy with the quick option set, that policy is consid‐
177 ered the last matching policy, and evaluation of subsequent poli‐
178 cies is skipped. The skip option will disable evaluation of this
179 policy for incoming connections. The default option sets the de‐
180 fault policy and should only be specified once.
181
182 [mode]
183 mode specifies the IKEv2 mode to use: one of passive or active.
184 When passive is specified, iked(8) will not immediately start nego‐
185 tiation of this tunnel, but wait for an incoming request from the
186 remote peer. When active is specified, negotiation will be started
187 at once. If omitted, passive mode will be used.
188
189 [ipcomp]
190 The keyword ipcomp specifies that ipcomp(4), the IP Payload Com‐
191 pression protocol, is negotiated in addition to encapsulation. The
192 optional compression is applied before packets are encapsulated.
193 IPcomp must be enabled in the kernel:
194
195 # sysctl net.inet.ipcomp.enable=1
196
197 [tmode]
198 tmode describes the encapsulation mode to be used. Possible modes
199 are tunnel and transport; the default is tunnel.
200
201 [encap]
202 encap specifies the encapsulation protocol to be used. Possible
203 protocols are esp and ah; the default is esp.
204
205 [af] This policy only applies to endpoints of the specified address fam‐
206 ily which can be either inet or inet6. Note that this only matters
207 for IKEv2 endpoints and does not restrict the traffic selectors to
208 negotiate flows with different address families, e.g. IPv6 flows
209 negotiated by IPv4 endpoints.
210
211 proto protocol
212 The optional proto parameter restricts the flow to a specific IP
213 protocol. Common protocols are icmp(4), tcp(4), and udp(4). For a
214 list of all the protocol name to number mappings used by iked(8),
215 see the file /etc/protocols.
216
217 rdomain number
218 Specify a different routing domain for unencrypted traffic. The
219 resulting IPsec SAs will match outgoing packets in the specified
220 rdomain number and move the encrypted packets to the rdomain the
221 iked(8) instance is running in. Vice versa, incoming ipsec(4)
222 traffic is moved to rdomain number after decryption.
223
224 from src [port sport] [(srcnat)] to dst [port dport]
225 Specify one or more traffic selectors for this policy which will be
226 used to negotiate the IPsec flows between the IKEv2 peers. During
227 the negotiation, the peers may decide to narrow a flow to a subset
228 of the configured traffic selector networks to match the policies
229 on each side.
230
231 Each traffic selector will apply for packets with source address
232 src and destination address dst. If the src argument specifies a
233 fictional source ID, the srcnat parameter can be used to specify
234 the actual source address. This can be used in outgoing NAT/BINAT
235 scenarios as described below. The keyword any will match any ad‐
236 dress (i.e. 0.0.0.0/0 and ::/0). If the config address option is
237 specified, the dynamic keyword can be used to create flows from or
238 to the dynamically assigned address.
239
240 The optional port modifiers restrict the traffic selectors to the
241 specified ports. They are only valid in conjunction with the
242 tcp(4) and udp(4) protocols. Ports can be specified by number or
243 by name. For a list of all port name to number mappings used by
244 ipsecctl(8), see the file /etc/services.
245
246 local localip peer remote
247 The local parameter specifies the address or FQDN of the local end‐
248 point. Unless the gateway is multi-homed or uses address aliases,
249 this option is generally not needed.
250
251 The peer parameter specifies the address or FQDN of the remote end‐
252 point. For host-to-host connections where dst is identical to
253 remote, this option is generally not needed as it will be set to
254 dst automatically. If it is not specified or if the keyword any is
255 given, the default peer is used.
256
257 ikesa auth algorithm enc algorithm prf algorithm group group
258 These parameters define the mode and cryptographic transforms to be
259 used for the IKE SA negotiation, also known as phase 1. The IKE SA
260 will be used to authenticate the machines and to set up an en‐
261 crypted channel for the IKEv2 protocol.
262
263 Possible values for auth, enc, prf, group, and the default propos‐
264 als are described below in CRYPTO TRANSFORMS. If omitted, iked(8)
265 will use the default proposals for the IKEv2 protocol.
266
267 The keyword ikesa can be used multiple times as a delimiter between
268 IKE SA proposals. The order of the proposals depend on the order
269 in the configuration. The keywords auth, enc, prf and group can be
270 used multiple times within a single proposal to configure multiple
271 crypto transforms.
272
273 childsa auth algorithm enc algorithm group group esn
274 These parameters define the cryptographic transforms to be used for
275 the Child SA negotiation, also known as phase 2. Each Child SA
276 will be used to negotiate the actual IPsec SAs. The initial Child
277 SA is always negotiated with the initial IKEv2 key exchange; addi‐
278 tional Child SAs may be negotiated with additional Child SA key ex‐
279 changes for an established IKE SA.
280
281 Possible values for auth, enc, group, esn, and the default propos‐
282 als are described below in CRYPTO TRANSFORMS. If omitted, iked(8)
283 will use the default proposals for the ESP or AH protocol.
284
285 The group option will only be used to enable Perfect Forward Se‐
286 crecy (PFS) for additional Child SAs exchanges that are not part of
287 the initial key exchange.
288
289 The keyword childsa can be used multiple times as a delimiter be‐
290 tween Child SA proposals. The order of the proposals depend on the
291 order in the configuration. The keywords auth, enc and group can
292 be used multiple times within a single proposal to configure multi‐
293 ple crypto transforms.
294
295 srcid string dstid string
296 srcid defines an ID of type “FQDN”, “ASN1_DN”, “IPV4”, “IPV6”, or
297 “UFQDN” that will be used by iked(8) as the identity of the local
298 peer. If the argument is an email address (reyk@example.com),
299 iked(8) will use UFQDN as the ID type. The ASN1_DN type will be
300 used if the string starts with a slash ‘/’
301 (/C=DE/../CN=10.0.0.1/emailAddress=reyk@example.com). If the argu‐
302 ment is an IPv4 address or a compressed IPv6 address, the ID types
303 IPV4 or IPV6 will be used. Anything else is considered to be an
304 FQDN.
305
306 If srcid is omitted, the default is to use the hostname of the lo‐
307 cal machine, see hostname(1) to set or print the hostname.
308
309 dstid is similar to srcid, but instead specifies the ID to be used
310 by the remote peer.
311
312 ikelifetime time
313 The optional ikelifetime parameter defines the IKE SA expiration
314 timeout by the time SA was created. A zero value disables active
315 IKE SA rekeying. This is the default.
316
317 The accepted format of the time specification is described below.
318
319 lifetime time [bytes bytes]
320 The optional lifetime parameter defines the Child SA expiration
321 timeout by the time SA was in use and by the number of bytes that
322 were processed using the SA. Default values are 3 hours and 4 gi‐
323 gabytes which means that SA will be rekeyed before reaching the
324 time limit or 4 gigabytes of data will pass through. Zero values
325 disable rekeying.
326
327 Several unit specifiers are recognized (ignoring case): ‘m’ and ‘h’
328 for minutes and hours, and ‘K’, ‘M’ and ‘G’ for kilo-, mega- and
329 gigabytes accordingly.
330
331 Please note that rekeying must happen at least several times a day
332 as IPsec security heavily depends on frequent key renewals.
333
334 [ikeauth]
335 Specify a method to be used to authenticate the remote peer.
336 iked(8) will automatically determine a method based on public keys
337 or certificates configured for the peer. ikeauth can be used to
338 override this behaviour. Non-psk modes will require setting up
339 certificates and RSA or ECDSA public keys; see iked(8) for more in‐
340 formation.
341
342 eap type
343 Use EAP to authenticate the initiator. The only
344 supported EAP type is currently MSCHAP-V2. The re‐
345 sponder will use RSA public key authentication.
346 ecdsa256
347 Use ECDSA with a 256-bit elliptic curve key and
348 SHA2-256 for authentication.
349 ecdsa384
350 Use ECDSA with a 384-bit elliptic curve key and
351 SHA2-384 for authentication.
352 ecdsa521
353 Use ECDSA with a 521-bit elliptic curve key and
354 SHA2-512 for authentication.
355 psk string
356 Use a pre-shared key string or hex value (starting
357 with 0x) for authentication.
358 rfc7427 Only use RFC 7427 signatures for authentication.
359 RFC 7427 signatures currently only support SHA2-256
360 as the hash.
361 rsa Use RSA public key authentication with SHA1 as the
362 hash.
363
364 The default is to allow any signature authentication.
365
366 config option address
367 request option address
368 Request or serve one or more optional configuration payloads (CP).
369 The configuration option can be one of the following with the ex‐
370 pected address format:
371
372 address address
373 Assign a static address on the internal network.
374 address address/prefix
375 Assign a dynamic address on the internal network.
376 The address will be assigned from an address pool
377 with the size specified by prefix.
378 netmask netmask
379 The IPv4 netmask of the internal network.
380 name-server address
381 The DNS server address within the internal network.
382 netbios-server address
383 The NetBIOS name server (WINS) within the internal
384 network. This option is provided for compatibility
385 with legacy clients.
386 dhcp-server address
387 The address of an internal DHCP server for further
388 configuration.
389 protected-subnet address/prefix
390 The address of an additional IPv4 or IPv6 subnet
391 reachable over the gateway. This option is used to
392 notify the peer of a subnet behind the gateway (that
393 might require a second SA). Networks specified in
394 this SA's "from" or "to" options do not need to be
395 included.
396 access-server address
397 The address of an internal remote access server.
398
399 iface interface
400 Configure requested addresses and routes on the specified
401 interface.
402
403 tag string
404 Add a pf(4) tag to all packets of IPsec SAs created for this con‐
405 nection. This will allow matching packets for this connection by
406 defining rules in pf.conf(5) using the tagged keyword.
407
408 The following variables can be used in tags to include information
409 from the remote peer on runtime:
410
411 $id The dstid that was proposed by the remote peer to
412 identify itself. It will be expanded to id-value,
413 e.g. FQDN/foo.example.com. To limit the size of the
414 derived tag, iked(8) will extract the common name
415 ‘CN=’ from ASN1_DN IDs, for example
416 ASN1_ID//C=DE/../CN=10.1.1.1/.. will be expanded to
417 10.1.1.1.
418 $eapid For a connection using EAP, the identity (username)
419 used by the remote peer.
420 $domain Extract the domain from IDs of type FQDN, UFQDN or
421 ASN1_DN.
422 $name The name of the IKEv2 policy that was configured in
423 iked.conf or automatically generated by iked(8).
424
425 For example, if the ID is FQDN/foo.example.com or
426 UFQDN/user@example.com, “ipsec-$domain” expands to
427 “ipsec-example.com”. The variable expansion for the tag directive
428 occurs only at runtime (not when the file is parsed) and must be
429 quoted, or it will be interpreted as a macro.
430
431 tap interface
432 Send the decapsulated IPsec traffic to the specified enc(4)
433 interface instead of enc0 for filtering and monitoring. The traf‐
434 fic will be blocked if the specified interface does not exist.
435
437 IPsec traffic appears unencrypted on the enc(4) interface and can be fil‐
438 tered accordingly using the OpenBSD packet filter, pf(4). The grammar
439 for the packet filter is described in pf.conf(5).
440
441 The following components are relevant to filtering IPsec traffic:
442
443 external interface
444 Interface for IKE traffic and encapsulated IPsec traffic.
445
446 proto udp port 500
447 IKE traffic on the external interface.
448
449 proto udp port 4500
450 IKE NAT-Traversal traffic on the external interface.
451
452 proto ah | esp
453 Encapsulated IPsec traffic on the external interface.
454
455 enc0
456 Default interface for outgoing traffic before it's been encapsu‐
457 lated, and incoming traffic after it's been decapsulated. State on
458 this interface should be interface bound; see enc(4) for further
459 information.
460
461 proto ipencap
462 [tunnel mode only] IP-in-IP traffic flowing between gateways on the
463 enc0 interface.
464
465 tagged ipsec-example.org
466 Match traffic of IPsec SAs using the tag keyword.
467
468 If the filtering rules specify to block everything by default, the fol‐
469 lowing rule would ensure that IPsec traffic never hits the packet filter‐
470 ing engine, and is therefore passed:
471
472 set skip on enc0
473
474 In the following example, all traffic is blocked by default. IPsec-re‐
475 lated traffic from gateways {192.168.3.1, 192.168.3.2} and networks
476 {10.0.1.0/24, 10.0.2.0/24} is permitted.
477
478 block on ix0
479 block on enc0
480
481 pass in on ix0 proto udp from 192.168.3.2 to 192.168.3.1 \
482 port {500, 4500}
483 pass out on ix0 proto udp from 192.168.3.1 to 192.168.3.2 \
484 port {500, 4500}
485
486 pass in on ix0 proto esp from 192.168.3.2 to 192.168.3.1
487 pass out on ix0 proto esp from 192.168.3.1 to 192.168.3.2
488
489 pass in on enc0 proto ipencap from 192.168.3.2 to 192.168.3.1 \
490 keep state (if-bound)
491 pass out on enc0 proto ipencap from 192.168.3.1 to 192.168.3.2 \
492 keep state (if-bound)
493 pass in on enc0 from 10.0.2.0/24 to 10.0.1.0/24 \
494 keep state (if-bound)
495 pass out on enc0 from 10.0.1.0/24 to 10.0.2.0/24 \
496 keep state (if-bound)
497
498 pf(4) has the ability to filter IPsec-related packets based on an arbi‐
499 trary tag specified within a ruleset. The tag is used as an internal
500 marker which can be used to identify the packets later on. This could be
501 helpful, for example, in scenarios where users are connecting in from
502 differing IP addresses, or to support queue-based bandwidth control,
503 since the enc0 interface does not support it.
504
505 The following pf.conf(5) fragment uses queues for all IPsec traffic with
506 special handling for developers and employees:
507
508 queue std on ix0 bandwidth 100M
509 queue deflt parent std bandwidth 10M default
510 queue developers parent std bandwidth 75M
511 queue employees parent std bandwidth 5M
512 queue ipsec parent std bandwidth 10M
513
514 pass out on ix0 proto esp set queue ipsec
515
516 pass out on ix0 tagged ipsec-developers.example.com \
517 set queue developers
518 pass out on ix0 tagged ipsec-employees.example.com \
519 set queue employees
520
521 The following example assigns the tags in the iked.conf configuration and
522 also sets an alternative enc(4) device:
523
524 ikev2 esp from 10.1.1.0/24 to 10.1.2.0/24 peer 192.168.3.2 \
525 tag "ipsec-$domain" tap "enc1"
526
528 In some network topologies it is desirable to perform NAT on traffic
529 leaving through the VPN tunnel. In order to achieve that, the src argu‐
530 ment is used to negotiate the desired network ID with the peer and the
531 srcnat parameter defines the true local subnet, so that a correct SA can
532 be installed on the local side.
533
534 For example, if the local subnet is 192.168.1.0/24 and all the traffic
535 for a specific VPN peer should appear as coming from 10.10.10.1, the fol‐
536 lowing configuration is used:
537
538 ikev2 esp from 10.10.10.1 (192.168.1.0/24) to 192.168.2.0/24 \
539 peer 10.10.20.1
540
541 Naturally, a relevant NAT rule is required in pf.conf(5). For the exam‐
542 ple above, this would be:
543
544 match out on enc0 from 192.168.1.0/24 to 192.168.2.0/24 \
545 nat-to 10.10.10.1
546
547 From the peer's point of view, the local end of the VPN tunnel is de‐
548 clared to be 10.10.10.1 and all the traffic arrives with that source ad‐
549 dress.
550
552 The following authentication types are permitted with the auth keyword:
553
554 Authentication Key Length Truncated Length Default
555 hmac-md5 128 bits 96 bits
556 hmac-sha1 160 bits 96 bits x
557 hmac-sha2-256 256 bits 128 bits x
558 hmac-sha2-384 384 bits 192 bits x
559 hmac-sha2-512 512 bits 256 bits x
560
561 The following pseudo-random function types are permitted with the prf
562 keyword:
563
564 PRF Key Length Default
565 hmac-md5 128 bits [IKE only]
566 hmac-sha1 160 bits x [IKE only]
567 hmac-sha2-256 256 bits x [IKE only]
568 hmac-sha2-384 384 bits x [IKE only]
569 hmac-sha2-512 512 bits x [IKE only]
570
571 The following cipher types are permitted with the enc keyword:
572
573 Cipher Key Length Default
574 3des 168 bits x
575 aes-128 128 bits x
576 aes-192 192 bits x
577 aes-256 256 bits x
578 aes-128-ctr 160 bits [ESP only]
579 aes-192-ctr 224 bits [ESP only]
580 aes-256-ctr 288 bits [ESP only]
581 aes-128-gcm 160 bits x
582 aes-192-gcm 224 bits [ESP only]
583 aes-256-gcm 288 bits x
584 aes-128-gcm-12 160 bits [IKE only]
585 aes-256-gcm-12 288 bits [IKE only]
586 blowfish 160 bits [ESP only]
587 cast 128 bits [ESP only]
588 chacha20-poly1305 288 bits [ESP only]
589
590 The following cipher types provide only authentication, not encryption:
591
592 aes-128-gmac 160 bits [ESP only]
593 aes-192-gmac 224 bits [ESP only]
594 aes-256-gmac 288 bits [ESP only]
595 null [ESP only]
596
597 The Extended Sequence Numbers option can be enabled or disabled with the
598 esn or noesn keywords:
599
600 ESN Default
601 esn x [ESP only]
602 noesn x [ESP only]
603
604 Transforms followed by [IKE only] can only be used with the ikesa key‐
605 word, transforms with [ESP only] can only be used with the childsa key‐
606 word.
607
608 3DES requires 24 bytes to form its 168-bit key. This is because the most
609 significant bit of each byte is used for parity.
610
611 The keysize of AES-CTR is actually 128-bit. However as well as the key,
612 a 32-bit nonce has to be supplied. Thus 160 bits of key material have to
613 be supplied. The same applies to AES-GCM, AES-GMAC and
614 Chacha20-Poly1305, however in the latter case the keysize is 256 bit.
615
616 Using AES-GMAC or NULL with ESP will only provide authentication. This
617 is useful in setups where AH cannot be used, e.g. when NAT is involved.
618
619 The following group types are permitted with the group keyword:
620
621 Name Group Size Type Default
622 modp768 grp1 768 MODP [insecure]
623 modp1024 grp2 1024 MODP x [weak]
624 modp1536 grp5 1536 MODP x [weak]
625 modp2048 grp14 2048 MODP x
626 modp3072 grp15 3072 MODP x
627 modp4096 grp16 4096 MODP x
628 modp6144 grp17 6144 MODP
629 modp8192 grp18 8192 MODP
630 ecp256 grp19 256 ECP x
631 ecp384 grp20 384 ECP x
632 ecp521 grp21 521 ECP x
633 ecp192 grp25 192 ECP
634 ecp224 grp26 224 ECP
635 brainpool224 grp27 224 ECP
636 brainpool256 grp28 256 ECP
637 brainpool384 grp29 384 ECP
638 brainpool512 grp30 512 ECP
639 curve25519 grp31 256 Curve25519 x
640
641 The currently supported group types are either MODP (exponentiation
642 groups modulo a prime), ECP (elliptic curve groups modulo a prime), or
643 Curve25519. Please note that MODP groups of less than 2048 bits are con‐
644 sidered as weak or insecure (see RFC 8247 section 2.4) and only provided
645 for backwards compatibility.
646
648 /etc/iked.conf
649 /etc/examples/iked.conf
650
652 The first example is intended for a server with clients connecting to
653 iked(8) as an IPsec gateway, or IKEv2 responder, using mutual public key
654 authentication and additional challenge-based EAP-MSCHAPv2 password au‐
655 thentication:
656
657 user "test" "password123"
658
659 ikev2 "win7" esp \
660 from dynamic to 172.16.2.0/24 \
661 peer 10.0.0.0/8 local 192.168.56.0/24 \
662 eap "mschap-v2" \
663 config address 172.16.2.1 \
664 tag "$name-$id"
665
666 The next example allows peers to authenticate using a pre-shared key
667 ‘foobar’:
668
669 ikev2 "big test" \
670 esp proto tcp \
671 from 10.0.0.0/8 port 23 to 20.0.0.0/8 port 40 \
672 from 192.168.1.1 to 192.168.2.2 \
673 peer any local any \
674 ikesa \
675 enc 3des auth hmac-sha2-256 \
676 group ecp256 group modp1024 \
677 ikesa \
678 enc 3des auth hmac-sha1 \
679 group ecp256 group modp1024 \
680 childsa enc aes-128 auth hmac-sha2-256 \
681 childsa enc aes-128 auth hmac-sha1 \
682 srcid host.example.com \
683 dstid 192.168.0.254 \
684 psk "foobar"
685
686 The following example illustrates the last matching policy evaluation for
687 incoming connections on an IKEv2 gateway. The peer 192.168.1.34 will al‐
688 ways match the first policy because of the quick keyword; connections
689 from the peers 192.168.1.3 and 192.168.1.2 will be matched by one of the
690 last two policies; any other connections from 192.168.1.0/24 will be
691 matched by the ‘subnet’ policy; and any other connection will be matched
692 by the ‘catch all’ policy.
693
694 ikev2 quick esp from 10.10.10.0/24 to 10.20.20.0/24 \
695 peer 192.168.1.34
696 ikev2 "catch all" esp from 10.0.1.0/24 to 10.0.2.0/24 \
697 peer any
698 ikev2 "subnet" esp from 10.0.3.0/24 to 10.0.4.0/24 \
699 peer 192.168.1.0/24
700 ikev2 esp from 10.0.5.0/30 to 10.0.5.4/30 peer 192.168.1.2
701 ikev2 esp from 10.0.5.8/30 to 10.0.5.12/30 peer 192.168.1.3
702
703 This example encrypts a gre(4) tunnel from local machine A
704 (2001:db8::aa:1) to peer D (2001:db8::dd:4) based on FQDN-based public
705 key authentication; transport mode avoids double encapsulation:
706
707 ikev2 transport \
708 proto gre \
709 from 2001:db8::aa:1 to 2001:db8::dd:4 \
710 peer D.example.com
711
713 enc(4), ipsec(4), ipsec.conf(5), pf.conf(5), ikectl(8), iked(8)
714
716 The iked.conf file format first appeared in OpenBSD 4.8.
717
719 The iked(8) program was written by Reyk Floeter <reyk@openbsd.org>.
720
721BSD August 3, 2021 BSD