1IKED.CONF(5)                BSD File Formats Manual               IKED.CONF(5)
2

NAME

4     iked.conf — IKEv2 configuration file
5

DESCRIPTION

7     iked.conf is the configuration file for iked(8), the Internet Key Ex‐
8     change version 2 (IKEv2) daemon for IPsec.  IPsec itself is a pair of
9     protocols: Encapsulating Security Payload (ESP), which provides integrity
10     and confidentiality; and Authentication Header (AH), which provides in‐
11     tegrity.  The IPsec protocol itself is described in ipsec(4).
12
13     In its most basic form, a flow is established between hosts and/or net‐
14     works, and then Security Associations (SA) are established, which detail
15     how the desired protection will be achieved.  IPsec uses flows to deter‐
16     mine whether to apply security services to an IP packet or not.  iked(8)
17     is used to set up flows and establish SAs automatically, by specifying
18     ‘ikev2’ policies in iked.conf (see AUTOMATIC KEYING POLICIES, below).
19
20     Alternative methods of setting up flows and SAs are also possible using
21     manual keying or automatic keying using the older ISAKMP/Oakley a.k.a.
22     IKEv1 protocol.  Manual keying is not recommended, but can be convenient
23     for quick setups and testing.  See ipsec.conf(5) and isakmpd(8) for more
24     information about manual keying and ISAKMP support.
25

IKED.CONF FILE FORMAT

27     iked.conf is divided into three main sections:
28
29     Macros
30           User-defined macros may be defined and used later, simplifying the
31           configuration file.
32
33     Global Configuration
34           Global settings for iked(8).
35
36     Automatic Keying Policies
37           Policies to set up IPsec flows and SAs automatically.
38
39     Lines beginning with ‘#’ and empty lines are regarded as comments, and
40     ignored.  Lines may be split using the ‘\’ character.
41
42     Argument names not beginning with a letter, digit, or underscore must be
43     quoted.
44
45     Addresses can be specified in CIDR notation (matching netblocks), as sym‐
46     bolic host names, interface names, or interface group names.
47
48     Additional configuration files can be included with the include keyword,
49     for example:
50
51           include "/etc/macros.conf"
52

MACROS

54     Macros can be defined that will later be expanded in context.  Macro
55     names must start with a letter, digit, or underscore, and may contain any
56     of those characters.  Macro names may not be reserved words (for example
57     flow, from, esp).  Macros are not expanded inside quotes.
58
59     For example:
60
61           remote_gw = "192.168.3.12"
62           ikev2 esp from 192.168.7.0/24 to 192.168.8.0/24 peer $remote_gw
63

GLOBAL CONFIGURATION

65     Here are the settings that can be set globally:
66
67     set active
68           Set iked(8) to global active mode.  In active mode the per-policy
69           mode setting is respected.  iked(8) will initiate policies set to
70           active and wait for incoming requests for policies set to passive.
71           This is the default.
72
73     set passive
74           Set iked(8) to global passive mode.  In passive mode no packets are
75           sent to peers and no connections are initiated by iked(8), even for
76           active policies.  This option is used for setups using sasyncd(8)
77           and carp(4) to provide redundancy.  iked(8) will run in passive
78           mode until sasyncd has determined that the host is the master and
79           can switch to active mode.
80
81     set couple
82           Load the negotiated security associations (SAs) and flows into the
83           kernel.  This is the default.
84
85     set decouple
86           Don't load the negotiated SAs and flows from the kernel.  This mode
87           is only useful for testing and debugging.
88
89     set dpd_check_interval time
90           Specify the liveness check interval, in seconds.  Setting time to 0
91           disables DPD.  The default value is 60 seconds.
92
93     set enforcesingleikesa
94           Allow only a single active IKE SA for each dstid.  When a new SA
95           with the same dstid is established, it replaces the old SA.
96
97     set noenforcesingleikesa
98           Don't limit the number of IKE SAs per dstid.  This is the default.
99
100     set fragmentation
101           Enable IKEv2 Message Fragmentation (RFC 7383) support.  This allows
102           IKEv2 to operate in environments that might block IP fragments.
103
104     set nofragmentation
105           Disables IKEv2 Message Fragmentation support.  This is the default.
106
107     set mobike
108           Enable MOBIKE (RFC 4555) support.  This is the default.  MOBIKE al‐
109           lows the peer IP address to be changed for IKE and IPsec SAs.  Cur‐
110           rently iked(8) only supports MOBIKE when acting as a responder.
111
112     set nomobike
113           Disables MOBIKE support.
114
115     set cert_partial_chain
116           Allow partial certificate chain if at least one certificate is a
117           trusted CA from /etc/iked/ca/.
118
119     set ocsp URL [tolerate time [maxage time]]
120           Enable OCSP and set the fallback URL of the OCSP responder.  This
121           fallback will be used if the trusted CA from /etc/iked/ca/ does not
122           have an OCSP-URL extension.  Please note that the matching respon‐
123           der certificates have to be placed in /etc/iked/ocsp/responder.crt.
124
125           The optional tolerate parameter specifies how much the OCSP re‐
126           sponse attribute ‘thisUpdate’ may be in the future and how much
127           ‘nextUpdate’ may be in the past, with respect to the local time.
128           The optional maxage parameter specifies how much ‘thisUpdate’ may
129           be in the past.  If tolerate is set to 0 then the times are not
130           verified at all.  This is the default setting.
131
132     user name password
133           iked(8) supports user-based authentication by tunneling the Exten‐
134           sible Authentication Protocol (EAP) over IKEv2.  In its most basic
135           form, the users will be authenticated against a local, integrated
136           password database that is configured with the user lines in
137           iked.conf and the name and password arguments.  Note that the pass‐
138           word has to be specified in plain text which is required to support
139           different challenge-based EAP methods like EAP-MD5 or EAP-MSCHAPv2.
140

AUTOMATIC KEYING POLICIES

142     This section is used to configure policies that will be used by iked(8)
143     to set up flows and SAs automatically.  Some examples of setting up auto‐
144     matic keying:
145
146        # Set up a VPN:
147        # First between the gateway machines 192.168.3.1 and 192.168.3.2
148        # Second between the networks 10.1.1.0/24 and 10.1.2.0/24
149        ikev2 esp from 192.168.3.1 to 192.168.3.2
150        ikev2 esp from 10.1.1.0/24 to 10.1.2.0/24 peer 192.168.3.2
151
152     For incoming connections from remote peers, the policies are evaluated in
153     sequential order, from first to last.  The last matching policy decides
154     what action is taken; if no policy matches the connection, the default
155     action is to ignore the connection attempt or to use the default policy,
156     if set.  Please also see the EXAMPLES section for a detailed example of
157     the policy evaluation.
158
159     The first time an IKEv2 connection matches a policy, an IKE SA is cre‐
160     ated; for subsequent packets the connection is identified by the IKEv2
161     parameters that are stored in the SA without evaluating any policies.
162     After the connection is closed or times out, the IKE SA is automatically
163     removed.
164
165     The commands are as follows:
166     ikev2 [name]
167           The mandatory ikev2 keyword will identify an IKEv2 automatic keying
168           policy.  name is an optional arbitrary string identifying the pol‐
169           icy.  The name should only occur once in iked.conf or any included
170           files.  If omitted, a name will be generated automatically for the
171           policy.
172
173     [eval]
174           The eval option modifies the policy evaluation for this policy.  It
175           can be one of quick, skip or default.  If a new incoming connection
176           matches a policy with the quick option set, that policy is consid‐
177           ered the last matching policy, and evaluation of subsequent poli‐
178           cies is skipped.  The skip option will disable evaluation of this
179           policy for incoming connections.  The default option sets the de‐
180           fault policy and should only be specified once.
181
182     [mode]
183           mode specifies the IKEv2 mode to use: one of passive or active.
184           When passive is specified, iked(8) will not immediately start nego‐
185           tiation of this tunnel, but wait for an incoming request from the
186           remote peer.  When active is specified, negotiation will be started
187           at once.  If omitted, passive mode will be used.
188
189     [ipcomp]
190           The keyword ipcomp specifies that ipcomp(4), the IP Payload Com‐
191           pression protocol, is negotiated in addition to encapsulation.  The
192           optional compression is applied before packets are encapsulated.
193           IPcomp must be enabled in the kernel:
194
195                 # sysctl net.inet.ipcomp.enable=1
196
197     [tmode]
198           tmode describes the encapsulation mode to be used.  Possible modes
199           are tunnel and transport; the default is tunnel.
200
201     [encap]
202           encap specifies the encapsulation protocol to be used.  Possible
203           protocols are esp and ah; the default is esp.
204
205     [af]  This policy only applies to endpoints of the specified address fam‐
206           ily which can be either inet or inet6.  Note that this only matters
207           for IKEv2 endpoints and does not restrict the traffic selectors to
208           negotiate flows with different address families, e.g. IPv6 flows
209           negotiated by IPv4 endpoints.
210
211     proto protocol
212           The optional proto parameter restricts the flow to a specific IP
213           protocol.  Common protocols are icmp(4), tcp(4), and udp(4).  For a
214           list of all the protocol name to number mappings used by iked(8),
215           see the file /etc/protocols.
216
217     rdomain number
218           Specify a different routing domain for unencrypted traffic.  The
219           resulting IPsec SAs will match outgoing packets in the specified
220           rdomain number and move the encrypted packets to the rdomain the
221           iked(8) instance is running in.  Vice versa, incoming ipsec(4)
222           traffic is moved to rdomain number after decryption.
223
224     from src [port sport] [(srcnat)] to dst [port dport]
225           Specify one or more traffic selectors for this policy which will be
226           used to negotiate the IPsec flows between the IKEv2 peers.  During
227           the negotiation, the peers may decide to narrow a flow to a subset
228           of the configured traffic selector networks to match the policies
229           on each side.
230
231           Each traffic selector will apply for packets with source address
232           src and destination address dst.  If the src argument specifies a
233           fictional source ID, the srcnat parameter can be used to specify
234           the actual source address.  This can be used in outgoing NAT/BINAT
235           scenarios as described below.  The keyword any will match any ad‐
236           dress (i.e. 0.0.0.0/0 and ::/0).  If the config address option is
237           specified, the dynamic keyword can be used to create flows from or
238           to the dynamically assigned address.
239
240           The optional port modifiers restrict the traffic selectors to the
241           specified ports.  They are only valid in conjunction with the
242           tcp(4) and udp(4) protocols.  Ports can be specified by number or
243           by name.  For a list of all port name to number mappings used by
244           ipsecctl(8), see the file /etc/services.
245
246     local localip peer remote
247           The local parameter specifies the address or FQDN of the local end‐
248           point.  Unless the gateway is multi-homed or uses address aliases,
249           this option is generally not needed.
250
251           The peer parameter specifies the address or FQDN of the remote end‐
252           point.  For host-to-host connections where dst is identical to
253           remote, this option is generally not needed as it will be set to
254           dst automatically.  If it is not specified or if the keyword any is
255           given, the default peer is used.
256
257     ikesa auth algorithm enc algorithm prf algorithm group group
258           These parameters define the mode and cryptographic transforms to be
259           used for the IKE SA negotiation, also known as phase 1.  The IKE SA
260           will be used to authenticate the machines and to set up an en‐
261           crypted channel for the IKEv2 protocol.
262
263           Possible values for auth, enc, prf, group, and the default propos‐
264           als are described below in CRYPTO TRANSFORMS.  If omitted, iked(8)
265           will use the default proposals for the IKEv2 protocol.
266
267           The keyword ikesa can be used multiple times as a delimiter between
268           IKE SA proposals.  The order of the proposals depend on the order
269           in the configuration.  The keywords auth, enc, prf and group can be
270           used multiple times within a single proposal to configure multiple
271           crypto transforms.
272
273     childsa auth algorithm enc algorithm group group esn
274           These parameters define the cryptographic transforms to be used for
275           the Child SA negotiation, also known as phase 2.  Each Child SA
276           will be used to negotiate the actual IPsec SAs.  The initial Child
277           SA is always negotiated with the initial IKEv2 key exchange; addi‐
278           tional Child SAs may be negotiated with additional Child SA key ex‐
279           changes for an established IKE SA.
280
281           Possible values for auth, enc, group, esn, and the default propos‐
282           als are described below in CRYPTO TRANSFORMS.  If omitted, iked(8)
283           will use the default proposals for the ESP or AH protocol.
284
285           The group option will only be used to enable Perfect Forward Se‐
286           crecy (PFS) for additional Child SAs exchanges that are not part of
287           the initial key exchange.
288
289           The keyword childsa can be used multiple times as a delimiter be‐
290           tween Child SA proposals.  The order of the proposals depend on the
291           order in the configuration.  The keywords auth, enc and group can
292           be used multiple times within a single proposal to configure multi‐
293           ple crypto transforms.
294
295     srcid string dstid string
296           srcid defines an ID of type “FQDN”, “ASN1_DN”, “IPV4”, “IPV6”, or
297           “UFQDN” that will be used by iked(8) as the identity of the local
298           peer.  If the argument is an email address (reyk@example.com),
299           iked(8) will use UFQDN as the ID type.  The ASN1_DN type will be
300           used if the string starts with a slash ‘/’
301           (/C=DE/../CN=10.0.0.1/emailAddress=reyk@example.com).  If the argu‐
302           ment is an IPv4 address or a compressed IPv6 address, the ID types
303           IPV4 or IPV6 will be used.  Anything else is considered to be an
304           FQDN.
305
306           If srcid is omitted, the default is to use the hostname of the lo‐
307           cal machine, see hostname(1) to set or print the hostname.
308
309           dstid is similar to srcid, but instead specifies the ID to be used
310           by the remote peer.
311
312     ikelifetime time
313           The optional ikelifetime parameter defines the IKE SA expiration
314           timeout by the time SA was created.  A zero value disables active
315           IKE SA rekeying.  This is the default.
316
317           The accepted format of the time specification is described below.
318
319     lifetime time [bytes bytes]
320           The optional lifetime parameter defines the Child SA expiration
321           timeout by the time SA was in use and by the number of bytes that
322           were processed using the SA.  Default values are 3 hours and 4 gi‐
323           gabytes which means that SA will be rekeyed before reaching the
324           time limit or 4 gigabytes of data will pass through.  Zero values
325           disable rekeying.
326
327           Several unit specifiers are recognized (ignoring case): ‘m’ and ‘h’
328           for minutes and hours, and ‘K’, ‘M’ and ‘G’ for kilo-, mega- and
329           gigabytes accordingly.
330
331           Please note that rekeying must happen at least several times a day
332           as IPsec security heavily depends on frequent key renewals.
333
334     [ikeauth]
335           Specify a method to be used to authenticate the remote peer.
336           iked(8) will automatically determine a method based on public keys
337           or certificates configured for the peer.  ikeauth can be used to
338           override this behaviour.  Non-psk modes will require setting up
339           certificates and RSA or ECDSA public keys; see iked(8) for more in‐
340           formation.
341
342                 eap type
343                          Use EAP to authenticate the initiator.  The only
344                          supported EAP type is currently MSCHAP-V2.  The re‐
345                          sponder will use RSA public key authentication.
346                 ecdsa256
347                          Use ECDSA with a 256-bit elliptic curve key and
348                          SHA2-256 for authentication.
349                 ecdsa384
350                          Use ECDSA with a 384-bit elliptic curve key and
351                          SHA2-384 for authentication.
352                 ecdsa521
353                          Use ECDSA with a 521-bit elliptic curve key and
354                          SHA2-512 for authentication.
355                 psk string
356                          Use a pre-shared key string or hex value (starting
357                          with 0x) for authentication.
358                 rfc7427  Only use RFC 7427 signatures for authentication.
359                          RFC 7427 signatures currently only support SHA2-256
360                          as the hash.
361                 rsa      Use RSA public key authentication with SHA1 as the
362                          hash.
363
364           The default is to allow any signature authentication.
365
366     config option address
367     request option address
368           Request or serve one or more optional configuration payloads (CP).
369           The configuration option can be one of the following with the ex‐
370           pected address format:
371
372                 address address
373                         Assign a static address on the internal network.
374                 address address/prefix
375                         Assign a dynamic address on the internal network.
376                         The address will be assigned from an address pool
377                         with the size specified by prefix.
378                 netmask netmask
379                         The IPv4 netmask of the internal network.
380                 name-server address
381                         The DNS server address within the internal network.
382                 netbios-server address
383                         The NetBIOS name server (WINS) within the internal
384                         network.  This option is provided for compatibility
385                         with legacy clients.
386                 dhcp-server address
387                         The address of an internal DHCP server for further
388                         configuration.
389                 protected-subnet address/prefix
390                         The address of an additional IPv4 or IPv6 subnet
391                         reachable over the gateway.  This option is used to
392                         notify the peer of a subnet behind the gateway (that
393                         might require a second SA).  Networks specified in
394                         this SA's "from" or "to" options do not need to be
395                         included.
396                 access-server address
397                         The address of an internal remote access server.
398
399     iface interface
400           Configure requested addresses and routes on the specified
401           interface.
402
403     tag string
404           Add a pf(4) tag to all packets of IPsec SAs created for this con‐
405           nection.  This will allow matching packets for this connection by
406           defining rules in pf.conf(5) using the tagged keyword.
407
408           The following variables can be used in tags to include information
409           from the remote peer on runtime:
410
411                 $id      The dstid that was proposed by the remote peer to
412                          identify itself.  It will be expanded to id-value,
413                          e.g. FQDN/foo.example.com.  To limit the size of the
414                          derived tag, iked(8) will extract the common name
415                          ‘CN=’ from ASN1_DN IDs, for example
416                          ASN1_ID//C=DE/../CN=10.1.1.1/.. will be expanded to
417                          10.1.1.1.
418                 $eapid   For a connection using EAP, the identity (username)
419                          used by the remote peer.
420                 $domain  Extract the domain from IDs of type FQDN, UFQDN or
421                          ASN1_DN.
422                 $name    The name of the IKEv2 policy that was configured in
423                          iked.conf or automatically generated by iked(8).
424
425           For example, if the ID is FQDN/foo.example.com or
426           UFQDN/user@example.com, “ipsec-$domain” expands to
427           “ipsec-example.com”.  The variable expansion for the tag directive
428           occurs only at runtime (not when the file is parsed) and must be
429           quoted, or it will be interpreted as a macro.
430
431     tap interface
432           Send the decapsulated IPsec traffic to the specified enc(4)
433           interface instead of enc0 for filtering and monitoring.  The traf‐
434           fic will be blocked if the specified interface does not exist.
435

PACKET FILTERING

437     IPsec traffic appears unencrypted on the enc(4) interface and can be fil‐
438     tered accordingly using the OpenBSD packet filter, pf(4).  The grammar
439     for the packet filter is described in pf.conf(5).
440
441     The following components are relevant to filtering IPsec traffic:
442
443           external interface
444           Interface for IKE traffic and encapsulated IPsec traffic.
445
446           proto udp port 500
447           IKE traffic on the external interface.
448
449           proto udp port 4500
450           IKE NAT-Traversal traffic on the external interface.
451
452           proto ah | esp
453           Encapsulated IPsec traffic on the external interface.
454
455           enc0
456           Default interface for outgoing traffic before it's been encapsu‐
457           lated, and incoming traffic after it's been decapsulated.  State on
458           this interface should be interface bound; see enc(4) for further
459           information.
460
461           proto ipencap
462           [tunnel mode only] IP-in-IP traffic flowing between gateways on the
463           enc0 interface.
464
465           tagged ipsec-example.org
466           Match traffic of IPsec SAs using the tag keyword.
467
468     If the filtering rules specify to block everything by default, the fol‐
469     lowing rule would ensure that IPsec traffic never hits the packet filter‐
470     ing engine, and is therefore passed:
471
472           set skip on enc0
473
474     In the following example, all traffic is blocked by default.  IPsec-re‐
475     lated traffic from gateways {192.168.3.1, 192.168.3.2} and networks
476     {10.0.1.0/24, 10.0.2.0/24} is permitted.
477
478           block on ix0
479           block on enc0
480
481           pass  in on ix0 proto udp from 192.168.3.2 to 192.168.3.1 \
482                   port {500, 4500}
483           pass out on ix0 proto udp from 192.168.3.1 to 192.168.3.2 \
484                   port {500, 4500}
485
486           pass  in on ix0 proto esp from 192.168.3.2 to 192.168.3.1
487           pass out on ix0 proto esp from 192.168.3.1 to 192.168.3.2
488
489           pass  in on enc0 proto ipencap from 192.168.3.2 to 192.168.3.1 \
490                   keep state (if-bound)
491           pass out on enc0 proto ipencap from 192.168.3.1 to 192.168.3.2 \
492                   keep state (if-bound)
493           pass  in on enc0 from 10.0.2.0/24 to 10.0.1.0/24 \
494                   keep state (if-bound)
495           pass out on enc0 from 10.0.1.0/24 to 10.0.2.0/24 \
496                   keep state (if-bound)
497
498     pf(4) has the ability to filter IPsec-related packets based on an arbi‐
499     trary tag specified within a ruleset.  The tag is used as an internal
500     marker which can be used to identify the packets later on.  This could be
501     helpful, for example, in scenarios where users are connecting in from
502     differing IP addresses, or to support queue-based bandwidth control,
503     since the enc0 interface does not support it.
504
505     The following pf.conf(5) fragment uses queues for all IPsec traffic with
506     special handling for developers and employees:
507
508           queue std on ix0 bandwidth 100M
509           queue   deflt parent std bandwidth 10M default
510           queue   developers parent std bandwidth 75M
511           queue   employees parent std bandwidth 5M
512           queue   ipsec parent std bandwidth 10M
513
514           pass out on ix0 proto esp set queue ipsec
515
516           pass out on ix0 tagged ipsec-developers.example.com \
517                   set queue developers
518           pass out on ix0 tagged ipsec-employees.example.com \
519                   set queue employees
520
521     The following example assigns the tags in the iked.conf configuration and
522     also sets an alternative enc(4) device:
523
524           ikev2 esp from 10.1.1.0/24 to 10.1.2.0/24 peer 192.168.3.2 \
525                   tag "ipsec-$domain" tap "enc1"
526

OUTGOING NETWORK ADDRESS TRANSLATION

528     In some network topologies it is desirable to perform NAT on traffic
529     leaving through the VPN tunnel.  In order to achieve that, the src argu‐
530     ment is used to negotiate the desired network ID with the peer and the
531     srcnat parameter defines the true local subnet, so that a correct SA can
532     be installed on the local side.
533
534     For example, if the local subnet is 192.168.1.0/24 and all the traffic
535     for a specific VPN peer should appear as coming from 10.10.10.1, the fol‐
536     lowing configuration is used:
537
538           ikev2 esp from 10.10.10.1 (192.168.1.0/24) to 192.168.2.0/24 \
539                   peer 10.10.20.1
540
541     Naturally, a relevant NAT rule is required in pf.conf(5).  For the exam‐
542     ple above, this would be:
543
544           match out on enc0 from 192.168.1.0/24 to 192.168.2.0/24 \
545                   nat-to 10.10.10.1
546
547     From the peer's point of view, the local end of the VPN tunnel is de‐
548     clared to be 10.10.10.1 and all the traffic arrives with that source ad‐
549     dress.
550

CRYPTO TRANSFORMS

552     The following authentication types are permitted with the auth keyword:
553
554           Authentication    Key Length    Truncated Length    Default
555           hmac-md5          128 bits      96 bits
556           hmac-sha1         160 bits      96 bits             x
557           hmac-sha2-256     256 bits      128 bits            x
558           hmac-sha2-384     384 bits      192 bits            x
559           hmac-sha2-512     512 bits      256 bits            x
560
561     The following pseudo-random function types are permitted with the prf
562     keyword:
563
564           PRF              Key Length    Default
565           hmac-md5         128 bits                 [IKE only]
566           hmac-sha1        160 bits      x          [IKE only]
567           hmac-sha2-256    256 bits      x          [IKE only]
568           hmac-sha2-384    384 bits      x          [IKE only]
569           hmac-sha2-512    512 bits      x          [IKE only]
570
571     The following cipher types are permitted with the enc keyword:
572
573           Cipher               Key Length    Default
574           3des                 168 bits      x
575           aes-128              128 bits      x
576           aes-192              192 bits      x
577           aes-256              256 bits      x
578           aes-128-ctr          160 bits                 [ESP only]
579           aes-192-ctr          224 bits                 [ESP only]
580           aes-256-ctr          288 bits                 [ESP only]
581           aes-128-gcm          160 bits      x
582           aes-192-gcm          224 bits                 [ESP only]
583           aes-256-gcm          288 bits      x
584           aes-128-gcm-12       160 bits                 [IKE only]
585           aes-256-gcm-12       288 bits                 [IKE only]
586           blowfish             160 bits                 [ESP only]
587           cast                 128 bits                 [ESP only]
588           chacha20-poly1305    288 bits                 [ESP only]
589
590     The following cipher types provide only authentication, not encryption:
591
592           aes-128-gmac         160 bits                 [ESP only]
593           aes-192-gmac         224 bits                 [ESP only]
594           aes-256-gmac         288 bits                 [ESP only]
595           null                                          [ESP only]
596
597     The Extended Sequence Numbers option can be enabled or disabled with the
598     esn or noesn keywords:
599
600           ESN      Default
601           esn      x          [ESP only]
602           noesn    x          [ESP only]
603
604     Transforms followed by [IKE only] can only be used with the ikesa key‐
605     word, transforms with [ESP only] can only be used with the childsa key‐
606     word.
607
608     3DES requires 24 bytes to form its 168-bit key.  This is because the most
609     significant bit of each byte is used for parity.
610
611     The keysize of AES-CTR is actually 128-bit.  However as well as the key,
612     a 32-bit nonce has to be supplied.  Thus 160 bits of key material have to
613     be supplied.  The same applies to AES-GCM, AES-GMAC and
614     Chacha20-Poly1305, however in the latter case the keysize is 256 bit.
615
616     Using AES-GMAC or NULL with ESP will only provide authentication.  This
617     is useful in setups where AH cannot be used, e.g. when NAT is involved.
618
619     The following group types are permitted with the group keyword:
620
621           Name           Group   Size   Type         Default
622           modp768        grp1    768    MODP                   [insecure]
623           modp1024       grp2    1024   MODP         x         [weak]
624           modp1536       grp5    1536   MODP         x         [weak]
625           modp2048       grp14   2048   MODP         x
626           modp3072       grp15   3072   MODP         x
627           modp4096       grp16   4096   MODP         x
628           modp6144       grp17   6144   MODP
629           modp8192       grp18   8192   MODP
630           ecp256         grp19   256    ECP          x
631           ecp384         grp20   384    ECP          x
632           ecp521         grp21   521    ECP          x
633           ecp192         grp25   192    ECP
634           ecp224         grp26   224    ECP
635           brainpool224   grp27   224    ECP
636           brainpool256   grp28   256    ECP
637           brainpool384   grp29   384    ECP
638           brainpool512   grp30   512    ECP
639           curve25519     grp31   256    Curve25519   x
640
641     The currently supported group types are either MODP (exponentiation
642     groups modulo a prime), ECP (elliptic curve groups modulo a prime), or
643     Curve25519.  Please note that MODP groups of less than 2048 bits are con‐
644     sidered as weak or insecure (see RFC 8247 section 2.4) and only provided
645     for backwards compatibility.
646

FILES

648     /etc/iked.conf
649     /etc/examples/iked.conf
650

EXAMPLES

652     The first example is intended for a server with clients connecting to
653     iked(8) as an IPsec gateway, or IKEv2 responder, using mutual public key
654     authentication and additional challenge-based EAP-MSCHAPv2 password au‐
655     thentication:
656
657           user "test" "password123"
658
659           ikev2 "win7" esp \
660                   from dynamic to 172.16.2.0/24 \
661                   peer 10.0.0.0/8 local 192.168.56.0/24 \
662                   eap "mschap-v2" \
663                   config address 172.16.2.1 \
664                   tag "$name-$id"
665
666     The next example allows peers to authenticate using a pre-shared key
667     ‘foobar’:
668
669           ikev2 "big test" \
670                   esp proto tcp \
671                   from 10.0.0.0/8 port 23 to 20.0.0.0/8 port 40 \
672                   from 192.168.1.1 to 192.168.2.2 \
673                   peer any local any \
674                   ikesa \
675                           enc 3des auth hmac-sha2-256 \
676                           group ecp256 group modp1024 \
677                   ikesa \
678                           enc 3des auth hmac-sha1 \
679                           group ecp256 group modp1024 \
680                   childsa enc aes-128 auth hmac-sha2-256 \
681                   childsa enc aes-128 auth hmac-sha1 \
682                   srcid host.example.com \
683                   dstid 192.168.0.254 \
684                   psk "foobar"
685
686     The following example illustrates the last matching policy evaluation for
687     incoming connections on an IKEv2 gateway.  The peer 192.168.1.34 will al‐
688     ways match the first policy because of the quick keyword; connections
689     from the peers 192.168.1.3 and 192.168.1.2 will be matched by one of the
690     last two policies; any other connections from 192.168.1.0/24 will be
691     matched by the ‘subnet’ policy; and any other connection will be matched
692     by the ‘catch all’ policy.
693
694           ikev2 quick esp from 10.10.10.0/24 to 10.20.20.0/24 \
695                   peer 192.168.1.34
696           ikev2 "catch all" esp from 10.0.1.0/24 to 10.0.2.0/24 \
697                   peer any
698           ikev2 "subnet" esp from 10.0.3.0/24 to 10.0.4.0/24 \
699                   peer 192.168.1.0/24
700           ikev2 esp from 10.0.5.0/30 to 10.0.5.4/30 peer 192.168.1.2
701           ikev2 esp from 10.0.5.8/30 to 10.0.5.12/30 peer 192.168.1.3
702
703     This example encrypts a gre(4) tunnel from local machine A
704     (2001:db8::aa:1) to peer D (2001:db8::dd:4) based on FQDN-based public
705     key authentication; transport mode avoids double encapsulation:
706
707           ikev2 transport \
708                   proto gre \
709                   from 2001:db8::aa:1 to 2001:db8::dd:4 \
710                   peer D.example.com
711

SEE ALSO

713     enc(4), ipsec(4), ipsec.conf(5), pf.conf(5), ikectl(8), iked(8)
714

HISTORY

716     The iked.conf file format first appeared in OpenBSD 4.8.
717

AUTHORS

719     The iked(8) program was written by Reyk Floeter <reyk@openbsd.org>.
720
721BSD                             August 3, 2021                             BSD
Impressum