NAME

iked.conf - Internet Key Exchange Daemon Configuration File

DESCRIPTION

The iked.conf file is used to configure iked(8) (Internet Key Exchange Daemon). The parameters supplied are used to negotiate ISAKMP (phase1) and IPsec (phase2) SAs for IPsec capable hosts.

SYNTAX

The configuration parameters are expressed as a series of sections containing a number of statements. Sections begin with a keyword optionally followed by a parameter list. All statements for a section are enclosed using the ‘{’ and ‘}’ characters. Statements begin with a keyword optionally followed by a parameter list and are terminated with the ‘;’ character. Lines that begin with the ‘#’ character are treated as comments.

The typeset page denotes keywords and user supplied parameters using two distinct fonts; in the plain text below, keywords are written literally and user supplied parameters are written as the name of their type. Optional parameters are enclosed using the ‘[’ and ‘]’ characters. Multiple keywords that may be valid for a single parameter are enclosed using the ‘(’ and ‘)’ characters and separated using the ‘|’ character.

The defined parameter types are as follows:

- number: A decimal number
- label: A string comprised of alphanumeric characters
- quoted: A quoted string enclosed in ‘"’ characters
- address: An IP address expressed as x.x.x.x
- network: An IP network and prefix length expressed as x.x.x.x/y
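As an added example (not part of the man page or of the Shrew Soft code), the following Python parser implements the syntax rules above: comment lines are skipped, ‘{’ and ‘}’ delimit sections, ‘;’ terminates statements, and a quoted string is kept as a single parameter. The SAMPLE text and the function names are constructed for this illustration.

```python
import re

# Tokenizer for the iked.conf grammar: '{' '}' delimit sections, ';' ends a
# statement, "..." is a quoted string, lines starting with '#' are comments.
_TOKEN = re.compile(r'"([^"]*)"|([{};])|([^\s{};"]+)')

def tokenize(text):
    """Return (kind, value) pairs; kind is 'str', 'sym' or 'word'."""
    tokens = []
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        for m in _TOKEN.finditer(line):
            if m.group(1) is not None:
                tokens.append(("str", m.group(1)))
            elif m.group(2):
                tokens.append(("sym", m.group(2)))
            else:
                tokens.append(("word", m.group(3)))
    return tokens

def parse(text):
    """Parse into {'keyword', 'params'} dicts; sections also carry 'statements'."""
    tokens, pos = tokenize(text), 0

    def block(closing):
        nonlocal pos
        items, words = [], []
        while pos < len(tokens):
            kind, value = tokens[pos]
            pos += 1
            if kind != "sym":          # keyword or parameter of the pending statement
                words.append(value)
            elif value == "{":         # section: keyword [params] { ... }
                if not words:
                    raise ValueError("section without a keyword")
                items.append({"keyword": words[0], "params": words[1:],
                              "statements": block("}")})
                words = []
            else:                      # ';' or '}' ends the pending statement
                if words and value == "}":
                    raise ValueError(f"'{' '.join(words)}' is missing ';'")
                if words:
                    items.append({"keyword": words[0], "params": words[1:]})
                if value == "}":
                    if closing != "}":
                        raise ValueError("unexpected '}'")
                    return items
                words = []
        if closing is not None or words:
            raise ValueError("unterminated section or statement")
        return items

    return block(None)

# Constructed sample, modelled on the man page's second example.
SAMPLE = """# comment lines are skipped
daemon { socket ike 500; log_file "/var/log/iked.log"; }
peer 1.2.3.4 { authdata psk "sharedsecret";
    proposal isakmp { auth mutual_psk; life_sec 28800; } }"""
```

Calling parse(SAMPLE) yields a daemon section and a peer section whose nested proposal section is itself a list of statements.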
Daemon Section

daemon { statements }
- Specifies the general configuration for iked(8) operation. This includes parameters related to the basic network configuration, log file and debug output. Only one daemon section should be defined.

socket (ike | natt) [address] number;
- An address and port number that should be used for ike or natt communications. If the address parameter is omitted, the daemon will attempt to bind to any address for the given port number. If no socket statements are specified, the daemon will attempt to bind to all interfaces for both ike and natt using the default port numbers (500 and 4500 respectively). Note, the natt keyword can only be specified if the daemon was compiled with natt support.

retry_count number;
- The number of times an exchange packet should be resent to a peer. The default value for this parameter is 2.

retry_delay number;
- The number of seconds to wait between packet resend attempts. The default value for this parameter is 10.

log_file quoted;
- The path and file name that should be used for log output.

log_level (none | error | info | debug | loud | decode);
- The log output detail level. The default value for this parameter is none.

pcap_decrypt quoted;
- The path and file name that should be used to dump decrypted ike packets in pcap format. If no pcap_decrypt statement is specified, this feature is disabled.

pcap_encrypt quoted;
- The path and file name that should be used to dump encrypted ike packets in pcap format. If no pcap_encrypt statement is specified, this feature is disabled.

dhcp_file quoted;
- The path and file name that should be used to store a dhcp mac address seed value for dhcp over ipsec negotiation. If no file is present, the file will be created.
Network Group Section

netgroup label { statements }
- Specifies a group of networks that can be referred to by the assigned label. Multiple netgroup sections may be defined.

network;
- A network to be associated with this network group.
XAuth LDAP Section

xauth_ldap { statements }
- Specifies the LDAP configuration to be used when the xauth_source is set to ldap for a given peer section. Only one xauth_ldap section should be defined. Note, an xauth_ldap section can only be defined if the daemon was compiled with LDAP support.

version number;
- The LDAP protocol version to be used (2 or 3). The default value for this parameter is 3.

url quoted;
- The LDAP server url. For example, a url may look like "ldap://ldap.shrew.net:389".

base quoted;
- The base dn to be used for LDAP searches. For example, a base dn may look like "ou=users,dc=shrew,dc=net".

subtree (enable | disable);
- The search scope to be used for LDAP searches. If enabled, searches will be performed using the subtree search scope. If disabled, searches will be performed using the one level search scope. The default value for this parameter is disable.

bind_dn quoted;
- The dn to bind as before performing LDAP searches. If this parameter is omitted, searches will be performed using anonymous binds.

bind_pw quoted;
- The password to use when a bind_dn is specified.

attr_user quoted;
- The attribute used to specify a user name in the LDAP directory. For example, if a user dn is "cn=user,dc=shrew,dc=net" then the attribute would be "cn". The default value for this parameter is "cn".

attr_group quoted;
- The attribute used to specify a group name in the LDAP directory. For example, if a group dn is "cn=group,dc=shrew,dc=net" then the attribute would be "cn". The default value for this parameter is "cn".

attr_member quoted;
- The attribute used to specify a group member in the LDAP directory. The default value for this parameter is "member".
XConf Local Section

xconf_local { statements }
- Specifies the Configuration Exchange settings to be used when the xconf_source is set to local for a given peer section. Only one xconf_local section should be defined.

network4 network [number];
- The network that will be used to define a local address pool. An optional number can be specified to restrict the pool to a specific size. An address from this pool along with the network mask are passed to a peer when requested.

dnss4 address;
- The dns server address to be passed to a peer when requested.

nbns4 address;
- The netbios name server address to be passed to a peer when requested.

dns_suffix quoted;
- The dns suffix to be passed to a peer when requested.

dns_list quoted quoted ...;
- A list of split dns suffixes to be passed to a peer when requested. A peer can use this list to selectively forward dns requests to the dnss4 server when a query matches one of the supplied split dns suffixes.

banner quoted;
- The path to a file that contains a login banner to be passed to a peer when requested.

pfs_group number;
- The pfs group number to be passed to a peer when requested.
Peer Section

peer address [number] { statements }
- Specifies the parameters used to communicate with a given peer by address and optional port number. If the port value is omitted, the default isakmp port number will be used (500). If an address of 0.0.0.0 is used, the peer section can be used for any remote host. Multiple peer sections may be defined.

contact (initiator | responder | both);
- Specifies the contact type when establishing phase1 negotiations with a peer. If initiator is used, the daemon will initiate contact but deny contact initiated by the peer. If responder is used, the daemon will allow contact initiated by the peer but will not initiate contact. If both is specified, the daemon will initiate contact and allow the peer to initiate contact.

exchange (main | aggressive);
- Specifies the exchange type to be used for phase1 negotiations with a peer. The default value for this parameter is main.

natt_mode (disable | enable | force [draft | rfc]);
- Specifies the NAT Traversal mode to be used for phase1 negotiations with a peer. If disable is used, natt negotiations will not be attempted. If enable is used, the daemon will attempt to negotiate and use NAT Traversal when appropriate. If force is used, the daemon will use NAT Traversal even if the peer does not negotiate support for this feature. When force is used, the draft or rfc modifiers can optionally be specified to select the required method, with rfc being the default if omitted. The default value for this parameter is disable.

natt_port number;
- Specifies the NAT Traversal port number to be used for phase1 negotiations with a peer when acting as an initiator. The default value for this parameter is 4500.

natt_rate number;
- Specifies the number of seconds between sending NAT Traversal keep-alive messages. The default value for this parameter is 15.

dpd_mode (disable | enable | force);
- Specifies the Dead Peer Detection mode to be used with a peer. If disable is used, DPD negotiations will not be attempted. If enable is used, the daemon will attempt to negotiate and use DPD when appropriate. If force is used, the daemon will use DPD even if the peer does not negotiate support for this feature. The default value for this parameter is disable.

dpd_delay number;
- Specifies the number of seconds between sending DPD are-you-there messages. The default value for this parameter is 15.

dpd_retry number;
- Specifies the number of times a DPD are-you-there message will be retransmitted when no response is received. The default value for this parameter is 5.

frag_ike_mode (disable | enable | force);
- Specifies the IKE Fragmentation mode to be used with a peer. If disable is used, IKE Fragmentation negotiations will not be attempted. If enable is used, the daemon will attempt to negotiate and use IKE Fragmentation when appropriate. If force is used, the daemon will use IKE Fragmentation even if the peer does not negotiate support for this feature. The default value for this parameter is disable.

frag_ike_size number;
- Specifies the maximum number of bytes for an IKE Fragment. The default value for this parameter is 520.

frag_esp_mode (disable | enable);
- Specifies the ESP Fragmentation mode to be used with a peer. If disable is used, the daemon will create IPsec SAs without the ESP Fragmentation option. If enable is used, the daemon will create IPsec SAs with the ESP Fragmentation option. The default value for this parameter is disable. Note, ESP Fragmentation is only valid for IPsec SAs using NAT Traversal. The operating system must also have support for this feature (NetBSD only).

frag_esp_size number;
- Specifies the maximum number of bytes for an ESP Fragment. The default value for this parameter is 520.

peerid (local | remote) type ...;
- Specifies either the local identity to be sent to a peer or the remote identity to be compared with the value received from a peer during phase1 negotiations. The valid identity types are as follows:

  address [address];
  - An IP Address. If the address value is omitted, the network address used during phase1 negotiations is used.

  fqdn quoted;
  - A Fully Qualified Domain Name string.

  ufqdn quoted;
  - A User Fully Qualified Domain Name string.

  asn1dn [quoted];
  - An ASN.1 Distinguished Name string. If the quoted value is omitted, the daemon will acquire the DN from the subject field contained within the certificate.

authdata type ...;
- Specifies the authentication data to use during phase1 negotiations. The valid authentication data types are as follows:

  psk quoted;
  - A Pre Shared Secret.

  ca quoted [quoted];
  - A path to an OpenSSL PEM or PSK12 file that contains the Remote Certificate Authority. In the case where a PSK12 file is encrypted, the second quoted parameter specifies the file password.

  cert quoted [quoted];
  - A path to an OpenSSL PEM or PSK12 file that contains the Local Public Certificate. In the case where a PSK12 file is encrypted, the second quoted parameter specifies the file password.

  pkey quoted [quoted];
  - A path to an OpenSSL PEM or PSK12 file that contains the Local Private Key. In the case where a PSK12 file is encrypted, the second quoted parameter specifies the password.

life_check level;
- Specifies the behavior when validating peer lifetime proposal values. The default level is claim. The valid levels are as follows:

  obey
  - A responder will always use the initiator's value.

  strict
  - A responder will use the initiator's value if it is shorter than the responder's. A responder will reject the proposal if the initiator's value is greater than the responder's.

  claim
  - A responder will use the initiator's value if it is shorter than the responder's. A responder will use its own value if it is shorter than the initiator's. In the second case, the responder will send a RESPONDER-LIFETIME notification to the initiator when responding to phase2 proposals.

  exact
  - A responder will reject the proposal if the initiator's value is not equal to the responder's.

xauth_source (local | ldap) [quoted];
- Specifies the Extended Authentication source to be used for user authentication post phase1 negotiations. The optional quoted value specifies a group name that can be used to restrict access to only users that are valid members of the group. If local is used, the peer supplied credentials will be compared to the local account database. If ldap is used, the peer supplied credentials will be compared to an LDAP account database. The LDAP source configuration is defined in the xauth_ldap section. The default value for this parameter is local.

xconf_source local [(push | pull)];
- Specifies the Configuration Exchange source to be used when responding to peer configuration requests. If local is used, the daemon will supply configuration information defined in the xconf_local section. The default value for this parameter is local.

plcy_mode (disable | config | compat);
- Specifies the policy generation mode. When disable is used, no policy generation is performed. When config mode is used, policy generation is performed during Configuration Exchange. This allows the daemon to generate policies using the peer's private tunnel address. When compat mode is used, policy generation is performed post phase1 negotiations. This allows the daemon to interoperate with peers that do not support Configuration Exchanges.

plcy_list { statements }
- Specifies a list of network groups and parameters that can be used to perform policy generation. If no plcy_list is defined but plcy_mode is set to config or compat, the daemon operates as if a single include statement was used that specified a netmap defining all networks.

  (include | exclude) label [quoted];
  - Specifies a netgroup by label for use with policy generation. When include is used, the daemon will generate appropriate IPsec policies and pass all netgroup defined networks during the Configuration Exchange if requested. A peer would use this configuration information to selectively tunnel all traffic destined for any one of these networks. If exclude is used, the daemon will generate appropriate discard policies and pass all netgroup defined networks during the Configuration Exchange if requested. A peer would use this configuration information to selectively bypass IPsec processing for all traffic destined to any one of these networks. The optional quoted string specifies a group name that can be used to restrict processing of this netgroup to only users that are valid members of the group. If XAuth is not performed, statements that define a group name are skipped.
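An added illustration, not part of the man page or of the iked implementation, of how a plcy_list is resolved into per-peer policies. The netgroups and plcy_list below are constructed from the third example in EXAMPLES; generate_policies and its 'ipsec'/'discard' labels are this example's own names, and treating a missing plcy_list as an include of 0.0.0.0/0 is an assumption.

```python
import ipaddress

# Constructed input mirroring the man page's third example: netgroups keyed
# by label, and a peer's plcy_list as (action, label, required_xauth_group).
NETGROUPS = {
    "allow": ["10.1.1.0/24", "10.3.3.0/24"],
    "deny": ["1.1.1.15/32"],
    "protect": ["10.4.4.0/24"],
}
PLCY_LIST = [
    ("include", "allow", None),
    ("exclude", "deny", None),
    ("include", "protect", "netadmin"),
]

def generate_policies(netgroups, plcy_list, xauth_groups=None):
    """Return (policies, xconf) for one peer.

    policies: [(network, 'ipsec' | 'discard')], 'ipsec' for include
              statements and 'discard' for exclude statements.
    xconf:    {'include': [...], 'exclude': [...]} networks that would be
              passed to the peer during the Configuration Exchange.
    xauth_groups: groups of the authenticated XAuth user, or None when no
              XAuth was performed (group-restricted statements are skipped).
    """
    if not plcy_list:
        # No plcy_list: act as one include statement covering all networks,
        # interpreted here as 0.0.0.0/0 (an assumption of this example).
        netgroups = {**netgroups, "*": ["0.0.0.0/0"]}
        plcy_list = [("include", "*", None)]
    policies, xconf = [], {"include": [], "exclude": []}
    for action, label, group in plcy_list:
        if action not in xconf:
            raise ValueError(f"unknown plcy_list statement {action!r}")
        if label not in netgroups:
            raise KeyError(f"plcy_list refers to undefined netgroup {label!r}")
        if group is not None and (xauth_groups is None or group not in xauth_groups):
            continue  # group-restricted statement the user does not qualify for
        for net in netgroups[label]:
            network = ipaddress.ip_network(net, strict=True)  # validates x.x.x.x/y
            policies.append((str(network), "ipsec" if action == "include" else "discard"))
            xconf[action].append(str(network))
    # Order discard entries first and most-specific prefixes first, so a host
    # excluded from a wider included network is bypassed before the tunnel
    # policy matches (an ordering choice of this example).
    policies.sort(key=lambda p: (p[1] != "discard", -ipaddress.ip_network(p[0]).prefixlen))
    return policies, xconf
```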
proposal type { statements }
- Specifies a proposal to be used during SA negotiations with a peer. The valid proposal types are as follows:

  isakmp
  - An ISAKMP proposal supports the following:

    auth type;
    - Define the authentication mechanism for the ISAKMP proposal. The accepted types are hybrid_xauth_rsa, mutual_xauth_rsa, mutual_xauth_psk, mutual_rsa and mutual_psk.

    ciph type [number];
    - Define the cipher algorithm for this proposal. The optional number specifies the keylength for algorithms that support it. The accepted types are aes, blowfish, 3des, cast and des.

    hash type;
    - Define the hash algorithm for this proposal. The accepted types are md5 and sha1.

    dhgr number;
    - Define the DH group for this proposal. The accepted values are 1, 2, 5, 14, 15, 16, 17 and 18.

  ah
  - An AH proposal supports the following:

    hash type;
    - Define the hash algorithm for this proposal. The accepted types are md5 and sha1.

    dhgr number;
    - Define the DH group for this proposal. The accepted values are 1, 2, 5, 14, 15, 16, 17 and 18.

  esp
  - An ESP proposal supports the following:

    ciph type [number];
    - Define the cipher algorithm for this proposal. The optional number specifies the keylength for algorithms that support it. The accepted types are aes, blowfish, 3des, cast and des.

    hmac type;
    - Define the message authentication algorithm for this proposal. The accepted types are md5 and sha1.

    dhgr number;
    - Define the DH group for this proposal. The accepted values are 1, 2, 5, 14, 15, 16, 17 and 18.

  ipcomp
  - An IPCOMP proposal supports the following:

    comp type;
    - Define the compression algorithm for this proposal. The accepted types are deflate and lzs.

  All proposal types support the following:

    life_sec number;
    - Define the lifetime in seconds for this proposal.

    life_kbs number;
    - Define the lifetime in kilobytes for this proposal.
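A review-side check, added here and not part of the man page or of iked, that scans parsed proposals for the weak algorithm choices the proposal grammar above still accepts (des, md5, DH groups 1 and 2, the 64-bit block ciphers) and for proposals that pin no cipher at all. The ratings and the audit_proposal/audit_peer names are this example's own; the sample input is constructed from the third example in EXAMPLES.

```python
# Ratings used by this check; they are the example's own judgement, not
# anything the iked.conf man page states about its accepted algorithm types.
WEAK_CIPHERS = {"des"}                          # 56-bit effective key
LEGACY_CIPHERS = {"3des", "blowfish", "cast"}   # 64-bit block size
WEAK_HASHES = {"md5"}                           # hash (isakmp/ah) and hmac (esp)
WEAK_DH_GROUPS = {1, 2}                         # 768-bit and 1024-bit MODP
CIPHER_PROPOSALS = {"isakmp", "esp"}            # proposal types that take ciph

def audit_proposal(ptype, statements):
    """Findings for one 'proposal <ptype> { ... }' block, given its statements
    as (keyword, params) pairs, e.g. ("ciph", ["aes", "128"])."""
    findings, keywords = [], set()
    for keyword, params in statements:
        keywords.add(keyword)
        if keyword == "ciph":
            alg = params[0].lower()
            if alg in WEAK_CIPHERS:
                findings.append(f"{ptype}: cipher {alg} is weak")
            elif alg in LEGACY_CIPHERS:
                findings.append(f"{ptype}: cipher {alg} uses a 64-bit block")
        elif keyword in ("hash", "hmac") and params[0].lower() in WEAK_HASHES:
            findings.append(f"{ptype}: {keyword} {params[0]} is weak")
        elif keyword == "dhgr" and int(params[0]) in WEAK_DH_GROUPS:
            findings.append(f"{ptype}: DH group {params[0]} is weak")
    if ptype in CIPHER_PROPOSALS and "ciph" not in keywords:
        findings.append(f"{ptype}: no ciph statement, cipher is not pinned")
    return findings

def audit_peer(proposals):
    """Findings over all proposals of one peer: a list of (ptype, statements)."""
    return [f for ptype, stmts in proposals for f in audit_proposal(ptype, stmts)]

# Constructed input matching the proposals in the man page's third example.
EXAMPLE_PROPOSALS = [
    ("isakmp", [("auth", ["mutual_xauth_psk"]), ("ciph", ["3des"]),
                ("hash", ["md5"]), ("dhgr", ["2"]),
                ("life_sec", ["28800"]), ("life_kbs", ["0"])]),
    ("esp", [("life_sec", ["3800"]), ("life_kbs", ["0"])]),
]
```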
EXAMPLES

This section contains a few iked configuration examples.

The first example shows a configuration that only defines the parameters required to support client connectivity mode with NATT and debug options enabled.

    daemon
    {
        socket ike 500;
        socket natt 4500;
        log_level debug;
        log_file "/var/log/iked.log";
        pcap_decrypt "/var/log/ike-decrypt.pcap";
        pcap_encrypt "/var/log/ike-encrypt.pcap";
        retry_delay 10;
        retry_count 2;
    }

The second example shows a configuration that supports simple peer to peer negotiations using mutual preshared key authentication.

    daemon
    {
        socket ike 500;
        log_level debug;
        log_file "/var/log/iked.log";
    }

    peer 1.2.3.4
    {
        exchange main;
        peerid local address;
        peerid remote address;
        authdata psk "sharedsecret";
        life_check claim;

        proposal isakmp
        {
            auth mutual_psk;
            life_sec 28800;
            life_kbs 0;
        }

        proposal esp
        {
            life_sec 3800;
            life_kbs 0;
        }
    }

The third example shows a configuration that supports client gateway negotiations using mutual preshared key authentication with xauth, nat traversal, dead peer detection, ike fragmentation and policy generation. The daemon would allow xauth users that are members of the "remote" group to connect to the gateway. Policies would be generated to allow a peer access to the 10.1.1.0/24 and 1.3.3.0/24 networks with the exception of 1.1.1.15/32, which would be accessed directly (not via IPsec). Peers that use an xauth user account that is a member of the "netadmin" group would have additional policies generated to allow access to the 10.4.4.0/24 network.

    daemon
    {
        socket ike 500;
        socket natt 4500;
        log_level debug;
        log_file "/var/log/iked.log";
        pcap_decrypt "/var/log/ike-decrypt.pcap";
        pcap_encrypt "/var/log/ike-encrypt.pcap";
    }

    netgroup allow
    {
        10.1.1.0/24;
        10.3.3.0/24;
    }

    netgroup deny
    {
        1.1.1.15/32;
    }

    netgroup protect
    {
        10.4.4.0/24;
    }

    xconf_local
    {
        network4 10.2.1.0/24;
        dnss4 10.1.1.1;
        nbns4 10.1.1.1;
        dns_suffix "foo.com";
        dns_list "foo.com" "bar.com";
        banner "/etc/iked.motd";
        pfs_group 2;
    }

    peer 0.0.0.0
    {
        contact responder;
        exchange main;
        natt_mode enable;
        dpd_mode enable;
        frag_ike_mode enable;
        peerid local address;
        peerid remote address;
        authdata psk "sharedsecret";
        life_check claim;
        xauth_source local "remote";
        xconf_source local;
        plcy_mode config;

        plcy_list
        {
            include allow;
            exclude deny;
            include protect "netadmin";
        }

        proposal isakmp
        {
            auth mutual_xauth_psk;
            ciph 3des;
            hash md5;
            dhgr 2;
            life_sec 28800;
            life_kbs 0;
        }

        proposal esp
        {
            life_sec 3800;
            life_kbs 0;
        }
    }

SEE ALSO

ipsec(4), iked(8), setkey(8)

HISTORY

The iked.conf parser was written by Matthew Grooms (mgrooms@shrew.net) as part of the Shrew Soft (http://www.shrew.net) family of IPsec products.