.\"
.\" Copyright (c) 2007
.\"      Shrew Soft Inc.  All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\" 3. Redistributions in any form must be accompanied by information on
.\"    how to obtain complete source code for the software and any
.\"    accompanying software that uses the software.  The source code
.\"    must either be included in the distribution or be available for no
.\"    more than the cost of distribution plus a nominal fee, and must be
.\"    freely redistributable under reasonable conditions.  For an
.\"    executable file, complete source code means the source code for all
.\"    modules it contains.  It does not include source code for modules or
.\"    files that typically accompany the major components of the operating
.\"    system on which the executable file runs.
.\"
.\" THIS SOFTWARE IS PROVIDED BY SHREW SOFT INC ``AS IS'' AND ANY EXPRESS
.\" OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
.\" WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR
.\" NON-INFRINGEMENT, ARE DISCLAIMED.  IN NO EVENT SHALL SHREW SOFT INC
.\" BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
.\" CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
.\" SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
.\" INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
.\" CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
.\" THE POSSIBILITY OF SUCH DAMAGE.
.\"
.\" AUTHOR : Matthew Grooms
.\"          mgrooms@shrew.net
.\"
.\"
.Dd Febuary 2, 2007
.Dt IKED 8
.Os
.Sh NAME
.Nm iked.conf
.Nd Internet Key Exchange Daemon Configuration File
.Sh DESCRIPTION
The
.Nm
file is used to configure
.Xr iked 8
( Internet Key Exchange Daemon ). The parameters supplied are used to
negotiate ISAKMP ( phase1 ) and IPsec ( phase2 ) SAs for IPsec capable
hosts.
.Sh SYNTAX
.Pp
The configuration parameters are expressed as a series of sections
containing a number of statements. Sections begin with a keyword
optionally followed by a parameter list. All statements for a section
are enclosed using the
.Ql \&{
and
.Ql \&}
characters. Statements begin with a keyword optionally followed by
a parameter list and are terminated with the
.Ql \&;
character. Lines that begin with the
.Ql \&#
character are treated as comments.
.Pp
.Lp
This document denotes keywords using
.Ic this
font and user supplied parameters using
.Ar this
font. Optional parameters are enclosed using the
.Ql \&[
and
.Ql \&]
characters. Multiple keywords that may be valid for a single parameter are
enclosed using the 
.Ql \&(
and
.Ql \&)
characters and separated using the
.Ql \&|
character.
.Pp
The defined parameter types are as follows ...
.Pp
.Bl -tag -width addressx -compact
.It Ar number
A decimal number
.It Ar label
A string comprised of alphanumeric characters
.It Ar quoted
A quoted string enclosed in
.Ql \&"
characters
.It Ar address
An IP address expressed as x.x.x.x
.It Ar network
An IP network and prefix length expressed as x.x.x.x/y
.El
.Ss Daemon Section
.Bl -tag -width Ds -compact
.It Ic daemon { Ar statements Ic }
Specifies the general configuration for
.Xr iked 8
operation. This includes parameters related to the basic network configuration,
log file and debug output. Only one
.Ic daemon
section should be defined.
.Pp
.Bl -tag -width Ds -compact
.It Ic socket ( ike | natt ) Ar [ address ] number ;
An address and port number that should be used for ike or natt communications.
If the address parameter is omitted, the daemon will attempt to bind to any
address for the given port number. If no socket statements are specified, the
daemon will attempt to bind to all interfaces for both ike and natt using the
default port numbers ( 500 & 4500 respectively ). Note, the
.Ar natt
keyword can only be specified if the daemon was compiled with natt support.
.It Ic retry_count Ar number;
The number of times an exchange packet should be resent to a peer. The default
value for this parameter is 2.
.It Ic retry_delay Ar number;
The number of seconds to wait between packet resend attempts. The default
value for this parameter is 10.
.It Ic log_file Ar quoted ;
The path and file name that should be used for log output.
.It Ic log_level (none | error | info | debug | loud | decode) ;
The log output detail level. The default value for this parameter is
.Ic none .
.It Ic pcap_decrypt Ar quoted;
The path and file name that should be used to dump decrypted ike packets in
pcap format. If no 
.Ic pcap_decrypt
statement is specified, this feature is disabled.
.It Ic pcap_encrypt Ar quoted;
The path and file name that should be used to dump encrypted ike packets in
pcap format. If no 
.Ic pcap_encrypt
statement is specified, this feature is disabled.
.It Ic dhcp_file Ar quoted;
The path and file name that should be used to store a dhcp mac address seed
value for dhcp over ipsec negotiation. If no file is present, the file will
be created.
.El
.El
.Ss Network Group Section
.Bl -tag -width Ds -compact
.It Ic netgroup Ar label Ic { Ar statements Ic }
Specifies a group of networks that can be refferred to by the assigned label.
Multiple
.Ic netgroup
sections may be defined.
.Pp
.Bl -tag -width Ds -compact
.It Ic network ;
A network to be associated with this network group.
.El
.El
.Ss XAuth LDAP Section
.Bl -tag -width Ds -compact
.It Ic xauth_ldap { Ar statements Ic }
Specifies the LDAP configuration to be used for when the
.Ic xauth_source
is set to
.Ic ldap
for a given peer section. Only one
.Ic xauth_ldap
section should be defined. Note, an
.Ic xauth_ldap
section can only be defined if the daemon was compiled with LDAP support.
.Pp
.Bl -tag -width Ds -compact
.It Ic version Ar number ;
The LDAP protocol version to be used ( 2 or 3 ). The default value for this
parameter is 3.
.It Ic url Ar quoted ;
The LDAP server url. For example, a url may look like
"ldap://ldap.shrew.net:389".
.It Ic base Ar quoted ;
The base dn to be used for LDAP searches. For example, a base dn may look like
"ou=users,dc=shrew,dc=net".
.It Ic subtree (enable | disable);
The search scope to be used for LDAP searches. If enabled, searches will be
performed using the subtree search scope. If disabled, searches will be
performed using the one level search scope. The default value for this
parameter is
.Ic disable .
.It Ic bind_dn Ar quoted;
The dn to bind as before performing LDAP searches. If this parameter is omitted,
searches will be performed using anonymous binds.
.It Ic bind_pw Ar quoted;
The password to use when a
.Ic bind_dn
is specified.
.It Ic attr_user Ar quoted;
The attribute used to specify a user name in the LDAP directory.  For example,
if a user dn is "cn=user,dc=shrew,dc=net" then the attribute would be "cn".
The default value for this parameter is "cn".
.It Ic attr_group Ar quoted;
The attribute used to specify a group name in the LDAP directory.  For example,
if a group dn is "cn=group,dc=shrew,dc=net" then the attribute would be "cn".
The default value for this parameter is "cn".
.It Ic attr_member Ar quoted;
The attribute used to specify a group member in the LDAP directory. The default
value for this parameter is "member".
.El
.El
.Ss XConf Local Section
.Bl -tag -width Ds -compact
.It Ic xconf_local { Ar statements Ic }
Specifies the Configuration Exchange settings to be used when the
.Ic xconf_source
is set to
.Ic local
for a given peer section. Only one
.Ic xconf_local
section should be defined.
.Pp
.Bl -tag -width Ds -compact
.It Ic network4 Ar network [number];
The network that will be used to define a local address pool. An optional number
can be specified to restrict the pool to a specific size. An address from this
pool along with the network mask are passed to a peer when requested.
.It Ic dnss4 Ar address;
The dns server address to be passed to a peer when requested.
.It Ic nbns4 Ar address;
The netbios name server address to be passed to a peer when requested.
.It Ic dns_suffix Ar quoted;
The dns suffix to be passed to a peer when requested.
.It Ic dns_list Ar quoted quoted ... ;
A list of split dns suffixes to be passed to a peer when requested. A peer can
use this list to selectivly forward dns requests to the
.Ic dnss4
server when a query matches one of the supplied split dns suffixes.
.It Ic banner Ar quoted;
The path to a file that contains a login banner to be passed to a peer when
requested.
.It Ic pfs_group Ar number;
The pfs group number to be passed to a peer when requested.
.El
.El
.Ss Peer Section
.Bl -tag -width Ds -compact
.It Ic peer Ar address [ number ] Ic { Ar statements Ic }
Specifies the parameters used to communicate with a given peer by address and
optional port number. If the port value is omitted, the default isakmp port
number will be used ( 500 ). If an address of 0.0.0.0 is used, the peer
section can be used for any remote host. Multiple 
.Ic peer
sections may be defined.
.Pp
.Bl -tag -width Ds -compact
.It Ic contact (initiator | responder | both) ;
Specifies the contact type when establishing phase1 negotiations with a peer. If
.Ic initiator
is used, the daemon will initiate contact but deny contact initiated by the
peer. If
.Ic responder
is used, the daemon will allow contact initiated by the peer but will not
initiate contact. If
.Ic both
is specified, the daemon will initiate contact and allow the peer to initiate
contact.
.It Ic exchange (main | aggressive) ;
Specifies the exchange type to be used for phase1 negotiations with a peer.
The default value for this parameter is
.Ic main .
.It Ic natt_mode (disable | enable | force [ draft | rfc ] ) ;
Specifies the NAT Traversal mode to be used for phase1 negotiations with a
peer. If
.Ic disable
is used, natt negotiations will not be attempted. If
.Ic enable
is used, the daemon will attempt to negotiate and use NAT Traversal when
appropriate. If
.Ic force
is used, the daemon will use NAT Traversal even if the peer does not negotiate
support for this feature. When force is used, the
.Ic draft
or
.Ic rfc
modifiers can optionally be specified to select the required method with
.Ic rfc
being the default if omitted. The default value for this parameter is
.Ic disable .
.It Ic natt_port Ar number ;
Specifies the NAT Traversal port number to be used for phase1 negotiations
with a peer when acting as an initiator. The default value for this parameter
is 4500.
.It Ic natt_rate Ar number ;
Specifies the number of seconds between sending NAT Traversal keep-alive
messages. The default value for this parameter is 15.
.It Ic dpd_mode (disable | enable | force) ;
Specifies the Dead Peer Detection mode to be used with a peer. If
.Ic disable
is used, DPD negotiations will not be attempted. If
.Ic enable
is used, the daemon will attempt to negotiate and use DPD when appropriate. If
.Ic force
is used, the daemon will use DPD even if the peer does not negotiate support
for this feature. The default value for this parameter is
.Ic disable .
.It Ic dpd_delay Ar number ;
Specifies the number of seconds between sending DPD are-you-there messages. The
default value for this parameter is 15.
.It Ic dpd_retry Ar number ;
Specifies the number times a DPD are-you-there message will be retransmitted
when no response is received. The default value for this parameter is 5.
.It Ic frag_ike_mode (disable | enable | force) ;
Specifies the IKE Fragmentation mode to be used with a peer. If
.Ic disable
is used, IKE Fragmentation negotiations will not be attemted. If 
.Ic enable
is used, the daemon will attempt to negotiate and use IKE Fragmentation when
appropriate. If
.Ic force
is used, the daemon will use IKE Fragmentation even if the peer does not
negotiate support for this feature. The default value for this parameter is
.Ic disable .
.It Ic frag_ike_size Ar number ;
Specifies the maximum number of bytes for an IKE Fragment. The default value
for this parameter is 520.
.It Ic frag_esp_mode (disable | enable) ;
Specifies the ESP Fragmentation mode to be used with a peer. If
.Ic disable
is used, the daemon will create IPsec SAs without the ESP Fragmentation option.
If 
.Ic enable
is used, the daemon will create IPsec SAs with the ESP Fragmentation option.
The default value for this parameter is
.Ic disable .
Note, ESP Fragmentation is only valid for IPsec SAs using NAT Traversal. The
operating system must also have support for this feature. ( NetBSD Only )
.It Ic frag_esp_size Ar number ;
Specifies the maximum number of bytes for an ESP Fragment. The default value
for this parameter is 520.
.It Ic peerid (local | remote) Ar type ... ;
Specifies either the
.Ic local
identity to be sent to a peer or the
.Ic remote
identity to be compared with the value received from a peer during phase1
negotiations. The valid identity
.Ar types
are as follows ...
.Bl -tag -width Ds -compact
.It Ic address Ar [address] ;
An IP Address. If the address value is omitted, the network address used
during phase1 negotiations is used.
.It Ic fqdn Ar quoted ;
A Fully Qualified Domain Name string.
.It Ic ufqdn Ar quoted ;
A User Fully Qualified Domain Name string.
.It Ic asn1dn Ar [quoted] ;
An ASN.1 Distinguished Name string. If the quoted value is omitted, the daemon
will aquire the DN from the subject field contained within the certificate.
.El
.It Ic authdata Ar type ... ;
Specifies the authentication data to use during phase1 negotiations. The valid
authentication data
.Ar types
are as follows ...
.Bl -tag -width Ds -compact
.It Ic psk Ar quoted ;
A Pre Shared Secret.
.It Ic ca Ar quoted [quoted];
A path to a OpenSSL PEM or PSK12 file that contains the Remote Certificate
Autority. In the case where a PSK12 file is encrypted, the second quoted
parameter specifies the file password.
.It Ic cert Ar quoted [quoted];
A path to a OpenSSL PEM or PSK12 file that contains the Local Public
Certificate. In the case where a PSK12 file is encrypted, the second quoted
parameter specifies the file password.
.It Ic pkey Ar quoted [quoted];
A path to a OpenSSL PEM or PSK12 file that contains the Local Private Key. In
the case where a PSK12 file is encrypted, the second quoted parameter specifies
the password.
.El
.It Ic life_check Ar level ;
Specifies the behavior when validating peer lifetime proposal values. The
default level is
.Ic claim .
The valid levels are as follows ...
.Bl -tag -width Ds -compact
.It Ic obey
A responder will always use the initiators value.
.It Ic strict
A responder will use the initiators value if it is shorter than the responders.
A responder will reject the proposal if the initiators value is greater than
the responders.
.It Ic claim
A responder will use the initiators value if it is shorter than the responders.
A responder will use its own value if it is shorter than the initiators. In
the second case, the responder will send a RESPONDER-LIFETIME notification to
the initiator when responding to phase2 proposals.
.It Ic exact ;
A responder will reject the proposal if the initiators value is not equal to
the responders.
.El
.It Ic xauth_source (local | ldap) Ar [quoted] ;
Sepcifies the Extended Authentication source to be used for user authentication
post phase1 negotitations. The optional quoted value specifies a group name
that can be used to restrict access to only users that are valid members of the
group. If
.Ic local
is used, the peer supplied credentials will be compared to the local account
database. If
.Ic ldap
is used, the peer supplied credentials will be compared to an LDAP account
database. The LDAP source configuration is defined in the
.Ic xauth_ldap
section. The default value for this parameter is
.Ic local .
.It Ic xconf_source local Ic [(push | pull)];
Sepcifies the Configuration Exchange source to be used when responding to peer
configuration requests. If
.Ic local
is used, the daemon will supply configuration information defined in the
.Ic xconf_local
section. The default value for this parameter is
.Ic local .
.It Ic plcy_mode (disable | config | compat) ;
Specifies the policy generation mode. When
.Ic disable
is used, no policy generation is performed. When
.Ic config
mode is used, policy generation is performed during Configuration Exchange.
This allows the daemon to generate polices using the peers private tunnel
address. When
.Ic compat
mode is used, policy generation is performed post phase1 negotiations. This
allows the daemon to interoperate with peers that do not support Configuration
Exchanges.
.It Ic plcy_list { Ar statements Ic }
Specifies a list of network groups and parameters that can be used to perform
policy generation. If no
.Ic plcy_list
is defined but
.Ic plcy_mode
is set to 
.Ic config
or
.Ic compat ,
the daemon operates as if a single
.Ic include
statement was used that specified a netmap defining all networks.
.Bl -tag -width Ds -compact
.It Ic (include | exclude) Ar label [quoted] ;
Specifies a
.Ic netgroup
by label for use with policy generation. When
.Ic include
is used, the daemon will generate appropriate IPsec policies and pass all
.Ic netgroup
defined networks during the Configuration Exchange if requested. A peer would
use this configuration information to selectively tunnel all traffic destined
for any one of these networks. If
.Ic exclude
is used, the daemon will generate appropriate discard policies and pass all
.Ic netgroup
defined networks during the Configuration Exchange if requested. A peer would
use this configuration information to selectively bypass IPsec processing for
all traffic destined to any one of these networks. The optional quoted string
specifies a group name that can be used to restrict processing of this
netgroup to only users that are valid members of the group. If XAuth is not
performed, statements that define a group name are skipped.
.El
.It Ic proposal Ar type { statements }
Specifies a proposal to be used during SA negotiations with a peer. The valid
proposal types are as follows ...
.Bl -tag -width Ds -compact
.Pp
.It Ic isakmp
An ISAKMP proposal supports the following ...
.Bl -tag -width Ds -compact
.It Ic auth Ar type ;
Define the authentication mechanism for the ISAKMP proposal. The accepted types
are
.Ic hybrid_xauth_rsa , mutual_xauth_rsa , mutual_xauth_psk , mutual_rsa
and
.Ic mutual_psk .
.It Ic ciph Ar type [number] ;
Define the cipher algorithm for this proposal. The optional number specifies
the keylength for algorithms that support it. The accepted types are
.Ic aes , blowfish , 3des , cast
and
.Ic des .
.It Ic hash Ar type ;
Define the hash algorithm for this proposal. The accepted types are
.Ic md5
and
.Ic sha1 .
.It Ic dhgr Ar number ;
Define the DH group for this proposal. The accepted values are
.Ic 1 , 2 , 5 , 14 , 15, 16, 17, 18
and
.Ic 16 .
.El
.Pp
.It Ic ah
An AH proposal supports the following ...
.Bl -tag -width Ds -compact
.It Ic hash Ar type ;
Define the hash algorithm for this proposal. The accepted types are
.Ic md5
and
.Ic sha1 .
.It Ic dhgr Ar number ;
Define the DH group for this proposal. The accepted values are
.Ic 1 , 2 , 5 , 14 , 15, 16, 17, 18
and
.Ic 16 .
.El
.Pp
.It Ic esp
An ESP proposal supports the following ...
.Bl -tag -width Ds -compact
.It Ic ciph Ar type [number] ;
Define the cipher algorithm for this proposal. The optional number specifies
the keylength for algorithms that support it. The accepted types are
.Ic aes , blowfish , 3des , cast
and
.Ic des .
.It Ic hmac Ar type ;
Define the message authentication algorithm for this proposal. The accepted
types are
.Ic md5
and
.Ic sha1 .
.It Ic dhgr Ar number ;
Define the DH group for this proposal. The accepted values are
.Ic 1 , 2 , 5 , 14 , 15, 16, 17, 18
and
.Ic 16 .
.El
.Pp
.It Ic ipcomp
An IPCOMP proposal supports the following ...
.Bl -tag -width Ds -compact
.It Ic comp Ar type ;
Define the compression algorithm for this proposal. The accepted types are
.Ic deflate
and
.Ic lzs .
.El
.El
.Pp
All proposals types support the following ...
.Pp
.Bl -tag -width Ds -compact
.It Ic life_sec Ar number ;
Define the lifetime in seconds for this proposal.
.It Ic life_kbs Ar number ;
Define the lifetime in kilobytes for this proposal.
.El
.El
.El
.Pp
.Sh EXAMPLES
.Pp
This section contains a few iked configuration examples.
.Pp
The first example shows a configuration that only defines the parameters
required to support client connectivity mode with NATT and debug options
enabled.
.Bd -literal -offset
daemon
{
    socket ike 500;
    socket natt 4500;

    log_level debug;
    log_file "/var/log/iked.log";

    pcap_decrypt "/var/log/ike-decrypt.pcap";
    pcap_encrypt "/var/log/ike-encrypt.pcap";

    retry_delay 10;
    retry_count 2;
}
.Ed
.Pp
The second example shows a configuration that supports simple peer to peer
negotiations using mutual preshared key authentication.
.Bd -literal -offset
daemon
{
    socket ike 500;

    log_level debug;
    log_file "/var/log/iked.log";
}

peer 1.2.3.4
{
    exchange main;

    peerid local address;
    peerid remote address;

    authdata psk "sharedsecret";

    life_check claim;

    proposal isakmp
    {
        auth mutual_psk;
        life_sec 28800;
        life_kbs 0;
    }

    proposal esp
    {
        life_sec 3800;
        life_kbs 0;
    }
}
.Ed
.Pp
The third example shows a configuration that supports client gateway
negotiations using mutual preshared key authentication with xauth, nat
traversal, dead peer detection, ike fragmentation and policy generation. The
daemon would allow xauth users that are members of the "remote" group to
connect to the gateway. Policies would be generated to allow a peer access to
the 10.1.1.0/24 and 1.3.3.0/24 networks with the exception of 1.1.1.15/32
which be accessed directly ( not via IPsec ). Peers that use an xauth user
account that is a member of the "netadmin" group would have additional
policies generated to allow access to the 10.4.4.0/24 network.
.Bd -literal -offset
daemon
{
    socket ike 500;
    socket natt 4500;

    log_level debug;
    log_file "/var/log/iked.log";

    pcap_decrypt "/var/log/ike-decrypt.pcap";
    pcap_encrypt "/var/log/ike-encrypt.pcap";
}

netgroup allow
{
    10.1.1.0/24;
    10.3.3.0/24;
}

netgroup deny
{
    1.1.1.15/32;
}

netgroup protect
{
    10.4.4.0/24;
}

xconf_local
{
    network4 10.2.1.0/24;
    dnss4 10.1.1.1;
    nbns4 10.1.1.1;
    dns_suffix "foo.com";
    dns_list "foo.com" "bar.com";
    banner "/etc/iked.motd";
    pfs_group 2;
}

peer 0.0.0.0
{
    contact responder;
    exchange main;

    natt_mode enable;
    dpd_mode enable;
    frag_ike_mode enable;

    peerid local address;
    peerid remote address;

    authdata psk "sharedsecret";

    life_check claim;

    xauth_source local "remote";
    xconf_source local;

    plcy_mode config;
    plcy_list
    {
        include allow;
        exclude deny;
        include protect "netadmin";
    }

    proposal isakmp
    {
        auth mutual_xauth_psk;
        ciph 3des;
        hash md5;
        dhgr 2;
        life_sec 28800;
        life_kbs 0;
    }

    proposal esp
    {
        life_sec 3800;
        life_kbs 0;
    }
}
.Ed
.Sh SEE ALSO
.Xr ipsec 4 ,
.Xr iked 8 ,
.Xr setkey 8
.Sh HISTORY
The
.Nm
parser was written by Matthew Grooms ( mgrooms@shrew.net ) as part
of the Shrew Soft ( http://www.shrew.net ) family of IPsec products.