Provided by: ike_2.1.7+dfsg-1.1_i386 bug

NAME

     iked.conf -- Internet Key Exchange Daemon Configuration File

DESCRIPTION

     The iked.conf file is used to configure iked(8) ( Internet Key Exchange
     Daemon ). The parameters supplied are used to negotiate ISAKMP ( phase1 )
     and IPsec ( phase2 ) SAs for IPsec capable hosts.

SYNTAX

     The configuration parameters are expressed as a series of sections
     containing a number of statements. Sections begin with a keyword
     optionally followed by a parameter list. All statements for a section are
     enclosed using the '{' and '}' charachters. Statements begin with a
     keyword optionally followed by a parameter list and are terminated with
     the ';' charachter. Lines that begin with the '#' charachter are treated
     as comments.

     This document denotes keywords using this font and user supplied
     parameters using this font. Optional parameters are enclosed using the
     '[' and ']' charachters. Multiple keywords that may be valid for a single
     parameter are enclosed using the '(' and ')' charachters and separated
     using the '|' charachter.

     The defined parameter types are as follows ...

     number    A decimal number
     label     A string comprised of alphanumeric charachters
     quoted    A quoted string enclosed in '"' charachters
     address   An IP address expressed as x.x.x.x
     network   An IP network and prefix length expressed as x.x.x.x/y

   Daemon Section
     daemon { statements }
             Specifies the general configuration for iked(8) operation. This
             includes parameters related to the basic network configuration,
             log file and debug output. Only one deamon section should be
             defined.

             socket (ike | natt) [address] number;
                     An address and port number that should be used for ike or
                     natt communications.  If the address parameter is
                     omitted, the daemon will attempt to bind to any address
                     for the given port number. If no socket statements are
                     specified, the daemon will attempt to bind to all
                     interfaces for both ike and natt using the default port
                     numbers ( 500 & 4500 respectively ). Note, the natt
                     keyword can only be specified if the daemon was compiled
                     with natt support.
             retry_count number;
                     The number of times an exchange packet should be resent
                     to a peer. The default value for this parameter is 2.
             retry_delay number;
                     The number of seconds to wait between packet resend
                     attempts. The default value for this parameter is 10.
             log_file quoted;
                     The path and file name that should be used for log
                     output.
             log_level (none | error | info | debug | loud | decode);
                     The log output detail level. The default value for this
                     parameter is none.
             pcap_decrypt quoted;
                     The path and file name that should be used to dump
                     decrypted ike packets in pcap format. If no pcap_ike
                     statement is specified, this feature is disabled.
             pcap_encrypt quoted;
                     The path and file name that should be used to dump
                     encrypted ike packets in pcap format. If no pcap_pub
                     statement is specified, this feature is disabled.
             dhcp_file quoted;
                     The path and file name that should be used to store a
                     dhcp mac address seed value for dhcp over ipsec
                     negotiation. If no file is present, the file will be
                     created.

   Network Group Section
     netgroup label { statements }
             Specifies a group of networks that can be refferred to by the
             assigned label.  Multiple netgroup sections may be defined.

             network;
                     A network to be associated with this network group.

   XAuth LDAP Section
     xauth_ldap { statements }
             Specifies the LDAP configuration to be used for when the
             xauth_source is set to ldap for a given peer section. Only one
             xauth_ldap section should be defined. Note, an xauth_ldap section
             can only be defined if the daemon was compiled with LDAP support.

             version number;
                     The LDAP protocol version to be used ( 2 or 3 ). The
                     default value for this parameter is 3.
             url quoted;
                     The LDAP server url. For example, a url may look like
                     "ldap://ldap.shrew.net:389".
             base quoted;
                     The base dn to be used for LDAP searches. For example, a
                     base dn may look like "ou=users,dc=shrew,dc=net".
             subtree (enable | disable);
                     The search scope to be used for LDAP searches. If
                     enabled, searches will be performed using the subtree
                     search scope. If disabled, searches will be performed
                     using the one level search scope. The default value for
                     this parameter is disable.
             bind_dn quoted;
                     The dn to bind as before performing LDAP searches. If
                     this parameter is omitted, searches will be performed
                     using anonymous binds.
             bind_pw quoted;
                     The password to use when a bind_dn is specified.
             attr_user quoted;
                     The attribute used to specify a user name in the LDAP
                     directory.  For example, if a user dn is
                     "cn=user,dc=shrew,dc=net" then the attribute would be
                     "cn".  The default value for this parameter is "cn".
             attr_group quoted;
                     The attribute used to specify a group name in the LDAP
                     directory.  For example, if a group dn is
                     "cn=group,dc=shrew,dc=net" then the attribute would be
                     "cn".  The default value for this parameter is "cn".
             attr_member quoted;
                     The attribute used to specify a group member in the LDAP
                     directory. The default value for this parameter is
                     "member".

   XConf Local Section
     xconf_local { statements }
             Specifies the Configuration Exchange settings to be used when the
             xconf_source is set to local for a given peer section. Only one
             xconf_local section should be defined.

             network4 network [number];
                     The network that will be used to define a local address
                     pool. An optional number can be specified to restrict the
                     pool to a specific size. An address from this pool along
                     with the network mask are passed to a peer when
                     requested.
             dnss4 address;
                     The dns server address to be passed to a peer when
                     requested.
             nbns4 address;
                     The netbios name server address to be passed to a peer
                     when requested.
             dns_suffix quoted;
                     The dns suffix to be passed to a peer when requested.
             dns_list quoted quoted ...;
                     A list of split dns suffixes to be passed to a peer when
                     requested. A peer can use this list to selectivly forward
                     dns requests to the dnss4 server when a query matches one
                     of the supplied split dns suffixes.
             banner quoted;
                     The path to a file that contains a login banner to be
                     passed to a peer when requested.
             pfs_group number;
                     The pfs group number to be passed to a peer when
                     requested.

   Peer Section
     peer address [number] { statements }
             Specifies the parameters used to communicate with a given peer by
             address and optional port number. If the port value is omitted,
             the default isakmp port number will be used ( 500 ). If an
             address of 0.0.0.0 is used, the peer section can be used for any
             remote host. Multiple peer sections may be defined.

             contact (initiator | responder | both);
                     Specifies the contact type when establishing phase1
                     negotiations with a peer. If initiator is used, the
                     daemon will initiate contact but deny contact initiated
                     by the peer. If responder is used, the deamon will allow
                     contact initiated by the peer but will not initiate
                     contact. If both is specified, the daemon will initiate
                     contact and allow the peer to initiate contact.
             exchange (main | aggressive);
                     Specifies the exchange type to be used for phase1
                     negotiations with a peer.  The default value for this
                     paramater is main.
             natt_mode (disable | enable | force [draft | rfc]);
                     Specifies the NAT Traversal mode to be used for phase1
                     negotiations with a peer. If disable is used, natt
                     negotiations will not be attempted. If enable is used,
                     the daemon will attempt to negotiate and use NAT
                     Traversal when appropriate. If force is used, the daemon
                     will use NAT Traversal even if the peer does not
                     negotiate support for this feature. When force is used,
                     the draft or rfc modifiers can optionally be specified to
                     select the required method with rfc being the default if
                     omitted. The default value for this parameter is disable.
             natt_port number;
                     Specifies the NAT Traversal port number to be used for
                     phase1 negotiations with a peer when acting as an
                     initiator. The default value for this parameter is 4500.
             natt_rate number;
                     Specifies the number of seconds between sending NAT
                     Traversal keep-alive messages. The default value for this
                     parameter is 15.
             dpd_mode (disable | enable | force);
                     Specifies the Dead Peer Detection mode to be used with a
                     peer. If disable is used, DPD negotiations will not be
                     attempted. If enable is used, the daemon will attempt to
                     negotiate and use DPD when appropriate. If force is used,
                     the daemon will use DPD even if the peer does not
                     negotiate support for this feature. The default value for
                     this parameter is disable.
             dpd_delay number;
                     Specifies the number of seconds between sending DPD are-
                     you-there messages. The default value for this parameter
                     is 15.
             dpd_retry number;
                     Specifies the number times a DPD are-you-there message
                     will be retransmitted when no response is received. The
                     default value for this parameter is 5.
             frag_ike_mode (disable | enable | force);
                     Specifies the IKE Fragmentation mode to be used with a
                     peer. If disable is used, IKE Fragmentation negotiations
                     will not be attemted. If enable is used, the daemon will
                     attempt to negotiate and use IKE Fragmentation when
                     appropriate. If force is used, the daemon will use IKE
                     Fragmentation even if the peer does not negotiate support
                     for this feature. The default value for this parameter is
                     disable.
             frag_ike_size number;
                     Specifies the maximum number of bytes for an IKE
                     Fragment. The default value for this parameter is 520.
             frag_esp_mode (disable | enable);
                     Specifies the ESP Fragmentation mode to be used with a
                     peer. If disable is used, the daemon will create IPsec
                     SAs without the ESP Fragmentation option.  If enable is
                     used, the daemon will create IPsec SAs with the ESP
                     Fragmentation option.  The default value for this
                     parameter is disable.  Note, ESP Fragmentation is only
                     valid for IPsec SAs using NAT Traversal. The operating
                     system must also have support for this feature. ( NetBSD
                     Only )
             frag_esp_size number;
                     Specifies the maximum number of bytes for an ESP
                     Fragment. The default value for this parameter is 520.
             peerid (local | remote) type ...;
                     Specifies either the local identity to be sent to a peer
                     or the remote identity to be compared with the value
                     recieved from a peer during phase1 negotiations. The
                     valid identity types are as follows ...
                     address [address];
                             An IP Address. If the address value is omitted,
                             the network address used during phase1
                             negotiations is used.
                     fqdn quoted;
                             A Fully Qualified Domain Name string.
                     ufqdn quoted;
                             A User Fully Qualified Domain Name string.
                     asn1dn [quoted];
                             An ASN.1 Distinguished Name string. If the quoted
                             value is omitted, the daemon will aquire the DN
                             from the subject field contained within the
                             certificate.
             authdata type ...;
                     Specifies the authentication data to use during phase1
                     negotiations. The valid authentication data types are as
                     follows ...
                     psk quoted;
                             A Pre Shared Secret.
                     ca quoted [quoted];
                             A path to a OpenSSL PEM or PSK12 file that
                             contains the Remote Certificate Autority. In the
                             case where a PSK12 file is encrypted, the second
                             quoted parameter specifies the file password.
                     cert quoted [quoted];
                             A path to a OpenSSL PEM or PSK12 file that
                             contains the Local Public Certificate. In the
                             case where a PSK12 file is encrypted, the second
                             quoted parameter specifies the file password.
                     pkey quoted [quoted];
                             A path to a OpenSSL PEM or PSK12 file that
                             contains the Local Private Key. In the case where
                             a PSK12 file is encrypted, the second quoted
                             parameter specifies the password.
             life_check level;
                     Specifies the behavior when validating peer lifetime
                     proposal values. The default level is claim.  The valid
                     levels are as follows ...
                     obey    A responder will always use the initiators value.
                     strict  A responder will use the initiators value if it
                             is shorter than the responders.  A responder will
                             reject the proposal if the initiators value is
                             greater than the responders.
                     claim   A responder will use the initiators value if it
                             is shorter than the responders.  A responder will
                             use its own value if it is shorter than the
                             initiators. In the second case, the responder
                             will send a RESPONDER-LIFETIME notification to
                             the initiator when responding to phase2
                             proposals.
                     exact;  A responder will reject the proposal if the
                             initiators value is not equal to the responders.
             xauth_source (local | ldap) [quoted];
                     Sepcifies the Extended Authentication source to be used
                     for user authentication post phase1 negotitations. The
                     optional quoted value specifies a group name that can be
                     used to restrict access to only users that are valid
                     members of the group. If local is used, the peer supplied
                     credentials will be compared to the local account
                     database. If ldap is used, the peer supplied credentials
                     will be compared to an LDAP account database. The LDAP
                     source configuration is defined in the xauth_ldap
                     section. The default value for this parameter is local.
             xconf_source local [(push | pull)];
                     Sepcifies the Configuration Exchange source to be used
                     when responding to peer configuration requests. If local
                     is used, the daemon will supply configuration information
                     defined in the xconf_local section. The default value for
                     this parameter is local.
             plcy_mode (disable | config | compat);
                     Specifies the policy generation mode. When disable is
                     used, no policy generation is performed. When config mode
                     is used, policy generation is performed during
                     Configuration Exchange.  This allows the daemon to
                     generate polices using the peers private tunnel address.
                     When compat mode is used, policy generation is performed
                     post phase1 negotiations. This allows the daemon to
                     interoperate with peers that do not support Configuration
                     Exchanges.
             plcy_list { statements }
                     Specifies a list of network groups and parameters that
                     can be used to perform policy generation. If no plcy_list
                     is defined but plcy_mode is set to config or compat, the
                     daemon operates as if a single include statement was used
                     that specified a netmap defining all networks.
                     (include | exclude) label [quoted];
                             Specifies a netgroup by label for use with policy
                             generation. When include is used, the daemon will
                             generate appropriate IPsec policies and pass all
                             netgroup defined networks during the
                             Configuration Exchange if requested. A peer would
                             use this configuration information to selectively
                             tunnel all traffic destined for any one of these
                             networks. If exlcude is used, the daemon will
                             generate appropriate discard policies and pass
                             all netgroup defined networks during the
                             Configuration Exchange if requested. A peer would
                             use this configuration information to selectively
                             bypass IPsec processing for all traffic destined
                             to any one of these networks. The optional quoted
                             string specifies a group name that can be used to
                             restrict processing of this netgroup to only
                             users that are valid members of the group. If
                             XAuth is not performed, statements that define a
                             group name are skipped.
             proposal type { statements }
                     Specifies a proposal to be used during SA negotiations
                     with a peer. The valid proposal types are as follows ...

                     isakmp  An ISAKMP proposal supports the following ...
                             auth type;
                                     Define the authentication mechanism for
                                     the ISAKMP proposal. The accepted types
                                     are hybrid_xauth_rsa, mutual_xauth_rsa,
                                     mutual_xauth_psk, mutual_rsa and
                                     mutual_psk.
                             ciph type [number];
                                     Define the cipher algorithm for this
                                     proposal. The optional number specifies
                                     the keylength for algorithms that support
                                     it. The accepted types are aes, blowfish,
                                     3des, cast and des.
                             hash type;
                                     Define the hash algorithm for this
                                     proposal. The accepted types are md5 and
                                     sha1.
                             dhgr number;
                                     Define the DH group for this proposal.
                                     The accepted values are 1, 2, 5, 14, 15
                                     and 16.

                     ah      An AH proposal supports the following ...
                             hash type;
                                     Define the hash algorithm for this
                                     proposal. The accepted types are md5 and
                                     sha1.
                             dhgr number;
                                     Define the DH group for this proposal.
                                     The accepted values are 1, 2, 5, 14, 15
                                     and 16.

                     esp     An ESP proposal supports the following ...
                             ciph type [number];
                                     Define the cipher algorithm for this
                                     proposal. The optional number specifies
                                     the keylength for algorithms that support
                                     it. The accepted types are aes, blowfish,
                                     3des, cast and des.
                             hmac type;
                                     Define the message authentication
                                     algorithm for this proposal. The accepted
                                     types are md5 and sha1.
                             dhgr number;
                                     Define the DH group for this proposal.
                                     The accepted values are 1, 2, 5, 14, 15
                                     and 16.

                     ipcomp  An IPCOMP proposal supports the following ...
                             comp type;
                                     Define the compression algorithm for this
                                     proposal. The accepted types are deflate
                                     and lzs.

                     All proposals types support the following ...

                     life_sec number;
                             Define the lifetime in seconds for this proposal.
                     life_kbs number;
                             Define the lifetime in kilobytes for this
                             proposal.

EXAMPLES

     This section contains a few iked configuration examples.

     The first example shows a configuration that only defines the parameters
     required to support client connectivity mode with NATT and debug options
     enabled.

     daemon
     {
         socket ike 500;
         socket natt 4500;

         log_level debug;
         log_file "/var/log/iked.log";

         pcap_decrypt "/var/log/ike-decrypt.pcap";
         pcap_encrypt "/var/log/ike-encrypt.pcap";

         retry_delay 10;
         retry_count 2;
     }

     The second example shows a configuration that supports simple peer to
     peer negotiations using mutual preshared key authentication.

     daemon
     {
         socket ike 500;

         log_level debug;
         log_file "/var/log/iked.log";
     }

     peer 1.2.3.4
     {
         exchange main;

         peerid local address;
         peerid remote address;

         authdata psk "sharedsecret";

         life_check claim;

         proposal isakmp
         {
             auth mutual_psk;
             life_sec 28800;
             life_kbs 0;
         }

         proposal esp
         {
             life_sec 3800;
             life_kbs 0;
         }
     }

     The third example shows a configuration that supports client gateway
     negotiations using mutual preshared key authentication with xauth, nat
     traversal, dead peer detection, ike fragmentation and policy generation.
     The daemon would allow xauth users that are members of the "remote" group
     to connect to the gateway. Policies would be generated to allow a peer
     access to the 10.1.1.0/24 and 1.3.3.0/24 networks with the exception of
     1.1.1.15/32 which be accessed directly ( not via IPsec ). Peers that use
     an xauth user account that is a member of the "netadmin" group would have
     additional policies generated to allow access to the 10.4.4.0/24 network.

     daemon
     {
         socket ike 500;
         socket natt 4500;

         log_level debug;
         log_file "/var/log/iked.log";

         pcap_decrypt "/var/log/ike-decrypt.pcap";
         pcap_encrypt "/var/log/ike-encrypt.pcap";
     }

     netgroup allow
     {
         10.1.1.0/24;
         10.3.3.0/24;
     }

     netgroup deny
     {
         1.1.1.15/32;
     }

     netgroup protect
     {
         10.4.4.0/24;
     }

     xconf_local
     {
         network4 10.2.1.0/24;
         dnss4 10.1.1.1;
         nbns4 10.1.1.1;
         dns_suffix "foo.com";
         dns_list "foo.com" "bar.com";
         banner "/etc/iked.motd";
         pfs_group 2;
     }

     peer 0.0.0.0
     {
         contact responder;
         exchange main;

         natt_mode enable;
         dpd_mode enable;
         frag_ike_mode enable;

         peerid local address;
         peerid remote address;

         authdata psk "sharedsecret";

         life_check claim;

         xauth_source local "remote";
         xconf_source local;

         plcy_mode config;
         plcy_list
         {
             include allow;
             exclude deny;
             include protect "netadmin";
         }

         proposal isakmp
         {
             auth mutual_xauth_psk;
             ciph 3des;
             hash md5;
             dhgr 2;
             life_sec 28800;
             life_kbs 0;
         }

         proposal esp
         {
             life_sec 3800;
             life_kbs 0;
         }
     }

SEE ALSO

     ipsec(4), iked(8), setkey(8)

HISTORY

     The iked.conf parser was written by Matthew Grooms ( mgrooms@shrew.net )
     as part of the Shrew Soft ( http://www.shrew.net ) family of IPsec
     products.