Provided by: ike_2.2.1+dfsg-2ubuntu1_amd64 bug

NAME

     iked.conf — Internet Key Exchange Daemon Configuration File

DESCRIPTION

     The iked.conf file is used to configure iked(8) ( Internet Key Exchange Daemon ). The
     parameters supplied are used to negotiate ISAKMP ( phase1 ) and IPsec ( phase2 ) SAs for
     IPsec capable hosts.

SYNTAX

     The configuration parameters are expressed as a series of sections containing a number of
     statements. Sections begin with a keyword optionally followed by a parameter list. All
     statements for a section are enclosed using the ‘{’ and ‘}’ characters. Statements begin
     with a keyword optionally followed by a parameter list and are terminated with the ‘;’
     character. Lines that begin with the ‘#’ character are treated as comments.

     This document denotes keywords using this font and user supplied parameters using this font.
     Optional parameters are enclosed using the ‘[’ and ‘]’ characters. Multiple keywords that
     may be valid for a single parameter are enclosed using the ‘(’ and ‘)’ characters and
     separated using the ‘|’ character.

     The defined parameter types are as follows ...

     number    A decimal number
     label     A string comprised of alphanumeric characters
     quoted    A quoted string enclosed in ‘"’ characters
     address   An IP address expressed as x.x.x.x
     network   An IP network and prefix length expressed as x.x.x.x/y

   Daemon Section
     daemon { statements }
             Specifies the general configuration for iked(8) operation. This includes parameters
             related to the basic network configuration, log file and debug output. Only one
             daemon section should be defined.

             socket (ike | natt) [address] number;
                     An address and port number that should be used for ike or natt
                     communications.  If the address parameter is omitted, the daemon will
                     attempt to bind to any address for the given port number. If no socket
                     statements are specified, the daemon will attempt to bind to all interfaces
                     for both ike and natt using the default port numbers ( 500 & 4500
                     respectively ). Note, the natt keyword can only be specified if the daemon
                     was compiled with natt support.
             retry_count number;
                     The number of times an exchange packet should be resent to a peer. The
                     default value for this parameter is 2.
             retry_delay number;
                     The number of seconds to wait between packet resend attempts. The default
                     value for this parameter is 10.
             log_file quoted;
                     The path and file name that should be used for log output.
             log_level (none | error | info | debug | loud | decode);
                     The log output detail level. The default value for this parameter is none.
             pcap_decrypt quoted;
                     The path and file name that should be used to dump decrypted ike packets in
                     pcap format. If no pcap_decrypt statement is specified, this feature is
                     disabled.
             pcap_encrypt quoted;
                     The path and file name that should be used to dump encrypted ike packets in
                     pcap format. If no pcap_encrypt statement is specified, this feature is
                     disabled.
             dhcp_file quoted;
                     The path and file name that should be used to store a dhcp mac address seed
                     value for dhcp over ipsec negotiation. If no file is present, the file will
                     be created.

   Network Group Section
     netgroup label { statements }
             Specifies a group of networks that can be refferred to by the assigned label.
             Multiple netgroup sections may be defined.

             network;
                     A network to be associated with this network group.

   XAuth LDAP Section
     xauth_ldap { statements }
             Specifies the LDAP configuration to be used for when the xauth_source is set to ldap
             for a given peer section. Only one xauth_ldap section should be defined. Note, an
             xauth_ldap section can only be defined if the daemon was compiled with LDAP support.

             version number;
                     The LDAP protocol version to be used ( 2 or 3 ). The default value for this
                     parameter is 3.
             url quoted;
                     The LDAP server url. For example, a url may look like
                     "ldap://ldap.shrew.net:389".
             base quoted;
                     The base dn to be used for LDAP searches. For example, a base dn may look
                     like "ou=users,dc=shrew,dc=net".
             subtree (enable | disable);
                     The search scope to be used for LDAP searches. If enabled, searches will be
                     performed using the subtree search scope. If disabled, searches will be
                     performed using the one level search scope. The default value for this
                     parameter is disable.
             bind_dn quoted;
                     The dn to bind as before performing LDAP searches. If this parameter is
                     omitted, searches will be performed using anonymous binds.
             bind_pw quoted;
                     The password to use when a bind_dn is specified.
             attr_user quoted;
                     The attribute used to specify a user name in the LDAP directory.  For
                     example, if a user dn is "cn=user,dc=shrew,dc=net" then the attribute would
                     be "cn".  The default value for this parameter is "cn".
             attr_group quoted;
                     The attribute used to specify a group name in the LDAP directory.  For
                     example, if a group dn is "cn=group,dc=shrew,dc=net" then the attribute
                     would be "cn".  The default value for this parameter is "cn".
             attr_member quoted;
                     The attribute used to specify a group member in the LDAP directory. The
                     default value for this parameter is "member".

   XConf Local Section
     xconf_local { statements }
             Specifies the Configuration Exchange settings to be used when the xconf_source is
             set to local for a given peer section. Only one xconf_local section should be
             defined.

             network4 network [number];
                     The network that will be used to define a local address pool. An optional
                     number can be specified to restrict the pool to a specific size. An address
                     from this pool along with the network mask are passed to a peer when
                     requested.
             dnss4 address;
                     The dns server address to be passed to a peer when requested.
             nbns4 address;
                     The netbios name server address to be passed to a peer when requested.
             dns_suffix quoted;
                     The dns suffix to be passed to a peer when requested.
             dns_list quoted quoted ...;
                     A list of split dns suffixes to be passed to a peer when requested. A peer
                     can use this list to selectivly forward dns requests to the dnss4 server
                     when a query matches one of the supplied split dns suffixes.
             banner quoted;
                     The path to a file that contains a login banner to be passed to a peer when
                     requested.
             pfs_group number;
                     The pfs group number to be passed to a peer when requested.

   Peer Section
     peer address [number] { statements }
             Specifies the parameters used to communicate with a given peer by address and
             optional port number. If the port value is omitted, the default isakmp port number
             will be used ( 500 ). If an address of 0.0.0.0 is used, the peer section can be used
             for any remote host. Multiple peer sections may be defined.

             contact (initiator | responder | both);
                     Specifies the contact type when establishing phase1 negotiations with a
                     peer. If initiator is used, the daemon will initiate contact but deny
                     contact initiated by the peer. If responder is used, the daemon will allow
                     contact initiated by the peer but will not initiate contact. If both is
                     specified, the daemon will initiate contact and allow the peer to initiate
                     contact.
             exchange (main | aggressive);
                     Specifies the exchange type to be used for phase1 negotiations with a peer.
                     The default value for this parameter is main.
             natt_mode (disable | enable | force [draft | rfc]);
                     Specifies the NAT Traversal mode to be used for phase1 negotiations with a
                     peer. If disable is used, natt negotiations will not be attempted. If enable
                     is used, the daemon will attempt to negotiate and use NAT Traversal when
                     appropriate. If force is used, the daemon will use NAT Traversal even if the
                     peer does not negotiate support for this feature. When force is used, the
                     draft or rfc modifiers can optionally be specified to select the required
                     method with rfc being the default if omitted. The default value for this
                     parameter is disable.
             natt_port number;
                     Specifies the NAT Traversal port number to be used for phase1 negotiations
                     with a peer when acting as an initiator. The default value for this
                     parameter is 4500.
             natt_rate number;
                     Specifies the number of seconds between sending NAT Traversal keep-alive
                     messages. The default value for this parameter is 15.
             dpd_mode (disable | enable | force);
                     Specifies the Dead Peer Detection mode to be used with a peer. If disable is
                     used, DPD negotiations will not be attempted. If enable is used, the daemon
                     will attempt to negotiate and use DPD when appropriate. If force is used,
                     the daemon will use DPD even if the peer does not negotiate support for this
                     feature. The default value for this parameter is disable.
             dpd_delay number;
                     Specifies the number of seconds between sending DPD are-you-there messages.
                     The default value for this parameter is 15.
             dpd_retry number;
                     Specifies the number times a DPD are-you-there message will be retransmitted
                     when no response is received. The default value for this parameter is 5.
             frag_ike_mode (disable | enable | force);
                     Specifies the IKE Fragmentation mode to be used with a peer. If disable is
                     used, IKE Fragmentation negotiations will not be attemted. If enable is
                     used, the daemon will attempt to negotiate and use IKE Fragmentation when
                     appropriate. If force is used, the daemon will use IKE Fragmentation even if
                     the peer does not negotiate support for this feature. The default value for
                     this parameter is disable.
             frag_ike_size number;
                     Specifies the maximum number of bytes for an IKE Fragment. The default value
                     for this parameter is 520.
             frag_esp_mode (disable | enable);
                     Specifies the ESP Fragmentation mode to be used with a peer. If disable is
                     used, the daemon will create IPsec SAs without the ESP Fragmentation option.
                     If enable is used, the daemon will create IPsec SAs with the ESP
                     Fragmentation option.  The default value for this parameter is disable.
                     Note, ESP Fragmentation is only valid for IPsec SAs using NAT Traversal. The
                     operating system must also have support for this feature. ( NetBSD Only )
             frag_esp_size number;
                     Specifies the maximum number of bytes for an ESP Fragment. The default value
                     for this parameter is 520.
             peerid (local | remote) type ...;
                     Specifies either the local identity to be sent to a peer or the remote
                     identity to be compared with the value received from a peer during phase1
                     negotiations. The valid identity types are as follows ...
                     address [address];
                             An IP Address. If the address value is omitted, the network address
                             used during phase1 negotiations is used.
                     fqdn quoted;
                             A Fully Qualified Domain Name string.
                     ufqdn quoted;
                             A User Fully Qualified Domain Name string.
                     asn1dn [quoted];
                             An ASN.1 Distinguished Name string. If the quoted value is omitted,
                             the daemon will aquire the DN from the subject field contained
                             within the certificate.
             authdata type ...;
                     Specifies the authentication data to use during phase1 negotiations. The
                     valid authentication data types are as follows ...
                     psk quoted;
                             A Pre Shared Secret.
                     ca quoted [quoted];
                             A path to a OpenSSL PEM or PSK12 file that contains the Remote
                             Certificate Autority. In the case where a PSK12 file is encrypted,
                             the second quoted parameter specifies the file password.
                     cert quoted [quoted];
                             A path to a OpenSSL PEM or PSK12 file that contains the Local Public
                             Certificate. In the case where a PSK12 file is encrypted, the second
                             quoted parameter specifies the file password.
                     pkey quoted [quoted];
                             A path to a OpenSSL PEM or PSK12 file that contains the Local
                             Private Key. In the case where a PSK12 file is encrypted, the second
                             quoted parameter specifies the password.
             life_check level;
                     Specifies the behavior when validating peer lifetime proposal values. The
                     default level is claim.  The valid levels are as follows ...
                     obey    A responder will always use the initiators value.
                     strict  A responder will use the initiators value if it is shorter than the
                             responders.  A responder will reject the proposal if the initiators
                             value is greater than the responders.
                     claim   A responder will use the initiators value if it is shorter than the
                             responders.  A responder will use its own value if it is shorter
                             than the initiators. In the second case, the responder will send a
                             RESPONDER-LIFETIME notification to the initiator when responding to
                             phase2 proposals.
                     exact;  A responder will reject the proposal if the initiators value is not
                             equal to the responders.
             xauth_source (local | ldap) [quoted];
                     Sepcifies the Extended Authentication source to be used for user
                     authentication post phase1 negotitations. The optional quoted value
                     specifies a group name that can be used to restrict access to only users
                     that are valid members of the group. If local is used, the peer supplied
                     credentials will be compared to the local account database. If ldap is used,
                     the peer supplied credentials will be compared to an LDAP account database.
                     The LDAP source configuration is defined in the xauth_ldap section. The
                     default value for this parameter is local.
             xconf_source local [(push | pull)];
                     Sepcifies the Configuration Exchange source to be used when responding to
                     peer configuration requests. If local is used, the daemon will supply
                     configuration information defined in the xconf_local section. The default
                     value for this parameter is local.
             plcy_mode (disable | config | compat);
                     Specifies the policy generation mode. When disable is used, no policy
                     generation is performed. When config mode is used, policy generation is
                     performed during Configuration Exchange.  This allows the daemon to generate
                     polices using the peers private tunnel address. When compat mode is used,
                     policy generation is performed post phase1 negotiations. This allows the
                     daemon to interoperate with peers that do not support Configuration
                     Exchanges.
             plcy_list { statements }
                     Specifies a list of network groups and parameters that can be used to
                     perform policy generation. If no plcy_list is defined but plcy_mode is set
                     to config or compat, the daemon operates as if a single include statement
                     was used that specified a netmap defining all networks.
                     (include | exclude) label [quoted];
                             Specifies a netgroup by label for use with policy generation. When
                             include is used, the daemon will generate appropriate IPsec policies
                             and pass all netgroup defined networks during the Configuration
                             Exchange if requested. A peer would use this configuration
                             information to selectively tunnel all traffic destined for any one
                             of these networks. If exclude is used, the daemon will generate
                             appropriate discard policies and pass all netgroup defined networks
                             during the Configuration Exchange if requested. A peer would use
                             this configuration information to selectively bypass IPsec
                             processing for all traffic destined to any one of these networks.
                             The optional quoted string specifies a group name that can be used
                             to restrict processing of this netgroup to only users that are valid
                             members of the group. If XAuth is not performed, statements that
                             define a group name are skipped.
             proposal type { statements }
                     Specifies a proposal to be used during SA negotiations with a peer. The
                     valid proposal types are as follows ...

                     isakmp  An ISAKMP proposal supports the following ...
                             auth type;
                                     Define the authentication mechanism for the ISAKMP proposal.
                                     The accepted types are hybrid_xauth_rsa, mutual_xauth_rsa,
                                     mutual_xauth_psk, mutual_rsa and mutual_psk.
                             ciph type [number];
                                     Define the cipher algorithm for this proposal. The optional
                                     number specifies the keylength for algorithms that support
                                     it. The accepted types are aes, blowfish, 3des, cast and
                                     des.
                             hash type;
                                     Define the hash algorithm for this proposal. The accepted
                                     types are md5 and sha1.
                             dhgr number;
                                     Define the DH group for this proposal. The accepted values
                                     are 1, 2, 5, 14, 15, 16, 17, 18 and 16.

                     ah      An AH proposal supports the following ...
                             hash type;
                                     Define the hash algorithm for this proposal. The accepted
                                     types are md5 and sha1.
                             dhgr number;
                                     Define the DH group for this proposal. The accepted values
                                     are 1, 2, 5, 14, 15, 16, 17, 18 and 16.

                     esp     An ESP proposal supports the following ...
                             ciph type [number];
                                     Define the cipher algorithm for this proposal. The optional
                                     number specifies the keylength for algorithms that support
                                     it. The accepted types are aes, blowfish, 3des, cast and
                                     des.
                             hmac type;
                                     Define the message authentication algorithm for this
                                     proposal. The accepted types are md5 and sha1.
                             dhgr number;
                                     Define the DH group for this proposal. The accepted values
                                     are 1, 2, 5, 14, 15, 16, 17, 18 and 16.

                     ipcomp  An IPCOMP proposal supports the following ...
                             comp type;
                                     Define the compression algorithm for this proposal. The
                                     accepted types are deflate and lzs.

                     All proposals types support the following ...

                     life_sec number;
                             Define the lifetime in seconds for this proposal.
                     life_kbs number;
                             Define the lifetime in kilobytes for this proposal.

EXAMPLES

     This section contains a few iked configuration examples.

     The first example shows a configuration that only defines the parameters required to support
     client connectivity mode with NATT and debug options enabled.

     daemon
     {
         socket ike 500;
         socket natt 4500;

         log_level debug;
         log_file "/var/log/iked.log";

         pcap_decrypt "/var/log/ike-decrypt.pcap";
         pcap_encrypt "/var/log/ike-encrypt.pcap";

         retry_delay 10;
         retry_count 2;
     }

     The second example shows a configuration that supports simple peer to peer negotiations
     using mutual preshared key authentication.

     daemon
     {
         socket ike 500;

         log_level debug;
         log_file "/var/log/iked.log";
     }

     peer 1.2.3.4
     {
         exchange main;

         peerid local address;
         peerid remote address;

         authdata psk "sharedsecret";

         life_check claim;

         proposal isakmp
         {
             auth mutual_psk;
             life_sec 28800;
             life_kbs 0;
         }

         proposal esp
         {
             life_sec 3800;
             life_kbs 0;
         }
     }

     The third example shows a configuration that supports client gateway negotiations using
     mutual preshared key authentication with xauth, nat traversal, dead peer detection, ike
     fragmentation and policy generation. The daemon would allow xauth users that are members of
     the "remote" group to connect to the gateway. Policies would be generated to allow a peer
     access to the 10.1.1.0/24 and 1.3.3.0/24 networks with the exception of 1.1.1.15/32 which be
     accessed directly ( not via IPsec ). Peers that use an xauth user account that is a member
     of the "netadmin" group would have additional policies generated to allow access to the
     10.4.4.0/24 network.

     daemon
     {
         socket ike 500;
         socket natt 4500;

         log_level debug;
         log_file "/var/log/iked.log";

         pcap_decrypt "/var/log/ike-decrypt.pcap";
         pcap_encrypt "/var/log/ike-encrypt.pcap";
     }

     netgroup allow
     {
         10.1.1.0/24;
         10.3.3.0/24;
     }

     netgroup deny
     {
         1.1.1.15/32;
     }

     netgroup protect
     {
         10.4.4.0/24;
     }

     xconf_local
     {
         network4 10.2.1.0/24;
         dnss4 10.1.1.1;
         nbns4 10.1.1.1;
         dns_suffix "foo.com";
         dns_list "foo.com" "bar.com";
         banner "/etc/iked.motd";
         pfs_group 2;
     }

     peer 0.0.0.0
     {
         contact responder;
         exchange main;

         natt_mode enable;
         dpd_mode enable;
         frag_ike_mode enable;

         peerid local address;
         peerid remote address;

         authdata psk "sharedsecret";

         life_check claim;

         xauth_source local "remote";
         xconf_source local;

         plcy_mode config;
         plcy_list
         {
             include allow;
             exclude deny;
             include protect "netadmin";
         }

         proposal isakmp
         {
             auth mutual_xauth_psk;
             ciph 3des;
             hash md5;
             dhgr 2;
             life_sec 28800;
             life_kbs 0;
         }

         proposal esp
         {
             life_sec 3800;
             life_kbs 0;
         }
     }

SEE ALSO

     ipsec(4), iked(8), setkey(8)

HISTORY

     The iked.conf parser was written by Matthew Grooms ( mgrooms@shrew.net ) as part of the
     Shrew Soft ( http://www.shrew.net ) family of IPsec products.