IKE.CONFIG(5)    File Formats and Configurations    IKE.CONFIG(5)
ike.config - configuration file for IKE policy
/etc/inet/ike/config
The /etc/inet/ike/config file contains rules for matching inbound IKE requests. It also contains rules for preparing outbound IKE requests.
You can test the syntactic correctness of an /etc/inet/ike/config file with the -c and -f options of in.iked(8). The -c option is required to test a configuration file; add the -f option to name the file when it is not located at /etc/inet/ike/config.
On any line, an unquoted # character or an unquoted // sequence introduces a comment; the remainder of that line is ignored.
There are several types of lexical tokens in the ike.config file:
num
IPaddr/prefix/range
XXX | YYY | ZZZ
p1-id-type
"string"
Examples include "Label foo" or "C=US, OU=Sun Microsystems\, Inc., N=olemcd@eng.example.com".
A backslash (\) is an escape character. If the string needs an actual backslash, two must be specified.
cert-sel
A cert-sel can also use various shortcuts to match either subject alternative names, the filename or slot of a certificate in /etc/inet/ike/publickeys, or even the ISSUER. For example:
"SLOT=0" "EMAIL=postmaster@example.org" "webmaster@example.org" # Some just work w/o TYPE= "IP=10.0.0.1" "10.21.11.11" # Some just work w/o TYPE= "DNS=www.example.org" "mailhost.example.org" # Some just work w/o TYPE= "ISSUER=C=US, O=Sun Microsystems\, Inc., CN=Sun CA"
Any cert-sel preceded by the character ! indicates a negative match, that is, not matching this specifier. These are the same kind of strings used in ikecert(8).
ldap-list
For example, "ldap1.example.com", "ldap1.example.com:389", "ldap1.example.com:389,ldap2.example.com".
The default port for LDAP is 389.
parameter-list
There are four main types of entries: global parameters, IKE phase 1 transform defaults, IKE rule defaults, and IKE rules.
The global parameter entries are as follows:
cert_root cert-sel
cert_trust cert-sel
expire_timer integer
ignore_crls
ldap_server ldap-list
pkcs11_path string
If this setting is not present, the default value is set to libpkcs11.so. Most cryptographic providers go through the default library, and this parameter should only be used if a specialized provider of IKE-useful cryptographic services cannot interface with the Solaris Cryptographic Framework. See cryptoadm(8).
This option is now deprecated, and may be removed in a future release.
retry_limit integer
retry_timer_init integer or float
retry_timer_max integer or float
proxy string
socks string
use_http
The following IKE phase 1 transform parameters can be prefigured using file-level defaults. Values specified within any given transform override these defaults.
The IKE phase 1 transform defaults are as follows:
p1_lifetime_secs num
p1_nonce_len num
The following IKE rule parameters can be prefigured using file-level defaults. Values specified within any given rule override these defaults, except for parameters that a rule cannot specify.
p2_lifetime_secs num
p2_softlife_secs num
This value is optional. If omitted, soft expiry occurs after 90% of the lifetime specified by p2_lifetime_secs. The value specified by p2_softlife_secs is ignored if p2_lifetime_secs is not specified.
Setting p2_softlife_secs to the same value as p2_lifetime_secs disables soft expiry.
p2_idletime_secs num
p2_lifetime_kb num
p2_softlife_kb num
This value is optional. If omitted, soft expiry occurs after 90% of the lifetime specified by p2_lifetime_kb. The value specified by p2_softlife_kb is ignored if p2_lifetime_kb is not specified.
p2_nonce_len num
local_id_type p1-id-type
p1_xform '{' parameter-list '}'
oakley_group number
encr_alg {3des, 3des-cbc, blowfish, blowfish-cbc, des, des-cbc, aes, aes-cbc}
auth_alg {md5, sha, sha1, sha256, sha384, sha512}
Use ipsecalgs(8) with the -l option to list the IPsec protocols and algorithms currently defined on a system. The cryptoadm list command displays a list of installed providers and their mechanisms. See cryptoadm(8).
auth_method {preshared, rsa_sig, rsa_encrypt, dss_sig}
p1_lifetime_secs num
p2_lifetime_secs num
p2_pfs num
An IKE rule starts with an opening curly brace ({), ends with a closing curly brace (}), and has the following parameters in between:
label string
local_addr <IPaddr/prefix/range>
remote_addr <IPaddr/prefix/range>
local_id_type p1-id-type
local_id cert-sel
remote_id cert-sel
p2_lifetime_secs num
p2_pfs num
p1_xform { parameter-list }
oakley_group number
encr_alg {3des, 3des-cbc, blowfish, blowfish-cbc, des, des-cbc, aes, aes-cbc}
auth_alg {md5, sha, sha1}
auth_method {preshared, rsa_sig, rsa_encrypt, dss_sig}
p1_lifetime_secs num
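As an added example (not part of this man page or of in.iked), the following Python applies the comment and quoting rules, the rule and p1_xform block structure, and the p2_softlife_secs semantics described above to a constructed ike.config excerpt, and reports transforms that still use DES, MD5 or MODP groups 1, 2 and 5. The sample configuration, the function names and the weak-algorithm policy are the example's own assumptions, not the project's.

```python
import re
SAMPLE = r'''
# Constructed ike.config excerpt (not from the original page) used as input.
p1_xform { auth_method preshared oakley_group 2 auth_alg md5 encr_alg des }
{ label "modern" p2_lifetime_secs 3600   // rule values override the defaults
  p1_xform { auth_method rsa_sig oakley_group 14 auth_alg sha256 encr_alg aes } }
{ label "soft off" p2_lifetime_secs 1800 p2_softlife_secs 1800 }
{ label "no hard" p2_softlife_secs 900 }  # ignored: no p2_lifetime_secs in effect
'''
TOKEN = re.compile(r'"(?:\\.|[^"\\])*"|//[^\n]*|#[^\n]*|[{}]|[^\s{}]+')
def tokenize(text):
    """Tokens with # and // comments dropped and quotes stripped; quoted strings
    match before the comment markers, so a '#' inside quotes stays data."""
    return [t[1:-1] if t[0] == '"' else t for t in TOKEN.findall(text)
            if not t.startswith(('#', '//'))]

def parse(text):
    """(defaults, rules): parameter dicts; 'p1_xform' lists each scope's transforms."""
    toks, defaults, rules = tokenize(text), {'p1_xform': []}, []
    scope, i = defaults, 0
    while i < len(toks):
        t = toks[i]
        if t == '{':                        # a rule opens
            scope = {'p1_xform': []}; rules.append(scope); i += 1
        elif t == '}':                      # a rule closes
            scope = defaults; i += 1
        elif t == 'p1_xform':               # p1_xform { key value ... }
            end = toks.index('}', i + 2)
            scope['p1_xform'].append(dict(zip(toks[i + 2:end:2], toks[i + 3:end:2])))
            i = end + 1
        elif t in ('ignore_crls', 'use_http'):   # keywords that take no value
            scope[t] = True; i += 1
        else:
            scope[t] = toks[i + 1]; i += 2
    return defaults, rules

def effective_softlife(rule, defaults):
    """Soft lifetime in seconds; None means no soft expiry applies (softlife
    ignored without a hard lifetime, or disabled because equal to it)."""
    hard = rule.get('p2_lifetime_secs', defaults.get('p2_lifetime_secs'))
    if hard is None: return None
    soft = rule.get('p2_softlife_secs', defaults.get('p2_softlife_secs'))
    soft = int(soft) if soft is not None else int(int(hard) * 0.9)   # 90% default
    return soft if soft < int(hard) else None

def weak_transforms(rule, defaults):
    """'key=value' for transforms (rule-level, else defaults) using DES, MD5 or MODP groups 1, 2, 5."""
    weak = {'encr_alg': {'des', 'des-cbc'}, 'auth_alg': {'md5'}, 'oakley_group': {'1', '2', '5'}}
    return [f'{k}={x[k]}' for x in rule['p1_xform'] or defaults['p1_xform']
            for k, bad in weak.items() if x.get(k) in bad]
```

Running parse(SAMPLE) and the two checks over each rule shows the "modern" rule inheriting nothing weak, the second rule falling back to the weak file-level transform, and the third rule's softlife being ignored.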
Example 1 A Sample ike.config File
The following is an example of an ike.config file:
### BEGINNING OF FILE

### First some global parameters...

### certificate parameters...

# Root certificates. I SHOULD use a full Distinguished Name.
# I must have this certificate in my local filesystem, see ikecert(8).
cert_root    "C=US, O=Sun Microsystems\, Inc., CN=Sun CA"

# Explicitly trusted certs that need no signatures, or perhaps
# self-signed ones. Like root certificates, use full DNs for them
# for now.
cert_trust    "EMAIL=root@example.org"

# Where do I send LDAP requests?
ldap_server    "ldap1.example.org,ldap2.example.org:389"

## phase 1 transform defaults...

p1_lifetime_secs 14400
p1_nonce_len 20

## Parameters that might also show up in rules.

p1_xform { auth_method preshared oakley_group 5 auth_alg sha
           encr_alg 3des }
p2_pfs 2

### Now some rules...

{
    label "simple inheritor"
    local_id_type ip
    local_addr 10.1.1.1
    remote_addr 10.1.1.2
}
{
    label "simple inheritor IPv6"
    local_id_type ipv6
    local_addr fe80::a00:20ff:fe7d:6
    remote_addr fe80::a00:20ff:fefb:3780
}

{
    # an index-only rule. If I'm a receiver, and all I
    # have are index-only rules, what do I do about inbound IKE requests?
    # Answer: Take them all!

    label "default rule"
    # Use whatever "host" (e.g. IP address) identity is appropriate
    local_id_type ipv4

    local_addr 0.0.0.0/0
    remote_addr 0.0.0.0/0

    p2_pfs 5

    # Now I'm going to have the p1_xforms
    p1_xform
    {auth_method preshared oakley_group 5 auth_alg md5 encr_alg \
    blowfish }
    p1_xform
    {auth_method preshared oakley_group 5 auth_alg md5 encr_alg 3des }

    # After said list, another keyword (or a '}') stops xform
    # parsing.
}

{
    # Let's try something a little more conventional.

    label "host to .80 subnet"
    local_id_type ip
    local_id "10.1.86.51"

    remote_id "" # Take any, use remote_addr for access control.

    local_addr 10.1.86.51
    remote_addr 10.1.80.0/24

    p1_xform
    { auth_method rsa_sig oakley_group 5 auth_alg md5 encr_alg 3des }
    p1_xform
    { auth_method rsa_sig oakley_group 5 auth_alg md5 encr_alg \
    blowfish }
    p1_xform
    { auth_method rsa_sig oakley_group 5 auth_alg sha1 encr_alg 3des }
    p1_xform
    { auth_method rsa_sig oakley_group 5 auth_alg sha1 encr_alg \
    blowfish }
}

{
    # Let's try something a little more conventional, but with ipv6.

    label "host to fe80::/10 subnet"
    local_id_type ip
    local_id "fe80::a00:20ff:fe7d:6"

    remote_id "" # Take any, use remote_addr for access control.

    local_addr fe80::a00:20ff:fe7d:6
    remote_addr fe80::/10

    p1_xform
    { auth_method rsa_sig oakley_group 5 auth_alg md5 encr_alg 3des }
    p1_xform
    { auth_method rsa_sig oakley_group 5 auth_alg md5 encr_alg \
    blowfish }
    p1_xform
    { auth_method rsa_sig oakley_group 5 auth_alg sha1 encr_alg \
    3des }
    p1_xform
    { auth_method rsa_sig oakley_group 5 auth_alg sha1 encr_alg \
    blowfish }
}

{
    # How 'bout something with a different cert type and name?

    label "punchin-point"
    local_id_type mbox
    local_id "ipsec-wizard@example.org"
    remote_id "10.5.5.128"

    local_addr 0.0.0.0/0
    remote_addr 10.5.5.128

    p1_xform
    { auth_method rsa_sig oakley_group 5 auth_alg md5 encr_alg \
    blowfish }
}

{
    label "receiver side"

    remote_id "ipsec-wizard@example.org"

    local_id_type ip
    local_id "10.5.5.128"

    local_addr 10.5.5.128
    remote_addr 0.0.0.0/0

    p1_xform
    { auth_method rsa_sig oakley_group 5 auth_alg md5 encr_alg blowfish }

    # NOTE: Specifying preshared null-and-voids the remote_id/local_id
    # fields.
    p1_xform
    { auth_method preshared oakley_group 5 auth_alg md5 encr_alg \
    blowfish }
}
See attributes(7) for descriptions of the following attributes:
ATTRIBUTE TYPE         ATTRIBUTE VALUE
Interface Stability    Committed
dlopen(3C), random(4D), attributes(7), cryptoadm(8), ikeadm(8), ikecert(8), in.iked(8), ipsecalgs(8), ipsecconf(8), ipseckey(8), svccfg(8)
Harkins, Dan and Carrel, Dave. RFC 2409, Internet Key Exchange (IKE). Cisco Systems, November 1998.
Maughan, Douglas et al. RFC 2408, Internet Security Association and Key Management Protocol (ISAKMP). National Security Agency, Ft. Meade, MD, November 1998.
Piper, Derrell. RFC 2407, The Internet IP Security Domain of Interpretation for ISAKMP. Network Alchemy, Santa Cruz, California, November 1998.
Kivinen, T. RFC 3526, More Modular Exponential (MODP) Diffie-Hellman Groups for Internet Key Exchange (IKE). The Internet Society, Network Working Group, May 2003.
Lepinski, M. and Kent, S. RFC 5114, Additional Diffie-Hellman Groups for Use with IETF Standards. BBN Technologies, January 2008.
Fu, D. and Solinas, J. RFC 5903, Elliptic Curve Groups modulo a Prime (ECP Groups) for IKE and IKEv2. NSA, June 2010.
November 22, 2021    OmniOS