ike.config(4)
NAME
ike.config - configuration file for IKE policy
SYNOPSIS
/etc/inet/ike/config
DESCRIPTION
The /etc/inet/ike/config file contains rules for matching
inbound IKE requests. It also contains rules for preparing
outbound IKE requests.
You can test the syntactic correctness of an
/etc/inet/ike/config file by using the -c or -f options of
in.iked(1M). You must use the -c option to test a config
file. You may need to use the -f option if it is not in
/etc/inet/ike/config.
Lexical Components
On any line, an unquoted # character introduces a comment.
The remainder of that line is ignored. Additionally, on any
line, an unquoted // sequence introduces a comment. The
remainder of that line is ignored.
There are several types of lexical tokens in the ike.config
file:
num A decimal, hex, or octal number representation is as
in 'C'.
IPaddr/prefix/range
An IPv4 or IPv6 address with an optional /NNN suffix,
(where NNN is a num) that indicates an address (CIDR)
prefix (for example, 10.1.2.0/24). An optional /ADDR
suffix (where ADDR is a second IP address) indicates
an address/mask pair (for example,
10.1.2.0/255.255.255.0). An optional -ADDR suffix
(where ADDR is a second IPv4 address) indicates an
inclusive range of addresses (for example, 10.1.2.0-
10.1.2.255). The / or - can be surrounded by an arbi-
trary amount of white space.
XXX | YYY | ZZZ
Either the words XXX, YYY, or ZZZ, for example,
{yes,no}.
p1-id-type
An IKE phase 1 identity type. IKE phase 1 identity
types include:
dn, DN
dns, DNS
fqdn, FQDN
gn, GN
ip, IP
ipv4
ipv4_prefix
ipv4_range
ipv6
ipv6_prefix
ipv6_range
mbox, MBOX
user_fqdn
"string"
A quoted string.
Examples include:"Label foo", or "C=US, OU=Sun
Microsystems\, Inc., N=danmcd@eng.sun.com"
A backslash (\) is an escape character. If the string
needs an actual backslash, two must be specified.
cert-sel
A certificate selector, a string which specifies the
identities of zero or more certificates. The specif-
iers can conform to X.509 naming conventions.
A cert-sel can also use various shortcuts to match
either subject alternative names, the filename or slot
of a certificate in /etc/inet/ike/publickeys, or even
the ISSUER. For example:
"SLOT=0"
"EMAIL=postmaster@domain.org"
"webmaster@domain.org" # Some just work w/o TYPE=
"IP=10.0.0.1"
"10.21.11.11" # Some just work w/o TYPE=
"DNS=www.domain.org"
"mailhost.domain.org" # Some just work w/o TYPE=
"ISSUER=C=US, O=Sun Microsystems\, Inc., CN=Sun CA"
Any cert-sel preceded by the character ! indicates a
negative match, that is, not matching this specifier.
These are the same kind of strings used in
ikecert(1M).
ldap-list
A quoted, comma-separated list of LDAP servers and
ports.
For example, "ldap1.sun.com", "ldap1.sun.com:389",
"ldap1.sun.com:389,ldap2.sun.com".
The default port for LDAP is 389.
parameter-list
A list of parameters.
File Body Entries
There are four main types of entries:
o global parameters
o IKE phase 1 transform defaults
o IKE rule defaults
o IKE rules
The global parameter entries are as follows:
cert_root cert-sel
The X.509 distinguished name of a certificate that is
a trusted root CA certificate.It must be encoded in a
file in the /etc/inet/ike/publickeys directory. It
must have a CRL in /etc/inet/ike/crls. Multiple
cert_root parameters aggregate.
cert_trust cert-sel
Specifies an X.509 distinguished name of a certificate
that is self-signed, or has otherwise been verified as
trustworthy for signing IKE exchanges. It must be
encoded in a file in /etc/inet/ike/publickeys. Multi-
ple cert_trust parameters aggregate.
ignore_crls
If this keyword is present in the file, in.iked(1M)
ignores Certificate Revocation Lists (CRLs) for root
CAs (as given in cert_root)
ldap_server ldap-list
A list of LDAP servers to query for certificates. The
list can be additive.
pkcs11_path string
The string that follows is a pathname to a shared
object (.so) that implements the PKCS#11 standard. It
is assumed the PKCS#11 library will provide faster
public-key operations than in.iked or other SunOS
built-in functionality. For example, the Sun Crypto
Accelerator 1000 has such a library in
/opt/SUNWconn/lib/libpkcs11.so.
proxy string
The string following this keyword must be a URL for an
HTTP proxy, for example, http://proxy:8080.
socks string
The string following this keyword must be a URL for a
SOCKS proxy, for example, socks://socks-proxy.
use_http
If this keyword is present in the file, in.iked(1M)
uses HTTP to retrieve Certificate Revocation Lists
(CRLs).
The following IKE phase 1 transform parameters can be pre-
figured using file-level defaults. Values specified within
any given transform override these defaults.
The IKE phase 1 transform defaults are as follows:
p1_lifetime_secs num
The proposed default lifetime, in seconds, of an IKE
phase 1 security association (SA).
p1_nonce_len num
The length in bytes of the phase 1 (quick mode) nonce
data. This cannot be specified on a per-rule basis.
The following IKE rule parameters can be prefigured using
file-level defaults. Values specified within any given rule
override these defaults, unless a rule cannot.
p2_nonce_len num
The length in bytes of the phase 2 (quick mode) nonce
data. This cannot be specified on a per-rule basis.
local_id_type p1-id-type
The local identity for IKE requires a type. This iden-
tity type is reflected in the IKE exchange. The type
can be one of the following:
o an IP address (for example, 10.1.1.2)
o DNS name (for example, test.domain.com)
o MBOX RFC 822 name (for example, root@domain.com)
o DNX.509 distinguished name (for example, C=US,
O=Sun Microsystems, Inc., CN=Sun Test cert)
p1_xform '{' parameter-list '}
A phase 1 transform specifies a method for protecting
an IKE phase 1 exchange. An initiator offers up lists
of phase 1 transforms, and a receiver is expected to
only accept such an entry if it matches one in a phase
1 rule. There can be several of these, and they are
additive. There must be either at least one phase 1
transform in a rule or a global default phase 1
transform list. In a configuration file without a glo-
bal default phase 1 transform list and a rule without
a phase, transform list is an invalid file. Unless
specified as optional, elements in the parameter-list
must occur exactly once within a given transform's
parameter-list:
oakley_group number
The Oakley Diffie-Hellman group used for IKE SA
key derivation. Acceptable values are currently
1 (768-bit), 2 (1024-bit), or 5 (1536-bit).
encr_alg {3des, 3des-cbc, blowfish, des, des-cbc}
An encryption algorithm, as in ipsecconf(1M).
auth_alg {md5, sha, sha1}
An authentication algorithm, as in
ipsecconf(1M).
auth_method {preshared, rsa_sig, rsa_encrypt, dss_sig}
The authentication method used for IKE phase 1.
p1_lifetime_secs num
Optional. The lifetime for a phase 1 SA.
p2_lifetime_secs num
If configuring the kernel defaults is not sufficient
for different tasks, this parameter can be used on a
per-rule basis to set the IPsec SA lifetimes in
seconds.
p2_pfs num
The Oakley Diffie-Hellman group used for IPsec SA key
derivation. Acceptable values are 0 (do not use Per-
fect Forward Secrecy for IPsec SAs), 1 (768-bit), 2
(1024-bit), and 5 (1536-bit).
An IKE rule starts with a right-curly-brace ({), ends with a
left-curly-brace (}), and has the following parameters in
between:
label string
Required parameter. The administrative interface to
in.iked looks up phase 1 policy rules with the label
as the search string. The administrative interface
also converts the label into an index, suitable for an
extended ACQUIRE message from PF_KEY - effectively
tying IPsec policy to IKE policy in the case of a node
initiating traffic. Only one label parameter is
allowed per rule.
local_addr <IPaddr/prefix/range>
Required parameter. The local address, address prefix,
or address range for this phase 1 rule. Multiple
local_addr parameters accumulate within a given rule.
remote_addr <IPaddr/prefix/range>
Required parameter. The remote address, address pre-
fix, or address range for this phase 1 rule. Multiple
remote_addr parameters accumulate within a given rule.
local_id_type p1-id-type
Which phase 1 identity type I uses. This is needed
because a single certificate can contain multiple
values for use in IKE phase 1. Within a given rule,
all phase 1 transforms must either use preshared or
non-preshared authentication (they cannot be mixed).
For rules with preshared authentication, the
local_id_type parameter is optional, and defaults to
IP. For rules which use non-preshared authentication,
the 'local_id_type' parameter is required. Multiple
'local_id_type' parameters within a rule are not
allowed.
local_id cert-sel
Disallowed for preshared authentication method;
required parameter for non-preshared authentication
method. The local identity string or certificate
selector. Multiple local_id parameters accumulate
within a given rule.
remote_id cert-sel
Disallowed for preshared authentication method;
required parameter for non-preshared authentication
method. Selector for which remote phase 1 identities
are allowed by this rule. Multiple remote_id parame-
ters accumulate within a given rule. If a single empty
string ("") is given, then this accepts any remote ID
for phase 1. It is recommended that certificate trust
chains or address enforcement be configured strictly
to prevent a breakdown in security if this value for
remote_id is used.
p2_lifetime_secs num
If configuring the kernel defaults is not sufficient
for different tasks, this parameter can be used on a
per-rule basis to set the IPsec SA lifetimes in
seconds.
p2_pfs num
Use perfect forward secrecy for phase 2 (quick mode).
If selected, the oakley group specified is used for
phase 2 PFS. Acceptable values are 0 (do not use Per-
fect Forward Secrecy for IPsec SAs), 1 (768-bit), 2
(1024-bit), and 5 (1536-bit).
p1_xform { parameter-list }
A phase 1 transform specifies a method for protecting
an IKE phase 1 exchange. An initiator offers up lists
of phase 1 transforms, and a receiver is expected to
only accept such an entry if it matches one in a phase
1 rule. There can be several of these, and they are
additive. There must be either at least one phase 1
transform in a rule or a global default phase 1
transform list. A ike.config file without a global
default phase 1transform list and a rule without a
phase 1 transform list is an invalid file. Elements
within the parameter-list; unless specified as
optional, must occur exactly once within a given
transform's parameter-list:
oakley_group number
The Oakley Diffie-Hellman group used for IKE SA
key derivation. Acceptable values are currently
1 (768-bit), 2 (1024-bit), or 5 (1536-bit).
encr_alg {3des, 3des-cbc, blowfish, des, des-cbc}
An encryption algorithm, as in ipsecconf(1M).
auth_alg {md5, sha, sha1}
An authentication algorithm, as specified in
ipseckey(1M).
auth_method {preshared, rsa_sig, rsa_encrypt, dss_sig}
The authentication method used for IKE phase 1.
p1_lifetime_secs num
Optional. The lifetime for a phase 1 SA.
EXAMPLES
Example 1: A Sample ike.config File
The following is an example of an ike.config file:
### BEGINNING OF FILE
### First some global parameters...
### certificate parameters...
# Root certificates. I SHOULD use a full Distinguished Name.
# I must have this certificate in my local filesystem, see ikecert(1m).
cert_root "C=US, O=Sun Microsystems\, Inc., CN=Sun CA"
# Explicitly trusted certs that need no signatures, or perhaps self-signed
# ones. Like root certificates, use full DNs for them for now.
cert_trust "EMAIL=root@domain.org"
# Where do I send LDAP requests?
ldap_server "ldap1.domain.org,ldap2.domain.org:389"
## phase 1 transform defaults...
p1_lifetime_secs 14400
p1_nonce_len 20
## Parameters that may also show up in rules.
p1_xform { auth_method preshared oakley_group 5 auth_alg sha
encr_alg 3des }
p2_pfs 2
# Use the Sun Crypto Accelerator 1000 to speed up public key operations.
pkcs11_path "/opt/SUNWconn/lib/libpkcs11.so"
### Now some rules...
{
label "simple inheritor"
local_id_type ip
local_addr 10.1.1.1
remote_addr 10.1.1.2
}
{
label "simple inheritor IPv6"
local_id_type ipv6
local_addr fe80::a00:20ff:fe7d:6
remote_addr fe80::a00:20ff:fefb:3780
}
{
# an index-only rule. If I'm a receiver, and all I
# have are index-only rules, what do I do about inbound IKE requests?
# Answer: Take them all!
label "default rule"
# Use whatever "host" (e.g. IP address) identity is appropriate
local_id_type ipv4
local_addr 0.0.0.0/0
remote_addr 0.0.0.0/0
p2_pfs 5
# Now I'm going to have the p1_xforms
p1_xform
{auth_method preshared oakley_group 5 auth_alg md5 encr_alg blowfish }
p1_xform
{auth_method preshared oakley_group 5 auth_alg md5 encr_alg 3des }
# After said list, another keyword (or a '}') will stop xform parsing.
}
{
# Let's try something a little more conventional.
label "host to .80 subnet"
local_id_type ip
local_id "10.1.86.51"
remote_id "" # Take any, use remote_addr for access control.
local_addr 10.1.86.51
remote_addr 10.1.80.0/24
p1_xform
{ auth_method rsa_sig oakley_group 5 auth_alg md5 encr_alg 3des }
p1_xform
{ auth_method rsa_sig oakley_group 5 auth_alg md5 encr_alg blowfish }
p1_xform
{ auth_method rsa_sig oakley_group 5 auth_alg sha1 encr_alg 3des }
p1_xform
{ auth_method rsa_sig oakley_group 5 auth_alg sha1 encr_alg blowfish }
}
{
# Let's try something a little more conventional, but with ipv6.
label "host to fe80::/10 subnet"
local_id_type ip
local_id "fe80::a00:20ff:fe7d:6"
remote_id "" # Take any, use remote_addr for access control.
local_addr fe80::a00:20ff:fe7d:6
remote_addr fe80::/10
p1_xform
{ auth_method rsa_sig oakley_group 5 auth_alg md5 encr_alg 3des }
p1_xform
{ auth_method rsa_sig oakley_group 5 auth_alg md5 encr_alg blowfish }
p1_xform
{ auth_method rsa_sig oakley_group 5 auth_alg sha1 encr_alg 3des }
p1_xform
{ auth_method rsa_sig oakley_group 5 auth_alg sha1 encr_alg blowfish }
}
{
# How 'bout something with a different cert type and name?
label "punchin-point"
local_id_type mbox
local_id "ipsec-wizard@domain.org"
remote_id "10.5.5.128"
local_addr 0.0.0.0/0
remote_addr 10.5.5.128
p1_xform
{ auth_method rsa_sig oakley_group 5 auth_alg md5 encr_alg blowfish }
}
{
label "receiver side"
remote_id "ipsec-wizard@domain.org"
local_id_type ip
local_id "10.5.5.128"
local_addr 10.5.5.128
remote_addr 0.0.0.0/0
p1_xform
{ auth_method rsa_sig oakley_group 5 auth_alg md5 encr_alg blowfish }
# NOTE: Specifying preshared null-and-voids the remote_id/local_id
# fields.
p1_xform
{ auth_method preshared oakley_group 5 auth_alg md5 encr_alg blowfish}
}
ATTRIBUTES
See attributes(5) for descriptions of the following attri-
butes:
____________________________________________________________
| ATTRIBUTE TYPE | ATTRIBUTE VALUE |
|_____________________________|_____________________________|
| Availability | SUNWcsr |
|_____________________________|_____________________________|
SEE ALSO
ikeadm(1M), in.iked(1M), ikecert(1M), ipseckey(1M),
ipsecconf(1M), attributes(5), random(7D)
Harkins, Dan and Carrel, Dave. RFC 2409, Internet Key
Exchange (IKE). Cisco Systems., November 1998.
Maughan, Douglas et. al. RFC 2408, Internet Security Associ-
ation and Key Management Protocol (ISAKMP). National Secu-
rity Agency, Ft. Meade, MD. November 1998.
Piper, Derrell. RFC 2407, The Internet IP Security Domain of
Interpretation for ISAKMP. Network Alchemy. Santa Cruz, Cal-
ifornia. November 1998.
Man(1) output converted with
man2html