Lines Matching +full:library +full:- +full:sel

9 ike.config \- configuration file for IKE policy
21 using the \fB-c\fR or \fB-f\fR options of \fBin.iked\fR(8). You must use the
22 \fB-c\fR option to test a \fBconfig\fR file. You might need to use the \fB-f\fR
52 \fB10.1.2.0/255.255.255.0\fR). An optional -\fIADDR\fR suffix (where \fIADDR\fR
54 example, \fB10.1.2.0-10.1.2.255\fR). The \fB/\fR or \fB-\fR can be surrounded
71 \fBp1-id-type\fR
149 \fB\fIcert-sel\fR\fR
157 A \fIcert-sel\fR can also use various shortcuts to match either subject
175 Any \fIcert-sel\fR preceded by the character \fB!\fR indicates a negative
183 \fB\fIldap-list\fR\fR
187 A quoted, comma-separated list of LDAP servers and ports.
198 \fB\fIparameter-list\fR\fR
237 \fBcert_root \fIcert-sel\fR\fR
250 \fBcert_trust \fIcert-sel\fR\fR
254 Specifies an X.509 distinguished name of a certificate that is self-signed, or
267 The number of seconds to let a not-yet-complete IKE Phase I (Main Mode)
285 \fBldap_server \fIldap-list\fR\fR
301 \fBdlopen\fR(3C) for linking, with all of the semantics of that library call.
303 library specified using \fBpkcs11_path\fR and an absolute pathname \fBmust\fR
308 Most cryptographic providers go through the default library, and this parameter
309 should only be used if a specialized provider of IKE-useful cryptographic
349 Note -
353 interval is 8 (0.5 * 2 ^ (5 - 1)) seconds.
376 \fBsocks://socks-proxy\fR.
393 file-level defaults. Values specified within any given transform override these
417 specified on a per-rule basis.
422 The following IKE rule parameters can be prefigured using file-level defaults.
504 specified on a per-rule basis.
510 \fBlocal_id_type \fIp1-id-type\fR\fR
546 \fBp1_xform '{' parameter-list '}\fR
557 optional, elements in the parameter-list must occur exactly once within a given
558 transform's parameter-list:
566 The Oakley Diffie-Hellman group used for IKE SA key derivation. The group
571 1 (MODP 768-bit)
575 2 (MODP 1024-bit)
579 3 (EC2N 155-bit)
583 4 (EC2N 185-bit)
587 5 (MODP 1536-bit)
591 14 (MODP 2048-bit)
595 15 (MODP 3072-bit)
599 16 (MODP 4096-bit)
603 17 (MODP 6144-bit)
607 18 (MODP 8192-bit)
611 19 (ECP 256-bit)
615 20 (ECP 384-bit)
619 21 (ECP 521-bit)
623 22 (MODP 1024-bit, with 160-bit Prime Order Subgroup)
627 23 (MODP 2048-bit, with 224-bit Prime Order Subgroup)
631 24 (MODP 2048-bit, with 256-bit Prime Order Subgroup)
635 25 (ECP 192-bit)
639 26 (ECP 224-bit)
646 \fBencr_alg {3des, 3des-cbc, blowfish, blowfish-cdc, des, des-cbc, aes,
647 aes-cbc}\fR
652 listed above, only \fBaes\fR and \fBaes-cbc\fR allow optional key-size setting,
653 using the "low value-to-high value" syntax. To specify a single AES key size,
667 Use \fBipsecalgs\fR(8) with the \fB-l\fR option to list the IPsec protocols
703 parameter can be used on a per-rule basis to set the IPsec \fBSA\fR lifetimes
722 1 (768-bit)
726 2 (1024-bit)
730 5 (1536-bit)
734 14 (2048-bit)
738 15 (3072-bit)
742 16 (4096-bit)
748 An IKE rule starts with a left-curly-brace (\fB{\fR), ends with a
749 right-curly-brace (\fB}\fR), and has the following parameters in between:
760 ACQUIRE message from PF_KEY - effectively tying IPsec policy to IKE policy in
792 \fBlocal_id_type \fIp1-id-type\fR\fR
798 phase 1 transforms must either use preshared or non-preshared authentication
801 which use non-preshared authentication, the 'local_id_type' parameter is
808 \fBlocal_id \fIcert-sel\fR\fR
813 non-preshared authentication method. The local identity string or certificate
820 \fBremote_id \fIcert-sel\fR\fR
825 non-preshared authentication method. Selector for which remote phase 1
841 parameter can be used on a per-rule basis to set the IPsec \fBSA\fR lifetimes
860 1 (768-bit)
864 2 (1024-bit)
868 5 (1536-bit)
872 14 (2048-bit)
876 15 (3072-bit)
880 16 (4096-bit)
887 \fBp1_xform \fB{\fR \fIparameter-list\fR \fB}\fR\fR
898 parameter-list; unless specified as optional, must occur exactly once within a
899 given transform's parameter-list:
907 The Oakley Diffie-Hellman group used for \fBIKE SA\fR key derivation.
911 1 (768-bit)
915 2 (1024-bit)
919 5 (1536-bit)
923 14 (2048-bit)
927 15 (3072-bit)
931 16 (4096-bit)
938 \fBencr_alg {3des, 3des-cbc, blowfish, blowfish-cdc, des, des-cbc, aes,
939 aes-cbc}\fR
944 listed above, only \fBaes\fR and \fBaes-cbc\fR allow optional key-size setting,
945 using the "low value-to-high value" syntax. To specify a single AES key size,
1003 # self-signed ones. Like root certificates, use full DNs for them
1039 # an index-only rule. If I'm a receiver, and all I
1040 # have are index-only rules, what do I do about inbound IKE requests?
1114 label "punchin-point"
1116 local_id "ipsec-wizard@example.org"
1131 remote_id "ipsec-wizard@example.org"
1141 # NOTE: Specifying preshared null-and-voids the remote_id/local_id
1192 Kivinen, T. \fIRFC 3526, More Modular Exponential (MODP) Diffie-Hellman Groups
1197 Lepinski, M. and Kent, S. \fIRFC 5114, Additional Diffie-Hellman Groups for Use