xref: /illumos-gate/usr/src/cmd/cmd-inet/etc/ike/config.sample (revision 20a7641f9918de8574b8b3b47dbe35c4bfc78df1)
1#
2# Copyright 2005 Sun Microsystems, Inc.  All rights reserved.
3# Use is subject to license terms.
4#
5# CDDL HEADER START
6#
7# The contents of this file are subject to the terms of the
8# Common Development and Distribution License, Version 1.0 only
9# (the "License").  You may not use this file except in compliance
10# with the License.
11#
12# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
13# or http://www.opensolaris.org/os/licensing.
14# See the License for the specific language governing permissions
15# and limitations under the License.
16#
17# When distributing Covered Code, include this CDDL HEADER in each
18# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
19# If applicable, add the following below this CDDL HEADER, with the
20# fields enclosed by brackets "[]" replaced with your own identifying
21# information: Portions Copyright [yyyy] [name of copyright owner]
22#
23# CDDL HEADER END
24#
25
26##
27## This file should be copied into /etc/inet/ike/config to enable the
28## launch of the IKE daemon, in.iked(8), at boot time.  You can also
29## launch the IKE daemon after creating this file without rebooting by
30## invoking /usr/lib/inet/in.iked with a root shell.
31##
32
33# Consult the ike.config(5) man page for further details.  Here is a small
34# example from the man page.
35
36### BEGINNING OF FILE
37
38### First some global parameters...
39
40## Optional hardware acceleration parameters...
41## Use the pathname of a library that supports PKCS#11 in quotes.
42## The example path is for the Sun Crypto Accelerator 1000.
43# pkcs11_path "/opt/SUNWconn/lib/libpkcs11.so"
44
45## certificate parameters...
46
47# Root certificates.  I SHOULD use a full Distinguished Name.
48# I MUST have this certificate in my local filesystem, see ikecert(8).
49cert_root    "C=US, O=Sun Microsystems\\, Inc., CN=Sun CA"
50
51# Explicitly trusted certs that need no signatures, or perhaps self-signed
52# ones.  Like root certificates, use full DNs for them for now.
53cert_trust    "EMAIL=root@domain.org"
54
55# Where do I send LDAP requests?
56ldap_server   "ldap1.domain.org,ldap2.domain.org:389"
57
58# Some PKI-specific tweaks...
59# If you wish to ignore CRLs, uncomment this:
60#ignore_crls
61# If you wish to use HTTP (with name resolution) for URLs inside certs,
62# uncomment this:
63#use_http
64# HTTP proxy and socks URLs should also be indicated if needed...
65socks "socks://socks-relay.domain.org"
66#proxy "http://http-proxy.domain.org:8080"
67
68## Phase 1 transform defaults...
69
70p1_lifetime_secs 14400
71p1_nonce_len 20
72
73## Parameters that may also show up in rules.
74
75p1_xform { auth_method preshared oakley_group 5 auth_alg sha encr_alg 3des }
76p2_pfs 2
77
78### Now some rules...
79
80{
81   label "simple inheritor"
82   local_id_type ip
83   local_addr 10.1.1.1
84   remote_addr 10.1.1.2
85}
86
87{
88   # an index-only rule.  If I'm a receiver, and all I
89   # have are index-only rules, what do I do about inbound IKE requests?
90   # Answer:  Take them all!
91
92   label "default rule"
93   # Use whatever "host" (e.g. IP address) identity is appropriate
94   local_id_type ipv4
95
96   local_addr 0.0.0.0/0
97   remote_addr 0.0.0.0/0
98
99   p2_pfs 5
100
101   # Now I'm going to have the p1_xforms
102   p1_xform
103   {auth_method preshared  oakley_group 5  auth_alg md5  encr_alg blowfish }
104   p1_xform
105   {auth_method preshared  oakley_group 5  auth_alg md5  encr_alg 3des }
106
107   # After said list, another keyword (or a '}') will stop xform parsing.
108}
109
110{
111   # Let's try something a little more conventional.
112
113   label "host to .80 subnet"
114   local_id_type ip
115   local_id "10.1.86.51"
116
117   remote_id ""    # Take any, use remote_addr for access control.
118
119   local_addr 10.1.86.51
120   remote_addr 10.1.80.0/24
121
122   p1_xform
123   { auth_method rsa_sig  oakley_group 5  auth_alg md5  encr_alg 3des }
124   p1_xform
125   { auth_method rsa_sig  oakley_group 5  auth_alg md5  encr_alg blowfish }
126   p1_xform
127   { auth_method rsa_sig  oakley_group 5  auth_alg sha1  encr_alg 3des }
128   p1_xform
129   { auth_method rsa_sig  oakley_group 5  auth_alg sha1  encr_alg blowfish }
130}
131
132