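#
# Copyright 2005 Sun Microsystems, Inc. All rights reserved.
# Use is subject to license terms.
#
# CDDL HEADER START
#
# The contents of this file are subject to the terms of the
# Common Development and Distribution License, Version 1.0 only
# (the "License"). You may not use this file except in compliance
# with the License.
#
# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
# or http://www.opensolaris.org/os/licensing.
# See the License for the specific language governing permissions
# and limitations under the License.
#
# When distributing Covered Code, include this CDDL HEADER in each
# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
# If applicable, add the following below this CDDL HEADER, with the
# fields enclosed by brackets "[]" replaced with your own identifying
# information: Portions Copyright [yyyy] [name of copyright owner]
#
# CDDL HEADER END
#

##
## This file should be copied into /etc/inet/ike/config to enable the
## launch of the IKE daemon, in.iked(8), at boot time. You can also
## launch the IKE daemon after creating this file without rebooting by
## invoking /usr/lib/inet/in.iked with a root shell.
##
## WARNING: this is an EXAMPLE, not a drop-in configuration. Every
## hostname, address, DN and algorithm below is a placeholder and is
## active (not commented out) unless noted. Review and edit each rule
## before copying the file into place; a verbatim copy will make
## in.iked answer IKE requests from any peer (see "default rule") and
## contact the fictional hosts named in ldap_server and socks.
##
## in.iked reads this file as root at startup; keep it owned by root
## and not writable by other users, since its rules decide which peers
## are accepted and how the IPsec SAs are keyed.
##

# Consult the ike.config(5) man page for further details. Here is a small
# example from the man page.

### BEGINNING OF FILE

### First some global parameters...

## Optional hardware acceleration parameters...
## Use the pathname of a library that supports PKCS#11 in quotes.
## The example path is for the Sun Crypto Accelerator 1000.
## Only point this at a library you trust: it is loaded into the IKE
## daemon's (root) address space and handles the private keys.
# pkcs11_path "/opt/SUNWconn/lib/libpkcs11.so"

## certificate parameters...

# Root certificates. I SHOULD use a full Distinguished Name.
# I MUST have this certificate in my local filesystem, see ikecert(8).
# Any peer certificate that chains to this root is accepted by the
# rsa_sig rules below, so list only the CAs you actually want to trust.
cert_root "C=US, O=Sun Microsystems\\, Inc., CN=Sun CA"

# Explicitly trusted certs that need no signatures, or perhaps self-signed
# ones. Like root certificates, use full DNs for them for now.
# Entries here bypass chain validation entirely; treat each one as a
# pinned peer key and remove it when that peer is retired.
cert_trust "EMAIL=root@domain.org"

# Where do I send LDAP requests?
# Placeholder hosts -- replace or remove. Certificates and CRLs fetched
# from here are still validated against cert_root, but the lookups
# themselves are unauthenticated LDAP.
ldap_server "ldap1.domain.org,ldap2.domain.org:389"

# Some PKI-specific tweaks...
# If you wish to ignore CRLs, uncomment this:
# NOTE: doing so disables revocation checking, so a compromised or
# revoked peer certificate keeps working. Leave it commented in
# production; use it only while debugging CRL retrieval.
#ignore_crls
# If you wish to use HTTP (with name resolution) for URLs inside certs,
# uncomment this:
# NOTE: this lets the daemon fetch whatever URL a presented certificate
# carries, i.e. the peer chooses where in.iked connects.
#use_http
# HTTP proxy and socks URLs should also be indicated if needed...
# The socks entry below is ACTIVE and names a placeholder host; edit it
# or comment it out, otherwise certificate/CRL fetches are routed
# through a relay that does not exist.
socks "socks://socks-relay.domain.org"
#proxy "http://http-proxy.domain.org:8080"

## Phase 1 transform defaults...

# Phase 1 SA lifetime in seconds (here 4 hours) and nonce length in bytes.
p1_lifetime_secs 14400
p1_nonce_len 20

## Parameters that may also show up in rules.

# Global phase 1 transform, inherited by every rule that does not give
# its own p1_xform (the "simple inheritor" rule below relies on this).
# NOTE(review): 3DES, MD5/SHA-1 and Oakley group 5 (1536-bit MODP) are
# the 2005 man-page example and are weak by current standards; prefer
# the strongest encr_alg / auth_alg / oakley_group your in.iked build
# accepts (check ike.config(5) for the supported list) and prefer
# certificate (rsa_sig) over preshared authentication where possible.
p1_xform { auth_method preshared oakley_group 5 auth_alg sha encr_alg 3des }
# Default phase 2 PFS group (Oakley group 2); rules may override it.
p2_pfs 2

### Now some rules...

{
    # Inherits the global p1_xform (preshared) and p2_pfs above.
    # With auth_method preshared, the matching key for this peer
    # must also exist in in.iked's preshared-key file (see the
    # ike.preshared man page); the rule alone does not authenticate.
    label "simple inheritor"
    local_id_type ip
    local_addr 10.1.1.1
    remote_addr 10.1.1.2
}

{
    # an index-only rule. If I'm a receiver, and all I
    # have are index-only rules, what do I do about inbound IKE requests?
    # Answer: Take them all!
    #
    # SECURITY: 0.0.0.0/0 on both sides means in.iked negotiates with
    # ANY source address. A peer still has to know a valid preshared
    # key, but every address becomes a valid IKE target, so this rule
    # should be deleted or narrowed on anything reachable from an
    # untrusted network.

    label "default rule"
    # Use whatever "host" (e.g. IP address) identity is appropriate
    local_id_type ipv4

    local_addr 0.0.0.0/0
    remote_addr 0.0.0.0/0

    # Stronger PFS group than the global default for this rule.
    p2_pfs 5

    # Now I'm going to have the p1_xforms
    # The peer may pick either transform; listing a weaker one (md5,
    # blowfish) lets a peer negotiate down to it. Keep only transforms
    # you are willing to accept.
    p1_xform
    {auth_method preshared oakley_group 5 auth_alg md5 encr_alg blowfish }
    p1_xform
    {auth_method preshared oakley_group 5 auth_alg md5 encr_alg 3des }

    # After said list, another keyword (or a '}') will stop xform parsing.
}

{
    # Let's try something a little more conventional.

    label "host to .80 subnet"
    local_id_type ip
    local_id "10.1.86.51"

    # Empty remote_id accepts ANY identity the peer presents; the only
    # restriction on who may connect is the remote_addr range below,
    # together with the certificate check performed by rsa_sig (the
    # peer's cert must chain to cert_root or be listed in cert_trust).
    remote_id "" # Take any, use remote_addr for access control.

    local_addr 10.1.86.51
    remote_addr 10.1.80.0/24

    # Certificate authentication. NOTE(review): with local_id_type ip
    # the local certificate presumably has to carry this IP address as
    # its identity -- confirm against ikecert(8) when generating it.
    # As above, the md5/blowfish variants are the weakest the peer may
    # choose; drop them unless an old peer requires them.
    p1_xform
    { auth_method rsa_sig oakley_group 5 auth_alg md5 encr_alg 3des }
    p1_xform
    { auth_method rsa_sig oakley_group 5 auth_alg md5 encr_alg blowfish }
    p1_xform
    { auth_method rsa_sig oakley_group 5 auth_alg sha1 encr_alg 3des }
    p1_xform
    { auth_method rsa_sig oakley_group 5 auth_alg sha1 encr_alg blowfish }
}
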