xref: /illumos-gate/usr/src/cmd/cmd-inet/etc/ike/config.sample (revision 89b2a9fbeabf42fa54594df0e5927bcc50a07cc9)
1#
2#ident	"%Z%%M%	%I%	%E% SMI"
3#
4# Copyright 2005 Sun Microsystems, Inc.  All rights reserved.
5# Use is subject to license terms.
6#
7# CDDL HEADER START
8#
9# The contents of this file are subject to the terms of the
10# Common Development and Distribution License, Version 1.0 only
11# (the "License").  You may not use this file except in compliance
12# with the License.
13#
14# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
15# or http://www.opensolaris.org/os/licensing.
16# See the License for the specific language governing permissions
17# and limitations under the License.
18#
19# When distributing Covered Code, include this CDDL HEADER in each
20# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
21# If applicable, add the following below this CDDL HEADER, with the
22# fields enclosed by brackets "[]" replaced with your own identifying
23# information: Portions Copyright [yyyy] [name of copyright owner]
24#
25# CDDL HEADER END
26#
27
28##
29## This file should be copied into /etc/inet/ike/config to enable the
30## launch of the IKE daemon, in.iked(1m), at boot time.  You can also
31## launch the IKE daemon after creating this file without rebooting by
32## invoking /usr/lib/inet/in.iked with a root shell.
33##
34
35# Consult the ike.config(4) man page for further details.  Here is a small
36# example from the man page.
37
38### BEGINNING OF FILE
39
40### First some global parameters...
41
42## Optional hardware acceleration parameters...
43## Use the pathname of a library that supports PKCS#11 in quotes.
44## The example path is for the Sun Crypto Accelerator 1000.
45# pkcs11_path "/opt/SUNWconn/lib/libpkcs11.so"
46
47## certificate parameters...
48
49# Root certificates.  I SHOULD use a full Distinguished Name.
50# I MUST have this certificate in my local filesystem, see ikecert(1m).
51cert_root    "C=US, O=Sun Microsystems\\, Inc., CN=Sun CA"
52
53# Explicitly trusted certs that need no signatures, or perhaps self-signed
54# ones.  Like root certificates, use full DNs for them for now.
55cert_trust    "EMAIL=root@domain.org"
56
57# Where do I send LDAP requests?
58ldap_server   "ldap1.domain.org,ldap2.domain.org:389"
59
60# Some PKI-specific tweaks...
61# If you wish to ignore CRLs, uncomment this:
62#ignore_crls
63# If you wish to use HTTP (with name resolution) for URLs inside certs,
64# uncomment this:
65#use_http
66# HTTP proxy and socks URLs should also be indicated if needed...
67socks "socks://socks-relay.domain.org"
68#proxy "http://http-proxy.domain.org:8080"
69
70## Phase 1 transform defaults...
71
72p1_lifetime_secs 14400
73p1_nonce_len 20
74
75## Parameters that may also show up in rules.
76
77p1_xform { auth_method preshared oakley_group 5 auth_alg sha encr_alg 3des }
78p2_pfs 2
79
80### Now some rules...
81
82{
83   label "simple inheritor"
84   local_id_type ip
85   local_addr 10.1.1.1
86   remote_addr 10.1.1.2
87}
88
89{
90   # an index-only rule.  If I'm a receiver, and all I
91   # have are index-only rules, what do I do about inbound IKE requests?
92   # Answer:  Take them all!
93
94   label "default rule"
95   # Use whatever "host" (e.g. IP address) identity is appropriate
96   local_id_type ipv4
97
98   local_addr 0.0.0.0/0
99   remote_addr 0.0.0.0/0
100
101   p2_pfs 5
102
103   # Now I'm going to have the p1_xforms
104   p1_xform
105   {auth_method preshared  oakley_group 5  auth_alg md5  encr_alg blowfish }
106   p1_xform
107   {auth_method preshared  oakley_group 5  auth_alg md5  encr_alg 3des }
108
109   # After said list, another keyword (or a '}') will stop xform parsing.
110}
111
112{
113   # Let's try something a little more conventional.
114
115   label "host to .80 subnet"
116   local_id_type ip
117   local_id "10.1.86.51"
118
119   remote_id ""    # Take any, use remote_addr for access control.
120
121   local_addr 10.1.86.51
122   remote_addr 10.1.80.0/24
123
124   p1_xform
125   { auth_method rsa_sig  oakley_group 5  auth_alg md5  encr_alg 3des }
126   p1_xform
127   { auth_method rsa_sig  oakley_group 5  auth_alg md5  encr_alg blowfish }
128   p1_xform
129   { auth_method rsa_sig  oakley_group 5  auth_alg sha1  encr_alg 3des }
130   p1_xform
131   { auth_method rsa_sig  oakley_group 5  auth_alg sha1  encr_alg blowfish }
132}
133
134