xref: /titanic_44/usr/src/cmd/cmd-inet/etc/ike/config.sample (revision 7c478bd95313f5f23a4c958a745db2134aa03244)
#
#ident	"%Z%%M%	%I%	%E% SMI"
#
# Copyright 2005 Sun Microsystems, Inc.  All rights reserved.
# Use is subject to license terms.
#
# CDDL HEADER START
#
# The contents of this file are subject to the terms of the
# Common Development and Distribution License, Version 1.0 only
# (the "License").  You may not use this file except in compliance
# with the License.
#
# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
# or http://www.opensolaris.org/os/licensing.
# See the License for the specific language governing permissions
# and limitations under the License.
#
# When distributing Covered Code, include this CDDL HEADER in each
# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
# If applicable, add the following below this CDDL HEADER, with the
# fields enclosed by brackets "[]" replaced with your own identifying
# information: Portions Copyright [yyyy] [name of copyright owner]
#
# CDDL HEADER END
#

##
## This file should be copied into /etc/inet/ike/config to enable the
## launch of the IKE daemon, in.iked(1m), at boot time.  You can also
## launch the IKE daemon after creating this file without rebooting by
## invoking /usr/lib/inet/in.iked with a root shell.
##

# Consult the ike.config(4) man page for further details.  Here is a small
# example from the man page.

### BEGINNING OF FILE

### First some global parameters...

## Optional hardware acceleration parameters...
## Use the pathname of a library that supports PKCS#11 in quotes.
## The example path is for the Sun Crypto Accelerator 1000.
# pkcs11_path "/opt/SUNWconn/lib/libpkcs11.so"

## certificate parameters...

# Root certificates.  I SHOULD use a full Distinguished Name.
# I MUST have this certificate in my local filesystem, see ikecert(1m).
cert_root    "C=US, O=Sun Microsystems\\, Inc., CN=Sun CA"

# Explicitly trusted certs that need no signatures, or perhaps self-signed
# ones.  Like root certificates, use full DNs for them for now.
cert_trust    "EMAIL=root@domain.org"

# Where do I send LDAP requests?
ldap_server   "ldap1.domain.org,ldap2.domain.org:389"

# Some PKI-specific tweaks...
# If you wish to ignore CRLs, uncomment this:
#ignore_crls
# If you wish to use HTTP (with name resolution) for URLs inside certs,
# uncomment this:
#use_http
# HTTP proxy and socks URLs should also be indicated if needed...
socks "socks://socks-relay.domain.org"
#proxy "http://http-proxy.domain.org:8080"

## Phase 1 transform defaults...

p1_lifetime_secs 14400
p1_nonce_len 20

## Parameters that may also show up in rules.

p1_xform { auth_method preshared oakley_group 5 auth_alg sha encr_alg 3des }
p2_pfs 2

### Now some rules...

{
   label "simple inheritor"
   local_id_type ip
   local_addr 10.1.1.1
   remote_addr 10.1.1.2
}

{
   # an index-only rule.  If I'm a receiver, and all I
   # have are index-only rules, what do I do about inbound IKE requests?
   # Answer:  Take them all!

   label "default rule"
   # Use whatever "host" (e.g. IP address) identity is appropriate
   local_id_type ipv4

   local_addr 0.0.0.0/0
   remote_addr 0.0.0.0/0

   p2_pfs 5

   # Now I'm going to have the p1_xforms
   p1_xform
   {auth_method preshared  oakley_group 5  auth_alg md5  encr_alg blowfish }
   p1_xform
   {auth_method preshared  oakley_group 5  auth_alg md5  encr_alg 3des }

   # After said list, another keyword (or a '}') will stop xform parsing.
}

{
   # Let's try something a little more conventional.

   label "host to .80 subnet"
   local_id_type ip
   local_id "10.1.86.51"

   remote_id ""    # Take any, use remote_addr for access control.

   local_addr 10.1.86.51
   remote_addr 10.1.80.0/24

   p1_xform
   { auth_method rsa_sig  oakley_group 5  auth_alg md5  encr_alg 3des }
   p1_xform
   { auth_method rsa_sig  oakley_group 5  auth_alg md5  encr_alg blowfish }
   p1_xform
   { auth_method rsa_sig  oakley_group 5  auth_alg sha1  encr_alg 3des }
   p1_xform
   { auth_method rsa_sig  oakley_group 5  auth_alg sha1  encr_alg blowfish }
}

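An added example, not part of the shipped config.sample or of in.iked: a small Python audit script that parses the ike.config syntax shown above ('#' comments, double-quoted strings with backslash escapes, valueless keywords such as ignore_crls, braced rules, repeated p1_xform blocks, rules inheriting the global p1_xform) and reports settings a review would want to look at. The review policy (md5 and blowfish as legacy algorithms, ignore_crls, a catch-all remote_addr with preshared keys) and the SAMPLE input are assumptions constructed for this example.

```python
import re
from collections import defaultdict
# ike.config lexical shape: '#' comments, double-quoted strings (a backslash
# escapes the next character, as in the cert_root DN), '{' '}' and bare words.
TOKEN = re.compile(r'#[^\n]*|"((?:\\.|[^"\\])*)"|([{}])|([^\s{}"#]+)')
FLAGS = {"ignore_crls", "use_http"}  # keywords that take no value

def tokenize(text):  # drop comments; unquote and unescape strings
    return [re.sub(r"\\(.)", r"\1", m[1]) if m[1] is not None else m[2] or m[3]
            for m in TOKEN.finditer(text) if not m[0].startswith("#")]

def parse(toks, i=0):
    """Entries up to '}' or end; list values (p1_xform repeats); rules go under "rule"."""
    entries = defaultdict(list)
    while i < len(toks) and toks[i] != "}":
        key, nxt = toks[i], toks[i + 1] if i + 1 < len(toks) else None
        if key in FLAGS:
            entries[key].append(True); i += 1
        elif key == "{" or nxt == "{":                      # braced block
            body, i = parse(toks, i + (1 if key == "{" else 2))
            entries["rule" if key == "{" else key].append(body)
            i += 1                                          # consume the '}'
        else:
            entries[key].append(nxt); i += 2
    return entries, i

def audit(text, legacy_auth=("md5",), legacy_encr=("blowfish",)):
    """Findings under a review policy that is this example's own assumption."""
    cfg, _ = parse(tokenize(text))
    out = ["global: ignore_crls disables revocation checking"] if cfg.get("ignore_crls") else []
    for n, rule in enumerate(cfg.get("rule", [])):
        label = rule.get("label", [f"rule {n}"])[0]
        xforms = rule.get("p1_xform") or cfg.get("p1_xform", [])  # inherit the global default
        for x in xforms:
            a, e = x.get("auth_alg", ["?"])[0], x.get("encr_alg", ["?"])[0]
            if a in legacy_auth or e in legacy_encr:
                out.append(f"{label}: p1_xform auth_alg {a} encr_alg {e} is legacy")
        if rule.get("remote_addr", [""])[0] == "0.0.0.0/0" and any(
                x.get("auth_method", [""])[0] == "preshared" for x in xforms):
            out.append(f"{label}: catch-all remote_addr with preshared authentication")
    return out
SAMPLE = r'''# constructed input in ike.config syntax, modelled on config.sample
cert_root "C=US, O=Example\\, Inc., CN=Example CA"
ignore_crls
p1_xform { auth_method preshared oakley_group 5 auth_alg sha encr_alg 3des }
{ label "simple inheritor"  local_addr 10.1.1.1  remote_addr 10.1.1.2 }
{ label "default rule"  local_addr 0.0.0.0/0  remote_addr 0.0.0.0/0
  p1_xform {auth_method preshared oakley_group 5 auth_alg md5 encr_alg blowfish } }
{ label "host to .80 subnet"  remote_id ""  local_addr 10.1.86.51  remote_addr 10.1.80.0/24
  p1_xform { auth_method rsa_sig oakley_group 5 auth_alg sha1 encr_alg 3des } }'''
```

Running audit() on the text of a real /etc/inet/ike/config works the same way, since the parser is whitespace-insensitive and accepts the "p1_xform" newline "{ ... }" layout used in the file above.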