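#
# Copyright 2005 Sun Microsystems, Inc.  All rights reserved.
# Use is subject to license terms.
#
# CDDL HEADER START
#
# The contents of this file are subject to the terms of the
# Common Development and Distribution License, Version 1.0 only
# (the "License").  You may not use this file except in compliance
# with the License.
#
# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
# or http://www.opensolaris.org/os/licensing.
# See the License for the specific language governing permissions
# and limitations under the License.
#
# When distributing Covered Code, include this CDDL HEADER in each
# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
# If applicable, add the following below this CDDL HEADER, with the
# fields enclosed by brackets "[]" replaced with your own identifying
# information: Portions Copyright [yyyy] [name of copyright owner]
#
# CDDL HEADER END
#

##
## This file should be copied into /etc/inet/ike/config to enable the
## launch of the IKE daemon, in.iked(8), at boot time.  You can also
## launch the IKE daemon after creating this file without rebooting by
## invoking /usr/lib/inet/in.iked with a root shell.
##
## Review note: once copied into place, keep the file owned by root and
## not readable by other users.  It names the certificates, servers and
## proxies the daemon trusts and contacts, so a writable copy lets an
## attacker redirect or weaken IKE negotiation.  Pre-shared keys do not
## live here; they are kept separately, see ike.preshared(5).
##

# Consult the ike.config(5) man page for further details.  Here is a small
# example from the man page.
#
# Review note: the example below is the historical man-page text.  Its
# transforms use md5, sha (SHA-1), 3des, blowfish and oakley_group 5
# (1536-bit MODP), which are weak by current standards.  Before deploying,
# replace them with the stronger algorithms and groups that in.iked
# supports (for example aes, sha256 and oakley_group 14; check ike.config(5)
# for the exact set available on your release) and drop the example
# host names, addresses and DNs.

### BEGINNING OF FILE

### First some global parameters...

## Optional hardware acceleration parameters...
## Use the pathname of a library that supports PKCS#11 in quotes.
## The example path is for the Sun Crypto Accelerator 1000.
# pkcs11_path "/opt/SUNWconn/lib/libpkcs11.so"

## certificate parameters...

# Root certificates.  I SHOULD use a full Distinguished Name.
# I MUST have this certificate in my local filesystem, see ikecert(8).
cert_root "C=US, O=Sun Microsystems\\, Inc., CN=Sun CA"

# Explicitly trusted certs that need no signatures, or perhaps self-signed
# ones.  Like root certificates, use full DNs for them for now.
# Review note: a cert_trust entry is accepted without chain validation, so
# each one is a trust anchor in its own right; list only certificates you
# have verified out of band.
cert_trust "EMAIL=root@domain.org"

# Where do I send LDAP requests?
ldap_server "ldap1.domain.org,ldap2.domain.org:389"

# Some PKI-specific tweaks...
# If you wish to ignore CRLs, uncomment this:
# Review note: ignore_crls turns off revocation checking, so a revoked
# peer certificate would still be accepted.  Leave it commented out
# unless CRL retrieval is genuinely unavailable and that risk is accepted.
#ignore_crls
# If you wish to use HTTP (with name resolution) for URLs inside certs,
# uncomment this:
# Review note: with use_http the daemon fetches URLs taken from peer
# certificates, i.e. destinations chosen by the certificate's contents.
#use_http
# HTTP proxy and socks URLs should also be indicated if needed...
# Review note: the socks line below is active in this example, not
# commented out.  Remove it, or point it at a relay you actually operate,
# before using this file.
socks "socks://socks-relay.domain.org"
#proxy "http://http-proxy.domain.org:8080"

## Phase 1 transform defaults...

p1_lifetime_secs 14400
p1_nonce_len 20

## Parameters that may also show up in rules.

p1_xform { auth_method preshared oakley_group 5 auth_alg sha encr_alg 3des }
p2_pfs 2

### Now some rules...

{
    label "simple inheritor"
    local_id_type ip
    local_addr 10.1.1.1
    remote_addr 10.1.1.2
}

{
    # an index-only rule.  If I'm a receiver, and all I
    # have are index-only rules, what do I do about inbound IKE requests?
    # Answer: Take them all!
    #
    # Review note: because local_addr and remote_addr are both 0.0.0.0/0,
    # this rule matches every peer that presents a matching pre-shared
    # key.  Narrow the address ranges in a real deployment.

    label "default rule"
    # Use whatever "host" (e.g. IP address) identity is appropriate
    local_id_type ipv4

    local_addr 0.0.0.0/0
    remote_addr 0.0.0.0/0

    p2_pfs 5

    # Now I'm going to have the p1_xforms
    p1_xform
    {auth_method preshared oakley_group 5 auth_alg md5 encr_alg blowfish }
    p1_xform
    {auth_method preshared oakley_group 5 auth_alg md5 encr_alg 3des }

    # After said list, another keyword (or a '}') will stop xform parsing.
}

{
    # Let's try something a little more conventional.

    label "host to .80 subnet"
    local_id_type ip
    local_id "10.1.86.51"

    # Review note: an empty remote_id accepts any peer identity, so the
    # remote_addr range on this rule is the only thing limiting who may
    # negotiate under it.
    remote_id ""  # Take any, use remote_addr for access control.

    local_addr 10.1.86.51
    remote_addr 10.1.80.0/24

    p1_xform
    { auth_method rsa_sig oakley_group 5 auth_alg md5 encr_alg 3des }
    p1_xform
    { auth_method rsa_sig oakley_group 5 auth_alg md5 encr_alg blowfish }
    p1_xform
    { auth_method rsa_sig oakley_group 5 auth_alg sha1 encr_alg 3des }
    p1_xform
    { auth_method rsa_sig oakley_group 5 auth_alg sha1 encr_alg blowfish }
}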