Name

ipsec — format of ipsec component configuration

DESCRIPTION

General syntax rules of Kernun Firewall configuration files are described in configuration(7). This man page describes types, sections and items specific for the ipsec component configuration.

Repeatable sections/items are marked by '*' before the section/item name.

TYPES

Configuration directives have attributes of several value-types. For the basic types description, see configuration(7).

An enumeration is a list of words (names) representing integer values. Some enumerations accept both names and direct integer values; in that case the enumeration description gives the value for every name (in parentheses next to the name). For the other enumerations, names must be used.

The following enumerations are used in ipsec configuration directives:

ipsec-encryption1 (name-usage obligatory)

Available encryption algorithms for ISAKMP phase 1.

aes, des3, cast128, blowfish

Note that des3, cast128 and blowfish are legacy 64-bit block ciphers; aes should be used unless the peer cannot support it.

ipsec-encryption2 (name-usage obligatory)

Available encryption algorithms for ISAKMP phase 2.

aes, des3, cast128, blowfish, rc5, rc4, idea, twofish

Note that only aes and twofish are current 128-bit block ciphers; rc4 is a stream cipher and the remaining algorithms are legacy 64-bit block ciphers. They should not be used in new configurations.

ipsec-hash1 (name-usage obligatory)

Available hash algorithms for ISAKMP phase 1.

md5, sha1, sha256, sha384, sha512

Note that md5 and sha1 are deprecated; prefer sha256 or stronger where the peer supports it.

ipsec-auth2 (name-usage obligatory)

Available authentication algorithms for ISAKMP phase 2.

hmac_md5, hmac_sha1, hmac_sha256, hmac_sha384, hmac_sha512

Note that hmac_md5 and hmac_sha1 are deprecated; prefer hmac_sha256 or stronger where the peer supports it.

ipsec-dh-group (name-usage optional)

Diffie-Hellman group for ISAKMP.

modp768 (1), modp1024 (2), modp1536 (5), modp2048 (14), modp3072 (15), modp4096 (16), modp6144 (17), modp8192 (18)

Note that groups 1 and 2 (768 and 1024 bits) are considered too weak for current use; choose modp2048 or larger.

ipsec-tunnel-sa-mode (name-usage obligatory)

Mode of creating IPsec security associations in the tunnel mode.

network

There will be a single SA for each pair of networks.

host

There will be a separate SA for each pair of communicating hosts.

ipsec-auth-method (name-usage obligatory)

Method of ISAKMP phase 1 authentication

psk

Pre-shared key.

x509

X.509 certificate.

ipsec-protocol (name-usage optional)

Protocols handled by IPsec in tunnel mode.

any (0), icmp (1), ipencap (4), gif (4), tcp (6), udp (17), gre (47)

ipsec-remote-mode (name-usage obligatory)

Remote host definition mode.

address

Remote address is defined directly.

tunnel

Remote address is taken from INTERFACE.TUNNEL.

ipsec-rekey-mode (name-usage obligatory)

Automatic renegotiation of expired phase 1 (ISAKMP) security associations.

off

No automatic rekeying.

on

Rekeying performed only while DPD monitoring is enabled.

force

Rekeying performed unconditionally, regardless of DPD.

ITEMS AND SECTIONS

Configuration of the ipsec library component consists of the following prototypes:


  ipsec-global { ... }
* ipsec name { ... }
* ipsec-remote name { ... }

Description:

ipsec-global {


  phase ... ;
* tag ... ;
}


Global parameters of IPsec.

Items & subsections:

phase [number];

ISAKMP daemon startup phase.

number (type: uint8, optional, default: 40)

Phase number; the lower the number, the earlier the start.

tag value;

Configuration factorization tag.

This feature allows the administrator to create groups of Kernun applications (especially proxies and servers) according to various aspects (belonging to one customer, handling a particular kind of network traffic, etc.).

Each application can have several tag attributes, and the KAT tool can run some commands (like 'ps', 'start', etc.) for applications with or without a given tag.

value (type: str)

Constraints:

A tag may contain only letters, digits, hyphens and dots.

[End of section ipsec-global description.]

ipsec name {


  phase ... ;
* tag ... ;
  transport-mode ... ;
  tunnel-mode { ... }
  phase2 { ... }
}


Definition of a single IPsec tunnel.

Constraints:

Either TRANSPORT-MODE or TUNNEL-MODE must be specified.

TRANSPORT-MODE and TUNNEL-MODE are mutually exclusive.

Section PHASE2 required.

Items & subsections:

phase [number];

Application Startup Phase.

number (type: uint8, optional, default: 40)

Phase number; the lower the number, the earlier the start.

tag value;

Configuration factorization tag.

This feature allows the administrator to create groups of Kernun applications (especially proxies and servers) according to various aspects (belonging to one customer, handling a particular kind of network traffic, etc.).

Each application can have several tag attributes, and the KAT tool can run some commands (like 'ps', 'start', etc.) for applications with or without a given tag.

value (type: str)

Constraints:

A tag may contain only letters, digits, hyphens and dots.

transport-mode interface;

Use IPsec in transport mode to secure a GIF or GRE tunnel.

interface (type: name of interface, see interface(5))

IPsec will be used for traffic on this tunnel interface.

tunnel-mode {


  tunnel ... ;
  local ... ;
  remote ... ;
  protocol ... ;
  sa-mode ... ;
}


Use IPsec in tunnel mode.

Constraints:

Tunnel addresses must be specified.

LOCAL networks must be specified.

REMOTE networks must be specified.

PROTOCOL must be specified.

Items & subsections:

tunnel addr dest;

Pair of tunnel addresses.

addr (type: addr)

Interface address with prefix.

dest (type: host)

Tunnel destination address.

Constraints:

Tunnel addresses must have the same address family.

Remote IP address must be specified.

local nets;

Addresses of local networks that communicate via this tunnel.

nets (type: net-list)

Constraints:

At least one LOCAL network must be specified.

remote nets;

Addresses of remote networks that communicate via this tunnel.

nets (type: net-list)

Constraints:

At least one REMOTE network must be specified.

protocol proto;

List of protocols handled by IPsec in this tunnel.

proto (type: ipsec-protocol-list)

Constraints:

At least one PROTOCOL must be specified.

sa-mode [mode];

Mode of creating IPsec security associations in the tunnel mode.

mode (type: ipsec-tunnel-sa-mode, optional, default: network)

[End of section ipsec.tunnel-mode description.]

phase2 {


  lifetime ... ;
* encryption ... ;
  auth-alg ... ;
  pfs-group ... ;
}


ISAKMP phase 2 parameters.

Items & subsections:

lifetime [sec];

Lifetime of a SA (in seconds).

sec (type: uint32, optional, default: 43200)

Constraints:

Lifetime must not be zero.

encryption alg [bits];

The encryption algorithms for the phase 2 proposals. If not set, AES256 will be used.

alg (type: ipsec-encryption2-list)

bits (type: uint16, optional, default: 0)

Key length in bits of the encryption algorithm. The value, if nonzero, applies to all algorithms in the list. The value 0 means the default length for each selected algorithm.

Constraints:

At least one algorithm required.

auth-alg alg;

The authentication algorithms for the phase 2 proposals. If not set, HMAC-SHA1 will be used.

alg (type: ipsec-auth2-list)

Constraints:

At least one algorithm required.

pfs-group group;

The group of Diffie-Hellman exponentiations. If not set, PFS will not be used.

group (type: ipsec-dh-group)

Constraints:

Bad DH group number.

[End of section ipsec.phase2 description.]

[End of section ipsec description.]
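The following is an added example of two complete ipsec sections, one in tunnel mode and one in transport mode; it is not taken from the Kernun documentation or product. The interface name gre0, all addresses, the '#' comment syntax and the comma-separated notation for net-list and ipsec-protocol-list values are assumptions about the Kernun configuration syntax; verify them against configuration(7) and interface(5) before use.

```conf
# Added example, not part of the original page. Two IPsec definitions:
# "site-b" protects traffic between two sets of networks in tunnel mode,
# "gre-b" protects an existing GRE tunnel interface in transport mode.
# Address literals, the interface name "gre0", '#' comments and
# comma-separated lists are assumptions about the syntax; see configuration(7).

ipsec site-b {
    tag customer-b;                          # lets KAT address this application by tag
    tunnel-mode {
        tunnel [10.255.0.1/30] [203.0.113.20];   # local tunnel address with prefix, remote endpoint
        local  [192.168.10.0/24], [192.168.11.0/24];
        remote [192.168.20.0/24];
        protocol any;                        # all IP protocols between the networks
        sa-mode host;                        # a separate SA for each communicating host pair
    }
    phase2 {
        lifetime 3600;                       # shorter than the 43200 s default
        encryption aes 256;                  # explicit key length, applies to every listed algorithm
        auth-alg hmac_sha256;
        pfs-group modp2048;                  # without pfs-group no PFS is negotiated
    }
}

ipsec gre-b {
    transport-mode gre0;                     # assumed name of a GRE tunnel interface from interface(5)
    phase2 {
        encryption aes;                      # key length 0 (default length); AES256 is also the default when omitted
        auth-alg hmac_sha256, hmac_sha1;     # two proposals; the peer selects a matching one
        pfs-group modp2048;
    }
}
```

The two definitions are independent: tunnel-mode and transport-mode are mutually exclusive within one ipsec section, so protecting both a network pair and a GRE tunnel requires two sections, each with its own mandatory phase2 block.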

ipsec-remote name {


  peer ... ;
  lifetime ... ;
  encryption ... ;
  hash ... ;
  dh-group ... ;
  authentication ... ;
  dpd ... ;
  rekey ... ;
  ike-frag ... ;
  esp-frag ... ;
}


ISAKMP phase 1 parameters for remote host.

Constraints:

Remote peer must be specified.

Authentication method must be specified.

Items & subsections:

peer address peer;

peer tunnel iface;

Remote peer address definition.

<branching element> (type: ipsec-remote-mode)

iface (type: name of interface, see interface(5))

Tunnel interface used for ipsec to this host.

peer (type: host)

Remote host address.

lifetime [sec];

Lifetime proposed in the phase 1 negotiations (in seconds).

sec (type: uint32, optional, default: 3600)

Constraints:

Lifetime must not be zero.

encryption [alg [bits]];

The encryption algorithm used for the phase 1 negotiations.

alg (type: ipsec-encryption1, optional, default: aes)

bits (type: uint16, optional, default: 0)

Key length in bits of the encryption algorithm. The value 0 means the default length for the selected algorithm.

hash [alg];

The hash algorithm used for the phase 1 negotiations.

alg (type: ipsec-hash1, optional, default: sha1)

dh-group [group];

The group used for the Diffie-Hellman exponentiations.

group (type: ipsec-dh-group, optional, default: modp1024 (2))

Note that the default modp1024 group is considered weak; set modp2048 or larger explicitly wherever the peer supports it.

Constraints:

Bad DH group number.

authentication psk psk;

authentication x509 ca cert key;

Method and data for authentication.

<branching element> (type: ipsec-auth-method)

psk (type: str)

The pre-shared key. It is stored as a plain string in the configuration, so the configuration file must be protected accordingly.

ca (type: name of shared-file, see common(5))

Root CA certificate.

cert (type: name of shared-file, see common(5))

A certificate.

key (type: name of shared-file, see common(5))

A private key.

dpd [delay [retry [maxfail]]];

DPD enabling and parameters setting.

delay (type: uint16, optional, default: 0)

Time (in seconds) between two proofs of liveness. The value 0 (the default) disables DPD monitoring.

retry (type: uint16, optional, default: 5)

Timeout (in seconds) for a single proof of liveness.

maxfail (type: uint16, optional, default: 5)

Maximum number of consecutive failed proofs before the peer is considered dead.

rekey [mode];

Automatic phase1 renegotiation.

mode (type: ipsec-rekey-mode, optional, default: on)

ike-frag mode;

Receiver-side IKE fragmentation. The mode values are the same as for REKEY (off, on, force).

mode (type: ipsec-rekey-mode)

esp-frag fraglen;

Fragment IP packets larger than fraglen before ESP-over-UDP encapsulation, instead of sending fragmented ESP-over-UDP packets. This is useful with NAT traversal, where fragments of the encapsulated packets may not pass the NAT device.

fraglen (type: uint16)

Maximum size (in bytes) of an IP packet encapsulated without fragmentation.

[End of section ipsec-remote description.]
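The following is an added example of two ipsec-remote sections, one for each peer definition mode and each authentication method; it is not taken from the Kernun documentation or product. The interface name gre0, the peer address, the shared-file names vpn-ca, vpn-cert and vpn-key (which would have to be declared as described in common(5)) and the '#' comment syntax are assumptions about the Kernun configuration syntax; verify them against configuration(7) before use.

```conf
# Added example, not part of the original page. Two ISAKMP phase 1 peer
# definitions. Address literals, "gre0", the shared-file names and '#'
# comments are assumptions about the syntax; see configuration(7), common(5).

# Peer reached through a tunnel interface: its address is taken from
# INTERFACE.TUNNEL of gre0. With only the mandatory items, phase 1 would
# run with the defaults aes / sha1 / modp1024 and a 3600 s lifetime;
# the weak DH group and hash are overridden here.
ipsec-remote gre-b {
    peer tunnel gre0;
    authentication psk "replace-with-a-long-random-secret";   # stored in clear text in the configuration
    hash sha256;
    dh-group modp2048;
}

# Peer defined by address and authenticated with X.509 certificates.
ipsec-remote site-b {
    peer address [203.0.113.20];
    lifetime 28800;
    encryption aes 256;                         # explicit key length instead of the algorithm default
    hash sha256;
    dh-group modp2048;
    authentication x509 vpn-ca vpn-cert vpn-key;  # root CA, own certificate, own private key (shared-file names)
    dpd 10 5 3;                                 # liveness proof every 10 s, 5 s timeout, dead after 3 failures
    rekey on;                                   # the default: rekey expired phase 1 SAs while DPD is active
    ike-frag on;                                # accept fragmented IKE messages from this peer
    esp-frag 1400;                              # fragment packets above 1400 bytes before ESP-over-UDP encapsulation
}
```

Because rekey defaults to on, automatic phase 1 renegotiation only takes effect once dpd is given a nonzero delay, as in the second section; a peer with the default dpd 0 and rekey on will not be rekeyed automatically unless rekey force is set.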

SEE ALSO

configuration(7), ipsec(4), common(5), interface(5), racoon.conf(5), racoon(8), setkey(8)