###################################################################################### ################################ LOG SECTION ##################################### ###################################################################################### log { # Indicates if show extra info is desired show_extra_info = yes # Put in show_mask list the message log types you want to show show_mask = {all} # Put in hide_mask list the message log types you want to hide hide_mask = { none } # You can use more than one of the following types for show_mask and hide_mask: # none - No info is promnted # info - General information # messages - Messages of exchages # crypto - Crypto information # exceptions - Shows the exceptions # transitions - Shows the state machine transitions # config - Shows the configuration info # threads - Shows threads events # alarms - Shows alarms events # dhcp - Shows dhcp events # ebus - Shows bus events # ipsec - Shows ipsec events # halfopen - Shows the number of half-opened IKE SAs # policies - Shows the IPSEC policies # warnings - Shows the warnings messages # all - Shows all the information available } ###################################################################################### ############################## GENERAL SECTION ################################### ###################################################################################### general { # Max time (in seconds) to perform the initial exchanges (when acting as responder) max_ike_negotiation_time = 30 # Max. use time of the same cookie secret cookies_lifetime = 20 # Number of half-opened IKE SAs that activates cookies cookies_threshold = 5 # A vendor string (default value is openikev2-version) # vendor_id = openikev2-XX } ###################################################################################### ############################## POLICIES SECTION ################################### ###################################################################################### # Uncomment and adjust to match your needs /* policies{ # Indicates that the SPD will be flushed before adding the new ones flush_before = true # Indicate if the the allow policies must be automatically generated. These policies # allow IPv4 and IPv6 IKE traffic and ICMPv6 Neighbor Solicitation and Neighbor Advertisement generate_allow_policies = true # Define a policy to be added in the SPD policy{ # Source address range of the traffic matching this policy src_selector = 192.168.1.0/24 # Source port of the traffic matching this policy (0 = any port) src_port = 0 # Destination address range of the traffic matching this policy dst_selector = 192.168.2.15/32 # Destination port of the traffic matching this policy (0 = any port) dst_port = 0 # IP protocol of the traffic matching this policy (tcp, udp, icmp, icmpv6 or any number) ip_proto = tcp # Direction of the policy (in, out, fwd, all). If all is selected, the policy is assumed as out # and the symmetric in and fwd directions are automatically generated dir = all # IPsec protocol to be used (esp, ah, none). If none is used, then ipsec will # not be used for such traffic. ipsec_proto = esp # IPsec mode to be applied (transport, tunnel) mode = transport # Source tunnel address (only needed when tunnel mode is selected) src_tunnel = 192.168.1.1 # Destination tunnel address (only needed when tunnel mode is selected) dst_tunnel = 192.168.2.15 # Policy priority priority = 1000 } policy{ src_selector = 192.168.2.15/32 dst_selector = 192.168.1.1/24 ip_proto = tcp dir = in ipsec_proto = esp } } */ ###################################################################################### ############################## PEER SECTION ################################### ###################################################################################### # There is a "peer" section for each peer address and role. For example, this section # will be applied when the role is INITIATOR and peer address is in 172.20.0.0/24 or # in 0::0/0. /* peer{ # Our role when comunicating with the peer. # Allowed values are "any", "initiator" or "responder". If you omit this parameter, "any" is assumed by default role = initiator # The allowed peer addresses in a subnet/prefix form peer_address = {172.20.0.0/24, 0::0/0} # These are the IKE_SA parameters when this peer section is applied ike{ # This is the ID to be sent to the peer (same types as peer_id section, except domain_name and any. See above) my_id{ id_type = rfc822 id = alex@um.es } # Allowed peer IDs # Supported types are "fqdn", "rfc822", "ipaddr", "der_asn1_dn", "domain_name" and "any". "ipaddr" can be an # IPv4 address, an IPv6 address or a name to be resolved in the system DNS. "domain_name" accepts any RFC822 # or FQDN ID finalizing with the indicated string. "any" allows any peer ID peer_id{ id_type = rfc822 id = openikev2-admin@dif.um.es } peer_id{ id_type = ipaddr id = 192.168.1.1 } peer_id{ id_type = ipaddr id = 100::1 } peer_id{ id_type = der_asn1_dn id = "certificate.crt" # ID will be extracted from the indicated certificate. } peer_id{ id_type = domain_name id = "@test.com" # ID will be extracted from the indicated certificate. } peer_id{ id_type = any id = any # This value is irrelevant } # IKE proposal to be used (to be sent if initiator role or to be used in the selection process # if responder role). The IKE proposal must have, at least, an "encr", "integ", "prf" and "dh" # transforms. proposal{ # You can choose one or more in order of preference of the following: # des, 3des, aes128, aes192, aes256 encr = {3des, des} # You can choose one or more in order of preference of the following: # hmac_md5, hmac_sha1 integ = {hmac_sha1, hmac_md5} # You can choose one or more in order of preference of the following: # md5, sha1 prf = {md5} # You can choose one or more in order of preference of the following: # 1, 2, 5, 14, 15, 16, 17, 18 dh = {2, 1} } # Seconds before retransmit a exchange request retransmition_time = 5 # Factor to increase retransmition_time after each retransmition retransmition_factor = 2 # Maximun number of exchange retransmition before consider peer is dead an to close IKE_SA max_retries = 10 # Lifetime of the IKE_SA rekey_time = 60 # Maximum time before force to the original authenticatin inititator to close the IKE_SA and start again the # initial exchanges (only used when acting as responder). 0 means no reauthentication. reauth_time = 600 # Use UNAME notification (foo test notification) use_uname = no # Authentication generator. You can choose "psk", "cert" or "btns" auth_generator = psk # Authentication verifiers. You can choose "psk", "cert" or "btns" or any combination of them. auth_verifiers = {psk, cert} # Path to the preshared key to be used with the "psk" auth generator my_preshared_key = "/etc/openikev2/key.txt" # Path to the peer preshared key to be used when "psk" is included in the auth_verifiers list. peer_preshared_key = "/etc/openikev2/key.txt" # List of certificates that can be used to authenticate us to be used with the "cert" auth generator. # A ".crt" is appended to obtain the real certificate filename and a ".key" is appended to obtain the real private key filename # Both must be stored in PEM format. # In addition, if you want to use HASH & URL certificates, it is needed to indicate the url where the certificate (in DER format) # is located. The certificate3 uses this feature. Don't forget enclose all the string with doble-quoted symbols (" ") to avoid # parsing failures with the dashes. # my_certificates = {certificate1, certificate2, "certificate3@http://server/cert.der"} # List of CA certificates for the certificates in "my_certificates" to be used with the "cert" auth generator. # A ".crt" is appended to obtain the real certificate filename. They must be stored in PEM format. # my_ca_certificates = {ca_certificate1, ca_certificate2} # Send CERT payload when needed to be used with the "cert" auth_generator send_cert_payload = yes # List of CA certificates to be used when "cert" is included in the auth_verifiers list # A ".crt" is appended to obtain the real certificate filename. They must be stored in PEM format. # peer_ca_certificates = {ca_certificate1, ca_certificate2} # List of the peer trusted certificates to be used when "cert" is included in the auth_verifiers list. # A ".crt" is appended to obtain the real certificate filename. It is also used to find the peer public key when he doesn't send any payload CERT # cert_white_list = {cert1, cert2} # List of the peer black listed certificates to be used when "cert" is included in the auth_verifiers list. # A ".crt" is appended to obtain the real certificate filename # cert_black_list = {cert3, cert4} # Indicates if we support to retrieve HASH & URL certificates (only HTTP urls) to be used when "cert" is included in the auth_verifiers list. hash_url_support = no # Send CERT_REQ payload when needed to be used when "cert" is included in the auth_verifiers list. send_cert_req_payload = yes # EAP client authenticators. You can choose "eap_md5" or "eap_tls" or any combination of them. eap_clients = {eap_md5, eap_tls} # EAP_MD5 password to be used with "eap_md5" method eap_md5_password = "changeme" # Client certificate to be used with "eap_tls" method eap_tls_client_cert = /home/alex/tmp/certificados/clt-cert.pem # Client private key to be used with "eap_tls" method eap_tls_private_key = /home/alex/tmp/certificados/clt-key.pem # Client private key password to be used with the "eap_tls" method eap_tls_private_key_password = "casa" # CA certificate to be used with "eap_tls" method eap_tls_ca_cert = /home/alex/tmp/certificados/ca-cert.pem # EAP server authenticator. You can choose "eap_md5" and "eap_radius" # eap_server = md5 # EAP MD5 user DB. To be used with "eap_md5" eap_server. It has two columns, the first contains # the user name (in RFC822 format) an the second contains the correspondent textual password # eap_md5_user_db = /etc/openikev2/eap_md5_user_db.txt # RADIUS server address to be used with "eap_radius" method radius_server = 172.0.0.1 # RADIUS server port to be used with the "eap_radius" method radius_port = 1812 # RADIUS server shared secret to be used with the "eap_radius" method radius_secret = testing123 } # These are the IPSEC_SA parameters when this peer section is applied ipsec{ # ESP proposal to be used (to be sent if initiator role or to be used in the selection process # if responder role). The ESP proposal must have, at least, an "encr" and "integ" transforms. # Optionally it can have an "pfs_dh" tranform, if PFS is desired and "use_esn" if ESN transform must be included esp_proposal{ encr = {3des, des} integ = {hmac_sha1} # pfs_dh = {2, 1} # use_esn = yes # you can use "omit" (default), "yes" and "no" for this option } # AH proposal to be used (to be sent if initiator role or to be used in the selection process # if responder role). The AH proposal must have, at least, an "integ" transform. # Optionally it can have an "pfs_dh" tranform, if PFS is desired ah_proposal{ integ = {hmac_sha1} } # This is the address configuration section for Roadwarrior scenarios. If ommited no Roadwarrior is allowed address_configuration{ # This is the server side address configuration section server{ # Method to obtain the remote address. You can choose one of the following # none = No addresss configuration # fixed = Get a random address with a prefix specified in this configuration file # dhcp = Get the address form a DHCP server (not implemented yet) method = none # Subnets to be protected by the server. You must specify at least one (or both) of the following: protected_ipv4_subnet = 192.168.1.0/24 protected_ipv6_subnet = 2005:100::/64 # When fixed method is applied, then you must specify at least one (or both) of the following: # Note that assigned address must not be inside of protected subnet fixed_ipv4_prefix = 192.168.2.0/24 fixed_ipv6_prefix = 2005:200::/64 # If DHCP is the chosen method, then you must set the following attributes: dhcp_interface = eth0 # In witch interface we want to look for a DHCP server. dhcp_server_ip = 192.168.1.1 # The DHCP server IP address. It is optional. # Used to check if the found DHCP server is the desired. # If it doesn't set, then no check is performed. dhcp_timeout = 3 # Timeout in seconds dhcp_retries = 3 # Number of retries to send a DHCP message } # This is the client side address configuration section client{ # Indicates if client wants to request an internal address request_configuration = no # If an IPv6 address is to be requested then a client could fix a suffix. The mask indicates the length of the suffix starting # from the end of the address request_ipv6_suffix = ::100/16 } } # The soft and hard lifetime of the IPSEC SA in seconds (default value = 0x0FFFFFFF) lifetime_soft = 500 lifetime_hard = 800 # The soft and hard lifetime of the IPSEC SA in bytes (default value = 0x0FFFFFFF) max_bytes_soft = 1000000 max_bytes_hard = 1200000 } } */