# $Id: gdoi_ks.conf,v 1.5.2.1 2011/12/05 20:26:53 bew Exp $
# $Source: /nfs/cscbz/gdoi/gdoicvs/gdoi/samples/loopback/gdoi_ks.conf,v $

# 
# A configuration sample for testing GDOI over loopback interfaces.
# This is the key server side.
#

[General]
Retransmits=		5
Exchange-max-time=	120
Listen-on=		127.0.0.2

# Incoming phase 1 negotiations are multiplexed on the source IP address
[Phase 1]
127.0.0.1=		ISAKMP-peer-client

# These connections are walked over after config file parsing and told
# to the application layer so that it will inform us when traffic wants to
# pass over them.  This means we can do on-demand keying.
[Phase 2]
Passive-Connections=		Group-1234

[ISAKMP-peer-client]
Phase=			1
Transport=		udp
Local-address=		127.0.0.2
Address=		127.0.0.1
Configuration=		Default-main-mode
Authentication=		mekmitasdigoat

[Group-1234]
Phase=			2
Configuration=		Default-group-mode
ID-type=		KEY_ID
Key-value=		1234

# Main mode descriptions

[Default-main-mode]
DOI=			GROUP
EXCHANGE_TYPE=		ID_PROT
Transforms=		3DES-SHA

# Group mode description

[Default-group-mode]
DOI=			GROUP
EXCHANGE_TYPE=		PULL_MODE
# Mark this as an IPsec group. TEKs can then be either ESP or AH.
Crypto-protocol=	PROTO_IPSEC_ESP

SA-TEKS=		GROUP1-TEK1
GROUP-POLICY=		GROUP1-GP

[GROUP1-GP]
ATD=			60
DTD=			90
SID-SIZE=		16

# Src-ID and Dst-ID are the addresses for the IP ESP packet.
[GROUP1-TEK1]
Src-ID=               	Group-tek1-src
Dst-ID=              	Group-tek1-dst
TEK_Suite=		GDOI-ESP-3DES-SHA-SUITE

[Group-tek1-src]
ID-type=                IPV4_ADDR
Address=                172.19.137.42
Port=			1024

[Group-tek1-dst]
ID-type=                IPV4_ADDR
Address=                239.192.1.1
Port=			1024

# Main mode transforms

[3DES-SHA]
ENCRYPTION_ALGORITHM=	3DES_CBC
HASH_ALGORITHM=		SHA
AUTHENTICATION_METHOD=	PRE_SHARED
GROUP_DESCRIPTION=	MODP_1024
Life=			LIFE_60_SECS

# Lifetimes

[LIFE_60_SECS]
LIFE_TYPE=		SECONDS
LIFE_DURATION=		60,30:120

[LIFE_120_SECS]
LIFE_TYPE=		SECONDS
LIFE_DURATION=		120,90:180

# GDOI description

[GDOI-ESP-3DES-SHA-SUITE]
PROTOCOL_ID=            IPSEC_ESP
TRANSFORM_ID=		3DES
ENCAPSULATION_MODE=	TUNNEL
AUTHENTICATION_ALGORITHM=	HMAC_SHA
Life=			LIFE_120_SECS
ADDRESS_PRESERVATION=	DESTINATION_ONLY
SA_DIRECTION=		RECEIVER_ONLY

# Certificates stored in PEM format
# NOTE: Directory name must have trailing "/"!
#[X509-certificates]
#CA-directory=           /Some/Directory