110 lines
2.4 KiB
Text
110 lines
2.4 KiB
Text
# $Id: gdoi_ks.conf,v 1.5.2.1 2011/12/05 20:26:53 bew Exp $
|
|
# $Source: /nfs/cscbz/gdoi/gdoicvs/gdoi/samples/loopback/gdoi_ks.conf,v $
|
|
|
|
#
|
|
# A configuration sample for testing GDOI over loopback interfaces.
|
|
# This is the key server side.
|
|
#
|
|
|
|
[General]
|
|
Retransmits= 5
|
|
Exchange-max-time= 120
|
|
Listen-on= 127.0.0.2
|
|
|
|
# Incoming phase 1 negotiations are multiplexed on the source IP address
|
|
[Phase 1]
|
|
127.0.0.1= ISAKMP-peer-client
|
|
|
|
# These connections are walked over after config file parsing and told
|
|
# to the application layer so that it will inform us when traffic wants to
|
|
# pass over them. This means we can do on-demand keying.
|
|
[Phase 2]
|
|
Passive-Connections= Group-1234
|
|
|
|
[ISAKMP-peer-client]
|
|
Phase= 1
|
|
Transport= udp
|
|
Local-address= 127.0.0.2
|
|
Address= 127.0.0.1
|
|
Configuration= Default-main-mode
|
|
Authentication= mekmitasdigoat
|
|
|
|
[Group-1234]
|
|
Phase= 2
|
|
Configuration= Default-group-mode
|
|
ID-type= KEY_ID
|
|
Key-value= 1234
|
|
|
|
# Main mode descriptions
|
|
|
|
[Default-main-mode]
|
|
DOI= GROUP
|
|
EXCHANGE_TYPE= ID_PROT
|
|
Transforms= 3DES-SHA
|
|
|
|
# Group mode description
|
|
|
|
[Default-group-mode]
|
|
DOI= GROUP
|
|
EXCHANGE_TYPE= PULL_MODE
|
|
# Mark this as an IPsec group. TEKs can then be either ESP or AH.
|
|
Crypto-protocol= PROTO_IPSEC_ESP
|
|
|
|
SA-TEKS= GROUP1-TEK1
|
|
GROUP-POLICY= GROUP1-GP
|
|
|
|
[GROUP1-GP]
|
|
ATD= 60
|
|
DTD= 90
|
|
SID-SIZE= 16
|
|
|
|
# Src-ID and Dst-ID are the addresses for the IP ESP packet.
|
|
[GROUP1-TEK1]
|
|
Src-ID= Group-tek1-src
|
|
Dst-ID= Group-tek1-dst
|
|
TEK_Suite= GDOI-ESP-3DES-SHA-SUITE
|
|
|
|
[Group-tek1-src]
|
|
ID-type= IPV4_ADDR
|
|
Address= 172.19.137.42
|
|
Port= 1024
|
|
|
|
[Group-tek1-dst]
|
|
ID-type= IPV4_ADDR
|
|
Address= 239.192.1.1
|
|
Port= 1024
|
|
|
|
# Main mode transforms
|
|
|
|
[3DES-SHA]
|
|
ENCRYPTION_ALGORITHM= 3DES_CBC
|
|
HASH_ALGORITHM= SHA
|
|
AUTHENTICATION_METHOD= PRE_SHARED
|
|
GROUP_DESCRIPTION= MODP_1024
|
|
Life= LIFE_60_SECS
|
|
|
|
# Lifetimes
|
|
|
|
[LIFE_60_SECS]
|
|
LIFE_TYPE= SECONDS
|
|
LIFE_DURATION= 60,30:120
|
|
|
|
[LIFE_120_SECS]
|
|
LIFE_TYPE= SECONDS
|
|
LIFE_DURATION= 120,90:180
|
|
|
|
# GDOI description
|
|
|
|
[GDOI-ESP-3DES-SHA-SUITE]
|
|
PROTOCOL_ID= IPSEC_ESP
|
|
TRANSFORM_ID= 3DES
|
|
ENCAPSULATION_MODE= TUNNEL
|
|
AUTHENTICATION_ALGORITHM= HMAC_SHA
|
|
Life= LIFE_120_SECS
|
|
ADDRESS_PRESERVATION= DESTINATION_ONLY
|
|
SA_DIRECTION= RECEIVER_ONLY
|
|
|
|
# Certificates stored in PEM format
|
|
# NOTE: Directory name must have trailing "/"!
|
|
#[X509-certificates]
|
|
#CA-directory= /Some/Directory
|