stv0g/gdoid
1
0
Fork 0
Code Issues Pull requests Releases Wiki Activity
gdoid/samples/three-clients/gdoi_ks.conf

194 lines
4.1 KiB
Text
Raw Blame History

# $Id: gdoi_ks.conf,v 1.6 2011/01/25 00:15:50 bew Exp $
# $Source: /nfs/cscbz/gdoi/gdoicvs/gdoi/samples/three-clients/gdoi_ks.conf,v $
#
# A configuration sample for testing GDOI between systems passing IPSec policy.
# This is an example of the key server.
#
[General]
Retransmits= 5
Exchange-max-time= 120
Listen-on= 10.0.224.44
# Incoming phase 1 negotiations are multiplexed on the source IP address
[Phase 1]
10.0.224.37= GDOI-group-member-1
10.0.224.40= GDOI-group-member-2
10.0.224.41= GDOI-group-member-3
# These connections are walked over after config file parsing and told
# to the application layer so that it will inform us when traffic wants to
# pass over them. Since this is the key server, it will wait for the group
# members to register usig these connections.
[Phase 2]
Passive-Connections= IPsec-group-policy
[GDOI-group-member-1]
Phase= 1
Transport= udp
Local-address= 10.0.224.44
Address= 10.0.224.37
Port= 848
Configuration= Default-main-mode
Authentication= mekmitasdigoat
[GDOI-group-member-2]
Phase= 1
Transport= udp
Local-address= 10.0.224.44
Address= 10.0.224.40
Port= 848
Configuration= Default-main-mode
Authentication= mekmitasdigoat
[GDOI-group-member-3]
Phase= 1
Transport= udp
Local-address= 10.0.224.44
Address= 10.0.224.41
Port= 848
Configuration= Default-main-mode
Authentication= mekmitasdigoat
[IPsec-group-policy]
Phase= 2
ISAKMP-peer= GDOI-group-member
Configuration= Default-group-mode
Group-ID= Group-1
[Group-1]
ID-type= KEY_ID
Key-value= 1234
# Main mode descriptions
[Default-main-mode]
DOI= GROUP
EXCHANGE_TYPE= ID_PROT
Transforms= 3DES-SHA
# Main mode transforms
# DES
[DES-MD5]
ENCRYPTION_ALGORITHM= DES_CBC
HASH_ALGORITHM= MD5
AUTHENTICATION_METHOD= PRE_SHARED
GROUP_DESCRIPTION= MODP_768
Life= LIFE_600_SECS
[DES-SHA]
ENCRYPTION_ALGORITHM= DES_CBC
HASH_ALGORITHM= SHA
AUTHENTICATION_METHOD= PRE_SHARED
GROUP_DESCRIPTION= MODP_768
Life= LIFE_600_SECS
# 3DES
[3DES-SHA]
ENCRYPTION_ALGORITHM= 3DES_CBC
HASH_ALGORITHM= SHA
AUTHENTICATION_METHOD= PRE_SHARED
GROUP_DESCRIPTION= MODP_1024
Life= LIFE_60_SECS
# Lifetimes
[LIFE_60_SECS]
LIFE_TYPE= SECONDS
LIFE_DURATION= 60,45:72
[LIFE_600_SECS]
LIFE_TYPE= SECONDS
LIFE_DURATION= 600,450:720
[LIFE_3600_SECS]
LIFE_TYPE= SECONDS
LIFE_DURATION= 3600,1800:7200
# GDOI description
# 3DES
[GDOI-ESP-TRANSFORM-3DES-SHA]
TRANSFORM_ID= 3DES
ENCAPSULATION_MODE= TRANSPORT
AUTHENTICATION_ALGORITHM= HMAC_SHA
Life= LIFE_60_SECS
# Group mode description
########################
[Default-group-mode]
DOI= GROUP
EXCHANGE_TYPE= PULL_MODE
SA-KEK= GROUP1-KEK
SA-TEKS= GROUP1-TEK1,GROUP1-TEK2
[GROUP1-KEK]
Src-ID= Group-kek-src
Dst-ID= Group-kek-dst
ENCRYPTION_ALGORITHM= 3DES
SIG_HASH_ALGORITHM= SHA
SIG_ALGORITHM= RSA
RSA-Keypair= /usr/local/gdoid/rsakeys.der
REKEY_PERIOD= 30
[Group-kek-src]
ID-type= IPV4_ADDR
Address= 10.0.224.44
Port= 848
[Group-kek-dst]
ID-type= IPV4_ADDR
Address= 239.10.1.1
Port= 848
# Src-ID and Dst-ID are the addresses for the IP ESP packet.
[GROUP1-TEK1]
Crypto-protocol= PROTO_IPSEC_ESP
Src-ID= Group-tek1-src
Dst-ID= Group-tek1-dst
TEK_Suite= GDOI-ESP-3DES-SHA-SUITE
[Group-tek1-src]
ID-type= IPV4_ADDR
Address= 10.0.224.37
Port= 0
[Group-tek1-dst]
ID-type= IPV4_ADDR
Address= 239.1.1.1
Port= 0
# Src-ID and Dst-ID are the addresses for the IP ESP packet.
[GROUP1-TEK2]
Src-ID= Group-tek2-src
Dst-ID= Group-tek2-dst
TEK_Suite= GDOI-ESP-3DES-SHA-SUITE
[Group-tek2-src]
ID-type= IPV4_ADDR
Address= 10.0.224.40
Port= 0
[Group-tek2-dst]
ID-type= IPV4_ADDR
Address= 239.1.1.2
Port= 0
[GDOI-ESP-3DES-SHA-SUITE]
Protocols= GDOI-ESP-3DES-SHA
[GDOI-ESP-3DES-SHA]
PROTOCOL_ID= IPSEC_ESP
Transforms= GDOI-ESP-TRANSFORM-3DES-SHA
# Certificates stored in PEM format
[X509-certificates]
CA-directory= /etc/gdoid/ca/
Cert-directory= /etc/gdoid/certs/
Private-key= /etc/gdoid/private/local.key
Reference in a new issue View git blame Copy permalink