-.\" $OpenBSD: iked.conf.5,v 1.84 2021/02/13 16:14:12 tobhe Exp $
+.\" $OpenBSD: iked.conf.5,v 1.85 2021/04/11 23:27:06 tobhe Exp $
.\"
.\" Copyright (c) 2010 - 2014 Reyk Floeter <reyk@openbsd.org>
.\" Copyright (c) 2004 Mathieu Sauve-Frankel All rights reserved.
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
-.Dd $Mdocdate: February 13 2021 $
+.Dd $Mdocdate: April 11 2021 $
.Dt IKED.CONF 5
.Os
.Sh NAME
automatically removed.
.Pp
The commands are as follows:
-.Bl -tag -width xxxx
+.Bl -tag -width xxxx -compact
.It Xo
.Ic ikev2
.Op Ar name
or any included files.
If omitted,
a name will be generated automatically for the policy.
+.Pp
.It Op Ar eval
The
.Ar eval
The
.Ar default
option sets the default policy and should only be specified once.
+.Pp
.It Op Ar mode
.Ar mode
specifies the IKEv2 mode to use:
If omitted,
.Ar passive
mode will be used.
+.Pp
.It Op Ar ipcomp
The keyword
.Ar ipcomp
IPcomp must be enabled in the kernel:
.Pp
.Dl # sysctl net.inet.ipcomp.enable=1
+.Pp
.It Op Ar tmode
.Ar tmode
describes the encapsulation mode to be used.
.Ar transport ;
the default is
.Ar tunnel .
+.Pp
.It Op Ar encap
.Ar encap
specifies the encapsulation protocol to be used.
.Ar ah ;
the default is
.Ar esp .
+.Pp
.It Op Ar af
This policy only applies to endpoints of the specified address family
which can be either
Note that this only matters for IKEv2 endpoints and does not
restrict the traffic selectors to negotiate flows with different
address families, e.g. IPv6 flows negotiated by IPv4 endpoints.
+.Pp
.It Ic proto Ar protocol
The optional
.Ic proto
.Xr iked 8 ,
see the file
.Pa /etc/protocols .
+.Pp
.It Ic rdomain Ar number
Specify a different routing domain for unencrypted traffic.
The resulting IPsec SAs will match outgoing packets in the specified
traffic is moved to
.Ic rdomain Ar number
after decryption.
+.Pp
.It Xo
.Ic from Ar src
.Op Ic port Ar sport
.Xr ipsecctl 8 ,
see the file
.Pa /etc/services .
+.Pp
.It Ic local Ar localip Ic peer Ar remote
The
.Ic local
If it is not specified or if the keyword
.Ar any
is given, the default peer is used.
+.Pp
.It Xo
.Ic ikesa
.Ic auth Ar algorithm
.Ic group
can be used multiple times within a single proposal to configure
multiple crypto transforms.
+.Pp
.It Xo
.Ic childsa
.Ic auth Ar algorithm
.Ic group
can be used multiple times within a single proposal to configure
multiple crypto transforms.
+.Pp
.It Ic srcid Ar string Ic dstid Ar string
.Ic srcid
defines an ID of type
.Ic srcid ,
but instead specifies the ID to be used
by the remote peer.
+.Pp
.It Ic ikelifetime Ar time
The optional
.Ic ikelifetime
The accepted format of the
.Ar time
specification is described below.
+.Pp
.It Ic lifetime Ar time Op Ic bytes Ar bytes
The optional
.Ic lifetime
.Pp
Please note that rekeying must happen at least several times a day as
IPsec security heavily depends on frequent key renewals.
+.Pp
.It Op Ar ikeauth
Specify a method to be used to authenticate the remote peer.
.Xr iked 8
.El
.Pp
The default is to allow any signature authentication.
-.It Ic config Ar option address
-Send one or more optional configuration payloads (CP) to the peer.
+.Pp
+.It Cm config Ar option address
+.It Cm request Ar option address
+Request or serve one or more optional configuration payloads (CP).
The configuration
.Ar option
can be one of the following with the expected address format:
.It Ic access-server Ar address
The address of an internal remote access server.
.El
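Review bot: the new shared description for the two `.It` lines ("Request or serve one or more optional configuration payloads (CP).") no longer says which keyword does which; the removed text made it explicit that `config` sends the payload to the peer. Suggest keeping that mapping in the prose, e.g. "`config` serves the payload to the peer, while `request` asks the peer for it", so a reader of the rendered page is not left to infer it. Also note the macro switch from `.Ic` to `.Cm` for these two keywords while every other keyword in the same list (`.Ic proto`, `.Ic rdomain`, `.Ic iface`, `.Ic tag`, `.Ic tap`) stays `.Ic`; either is valid mdoc, but mixing them within one list renders inconsistently, so pick one for the whole `.Bl`.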
+.Pp
.It Ic iface Ar interface
Configure requested addresses and routes on the specified
.Ar interface .
+.Pp
.It Ic tag Ar string
Add a
.Xr pf 4
.Ar tag
directive occurs only at runtime (not when the file is parsed)
and must be quoted, or it will be interpreted as a macro.
+.Pp
.It Ic tap Ar interface
Send the decapsulated IPsec traffic to the specified
.Xr enc 4
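Review bot: adding `-compact` to the top-level `.Bl -tag` and then hand-inserting `.Pp` before each `.It` is the right way to let `.It Cm config` and `.It Cm request` share one description without a blank line between them, but it makes the spacing depend on every later item remembering its `.Pp`. Worth double-checking the items not visible in this diff (and any nested `.Bl` such as the one holding `.It Ic access-server`) so that no top-level item silently loses its leading blank line; the first item (`.It Xo` / `.Ic ikev2`) correctly has none. A one-line comment after the `.Bl` noting the convention would help future edits to this list.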