• No results found

Layer 2 and Point-to-Point Tunneling ProtocolsProtocols

In document Openrg Configuration Guide (Page 159-175)

Network Connections

23.8 Point-to-Point Protocol (PPP)

23.8.6 Layer 2 and Point-to-Point Tunneling ProtocolsProtocols

dev/<name>/pptpc/remote_host

Description PPTP Server to which to connect.

Relevant to PPTPC

Type text[MAX_DOMAIN_NAME_LEN=256]

Default Value

dev/<name>/l2tpc/remote_host

Description L2TP Server to which to connect.

Relevant to L2TPC

Type text[MAX_DOMAIN_NAME_LEN=256]

Default Value

dev/<name>/l2tpc/shared_secret

Description Shared secret of L2TP connection and L2TP Server.

Relevant to L2TPC Type text[96]

Default Value

23.9 Internet Protocol Security (IPSec)

23.9.1 General

dev/<name>/ipsec/trans_type Description The IPSec transport type.

Relevant to IPSec Type one string of:

"tunneling" (IPSEC_TRANS_TUNNEL),

Network Connections

dev/<name>/ipsec/compressed

Description Indicates whether compression is enabled.

Relevant to IPSec Type boolean

Default Value False=0

dev/<name>/ipsec/is_netbios_route

Description Indicates whether Network Basic Input/Output System (NetBIOS) broadcast packets should be routed through this connection.

Relevant to IPSec Type boolean Default Value

dev/<name>/ipsec/is_any_rmt_addr

Description Indicates whether the IPSec template accepts any remote

address. Only valid if dev/<name>/type is either DEV_IF_IPSEC_TEMPL or DEV_IF_IPSEC_TEMPL_TRANSIENT.

Relevant to IPSec Type boolean Default Value

dev/<name>/ipsec/is_any_rmt_net

Description Indicates whether the IPSec template accept any remote network.

Only valid if dev/<name>/type is either DEV_IF_IPSEC_TEMPL or

DEV_IF_IPSEC_TEMPL_TRANSIENT and dev/<name>/ipsec/trans_type is IPSEC_TRANS_TUNNELING.

Relevant to IPSec Type boolean Default Value

Network Connections

dev/<name>/ipsec/kx_type

Description The method used for exchanging keys.

Relevant to IPSec Type one string of:

"automatic" (IPSEC_KX_AUTO),

"manual" (IPSEC_KX_MANUAL) Default Value

dev/<name>/ipsec/underlying_device

Description WAN device name to be used by IPSec connection.

Relevant to IPSec Type text[IFNAMSIZ]

Default Value

23.9.2 Remote

dev/<name>/ipsec/remote/addr

Description Host name or IP address of the remote computer.

Relevant to IPSec

Type text[MAX_DOMAIN_NAME_LEN=256]

Default Value

dev/<name>/ipsec/remote/bcast_addr

Description Broadcast IP address of the remote subnet.

Relevant to IPSec Type ip

Default Value

Network Connections

dev/<name>/ipsec/remote/range_type Description Type of the remote range.

Relevant to IPSec Type one string of:

"subnet" (RANGE_SEL_SUBNET),

"single" (RANGE_SEL_SINGLE),

"range" (RANGE_SEL_RANGE),

"any" (RANGE_SEL_ANY),

"none" (RANGE_SEL_NONE) Default Value "subnet"

dev/<name>/ipsec/remote/network

Description LAN definition of the remote computer.

Relevant to IPSec Type ip

Default Value 0.0.0.0

dev/<name>/ipsec/remote/netmask

Description LAN netmask definition of the remote computer.

Relevant to IPSec Type ip

Default Value 0.0.0.0

dev/<name>/ipsec/remote/range_start

Description The start of the LAN IP range of the remote computer when the local range type is RANGE_SEL_RANGE.

Relevant to IPSec Type ip

Default Value

Network Connections

dev/<name>/ipsec/remote/range_end

Description The end of the LAN IP range of the remote computer when the local range type is RANGE_SEL_RANGE.

Relevant to IPSec Type ip

Default Value

23.9.3 Local

dev/<name>/ipsec/local/range_type Description Type of the local range.

Relevant to IPSec Type one string of:

"subnet" (RANGE_SEL_SUBNET),

"single" (RANGE_SEL_SINGLE),

"range" (RANGE_SEL_RANGE),

"any" (RANGE_SEL_ANY),

"none" (RANGE_SEL_NONE) Default Value "subnet"

dev/<name>/ipsec/local/network

Description LAN definition of the local computer.

Relevant to IPSec Type ip

Default Value

dev/<name>/ipsec/local/netmask

Description LAN netmask definition of the local computer.

Relevant to IPSec Type ip

Default Value

Network Connections

dev/<name>/ipsec/local/range_start

Description The start of the LAN IP range of the local computer when the local range type is RANGE_SEL_RANGE.

Relevant to IPSec Type ip

Default Value

dev/<name>/ipsec/local/range_end

Description The end of the LAN IP range of the local computer when the local range type is RANGE_SEL_RANGE.

Relevant to IPSec Type ip

Default Value

23.9.4 Protect

dev/<name>/ipsec/protect/protocol Description Protocol to protect.

Relevant to IPSec Type one string of:

"all" (IPSEC_PROTECT_PROTO_ALL),

"icmp" (IPSEC_PROTECT_PROTO_ICMP),

"tcp" (IPSEC_PROTECT_PROTO_TCP),

"udp" (IPSEC_PROTECT_PROTO_UDP),

"gre" (IPSEC_PROTECT_PROTO_GRE) Default Value "all"

dev/<name>/ipsec/protect/source/port_type Description Type of source port protection.

Relevant to IPSec

Network Connections

dev/<name>/ipsec/protect/source/port Description Number of source port to protect.

Relevant to IPSec Type integer Default Value

dev/<name>/ipsec/protect/destination/port_type Description Type of destination port protection.

Relevant to IPSec Type one string of:

"all" (IPSEC_PROTECT_PORT_ALL),

"single" (IPSEC_PROTECT_PORT_SINGLE) Default Value "all"

dev/<name>/ipsec/protect/destination/port Description Number of destination port to protect.

Relevant to IPSec Type integer Default Value

23.9.5 Manual

dev/<name>/ipsec/manual/spi/local

Description Local Security Parameter Index (SPI) number for a manual connection, between 0x100 and 0xFFFF_FFFF.

Relevant to IPSec Type unsigned integer Default Value

Network Connections

dev/<name>/ipsec/manual/spi/remote

Description Remote SPI number for a manual connection, between 0x100 and 0xFFFF_FFFF.

Relevant to IPSec Type unsigned integer Default Value

dev/<name>/ipsec/manual/proto_type

Description The method used for exchanging keys.

Relevant to IPSec Type one string of:

"ah" (IPSEC_PROTO_AH),

"esp" (IPSEC_PROTO_ESP) Default Value

dev/<name>/ipsec/manual/different_keys

Description Indicates whether different remote and local keys are enabled.

Relevant to IPSec Type boolean

Default Value False=0

dev/<name>/ipsec/manual/esp/encrypt/type

Description Encapsulated Security Payload (ESP) encryption to use for a manual connection.

Relevant to IPSec Type one string of:

"null" (IPSEC_ENC_NULL),

"des" (IPSEC_ENC_DES),

"3des" (IPSEC_ENC_3DES),

"aes128" (IPSEC_ENC_AES128),

"aes192" (IPSEC_ENC_AES192),

"aes256" (IPSEC_ENC_AES256)

Network Connections

dev/<name>/ipsec/manual/esp/encrypt/local/key

Description Local key for ESP encryption algorithm for a manual connection.

Relevant to IPSec

Type DES -- text[17], 2 groups of 8 hexadecimal digits connected with '_' (64 bits) 3DES -- text[53], 6 groups of 8 hexadecimal digits connected with '_' (192 bits) Default Value

dev/<name>/ipsec/manual/esp/encrypt/remote/key

Description Remote key for ESP encryption algorithm for manual connections. If ipsec/

manual/different_keys is false, then the remote key is the same as the local key.

Relevant to IPSec

Type DES -- text[17], 2 groups of 8 hexadecimal digits connected with '_' (64 bits) 3DES -- text[53], 6 groups of 8 hexadecimal digits connected with '_' (192 bits) Default Value

dev/<name>/ipsec/manual/[esp|ah]/hash/type

Description ESP or Authentication Header (AH) authentication to use for manual connections.

Relevant to IPSec Type one string of:

"sha1" (IPSEC_AUTH_SHA1),

"md5" (IPSEC_AUTH_MD5) Default Value "sha1"

dev/<name>/ipsec/manual/[esp|ah]/hash/local/key

Description Local key for ESP or AH authentication algorithm.

Relevant to IPSec

Type SHA1 -- text[35], 4 groups of 8 hexadecimal digits connected with '_' (128 bits) MD5 -- text[44], 5 groups of 8 hexadecimal digits connected with '_' (160 bits).

Default Value

Network Connections

dev/<name>/ipsec/manual/[esp|ah]/hash/remote/key

Description Remote key for ESP or AH authentication algorithm. If ipsec/manual/

different_keys is false, then the remote key is the same as the local key.

Relevant to IPSec

Type SHA1 -- text[35], 4 groups of 8 hexadecimal digits connected with '_' (128 bits) MD5 -- text[44], 5 groups of 8 hexadecimal digits connected with '_' (160 bits).

Default Value

23.9.6 Automatic

dev/<name>/ipsec/auto/negotiate_attempts

Description Number of attempts when negotiating automatic connections.

Relevant to IPSec Type integer Default Value 3

dev/<name>/ipsec/auto/rekey_margin

Description The number of seconds before connection expiry should attempts to negotiate a replacement begin.

Relevant to IPSec Type integer Default Value 540

dev/<name>/ipsec/auto/rekey_fuzz

Description The maximum percentage by which Rekey Margin should be randomly increased to randomize re-keying intervals.

Relevant to IPSec Type integer (percents) Default Value 100

Network Connections

dev/<name>/ipsec/auto/no_auto_reconnect

Description Indicates whether to prevent establishing a new connection when a peer disconnects.

Relevant to IPSec Type boolean

Default Value False=0

23.9.7 Phase 1

dev/<name>/ipsec/auto/phase1/mode

Description Type of negotiation in phase1, either main or aggressive.

Relevant to IPSec Type one string of:

"main" (IPSEC_MAIN_MODE),

"aggressive" (IPSEC_AGGRESSIVE_MODE) Default Value "main"

dev/<name>/ipsec/auto/phase1/lifetime

Description Lifetime in seconds of the negotiated session.

Relevant to IPSec Type unsigned integer Default Value 3600

23.9.7.1 Authentication

dev/<name>/ipsec/auto/phase1/auth/type Description Type of authentication in phase 1.

Relevant to IPSec Type one string of:

"shared" (IPSEC_AUTH_TYPE_SHARED),

"rsa" (IPSEC_AUTH_TYPE_RSA),

Network Connections

dev/<name>/ipsec/auto/phase1/auth/shared_secret

Description The shared secret to be used in phase 1 of Internet Key Exchange (IKE).

Relevant to IPSec

Type text[MAX_PPP_PASSWORD_LEN=30]

Default Value

dev/<name>/ipsec/auto/phase1/auth/rsa/public Description RSA key of remote side.

Relevant to IPSec Type binary Default Value

dev/<name>/ipsec/auto/phase1/auth/cert

Description OpenRG's certificate name, as specified in cert/%/name (see entry cert/%/

name on page 19).

Relevant to IPSec

Type text[MAX_X509_NAME_LEN=64]

Default Value

dev/<name>/ipsec/auto/phase1/auth/peer_id

Description Peer ID when IPSec authentication type is "certificate".

Relevant to IPSec

Type text[MAX_CERT_SUBJECT_LEN=255]

Default Value

dev/<name>/ipsec/auto/phase1/auth/local_id

Description Local ID when IPSec authentication type is "certificate".

Relevant to IPSec

Type text[MAX_CERT_SUBJECT_LEN=255]

Network Connections

23.9.7.2 Aggressive

dev/<name>/ipsec/auto/phase1/aggressive/hash

Description Specifies which hash algorithm is used in aggressive mode.

Relevant to IPSec Type one string of:

"sha1" (IPSEC_AUTH_SHA1),

"md5" (IPSEC_AUTH_MD5) Default Value "sha1"

dev/<name>/ipsec/auto/phase1/aggressive/encrypt

Description Specifies which encryption is used in aggressive mode.

Relevant to IPSec Type one string of:

"null" (IPSEC_ENC_NULL),

"des" (IPSEC_ENC_DES),

"3des" (IPSEC_ENC_3DES),

"aes128" (IPSEC_ENC_AES128),

"aes192" (IPSEC_ENC_AES192),

"aes256" (IPSEC_ENC_AES256) Default Value IPSEC_ENC_3DES=0x4

dev/<name>/ipsec/auto/phase1/aggressive/dh_group

Description Specifies which DH group is used in aggressive mode.

Relevant to IPSec Type one string of:

"1" (IPSEC_DH_GROUP1),

"2" (IPSEC_DH_GROUP2),

"5" (IPSEC_DH_GROUP5) Default Value "2"

Network Connections

23.9.7.3 Main

dev/<name>/ipsec/auto/phase1/main/hash/md5

Description Specifies whether MD5 is used in main mode.

Relevant to IPSec Type boolean

Default Value True=1

dev/<name>/ipsec/auto/phase1/main/hash/sha1

Description Specifies whether SHA1 is used in main mode.

Relevant to IPSec Type boolean

Default Value True=1

dev/<name>/ipsec/auto/phase1/main/encrypt/des Description Specifies whether DES is used in main mode.

Relevant to IPSec Type boolean

Default Value False=0

dev/<name>/ipsec/auto/phase1/main/encrypt/3des Description Specifies whether 3DES is used in main mode.

Relevant to IPSec Type boolean

Default Value True=1

dev/<name>/ipsec/auto/phase1/main/dh_group/grp1

Description Specifies whether Diffie-Hellman (DH) group 1 is used in main mode.

Relevant to IPSec

Network Connections

dev/<name>/ipsec/auto/phase1/main/dh_group/grp2

Description Specifies whether Diffie-Hellman (DH) group 2 is used in main mode.

Relevant to IPSec Type boolean

Default Value True=1

dev/<name>/ipsec/auto/phase1/main/dh_group/grp5

Description Specifies whether Diffie-Hellman (DH) group 5 is used in main mode.

Relevant to IPSec Type boolean

Default Value True=1

23.9.8 Phase 2

dev/<name>/ipsec/auto/phase2/lifetime

Description Lifetime in seconds of the negotiated session.

Relevant to IPSec

Type unsigned integer (seconds) Default Value 28000

dev/<name>/ipsec/auto/phase2/use_pfs

Description Indicates whether Perfect Forwarding Secrecy (PFS) should be used.

Relevant to IPSec Type boolean

Default Value True=1

Network Connections

dev/<name>/ipsec/auto/phase2/dh_group

Description Specifies which DH group is used in phase 2.

Relevant to IPSec Type one string of:

"same_as_phase1" (IPSEC_DH_GROUP_SAME_AS_PHASE1),

"1" (IPSEC_DH_GROUP1),

"2" (IPSEC_DH_GROUP2),

"5" (IPSEC_DH_GROUP5) Default Value "same_as_phase1"

23.9.8.1 Hash

dev/<name>/ipsec/auto/phase2/hash/md5

Description Specifies whether MD5 is used in phase2.

Relevant to IPSec Type boolean

Default Value True=1

dev/<name>/ipsec/auto/phase2/hash/sha1

Description Specifies whether SHA1 is used in phase2.

Relevant to IPSec Type boolean

Default Value True=1

23.9.8.2 ESP

dev/<name>/ipsec/auto/phase2/esp/hash/md5

Description Specifies whether MD5 is used in phase2 ESP protocol.

Relevant to IPSec

Network Connections

dev/<name>/ipsec/auto/phase2/esp/hash/sha1

Description Specifies whether SHA1 is used in phase2 ESP protocol.

Relevant to IPSec Type boolean

Default Value True=1

dev/<name>/ipsec/auto/phase2/esp/encrypt/null

Description Specifies whether null ESP is used in phase2.

Relevant to IPSec Type boolean

Default Value False=0

dev/<name>/ipsec/auto/phase2/esp/encrypt/des

Description Specifies whether DES ESP is used in phase2.

Relevant to IPSec Type boolean

Default Value False=0

dev/<name>/ipsec/auto/phase2/esp/encrypt/3des

Description Specifies whether use 3DES ESP is used in phase2.

Relevant to IPSec Type boolean

Default Value True=1

In document Openrg Configuration Guide (Page 159-175)

Related documents