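#
# PGPnet - OpenBSD isakmpd configuration file with settings for
# x509 authentication.
#
# This is a configuration file that will get a PGPnet (a part of PGP
# version 6.5 and later) and OpenBSD to interoperate.
#
# You need to change the [my-ID] tag to match your gateway's FQDN and you
# need to create [asn1_dn/...] tags for your users in order to make this
# configuration work.
#
# Please mail me if you have any comments or bug-reports.
#
# Johan Allard
#

[Phase 1]
Default= ISAKMP-clients

# Passive connections are answered by the daemon but never initiated by it;
# the PGPnet clients are expected to start the negotiation.
[Phase 2]
Passive-Connections= IPsec-clients

# Phase 1 peer sections
#######################

[ISAKMP-clients]
Phase= 1
Transport= udp
Configuration= PGP-x509-main-mode
ID= my-ID

# Identity this gateway presents in phase 1. Replace Name with the
# gateway's own FQDN.
[my-ID]
ID-Type= FQDN
Name= picard.allard.nu

# One section per user. The section name is presumably the subject DN of
# that user's X.509 certificate, and the values below the addressing handed
# to that client - confirm against isakmpd.conf(5) for the daemon in use.
[asn1_dn//C=SE/L=Stockholm/O=Foo Inc/CN=Johan Allard]
Address= 10.0.1.10
Netmask= 255.255.255.0
Nameserver= 10.0.1.2
WINS-server= 10.0.1.2

# Phase 2 sections
##################

[IPsec-clients]
Phase= 2
Configuration= PGP-quick-mode
Local-ID= default-route
Remote-ID= dummy-remote

# Client ID sections
####################

# Local side of the tunnel is 0.0.0.0/0.0.0.0, i.e. every destination.
# Narrow Network/Netmask if clients should only reach specific subnets
# through this gateway.
[default-route]
ID-type= IPV4_ADDR_SUBNET
Network= 0.0.0.0
Netmask= 0.0.0.0

# Placeholder remote ID (0.0.0.0); presumably the real client address is
# taken from the negotiation - confirm.
[dummy-remote]
ID-type= IPV4_ADDR
Address= 0.0.0.0

# Transform descriptions
########################

# Some predefined section names are recognized by the daemon, voiding the
# need to fully specify the Main Mode transforms and Quick Mode suites,
# protocols and transforms.
#
# For Main Mode:
#   {DES,BLF,3DES,CAST}-{MD5,SHA}[-{DSS,RSA_SIG}]
#
# For Quick Mode:
#   QM-{ESP,AH}[-TRP]-{DES,3DES,CAST,BLF,AES}[-{MD5,SHA,RIPEMD}][-PFS]-SUITE

# -------------------------------------------------------------------------
# PGPnet note:
#
# The Transform values are the default values in PGPnet, if you change them
# you might have to change in all your clients as well.
# -------------------------------------------------------------------------
#
# NOTE: MD5, 3DES and the 1024-bit MODP group are legacy choices, kept here
# only because they match the PGPnet defaults. Where every client can be
# reconfigured, offer only the strongest transform and suite both sides
# support; none of the suites below carries the -PFS tag.

[PGP-x509-main-mode]
DOI= IPSEC
EXCHANGE_TYPE= ID_PROT
Transforms= CAST-SHA-RSA_SIG,3DES-MD5-RSA_SIG

[PGP-quick-mode]
DOI= IPSEC
EXCHANGE_TYPE= QUICK_MODE
Suites= QM-ESP-CAST-SHA-SUITE,QM-ESP-CAST-MD5-SUITE,QM-ESP-3DES-MD5-SUITE

# Main mode transforms
######################

[3DES-MD5-RSA_SIG]
ENCRYPTION_ALGORITHM= 3DES_CBC
HASH_ALGORITHM= MD5
AUTHENTICATION_METHOD= RSA_SIG
GROUP_DESCRIPTION= MODP_1024
Life= LIFE_1_DAY

# Section name matches the CAST-SHA-RSA_SIG entry in Transforms= of
# [PGP-x509-main-mode]. It was previously headed [CAST-SHA], which left the
# referenced name undefined in this file, so these values (MODP_1536,
# LIFE_1_DAY) were attached to a transform that nothing referenced.
[CAST-SHA-RSA_SIG]
ENCRYPTION_ALGORITHM= CAST_CBC
HASH_ALGORITHM= SHA
AUTHENTICATION_METHOD= RSA_SIG
GROUP_DESCRIPTION= MODP_1536
Life= LIFE_1_DAY

# Lifetimes
###########

# 86400 seconds (one day) is offered; the 79200:93600 pair is presumably the
# minimum:maximum lifetime accepted from the peer - confirm against
# isakmpd.conf(5).
[LIFE_1_DAY]
LIFE_TYPE= SECONDS
LIFE_DURATION= 86400,79200:93600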