hello wim,

thanks for your intervention.

the problem is that all WRAP boards worked very well.

now I have installed a pcengines ALIX board (same chipset and design as
soekris) with OpenBSD 4.3. everything is working fine just up to the point of
configuring isakmpd. to eliminate configuration failures I took the
isakmpd.conf and the few necessary files from an IPSec-working WRAP system and
copied them to the new ALIX with the VIA chipset.

this configuration now does not establish a tunnel, so I traced the IKE
traffic and discovered a difference in the IKE communication which is probably
responsible for the failure: phase II of IKE does not complete and
therefore no IPSec security association is generated.

greetings from austria
 arno hechenberger
 citydata



trace: new ALIX machine with vr interfaces

No.     Time        Source                Destination           Protocol Info
      1 0.000000    194.208.37.21         194.208.33.217        ISAKMP   Identity Protection (Main Mode)
      2 0.058193    194.208.33.217        194.208.37.21         ISAKMP   Identity Protection (Main Mode)
      3 0.150492    194.208.37.21         194.208.33.217        ISAKMP   Identity Protection (Main Mode)
      4 0.208460    194.208.33.217        194.208.37.21         ISAKMP   Identity Protection (Main Mode)
      5 0.304038    194.208.37.21         194.208.33.217        ISAKMP   Identity Protection (Main Mode)
      6 0.358672    194.208.33.217        194.208.37.21         ISAKMP   Identity Protection (Main Mode)
      7 0.437001    194.208.37.21         194.208.33.217        ISAKMP   Quick Mode
      8 0.469804    194.208.33.217        194.208.37.21         ISAKMP   Identity Protection (Main Mode)
      9 0.483476    194.208.33.217        194.208.37.21         ISAKMP   Quick Mode
     10 0.494387    194.208.37.21         194.208.33.217        ISAKMP   Quick Mode




trace: old WRAP machine with sis interfaces

No.     Time        Source                Destination           Protocol Info
      1 0.000000    194.208.37.21         194.208.33.217        ISAKMP   Identity Protection (Main Mode)
      2 0.055112    194.208.33.217        194.208.37.21         ISAKMP   Identity Protection (Main Mode)
      3 0.089738    194.208.37.21         194.208.33.217        ISAKMP   Identity Protection (Main Mode)
      4 0.135278    194.208.33.217        194.208.37.21         ISAKMP   Identity Protection (Main Mode)
      5 0.147892    194.208.37.21         194.208.33.217        ISAKMP   Identity Protection (Main Mode)
      6 0.199866    194.208.33.217        194.208.37.21         ISAKMP   Identity Protection (Main Mode)
      7 0.211054    194.208.37.21         194.208.33.217        ISAKMP   Quick Mode
      8 0.285228    194.208.33.217        194.208.37.21         ISAKMP   Quick Mode
      9 0.286238    194.208.37.21         194.208.33.217        ISAKMP   Quick Mode
     10 26.826381   194.208.37.21         194.208.33.217        ESP      ESP (SPI=0xfb95abfa)
     11 26.906322   194.208.33.217        194.208.37.21         ESP      ESP (SPI=0x0f34b701)
     12 27.836780   194.208.37.21         194.208.33.217        ESP      ESP (SPI=0xfb95abfa)
     13 27.876157   194.208.33.217        194.208.37.21         ESP      ESP (SPI=0x0f34b701)
     14 28.840978   194.208.37.21         194.208.33.217        ESP      ESP (SPI=0xfb95abfa)
     15 28.886188   194.208.33.217        194.208.37.21         ESP      ESP (SPI=0x0f34b701)
     16 29.857408   194.208.37.21         194.208.33.217        ESP      ESP (SPI=0xfb95abfa)
     17 29.901540   194.208.33.217        194.208.37.21         ESP      ESP (SPI=0x0f34b701)









dmesg:

OpenBSD 4.3 (GENERIC) #698: Wed Mar 12 11:07:05 MDT 2008
    [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
RTC BIOS diagnostic error 80<clock_battery>
cpu0: Geode(TM) Integrated Processor by AMD PCS ("AuthenticAMD" 586-class) 432 MHz
cpu0: FPU,DE,PSE,TSC,MSR,CX8,SEP,PGE,CMOV,CFLUSH,MMX
real mem  = 133791744 (127MB)
avail mem = 121331712 (115MB)
RTC BIOS diagnostic error 80<clock_battery>
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 12/10/07, BIOS32 rev. 0 @ 0xfceb2
pcibios0 at bios0: rev 2.1 @ 0xf0000/0x10000
pcibios0: pcibios_get_intr_routing - function not supported
pcibios0: PCI IRQ Routing information unavailable.
pcibios0: PCI bus #0 is the last bus
bios0: ROM list: 0xe0000/0xa800
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (bios)
pchb0 at pci0 dev 1 function 0 "AMD Geode LX" rev 0x33
glxsb0 at pci0 dev 1 function 2 "AMD Geode LX Crypto" rev 0x00: RNG AES
vr0 at pci0 dev 9 function 0 "VIA VT6105M RhineIII" rev 0x96: irq 10, address 00:0d:b9:14:09:a0
ukphy0 at vr0 phy 1: Generic IEEE 802.3u media interface, rev. 3: OUI 0x004063, model 0x0034
vr1 at pci0 dev 10 function 0 "VIA VT6105M RhineIII" rev 0x96: irq 11, address 00:0d:b9:14:09:a1
ukphy1 at vr1 phy 1: Generic IEEE 802.3u media interface, rev. 3: OUI 0x004063, model 0x0034
vr2 at pci0 dev 11 function 0 "VIA VT6105M RhineIII" rev 0x96: irq 12, address 00:0d:b9:14:09:a2
ukphy2 at vr2 phy 1: Generic IEEE 802.3u media interface, rev. 3: OUI 0x004063, model 0x0034
glxpcib0 at pci0 dev 15 function 0 "AMD CS5536 ISA" rev 0x03: rev 0, 32-bit 3579545Hz timer, watchdog, gpio
gpio0 at glxpcib0: 32 pins
pciide0 at pci0 dev 15 function 2 "AMD CS5536 IDE" rev 0x01: DMA, channel 0 wired to compatibility, channel 1 wired to compatibility
wd0 at pciide0 channel 0 drive 0: <CF CARD 1GB>
wd0: 1-sector PIO, LBA, 961MB, 1969632 sectors
wd0(pciide0:0:0): using PIO mode 4, DMA mode 2
pciide0: channel 1 ignored (disabled)
ohci0 at pci0 dev 15 function 4 "AMD CS5536 USB" rev 0x02: irq 15, version 1.0, legacy support
ehci0 at pci0 dev 15 function 5 "AMD CS5536 USB" rev 0x02: irq 15
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 "AMD EHCI root hub" rev 2.00/1.00 addr 1
isa0 at glxpcib0
isadma0 at isa0
pcppi0 at isa0 port 0x61
midi0 at pcppi0: <PC speaker>
spkr0 at pcppi0
npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16
pccom0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
pccom0: console
usb1 at ohci0: USB revision 1.0
uhub1 at usb1 "AMD OHCI root hub" rev 1.00/1.00 addr 1
biomask e3ef netmask ffef ttymask ffef
mtrr: K6-family MTRR support (2 registers)
nvram: invalid checksum
softraid0 at root
root on wd0a swap on wd0b dump on wd0b
WARNING: / was not properly unmounted
clock: unknown CMOS layout
WARNING: clock time much less than file system time
WARNING: using file system time
WARNING: CHECK AND RESET THE DATE!




/etc/isakmpd/isakmpd.conf


##########################################################
##########################################################

[Phase 1]
# Remote client (road_warrior) has dynamic IP addressing

Default=                road_warrior


[Phase 2]
# Passive connection between client and server
Connections=            nw_VPN_Server-nw_1

Passive-Connections=    VPN_Server-road_warrior


# IPSec Peers
#############

[road_warrior]
Phase=                  1
Transport=              udp
# Local-address=          194.208.34.110
Configuration=          Default-main-mode
Authentication=         xxxxxx
Default=                VPN_Server-road_warrior


[fw-1]
Phase=                  1
Transport=              udp
# LocalAddress=           194.208.34.110
Address=                194.208.33.217
Configuration=          main-mode-AES256
Authentication=         xxxxxx


# Connections (Phase 2)
#############
[VPN_Server-road_warrior]
Phase=                  2
ISAKMP-peer=            road_warrior
Configuration=          Default-quick-mode
Local-ID=               Net-VPN_Server


[nw_VPN_Server-nw_1]
Phase=                  2
ISAKMP-peer=            fw-1
Configuration=          quick-mode-aes256
Local-ID=               Net-VPN_Server
Remote-ID=              Net-1



# Network definitions
#####################
[Net-VPN_Server]
ID-type=                IPV4_ADDR_SUBNET
Network=                192.168.98.0
Netmask=                255.255.255.0

[Net-1]
ID-type=                IPV4_ADDR_SUBNET
Network=                192.168.1.0
Netmask=                255.255.255.0


##########################################################

# Descriptions (Main Mode - Phase 1)
##############
[Default-main-mode]
DOI=                    IPSEC
EXCHANGE_TYPE=          ID_PROT
Transforms=             3DES-SHA

[main-mode-AES256]
DOI=                    IPSEC
EXCHANGE_TYPE=          ID_PROT
Transforms=             AES256-SHA-GRP2


# Descriptions (Quick Mode - Phase 2)
##############
[Default-quick-mode]
DOI=                    IPSEC
EXCHANGE_TYPE=          QUICK_MODE
Suites=                 QM-ESP-3DES-SHA-PFS-SUITE

[quick-mode-AES256]
DOI=                    IPSEC
EXCHANGE_TYPE=          QUICK_MODE
Suites=                 QM-AES256-SHA-GRP2-PFS-SUITE


# Main mode transforms (Phase 1)
######################
# 3DES SHA Group2
[3DES-SHA]
ENCRYPTION_ALGORITHM=   3DES_CBC
HASH_ALGORITHM=         SHA
AUTHENTICATION_METHOD=  PRE_SHARED
GROUP_DESCRIPTION=      MODP_1024
Life=                   LIFE_3600_SECS

# AES256 SHA Group2
[AES256-SHA-GRP2]
ENCRYPTION_ALGORITHM=   AES_CBC
KEY_LENGTH=             256
HASH_ALGORITHM=         SHA
AUTHENTICATION_METHOD=  PRE_SHARED
GROUP_DESCRIPTION=      MODP_1024
Life=                   LIFE_3600_SECS


# Quick mode protection suites (Phase 2 - 1/3)
##############################
# 3DES SHA PFS
[QM-ESP-3DES-SHA-PFS-SUITE]
Protocols=              QM-ESP-3DES-SHA-PFS

# 3DES SHA
[QM-ESP-3DES-SHA-SUITE]
Protocols=              QM-ESP-3DES-SHA

# AES128 SHA PFS
[QM-AES128-SHA-GRP2-PFS-SUITE]
Protocols=              QM-ESP-AES-SHA-PFS

# AES256 SHA PFS
[QM-AES256-SHA-GRP2-PFS-SUITE]
Protocols=              QM-ESP-AES-SHA-PFS


# Quick mode protocols (Phase 2 - 2/3)
######################
# 3DES SHA PFS
[QM-ESP-3DES-SHA-PFS]
PROTOCOL_ID=            IPSEC_ESP
Transforms=             QM-ESP-3DES-SHA-PFS-XF

# 3DES SHA
[QM-ESP-3DES-SHA]
PROTOCOL_ID=            IPSEC_ESP
Transforms=             QM-ESP-3DES-SHA-XF

# AES SHA PFS
[QM-ESP-AES-SHA-PFS]
PROTOCOL_ID=            IPSEC_ESP
Transforms=             QM-ESP-AES-SHA-PFS-XF



# Quick mode transforms (Phase 2 - 3/3)
#######################
# 3DES SHA PFS
[QM-ESP-3DES-SHA-PFS-XF]
TRANSFORM_ID=                   3DES
ENCAPSULATION_MODE=             TUNNEL
AUTHENTICATION_ALGORITHM=       HMAC_SHA
GROUP_DESCRIPTION=              MODP_1024
Life=                           LIFE_3600_SECS

# 3DES SHA
[QM-ESP-3DES-SHA-XF]
TRANSFORM_ID=                   3DES
ENCAPSULATION_MODE=             TUNNEL
AUTHENTICATION_ALGORITHM=       HMAC_SHA
GROUP_DESCRIPTION=              MODP_1024
Life=                           LIFE_3600_SECS

# AES SHA PFS
[QM-ESP-AES-SHA-PFS-XF]
TRANSFORM_ID=                   AES
ENCAPSULATION_MODE=             TUNNEL
AUTHENTICATION_ALGORITHM=       HMAC_SHA
GROUP_DESCRIPTION=              MODP_1024
KEY_LENGTH=                     256
Life=                           LIFE_3600_SECS


# Lifetimes
###########
# 6 hours
[LIFE_6_HOURS]
LIFE_TYPE=              SECONDS
LIFE_DURATION=          21600,18000:25200

# 8 hours
[LIFE_8_HOURS]
LIFE_TYPE=              SECONDS
LIFE_DURATION=          28800,25200:32400

# 24 hours / 1 day
[LIFE_1_DAY]
LIFE_TYPE=              SECONDS
LIFE_DURATION=          86400,79200:93600

# 3 min / 180 sec
[LIFE_180_SECS]
LIFE_TYPE=              SECONDS
LIFE_DURATION=          180,120:240

# 1 hour
[LIFE_3600_SECS]
LIFE_TYPE=              SECONDS
LIFE_DURATION=          3600,1800:7200




> -----Original Message-----
> From: Wim Vandeputte [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, 21 May 2008 16:23
> To: Arno Hechenberger
> Subject: Re: OpenBSD and "VIA VT6105M RhineIII"
>
> Hey Arno,
>
> just to confirm, you are changing the CF from a wrap board,
> rename the device names and it does not work on the soekris?
>
> On Wed, May 21, 2008 at 11:14 AM, Arno Hechenberger
> <[EMAIL PROTECTED]> wrote:
> > hello,
> >
> >
> >
> > we have huge problems with the new soekris and pcengines
> boards with
> > the "VIA VT6105M RhineIII" network chipset and OpenBSD.
> >
> >
> >
> > no machine is able to establish a tunnel to another IPsec peer. we
> > worked for years with the pcengines WRAP boards - they had
> no problem.
> >
> >
> >
> > below is a trace of the tunnel establishment with a normal
> pc hardware
> > with fxp interfaces - everything works fine. the other
> picture shows a
> > trace of a board with VIA chipset with vr interfaces and the exactly
> > same configuration (isakmpd.conf and IP addresses) - you can
> see that
> > there must be a problem with the tunnel establishment.
> >
> >
> >
> > unfortunately the phase I and phase II communication is completely
> > encrypted, so there is only a low chance to discover a bug
> but at least
> > the headers and all checksums are correct ...
> >
> >
> >
> > has anyone discovered similar problems with OpenBSD and the VIA
> > chipset or other possible positive experiences?
> >
> >
> >
> > thanks in advance for a feedback
> >
> > regards
> >
> >  arno hechenberger
> >
> >  citydata
> >
> >
> >
> >
> >
> >
> >
> >
> >
> > trace: machine with vr interfaces
> >
> >
> >
> >
> >
> >
> >
> > trace: machine with fxp interfaces
> >
> >
> >
> >
> >
> >
> >
> >
> >
> > dmesg:
> >
> >
> >
> > OpenBSD 4.3 (GENERIC) #698: Wed Mar 12 11:07:05 MDT 2008
> >
> >     [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
> >
> > RTC BIOS diagnostic error 80<clock_battery>
> >
> > cpu0: Geode(TM) Integrated Processor by AMD PCS ("AuthenticAMD"
> > 586-class)
> > 432 MHz
> >
> > cpu0: FPU,DE,PSE,TSC,MSR,CX8,SEP,PGE,CMOV,CFLUSH,MMX
> >
> > real mem  = 133791744 (127MB)
> >
> > avail mem = 121331712 (115MB)
> >
> > RTC BIOS diagnostic error 80<clock_battery>
> >
> > mainbus0 at root
> >
> > bios0 at mainbus0: AT/286+ BIOS, date 12/10/07, BIOS32 rev. 0 @
> > 0xfceb2
> >
> > pcibios0 at bios0: rev 2.1 @ 0xf0000/0x10000
> >
> > pcibios0: pcibios_get_intr_routing - function not supported
> >
> > pcibios0: PCI IRQ Routing information unavailable.
> >
> > pcibios0: PCI bus #0 is the last bus
> >
> > bios0: ROM list: 0xe0000/0xa800
> >
> > cpu0 at mainbus0
> >
> > pci0 at mainbus0 bus 0: configuration mode 1 (bios)
> >
> > pchb0 at pci0 dev 1 function 0 "AMD Geode LX" rev 0x33
> >
> > glxsb0 at pci0 dev 1 function 2 "AMD Geode LX Crypto" rev 0x00: RNG
> > AES
> >
> > vr0 at pci0 dev 9 function 0 "VIA VT6105M RhineIII" rev
> 0x96: irq 10,
> > address 00:0d:b9:14:09:a0
> >
> > ukphy0 at vr0 phy 1: Generic IEEE 802.3u media interface,
> rev. 3: OUI
> > 0x004063, model 0x0034
> >
> > vr1 at pci0 dev 10 function 0 "VIA VT6105M RhineIII" rev
> 0x96: irq 11,
> > address 00:0d:b9:14:09:a1
> >
> > ukphy1 at vr1 phy 1: Generic IEEE 802.3u media interface,
> rev. 3: OUI
> > 0x004063, model 0x0034
> >
> > vr2 at pci0 dev 11 function 0 "VIA VT6105M RhineIII" rev
> 0x96: irq 12,
> > address 00:0d:b9:14:09:a2
> >
> > ukphy2 at vr2 phy 1: Generic IEEE 802.3u media interface,
> rev. 3: OUI
> > 0x004063, model 0x0034
> >
> > glxpcib0 at pci0 dev 15 function 0 "AMD CS5536 ISA" rev
> 0x03: rev 0,
> > 32-bit 3579545Hz timer, watchdog, gpio
> >
> > gpio0 at glxpcib0: 32 pins
> >
> > pciide0 at pci0 dev 15 function 2 "AMD CS5536 IDE" rev 0x01: DMA,
> > channel 0 wired to compatibility, channel 1 wired to compatibility
> >
> > wd0 at pciide0 channel 0 drive 0: <CF CARD 1GB>
> >
> > wd0: 1-sector PIO, LBA, 961MB, 1969632 sectors
> >
> > wd0(pciide0:0:0): using PIO mode 4, DMA mode 2
> >
> > pciide0: channel 1 ignored (disabled)
> >
> > ohci0 at pci0 dev 15 function 4 "AMD CS5536 USB" rev 0x02: irq 15,
> > version 1.0, legacy support
> >
> > ehci0 at pci0 dev 15 function 5 "AMD CS5536 USB" rev 0x02: irq 15
> >
> > usb0 at ehci0: USB revision 2.0
> >
> > uhub0 at usb0 "AMD EHCI root hub" rev 2.00/1.00 addr 1
> >
> > isa0 at glxpcib0
> >
> > isadma0 at isa0
> >
> > pcppi0 at isa0 port 0x61
> >
> > midi0 at pcppi0: <PC speaker>
> >
> > spkr0 at pcppi0
> >
> > npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16
> >
> > pccom0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
> >
> > pccom0: console
> >
> > usb1 at ohci0: USB revision 1.0
> >
> > uhub1 at usb1 "AMD OHCI root hub" rev 1.00/1.00 addr 1
> >
> > biomask e3ef netmask ffef ttymask ffef
> >
> > mtrr: K6-family MTRR support (2 registers)
> >
> > nvram: invalid checksum
> >
> > softraid0 at root
> >
> > root on wd0a swap on wd0b dump on wd0b
> >
> > WARNING: / was not properly unmounted
> >
> > clock: unknown CMOS layout
> >
> > WARNING: clock time much less than file system time
> >
> > WARNING: using file system time
> >
> > WARNING: CHECK AND RESET THE DATE!
> >
> >
> >
> >
> >
> >
> >
> >
> >
> > /etc/isakmpd/isakmpd.conf
> >
> >
> >
> >
> >
> > ##########################################################
> >
> > ##########################################################
> >
> >
> >
> > [Phase 1]
> >
> > # Remote client (road_warrior) has dynamic IP addressing
> >
> >
> >
> > Default=                road_warrior
> >
> >
> >
> >
> >
> > [Phase 2]
> >
> > # Passive connection between client and server
> >
> > Connections= nw_VPN_Server-nw_1
> >
> >
> >
> > Passive-Connections=    VPN_Server-road_warrior
> >
> >
> >
> >
> >
> > # IPSec Peers
> >
> > #############
> >
> >
> >
> > [road_warrior]
> >
> > Phase=                  1
> >
> > Transport=              udp
> >
> > # Local-address=          194.208.34.110
> >
> > Configuration=          Default-main-mode
> >
> > Authentication=         xxxxxx
> >
> > Default=                VPN_Server-road_warrior
> >
> >
> >
> >
> >
> > [fw-1]
> >
> > Phase=                  1
> >
> > Transport=              udp
> >
> > # LocalAddress=           194.208.34.110
> >
> > Address=                194.208.33.217
> >
> > Configuration=          main-mode-AES256
> >
> > Authentication=         xxxxxx
> >
> >
> >
> >
> >
> > # Connections (Phase 2)
> >
> > #############
> >
> > [VPN_Server-road_warrior]
> >
> > Phase=                  2
> >
> > ISAKMP-peer=            road_warrior
> >
> > Configuration=          Default-quick-mode
> >
> > Local-ID=               Net-VPN_Server
> >
> >
> >
> >
> >
> > [nw_VPN_Server-nw_1]
> >
> > Phase=                  2
> >
> > ISAKMP-peer=            fw-1
> >
> > Configuration=          quick-mode-aes256
> >
> > Local-ID=               Net-VPN_Server
> >
> > Remote-ID=              Net-1
> >
> >
> >
> >
> >
> >
> >
> > # Network definitions
> >
> > #####################
> >
> > [Net-VPN_Server]
> >
> > ID-type=                IPV4_ADDR_SUBNET
> >
> > Network=                192.168.98.0
> >
> > Netmask=                255.255.255.0
> >
> >
> >
> > [Net-1]
> >
> > ID-type=                IPV4_ADDR_SUBNET
> >
> > Network=                192.168.1.0
> >
> > Netmask=                255.255.255.0
> >
> >
> >
> >
> >
> > ##########################################################
> >
> >
> >
> > # Descriptions (Main Mode - Phase 1)
> >
> > ##############
> >
> > [Default-main-mode]
> >
> > DOI=                    IPSEC
> >
> > EXCHANGE_TYPE=          ID_PROT
> >
> > Transforms=             3DES-SHA
> >
> >
> >
> > [main-mode-AES256]
> >
> > DOI=                    IPSEC
> >
> > EXCHANGE_TYPE=          ID_PROT
> >
> > Transforms=             AES256-SHA-GRP2
> >
> >
> >
> >
> >
> > # Descriptions (Quick Mode - Phase 2)
> >
> > ##############
> >
> > [Default-quick-mode]
> >
> > DOI=                    IPSEC
> >
> > EXCHANGE_TYPE=          QUICK_MODE
> >
> > Suites=                 QM-ESP-3DES-SHA-PFS-SUITE
> >
> >
> >
> > [quick-mode-AES256]
> >
> > DOI=                    IPSEC
> >
> > EXCHANGE_TYPE=          QUICK_MODE
> >
> > Suites=                 QM-AES256-SHA-GRP2-PFS-SUITE
> >
> >
> >
> >
> >
> > # Main mode transforms (Phase 1)
> >
> > ######################
> >
> > # 3DES SHA Group2
> >
> > [3DES-SHA]
> >
> > ENCRYPTION_ALGORITHM=   3DES_CBC
> >
> > HASH_ALGORITHM=         SHA
> >
> > AUTHENTICATION_METHOD=  PRE_SHARED
> >
> > GROUP_DESCRIPTION=      MODP_1024
> >
> > Life=                   LIFE_3600_SECS
> >
> >
> >
> > # AES256 SHA Group2
> >
> > [AES256-SHA-GRP2]
> >
> > ENCRYPTION_ALGORITHM=   AES_CBC
> >
> > KEY_LENGTH=             256
> >
> > HASH_ALGORITHM=         SHA
> >
> > AUTHENTICATION_METHOD=  PRE_SHARED
> >
> > GROUP_DESCRIPTION=      MODP_1024
> >
> > Life=                   LIFE_3600_SECS
> >
> >
> >
> >
> >
> > # Quick mode protection suites (Phase 2 - 1/3)
> >
> > ##############################
> >
> > # 3DES SHA PFS
> >
> > [QM-ESP-3DES-SHA-PFS-SUITE]
> >
> > Protocols=              QM-ESP-3DES-SHA-PFS
> >
> >
> >
> > # 3DES SHA
> >
> > [QM-ESP-3DES-SHA-SUITE]
> >
> > Protocols=              QM-ESP-3DES-SHA
> >
> >
> >
> > # AES128 SHA PFS
> >
> > [QM-AES128-SHA-GRP2-PFS-SUITE]
> >
> > Protocols=              QM-ESP-AES-SHA-PFS
> >
> >
> >
> > # AES256 SHA PFS
> >
> > [QM-AES256-SHA-GRP2-PFS-SUITE]
> >
> > Protocols=              QM-ESP-AES-SHA-PFS
> >
> >
> >
> >
> >
> > # Quick mode protocols (Phase 2 - 2/3)
> >
> > ######################
> >
> > # 3DES SHA PFS
> >
> > [QM-ESP-3DES-SHA-PFS]
> >
> > PROTOCOL_ID=            IPSEC_ESP
> >
> > Transforms=             QM-ESP-3DES-SHA-PFS-XF
> >
> >
> >
> > # 3DES SHA
> >
> > [QM-ESP-3DES-SHA]
> >
> > PROTOCOL_ID=            IPSEC_ESP
> >
> > Transforms=             QM-ESP-3DES-SHA-XF
> >
> >
> >
> > # AES SHA PFS
> >
> > [QM-ESP-AES-SHA-PFS]
> >
> > PROTOCOL_ID=            IPSEC_ESP
> >
> > Transforms=             QM-ESP-AES-SHA-PFS-XF
> >
> >
> >
> >
> >
> >
> >
> > # Quick mode transforms (Phase 2 - 3/3)
> >
> > #######################
> >
> > # 3DES SHA PFS
> >
> > [QM-ESP-3DES-SHA-PFS-XF]
> >
> > TRANSFORM_ID=                   3DES
> >
> > ENCAPSULATION_MODE=             TUNNEL
> >
> > AUTHENTICATION_ALGORITHM=       HMAC_SHA
> >
> > GROUP_DESCRIPTION=              MODP_1024
> >
> > Life=                           LIFE_3600_SECS
> >
> >
> >
> > # 3DES SHA
> >
> > [QM-ESP-3DES-SHA-XF]
> >
> > TRANSFORM_ID=                   3DES
> >
> > ENCAPSULATION_MODE=             TUNNEL
> >
> > AUTHENTICATION_ALGORITHM=       HMAC_SHA
> >
> > GROUP_DESCRIPTION=              MODP_1024
> >
> > Life=                           LIFE_3600_SECS
> >
> >
> >
> > # AES SHA PFS
> >
> > [QM-ESP-AES-SHA-PFS-XF]
> >
> > TRANSFORM_ID=                   AES
> >
> > ENCAPSULATION_MODE=             TUNNEL
> >
> > AUTHENTICATION_ALGORITHM=       HMAC_SHA
> >
> > GROUP_DESCRIPTION=              MODP_1024
> >
> > KEY_LENGTH=                     256
> >
> > Life=                           LIFE_3600_SECS
> >
> >
> >
> >
> >
> > # Lifetimes
> >
> > ###########
> >
> > # 6 hours
> >
> > [LIFE_6_HOURS]
> >
> > LIFE_TYPE=              SECONDS
> >
> > LIFE_DURATION=          21600,18000:25200
> >
> >
> >
> > # 8 hours
> >
> > [LIFE_8_HOURS]
> >
> > LIFE_TYPE=              SECONDS
> >
> > LIFE_DURATION=          28800,25200:32400
> >
> >
> >
> > # 24 hours / 1 day
> >
> > [LIFE_1_DAY]
> >
> > LIFE_TYPE=              SECONDS
> >
> > LIFE_DURATION=          86400,79200:93600
> >
> >
> >
> > # 3 min / 180 sec
> >
> > [LIFE_180_SECS]
> >
> > LIFE_TYPE=              SECONDS
> >
> > LIFE_DURATION=          180,120:240
> >
> >
> >
> > # 1 hour
> >
> > [LIFE_3600_SECS]
> >
> > LIFE_TYPE=              SECONDS
> >
> > LIFE_DURATION=          3600,1800:7200
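The two packet summaries in this thread (ALIX with vr interfaces, WRAP with sis interfaces) differ in two visible ways: on the ALIX an Identity Protection (Main Mode) message from 194.208.33.217 shows up as packet 8, after Quick Mode has already started, and no ESP traffic ever follows the Quick Mode exchange. The following Python script is an added example, not part of the original mail thread: it parses Wireshark-style summary lines, counts the Main Mode and Quick Mode messages, records the ESP SPIs seen in each direction, and flags exactly those two conditions. The two traces are embedded as sample input (copied from the mail, re-joined onto one line per packet, the WRAP one shortened to its first ESP packets); the message counts it expects (6 for Main Mode, 3 for Quick Mode) are the IKEv1 exchange sizes, and the anomaly wording is the script's own.

```python
import re
from dataclasses import dataclass, field

# One Wireshark summary line: No.  Time  Source  Destination  Protocol  Info
LINE_RE = re.compile(
    r"^\s*(?P<no>\d+)\s+(?P<time>[\d.]+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+"
    r"(?P<proto>\S+)\s+(?P<info>.*\S)\s*$")
SPI_RE = re.compile(r"SPI=(0x[0-9a-fA-F]+)")

MAIN_MODE_MSGS = 6   # messages in a complete IKEv1 Identity Protection exchange
QUICK_MODE_MSGS = 3  # messages in a complete IKEv1 Quick Mode exchange


def parse_summary(text):
    """Return one dict per packet; header and blank lines are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            p = m.groupdict()
            p["no"], p["time"] = int(p["no"]), float(p["time"])
            packets.append(p)
    return packets


@dataclass
class Verdict:
    main_mode: int = 0                              # Main Mode messages seen
    quick_mode: int = 0                             # Quick Mode messages seen
    esp_spis: dict = field(default_factory=dict)    # SPI -> "src>dst"
    anomalies: list = field(default_factory=list)


def analyse(packets):
    """Walk the packets in capture order and decide how far the negotiation got."""
    v = Verdict()
    quick_mode_started = False
    for p in packets:
        if p["proto"] == "ISAKMP" and "Main Mode" in p["info"]:
            v.main_mode += 1
            if quick_mode_started:
                # Phase 1 must be finished before Phase 2 begins; a Main Mode
                # message at this point means the two peers are no longer in step.
                v.anomalies.append(
                    f"#{p['no']}: Main Mode message from {p['src']} after Quick Mode started")
        elif p["proto"] == "ISAKMP" and "Quick Mode" in p["info"]:
            quick_mode_started = True
            v.quick_mode += 1
        elif p["proto"] == "ESP":
            m = SPI_RE.search(p["info"])
            v.esp_spis.setdefault(m.group(1) if m else "unknown", f"{p['src']}>{p['dst']}")
    if v.main_mode < MAIN_MODE_MSGS:
        v.anomalies.append(f"Phase 1 incomplete: {v.main_mode} of {MAIN_MODE_MSGS} Main Mode messages")
    if quick_mode_started and v.quick_mode < QUICK_MODE_MSGS:
        v.anomalies.append(f"Phase 2 incomplete: {v.quick_mode} of {QUICK_MODE_MSGS} Quick Mode messages")
    if quick_mode_started and not v.esp_spis:
        v.anomalies.append("no ESP after Quick Mode: no SA carried traffic in this capture")
    return v


# Sample input: the two summaries from the mail, re-joined onto one line per
# packet. The WRAP trace is cut after its first four ESP packets.
ALIX_TRACE = """
No.     Time        Source                Destination           Protocol Info
      1 0.000000    194.208.37.21         194.208.33.217        ISAKMP   Identity Protection (Main Mode)
      2 0.058193    194.208.33.217        194.208.37.21         ISAKMP   Identity Protection (Main Mode)
      3 0.150492    194.208.37.21         194.208.33.217        ISAKMP   Identity Protection (Main Mode)
      4 0.208460    194.208.33.217        194.208.37.21         ISAKMP   Identity Protection (Main Mode)
      5 0.304038    194.208.37.21         194.208.33.217        ISAKMP   Identity Protection (Main Mode)
      6 0.358672    194.208.33.217        194.208.37.21         ISAKMP   Identity Protection (Main Mode)
      7 0.437001    194.208.37.21         194.208.33.217        ISAKMP   Quick Mode
      8 0.469804    194.208.33.217        194.208.37.21         ISAKMP   Identity Protection (Main Mode)
      9 0.483476    194.208.33.217        194.208.37.21         ISAKMP   Quick Mode
     10 0.494387    194.208.37.21         194.208.33.217        ISAKMP   Quick Mode
"""
WRAP_TRACE = """
      1 0.000000    194.208.37.21         194.208.33.217        ISAKMP   Identity Protection (Main Mode)
      2 0.055112    194.208.33.217        194.208.37.21         ISAKMP   Identity Protection (Main Mode)
      3 0.089738    194.208.37.21         194.208.33.217        ISAKMP   Identity Protection (Main Mode)
      4 0.135278    194.208.33.217        194.208.37.21         ISAKMP   Identity Protection (Main Mode)
      5 0.147892    194.208.37.21         194.208.33.217        ISAKMP   Identity Protection (Main Mode)
      6 0.199866    194.208.33.217        194.208.37.21         ISAKMP   Identity Protection (Main Mode)
      7 0.211054    194.208.37.21         194.208.33.217        ISAKMP   Quick Mode
      8 0.285228    194.208.33.217        194.208.37.21         ISAKMP   Quick Mode
      9 0.286238    194.208.37.21         194.208.33.217        ISAKMP   Quick Mode
     10 26.826381   194.208.37.21         194.208.33.217        ESP      ESP (SPI=0xfb95abfa)
     11 26.906322   194.208.33.217        194.208.37.21         ESP      ESP (SPI=0x0f34b701)
     12 27.836780   194.208.37.21         194.208.33.217        ESP      ESP (SPI=0xfb95abfa)
     13 27.876157   194.208.33.217        194.208.37.21         ESP      ESP (SPI=0x0f34b701)
"""

if __name__ == "__main__":
    for name, trace in (("ALIX (vr)", ALIX_TRACE), ("WRAP (sis)", WRAP_TRACE)):
        v = analyse(parse_summary(trace))
        print(f"{name}: {v.main_mode} Main Mode, {v.quick_mode} Quick Mode, ESP SPIs {sorted(v.esp_spis)}")
        for a in v.anomalies:
            print("  !", a)
```

Run as a script it prints one verdict per trace: the WRAP capture comes out clean with both ESP SPIs, the ALIX capture gets the stray Main Mode message at packet 8 and the missing ESP. The "no ESP" finding is deliberately worded as a statement about the capture, not about the SA database: it only says no traffic crossed a tunnel while the capture ran (the WRAP trace shows ESP only from about 27 seconds in), so the next step on the box is to check with `ipsecctl -sa` whether a Phase 2 SA was installed at all before concluding that Quick Mode failed.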
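The isakmpd.conf posted in this thread is a chain of indirections: a [Phase 2] connection names an ISAKMP-peer and a Configuration, the configuration names Suites, each suite names Protocols, each protocol names Transforms, and each transform names a Life section. A typo anywhere in that chain is an easy way to end up proposing nothing usable in Quick Mode without any obvious error in the file. The following Python resolver is an added example, not part of the original mail or of isakmpd itself: it parses the file format, follows the chain for every connection listed under [Phase 2], and returns the concrete ESP transform (cipher, key length, PFS group, lifetime) or the first dangling reference. The embedded SAMPLE_CONF is an abbreviated copy of the posted configuration that keeps only the tags the resolver follows. Section names are matched case-insensitively; that is an assumption drawn from the thread, since the posted file refers to quick-mode-aes256 while the section is [quick-mode-AES256] and the same file works on the WRAP boards.

```python
def parse_isakmpd_conf(text):
    """Parse isakmpd.conf-style text into {section: {tag: value}}; comments dropped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], {})
        elif "=" in line and current is not None:
            tag, value = (part.strip() for part in line.split("=", 1))
            current[tag] = value
    return sections


def lookup(sections, name):
    """Find a section by name, ignoring case (assumption: the posted file refers to
    quick-mode-aes256 but defines [quick-mode-AES256], and works on the WRAP boards)."""
    for sec, tags in sections.items():
        if sec.lower() == name.lower():
            return tags
    raise KeyError(f"dangling reference to section [{name}]")


def split_list(value):
    """isakmpd list values (Suites, Protocols, Transforms, ...) are comma separated."""
    return [v.strip() for v in value.split(",") if v.strip()]


def resolve_connection(sections, conn_name):
    """Follow a Phase 2 connection down to its Phase 1 proposal and concrete ESP transforms."""
    conn = lookup(sections, conn_name)
    peer = lookup(sections, conn["ISAKMP-peer"])
    phase1 = []
    for xf_name in split_list(lookup(sections, peer["Configuration"])["Transforms"]):
        xf = lookup(sections, xf_name)
        phase1.append(f'{xf["ENCRYPTION_ALGORITHM"]}-{xf.get("KEY_LENGTH", "default")}/{xf["GROUP_DESCRIPTION"]}')
    transforms = []
    for suite in split_list(lookup(sections, conn["Configuration"])["Suites"]):
        for proto_name in split_list(lookup(sections, suite)["Protocols"]):
            proto = lookup(sections, proto_name)
            for xf_name in split_list(proto["Transforms"]):
                xf = lookup(sections, xf_name)
                transforms.append({
                    "protocol": proto["PROTOCOL_ID"],
                    "transform": xf["TRANSFORM_ID"],
                    "key_length": int(xf["KEY_LENGTH"]) if "KEY_LENGTH" in xf else None,
                    "auth": xf["AUTHENTICATION_ALGORITHM"],
                    "pfs_group": xf.get("GROUP_DESCRIPTION"),   # only present when PFS is used
                    "life": lookup(sections, xf["Life"])["LIFE_DURATION"],
                })
    return {"peer": peer.get("Address", "dynamic"), "phase1": phase1, "transforms": transforms}


def check_all_connections(sections):
    """Resolve every connection named under [Phase 2]; a missing section or tag becomes an error string."""
    phase2 = lookup(sections, "Phase 2")
    names = split_list(phase2.get("Connections", "")) + split_list(phase2.get("Passive-Connections", ""))
    results = {}
    for name in names:
        try:
            results[name] = resolve_connection(sections, name)
        except KeyError as err:
            results[name] = f"error: {err.args[0]}"
    return results


# Abbreviated copy of the isakmpd.conf posted in the thread: only the tags the
# resolver follows are kept, and only the nw_VPN_Server-nw_1 connection.
SAMPLE_CONF = """
[Phase 2]
Connections=            nw_VPN_Server-nw_1
[fw-1]
Address=                194.208.33.217
Configuration=          main-mode-AES256
[nw_VPN_Server-nw_1]
ISAKMP-peer=            fw-1
Configuration=          quick-mode-aes256
[main-mode-AES256]
Transforms=             AES256-SHA-GRP2
[AES256-SHA-GRP2]
ENCRYPTION_ALGORITHM=   AES_CBC
KEY_LENGTH=             256
GROUP_DESCRIPTION=      MODP_1024
[quick-mode-AES256]
Suites=                 QM-AES256-SHA-GRP2-PFS-SUITE
[QM-AES256-SHA-GRP2-PFS-SUITE]
Protocols=              QM-ESP-AES-SHA-PFS
[QM-ESP-AES-SHA-PFS]
PROTOCOL_ID=            IPSEC_ESP
Transforms=             QM-ESP-AES-SHA-PFS-XF
[QM-ESP-AES-SHA-PFS-XF]
TRANSFORM_ID=                   AES
AUTHENTICATION_ALGORITHM=       HMAC_SHA
GROUP_DESCRIPTION=              MODP_1024
KEY_LENGTH=                     256
Life=                           LIFE_3600_SECS
[LIFE_3600_SECS]
LIFE_DURATION=          3600,1800:7200
"""

if __name__ == "__main__":
    for name, result in check_all_connections(parse_isakmpd_conf(SAMPLE_CONF)).items():
        print(name, result)
```

Point it at a full isakmpd.conf and every listed connection comes back either fully resolved or with the first broken link named; renaming one section in SAMPLE_CONF (say [LIFE_3600_SECS]) is enough to see the dangling-reference path. The resolver deliberately reports what the file proposes, not what the peer accepts: a configuration that resolves cleanly on both ends, as the one in this thread does on the WRAP boards, is the precondition for reading the IKE trace as a transport or driver problem rather than a proposal mismatch.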
