Previous: , Up: IKER  


IKER configuration

Configuration file is in Hjson format:

{
    IKEAlgos: [
        aes256gcm16-aesxcbc-curve25519
        aes128gcm16-aesxcbc-curve25519
    ]
    ESPAlgos: [
        aes256gcm16-noesn
        aes128gcm16-noesn
    ]
    SigHashes: [
        sha512
        sha256
    ]
    DPDTimeout: 300
    Peers: [
        {
            Autostart: false
            OurIP: fc00::dc
            TheirIP: fc00::ac
            # TheirPort: 501
            OurId: gamma.stargrave.org
            TheirId: CN=example.com
            OurTSS: [
                fc00::dc/128[tcp]
                fc00::dc/128[udp/53]
            ]
            TheirTSS: [
                fc00::ac/128
            ]
            Mode: transport

            # PSK is not used if signature-based authentication is enabled
            PSK: DEADBABE

            # Optional SHA256 of expected certificate's SPKI for remote side
            # signature authentication
            TheirCertHash: a948904f2f0f479b8f8197694b30184b0d2ed1c1cd2a1ec0fb85d299a192a447

            # Path to PEM encoded certificate and private key
            # Optional if PSK is used
            OurCert: gamma.stargrave.org.cer.pem
            OurPrvKey: gamma.stargrave.org.key.pem

            # Enable TFC if set and greater than zero
            TFC: 1200
        }
    ]
}
IKEAlgos

List of supported IKE SA proposals, with strongSwan-like names, in order of preference. All of corresponding transformations will be sent in initiator mode.

ESPAlgos

List of supported ESP SA proposals, with strongSwan-like names, in order of preference. All of corresponding transformations will be sent in initiator mode.

SigHashes

List of supported X.509 signature authentication hash algorithms, in order of preference. SIGNATURE_HASH_ALGORITHMS notification contains all of that algorithms. That notification will be sent if SigHashes is not empty. Available:

DPDTimeout

Time in seconds when Dead Peer Detection notification is sent to remote peer. After 3 DPD timeouts, peer is considered dead

Peers

List of known peers configurations

Autostart

Do we automatically initiate connection, or wait as a responder

OurIP, TheirIP

Our and remote IP-addresses. It is used for tunnel endpoints and for sending IKE packets

TheirPort

Optional IKE port override of remote side

OurId

Our FQDN name. If signature authentication is used, then it will be automatically replaced with DN identification based on OurCert certificate’s subject

TheirId

Expected identification from remote side. If PSK authentication is used, then it is FQDN value. With signature authentication it is human readable remote peer’s certificate’s subject representation, like CN=example.com for example

OurTSS, TheirTSS

strongSwan-like traffic selectors specification. Mask is necessary for IP addresses. You can not specify IP-ranges, but starting IP with mask applied to it. Protocol and port specification are optional. You can not specify port-ranges. Allowable formats:

PROTO is one of: tcp, udp, icmp, icmp6.

Mode

Either transport or tunnel

PSK

Pre-shared key for PSK authentication in hexadecimal format. If both peers are expected to use signature authentication, then that option is not used

TheirCertHash

If not empty, then require X.509 certificate signature authentication. This is hexadecimal SHA256 of expected certificate’s SPKI

OurCert

If not empty, then we will authenticate using X.509 certificate signature. It is path to PEM-encoded certificate we will send to remote peer

OurPrvKey

Path to PEM-encoded private key (EC PRIVATE KEY for ECDSA and PRIVATE KEY with PrivateKeyInfo structure for GOST 34.10-2012). Required if OurCert is in use

TFC

If greater than zero, then negotiate TFC usage to pad ESP packet’s payload up to that number of bytes


Previous: , Up: IKER