您好,登录后才能下订单哦!
密码登录
登录注册
点击 登录注册 即表示同意《亿速云用户服务条款》
ike.config items
|
definition
|
Impact SSM
|
Impact MDM
|
Global parameters shared by MDM and SSM
|
|||
p1_nonce_len
|
Nonce length of Phase1 negotiation
|
Y
|
Y
|
########
## Global parameters
|
cert_root and cert_trust required for MDM/MSS IKE rsasig.
.
|
Y
|
Y
|
cert_root "CN=PKBRoot01, ST=North Carolina,
C=US, L=Research Triangle Park, O=Security, OU=3X20"
|
|||
cert_trust "CN=PKBRoot01, ST=North Carolina,
C=US, L=Research Triangle Park, O=Security, OU=3X20"
|
|||
ignore_crls
|
To ignore the CRL( Cert Revocation List)
ignore_crls for root CAs
|
Y
|
Y
|
#
## Phase 1 transform defaults
|
|
|
|
p1_lifetime_secs 28800
|
IKE phase1 SAs lifetime
|
Y
|
Y
|
SSM appended entries ( for instance, default phase1 xform)
|
|||
#
## Defaults that individual rules can override.
p1_xform
{ auth_method preshared oakley_group 1 auth_alg sha encr_alg 3des }
p2_pfs 0
|
Default Phase1 transform
|
Y
|
N
|
MDM appended IKE preshared rules
|
|||
{
label INDEXID_1
|
Label used as the search string. for in.iked to looks up phase 1 policy rules
|
Y
|
Y
|
local_id_type ip
|
The type of local address.
|
SS N**
(SSM could display it at M GUI)
|
|
local_addr 47.154.135.86
|
local Ip address
|
||
remote_addr 47.154.135.81
|
remote ip address
|
||
p2_pfs 2
p2_lifetime_secs 28800
|
oakley group and the phase2 SAs lifetime, used for P2 negotiation,
|
||
p1_xform { p1_lifetime_secs 86400 auth_method
preshared oakley_group 1 auth_alg sha1 encr_alg des}
}
|
The transform of phase1 with authenticated by preshared
|
||
MDM appended IKE rsasig rules
|
|||
{
label INDEXID_2
|
Label used as the search string. for in.iked to looks up phase 1 policy rules
|
Y
|
Y
|
local_id_type dn
|
The local id type, “dn” means the DNX.509 distinguished name
|
N
|
Y
|
local_addr 47.154.135.86
|
local IP address
|
||
local_id "CN=SSM0 47.154.135.86, ST=North Carolina
, C=US, L=Research Triangle Park, O=Security, OU=3X20"
|
The DNX.509 distinguished name
|
Y
|
|
remote_addr 47.154.136.69
|
IP address of the remote entry with IPv4 format
|
N
|
|
remote_id ""
|
Use remote_addr for access control. when null means “take any,”
|
||
p2_pfs 1
|
oakley group used for P2 negotiation,
|
||
p1_xform { p1_lifetime_secs 86400 auth_method
rsa_sig oakley_group 1 auth_alg sha1 encr_alg des}
}
|
P1’s transform information ;
|
ike.config items
|
definition
|
Interaction details/Issues
|
Solution
|
Global parameters shared by MDM and SSM
|
|||
p1_nonce_len 20
|
Nonce length of Phase1 negotiation
|
MSS requires 20 for MDM-MSS IKE rsasig relationship.
SSM sets it to 40 as SPFS required.
|
MDM forces it to 20
SSM must not overwrite it if it’s not null.
|
cert_root "CN=PKBRoot01, ST=North Carolina,
C=US, L=Research Triangle Park, O=Security, OU=3X20"
cert_trust "CN=PKBRoot01, ST=North Carolina,
C=US, L=Research Triangle Park, O=Security, OU=3X20"
|
cert_root and cert_trust required for MDM/MSS IKE rsasig.
.
|
Appended by SSM after the certs generated/installed for MDM.
Removed by SSM after the MDM certs were removed
|
MDM does not touch it
|
ignore_crls
|
To ignore the CRL( Cert Revocation List)
ignore_crls for root CAs (as given in cert_root)
|
SSM appended it.
|
If not exist, MDM will append it.
|
p1_lifetime_secs 28800
|
IKE phase1 SAs lifetime, it’s global and could be override by values in the rule entry
|
SSM sets it to 28800, MDM requires 86400 by default.
|
If does not exist, MDM will append that item with 86400.
No matter the value, MDM sets p1_lifetime to 86400 per IKE rule locally.
|
SSM appended entries ( for instance, default phase1 xform)
|
|||
p1_xform
{ auth_method preshared oakley_group 1 auth_alg sha encr_alg 3des }
p2_pfs 0
|
#
## Defaults that individual rules can override.
|
Added by SSM. It is from SSPFS installation
|
No action required for MDM
|
MDM appended IKE preshared rules
|
|||
{
label INDEXID_1
|
Label used as the search string. for in.iked to looks up phase 1 policy rules
|
SSM required INDEXID_x, where x is the integer identical among this file.
|
MDM follows SSM’s rule.
|
local_id_type ip
|
The type of local address.
|
No action required for SSM
|
MDM always set to “ip” if IKE preshared
|
local_addr 47.154.135.86
|
local Ip address
|
These values are set by MDM ike scripts, either from the operator input or the system derived.
|
|
remote_addr 47.154.135.81
|
remote ip address
|
||
p2_pfs 2
p2_lifetime_secs 28800
|
oakley group and the phase2 SAs lifetime, used for P2 negotiation,
|
||
p1_xform { p1_lifetime_secs 86400 auth_method
preshared oakley_group 1 auth_alg sha1 encr_alg des}
}
|
The transform of phase1 with authenticated by preshared
|
||
{
|
The IKE rsasig rule added by MDM IKE provisioning scripts
|
These IKE rules appended would be displayed by SSM GUI.
|
Added by MDM
Removed by MDM when deletion
|
MDM appended IKE rsasig rules
|
|||
label INDEXID_2
|
See above for label
|
|
|
local_id_type dn
|
The local id type, “dn” means the DNX.509 distinguished name
|
No action required for SSM
SSM should not touch it.
|
MDM always set it to “dn” if at rsasig.
|
local_addr 47.154.135.86
|
local IP address
|
|
|
local_id "CN=SSM0 47.154.135.86, ST=North Carolina
, C=US, L=Research Triangle Park, O=Security, OU=3X20"
|
The DNX.509 distinguished name
|
SSM must modify it when MDM certs were replaced/revoked.
|
MDM sets its value firstly by retrieving it from the local workstation
Removed by MDM when delete IKE rules
|
remote_addr 47.154.136.69
|
IP address of the remote entry with IPv4 format
|
No action required for SSM.
SSM should not touch it.
|
Set by MDM
|
remote_id ""
|
Use remote_addr for access control. when null means “take any”
|
No action required for SSM
SSM should not touch it.
|
Set by MDM
|
p2_pfs 1
|
oakley group used for P2 negotiation
|
No action required for SSM
SSM should not touch it.
|
this value is set by MDM ike scripts( the operator)
|
p1_xform { p1_lifetime_secs 86400 auth_method
rsa_sig oakley_group 1 auth_alg sha1 encr_alg des}
}
|
P1’s transform information
|
No action required for SSM
SSM should not modify them.
|
All these name-value pairs are set by MDM IKE scripts. MDM sets p1_lifetime locally here at rule entry.
|
pattern_name_value_pair1 ::=
saddr <address>/<prefix> |
src <address>/<prefix> |
srcaddr <address>/<prefix> |
smask <mask> |
sport <port> |
daddr <address>/<prefix> |
dst <address>/<prefix> |
dstaddr <address>/<prefix> |
dmask <mask> |
dport <port> |
ulp <protocol> |
proto <protocol>
pattern_name_value_pair2 ::=
raddr <address>/<prefix> |
remote <address>/<prefix> |
rport <port> |
laddr <address>/<prefix> |
local <address>/<prefix> |
lport <port> |
ulp <protocol> |
Parameters
|
Values
|
-p1_pfs
|
<1|2>
|
-p1_lifetime
|
<1800-172800> seconds
|
-enc_alg
|
<des|3des>
|
-auth_alg
|
<md5|sha1>
|
-p2_pfs
|
<0|1|2>
|
-p2_lifetime
|
<1800-172800> seconds
|
Parameters
|
Values
|
-proto
|
<udp|tcp|icmp|any>
|
-srcPort
-dstPort
|
Port must be one of: any, ftpdata, ftp, telnet, ntp, snmp, ike, pki, rip, radius, fmip, 1-19, 22-24, 124-160, 162-499, 501-519, 521-828, 830-1811, 1813-5927, 5929-65535
|
-enc_alg
|
<des|3des|aes|none>
|
-auth_alg
|
<md5|sha1>
|
-p2_pfs
|
<0|1|2>
|
-p2_lifetime
|
<1800-172800> seconds
|
-antiReplay
|
<on|off>
|
MDM does not have IKE messages interactions with local solaris
免责声明:本站发布的内容(图片、视频和文字)以原创、转载和分享为主,文章观点不代表本网站立场,如果涉及侵权请联系站长邮箱:is@yisu.com进行举报,并提供相关证据,一经查实,将立刻删除涉嫌侵权内容。