This program is an implementation of ISAKMP/Oakley. It implements the
drafts:

    draft-ietf-ipsec-isakmp-08
    draft-ietf-ipsec-isakmp-oakley-04
    draft-ietf-ipsec-ipsec-doi-02
    draft-mcdonald-pf-key-v2-02
    draft-mcdonald-simple-ipsec-api-01

with a few changes. There is, however, no guarantee that this
implementation interoperates with other implementations of
ISAKMP/Oakley.

The implementation of this package is based on "pluto", implemented by
Angelos D. Keromytis.

The file isakmp-secrets (which should be in /etc in normal operation)
holds the pre-shared keys used for authentication. The format of the
file is:

    .
    .

The trailing newline is not included in the secret. Since this file
holds authentication secrets, it should be readable by root only.

To fire up the daemon, just type "ketone" as root.

If compiled with the -DDEBUG option, the daemon binds its socket to
port 7500, or to the port given as the command line argument. Without
-DDEBUG it uses port 500, the assigned ISAKMP port. Whichever base port
it uses, a second port, numbered one above the base port, is also
opened to receive requests for initiating ISAKMP exchanges. This README
does not describe any authentication of such requests, so access to
that port should be limited to trusted hosts.

If compiled without the -DRSAENC option, "Pre-shared key" or "Digital
Signature" is used for authentication. If the file isakmp-secrets does
not hold an appropriate pre-shared key for the peer, Digital Signature
is used automatically. This implementation uses the private and public
keys that ssh uses: the file "ssh_host_key", which holds the host's own
private and public key, the file "ssh_known_hosts", which holds the
public keys of other hosts, and any other ssh-related files must be
located under /usr/local/etc. When these files are not in
/usr/local/etc, create (hard or symbolic) links to the corresponding
files under /usr/local/etc. The appropriate public keys of the peers
must be present in ssh_known_hosts, since the current implementation
cannot handle the situation where there is no appropriate key.

A daemon compiled with the -DRSAENC option uses "Pre-shared key" or
"Public Key Encryption" for authentication. If the file isakmp-secrets
does not hold an appropriate pre-shared key, Public Key Encryption is
used automatically. Again, this implementation uses the private and
public keys of ssh, and the same care about their location applies as
in the Digital Signature case.

If the daemon was compiled with the -DMODER option, "Moderate Mode",
proposed by Tomonori Negi, is used instead of Main Mode. The exchange
completes normally only when both daemons, initiator and responder,
were compiled with -DMODER. Be careful: Moderate Mode is not described
in ISAKMP/Oakley, so a -DMODER daemon will not interoperate with a
standard one.

Other options that can be specified at compile time are for debugging
or for performance evaluation:

    -DMEASURE  : time of each step
    -DMEASURE2 : time of each mode on the Initiator
    -DMEASURE3 : time of RSA encryption and decryption
    -DMEASURE4 : time of each mode on the Responder

This implementation has the following restrictions:

    ssh must be installed.
    GMP library must be installed.
    zlib must be installed.

This implementation establishes an SA for AH using Keyed-MD5 and an SA
for ESP using DES-CBC. It establishes the ISAKMP SA using Keyed-SHA1
and DES-CBC. Note that single DES and keyed MD5 are obsolete by today's
standards and should not be relied on for confidentiality or integrity.

There is a LOT of work needed yet to make this a really useful program,
but it helps the development of an ISAKMP/Oakley key management daemon.

This code is released under the despicable GPL terms. See the
accompanying file COPYING-2.0 for more details. The GPL does NOT apply
to those pieces of code written by others which are included in this
distribution, except as noted by the individual authors.

For instructions on how to install this software, read the file
INSTALL.

For the libdeslite license, see libdeslite/COPYRIGHT (code by Eric
Young).
For the ssh license, see ssh/COPYING-1.2.20.
For the pluto license, see license.pluto.
For the pluto implementation, see README.pluto.

This software should be used in conjunction with an IPsec
implementation.
For a directory with such an implementation, see:

    ftp://ftp.itojun.org/pub/ipsec/

Files: FreeBSD222-ipsec.970914.tar.gz

This software was written by Tomonori Negi in 1997/1998, at Keio
University, Japan.

- Tomonori Negi (negi@mt.cs.keio.ac.jp)
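Installation check. The following POSIX shell function is an added example
and is not part of the ketone distribution or of pluto. It checks the file
layout this README requires before the daemon is started: isakmp-secrets
in /etc, ssh_host_key and ssh_known_hosts under /usr/local/etc (a link
placed there is accepted, as the README allows), and a public key for the
named peer in ssh_known_hosts, since the daemon cannot cope with a missing
peer key. The function name ketone_preflight, the helper names, and the
rule that secrets and private keys must have mode 0600 are my assumptions;
the directory arguments exist only so the check can be run against a
scratch tree and default to the paths the README names.

```shell
#!/bin/sh
# ketone_preflight [ETC] [LOCALETC] [PEER]
# Added example: checks the file layout the ketone README requires.
# The function names and the 0600 permission policy are assumptions of
# this example, not rules stated by the daemon.

# Octal permission bits of a file; GNU stat and BSD stat differ in syntax.
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# A secrets or private-key file must not be group- or world-accessible.
require_private() {
    m=$(file_mode "$1")
    case "$m" in
        600|400) echo "ok:   $1 (mode $m)"; return 0 ;;
        *)       echo "FAIL: $1 has mode $m, want 0600"; return 1 ;;
    esac
}

# Look for PEER among the comma-separated host aliases in the first field
# of each ssh1 known_hosts line ("host[,alias...] bits exponent modulus").
known_host_present() {
    awk -v p="$2" '{
        n = split($1, h, ",")
        for (i = 1; i <= n; i++) if (h[i] == p) f = 1
    } END { exit f ? 0 : 1 }' "$1"
}

ketone_preflight() {
    etc="${1:-/etc}"
    localetc="${2:-/usr/local/etc}"
    peer="$3"
    rc=0

    secrets="$etc/isakmp-secrets"
    if [ -f "$secrets" ]; then
        require_private "$secrets" || rc=1
    else
        # Without a pre-shared key the daemon falls back to Digital
        # Signature (default build) or Public Key Encryption (-DRSAENC),
        # both of which need the ssh key files checked below.
        echo "note: $secrets absent; public-key authentication will be used"
    fi

    # The daemon reads ssh's key files from LOCALETC only. -e follows
    # symlinks, so a hard or symbolic link placed there passes the check.
    for f in ssh_host_key ssh_known_hosts; do
        if [ -e "$localetc/$f" ]; then
            echo "ok:   $localetc/$f"
        else
            echo "FAIL: $localetc/$f missing (link ssh's copy into $localetc)"
            rc=1
        fi
    done
    # ssh_host_key carries the host's private key.
    [ ! -e "$localetc/ssh_host_key" ] || require_private "$localetc/ssh_host_key" || rc=1

    # The implementation cannot handle a peer with no key on file.
    if [ -n "$peer" ] && [ -e "$localetc/ssh_known_hosts" ]; then
        if known_host_present "$localetc/ssh_known_hosts" "$peer"; then
            echo "ok:   public key for $peer present"
        else
            echo "FAIL: no public key for $peer in $localetc/ssh_known_hosts"
            rc=1
        fi
    fi
    return $rc
}

# Usage: ketone_preflight /etc /usr/local/etc peer.example.org
[ $# -eq 0 ] || ketone_preflight "$@"
```

Run it as root with the peer's host name before starting ketone; a
non-zero exit status means the daemon would either fail to find a key or
run with a secrets file that other local users can read.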