# linked in at compile time, and cannot be controlled
# here.
}
+
+ # Configuration for experimental EAP types. The sub-sections
+ # can be copied into eap.conf.
+ eap {
+ ikev2 {
+
+ # Server auth type
+ # Allowed values are:
+ # cert - for certificate based server authentication,
+ # other required settings for this type are
+ # 'private_key_file' and 'certificate_file'
+ # secret - for shared secret based server authentication,
+ # other required settings for this type is 'id'
+ # Default value of this option is 'secret'
+ # server_authtype=cert
+
+ # Allowed default client auth types
+ # Allowed values are:
+ # secret - for shared secret based client authentication
+ # cert - for certificate based client authentication
+ # both - shared secret and certificate is allowed
+ # none - authentication will always fail
+ # Default value for this option is 'both'. This option could
+ # be overwritten within 'usersfile' file by EAP-IKEv2-Auth
+ # option.
+ # default_authtype = both
+
+ # path to trusted CA certificate file
+ CA_file="/path/to/CA/cacert.pem"
+
+ # path to CRL file, if not set, then there will be no
+ # checks against CRL
+ # crl_file="/path/to/crl.pem"
+
+ # path to file with user settings
+ #
+ # Note that this file is read ONLY on module initialization!
+ #
+ # default ${confdir}/eap_ikev2_users
+ # usersfile=${confdir}/eap_ikev2_users
+
+#
+# Sample "eap_ikev2_users" file entry:
+#
+#username EAP-IKEv2-IDType := KEY_ID, EAP-IKEv2-Secret := "tajne"
+
+## where:
+## username - client user name from IKE-AUTH (IDr) or CommonName
+## from x509 certificate
+## EAP-IKEv2-IDType - ID Type - same as in expected IDType payload
+## allowable attributes for EAP-IKEv2-IDType:
+## IPV4_ADDR FQDN RFC822_ADDR IPV6_ADDR DER_ASN1_DN
+## DER_ASN1_GN KEY_ID
+## EAP-IKEv2-Secret - shared secret
+## EAP-IKEv2-AuthType - optional parameter which defines expected client auth
+## type. Allowed values are: secret,cert,both,none.
+## For the meaning of this values, please see the
+## description of 'default_authtype'.
+## This attribute can overwrite 'default_authtype' value.
+
+
+
+ # path to file with server private key
+ private_key_file="/path/to/srv-private-key.pem"
+
+ # password to private key file
+ private_key_password="passwd"
+
+ # path to file with server certificate
+ certificate_file="/path/to/srv-cert.pem"
+
+ # server identity string
+ id="deMaio"
+
+ # Server identity type. Allowed values are:
+ # IPV4_ADDR, FQDN, RFC822_ADDR, IPV6_ADDR, ASN1_DN, ASN1_GN,
+ # KEY_ID
+ # Default value is: KEY_ID
+ # id_type = KEY_ID
+
+
+ # MTU (default: 1398)
+ # fragment_size = 1398
+
+ # maximal allowed number of resends SA_INIT after receiving
+ # 'invalid KEY' notification (default 3)
+ # DH_counter_max = 3
+
+ # option which is used to control whenever send CERT REQ
+ # payload or not.
+ # Allowed values for this option are "yes" or "no".
+ #Default value is "no".
+ # certreq = "yes"
+
+ # option which cotrols fast reconnect capability.
+ # Allowed valuse for this option are "yes" or "no".
+ # Default value is "yes".
+ # enable_fast_reauth = "no"
+
+ # option which is used to control performing of DH exchange
+ # during fast rekeying protocol run.
+ # Allowed values for this option are "yes" or "no".
+ # Default value is "no"
+ # fast_DH_exchange = "yes"
+
+ # Option which is used to set up expiration time of inactive
+ # IKEv2 session.
+ # After selected period of time (in seconds), inactive
+ # session data will be deleted.
+ # Default value of this option is set to 900 seconds
+ # fast_timer_expire = 900
+
+ # list of server proposals of available cryptographic
+ # suites
+ proposals {
+ # proposal number #1
+ proposal {
+
+ # Supported transforms types: encryption,
+ # prf, integrity, dhgroup. For multiple
+ # transforms just simple repeat key (i.e.
+ # integity).
+
+ # encryption algorithm
+ # supported algorithms:
+ # null,3des,aes_128_cbc,aes_192_cbc,
+ # aes_256_cbc,idea
+ # blowfish:n, where n range from 8 to 448 bits,
+ # step 8 bits
+ # cast:n, where n range from 40 to 128 bits,
+ # step 8 bits
+ encryption = 3des
+
+ # pseudo random function. Supported prf's:
+ # hmac_md5, hmac_sha1, hmac_tiger
+ prf = hmac_sha1
+
+ # integrity algorithm. Supported algorithms:
+ # hmac_md5_96, hmac_sha1_96,des_mac
+ integrity = hmac_sha1_96
+ integrity = hmac_md5_96
+
+ # Diffie-Hellman groups:
+ # modp768, modp1024, modp1536, modp2048,
+ # modp3072, modp4096, modp6144, modp8192
+ dhgroup = modp2048
+ }
+
+ # proposal number #2
+ proposal {
+ encryption = 3des
+ prf = hmac_md5
+ integrity = hmac_md5_96
+ dhgroup = modp1024
+ }
+
+ # proposal number #3
+ proposal {
+ encryption=3des
+ prf=hmac_md5
+ integrity=hmac_md5_96
+ dhgroup=modp2048
+ }
+ }
+ }
+ }