The /etc/isakmpd.conf file

You can configure options for the isakmpd daemon in the /etc/isakmpd.conf file.

The following options are available in the /etc/isakmpd.conf file.

Log configuration
Determine the amount of information that you want to log. Then set the level. The IKE daemons use this option to specify the level of logging.

Syntax: none | error | isakmp_events | information

where the level has the following meaning:
none
No logging. This is the default.
error
Log protocol errors or application programming interface (API) errors.
isakmp_events
Log IKE protocol events or errors. Use this level when debugging a problem.
information
Log protocol information and implementation information.

Unrecognized IP address negotiation
You can set this option to YES or NO. When you set this option to YES, the local IKE database must contain an IP address for both phase-1 tunnel endpoints before the host accepts an incoming main-mode tunnel. The IP address can be the primary ID or an optional IP address that is associated with some other ID type.

Set this option to NO to accept an incoming main-mode connection. When you set the option to NO, the host might accept the connection even when the IKE database does not specify IP addresses for the phase 1 endpoints. However, in order for the host to accept the connection, you must use certificate-based authentication. This allows a host with a dynamically assigned IP address to initiate a main mode tunnel to the machine.

If you do not specify this parameter, the default is NO.

Syntax: MAIN_MODE_REQUIRES_IP= YES | NO

SOCKS4 server configuration
The SOCKS4_PORTNUM option is optional. If you do not specify it, the default SOCKS-server port value of 1080 is used. The port value is used when the SOCKS server communicates with the HTTP server.
Syntax: mnemonic = value
where mnemonic and value can be the following values:
  • SOCKS4_SERVER= specifies the server name
  • SOCKS4_PORTNUM= specifies the SOCKS-server port number
  • SOCKS4_USERID= user ID

LDAP server configuration
Syntax: mnemonic = value
where mnemonic and value can be the following values:
  • LDAP_SERVER= specifies the LDAP server name
  • LDAP_VERSION= the version of the LDAP server (can be 2 or 3)
  • LDAP_SERVERPORT= the LDAP-server port number
  • LDAP_SEARCHTIME= client-search timeout value

CRL fetch order
This option defines whether the HTTP or LDAP server is queried first when both servers are configured. The CRL_FETCH_ORDER option is optional. When both an HTTP server and an LDAP server are configured, the default fetch order is HTTP first, then LDAP.
Syntax: CRL_FETCH_ORDER= protocol#, protocol#

where protocol# can be HTTP or LDAP.

IKEv1 and IKEv2 port specification
This string specifies the ports used by the isakmpd daemon (IKEv1) and the ikev2d daemon (IKEv2). The iked daemon (the IKE message broker daemon) looks up this entry and starts the isakmpd daemon and the ikev2d daemon on their respective ports.
Syntax: v1=port-natport,v2=port-natport
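As an added example (not IBM's code or part of this page), a small Python parser and checker for the mnemonic = value settings described above. The file content is constructed, and it assumes the port entry is written on one line exactly as the syntax v1=port-natport,v2=port-natport shows.

```python
import re

# Constructed sample /etc/isakmpd.conf content (not a real system's file).
SAMPLE_CONF = """\
# constructed sample
MAIN_MODE_REQUIRES_IP= NO
SOCKS4_SERVER= socks.example.test
SOCKS4_PORTNUM= 1080
LDAP_SERVER= ldap.example.test
LDAP_VERSION= 3
LDAP_SERVERPORT= 389
LDAP_SEARCHTIME= 30
CRL_FETCH_ORDER= LDAP, HTTP
v1=500-4500,v2=500-4500
"""

def parse_isakmpd_conf(text):
    """Return {mnemonic: value}. Blank lines and '#' comments are ignored.
    The port entry (assumed single-line 'v1=...,v2=...') is split into v1 and v2."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        items = line.split(",") if line.lower().startswith("v1=") else [line]
        for item in items:
            key, _, value = item.partition("=")
            conf[key.strip()] = value.strip()
    return conf

def check_isakmpd_conf(conf):
    """Return findings for settings that are invalid or that widen what is accepted."""
    findings = []
    # NO is the default; it lets a peer without a database IP address in, so
    # certificate-based authentication must be in place for that tunnel.
    if conf.get("MAIN_MODE_REQUIRES_IP", "NO").upper() == "NO":
        findings.append("MAIN_MODE_REQUIRES_IP=NO: peers with no IP address in the IKE "
                        "database may be accepted; certificate-based authentication is required")
    if conf.get("LDAP_VERSION") not in (None, "2", "3"):
        findings.append("LDAP_VERSION must be 2 or 3")
    order = [p.strip().upper() for p in conf.get("CRL_FETCH_ORDER", "HTTP, LDAP").split(",")]
    if any(p not in ("HTTP", "LDAP") for p in order):
        findings.append("CRL_FETCH_ORDER entries must be HTTP or LDAP")
    for key in ("v1", "v2"):  # each is port-natport
        m = re.fullmatch(r"(\d+)-(\d+)", conf.get(key, ""))
        if not m or not all(0 < int(p) < 65536 for p in m.groups()):
            findings.append(f"{key}: expected port-natport with valid port numbers")
    return findings
```

Running check_isakmpd_conf(parse_isakmpd_conf(SAMPLE_CONF)) reports only the MAIN_MODE_REQUIRES_IP=NO finding for the sample above.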