The /etc/isakmpd.conf file

You can configure options for the isakmpd daemon in the /etc/isakmpd.conf file.

The following options are available in the /etc/isakmpd.conf file.

Log configuration

Syntax: none | error | isakmp_events | information

This option sets how much information the IKE daemons log. The levels have the following meaning:
none
No logging. This is the default.
error
Log protocol errors and application programming interface (API) errors.
isakmp_events
Log IKE protocol events and errors. Use this level when you debug a problem.
information
Log protocol information and implementation information.
Unrecognized IP address negotiation
Syntax: MAIN_MODE_REQUIRES_IP= YES | NO

When you set this option to YES, the host accepts an incoming main-mode (phase 1) tunnel only if the local IKE database contains an IP address for both phase 1 tunnel endpoints. The IP address can be the primary ID of the endpoint, or an optional IP address that is associated with an ID of some other type.

When you set this option to NO, the host can accept an incoming main-mode connection even when the IKE database does not specify IP addresses for the phase 1 endpoints. Because no IP address in the database then identifies the peer, such a connection must use certificate-based authentication. This setting allows a host with a dynamically assigned IP address to initiate a main-mode tunnel to this machine.

If you do not specify this option, the default is NO.

SOCKS4 server configuration
Syntax: mnemonic = value

where mnemonic and value can be the following:
  • SOCKS4_SERVER= the SOCKS server name
  • SOCKS4_PORTNUM= the SOCKS-server port number
  • SOCKS4_USERID= the user ID that is sent to the SOCKS server

The SOCKS4_PORTNUM option is optional. If you do not specify it, the default SOCKS-server port, 1080, is used. This is the port that the connection to the SOCKS server uses when the SOCKS server relays requests to the HTTP server.
LDAP server configuration
Syntax: mnemonic = value

where mnemonic and value can be the following:
  • LDAP_SERVER= the LDAP server name
  • LDAP_VERSION= the LDAP protocol version that the server supports (2 or 3)
  • LDAP_SERVERPORT= the LDAP-server port number
  • LDAP_SEARCHTIME= the client search timeout value
CRL fetch order
Syntax: CRL_FETCH_ORDER= protocol, protocol

where each protocol is HTTP or LDAP.

This option defines whether the HTTP server or the LDAP server is queried first for a certificate revocation list (CRL) when both servers are configured. The CRL_FETCH_ORDER option is optional. The default is to query the HTTP server first and then the LDAP server; the order matters only when both an HTTP server and an LDAP server are configured.
IKEv1 and IKEv2 port specification
Syntax: v1=port-natport,v2=port-natport

This string specifies the UDP ports that the isakmpd daemon (IKEv1) and the ikev2d daemon (IKEv2) use: port is the IKE port and natport is the port used for NAT traversal (conventionally UDP 500 and UDP 4500). The iked daemon, the IKE message broker daemon, reads this entry and starts the isakmpd daemon and the ikev2d daemon on their respective ports.
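Every option up to this point is a plain OPTION=value line, so a mistyped value is easy to miss until the daemons reject it. The following Python script is an added example, not IBM code: it parses the option syntax shown in this section (OPTION=value lines with optional spaces, plus the v1=...,v2=... port line, which has no option name), applies the documented defaults, and reports values outside the documented ranges. The sample file it checks is constructed for the example and the host names in it are placeholders.

```python
"""Lint the options of an AIX /etc/isakmpd.conf against the syntax documented above.

Added example, not IBM code. It assumes the file is a list of OPTION=value lines
(spaces around '=' allowed, '#' starts a comment), which is how the option syntax
on this page is written, and it parses the IKE port line
'v1=port-natport,v2=port-natport' separately because that line has no option name.
"""
import re

# Defaults and allowed values are those stated in the option descriptions above.
DEFAULTS = {
    "MAIN_MODE_REQUIRES_IP": "NO",
    "SOCKS4_PORTNUM": "1080",
    "CRL_FETCH_ORDER": "HTTP,LDAP",
}
PORT_OPTIONS = ("SOCKS4_PORTNUM", "LDAP_SERVERPORT")
PORT_LINE = re.compile(r"^v1=(\d+)-(\d+),v2=(\d+)-(\d+)$")
OPTION_LINE = re.compile(r"^([A-Za-z0-9_]+)\s*=\s*(.*?)\s*$")

# Constructed sample file for this example; the host names are placeholders.
SAMPLE_CONF = """
MAIN_MODE_REQUIRES_IP = NO
SOCKS4_SERVER=socks.example.test
SOCKS4_PORTNUM=70000
SOCKS4_USERID=ikecrl
LDAP_SERVER=ldap.example.test
LDAP_VERSION=4
LDAP_SERVERPORT=389
LDAP_SEARCHTIME=30
CRL_FETCH_ORDER=LDAP, HTTP
v1=500-4500,v2=500-4500
"""


def parse_conf(text):
    """Return ({OPTION: value}, (v1port, v1natport, v2port, v2natport) or None)."""
    options, ports = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = PORT_LINE.match(line.replace(" ", ""))
        if m:
            ports = tuple(int(g) for g in m.groups())
            continue
        m = OPTION_LINE.match(line)
        if m:
            options[m.group(1).upper()] = m.group(2)
    return options, ports


def check_conf(text):
    """Return (effective settings with defaults applied, list of findings)."""
    options, ports = parse_conf(text)
    effective = dict(DEFAULTS)
    effective.update(options)
    findings = []

    mode = effective["MAIN_MODE_REQUIRES_IP"].upper()
    effective["MAIN_MODE_REQUIRES_IP"] = mode
    if mode not in ("YES", "NO"):
        findings.append(f"MAIN_MODE_REQUIRES_IP={mode}: must be YES or NO")
    elif mode == "NO":
        # Not an error, but worth surfacing: peers with no IP address in the
        # IKE database are accepted and must authenticate with certificates.
        findings.append("MAIN_MODE_REQUIRES_IP=NO: main-mode peers without a "
                        "database IP address are accepted; certificate-based "
                        "authentication is required for them")

    if "LDAP_VERSION" in options and options["LDAP_VERSION"] not in ("2", "3"):
        findings.append(f"LDAP_VERSION={options['LDAP_VERSION']}: must be 2 or 3")

    for key in PORT_OPTIONS:
        value = options.get(key)
        if value is not None and not (value.isdigit() and 1 <= int(value) <= 65535):
            findings.append(f"{key}={value}: expected a port number 1..65535")

    if "LDAP_SEARCHTIME" in options and not options["LDAP_SEARCHTIME"].isdigit():
        findings.append(f"LDAP_SEARCHTIME={options['LDAP_SEARCHTIME']}: expected an integer")

    order = [p.strip().upper() for p in effective["CRL_FETCH_ORDER"].split(",")]
    effective["CRL_FETCH_ORDER"] = ",".join(order)
    if any(p not in ("HTTP", "LDAP") for p in order) or len(set(order)) != len(order):
        findings.append(f"CRL_FETCH_ORDER={effective['CRL_FETCH_ORDER']}: "
                        "expected distinct entries from HTTP and LDAP")
    elif "CRL_FETCH_ORDER" in options and "LDAP" in order and "LDAP_SERVER" not in options:
        findings.append("CRL_FETCH_ORDER names LDAP but no LDAP_SERVER is configured")

    effective["IKE_PORTS"] = ports
    if ports and any(not 1 <= p <= 65535 for p in ports):
        findings.append(f"IKE port line {ports}: every port must be 1..65535")
    return effective, findings


if __name__ == "__main__":
    settings, problems = check_conf(SAMPLE_CONF)
    for key, value in sorted(settings.items()):
        print(f"{key} = {value}")
    for problem in problems:
        print("WARNING:", problem)
```

Run it against a copy of the real file (`check_conf(open("/etc/isakmpd.conf").read())`) before restarting the IKE daemons; the MAIN_MODE_REQUIRES_IP=NO finding is deliberate, because that setting is only safe when every dynamic-address peer is authenticated by certificate.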
Liveness or dead peer detection (DPD) configuration
Syntax: LIVENESS_CHK_INTERVAL=number_of_seconds

The LIVENESS_CHK_INTERVAL option sets the liveness interval, in seconds, for the IKEv2 IPsec configuration. Liveness checking, also known as dead peer detection (DPD), monitors the health of a peer node by sending it keepalive messages at regular intervals; the liveness interval is the time between two keepalive messages. This option is disabled by default.

When you set a value for the LIVENESS_CHK_INTERVAL option, the ikev2d daemon uses it to decide when to exchange keepalive messages with the peer nodes to confirm that they are still reachable. Liveness that you configure on a node takes effect only when that node is the initiator of a new IKE security association (SA). If the initiator does not receive a response to a keepalive message, it retransmits the message with an increasing delay of 8, 16, 32, 64, 128, and 256 seconds. If no response arrives after these retries, the initiator declares the peer node dead.

Syntax: LIVENESS_CHK_RETRIES=1|2|3|4|5|6

Optionally, you can specify in the LIVENESS_CHK_RETRIES option how many times the initiator retransmits an unanswered keepalive message before it declares the peer dead. The delay between retransmissions starts at 8 seconds and doubles each time, up to 256 seconds, so this value also bounds how long detection takes. The valid range is 1-6. If the option is missing from the /etc/isakmpd.conf file, the default of 6 is used.

Security association (SA) idle timeout configuration
Syntax: SA_IDLE_TIMEOUT=number_of_seconds

In an AIX IPsec configuration, when a security association (SA) is created between two peer nodes, system resources are used to maintain the state of the SA and to monitor its health. If an SA is idle for a long time, that is, if no inbound or outbound data traffic passes through the IPsec tunnel, those resources are held for an SA that is doing no work.

The SA_IDLE_TIMEOUT option identifies idle SAs and deletes them to reclaim those resources. The option applies only to the IKEv2 configuration. When you set an idle timeout, in seconds, a timer is created for each SA to monitor the data traffic that is sent or received through it. If no data traffic is sent or received through the SA during the timeout interval, the SA is deleted and an INFORMATIONAL message that carries a Delete payload is sent to the peer node to request that it delete its copy of the SA. This option is disabled by default.

Retransmission attempt configuration
Syntax: RETRANSMISSION_ATTEMPT=1|2|3|4|5|6|7

Optionally, you can specify in the RETRANSMISSION_ATTEMPT option how many times an initiating or responding node retransmits a cached request or response message that has not been answered before the node discards it. When you specify this option, the message is retransmitted after 2, 4, 8, 16, 32, 64, and 64 seconds, for as many attempts as you specify. If you do not specify this option, or if you specify an invalid value, a default of 8 attempts is used with the default retransmission intervals of 16, 32, 64, 128, 128, 256, 512, and 512 seconds.
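The two backoff schedules in this section (the liveness retries above and the retransmission intervals just described) are easier to reason about as a timeline. The following Python model is an added example, not IBM code. The delays are exactly the values stated in this section; the model assumes that each retry is sent the stated number of seconds after the previous unanswered message and that the peer is declared dead at the moment of the last retry (the text does not say how long the daemon waits after it). The peer's behaviour (answering until a chosen second, then falling silent) is constructed for the example.

```python
"""Timeline model of the IKEv2 liveness (DPD) and retransmission schedules
described above.

Added example, not IBM code. The delays are the values the option descriptions
state; the assumption is that each retry follows the previous unanswered message
by the stated delay and that the peer is declared dead at the last retry.
"""

DPD_BACKOFF = (8, 16, 32, 64, 128, 256)               # LIVENESS_CHK_RETRIES selects a prefix
RETX_CONFIGURED = (2, 4, 8, 16, 32, 64, 64)           # RETRANSMISSION_ATTEMPT selects a prefix
RETX_DEFAULT = (16, 32, 64, 128, 128, 256, 512, 512)  # used when the option is missing or invalid


def effective_dpd_retries(retries):
    """A missing or out-of-range LIVENESS_CHK_RETRIES falls back to the documented 6."""
    return retries if isinstance(retries, int) and 1 <= retries <= 6 else 6


def simulate_dpd(interval, retries, peer_silent_from, horizon=3600):
    """Return [(second, event)] seen by the initiator of the IKE SA.

    The constructed peer answers every keepalive sent before `peer_silent_from`
    and none after it. interval <= 0 models the default (DPD disabled): no events.
    Liveness runs only on the node that initiated the IKE SA, as the text notes.
    """
    events = []
    if interval <= 0:
        return events
    t = 0
    while t + interval <= horizon:
        t += interval
        events.append((t, "keepalive"))
        if t < peer_silent_from:
            events.append((t, "reply"))
            continue
        # Unanswered: back off through the retry schedule, then give up.
        for delay in DPD_BACKOFF[:effective_dpd_retries(retries)]:
            t += delay
            events.append((t, "retry"))
        events.append((t, "peer declared dead"))
        break
    return events


def seconds_to_detect(interval, retries, peer_silent_from):
    """Seconds between the peer falling silent and the initiator declaring it dead."""
    for t, event in simulate_dpd(interval, retries, peer_silent_from):
        if event == "peer declared dead":
            return t - peer_silent_from
    return None  # DPD disabled or peer never went silent inside the horizon


def retransmission_times(attempts=None):
    """Seconds after the first send at which a cached request or response is re-sent.

    attempts outside 1..7, or None for a missing option, selects the documented
    default of 8 attempts on the slower schedule. The last entry is when the
    node discards the message.
    """
    schedule = (RETX_CONFIGURED[:attempts]
                if isinstance(attempts, int) and 1 <= attempts <= 7 else RETX_DEFAULT)
    times, t = [], 0
    for delay in schedule:
        t += delay
        times.append(t)
    return times


if __name__ == "__main__":
    for second, event in simulate_dpd(30, 3, peer_silent_from=45):
        print(f"t={second:4d}s  {event}")
    print("detection latency:", seconds_to_detect(30, 3, 45), "s")
    print("retransmissions with RETRANSMISSION_ATTEMPT=3:", retransmission_times(3))
    print("retransmissions with the option unset:", retransmission_times())
```

The model makes the trade-off visible: with a 30-second interval and three retries a peer that goes quiet at second 45 is declared dead at second 116, while leaving the retries at the default of 6 stretches that to more than eight minutes after the first missed keepalive. The same applies to RETRANSMISSION_ATTEMPT, where an unset or invalid value keeps an unanswered message alive for 1648 seconds instead of at most 190.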