#################################
## ReUsable Policy Definitions ##
#################################
#
# LDIF file: each "dn:" paragraph is one directory entry; blank lines separate
# entries and "#" lines are comments. Every entry is placed under the suffix
# "o=ibm, c=us" defined first, and later entries reference earlier ones by DN
# (e.g. the ISAKMP action references the ISAKMP proposals), so the load order
# matters when this file is applied with ldapadd/ldapmodify.
#
# NOTE(review): the IPsec material below uses DES, 3DES, MD5, SHA-1 and
# Diffie-Hellman group 1 throughout (including the entries labelled "very
# strong"). These are legacy algorithms; treat the "strong"/"very strong"
# labels as relative to each other, not as a current-day security rating, and
# prefer stronger ciphers, hashes and DH groups where the consuming policy
# schema exposes them (those values are not shown in this file).

###################################################################
### ORGANIZATION - this is not a policy object, but there must  ###
### be some node created under which the policy objects can be  ###
### placed. Most likely this will not be the organization ibm.  ###
### If there is already a node in the DIT that is suitable for  ###
### this information then remove this organization object and  ###
### change the suffix (o=ibm, c=us) to the existing node you    ###
### wish to use. If you want to create a new organization       ###
### object then change the "o=ibm, c=us" to something else and  ###
### then change the suffixes in the other policy objects.       ###
###################################################################

dn: o=ibm, c=us
objectclass: organization
o: ibm

############################
##### VALIDITY PERIODS #####
############################
# policyvaliditydayofweekmask is a 7-character day mask; the entry names and
# comments indicate the order is Mon..Sun left to right (1111100 = Mon-Fri).
# policyvaliditytimeofdayrange is HHMMSS:HHMMSS.

#1 All the time
# No mask or range: the period is unrestricted.
dn: cn=allTheTime, o=ibm, c=us
objectclass: policyvalidityperiod
cn: allTheTime

#2 All hours during the week
dn: cn=allTheTimeMonThruFri, o=ibm, c=us
objectclass: policyvalidityperiod
cn: allTheTimeMonThruFri
policyvaliditydayofweekmask: 1111100

#3 Working hours 9am to 5pm
dn: cn=9to5MonThruFri, o=ibm, c=us
objectclass: policyvalidityperiod
cn: 9to5MonThruFri
policyvaliditydayofweekmask: 1111100
policyvaliditytimeofdayrange: 090000:170000

#4 After hours 5pm to 9am
# The range wraps midnight (17:00 -> 09:00). How the consumer combines a
# wrapping range with the Mon-Fri mask at the Friday/Saturday boundary is not
# defined in this file - confirm against the policy agent before relying on it.
dn: cn=5to9MonThruFri, o=ibm, c=us
objectclass: policyvalidityperiod
cn: 5to9MonThruFri
policyvaliditydayofweekmask: 1111100
policyvaliditytimeofdayrange: 170000:090000

############################
##### DIFFSERV ACTIONS #####
############################
# diffservouttosbyte is presumably written as mask:value over the TOS byte;
# the mask 11111100 selects the six DSCP bits, and the values correspond to the
# standard EF (101110) and AF11/AF21/AF31/AF41 (001010/010010/011010/100010)
# codepoints - confirm against the schema. diffservbandwidthshare is a
# weight pair (2:N) whose exact meaning is consumer-defined.

dn: cn=EF, o=ibm, c=us
objectclass: diffservaction
cn: EF
diffservpermission: accept
diffservbandwidthshare: 2:19
diffservqueuepriority: 1
diffservouttosbyte: 11111100:10111000

# NOTE(review): no space after the colon on the objectclass line below. LDIF
# accepts it (whitespace after ":" is optional), but it is inconsistent with
# every other entry in the file.
dn: cn=AF1, o=ibm, c=us
objectclass:diffservaction
cn: AF1
diffservpermission: accept
diffservbandwidthshare: 2:15
diffservqueuepriority: 2
diffservouttosbyte: 11111100:00101000

dn: cn=AF2, o=ibm, c=us
objectclass: diffservaction
cn: AF2
diffservpermission: accept
diffservbandwidthshare: 2:10
diffservqueuepriority: 2
diffservouttosbyte: 11111100:01001000

dn: cn=AF3, o=ibm, c=us
objectclass: diffservaction
cn: AF3
diffservpermission: accept
diffservbandwidthshare: 2:10
diffservqueuepriority: 2
diffservouttosbyte: 11111100:01101000

dn: cn=AF4, o=ibm, c=us
objectclass: diffservaction
cn: AF4
diffservpermission: accept
diffservbandwidthshare: 2:5
diffservqueuepriority: 2
diffservouttosbyte: 11111100:10001000

############################
##### ISAKMP PROPOSALS #####
############################
# Phase 1 (IKE SA) proposals. Per the per-entry comments, the numeric codes
# used here are: isakmpauthenticationmethod 1 = pre-shared key, 3 = RSA
# certificate; isakmphashalgorithm 1 = MD5, 2 = SHA; isakmpcipheralgorithm
# 1 = DES, 5 = 3DES; defaultdiffhellmangroupid 1 = DH group 1.
# NOTE(review): all four proposals use DH group 1; "very strong" differs
# from "strong" only by SHA instead of MD5 and 3DES instead of DES.

#1 strong p1 proposal - pre-shared key, MD5 Auth, DES encr, DH Grp 1
dn: cn=strongP1PropSharedKey, o=ibm, c=us
objectclass: isakmpproposal
cn: strongP1PropSharedKey
isakmpauthenticationmethod: 1
isakmphashalgorithm: 1
isakmpcipheralgorithm: 1
defaultdiffhellmangroupid: 1

#2 strong p1 proposal - RSA Cert, MD5 Auth, DES encr, DH Grp 1
dn: cn=strongP1PropRSACert, o=ibm, c=us
objectclass: isakmpproposal
cn: strongP1PropRSACert
isakmpauthenticationmethod: 3
isakmphashalgorithm: 1
isakmpcipheralgorithm: 1
defaultdiffhellmangroupid: 1

#3 very strong p1 proposal - Pre-shared key, SHA Auth, 3DES encr, DH Grp 1
dn: cn=veryStrongP1PropSharedKey, o=ibm, c=us
objectclass: isakmpproposal
cn: veryStrongP1PropSharedKey
isakmpauthenticationmethod: 1
isakmphashalgorithm: 2
isakmpcipheralgorithm: 5
defaultdiffhellmangroupid: 1

#4 very strong p1 proposal - RSA Cert, SHA Auth, 3DES encr, DH Grp 1
dn: cn=veryStrongP1PropRSACert, o=ibm, c=us
objectclass: isakmpproposal
cn: veryStrongP1PropRSACert
isakmpauthenticationmethod: 3
isakmphashalgorithm: 2
isakmpcipheralgorithm: 5
defaultdiffhellmangroupid: 1

##########################
##### ISAKMP ACTIONS #####
##########################

#1 Phase 1 action, main mode, strong pre-shared key and cert proposals and very strong
# pre-shared key and cert proposals
# The multi-valued isakmpproposalreference attribute carries an "N: <dn>"
# prefix; this presumably gives the negotiation preference order (certificate
# proposals before pre-shared key, "very strong" before "strong") - confirm
# against the consumer. The IKE SA is re-keyed after 30000 s or 5000 kB,
# whichever the agent hits first; isakmpautostartflag 0 means the SA is not
# brought up automatically (on-demand only).
dn: cn=generalPhase1Action, o=ibm, c=us
objectclass: ipsecisakmpaction
cn: generalPhase1Action
isakmpexchangemode: 2
isakmpproposalreference: 1: cn=veryStrongP1PropRSACert, o=ibm, c=us
isakmpproposalreference: 2: cn=strongP1PropRSACert, o=ibm, c=us
isakmpproposalreference: 3: cn=veryStrongP1PropSharedKey, o=ibm, c=us
isakmpproposalreference: 4: cn=strongP1PropSharedKey, o=ibm, c=us
isakmpconnectionlifetimesec: 30000
isakmpconnectionlifetimekbytes: 5000
isakmpautostartflag: 0

############################
##### IPSEC TRANSFORMS #####
############################
# Per the per-entry comments: ipsecprotocolid 2 = AH, 3 = ESP;
# encapsulationmode 1 = tunnel, 2 = transport; ahintegrityalgorithm 2 = MD5,
# 3 = SHA; espintegrityalgorithm 0 = none, 1 = MD5, 2 = SHA;
# espcipheralgorithm 2 = DES, 3 = 3DES.
# NOTE(review): transforms #9, #10, #15 and #16 set espintegrityalgorithm 0
# (ESP with no integrity check). In this file they are only referenced from
# the AH-ESP proposals, where the paired AH transform supplies integrity; do
# not reuse them in an ESP-only proposal.

#1 AH Transform, Transport Mode, MD5 authentication
dn: cn=ahTransportMD5, o=ibm, c=us
objectclass: ipsectransform
cn: ahTransportMD5
ipsecprotocolid: 2
ahintegrityalgorithm: 2
encapsulationmode: 2

#2 AH Transform, Transport Mode, SHA authentication
dn: cn=ahTransportSHA, o=ibm, c=us
objectclass: ipsectransform
cn: ahTransportSHA
ipsecprotocolid: 2
ahintegrityalgorithm: 3
encapsulationmode: 2

#3 AH Transform, Tunnel Mode, MD5 authentication
dn: cn=ahTunnelMD5, o=ibm, c=us
objectclass: ipsectransform
cn: ahTunnelMD5
ipsecprotocolid: 2
ahintegrityalgorithm: 2
encapsulationmode: 1

#4 AH Transform, Tunnel Mode, SHA authentication
dn: cn=ahTunnelSHA, o=ibm, c=us
objectclass: ipsectransform
cn: ahTunnelSHA
ipsecprotocolid: 2
ahintegrityalgorithm: 3
encapsulationmode: 1

#5 ESP Transform, Tunnel Mode with MD5 and DES
dn: cn=espTunnelMD5andDES, o=ibm, c=us
objectclass: ipsectransform
cn: espTunnelMD5andDES
ipsecprotocolid: 3
encapsulationmode: 1
espintegrityalgorithm: 1
espcipheralgorithm: 2

#6 ESP Transform, Tunnel Mode with SHA and DES
dn: cn=espTunnelSHAandDES, o=ibm, c=us
objectclass: ipsectransform
cn: espTunnelSHAandDES
ipsecprotocolid: 3
encapsulationmode: 1
espintegrityalgorithm: 2
espcipheralgorithm: 2

#7 ESP Transform, Tunnel Mode with MD5 and 3DES
dn: cn=espTunnelMD5and3DES, o=ibm, c=us
objectclass: ipsectransform
cn: espTunnelMD5and3DES
ipsecprotocolid: 3
encapsulationmode: 1
espintegrityalgorithm: 1
espcipheralgorithm: 3

#8 ESP Transform, Tunnel Mode with SHA and 3DES
dn: cn=espTunnelSHAand3DES, o=ibm, c=us
objectclass: ipsectransform
cn: espTunnelSHAand3DES
ipsecprotocolid: 3
encapsulationmode: 1
espintegrityalgorithm: 2
espcipheralgorithm: 3

#9 ESP Transform, Tunnel Mode with no authentication and DES
dn: cn=espTunnelDES, o=ibm, c=us
objectclass: ipsectransform
cn: espTunnelDES
ipsecprotocolid: 3
encapsulationmode: 1
espintegrityalgorithm: 0
espcipheralgorithm: 2

#10 ESP Transform, Tunnel Mode with no authentication and 3DES
dn: cn=espTunnel3DES, o=ibm, c=us
objectclass: ipsectransform
cn: espTunnel3DES
ipsecprotocolid: 3
encapsulationmode: 1
espintegrityalgorithm: 0
espcipheralgorithm: 3

#11 ESP Transform, Transport Mode with MD5 and DES
dn: cn=espTransportMD5andDES, o=ibm, c=us
objectclass: ipsectransform
cn: espTransportMD5andDES
ipsecprotocolid: 3
encapsulationmode: 2
espintegrityalgorithm: 1
espcipheralgorithm: 2

#12 ESP Transform, Transport Mode with SHA and DES
dn: cn=espTransportSHAandDES, o=ibm, c=us
objectclass: ipsectransform
cn: espTransportSHAandDES
ipsecprotocolid: 3
encapsulationmode: 2
espintegrityalgorithm: 2
espcipheralgorithm: 2

#13 ESP Transform, Transport Mode with MD5 and 3DES
dn: cn=espTransportMD5and3DES, o=ibm, c=us
objectclass: ipsectransform
cn: espTransportMD5and3DES
ipsecprotocolid: 3
encapsulationmode: 2
espintegrityalgorithm: 1
espcipheralgorithm: 3

#14 ESP Transform, Transport Mode with SHA and 3DES
dn: cn=espTransportSHAand3DES, o=ibm, c=us
objectclass: ipsectransform
cn: espTransportSHAand3DES
ipsecprotocolid: 3
encapsulationmode: 2
espintegrityalgorithm: 2
espcipheralgorithm: 3

#15 ESP Transform, Transport Mode with DES, no Auth
dn: cn=espTransportDES, o=ibm, c=us
objectclass: ipsectransform
cn: espTransportDES
ipsecprotocolid: 3
encapsulationmode: 2
espintegrityalgorithm: 0
espcipheralgorithm: 2

#16 ESP Transform, Transport Mode with 3DES, no Auth
dn: cn=espTransport3DES, o=ibm, c=us
objectclass: ipsectransform
cn: espTransport3DES
ipsecprotocolid: 3
encapsulationmode: 2
espintegrityalgorithm: 0
espcipheralgorithm: 3

###########################
##### IPSEC PROPOSALS #####
###########################
# Phase 2 (IPsec SA) proposals. Each references transforms defined above by
# DN with an "N:" preference prefix; perfectforwardsecrecy 1 requests PFS
# (a fresh DH exchange per Phase 2 SA), 0 does not. Only the "PFS" entries
# (#5, #6, #11, #12) set it; the "strong" DES-based proposals run without PFS.

#1 Strong Phase 2 Proposal, ESP Only in Tunnel Mode, combinations of DES,MD5,SHA
dn: cn=strongP2EspProp, o=ibm, c=us
objectclass: ipsecproposal
cn: strongP2EspProp
perfectforwardsecrecy: 0
espprotocoltransformreference: 1: cn=espTunnelMD5andDES, o=ibm, c=us
espprotocoltransformreference: 2: cn=espTunnelSHAandDES, o=ibm, c=us

#2 Strong Phase 2 Proposal - AH-ESP in Tunnel Mode, Combinations of DES,3DES,MD5,3DES-SHA
# NOTE(review): the comment above mentions 3DES, but only espTunnelDES (DES,
# no ESP auth) is referenced; either the comment or the reference list is
# stale. Integrity comes from the AH transforms.
dn: cn=strongP2EspAhProp, o=ibm, c=us
objectclass: ipsecproposal
cn: strongP2EspAhProp
perfectforwardsecrecy: 0
espprotocoltransformreference: 1: cn=espTunnelDES, o=ibm, c=us
ahprotocoltransformreference: 1: cn=ahTunnelMD5, o=ibm, c=us
ahprotocoltransformreference: 2: cn=ahTunnelSHA, o=ibm, c=us

#3 Very Strong Phase 2 Proposal, ESP only in Tunnel Mode, combinations of 3DES,MD5,SHA
dn: cn=veryStrongP2EspProp, o=ibm, c=us
objectclass: ipsecproposal
cn: veryStrongP2EspProp
perfectforwardsecrecy: 0
espprotocoltransformreference: 1: cn=espTunnelSHAand3DES, o=ibm, c=us
espprotocoltransformreference: 2: cn=espTunnelMD5and3DES, o=ibm, c=us

#4 Very Strong Phase 2 Proposal, AH-ESP in Tunnel Mode with 3DES and SHA or MD5
dn: cn=veryStrongP2EspAhProp, o=ibm, c=us
objectclass: ipsecproposal
cn: veryStrongP2EspAhProp
perfectforwardsecrecy: 0
espprotocoltransformreference: 1: cn=espTunnel3DES, o=ibm, c=us
ahprotocoltransformreference: 1: cn=ahTunnelSHA, o=ibm, c=us
ahprotocoltransformreference: 2: cn=ahTunnelMD5, o=ibm, c=us

#5 Very Strong Phase 2 Proposal, ESP only in Tunnel Mode, combinations of 3DES,MD5,SHA, with PFS
dn: cn=veryStrongP2EspPropPFS, o=ibm, c=us
objectclass: ipsecproposal
cn: veryStrongP2EspPropPFS
perfectforwardsecrecy: 1
espprotocoltransformreference: 1: cn=espTunnelSHAand3DES, o=ibm, c=us
espprotocoltransformreference: 2: cn=espTunnelMD5and3DES, o=ibm, c=us

#6 Very Strong Phase 2 Proposal, AH-ESP in Tunnel Mode with 3DES and SHA or MD5, with PFS
dn: cn=veryStrongP2EspAhPropPFS, o=ibm, c=us
objectclass: ipsecproposal
cn: veryStrongP2EspAhPropPFS
perfectforwardsecrecy: 1
espprotocoltransformreference: 1: cn=espTunnel3DES, o=ibm, c=us
ahprotocoltransformreference: 1: cn=ahTunnelSHA, o=ibm, c=us
ahprotocoltransformreference: 2: cn=ahTunnelMD5, o=ibm, c=us

#7 Strong Phase 2 Proposal, ESP Only in Transport Mode, combinations of DES,MD5,SHA
dn: cn=strongP2EspPropXport, o=ibm, c=us
objectclass: ipsecproposal
cn: strongP2EspPropXport
perfectforwardsecrecy: 0
espprotocoltransformreference: 1: cn=espTransportMD5andDES, o=ibm, c=us
espprotocoltransformreference: 2: cn=espTransportSHAandDES, o=ibm, c=us

#8 Strong Phase 2 Proposal - AH-ESP in Transport Mode, Combinations of DES,3DES,MD5,3DES-SHA
# NOTE(review): same comment/reference mismatch as #2 - only espTransportDES
# (DES) is referenced, no 3DES transform.
dn: cn=strongP2EspAhPropXport, o=ibm, c=us
objectclass: ipsecproposal
cn: strongP2EspAhPropXport
perfectforwardsecrecy: 0
espprotocoltransformreference: 1: cn=espTransportDES, o=ibm, c=us
ahprotocoltransformreference: 1: cn=ahTransportMD5, o=ibm, c=us
ahprotocoltransformreference: 2: cn=ahTransportSHA, o=ibm, c=us

#9 Very Strong Phase 2 Proposal, ESP only in Transport Mode, combinations of 3DES,MD5,SHA
dn: cn=veryStrongP2EspPropXport, o=ibm, c=us
objectclass: ipsecproposal
cn: veryStrongP2EspPropXport
perfectforwardsecrecy: 0
espprotocoltransformreference: 1: cn=espTransportSHAand3DES, o=ibm, c=us
espprotocoltransformreference: 2: cn=espTransportMD5and3DES, o=ibm, c=us

#10 Very Strong Phase 2 Proposal, AH-ESP in Transport Mode with 3DES and SHA or MD5
dn: cn=veryStrongP2EspAhPropXport, o=ibm, c=us
objectclass: ipsecproposal
cn: veryStrongP2EspAhPropXport
perfectforwardsecrecy: 0
espprotocoltransformreference: 1: cn=espTransport3DES, o=ibm, c=us
ahprotocoltransformreference: 1: cn=ahTransportSHA, o=ibm, c=us
ahprotocoltransformreference: 2: cn=ahTransportMD5, o=ibm, c=us

#11 Very Strong Phase 2 Proposal, ESP only in Transport Mode, combinations of 3DES,MD5,SHA, with PFS
dn: cn=veryStrongP2EspPropPFSXport, o=ibm, c=us
objectclass: ipsecproposal
cn: veryStrongP2EspPropPFSXport
perfectforwardsecrecy: 1
espprotocoltransformreference: 1: cn=espTransportSHAand3DES, o=ibm, c=us
espprotocoltransformreference: 2: cn=espTransportMD5and3DES, o=ibm, c=us

#12 Very Strong Phase 2 Proposal, AH-ESP in Transport Mode with 3DES and SHA or MD5, with PFS
dn: cn=veryStrongP2EspAhPropPFSXport, o=ibm, c=us
objectclass: ipsecproposal
cn: veryStrongP2EspAhPropPFSXport
perfectforwardsecrecy: 1
espprotocoltransformreference: 1: cn=espTransport3DES, o=ibm, c=us
ahprotocoltransformreference: 1: cn=ahTransportSHA, o=ibm, c=us
ahprotocoltransformreference: 2: cn=ahTransportMD5, o=ibm, c=us

#################################
##### GENERIC IPSEC ACTIONS #####
#################################
# Plain filter-rule actions with no IPsec protection: "block" drops matching
# traffic, "permit" passes it unprotected. A rule bound to ipsecPassClear sends
# traffic in the clear, so review where it is attached in the policy rules.

#1 IPSec action to drop packets (filter rule)
dn: cn=ipsecDrop, o=ibm, c=us
objectclass: IPSecSecurityAction
cn: ipsecDrop
securityaction: block

#2 IPSec action to pass packets in clear (filter rule)
dn: cn=ipsecPassClear, o=ibm, c=us
objectclass: IPSecSecurityAction
cn: ipsecPassClear
securityaction: permit