ipsec.conf
strongSwan's /etc/ipsec.conf configuration file consists of three different section types:
- config setup defines general configuration parameters
- conn <name> defines a connection
- ca <name> defines a certification authority
There can be only one config setup section but an unlimited number of conn and ca sections.
All parameters belonging to a section must be indented by at least one space or tab
character. The rest of the line after a '#' character is treated as a comment.
Comments within a section must also be indented.
A line which contains include followed by a file name is replaced by the contents
of that file. If the file name is not a full pathname, it is considered to be relative
to the directory containing the including file. Such inclusions can be nested. The file
name may include wildcards, for example: include ipsec.*.conf
Reusing Existing Parameters
All conn and ca sections inherit the parameters defined in a conn %default
or ca %default section, respectively.
Parameters defined in other conn or ca sections may be included in a section
with the also=othersection parameter.
Example
# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
    cachecrls=yes
    strictcrlpolicy=yes

ca strongswan   # define alternative CRL distribution point
    cacert=strongswanCert.pem
    crluri=http://crl2.strongswan.org/strongswan.crl
    auto=add

conn %default   # inherited by every conn section below
    keyingtries=1
    keyexchange=ikev2

conn roadwarrior
    leftsubnet=10.1.0.0/16
    leftcert=moonCert.pem
    leftid=@moon.strongswan.org
    right=%any
    auto=add
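As an added example that is not part of the strongSwan documentation, the following Python parser applies the rules described above: unindented section headers, indented parameters, '#' comments, a single config setup section, and %default plus also= inheritance for conn and ca sections (include lines are not handled). The sample configuration is constructed, the function names parse_ipsec_conf and effective_params are mine, and the precedence chosen between a section's own parameters, also= parameters and %default is an assumption the page does not state.

```python
SAMPLE = """\
# constructed sample in ipsec.conf format, not taken from the page
config setup
    strictcrlpolicy=yes
conn %default
    keyingtries=1
    keyexchange=ikev2
conn base
    leftcert=moonCert.pem  # the rest of the line is a comment
conn roadwarrior
    also=base
    keyingtries=3  # overrides the conn %default value
    right=%any
"""
def parse_ipsec_conf(text):
    """Parse ipsec.conf text into {kind: {name: {param: value}}} (no include support)."""
    sections = {"config": {}, "conn": {}, "ca": {}}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # text after '#' is a comment
        if not line.strip():
            continue
        if line[0] in " \t":  # indented line: a parameter of the current section
            if current is None:
                raise ValueError(f"parameter outside any section: {line.strip()}")
            key, _, value = line.strip().partition("=")
            current[key.strip()] = value.strip()
        else:  # unindented line: a section header such as 'conn roadwarrior'
            kind, _, name = line.strip().partition(" ")
            name = name.strip()
            if kind not in sections or not name:
                raise ValueError(f"bad section header: {line.strip()}")
            if kind == "config" and (name != "setup" or sections["config"]):
                raise ValueError("only one 'config setup' section is allowed")
            current = sections[kind].setdefault(name, {})
    return sections

def effective_params(sections, kind, name):
    """Resolve %default and also= for one conn/ca section. Assumed precedence
    (the page does not state it): own params > also= params > %default."""
    entries = sections[kind]
    result = dict(entries.get("%default", {}))
    def merge(sec_name, seen):
        if sec_name in seen:
            raise ValueError(f"circular also= chain at {sec_name}")
        sec = entries[sec_name]
        if "also" in sec:  # pull in the referenced section first, then override
            merge(sec["also"], seen | {sec_name})
        result.update((k, v) for k, v in sec.items() if k != "also")
    merge(name, set())
    return result
```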