ipsec.conf: config setup

cachecrls = yes | no

if enabled, certificate revocation lists (CRLs) fetched via HTTP or LDAP will be cached in /etc/ipsec.d/crls/
under a unique file name derived from the certification authority's public key.

charondebug = <debug list>

how much charon debugging output should be logged. A comma-separated list containing
type/level pairs may be specified, e.g. dmn 3, ike 1, net -1. Acceptable values for
types are dmn, mgr, ike, chd, job, cfg, knl, net, asn, enc, lib, esp, tls, tnc, imc, imv, pts, and the level
is one of [-1, 0, 1, 2, 3, 4] (for silent, audit, control, controlmore, raw, private). By default, the level
is set to 1 for all types.
For more flexibility see LoggerConfiguration.

charonstart = yes | no

whether to start the IKE charon daemon or not. The default is yes.

strictcrlpolicy = yes | ifuri | no

defines whether a fresh CRL must be available in order for peer authentication based on RSA
signatures to succeed. IKEv2 additionally recognizes ifuri, which reverts to yes if
at least one CRL URI is defined and to no if no URI is known.

uniqueids = yes | no | never | replace | keep

whether a particular participant ID should be kept unique, with any new IKE_SA using an ID
deemed to replace all old ones using that ID. Participant IDs normally are unique, so a new
IKE_SA using the same ID is almost invariably intended to replace an old one.
The difference between no and never is that the daemon will replace old IKE_SAs when receiving an
INITIAL_CONTACT notify if the option is no but will ignore these notifies if never is configured.
The daemon also accepts the value replace which is identical to yes and the value keep to reject
new IKE_SA setups and keep the duplicate established earlier.

Old options (before 5.0.0)

These options are supported by the IKEv1 pluto daemon in previous releases.

crlcheckinterval = 0s | <time>

interval in seconds. CRL fetching is enabled if the value is greater than zero.
Asynchronous, periodic checking for fresh CRLs is currently done by the IKEv1 Pluto daemon only.

keep_alive = 20s | <time>

interval in seconds between NAT keep alive packets.

nat_traversal = yes | no

activates NAT traversal by accepting source ISAKMP ports different from udp/500 and by being able
to float to udp/4500 if a NAT situation is detected. Used by IKEv1 only; NAT traversal is
always active in IKEv2.

nocrsend = yes | no

if enabled, no certificate request payloads will be sent.

pkcs11initargs = <args>

non-standard argument string for PKCS#11 C_Initialize() function; required by NSS softoken.

pkcs11module = <lib>

defines the path during run-time to a dynamically loadable PKCS#11 library. Overrides any
path defined during compile-time using the --pkcs11-module configure option.

pkcs11keepstate = yes | no

PKCS#11 login sessions will be kept during the whole lifetime of the keying daemon.
Useful with pin-pad smart card readers where PINs cannot be cached.

pkcs11proxy = yes | no

Pluto will act as a PKCS#11 proxy accessible via the whack interface.

plutodebug = none | <debug list> | all

how much pluto debugging output should be logged. none means no debugging output,
while all means full output. Otherwise only the specified types of output (separated by white space) are enabled.
Available debugging types are control controlmore crypt dns emitting klips lifecycle natt oppo parsing private raw.
The recommended setting is plutodebug=control.

plutostart = yes | no

whether to start the IKEv1 pluto daemon or not. The default is yes if starter was compiled with IKEv1 support.

plutostderrlog = <file>

Pluto will not use syslog, but rather log to stderr, and redirect stderr to <file>.

postpluto = <command>

shell command to run after starting pluto (e.g., to remove a decrypted copy of the ipsec.secrets file).
It's run in a very simple way; complexities like I/O redirection are best hidden within a script.
Any output is redirected for logging, so running interactive commands is difficult unless they use
/dev/tty or equivalent for their interaction.

prepluto = <command>

shell command to run before starting pluto (e.g., to decrypt an encrypted copy of the ipsec.secrets file).
It's run in a very simple way; complexities like I/O redirection are best hidden within a script.
Any output is redirected for logging, so running interactive commands is difficult unless they use
/dev/tty or equivalent for their interaction.

virtual_private = <networks>

defines private networks using a wildcard notation.
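The following is an added example, not part of the strongSwan documentation: a small Python checker that parses the config setup section of an ipsec.conf and reports values that fall outside the charon options documented above, charondebug entries at the raw/private levels, strictcrlpolicy=no, and any of the pluto-only options from the "Old options" list. The option tables are taken from this page; the sample configuration is constructed.

```python
import re

# Documented value sets for the charon-era "config setup" options (from this page).
VALID = {
    "cachecrls": {"yes", "no"},
    "charonstart": {"yes", "no"},
    "strictcrlpolicy": {"yes", "ifuri", "no"},
    "uniqueids": {"yes", "no", "never", "replace", "keep"},
}
DEBUG_TYPES = {"dmn", "mgr", "ike", "chd", "job", "cfg", "knl", "net", "asn",
               "enc", "lib", "esp", "tls", "tnc", "imc", "imv", "pts"}
# Options that only the IKEv1 pluto daemon (before 5.0.0) understood.
LEGACY = {"crlcheckinterval", "keep_alive", "nat_traversal", "nocrsend",
          "pkcs11initargs", "pkcs11module", "pkcs11keepstate", "pkcs11proxy",
          "plutodebug", "plutostart", "plutostderrlog", "postpluto", "prepluto",
          "virtual_private"}

def parse_config_setup(text):
    """Return {option: value} for the 'config setup' section of an ipsec.conf."""
    opts, in_setup = {}, False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()     # drop comments
        if not line.strip():
            continue
        if not line[0].isspace():                 # unindented: section header
            in_setup = line.split() == ["config", "setup"]
            continue
        if in_setup and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            opts[key] = value
    return opts

def check_config_setup(opts):
    """Return a list of (severity, message) findings for a parsed config setup."""
    findings = []
    for key, value in opts.items():
        if key in VALID and value not in VALID[key]:
            findings.append(("error", f"{key}={value}: not one of {sorted(VALID[key])}"))
        elif key in LEGACY:
            findings.append(("warn", f"{key}: pluto-only option, not used by charon since 5.0.0"))
    if opts.get("strictcrlpolicy") == "no":
        findings.append(("warn", "strictcrlpolicy=no: authentication succeeds without a fresh CRL"))
    for pair in filter(None, (p.strip() for p in opts.get("charondebug", "").split(","))):
        m = re.fullmatch(r"(\w+)\s+(-1|[0-4])", pair)
        if not m or m.group(1) not in DEBUG_TYPES:
            findings.append(("error", f"charondebug: bad entry '{pair}'"))
        elif int(m.group(2)) >= 3:
            findings.append(("warn", f"charondebug: {m.group(1)} at level {m.group(2)} logs raw/private data"))
    return findings

# Constructed sample ipsec.conf, not taken from a real deployment.
SAMPLE = """\
config setup
    charondebug = ike 1, knl 1, cfg 4
    strictcrlpolicy = no
    uniqueids = maybe
    plutostart = yes

conn %default
    keyexchange = ikev2
"""

if __name__ == "__main__":
    for severity, msg in check_config_setup(parse_config_setup(SAMPLE)):
        print(f"{severity}: {msg}")
```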