ipsec.conf: config setup Reference » History » Version 10
Version 9 (Tobias Brunner, 10.12.2008 18:30) → Version 10/19 (Tobias Brunner, 05.05.2009 16:17)
h1. config setup
h2. both daemons
* _cachecrls = yes | *no*_
certificate revocation lists (CRLs) fetched via http or ldap will be cached in _/etc/ipsec.d/crls/_
under a unique file name derived from the certification authority's public key.
* _charonstart = *yes* | no_
starts the IKEv2 charon daemon.
* _plutostart = *yes* | no_
starts the IKEv1 pluto daemon.
* _strictcrlpolicy = yes | ifuri | *no*_
defines if a fresh CRL must be available in order for the peer authentication based on RSA
signatures to succeed. IKEv2 additionally recognizes _ifuri_ which reverts to _yes_ if
at least one CRL URI is defined and to _no_ if no URI is known.
* _uniqueids = *yes* | no | replace | keep_
whether a particular participant ID should be kept unique, with any new (automatically keyed)
connection using an ID from a different IP address deemed to replace all old ones using that ID.
Participant IDs normally _are_ unique, so a new (automatically-keyed) connection using the same ID
is almost invariably intended to replace an old one. The IKEv2 daemon also accepts the value _replace_
which is identical to _yes_ and the value _keep_ to reject new IKE_SA setups and keep the duplicate
established earlier.
h2. IKEv1 pluto daemon only:
* _crlcheckinterval = *0s* | <time>_
interval in seconds. CRL fetching is enabled if the value is greater than zero.
Asynchronous, periodic checking for fresh CRLs is currently done by the IKEv1 Pluto daemon only.
* _keep_alive = *20s* | <time>_
interval in seconds between NAT keep alive packets.
* _nat_traversal = yes | *no*_
activates NAT traversal by accepting source ISAKMP ports different from udp/500 and being able
to float to udp/4500 if a NAT situation is detected. Used by IKEv1 only; NAT traversal is
always active in IKEv2.
* _nocrsend = yes | *no*_
no certificate request payloads will be sent.
* _pkcs11initargs = <args>_
non-standard argument string for the PKCS#11 C_Initialize() function; required by NSS softoken.
* _pkcs11module = <lib>_
defines the path during run-time to a dynamically loadable PKCS#11 library. Overrides any
path defined during compile-time using the _--pkcs11-module_ configure option.
* _pkcs11keepstate = yes | *no*_
PKCS#11 login sessions will be kept during the whole lifetime of the keying daemon.
Useful with pin-pad smart card readers where PINs cannot be cached.
* _pkcs11proxy = yes | *no*_
Pluto will act as a PKCS#11 proxy accessible via the whack interface.
* _plutodebug = *none* | <debug list> | all_
how much Pluto debugging output should be logged. _none_ means no debugging output
while _all_ means full output. Otherwise only the specified types of output (separated by white space) are enabled.
Available debugging types are _control controlmore crypt dns emitting klips lifecycle natt oppo parsing private raw_.
Recommended setting is _plutodebug=control_.
* _plutostderrlog = <file>_
Pluto will not use syslog, but rather log to stderr, and redirect stderr to <file>.
* _postpluto = <command>_
shell command to run after starting Pluto (e.g., to remove a decrypted copy of the [[IpsecSecrets|ipsec.secrets]] file).
It's run in a very simple way; complexities like I/O redirection are best hidden within a script.
Any output is redirected for logging, so running interactive commands is difficult unless they use
_/dev/tty_ or equivalent for their interaction.
* _prepluto = <command>_
shell command to run before starting Pluto (e.g., to decrypt an encrypted copy of the [[IpsecSecrets|ipsec.secrets]] file).
It's run in a very simple way; complexities like I/O redirection are best hidden within a script.
Any output is redirected for logging, so running interactive commands is difficult unless they use
_/dev/tty_ or equivalent for their interaction.
* _virtual_private = <networks>_
defines private networks using a wildcard notation.
h2. IKEv2 charon daemon only:
* _charondebug = <debug list>_
how much Charon debugging output should be logged. A comma-separated list containing
_type level_ pairs may be specified, e.g.: _dmn 3, ike 1, net -1_. Acceptable values for
types are _dmn, mgr, ike, chd, job, cfg, knl, net, enc, lib_ and the level is one of
_-1, 0, 1, 2, 3, 4_ (for silent, audit, control, controlmore, raw, private).
For more flexibility see [[LoggerConfiguration]].
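As an added illustration of the value sets listed on this page (example code written for this reference, not part of the wiki or of strongSwan's own parser), a small Python checker that reads the _config setup_ section of an ipsec.conf and validates a subset of the options, including the _charondebug_ type/level pairs; the config text it parses is constructed, and the time check accepts plain seconds with an optional _s_ suffix as shown here.

```python
# Allowed values, from the option descriptions above (a subset for brevity).
ENUM = {"cachecrls": {"yes", "no"}, "strictcrlpolicy": {"yes", "ifuri", "no"},
        "uniqueids": {"yes", "no", "replace", "keep"},
        "nat_traversal": {"yes", "no"}, "nocrsend": {"yes", "no"}}
TIMES = {"crlcheckinterval", "keep_alive"}          # seconds, optional 's' suffix
CHARON_TYPES = {"dmn", "mgr", "ike", "chd", "job", "cfg", "knl", "net", "enc", "lib"}

def parse_charondebug(value):
    """Turn 'dmn 3, ike 1, net -1' into {type: level}; reject unknown entries."""
    levels = {}
    for pair in value.split(","):
        parts = pair.split()
        if len(parts) != 2 or parts[0] not in CHARON_TYPES:
            raise ValueError(f"bad charondebug entry {pair.strip()!r}")
        level = int(parts[1])
        if not -1 <= level <= 4:                     # -1 silent ... 4 private
            raise ValueError(f"charondebug level {level} out of range")
        levels[parts[0]] = level
    return levels

def parse_config_setup(text):
    """Return the validated key/value pairs of the 'config setup' section only."""
    in_setup, settings = False, {}
    for line in text.splitlines():
        body = line.split("#", 1)[0].rstrip()        # strip comments/blank lines
        if not body:
            continue
        if not body[0].isspace():                    # unindented: section header
            in_setup = body.strip() == "config setup"
            continue
        if not in_setup:
            continue
        key, _, value = (s.strip() for s in body.partition("="))
        value = value.strip('"')                     # quoted values (charondebug)
        if key in ENUM and value not in ENUM[key]:
            raise ValueError(f"{key}={value!r}: allowed {sorted(ENUM[key])}")
        if key in TIMES and not value.rstrip("s").isdigit():
            raise ValueError(f"{key}={value!r}: expected a number of seconds")
        settings[key] = parse_charondebug(value) if key == "charondebug" else value
    return settings

# Constructed sample ipsec.conf, not taken from any real deployment.
SAMPLE = """\
config setup
        strictcrlpolicy=ifuri
        charondebug="dmn 3, ike 1, net -1"
        crlcheckinterval=3600s
conn %default
        keyexchange=ikev2
"""
```

Running parse_config_setup(SAMPLE) returns only the setup keys; the conn section is skipped, and a value outside the documented set (e.g. strictcrlpolicy=maybe) raises ValueError.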