ipsec.conf: config setup Reference » History » Version 12

Tobias Brunner, 19.10.2010 16:59
Minor fixes.

h1. config setup

h2. both daemons

_cachecrls = yes | *no*_

p((. certificate revocation lists (CRLs) fetched via HTTP or LDAP will be cached in _/etc/ipsec.d/crls/_
     under a unique file name derived from the certification authority's public key. Only relevant for
     IKEv1, as CRLs are always cached in IKEv2.

_charonstart = *yes* | no_

p((. whether to start the IKEv2 charon daemon or not. The default is *yes* if starter was compiled with IKEv2 support.

_plutostart = *yes* | no_

p((. whether to start the IKEv1 pluto daemon or not. The default is *yes* if starter was compiled with IKEv1 support.

_strictcrlpolicy = yes | ifuri | *no*_

p((. defines if a fresh CRL must be available in order for peer authentication based on RSA
     signatures to succeed. IKEv2 additionally recognizes _ifuri_, which behaves like _yes_ if
     at least one CRL URI is defined and like _no_ if no URI is known.

_uniqueids = *yes* | no | replace | keep_

p((. whether a particular participant ID should be kept unique, with any new (automatically keyed)
     connection using an ID from a different IP address deemed to replace all old ones using that ID.
     Participant IDs normally _are_ unique, so a new (automatically keyed) connection using the same ID
     is almost invariably intended to replace an old one. The IKEv2 daemon also accepts the value _replace_,
     which is identical to _yes_, and the value _keep_, which rejects new IKE_SA setups and keeps the duplicate
     established earlier.

h2. IKEv1 pluto daemon only

_crlcheckinterval = *0s* | <time>_

p((. interval in seconds. CRL fetching is enabled if the value is greater than zero.
     Asynchronous, periodic checking for fresh CRLs is currently done by the IKEv1 Pluto daemon only.

_keep_alive = *20s* | <time>_

p((. interval in seconds between NAT keep-alive packets.

_nat_traversal = yes | *no*_

p((. activates NAT traversal by accepting source ISAKMP ports different from udp/500 and by floating
     to udp/4500 if a NAT situation is detected. Only relevant for IKEv1; NAT traversal is
     always active in IKEv2.

_nocrsend = yes | *no*_

p((. no certificate request payloads will be sent.

_pkcs11initargs = <args>_

p((. non-standard argument string for the PKCS#11 C_Initialize() function; required by NSS softoken.

_pkcs11module = <lib>_

p((. defines the path at run-time to a dynamically loadable PKCS#11 library. Overrides any
     path defined at compile-time using the --pkcs11-module configure option.

_pkcs11keepstate = yes | *no*_

p((. PKCS#11 login sessions will be kept during the whole lifetime of the keying daemon.
     Useful with pin-pad smart card readers where PINs cannot be cached.

_pkcs11proxy = yes | *no*_

p((. Pluto will act as a PKCS#11 proxy accessible via the whack interface.

_plutodebug = *none* | <debug list> | all_

p((. how much pluto debugging output should be logged. _none_ means no debugging output,
     while _all_ means full output. Otherwise only the specified types of output (separated by white space) are enabled.
     Available debugging types are _control controlmore crypt dns emitting klips lifecycle natt oppo parsing private raw_.
     The recommended setting is _plutodebug=control_.

_plutostderrlog = <file>_

p((. Pluto will not use syslog, but rather log to stderr, and redirect stderr to <file>.

_postpluto = <command>_

p((. shell command to run after starting pluto (e.g., to remove a decrypted copy of the [[IpsecSecrets|ipsec.secrets]] file).
     It's run in a very simple way; complexities like I/O redirection are best hidden within a script.
     Any output is redirected for logging, so running interactive commands is difficult unless they use
     _/dev/tty_ or equivalent for their interaction.

_prepluto = <command>_

p((. shell command to run before starting pluto (e.g., to decrypt an encrypted copy of the [[IpsecSecrets|ipsec.secrets]] file).
     It's run in a very simple way; complexities like I/O redirection are best hidden within a script.
     Any output is redirected for logging, so running interactive commands is difficult unless they use
     _/dev/tty_ or equivalent for their interaction.

_virtual_private = <networks>_

p((. defines private networks using a wildcard notation.

h2. IKEv2 charon daemon only

_charondebug = <debug list>_

p((. how much Charon debugging output should be logged. A comma-separated list containing
     _type level_ pairs may be specified, e.g.: _dmn 3, ike 1, net -1_. Acceptable values for
     types are _dmn, mgr, ike, chd, job, cfg, knl, net, enc, lib_ and the level is one of
     _[-1, 0, 1, 2, 3, 4]_ (for silent, audit, control, controlmore, raw, private).
     For more flexibility see [[LoggerConfiguration]].
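To make the option formats above concrete, here is an added example (not strongSwan's own code) that reads the _config setup_ section of a constructed ipsec.conf, validates a _charondebug_ list against the types and levels documented on this page, and flags two settings a reviewer would look at: _strictcrlpolicy=no_ (the default, so RSA peer authentication succeeds without a fresh CRL) and any subsystem logged at level 4 (_private_). The sample configuration and the review rules are assumptions for illustration.

```python
import re
# Types and levels documented for charondebug on this page.
CHARON_TYPES = {"dmn", "mgr", "ike", "chd", "job", "cfg", "knl", "net", "enc", "lib"}
CHARON_LEVELS = {-1: "silent", 0: "audit", 1: "control", 2: "controlmore", 3: "raw", 4: "private"}
# Constructed sample ipsec.conf (not taken from any real host).
SAMPLE_IPSEC_CONF = """\
config setup
    charonstart=yes
    plutostart=no
    strictcrlpolicy=no
    cachecrls=yes
    charondebug="dmn 1, ike 2, net -1, enc 4"

conn %default
"""

def parse_config_setup(text):  # key=value pairs of the 'config setup' section as a dict
    setup, in_setup = {}, False
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if not line[0].isspace():  # an unindented line starts a new section
            in_setup = stripped == "config setup"
            continue
        if in_setup and "=" in stripped:
            key, _, val = stripped.partition("=")
            setup[key.strip()] = val.strip().strip('"')
    return setup

def parse_charondebug(value):
    """Parse 'dmn 3, ike 1, net -1' into {'dmn': 3, 'ike': 1, 'net': -1}."""
    result = {}
    for item in filter(None, (i.strip() for i in value.split(","))):
        m = re.fullmatch(r"([a-z]+)\s+(-?\d+)", item)
        if not m or m.group(1) not in CHARON_TYPES or int(m.group(2)) not in CHARON_LEVELS:
            raise ValueError(f"invalid charondebug entry: {item!r}")
        result[m.group(1)] = int(m.group(2))
    return result

def review_setup(setup):
    """Flag settings a reviewer would question; returns a list of finding strings."""
    findings = []
    if setup.get("strictcrlpolicy", "no") == "no":  # 'no' is the documented default
        findings.append("strictcrlpolicy=no: RSA peer authentication succeeds without a fresh CRL")
    for typ, lvl in parse_charondebug(setup.get("charondebug", "")).items():
        if lvl == 4:  # 'private' level: sensitive material ends up in the log
            findings.append(f"charondebug {typ} 4 ({CHARON_LEVELS[4]}): sensitive data logged")
    return findings
```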