ipsec.conf: config setup Reference » History » Version 15

Tobias Brunner, 16.12.2011 16:47
asn log group added


ipsec.conf: config setup

both daemons

cachecrls = yes | no

certificate revocation lists (CRLs) fetched via http or ldap will be cached in /etc/ipsec.d/crls/
under a unique file name derived from the certification authority's public key. Only relevant for
IKEv1 as CRLs are always cached in IKEv2.

charonstart = yes | no

whether to start the IKEv2 charon daemon or not. The default is yes if starter was compiled with IKEv2 support.

plutostart = yes | no

whether to start the IKEv1 pluto daemon or not. The default is yes if starter was compiled with IKEv1 support.

strictcrlpolicy = yes | ifuri | no

defines if a fresh CRL must be available in order for the peer authentication based on RSA
signatures to succeed. IKEv2 additionally recognizes ifuri which reverts to yes if
at least one CRL URI is defined and to no if no URI is known.

uniqueids = yes | no | replace | keep

whether a particular participant ID should be kept unique, with any new (automatically keyed)
connection using an ID from a different IP address deemed to replace all old ones using that ID.
Participant IDs normally are unique, so a new (automatically-keyed) connection using the same ID
is almost invariably intended to replace an old one. The IKEv2 daemon also accepts the value replace
which is identical to yes and the value keep to reject new IKE_SA setups and keep the duplicate
established earlier.

IKEv1 pluto daemon only

crlcheckinterval = 0s | <time>

interval in seconds. CRL fetching is enabled if the value is greater than zero.
Asynchronous, periodic checking for fresh CRLs is currently done by the IKEv1 Pluto daemon only.

keep_alive = 20s | <time>

interval in seconds between NAT keep alive packets.

nat_traversal = yes | no

activates NAT traversal by accepting source ISAKMP ports different from udp/500 and floating
to udp/4500 if a NAT situation is detected. Used by IKEv1 only; NAT traversal is
always active in IKEv2.

nocrsend = yes | no

no certificate request payloads will be sent.

pkcs11initargs = <args>

non-standard argument string for PKCS#11 C_Initialize() function; required by NSS softoken.

pkcs11module = <lib>

defines the path during run-time to a dynamically loadable PKCS#11 library. Overrides any
path defined during compile-time using the --pkcs11-module configure option.

pkcs11keepstate = yes | no

PKCS#11 login sessions will be kept during the whole lifetime of the keying daemon.
Useful with pin-pad smart card readers where PINs cannot be cached.

pkcs11proxy = yes | no

Pluto will act as a PKCS#11 proxy accessible via the whack interface.

plutodebug = none | <debug list> | all

how much pluto debugging output should be logged. none means no debugging output
while all means full output. Otherwise only the specified types of output (separated by white space) are enabled.
Available debugging types are control controlmore crypt dns emitting klips lifecycle natt oppo parsing private raw.
Recommended setting is plutodebug=control.

plutostderrlog = <file>

Pluto will not use syslog, but rather log to stderr, and redirect stderr to <file>.

postpluto = <command>

shell command to run after starting pluto (e.g., to remove a decrypted copy of the ipsec.secrets file).
It's run in a very simple way; complexities like I/O redirection are best hidden within a script.
Any output is redirected for logging, so running interactive commands is difficult unless they use
/dev/tty or equivalent for their interaction.

prepluto = <command>

shell command to run before starting pluto (e.g., to decrypt an encrypted copy of the ipsec.secrets file).
It's run in a very simple way; complexities like I/O redirection are best hidden within a script.
Any output is redirected for logging, so running interactive commands is difficult unless they use
/dev/tty or equivalent for their interaction.

virtual_private = <networks>

defines private networks using a wildcard notation.

IKEv2 charon daemon only

charondebug = <debug list>

how much Charon debugging output should be logged. A comma-separated list containing
type/level pairs may be specified, e.g. dmn 3, ike 1, net -1. Acceptable values for
types are dmn, mgr, ike, chd, job, cfg, knl, net, asn, enc, lib, tls, tnc, imc, imv, pts and the level is one of
[-1, 0, 1, 2, 3, 4] (for silent, audit, control, controlmore, raw, private). By default, the level is
set to 1 for all types.
For more flexibility see LoggerConfiguration.
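As an added illustration (not part of this reference or of strongSwan itself), a small Python linter that parses the config setup section of an ipsec.conf and checks the charondebug and plutodebug values against the types and levels listed above; the sample ipsec.conf is constructed, and its foo type, bogus type and level 4 entry are deliberate mistakes.

```python
import re

# Debug types and levels as listed in the reference above.
CHARON_TYPES = {"dmn", "mgr", "ike", "chd", "job", "cfg", "knl", "net", "asn",
                "enc", "lib", "tls", "tnc", "imc", "imv", "pts"}
CHARON_LEVELS = {-1: "silent", 0: "audit", 1: "control", 2: "controlmore",
                 3: "raw", 4: "private"}
PLUTO_TYPES = {"control", "controlmore", "crypt", "dns", "emitting", "klips",
               "lifecycle", "natt", "oppo", "parsing", "private", "raw"}

# Constructed sample ipsec.conf; 'foo', 'bogus' and level 4 are deliberate mistakes.
SAMPLE_CONF = """\
config setup
    charondebug = "ike 1, knl 2, net 4, foo 1"   # trailing comment
    plutodebug = control crypt bogus
    strictcrlpolicy = ifuri
    uniqueids = keep

conn %default
    keyexchange = ikev2
"""

def parse_config_setup(text):
    """Return key/value pairs of the 'config setup' section (indented lines only)."""
    settings, in_setup = {}, False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        if not line[0].isspace():                 # unindented line: a section header
            in_setup = line.split() == ["config", "setup"]
        elif in_setup and "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip().strip('"')
    return settings

def lint_debug_settings(settings):
    """Flag malformed or unusually verbose charondebug/plutodebug values."""
    findings = []
    for pair in settings.get("charondebug", "").split(","):
        parts = pair.split()
        if not parts:
            continue
        if len(parts) != 2 or parts[0] not in CHARON_TYPES or not re.fullmatch(r"-?\d+", parts[1]):
            findings.append(f"charondebug: malformed pair '{pair.strip()}'")
        elif int(parts[1]) not in CHARON_LEVELS:
            findings.append(f"charondebug: level {parts[1]} for {parts[0]} outside -1..4")
        elif int(parts[1]) >= 3:                  # raw/private are debugging-only levels
            findings.append(f"charondebug: {parts[0]} at level {parts[1]} ({CHARON_LEVELS[int(parts[1])]}) is a debugging level")
    pluto = settings.get("plutodebug")
    if pluto and pluto not in ("none", "all"):
        findings += [f"plutodebug: unknown type '{t}'" for t in pluto.split() if t not in PLUTO_TYPES]
    return findings

if __name__ == "__main__":
    for finding in lint_debug_settings(parse_config_setup(SAMPLE_CONF)):
        print(finding)
```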