strongSwan

{{title(ipsec.conf: config setup Reference)}}

h1. ipsec.conf: config setup

h2. both daemons

_cachecrls = yes | *no*_

p((. certificate revocation lists (CRLs) fetched via http or ldap will be cached in _/etc/ipsec.d/crls/_

     under a unique file name derived from the certification authority's public key. Only relevant for

     IKEv1 as CRLs are always cached in IKEv2.

_charonstart = *yes* | no_

p((. whether to start the IKEv2 charon daemon or not. The default is *yes* if starter was compiled with IKEv2 support.

_plutostart = *yes* | no_

p((. whether to start the IKEv1 pluto daemon or not. The default is *yes* if starter was compiled with IKEv1 support.

_strictcrlpolicy = yes | ifuri | *no*_

p((. defines if a fresh CRL must be available in order for the peer authentication based on RSA

     signatures to succeed. IKEv2 additionally recognizes _ifuri_ which reverts to _yes_ if

     at least one CRL URI is defined and to _no_ if no URI is known.

_uniqueids = *yes* | no | never | replace | keep_

p((. whether  a  particular  participant  ID  should  be  kept unique, with any new IKE_SA using an ID

     deemed to replace all  old  ones  using that ID.  Participant IDs normally _are_ unique,  so  a  new

     IKE_SA  using  the same ID is almost invariably intended to replace an old one.

     The difference between _no_ and _never_ is that the daemon will replace old IKE_SAs when receiving an

     INITIAL_CONTACT notify if the option is _no_ but will ignore these notifies if _never_ is configured.

     The daemon also accepts  the  value  replace which  is  identical to _yes_ and the value _keep_ to reject

     new IKE_SA setups and keep the duplicate established earlier.

h2. IKEv1 pluto daemon only

_crlcheckinterval = *0s* | <time>_

p((. interval in seconds. CRL fetching is enabled if the value is greater than zero.

     Asynchronous, periodic checking for fresh CRLs is currently done by the IKEv1 Pluto daemon only.

_keep_alive = *20s* | <time>_

p((. interval in seconds between NAT keep alive packets.

_nat_traversal = yes | *no*_

p((. activates NAT traversal by accepting source ISAKMP ports different from udp/500 and being able

     of floating to udp/4500 if a NAT situation is detected.  Used by IKEv1 only, NAT traversal is

     always being active in IKEv2.

_nocrsend = yes | *no*_

p((. no certificate request  payloads will be sent.

_pkcs11initargs = <args>_

p((. non-standard argument string for PKCS#11 C_Initialize() function; required by NSS softoken.

_pkcs11module = <lib>_

p((. defines the path during run-time to a dynamically loadable PKCS#11 library. Overrides any

     path defined during compile-time using the --pkcs11-module configure option.

_pkcs11keepstate = yes | *no*_

p((. PKCS#11 login sessions will be kept during the whole lifetime of the keying daemon.

     Useful with  pin-pad smart card readers where PINs cannot be cached. 

_pkcs11proxy = yes | *no*_

p((. Pluto will act as a PKCS#11 proxy accessible via the whack interface.

_plutodebug = *none_* | <debug list> | _all_

p((. how much pluto debugging output should be logged. _none_ means  no  debugging output

     while _all_ means full output.  Otherwise only the specified types of output separated by white space) are enabled;

     Available debugging types are _control controlmore crypt dns emitting klips lifecycle natt oppo parsing private raw_.

     Recommended setting is _plutodebug=control_.

_plutostderrlog = <file>_

p((. Pluto will not use syslog, but rather log to stderr, and redirect stderr to <file>.

_postpluto = <command>_

p((. shell command to run after starting pluto (e.g., to remove a decrypted copy of the [[IpsecSecrets|ipsec.secrets]] file).

     It's run in a very simple way; complexities like I/O redirection are best hidden within a script.

     Any output is redirected for logging, so running interactive commands is difficult unless they use

     _/dev/tty_ or equivalent for their interaction.

_prepluto = <command>_

p((. shell command to run before starting pluto (e.g., to decrypt an encrypted copy of the [[IpsecSecrets|ipsec.secrets]] file).

     It's run in a very simple way; complexities like I/O redirection are best hidden within a script.

     Any output is redirected for logging, so running interactive commands is difficult unless they use

     _/dev/tty_ or equivalent for their interaction.

_virtual_private = <networks>_

p((. defines private networks using a wildcard notation.

h2. IKEv2 charon daemon only

_charondebug = <debug list>_

p((. how much Charon debugging output should be logged. A comma-separated list containing

     _type/level_ pairs  may  be specified, e.g: _dmn 3, ike 1, net -1_.  Acceptable values for

     types are _dmn, mgr, ike, chd, job, cfg, knl, net, asn, enc, lib, tls, tnc, imc, imv, pts_ and the level is one of

     _[-1,  0,  1,  2,  3,  4]_ (for silent, audit, control, controlmore, raw, private). By default, the level is

     set to *1* for all types.

     For more flexibility see [[LoggerConfiguration]].