ipsec.conf: config setup Reference » History » Version 18

Tobias Brunner, 03.10.2012 12:23

{{title(ipsec.conf: config setup Reference)}}

h1. ipsec.conf: config setup

_cachecrls = yes | *no*_

p((. if enabled, certificate revocation lists (CRLs) fetched via HTTP or LDAP will be cached in _/etc/ipsec.d/crls/_
     under a unique file name derived from the certification authority's public key.

_charondebug = <debug list>_

p((. how much charon debugging output should be logged. A comma-separated list containing
     _type/level_ pairs may be specified, e.g. _dmn 3, ike 1, net -1_. Acceptable values for
     types are _dmn, mgr, ike, chd, job, cfg, knl, net, asn, enc, lib, esp, tls, tnc, imc, imv, pts_ and the level
     is one of _[-1, 0, 1, 2, 3, 4]_ (for silent, audit, control, controlmore, raw, private). By default, the level
     is set to *1* for all types. Level 3 adds raw hex dumps of packets and level 4 additionally logs
     sensitive material such as keys, so neither should stay enabled on a production system.
     For more flexibility see [[LoggerConfiguration]].

_charonstart = *yes* | no_

p((. whether to start the IKE charon daemon or not. The default is *yes*.

_strictcrlpolicy = yes | ifuri | *no*_

p((. defines if a fresh CRL must be available in order for the peer authentication based on RSA
     signatures to succeed. IKEv2 additionally recognizes _ifuri_ which reverts to _yes_ if
     at least one CRL URI is defined and to _no_ if no URI is known. With the default _no_, a peer
     is still accepted when no CRL can be obtained, so revocation is only enforced when a CRL is
     actually available.

_uniqueids = *yes* | no | never | replace | keep_

p((. whether a particular participant ID should be kept unique, with any new IKE_SA using an ID
     deemed to replace all old ones using that ID. Participant IDs normally _are_ unique, so a new
     IKE_SA using the same ID is almost invariably intended to replace an old one.
     The difference between _no_ and _never_ is that the daemon will replace old IKE_SAs when receiving an
     INITIAL_CONTACT notify if the option is _no_ but will ignore these notifies if _never_ is configured.
     The daemon also accepts the value _replace_ which is identical to _yes_ and the value _keep_ to reject
     new IKE_SA setups and keep the duplicate established earlier.

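As an added example that is not part of this page or of the strongSwan project, the following Python script reads the _config setup_ section of an ipsec.conf file, parses a _charondebug_ list in the _type level_ format described above and reports the settings a reviewer would question, using the option names, values and defaults from this reference. The parser, the finding texts and the reading of levels 3 and 4 as raw packet dumps and private key material are the example's own; the sample configuration embedded in it is constructed.

```python
"""Lint the 'config setup' section of an ipsec.conf file.

Added example for this reference page, not strongSwan code. It parses the
charondebug type/level list and the other config setup keys described on
the page and reports settings a reviewer would question.
"""
import re

# Acceptable charondebug types and levels, taken from the reference above.
CHARON_TYPES = {"dmn", "mgr", "ike", "chd", "job", "cfg", "knl", "net", "asn",
                "enc", "lib", "esp", "tls", "tnc", "imc", "imv", "pts"}
LEVEL_NAMES = {-1: "silent", 0: "audit", 1: "control", 2: "controlmore",
               3: "raw", 4: "private"}

# Enumerated values of the remaining current config setup options.
SETUP_VALUES = {
    "cachecrls": {"yes", "no"},
    "charonstart": {"yes", "no"},
    "strictcrlpolicy": {"yes", "ifuri", "no"},
    "uniqueids": {"yes", "no", "never", "replace", "keep"},
}

# Constructed sample; every setting in it is one the linter should flag.
SAMPLE_CONF = """\
config setup
    charondebug = "ike 4, knl 1, net -1"   # level 4 logs key material
    cachecrls = yes
    strictcrlpolicy = no
    uniqueids = never

conn example
    keyexchange = ikev2   # conn sections are outside this linter's scope
"""


def parse_setup_section(text):
    """Return {key: value} for the 'config setup' section only.

    Sections start at column 0 ('config setup', 'conn <name>'); their
    parameters are indented key=value lines. '#' starts a comment and
    surrounding double quotes are removed from values.
    """
    params = {}
    in_setup = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():
            in_setup = line.strip() == "config setup"
            continue
        if in_setup and "=" in line:
            key, value = line.strip().split("=", 1)
            params[key.strip()] = value.strip().strip('"')
    return params


def parse_charondebug(value):
    """Parse 'dmn 3, ike 1, net -1' into {type: level}; raise on bad input."""
    levels = {}
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue
        match = re.fullmatch(r"([a-z]+)\s+(-?\d+)", item)
        if not match:
            raise ValueError(f"malformed entry {item!r}")
        typ, level = match.group(1), int(match.group(2))
        if typ not in CHARON_TYPES:
            raise ValueError(f"unknown type {typ!r}")
        if level not in LEVEL_NAMES:
            raise ValueError(f"level out of range: {level}")
        levels[typ] = level
    return levels


def lint_setup(params):
    """Return a list of findings for a parsed config setup section."""
    findings = []
    for key, allowed in SETUP_VALUES.items():
        if key in params and params[key] not in allowed:
            findings.append(f"{key}: invalid value {params[key]!r}")
    if "charondebug" in params:
        try:
            for typ, level in parse_charondebug(params["charondebug"]).items():
                if level >= 3:   # raw dumps at 3, keys and other secrets at 4
                    findings.append(f"charondebug: {typ} at level {level} "
                                    f"({LEVEL_NAMES[level]}) exposes packet or key data in the log")
        except ValueError as exc:
            findings.append(f"charondebug: {exc}")
    crl = params.get("strictcrlpolicy", "no")   # default per the reference
    if crl == "no":
        findings.append("strictcrlpolicy=no: peers are accepted even when no fresh CRL can be obtained")
    if params.get("cachecrls", "no") == "yes" and crl == "no":
        findings.append("cachecrls=yes with strictcrlpolicy=no: CRLs are cached but a missing CRL never fails authentication")
    if params.get("uniqueids", "yes") == "never":
        findings.append("uniqueids=never: INITIAL_CONTACT notifies are ignored, so an old IKE_SA with the same ID is never replaced")
    return findings


if __name__ == "__main__":
    for finding in lint_setup(parse_setup_section(SAMPLE_CONF)):
        print(finding)
```

Run it against a real file by replacing SAMPLE_CONF with the contents of /etc/ipsec.conf; an empty findings list means the section only uses values this reference documents and none of the flagged combinations.
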
h2. Old options (before 5.0.0)

These options were only supported by the IKEv1 pluto daemon of releases before 5.0.0.

_crlcheckinterval = *0s* | <time>_

p((. interval in seconds. CRL fetching is enabled if the value is greater than zero.
     Asynchronous, periodic checking for fresh CRLs is currently done by the IKEv1 Pluto daemon only.

_keep_alive = *20s* | <time>_

p((. interval in seconds between NAT keep alive packets.

_nat_traversal = yes | *no*_

p((. activates NAT traversal by accepting source ISAKMP ports different from udp/500 and being able
     to float to udp/4500 if a NAT situation is detected. Used by IKEv1 only; NAT traversal is
     always active in IKEv2.

_nocrsend = yes | *no*_

p((. no certificate request payloads will be sent.

_pkcs11initargs = <args>_

p((. non-standard argument string for the PKCS#11 C_Initialize() function; required by NSS softoken.

_pkcs11module = <lib>_

p((. defines the path during run-time to a dynamically loadable PKCS#11 library. Overrides any
     path defined during compile-time using the --pkcs11-module configure option.

_pkcs11keepstate = yes | *no*_

p((. PKCS#11 login sessions will be kept during the whole lifetime of the keying daemon.
     Useful with pin-pad smart card readers where PINs cannot be cached.

_pkcs11proxy = yes | *no*_

p((. Pluto will act as a PKCS#11 proxy accessible via the whack interface.

_plutodebug = *none* | <debug list> | all_

p((. how much pluto debugging output should be logged. _none_ means no debugging output
     while _all_ means full output. Otherwise only the specified types of output (separated by white space) are enabled.
     Available debugging types are _control controlmore crypt dns emitting klips lifecycle natt oppo parsing private raw_.
     Recommended setting is _plutodebug=control_.

_plutostart = *yes* | no_

p((. whether to start the IKEv1 pluto daemon or not. The default is *yes* if starter was compiled with IKEv1 support.

_plutostderrlog = <file>_

p((. Pluto will not use syslog, but rather log to stderr, and redirect stderr to <file>.

_postpluto = <command>_

p((. shell command to run after starting pluto (e.g., to remove a decrypted copy of the [[IpsecSecrets|ipsec.secrets]] file).
     It's run in a very simple way; complexities like I/O redirection are best hidden within a script.
     Any output is redirected for logging, so running interactive commands is difficult unless they use
     _/dev/tty_ or equivalent for their interaction.

_prepluto = <command>_

p((. shell command to run before starting pluto (e.g., to decrypt an encrypted copy of the [[IpsecSecrets|ipsec.secrets]] file).
     It's run in a very simple way; complexities like I/O redirection are best hidden within a script.
     Any output is redirected for logging, so running interactive commands is difficult unless they use
     _/dev/tty_ or equivalent for their interaction.

_virtual_private = <networks>_

p((. defines private networks using a wildcard notation.