ipsec.conf: config setup Reference - Version 2

Martin Willi, 02.09.2007 07:11
filled in config setup options


= config setup =

  • ''cachecrls = yes|'''no'''''
    Certificate revocation lists (CRLs) fetched via HTTP or LDAP are cached in ''/etc/ipsec.d/crls/''
    under a unique file name derived from the certification authority's public key.
  • ''charonstart = '''yes'''|no''
    Starts the IKEv2 charon daemon.
  • ''crlcheckinterval = '''0s'''|<time>''
    Interval in seconds. CRL fetching is enabled if the value is greater than zero.
    Asynchronous, periodic checking for fresh CRLs is currently done by the IKEv1 pluto daemon only.
  • ''plutostart = '''yes'''|no''
    Starts the IKEv1 pluto daemon.
  • ''strictcrlpolicy = yes|ifuri|'''no'''''
    Defines whether a fresh CRL must be available for peer authentication based on RSA
    signatures to succeed. IKEv2 additionally recognizes ''ifuri'', which behaves as ''yes'' if
    at least one CRL URI is defined and as ''no'' if no URI is known.
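
As an added example (not part of this wiki page or of the strongSwan sources), a small Python audit that reads the ''config setup'' section of an ipsec.conf and reports when the revocation-related options above are left at their permissive defaults. The sample ipsec.conf fragment is constructed, and the s/m/h/d suffixes for <time> values are an assumption.

```python
import re

# Constructed sample ipsec.conf fragment (not from the page): CRL checks left off.
SAMPLE_WEAK = """\
config setup
        plutostart=yes
        charonstart=yes
        crlcheckinterval=0s   # fetching disabled
        strictcrlpolicy=no
conn %default
        keyexchange=ikev2
"""

# <time> suffixes assumed to be s/m/h/d as accepted by ipsec.conf parsers.
UNITS = {'': 1, 's': 1, 'm': 60, 'h': 3600, 'd': 86400}

def parse_config_setup(text):
    """Return the key=value pairs of 'config setup' as a dict (keys lowercased).
    Parsing stops at the next unindented section header such as 'conn ...'."""
    opts, in_setup = {}, False
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].rstrip()      # strip comments
        if not line.strip():
            continue
        if not line[0].isspace():                 # section header
            in_setup = line.strip().lower() == 'config setup'
        elif in_setup and '=' in line:
            key, value = line.split('=', 1)
            opts[key.strip().lower()] = value.strip()
    return opts

def parse_seconds(value):
    """Convert a <time> value such as '0s', '30m' or '2h' into seconds."""
    m = re.fullmatch(r'(\d+)([smhd]?)', value.strip())
    if not m:
        raise ValueError(f'bad time value: {value!r}')
    return int(m.group(1)) * UNITS[m.group(2)]

def audit_crl_policy(opts):
    """Report weak revocation settings, assuming the reference's defaults."""
    findings = []
    interval = parse_seconds(opts.get('crlcheckinterval', '0s'))
    if interval == 0:
        findings.append('crlcheckinterval=0s: periodic CRL fetching is disabled')
    if opts.get('strictcrlpolicy', 'no').lower() == 'no':
        findings.append('strictcrlpolicy=no: peers authenticate without a fresh CRL')
    if interval > 0 and opts.get('cachecrls', 'no').lower() != 'yes':
        findings.append('cachecrls=no: fetched CRLs are not kept in /etc/ipsec.d/crls/')
    return findings
```

Running `audit_crl_policy(parse_config_setup(SAMPLE_WEAK))` returns two findings for the sample; a section with crlcheckinterval greater than zero, strictcrlpolicy=ifuri and cachecrls=yes returns none.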

'''IKEv1 pluto daemon only:'''

  • ''keep_alive = '''20s'''''
  • ''nat_traversal = yes|'''no'''''
  • ''pkcs11initargs = ''<args>
  • ''pkcs11module = ''<lib>
  • ''pkcs11keepstate = yes|'''no'''''
  • ''pkcs11proxy = yes|'''no'''''
  • ''plutodebug = '''none'''''|<debug list>|''all''
  • ''postpluto = ''<commands>
  • ''prepluto = ''<commands>
  • ''virtual_private = ''<networks>
  • ''uniqueids = '''yes'''|no''

'''IKEv2 charon daemon only:'''

  • ''charondebug = ''<debug list>