ipsec.conf: config setup Reference » History » Version 6

Version 5 (Martin Willi, 12.05.2008 13:44) → Version 6/18 (Martin Willi, 12.05.2008 14:44)

= config setup =

* ''cachecrls = yes|'''no'''''
certificate revocation lists (CRLs) fetched via HTTP or LDAP will be cached in ''/etc/ipsec.d/crls/''
under a unique file name derived from the certification authority's public key.

* ''charonstart = '''yes'''|no''
starts the IKEv2 charon daemon.

* ''crlcheckinterval = '''0s'''|''<time>
interval in seconds. CRL fetching is enabled if the value is greater than zero.
Asynchronous, periodic checking for fresh CRLs is currently done by the IKEv1 Pluto daemon only.

* ''plutostart = '''yes'''|no''
starts the IKEv1 pluto daemon.

* ''strictcrlpolicy = yes|ifuri|'''no'''''
defines if a fresh CRL must be available in order for the peer authentication based on RSA
signatures to succeed. IKEv2 additionally recognizes ''ifuri'' which reverts to ''yes'' if
at least one CRL URI is defined and to ''no'' if no URI is known.

'''IKEv1 pluto daemon only:'''

* ''keep_alive = '''20s'''|''<time>
interval in seconds between NAT keep alive packets.

* ''nat_traversal = yes|'''no'''''
activates NAT traversal by accepting source ISAKMP ports different from udp/500 and by floating
to udp/4500 if a NAT situation is detected. Used by IKEv1 only, since NAT traversal is
always active in IKEv2.

* ''nocrsend = yes|'''no'''''
no certificate request payloads will be sent.

* ''pkcs11initargs = ''<args>
non-standard argument string for the PKCS#11 C_Initialize() function; required by NSS softoken.

* ''pkcs11module = ''<lib>
defines the path at run-time to a dynamically loadable PKCS#11 library. Overrides any
path defined at compile-time using the ''--pkcs11-module'' configure option.

* ''pkcs11keepstate = yes|'''no'''''
PKCS#11 login sessions will be kept during the whole lifetime of the keying daemon.
Useful with pin-pad smart card readers where PINs cannot be cached.

* ''pkcs11proxy = yes|'''no'''''
Pluto will act as a PKCS#11 proxy accessible via the whack interface.

* ''plutodebug = '''none'''''|<debug list>|''all''
how much Pluto debugging output should be logged. ''none'' means no debugging output
while ''all'' means full output. Otherwise only the specified types of output (separated by white space) are enabled.
Available debugging types are ''control controlmore crypt dns emitting klips lifecycle natt oppo parsing private raw''.
Recommended setting is ''plutodebug=control''.

* ''postpluto = ''<command>
shell command to run after starting Pluto (e.g., to remove a decrypted copy of the ''ipsec.secrets'' file).
It's run in a very simple way; complexities like I/O redirection are best hidden within a script.
Any output is redirected for logging, so running interactive commands is difficult unless they use
''/dev/tty'' or equivalent for their interaction.

* ''prepluto = ''<command>
shell command to run before starting Pluto (e.g., to decrypt an encrypted copy of the ''ipsec.secrets'' file).
It's run in a very simple way; complexities like I/O redirection are best hidden within a script.
Any output is redirected for logging, so running interactive commands is difficult unless they use
''/dev/tty'' or equivalent for their interaction.

* ''plutostderrlog = ''<file>
Pluto will not use syslog, but rather log to stderr, and redirect stderr to <file>.

* ''virtual_private = ''<networks>
defines private networks using a wildcard notation.

* ''uniqueids = '''yes'''|no''
whether a particular participant ID should be kept unique, with any new (automatically keyed)
connection using an ID from a different IP address deemed to replace all old ones using that ID.
Participant IDs normally are unique, so a new (automatically-keyed) connection using the same ID
is almost invariably intended to replace an old one.

'''IKEv2 charon daemon only:'''

* ''charondebug = ''<debug list>
how much Charon debugging output should be logged. A comma-separated list containing
''type level'' pairs may be specified, e.g. ''dmn 3, ike 1, net -1''. Acceptable values for
types are ''dmn, mgr, ike, chd, job, cfg, knl, net, enc, lib'' and the level is one of
''-1, 0, 1, 2, 3, 4'' (for silent, audit, control, controlmore, raw, private).
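The value grammar documented on this page (yes|no switches, <time> values, the white-space separated ''plutodebug'' list and the comma-separated ''type level'' pairs of ''charondebug'') is small enough to lint mechanically. The script below is an added example, not strongSwan's own code: it extracts the ''config setup'' section from an ipsec.conf, validates each option against the reference above, and reports settings that leave revocation checking off (''strictcrlpolicy=no'', ''crlcheckinterval=0s'') or enable more logging than the recommended ''plutodebug=control''. The sample configuration and the misspelled key ''natraversal'' in it are constructed for this example, and the <time> grammar (an integer with an optional s/m/h/d suffix) is an assumption, since the page only shows values like ''20s''.

```python
"""Lint the `config setup` section of a strongSwan ipsec.conf.

Added example, not strongSwan's own code. It parses the option grammar
documented in the reference above and flags settings that weaken peer
authentication (revocation checking) or log more than recommended.
"""
import re

YES_NO_KEYS = {"cachecrls", "charonstart", "plutostart", "nat_traversal",
               "nocrsend", "pkcs11keepstate", "pkcs11proxy", "uniqueids"}
TIME_KEYS = {"crlcheckinterval", "keep_alive"}
FREE_KEYS = {"pkcs11initargs", "pkcs11module", "postpluto", "prepluto",
             "plutostderrlog", "virtual_private"}
PLUTO_TYPES = {"control", "controlmore", "crypt", "dns", "emitting", "klips",
               "lifecycle", "natt", "oppo", "parsing", "private", "raw"}
CHARON_TYPES = {"dmn", "mgr", "ike", "chd", "job", "cfg", "knl", "net", "enc", "lib"}
CHARON_LEVELS = {-1, 0, 1, 2, 3, 4}       # -1 silent ... 4 private
# Assumption: a <time> is an integer with an optional s/m/h/d suffix.
TIME_RE = re.compile(r"^(\d+)([smhd]?)$")
UNIT_SECONDS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400}


def to_seconds(value):
    """Convert a <time> value such as '20s' or '2m' to seconds."""
    m = TIME_RE.match(value.strip())
    if not m:
        raise ValueError(f"bad time value {value!r}")
    return int(m.group(1)) * UNIT_SECONDS[m.group(2)]


def parse_setup(text):
    """Return {option: value} for the `config setup` section only."""
    opts, in_setup = {}, False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()        # drop comments
        if not line.strip():
            continue
        if not line[0].isspace():                   # unindented: section header
            in_setup = line.strip() == "config setup"
        elif in_setup and "=" in line:
            key, val = line.split("=", 1)
            opts[key.strip()] = val.strip()
    return opts


def parse_plutodebug(value):
    """'none', 'all', or a white-space separated list of debug types."""
    if value in ("none", "all"):
        return [value]
    types = value.split()
    unknown = sorted(set(types) - PLUTO_TYPES)
    if unknown:
        raise ValueError(f"unknown plutodebug type(s): {unknown}")
    return types


def parse_charondebug(value):
    """Comma-separated 'type level' pairs -> {type: level}."""
    levels = {}
    for item in value.split(","):
        parts = item.split()
        if not parts:                               # tolerate a trailing comma
            continue
        if len(parts) != 2 or parts[0] not in CHARON_TYPES:
            raise ValueError(f"bad charondebug entry {item.strip()!r}")
        try:
            level = int(parts[1])
        except ValueError:
            raise ValueError(f"bad charondebug level in {item.strip()!r}") from None
        if level not in CHARON_LEVELS:
            raise ValueError(f"charondebug level out of range: {level}")
        levels[parts[0]] = level
    return levels


def check_value(key, val):
    """Validate one option against the documented grammar; return its parsed form."""
    if key in YES_NO_KEYS:
        if val not in ("yes", "no"):
            raise ValueError(f"expected yes|no, got {val!r}")
        return val
    if key == "strictcrlpolicy":
        if val not in ("yes", "ifuri", "no"):
            raise ValueError(f"expected yes|ifuri|no, got {val!r}")
        return val
    if key in TIME_KEYS:
        return to_seconds(val)
    if key == "plutodebug":
        return parse_plutodebug(val)
    if key == "charondebug":
        return parse_charondebug(val)
    if key in FREE_KEYS:
        return val
    raise ValueError("not a documented config setup option")


def lint_setup(opts):
    """Return [(option, message)] for invalid values and weak-but-valid settings."""
    findings, parsed = [], {}
    for key, val in opts.items():
        try:
            parsed[key] = check_value(key, val)
        except ValueError as err:
            findings.append((key, str(err)))
    # Weak settings, judged against the documented defaults (no, 0s).
    if parsed.get("strictcrlpolicy", "no") == "no":
        findings.append(("strictcrlpolicy", "no fresh CRL required: RSA-signature "
                         "authentication succeeds even if revocation status is stale or unknown"))
    if parsed.get("crlcheckinterval", 0) == 0:
        findings.append(("crlcheckinterval", "0s disables periodic CRL fetching (IKEv1 Pluto)"))
    if {"all", "private"} & set(parsed.get("plutodebug", [])):
        findings.append(("plutodebug", "'all'/'private' output enabled; the reference recommends control"))
    for dtype, level in parsed.get("charondebug", {}).items():
        if level == 4:
            findings.append(("charondebug", f"{dtype} logs at level 4 (private)"))
    return findings


# Constructed sample (not a real deployment); `natraversal` is a deliberate typo.
SAMPLE = """\
config setup
    charonstart=yes
    plutostart=yes
    strictcrlpolicy=no      # documented default
    crlcheckinterval=0s
    cachecrls=yes
    natraversal=yes
    plutodebug=control private
    charondebug=dmn 1, ike 1, net -1

conn %default
    keyexchange=ikev2
"""

if __name__ == "__main__":
    for option, message in lint_setup(parse_setup(SAMPLE)):
        print(f"{option}: {message}")
```

Running the script on the constructed sample reports the misspelled ''natraversal'' (which the daemons would otherwise silently ignore), the two CRL settings that leave revocation unchecked, and the ''private'' debug type. A setup with ''strictcrlpolicy=yes'' and a non-zero ''crlcheckinterval'' produces no findings.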