ipsec.conf: config setup Reference » History » Version 8

Tobias Brunner, 10.12.2008 18:30
uniqueids like in the manpage

= config setup =

 * ''cachecrls = yes|'''no'''''
     certificate revocation lists (CRLs) fetched via http or ldap will be cached in ''/etc/ipsec.d/crls/''
     under a unique file name derived from the certification authority's public key.

 * ''charonstart = '''yes'''|no''
     starts the IKEv2 charon daemon.

 * ''plutostart = '''yes'''|no''
     starts the IKEv1 pluto daemon.

 * ''strictcrlpolicy = yes|ifuri|'''no'''''
     defines whether a fresh CRL must be available in order for the peer authentication based on RSA
     signatures to succeed. IKEv2 additionally recognizes ''ifuri'', which reverts to ''yes'' if
     at least one CRL URI is defined and to ''no'' if no URI is known.

 * ''uniqueids = '''yes'''|no|replace|keep''
     whether a particular participant ID should be kept unique, with any new (automatically keyed)
     connection using an ID from a different IP address deemed to replace all old ones using that ID.
     Participant IDs normally _are_ unique, so a new (automatically keyed) connection using the same ID
     is almost invariably intended to replace an old one. The IKEv2 daemon also accepts the value ''replace'',
     which is identical to ''yes'', and the value ''keep'', which rejects new IKE_SA setups and keeps the duplicate
     established earlier.

'''IKEv1 pluto daemon only:'''

 * ''crlcheckinterval = '''0s'''|''<time>
     interval in seconds. CRL fetching is enabled if the value is greater than zero.
     Asynchronous, periodic checking for fresh CRLs is currently done by the IKEv1 Pluto daemon only.

 * ''keep_alive = '''20s'''|''<time>
     interval in seconds between NAT keep alive packets.

 * ''nat_traversal = yes|'''no'''''
     activates NAT traversal by accepting source ISAKMP ports different from udp/500 and being able
     to float to udp/4500 if a NAT situation is detected. Used by IKEv1 only, NAT traversal
     always being active in IKEv2.

 * ''nocrsend = yes|'''no'''''
     no certificate request payloads will be sent.

 * ''pkcs11initargs = ''<args>
     non-standard argument string for the PKCS#11 C_Initialize() function; required by NSS softoken.

 * ''pkcs11module = ''<lib>
     defines the path during run-time to a dynamically loadable PKCS#11 library. Overrides any
     path defined during compile-time using the ''--pkcs11-module'' configure option.

 * ''pkcs11keepstate = yes|'''no'''''
     PKCS#11 login sessions will be kept during the whole lifetime of the keying daemon.
     Useful with pin-pad smart card readers where PINs cannot be cached.

 * ''pkcs11proxy = yes|'''no'''''
     Pluto will act as a PKCS#11 proxy accessible via the whack interface.

 * ''plutodebug = '''none'''''|<debug list>|''all''
     how much Pluto debugging output should be logged. ''none'' means no debugging output
     while ''all'' means full output. Otherwise only the specified types of output (separated by white space) are enabled.
     Available debugging types are ''control controlmore crypt dns emitting klips lifecycle natt oppo parsing private raw''.
     Recommended setting is ''plutodebug=control''.

 * ''plutostderrlog = ''<file>
     Pluto will not use syslog, but rather log to stderr, and redirect stderr to <file>.

 * ''postpluto = ''<command>
     shell command to run after starting Pluto (e.g., to remove a decrypted copy of the ''ipsec.secrets'' file).
     It's run in a very simple way; complexities like I/O redirection are best hidden within a script.
     Any output is redirected for logging, so running interactive commands is difficult unless they use
     ''/dev/tty'' or equivalent for their interaction.

 * ''prepluto = ''<command>
     shell command to run before starting Pluto (e.g., to decrypt an encrypted copy of the ''ipsec.secrets'' file).
     It's run in a very simple way; complexities like I/O redirection are best hidden within a script.
     Any output is redirected for logging, so running interactive commands is difficult unless they use
     ''/dev/tty'' or equivalent for their interaction.

 * ''virtual_private = ''<networks>
     defines private networks using a wildcard notation.

'''IKEv2 charon daemon only:'''

 * ''charondebug = ''<debug list>
     how much Charon debugging output should be logged. A comma-separated list containing
     ''type level'' pairs may be specified, e.g. ''dmn 3, ike 1, net -1''. Acceptable values for
     types are ''dmn, mgr, ike, chd, job, cfg, knl, net, enc, lib'' and the level is one of
     ''-1, 0, 1, 2, 3, 4'' (for silent, audit, control, controlmore, raw, private).
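The following is an added example, not part of this reference page and not strongSwan code. It is a small Python script that parses the ''config setup'' section of a constructed ipsec.conf, splits a ''charondebug'' value into the ''type level'' pairs described above (rejecting unknown types and out-of-range levels), and lists the settings from this page that a reviewer would want to look at: ''strictcrlpolicy=no'', ''cachecrls=no'' combined with a strict CRL policy, ''uniqueids=no'', ''nocrsend=yes'', and debug settings that enable ''private'' output. The sample configurations, the function names and the statement that ''private'' level output (charon level 4, pluto type ''private'' or ''all'') can include key material come from strongSwan's logging documentation and this example's own assumptions, not from this page.

```python
"""Parse the config setup section of an ipsec.conf and review the
CRL, uniqueids and debug settings.  Added example, not strongSwan code."""

# Values as listed in the reference above.
CHARON_DEBUG_TYPES = {"dmn", "mgr", "ike", "chd", "job", "cfg", "knl", "net", "enc", "lib"}
CHARON_LEVEL_NAMES = {-1: "silent", 0: "audit", 1: "control",
                      2: "controlmore", 3: "raw", 4: "private"}

# Constructed sample: a weak config setup beside a tightened one (assumptions).
WEAK_IPSEC_CONF = """\
# constructed sample, not a real deployment
config setup
    cachecrls=no
    strictcrlpolicy=no
    uniqueids=no
    charondebug="ike 1, knl 1, enc 4"
    plutodebug=control

conn roadwarrior
    keyexchange=ikev2
"""

HARDENED_IPSEC_CONF = """\
config setup
    cachecrls=yes
    strictcrlpolicy=ifuri
    uniqueids=replace
    charondebug="ike 1, knl 1, cfg 1"
    plutodebug=control
"""


def parse_config_setup(text):
    """Return the name=value pairs of the config setup section.

    Section headers (``config setup``, ``conn <name>``) start in column 0,
    parameters are indented, ``#`` starts a comment.
    """
    params = {}
    in_setup = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():                 # a new section starts here
            in_setup = line.split() == ["config", "setup"]
            continue
        if in_setup and "=" in line:
            key, value = line.split("=", 1)
            params[key.strip()] = value.strip().strip('"')
    return params


def parse_charondebug(value):
    """Parse ``type level`` pairs such as ``dmn 3, ike 1, net -1`` into a dict.

    Raises ValueError for a malformed pair, an unknown type or a level
    outside -1..4, the values the reference lists.
    """
    levels = {}
    for item in value.split(","):
        parts = item.split()
        if not parts:
            continue
        if len(parts) != 2:
            raise ValueError("expected 'type level', got %r" % item.strip())
        dbg_type, level = parts[0], int(parts[1])
        if dbg_type not in CHARON_DEBUG_TYPES:
            raise ValueError("unknown charondebug type %r" % dbg_type)
        if level not in CHARON_LEVEL_NAMES:
            raise ValueError("charondebug level %d out of range" % level)
        levels[dbg_type] = level
    return levels


def check_setup(params):
    """Return review findings (strings) for a parsed config setup section."""
    findings = []
    policy = params.get("strictcrlpolicy", "no")
    if policy == "no":
        findings.append("strictcrlpolicy=no: RSA peer authentication succeeds "
                        "even when no fresh CRL is available")
    if policy in ("yes", "ifuri") and params.get("cachecrls", "no") == "no":
        findings.append("cachecrls=no with a strict CRL policy: authentication "
                        "depends on fetching the CRL again after every restart")
    if params.get("uniqueids", "yes") == "no":
        findings.append("uniqueids=no: a new connection with the same ID does "
                        "not replace the old one")
    if params.get("nocrsend", "no") == "yes":
        findings.append("nocrsend=yes: no certificate request payloads are sent")
    for dbg_type, level in parse_charondebug(params.get("charondebug", "")).items():
        if level >= 4:   # 'private' output can include key material (assumption)
            findings.append("charondebug %s %d (%s) logs sensitive material"
                            % (dbg_type, level, CHARON_LEVEL_NAMES[level]))
    for dbg_type in params.get("plutodebug", "none").split():
        if dbg_type in ("private", "all"):
            findings.append("plutodebug=%s enables private output" % dbg_type)
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_IPSEC_CONF), ("hardened", HARDENED_IPSEC_CONF)):
        print("%s: %s" % (name, check_setup(parse_config_setup(conf)) or ["no findings"]))
```

Running the script prints three findings for the weak sample (CRL policy, uniqueids and the level-4 ''enc'' debug setting) and none for the hardened one; feed a real ipsec.conf through parse_config_setup() to review a deployment.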